CIS Release 2.12.0 (#2787)

Signed-off-by: Vivek Lohiya <vklohiya@live.com>
F5Networks · Mar 2, 2023 · a4c8008 · a4c8008
1 parent a6d8ab9
commit a4c8008
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 25 deletions.
diff --git a/docs/RELEASE-NOTES.rst b/docs/RELEASE-NOTES.rst
@@ -1,40 +1,41 @@
 Release Notes for Container Ingress Services for Kubernetes & OpenShift
 =======================================================================
 
-Next Release
+2.12.0
 -------------
 
 Added Functionality
 ```````````````````
 **What’s new:**
-    * Next generation routes preview. See `Documentation <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/next-gen-routes>`_ for more details.
+    * Next generation routes. See `Documentation <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/next-gen-routes>`_ for more details.
         * Support for rewrite-app-root annotation in routes
         * Support for WAF annotation in routes
         * Support for allow-source-range annotation in routes
         * Support for targetPort in route's health monitors
     * Ingress
         * Support for partition annotation in Ingress
         * Added wildcard character(*) validation for ingress path
-        * Deprecated  extensions/v1beta1 ingress API and it's no longer processed by CIS >=2.12
     * CRD
-        * Support for ipIntelligencePolicy with policy CR
-        * Support for configuring ratio on GSLBDomainPool with externaldns CR
-        * Add partition support for custom resources - VS, TS and IngressLink
+        * Support for ipIntelligencePolicy with policy CR. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/customResource/Policy/sample-policy.yaml>`_
+            * Support for configuring ratio on GSLBDomainPool with externaldns CR. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/customResource/ExternalDNS/externaldns-pool-ratio.yaml>`_
+        * Support for BIGIP partition with Virtual Server, Transport Server and IngressLink custom resources See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/VirtualServer/partition>`_
         * Support for none as value for iRules in policy CR and virtual server CR to disable adding default CIS iRule on BIGIP. See `Documentation <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource>`_ for more details.
-        * `Issue 2737 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2737>`_: Support for serviceNamespace field in transport server spec that allows to define a pool service from another namespace for transport server CR.
-        * `Issue 2682 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2682>`_: Support to Enable "HTTP MRF Router" on VirtualServer CRD required for HTTP2 Full Proxy feature
-        * `Issue 2666 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2666>`_: Support multiple virtual addresses on VirtualServer CR
-        * `Issue 2703 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2703>`_: Support host group having multiple hosts with EDNS
-        * `Issue 2729 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2729>`_: Support for named port with servicePort
-        * `Issue 2744 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2744>`_: Support for Host header rewrite in VirtualServer CR
+        * Support for path/pool based WAF for VS CR. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/VirtualServer/pool-waf>`_
+        * `Issue 2737 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2737>`_: Support for serviceNamespace field in transport server spec that allows to define a pool service from another namespace for transport server CR. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/TransportServer/serviceNamespace>`_
+        * `Issue 2682 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2682>`_: Support to Enable "HTTP MRF Router" on VirtualServer CRD required for HTTP2 Full Proxy feature. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/VirtualServer/HttpMrfRoutingEnabled>`_
+        * `Issue 2666 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2666>`_: Support for multiple virtual addresses on VirtualServer CR. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/VirtualServer/virtual-with-multiplevip/>`_
+        * `Issue 2729 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2729>`_: Support for named port with servicePort. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/VirtualServer/virtual-with-named-port>`_
+        * `Issue 2744 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2744>`_: Support for Host header rewrite in VirtualServer CR. See `Examples <https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/VirtualServer/HostRewrite>`_
     * Helm Chart Enhancements
         * Support for podSecurityContext
         * Support for bigip-login secret creation
         * Support for latest CRD schema
+        * Fix for nesting of ingressClass definitions
     * Support for --http-client-metrics deployment parameter to export the AS3 http client prometheus metrics
 
 Bug Fixes
 `````````
+* `Issue 2703 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2703>`_: Fix host group having multiple hosts with EDNS.
