2022-03-25.md

This Week in Enhancements - 2022-03-25

Updates since 2022-03-18

Enhancements for Release Priorities

Prioritized New Changes

<PR ID>: (activity this week / total activity) summary

There was 1 Prioritized New pull request:

• 1067: (171/171) agent-installer: Automated Workflow for Agent-based Installer (dhellmann)

  do-not-merge/hold, priority/important-soon

  "Cluster 0" deployments, for the first cluster in an environment, are unique because they occur in situations where there may not be a lot of other infrastructure to support long-running services normally associated with automated provisioning for on-premises use cases. Nevertheless, users and partners want to automate these deployments. The assisted installer GUI provides an excellent user experience for manually deploying clusters. This enhancement covers the automation use case.

Other Enhancements

Other Merged Changes

<PR ID>: (activity this week / total activity) summary

There were 6 Other Merged pull requests:

• 980: (3/88) authentication: enhancements/authentication: detect invalid certificates (s-urbaniak)

  OpenShift 4.10 is going to be rebased against Kubernetes 1.23. This requires using Go 1.17. However, starting with Go 1.17 the support for the CommonName field of server HTTPS certificates is going to be removed.

  Formally, the temporary GODEBUG=x509ignoreCN=0 flag has been removed. This implies that starting from OpenShift 4.10 invalid certificates will not be trusted any more as they will fail verification.

  Example:

  Given the following certificate:

  Certificate:
      Data:
          ...
          Subject: CN=foo-domain.com
          X509v3 extensions:
              X509v3 Key Usage: critical
                  Digital Signature, Key Encipherment
              X509v3 Extended Key Usage:
                  TLS Web Server Authentication
              X509v3 Basic Constraints: critical
                  CA:FALSE
  

  Verification against the foo-domain.com hostname of such certificate will fail with the following error in Go 1.17:

  x509: certificate relies on legacy Common Name field, use SANs instead
  

  Verification of server certificates is executed during the TLS Handshake procedure. A TLS (https) client observing an invalid certificate will reject the connection attempt.

  Cluster internal issued certificates are not affected, however custom certificates can be configured in various cases:

  • custom serving certificates for kube-apiserver
  • custom API webhooks
  • custom aggregated API endpoints
  • custom certificates for route endpoints
  • certificates of external auth identity providers

  This will lead to broken connections to critical core parts of OpenShift and thus to a degraded cluster if invalid custom certificates are configured.

  This enhancement suggests a solution to prevent core workloads involving invalid certificates, functional on OpenShift 4.9, to break upon the upgrade to OpenShift 4.10. It therefore proposes:

  • a way to detect invalid certificates in kube-apiserver and oauth-server
  • a way to prevent upgrades from OpenShift 4.9 to OpenShift 4.10 in the face of invalid certificates

• 995: (4/232) machine-api: Add enhancement for AWS Placement Groups in Machine API (JoelSpeed)

  This enhancement describes the process of integrating AWS Placement Groups into the OpenShift Machine API.

  Placement Groups allow users to define how groups of Machines should be placed within the Availability Zone. For example, they can be clustered together within the same network spine, or separated for redundancy.

• 1002: (5/101) ingress: CFE-10: Add host-network-bind-options (Elbehery)

  This enhancement aims to enable reuse of the same nodes by 2 or more Ingress Controllers with HostNetwork endpoint strategy without running into port reuse conflicts. This is done by allowing configuration of the ports used by the router pods within the Ingress Controller API specification.

• 1028: (6/16) cluster-logging: flow-control-api spec (pmoogi-redhat)

  If the log collector cannot keep up with the rate that logs are written, some logging data will be lost. Lack of flow control these problems:

  • Hard to predict and impossible to control the volume of logs.
  • No control over which logs get lost.
  • During an outage, log buffers build up without user control. This can cause long recovery times and very high latency when the connection is restored.

  This proposal defines an API to let cluster administrators to limit logging rates, or ignore some logs entirely. Logs may still be lost if the collector cannot keep up, but administrators have more control over what is lost, and more predictability of log rates.

• 1063: (37/38) installer: add stage-based exit codes to the openshift-installer (deads2k)

  openshift-installer callers will now get more granular exit codes. Callers of openshift-installer can expect non-zero exit codes that may change over time as the openshift-installer evolves over time. openshift-installer provides no guarantee that exit codes will not change as result of changes like greater granularity, lower granularity, re-organization, or other needs. openshift-installer does guarantee that a particular exit code will not be re-used to have a different meaning in the same y-level version. openshift-installer will make reasonable efforts to avoid re-using a particular exit code to have different meanings across y-level versions, but for sufficiently compelling reasons may do so.

Other Merged Pull Requests Modifying Existing Documents

• 1070: (25/25) machine-api: [OCPCLOUD-1475] machine: update azure-ultra-disks with data disk deletion policy (damdo)

Other New Changes

<PR ID>: (activity this week / total activity) summary

There were 6 Other New pull requests:

• 1066: (7/7) dev-guide: Document the various event files produced by CI (DennisPeriquet)

• 1069: (27/27) dev-guide: Add notes to explain how API fields should be documented in conventions (JoelSpeed)

  As an API reviewer, I would like to see thorough documentation added to new API fields so that I can understand the mechanics of the changes we are adding to our API and so that customers can understand how they can and can't use the new fields.

  To encourage better documentation on ur APIs, I think we should add some notes to the conventions prompting users with a number of questions to think about when writing their godoc and some examples of how this might look in practice.

