OpenShift 4.2 Release Notes Tracker

[adellape]

Leave comments to be included by the OpenShift docs team as Release Notes for OCP 4.2. Provide xrefs to related PRs or docs content if possible.

cc @openshift/team-documentation

Initial PR = https://github.com/openshift/openshift-docs/pull/16410

[bmcelvee]

DevEx - In 4.2, builds will keep their layers by default. (We've already updated the Running Entitled Builds docs: https://docs.openshift.com/container-platform/4.1/builds/running-entitled-builds.html#builds-strategy-docker-squash-layers_running-entitled-builds.)

[soltysh]

Workloads - In 4.2 the usage of /oapi endpoint from oc is being deprecated with the plan to remove it in 4.3. The /oapi endpoint was responsible for serving non-group openshift APIs and was removed in 4.1.

[adellape]

See https://jira.coreos.com/browse/OSDOCS-650 for deprecation notice of Group F APIs in 4.2.

[ironcladlou]

https://bugzilla.redhat.com/show_bug.cgi?id=1746467 https://github.com/openshift/router/pull/30 https://wiki.mozilla.org/Security/Server_Side_TLS

We are disabling ingress controller TLS 1.0 and 1.1 support to match the Mozilla intermediate security profile.

New and upgraded ingress controllers will no longer support these TLS versions.

/cc @openshift/sig-network-edge

[jboxman]

And that reminds me.

• OVN SDN as Tech Preview in 4.2
• Two new CNI plug-ins for Multus: bridge and ipvlan
• CNO now supports configuring SimpleMacvlan

I probably need to come up with words for these.

[soltysh]

oc adm migrate and all its subcommands is being deprecated.

[ahardin-rh]

@jboxman yes please :bowing_woman:

[soltysh]

oc version deprecated --short flag, the default output is what --short flag was printing.

[bmcelvee]

DevEx - https://jira.coreos.com/browse/DEVEXP-341: "Builds on Windows nodes are not supported."

[bergerhoffer]

For https://jira.coreos.com/browse/WRKLDS-5. Related docs PR: https://github.com/openshift/openshift-docs/pull/16546

Basically it's new in 4.2 that master nodes can be schedulable at all. The docs PR has details on when they default as schedulable (if there are no worker nodes in the cluster) or not (if there are). PR still needs SME review though. @ravisantoshgudimetla can confirm wording if necessary.

[bobfuru]

Recycle reclaim policy has been deprecated for 4.x. Related PR 16439 Related BZ 1746962 Dynamic provisioning is recommended.

[bobfuru]

Persistent volume snapshots are deprecated in 4.2. Related docs BZ 1750466

[gabemontero]

DevEx: For https://bugzilla.redhat.com/show_bug.cgi?id=1750650

Given deficiencies in the curl/git versions available on RHEL7, the git clone operation inherent with OpenShift builds in not functional when accessing a git repository via an HTTPS proxy, where that access attempts to provide a certificate.

@bmcelvee FYI

[kalexand-rh]

Per @morenod, osp 15 is not supported in 4.2.

[ahardin-rh]

@kalexand-rh Thank you! @morenod I was under the impression that OSP 13 and 15 were both supported and this was what was communicated in the recent "What's New in OCP 4.2" presentation in the context of installer-provisioned OpenShift on OpenStack.

[bparees]

Given deficiencies in the curl/git versions available on RHEL7, the git clone operator inherent with OpenShift builds accessing a git repository for source is currently not functional in OpenShift.

@gabemontero @bmcelvee this is an overstatement of the situation. (also i think you meant operation, not operator?).

The limitation is git clone operations that go through a proxy that is performing MITM tls hijacking/reencrypting of the proxied connection will not work.

git clone in general is fine, and git clone that goes through a proxy that is not doing a MITM hijack is, as far as i know, also fine.

[bmcelvee]

Given deficiencies in the curl/git versions available on RHEL7, the git clone operator inherent with OpenShift builds accessing a git repository for source is currently not functional in OpenShift.

@gabemontero @bmcelvee this is an overstatement of the situation. (also i think you meant operation, not operator?).

The limitation is git clone operations that go through a proxy that is performing MITM tls hijacking/reencrypting of the proxied connection will not work.

git clone in general is fine, and git clone that goes through a proxy that is not doing a MITM hijack is, as far as i know, also fine.

@bparees @gabemontero it sounds like this could be added as a warning in the Git source docs, in addition to the release notes, since it doesn't sound like a common situation but could cause issues for some users. Is that correct?

