Merge branch 'master' into maintenance/CaaS4.5

adoc/MAIN.release-notes.adoc

@@ -44,7 +44,8 @@ This release supports deployment on:
 
 // Release specific files, latest on top!
 
-include::release-4.5.0.adoc[Release 4.5.0]
+include::release-4.5.1.adoc[Release 4.5.1]
+//include::release-4.5.0.adoc[Release 4.5.0]
 
 //include::release-4.2.2.adoc[Release 4.2.2]
 

adoc/release-4.2.1.adoc

@@ -14,10 +14,9 @@
 
 === Metrics Server
 
-The Metrics Server now supports monitoring of *CPU* and *memory* of a pod or node.  You can use commands `kubectl top nodes` get status for node and use `kubectl top pods` to get status for pod.
-This information can also be used and show in be Prometheus or Grafana.
-
-For detailed instructions please see link:https://documentation.suse.com/suse-caasp/4.2/single-html/caasp-admin/#_monitoring_certificates[the Administration Guide]
+{productname} now supports the metrics server as an addon to monitor the *CPU* and *memory* of a pod or node.
+You can use commands `kubectl top nodes` get status for node and use `kubectl top pods` to get status for one or more pods.
+Also, with metrics-server default built-in by {productname}, the user can set up a horizontal pod autoscaler (HPA) to auto-scale the number of pods or set up a vertical pod autoscaler (VPA) to auto allocate more or less CPUs and memory resources.
 
 === Cert Status Checker
 
@@ -35,8 +34,16 @@ For detailed instructions please see link:https://documentation.suse.com/suse-ca
 === Required Actions
 
 * To migrate from etcd to CRD in case of upgrade, follow the steps described in the link:https://docs.cilium.io/en/v1.6/install/upgrade/#upgrade-notes[official Cilium documentation].
+
 * Run `skuba addons upgrade apply` to upgrade Cilium to version 1.6.6. See information about a possible warning, which might appear during the upgrade in link:https://documentation.suse.com/suse-caasp/4.2/single-html/caasp-admin/#_generating_an_overview_of_available_addon_updates[the Administration Guide].
 
+* {productname} did not detect existing metrics-server installed by the administrator, so please remove the installed metrics-server manually before upgrade addons.
++
+[source,bash]
+----
+helm delete metrics-server --purge
+----
+
 * In order to update `skuba` to apply the latest fixes, you also need to update the admin workstation. For detailed instructions, see link:https://documentation.suse.com/suse-caasp/4.2/single-html/caasp-admin/#_update_management_workstation[this section in the Admin Guide].
 
 === Bugs Fixed in 4.2.1 since 4.2.0

adoc/release-4.2.3.adoc

@@ -0,0 +1,36 @@
+== Changes in 4.2.3
+
+////
+=== Deprecations in 4.2.3
+None
+////
+
+=== Required Actions
+
+To apply the fix for the CRI-O bug mentioned below, you must perform `skuba-update`.
+See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates for more details.
+
+* {productname} did not detect existing `metrics-server` installed by the administrator via helm, so please remove the installed `metrics-server` manually before running `skuba upgrade addons`.
++
+[source,bash]
+----
+helm delete metrics-server --purge
+----
+
+=== Bugs Fixed in 4.2.3 since 4.2.2
+
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1174400[bsc#1174400] [cri-o] $HOME is not used in /etc/passwd when runAsUser is used with crio 1.16.1
+
+[[docs-changes-423]]
+=== Documentation Changes
+
+Minor fixes and improvements, refer to: https://github.com/SUSE/doc-caasp/releases/
+
+[[known-issues-423]]
+=== Known Issues
+
+* Kubeproxy is not fully deprecated since envoyproxy requires support of Linux Kernel 5.3 and upwards.
+
+==== sles15sp1 aws image is inactive
+
+When deploying on AWS, you need to modify the configuration for {tf} on your management node. You need to set `state = "inactive"` in `/usr/share/caasp/terraform/aws/ami.tf`, to avoid the the error `Error: Invalid index` during deployment of nodes.

