From aba4a34020cd40f52ac875a817a42a08a9d492a3 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 16 Dec 2024 12:14:05 -0800 Subject: [PATCH 1/4] docs: add PE-5567 to release notes --- .../release-notes/release-notes.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/docs-content/release-notes/release-notes.md b/docs/docs-content/release-notes/release-notes.md index dc342b76a5..816a3143ba 100644 --- a/docs/docs-content/release-notes/release-notes.md +++ b/docs/docs-content/release-notes/release-notes.md @@ -89,6 +89,24 @@ tags: ["release-notes"] Previously, nodes were always drained during upgrades and repaves, even for single-node clusters. Refer to [Skip Node Draining](../clusters/edge/cluster-management/skip-draining.md) for guidance on configuring draining behavior. +- Upgrading the Palette from 4.4.x to 4.5.15 and later will now automatically renew the Certificate Authority (CA) + certificate for Mutating Webhook Handler (MWH). This was an issue that affected 4.4.x and prior versions and was + partially addressed in 4.5.0. The new version fully addresses the issue by automatically renewing the CA certificate + for 10 years during an upgrade. In previous 4.5.x versions, while you would not encounter the certificate expiry issue + if your cluster was created using a 4.5.x version of the Palette agent, upgrading from 4.4.x would not have renewed + the certificate automatically. + +#### Bug Fixes + +- Fixed an issue where the Certificate Authority (CA) certificate for Mutating Webhook Handler (MWH) expires after 90 + days and does not get automatically renewed, which affects cluster health. This issue affected Palette versions 4.4.20 + and prior and was fixed in 4.5.11. However, upgrading + + However, if you upgrade a cluster from 4.4.x to 4.5.x, this issue does not get addressed automatically. You must + manually delete the related secret and webhook using the commands + `kubectl delete secret --namespace spectro-system stylus-webhook-tls && kubectl delete mutatingwebhookconfiguration stylus-webhook` + and Palette agent will recreate them. + #### Deprecations and Removals - The EdgeForge build process utility, CanvOS has an argument variable named `PROXY_CERT_PATH`. This variable is From b7fb67f29be305c66b7f243b5d41c98ead73f1ae Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 16 Dec 2024 12:17:04 -0800 Subject: [PATCH 2/4] docs: remove dupe entry --- docs/docs-content/release-notes/release-notes.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/docs/docs-content/release-notes/release-notes.md b/docs/docs-content/release-notes/release-notes.md index 816a3143ba..db3a53c2ed 100644 --- a/docs/docs-content/release-notes/release-notes.md +++ b/docs/docs-content/release-notes/release-notes.md @@ -96,17 +96,6 @@ tags: ["release-notes"] if your cluster was created using a 4.5.x version of the Palette agent, upgrading from 4.4.x would not have renewed the certificate automatically. -#### Bug Fixes - -- Fixed an issue where the Certificate Authority (CA) certificate for Mutating Webhook Handler (MWH) expires after 90 - days and does not get automatically renewed, which affects cluster health. This issue affected Palette versions 4.4.20 - and prior and was fixed in 4.5.11. However, upgrading - - However, if you upgrade a cluster from 4.4.x to 4.5.x, this issue does not get addressed automatically. You must - manually delete the related secret and webhook using the commands - `kubectl delete secret --namespace spectro-system stylus-webhook-tls && kubectl delete mutatingwebhookconfiguration stylus-webhook` - and Palette agent will recreate them. - #### Deprecations and Removals - The EdgeForge build process utility, CanvOS has an argument variable named `PROXY_CERT_PATH`. This variable is From c09706d133689512bc50a6317e075d835c509ae4 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 16 Dec 2024 14:19:29 -0800 Subject: [PATCH 3/4] docs: minor edit --- .../release-notes/release-notes.md | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/docs/docs-content/release-notes/release-notes.md b/docs/docs-content/release-notes/release-notes.md index db3a53c2ed..2ed97bfe75 100644 --- a/docs/docs-content/release-notes/release-notes.md +++ b/docs/docs-content/release-notes/release-notes.md @@ -83,18 +83,24 @@ tags: ["release-notes"] [Build Provider Images](../clusters/edge/edgeforge-workflow/palette-canvos/build-provider-images.md) for guidance on using the **certs** folder to pass multiple proxy certificates to the CanvOS build process. - -- The Edge - pack has new parameters that allow you to configure node draining behavior during cluster upgrades or repaves. - Previously, nodes were always drained during upgrades and repaves, even for single-node clusters. Refer to - [Skip Node Draining](../clusters/edge/cluster-management/skip-draining.md) for guidance on configuring draining behavior. - -- Upgrading the Palette from 4.4.x to 4.5.15 and later will now automatically renew the Certificate Authority (CA) - certificate for Mutating Webhook Handler (MWH). This was an issue that affected 4.4.x and prior versions and was - partially addressed in 4.5.0. The new version fully addresses the issue by automatically renewing the CA certificate - for 10 years during an upgrade. In previous 4.5.x versions, while you would not encounter the certificate expiry issue - if your cluster was created using a 4.5.x version of the Palette agent, upgrading from 4.4.x would not have renewed - the certificate automatically. + + +- The Edge pack has new parameters that + allow you to configure node draining behavior during cluster upgrades or repaves. Previously, nodes were always + drained during upgrades and repaves, even for single-node clusters. Refer to + [Skip Node Draining](../clusters/edge/cluster-management/skip-draining.md) for guidance on configuring draining + behavior. + + + +- Upgrading the Palette agent from 4.4.x to 4.5.11 and later will now automatically renew the Certificate Authority (CA) + certificate for `stylus-webhook` Mutating Webhook Configuration. The corresponding Palette version for Palette agent + 4.5.11 is 4.5.15. + + This was an issue that affected 4.4.x and prior versions and was partially addressed in 4.5.0. The new version fully + addresses the issue by automatically renewing the CA certificate for 10 years during an upgrade. In previous 4.5.x + versions, while you would not encounter the certificate expiry issue if your cluster was created using a 4.5.x version + of the Palette agent, upgrading from 4.4.x would not have renewed the certificate automatically. #### Deprecations and Removals From 6a38ec2b0e9a3dd97615aeed120f87beafbf83e8 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 16 Dec 2024 14:28:36 -0800 Subject: [PATCH 4/4] docs: move over to bug fix --- docs/docs-content/release-notes/release-notes.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/docs-content/release-notes/release-notes.md b/docs/docs-content/release-notes/release-notes.md index 2ed97bfe75..523ff0dc2e 100644 --- a/docs/docs-content/release-notes/release-notes.md +++ b/docs/docs-content/release-notes/release-notes.md @@ -93,6 +93,8 @@ tags: ["release-notes"] +#### Bug Fixes + - Upgrading the Palette agent from 4.4.x to 4.5.11 and later will now automatically renew the Certificate Authority (CA) certificate for `stylus-webhook` Mutating Webhook Configuration. The corresponding Palette version for Palette agent 4.5.11 is 4.5.15.