[bparees]

@bparees @gabemontero it sounds like this could be added as a warning in the Git source docs, in addition to the release notes, since it doesn't sound like a common situation but could cause issues for some users. Is that correct?

it could, for now (we do hope to be able to remove this restriction in the future). but this will also not be the only limitation on the "4.2 proxy support" we are announcing....so it probably belongs in both places:

1) doc the limitation where the build feature is doc'd 2) release notes about "here's all limitations that apply when you are using the new cluster proxy feature"

[gabemontero]

btw @bmcelvee @bparees I've been hacking on my original comment re: the release note

among other things, based on @ricardomaraschini 's latest findings, I'm not sure if explicitly enabling MITM is required to cause the problem.

What he conveyed was that curl/git was incorrectly propagating the cert to the proxy.

@ricardomaraschini - please clarify / correct my interpretation of your findings as needed

[bmcelvee]

@gabemontero @bparees @ricardomaraschini I opened https://github.com/openshift/openshift-docs/pull/16757 with a draft warning in the build feature. We can update it from there.

[vikram-redhat]

In OpenShift 4.2, the Service Catalog, the Template Service Broker, the Ansible Service Broker and their Operators will be deprecated. They will be removed in a future OpenShift release.

@bergerhoffer @adellape

https://bugzilla.redhat.com/show_bug.cgi?id=1753818

[dmesser]

@vikram-redhat is correct. The release notes need to point out this fact more prominently, not just an API deprecation notice. The Operators will be marked deprecated and removed in the future. In addition, if still installed, an update to 4.4 will be blocked.

[Preeticp]

Developer Experience: ODO OpenShift Do (odo) is a simple CLI tool for developers to create, build, and deploy applications on OpenShift. odo is completely client based and requires no server within the OpenShift cluster for deployment. It detects changes to local code and deploys it to the cluster automatically, giving instant feedback to validate changes in real-time. It supports multiple languages and frameworks.

Web Console: Developer Perspective The Developer perspective adds a developer focused perspective to the Web Console. It provides workflows specific to developer use cases such as creation and deployment of applications to OpenShift using multiple options. It provides a visual representation of the applications within a project, their build status, and the components and services associated with them enabling easy interaction and monitoring. It incorporates Serverless capabilities (Technical Preview) and the ability to create workspaces to edit your application code using Eclipse Che.

[gabemontero]

DevEx: for https://bugzilla.redhat.com/show_bug.cgi?id=1745192

Builds that use image references that correlate to an image mirror, as will be the case in a disconnected environment, will fail to pull/push those image references if the mirror requires authentication.

@bmcelvee @adambkaplan @bparees @mtrmac @wzheng1 @wewang58 ^^

[qinpingli]

Multi-cluster: The release notes preview(http://file.rdu.redhat.com/~ahardin/09062019/OCP-4-2-release-notes/release_notes/ocp-4-2-release-notes.html#ocp-4-2-multi-cluster) says multi-cluster is a tech preview feature, actually, it's still a dev preview feature in OCP 4.2. And we will only release community operator in OCP 4.2.

@abhat Could you help double confirm?

[yanpzhan]

Web Console: Identity Providers On cluster OAuth configuration page, more IDPs are provided for user to login to cluster, such as GitHub, GitLab, Google, LDAP, Keystone and so on.

[vikram-redhat]

@qinpingli we don't document dev preview features in the product docs. If it is not tech preview we will just need to remove it.

Multi-cluster: The release notes preview(http://file.rdu.redhat.com/~ahardin/09062019/OCP-4-2-release-notes/release_notes/ocp-4-2-release-notes.html#ocp-4-2-multi-cluster) says multi-cluster is a tech preview feature, actually, it's still a dev preview feature in OCP 4.2. And we will only release community operator in OCP 4.2.

@abhat Could you help double confirm?

[xinredhat]

Does it need to involve Migrating OpenShift Container Platform version 3 to 4

[bmcelvee]

Network Edge:

The Ingress Operator supports all ingress features on {product-version} with installer-provisioned infrastructure on Azure. https://jira.coreos.com/browse/PROD-1094

The Ingress Operator supports all ingress features on {product-version} with installer-provisioned infrastructure on GCP. https://jira.coreos.com/browse/PROD-1100

[bobfuru]

Persistent volume snapshots are deprecated in 4.2. Related docs BZ 1750466

^^ No longer the case. Should be:

In 4.1 Release Notes, persistent volume snapshot was incorrectly marked as Tech Preview. This functionality was deprecated in OCP 3.11.

[xingxingxia]

Apiserver and Auth: https://jira.coreos.com/browse/MSTR-717 corsAllowedOrigins can be configured.