 * `Issue 2726 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2726>`_: Fix prometheus metrics broken in v2.11.1
 * `Issue 2767 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2767>`_: Fix wrong pool member port configured
 * `Issue 2764 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2764>`_: Remove unwanted TLS iRule deployed on reencrypt when passing XFF
@@ -51,11 +52,37 @@ Vulnerability Fixes
 +------------------+------------------------------------------------------------------+
 | CVE-2022-23491   | Upgraded certifi package in f5-cccl repository                   |
 +------------------+------------------------------------------------------------------+
+| CVE-2022-21698   | Upgraded prometheus vendor package in k8s-bigip-ctlr repository  |
++------------------+------------------------------------------------------------------+
+| CVE-2022-27664   | Upgraded golang in k8s-bigip-ctlr repository                     |
++------------------+------------------------------------------------------------------+
+| CVE-2021-43565   | Upgraded golang in k8s-bigip-ctlr repository                     |
++------------------+------------------------------------------------------------------+
+| CVE-2022-27191   | Upgraded golang in k8s-bigip-ctlr repository                     |
++------------------+------------------------------------------------------------------+
 
 Known Issues
 `````````````
-Partition annotation change for ingress intermittently cause AS3 422 error. If you encounter this issue it's advised to delete the old ingress & recreate the ingress with new partition.
+* Partition annotation change for ingress intermittently cause AS3 422 error. When error, delete the old ingress & recreate the ingress with new partition.
+* Partition change for custom resources (VS/TS/IngressLink) may cause AS3 422 error for default partition. When error, restart the CIS controller.
 
+Upgrade notes
+``````````````
+* Refer `guide <https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/migration-guide.md>`_ to migrate to next generation routes.
+* Deprecated extensions/v1beta1 ingress API and it's no longer processed by CIS >=2.12. Use the networking.k8s.io/v1 API for ingress.
+* Deprecated CommonName support for host certificate verification in secrets,  use subject alternative name(SAN) in certificates instead.
+
+FIC 0.1.9 Release notes :
+-------------------------
+
+Added Functionality
+```````````````````
+**What’s new:**
+    * Base image upgraded to RedHat UBI-9 for FIC Container image
+
+Bug Fixes
+````````````
+* `Issue 2747 <https://github.com/F5Networks/k8s-bigip-ctlr/issues/2747>`_ Fix to persist IP addresses after CIS restart
 
 
 2.11.1
@@ -727,7 +754,6 @@ Added Functionality
 * VirtualServer Custom Resource without Host Parameter.
 * Share Nodes implementation for CRD, Ingress and Routes.
 * WAF Integration.
-* Support Pool Based WAF for VS CR
 * SNAT in VirtualServer CRD.
 * Option to configure Virtual address port.
 * App-Root Rewrite and Path Rewrite.

diff --git a/docs/config_examples/customResource/Policy/extended-configmap-routes-with-policy.yaml b/docs/config_examples/customResource/Policy/extended-configmap-routes-with-policy.yaml
@@ -11,10 +11,6 @@ data:
       vserverName: nextgenroutes
       allowOverride: true
       policyCR: default/sample-policy
-      tls:
-        clientSSL: /Common/clientssl
-        serverSSL: /Common/serverssl
-        reference: bigip
     - namespace: bar
       vserverAddr: 10.8.3.12
       allowOverride: true

diff --git a/docs/upgradeProcess.md b/docs/upgradeProcess.md
@@ -35,7 +35,8 @@ Compatibility Matrix
 | v2.10.0     | v16.0          | v1.24              | v4.11.1                                                       | Yes | Yes | v3.38     | v0.1.8      | v0.0.2     | v0.0.22 |Red Hat Enterprise Linux release 8.6 (Ootpa)|