  This is a first draft of this to gather initial feedback:

  • Is this the right location for this kind of content?
  • What other questions should users be asked when writing their godoc
  • Do we have any other recommendations about godoc that aren't already noted

  ToDo:

  • Add more examples of where the godoc is used
  • Provide example of godoc output for examples to help authors understand what the user might see
  • Clarify any language guidance we have for writing these godoc (Eg should we follow product doc styling)
  • Confirm we want to split out an official API conventions/style guide

• 1071: (4/4) baremetal: Add bootstrap-external-ip (honza)

  When installing a bare metal IPI cluster, you can use the networkConfig field in the install-config.yaml file to configure the control plane network interfaces for the cluster hosts. However, currently, you cannot configure the bootstrap VM networking using the same means.

Other New Pull Requests Modifying Existing Documents

• 1068: (4/4) dev-guide: Add etcd readyz port (hasbro17)
• 1072: (9/9) machine-api: update machine-api-usage-telemetry (elmiko)
• 1073: (8/8) general: Fix links to make relative to page (johnbwork)

Other Active Changes

<PR ID>: (activity this week / total activity) summary

There were 16 Other Active pull requests:

• 1037: (68/247) insights: New Insights config API proposal (tremes)
• 1041: (44/185) single-node: Enhancement for enabling single-node-openshift with workers (omertuc)
• 1064: (40/41) network: Add enhancement proposal for SDN live migration (pliurh)
• 1034: (37/136) agent-installer: Agent Installer Development Environment (lranjbar)
• 1059: (34/212) baremetal: Converge ZTP and Metal3 flows (dtantsur)
• 1008: (19/241) machine-api: [OCPCLOUD-1248] Add initial iteration of ControlPlaneMachineSet operator enhancement (JoelSpeed)
• 918: (18/151) installer: vsphere: add multiple datacenter and clusters (jcpowermac)
• 937: (16/155) monitoring: support configuration of alerting notifications by application owners (simonpasquier)
• 1036: (15/145) insights: Insights Operator Prometheus Alerts for Insights Recommendations (natiiix)
• 1056: (13/93) cluster-scope-secret-volumes: BUILD-406: shared resource validating admission EP (gabemontero)
• 1030: (12/53) monitoring: enhancements/monitoring: User-Defined Alerting and Relabeling Rules (bison)
• 1057: (6/103) installer: Enhancement for enabling 4-node cluster deployments as a day0 operation (flaper87)
• 1048: (2/38) network: Dual Stack VIPs for on-prem deployments (cybertron)
• 745: (1/135) security: Security Profiles Operator integration in OpenShift (JAORMX)

Other Active Pull Requests Modifying Existing Documents

• 1062: (25/28) storage: Update the CSI migration enhancement (bertinatto)
• 1051: (16/148) api-review: Update enhancement proposal to support update of user-defined AWS tags (TrilokGeer)

Other Closed Changes

<PR ID>: (activity this week / total activity) summary

There were 2 Other Closed pull requests:

• 958: (2/112) monitoring: enhancements/monitoring: User-defined alerting rules proposal (bison)
• 1025: (2/51) kube-apiserver: Introduce detection of stale clusteroperator conditions (mfojtik)

Revived (closed more than 7 days ago, but with new comments) Changes

<PR ID>: (activity this week / total activity) summary

There was 1 Revived (closed more than 7 days ago, but with new comments) pull request:

Revived (closed more than 7 days ago, but with new comments) Pull Requests Modifying Existing Documents

• 538: (3/22) machine-api: update machine-api-usage-telemetry (elmiko)

Idle (no comments for at least 7 days) Changes

<PR ID>: (activity this week / total activity) summary

There were 19 Idle (no comments for at least 7 days) pull requests:

• 461: (0/16) ingress: Add aws-elb-idle-timeout enhancement (Miciah)
• 811: (0/73) network: Enhancement proposal for OVN secondary networks (maiqueb)
• 929: (0/250) api-review: [OCPNODE-747] New CRD ImageDigestMirrorSet and ImageTagMirrorSet to support AllowMirrByTags (QiWang19)
• 943: (0/112) etcd: [OCPCLOUD-1244] Add proposal for etcd protection mechanism during control plane scaling (JoelSpeed)
• 981: (0/157) general: Added proposal for HyperShift monitoring. (bwplotka)
• 987: (0/104) dns: Add the DNS-over-TLS enhancement initial draft (brandisher)
• 1005: (0/107) general: Non-disruptive upgrades in DPU clusters (danwinship)
• 1009: (0/85) general: OpenStack Cloud Provider Config Upgrade (stephenfin)
• 1010: (0/70) authentication: add enhancement on PSa autolabeling (stlaz)
• 1014: (0/355) multi-arch: Heterogeneous architecture clusters (Prashanth684)
• 1019: (0/22) node-tuning: Enhancement for improving image pull via shortname security (umohnani8)
• 1023: (0/20) ingress: Add route-subdomain enhancement (Miciah)
• 1027: (0/5) general: Enable ProjectRequestLimit on OpenShift 4.x (josefkarasek)
• 1035: (0/122) network: Pods Egress DSCP QoS proposal (oribon)
• 1039: (0/3) ingress: Add tunable-router-kubelet-probes (Miciah)
• 1047: (0/3) authentication: AUTH-125 Cert Manager enhancement document (slaskawi)

Idle (no comments for at least 7 days) Pull Requests Modifying Existing Documents

• 1046: (0/2) ingress: transition-ingress-from-beta-to-stable status → implemented (Miciah)
• 1054: (0/4) ingress: NE-585 Update enhancement after implementation (candita)
• 1061: (0/2) dev-guide: Host port registry: Add konnectivity agent (alvaroaleman)