[bergerhoffer]

Apiserver and Auth: https://jira.coreos.com/browse/MSTR-717 corsAllowedOrigins can be configured.

@ahardin-rh @sheriff-rh For the above item, the related docs are here [1] if you want to link to them from the release notes.

[1] https://docs.openshift.com/container-platform/4.2/authentication/allowing-javascript-access-api-server.html

[abhat]

Multi-cluster: The release notes preview(http://file.rdu.redhat.com/~ahardin/09062019/OCP-4-2-release-notes/release_notes/ocp-4-2-release-notes.html#ocp-4-2-multi-cluster) says multi-cluster is a tech preview feature, actually, it's still a dev preview feature in OCP 4.2. And we will only release community operator in OCP 4.2.

@abhat Could you help double confirm?

That is correct @qinpingli, multi-cluster will stay at dev preview in 4.2. We will only release the community version of the operator that points to an upstream rc for kubefed.

[qinpingli]

@vikram-redhat

Multi-cluster: The release notes preview(http://file.rdu.redhat.com/~ahardin/09062019/OCP-4-2-release-notes/release_notes/ocp-4-2-release-notes.html#ocp-4-2-multi-cluster) says multi-cluster is a tech preview feature, actually, it's still a dev preview feature in OCP 4.2. And we will only release community operator in OCP 4.2. @abhat Could you help double confirm?

That is correct @qinpingli, multi-cluster will stay at dev preview in 4.2. We will only release the community version of the operator that points to an upstream rc for kubefed.

@vikram-redhat Please help remove the multi-cluster part from the OCP 4.2 doc, thx.

[vikram-redhat]

@vikram-redhat

Multi-cluster: The release notes preview(http://file.rdu.redhat.com/~ahardin/09062019/OCP-4-2-release-notes/release_notes/ocp-4-2-release-notes.html#ocp-4-2-multi-cluster) says multi-cluster is a tech preview feature, actually, it's still a dev preview feature in OCP 4.2. And we will only release community operator in OCP 4.2. @abhat Could you help double confirm?

That is correct @qinpingli, multi-cluster will stay at dev preview in 4.2. We will only release the community version of the operator that points to an upstream rc for kubefed.

@vikram-redhat Please help remove the multi-cluster part from the OCP 4.2 doc, thx.

@ahardin-rh ^ - not sure if we have any content other than release notes?

[ahardin-rh]

@vikram-redhat The content is removed. That link is to an old build. We only had mention in the release notes. Thanks!

[deads2k]

The following APIs are deprecated and will be removed in a future release

1. ClusterRole.authorization.openshift.io - use ClusterRole.rbac.authorization.k8s.io instead
2. ClusterRoleBinding.authorization.openshift.io - use ClusterRoleBinding.rbac.authorization.k8s.io instead
3. Role.authorization.openshift.io - use Role.rbac.authorization.k8s.io instead
4. RoleBinding.authorization.openshift.io - use RoleBinding.rbac.authorization.k8s.io instead

[jboxman]

I notice we don't define CNO anywhere:

s/CNO SUPPORTS SIMPLEMACVLAN/Cluster Network Operator SUPPORTS SIMPLEMACVLAN/

s/CNO now supports configuring SimpleMacvlan./Cluster Network Operator now supports configuring SimpleMacvlan./

[jboxman]

OVN and OVN SDN both appear in TP table. I think we should omit OVN and leave OVN SDN in the table.

[jboxman]

Also, for known issues, in 4.2.0 DHCP does not currently work with any of the Multus CNI plug-ins. The BZ is this: https://bugzilla.redhat.com/show_bug.cgi?id=1754686

[huffmanca]

Added a known issue under https://github.com/openshift/openshift-docs/pull/17135 where the ClusterStorageOperator does not automatically update the default StorageClass to include new attributes.

[bobfuru]

Persistent volume snapshots are deprecated in 4.2. Related docs BZ 1750466

^^ No longer the case. Should be:

In 4.1 Release Notes, persistent volume snapshot was incorrectly marked as Tech Preview. This functionality was deprecated in OCP 3.11.

^^ This has changed back to original statement. Omit "In 4.1...3.11" and use "Persistent volume snapshots are deprecated in 4.2."

[jboxman]

And for Known Issues: The Cluster Network Operator does not a remove NetworkAttachmentDefinition that the Operator created previously, when the additional network is removed from the additionalNetworks collection. (https://bugzilla.redhat.com/show_bug.cgi?id=1755586)

[ahardin-rh]

Addressed these last additions in https://github.com/openshift/openshift-docs/pull/17296 Closing the tracker. All further fixes can be submitted in a new PR against the master branch. Thanks, all!