adoc/release-4.2.4.adoc

@@ -0,0 +1,37 @@
+== Changes in 4.2.4
+
+////
+=== Deprecations in 4.2.3
+None
+////
+
+=== Required Actions
+
+To apply the fix for the CRI-O bug mentioned below, you must perform `skuba-update`.
+See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates for more details.
+
+* {productname} did not detect existing `metrics-server` installed by the administrator via helm, so please remove the installed `metrics-server` manually before running `skuba upgrade addons`.
++
+[source,bash]
+----
+helm delete metrics-server --purge
+----
+
+=== Bugs Fixed in 4.2.4 since 4.2.3
+
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1174400[bsc#1174400] [cri-o] $HOME is not used in /etc/passwd when runAsUser is used with crio 1.16.1
+
+[[docs-changes-424]]
+=== Documentation Changes
+
+* Added instructions for automatic certificate renewal link:{docurl}/html/caasp-admin/_security.html#_automatic_certificate_renewal[using the `kucero` addon].
+* Various minor fixes and improvements, refer to: https://github.com/SUSE/doc-caasp/releases
+
+[[known-issues-424]]
+=== Known Issues
+
+* Kubeproxy is not fully deprecated since envoyproxy requires support of Linux Kernel 5.3 and upwards.
+
+==== sles15sp1 aws image is inactive
+
+When deploying on AWS, you need to modify the configuration for {tf} on your management node. You need to set `state = "inactive"` in `/usr/share/caasp/terraform/aws/ami.tf`, to avoid the the error `Error: Invalid index` during deployment of nodes.

adoc/release-4.5.1.adoc

@@ -0,0 +1,50 @@
+== Changes in 4.5.1
+
+=== Deprecations in 4.5.1
+None
+
+=== Required Actions
+
+* Run `skuba addons upgrade apply` to update Cilium images to rev3 which has the bug fixes to be installed.
+* In order to use the latest `skuba` fixes, you need to update the admin workstation. For detailed instructions, see the link:{docurl}single-html/caasp-admin/#_update_management_workstation[Administration Guide]
+* Envoy security fixes will be updated with `skuba addons upgrade apply`. The bugs and security fixes applied are listed in the following sections.
+
+=== Bugs Fixed in 4.5.1 since 4.5.0
+
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1173559[bsc#1173559] [envoy] - CVE-2020-12605,CVE-2020-8663,CVE-2020-12603,CVE-2020-12604: envoy-proxy, cilium-proxy: multiple resource exhaustion issues
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1176755[bsc#1176755] [helm3] - CVE-2020-15184: helm3: `alias` field on a `Chart.yaml` is not properly sanitized
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1176754[bsc#1176754] [helm] - CVE-2020-15185: helm3: Helm repository can contain duplicates of the same chart
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1176752[bsc#1176752] [helm3] - CVE-2020-15187: helm3: plugin can contain duplicates of the same entry
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1174075[bsc#1174075] [kubernetes] - Changing %{_libexecdir} breaks some packages which are misusing the macro
+* link:https://bugzilla.suse.com/show_bug.cgi?id=1167073[bsc#1167073] [envoy] - CaaSPv5: envoy-proxy doesn't build on SLE15SP2
+* link:https://bugzilla.suse.com/show_bug.cgi?id=11776753[bsc#1176753] [helm3] - CVE-2020-15186: helm3: plugin names are not sanitized properly
+
+=== Security issues fixed in 4.5.1 since 4.5.0
+
+* CVE-2020-12603: "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames."
+* CVE-2020-12604: "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream."
+* CVE-2020-12605: "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs."
+* CVE-2020-8663:  "Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections."
+* CVE-2020-15187: "In Helm before version 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack."
+* CVE-2020-15185: "In Helm before version 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository."
+* CVE-2020-15184: "In Helm before version 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart."
+* CVE-2020-15186: "In Helm before version 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `hellm --help`."
+
+[[docs-changes-451]]
+=== Documentation Changes
+
+* None
+
+[[known-issues-451]]
+=== Known Issues
+
+* https://bugzilla.suse.com/show_bug.cgi?id=1176225 - Upgraded v4.5 cluster is running etcd from v4 namespace
+* https://bugzilla.suse.com/show_bug.cgi?id=1172270 - cilium-init:1.6.6 does not exist in registry
+* Kubeproxy is not fully deprecated since envoyproxy requires support of Linux Kernel 5.3 and upwards.
+* If the cluster node(s) was bootstrapped/joined before kubernetes version 1.17, you have to manually modify the contents of `/etc/kubernetes/kubelet.conf` to point to the automatically rotated kubelet client certificates by replacing `client-certificate-data` and `client-key-data` with:
++
+[source,bash]
+----
+client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
+client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
+----