 | v2.10.1     | v16.0          | v1.24              | v4.11.1                                                       | Yes | Yes | v3.38     | v0.1.8      | v0.0.2     | v0.0.22 |Red Hat Enterprise Linux release 8.6 (Ootpa)|
 | v2.11.0     | v16.0          | v1.24              | v4.11.1                                                       | Yes | Yes | v3.38     | v0.1.8      | v0.0.3     | v0.0.22 |Red Hat Enterprise Linux release 8.7 (Ootpa)|
-| v2.11.1     | v16.0          | v1.24              | v4.11.1                                                       | Yes | Yes | v3.41     | v0.1.8      | v0.0.4     | v0.0.23 |Red Hat Enterprise Linux release 9.1 (Plow)|            
+| v2.11.1     | v16.0          | v1.24              | v4.11.1                                                       | Yes | Yes | v3.41     | v0.1.8      | v0.0.4     | v0.0.23 |Red Hat Enterprise Linux release 9.1 (Plow)|
+| v2.12.0     | v16.0          | v1.24              | v4.11.1                                                       | Yes | Yes | v3.41     | v0.1.9      | v0.0.4     | v0.0.24 |Red Hat Enterprise Linux release 9.1 (Plow)|            
 
 
 CIS Features and Examples
@@ -258,5 +259,7 @@ Refer Release Notes for [CIS v2.11.1](https://github.com/F5Networks/k8s-bigip-ct
 * RBAC changes to read the openshift network config
 * Moving to CIS > 2.11.1 requires an update to RBAC and CR schema definition. See [RBAC](https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/rbac/clusterrole.yaml) and [CR schema](https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml) 
 
-### **Upgrading from 2.11.1 to 2.12:**
-* Deprecated extensions/v1beta1 ingress API and it's no longer processed by CIS >=2.12.Use networking.k8s.io/v1  API for ingress
+### **Upgrading from 2.11.1 to 2.12.0:**
+* Deprecated extensions/v1beta1 ingress API and it's no longer processed by CIS >=2.12.Use networking.k8s.io/v1 API for ingress.
+* Refer [guide](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/migration-guide.md) to migrate to next generation routes.
+* Deprecated CommonName support for host certificate verification in secrets, use subject alternative name(SAN) in certificates instead.
diff --git a/f5-bigip-ctlr-operator/Dockerfile b/f5-bigip-ctlr-operator/Dockerfile
@@ -7,7 +7,7 @@ ENV HOME=/opt/helm
 LABEL name="F5 Container Ingress Services Operator" \
       maintainer="f5_cis_operators@f5.com" \
       vendor="F5 Networks Inc." \
-      version="v1.12.0" \
+      version="v1.13.0" \
       release="1" \
       summary="Container Ingress Services Operator for F5 BIG-IP" \
       description="F5 BIG-IP Controller Operator is a Service Operator which installs F5 BIG-IP Controller (Container Ingress Services) on Kubernetes and OpenShift platforms and respective supported versions."

diff --git a/f5-bigip-ctlr-operator/bundle/manifests/f5-bigip-ctlr-operator.clusterserviceversion.yaml b/f5-bigip-ctlr-operator/bundle/manifests/f5-bigip-ctlr-operator.clusterserviceversion.yaml
@@ -50,13 +50,13 @@ metadata:
     categories: Networking
     certified: "false"
     containerImage: registry.connect.redhat.com/f5networks/k8s-bigip-ctlr-operator@sha256:560aff6297fa8d5c13d830b0186035205abb1785d62f310a268054fbfd3ae7d1
-    createdAt: "2023-01-05T03:01:48Z"
+    createdAt: "2023-03-02T03:01:48Z"
     description: Operator to install F5 Container Ingress Services (CIS) for BIG-IP.
     operators.operatorframework.io/builder: operator-sdk-v1.26.0
     operators.operatorframework.io/project_layout: helm.sdk.operatorframework.io/v1
     repository: https://github.com/F5Networks/k8s-bigip-ctlr
     support: F5 Operators Team <f5_cis_operators@f5.com>
-  name: f5-bigip-ctlr-operator.v1.12.0
+  name: f5-bigip-ctlr-operator.v1.13.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -392,4 +392,4 @@ spec:
   minKubeVersion: 1.13.0
   provider:
     name: F5 Networks Inc.
-  version: 1.12.0
+  version: 1.13.0