2.17.0 release with openshift 4.15 (#3449)

Author: vidyasagar-m

README.md

@@ -22,7 +22,7 @@ For guides on this and other solutions for Kubernetes, see the
 
 What's New?
 -----------
-Support for Custom Resource Definitions [Documentation](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/customResource/CustomResource.md)
+Support for Custom Resource Definitions [Documentation] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/customResource/CustomResource.md)
 
 Getting Help
 ------------

docs/RELEASE-NOTES.rst

@@ -384,7 +384,7 @@ different terminations(for same domain), one with edge and another with re-encry
 | interval | Int | Required | 5 | Seconds between health queries |
 | timeout | Int | Optional | 16 | Seconds before query fails |
 
-Refer https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/customResource/ExternalDNS/README.md 
+Refer https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/customResource/ExternalDNS/README.md 
 
 **Note**: 
 * To set up external DNS using BIG-IP GTM user needs to first manually configure GSLB → Datacenter and GSLB → Server on BIG-IP common partition.

docs/config_examples/customResource/CustomResource.md

@@ -22,6 +22,12 @@ Create IngressLink Custom Resource definition as follows:
     export CIS_VERSION=<cis-version>
     # For example
     # export CIS_VERSION=v2.12.0
+    # or
+    # export CIS_VERSION=2.x-master
+    #
+    # the latter if using a CIS image with :latest label
+    #
+
     kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
     ```
 

docs/config_examples/customResource/IngressLink/README.md

@@ -13,14 +13,19 @@ Custom resources can appear and disappear in a running cluster through dynamic r
   export CIS_VERSION=<cis-version>
   # For example
   # export CIS_VERSION=v2.12.0
+  # or
+  # export CIS_VERSION=2.x-master
+  #
+  # the latter if using a CIS image with :latest label
+  #
   kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
   ```
 
 ## Updating Custom Resource Definitions
 
 Currently, all 2.x.x releases support v1 version of CRDs. 
 
-Below are changes which need attention. Please refer [release notes](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/RELEASE-NOTES.rst), [upgrade documentation](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/upgradeProcess.md) for complete details.
+Below are changes which need attention. Please refer [release notes](https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/RELEASE-NOTES.rst), [upgrade documentation](https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/upgradeProcess.md) for complete details.
 
 | Version    | Change                                                                      |
 |------------|-----------------------------------------------------------------------------|

docs/config_examples/customResourceDefinitions/crd_update.md

@@ -118,6 +118,12 @@ spec:
                 dos:
                   type: string
                   pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$'
+                profileAccess:
+                  type: string
+                  pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$'
+                policyPerRequestAccess:
+                  type: string
+                  pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$'
                 botDefense:
                   type: string
                   pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$'
@@ -393,6 +399,9 @@ spec:
                   type: integer
                   minimum: 1
                   maximum: 65535
+              x-kubernetes-validations:
+                - rule: "!has(self.partition) || self.partition != 'Common'"
+                  message: "The partition cannot be 'Common' if specified."
             status:
               type: object
               properties:
@@ -641,6 +650,27 @@ spec:
                       anyOf:
                         - type: integer
                         - type: string
+                    weight:
+                      type: integer
+                      minimum: 0
+                      maximum: 100
+                    alternateBackends:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          service:
+                            type: string
+                            pattern: '[a-z]([-a-z0-9]*[a-z0-9])?'
+                          serviceNamespace:
+                            type: string
+                            pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$'
+                          weight:
+                            type: integer
+                            minimum: 0
+                            maximum: 100
+                        required:
+                          - service
                     serviceNamespace:
                       type: string
                       pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$'
@@ -719,13 +749,20 @@ spec:
                             anyOf:
                               - type: integer
                               - type: string
+                          weight:
+                            type: integer
+                            minimum: 0
+                            maximum: 100
                   required:
                       - service
                       - servicePort
               required:
                 - virtualServerPort
                 - pool
                 - mode
+              x-kubernetes-validations:
+                - rule: "!has(self.partition) || self.partition != 'Common'"
+                  message: "The partition cannot be 'Common' if specified."
             status:
               type: object
               properties:
@@ -943,6 +980,9 @@ spec:
                         type: string
                       type: object
                   type: object
+              x-kubernetes-validations:
+                - rule: "!has(self.partition) || self.partition != 'Common'"
+                  message: "The partition cannot be 'Common' if specified."
             status:
               type: object
               properties:
@@ -990,6 +1030,12 @@ spec:
                     waf:
                       type: string
                       pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$'
+                    profileAccess:
+                      type: string
+                      pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$'
+                    policyPerRequestAccess:
+                      type: string
+                      pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$'
                 l3Policies:
                   type: object
                   properties:

docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml

@@ -87,9 +87,9 @@ If it's specified in both the places then allow source range in policy CR has mo
 ### SSL Profiles precedence
 * SSL can be specified in route as certificate(spec certs), route annotation as bigip reference/secret or as default SSL profiles in extended configmap. 
 * If route is defined with both certificate(spec certs) and SSL annotation then route annotation will have more precedence followed by route certificate(spec certs). Default SSL profiles in extended configmap will have the least precedence.
-* Route with SSL profiles annotation reference to bigip [Example](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/routes/reencrypt-route-with-bigip-reference-in-ssl-annotaion.yaml)
-* Route with SSL profiles annotation reference to secret [Example](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/routes/reencrypt-route-with-k8s-secret-in-ssl-annotation.yaml)
-* Extended configmap with defaultTLS [Example](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml)
+* Route with SSL profiles annotation reference to bigip [Example] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/routes/reencrypt-route-with-bigip-reference-in-ssl-annotaion.yaml)
+* Route with SSL profiles annotation reference to secret [Example] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/routes/reencrypt-route-with-k8s-secret-in-ssl-annotation.yaml)
+* Extended configmap with defaultTLS [Example] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml)
 
 ### Support for Health Monitors from pod readiness probe using autoMonitor
 CIS uses the readiness probe of the pods to form the health monitors, whenever health annotations not provided in the route annotations and autoMonitor is set to readiness-probe in the extended configmap.
@@ -98,12 +98,12 @@ By default, autoMonitor is set to none in the extended configmap.
 This behaviour can be changed by setting autoMonitor in baseRouteSpec of the extended configmap.
 
 ## Migration Guide
-Follow  [Migration Guide](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/migration-guide.md)
+Follow  [Migration Guide] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/migration-guide.md)
 
 ## Prerequisites
 
 * Clean up the partition in BIG-IP, where the existing route config is deployed.
-  * Use the POST Method with below endpoint along with this AS3 declaration [Empty Declaration](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/AS3-empty-declaration.json) for cleanup.
+  * Use the POST Method with below endpoint along with this AS3 declaration [Empty Declaration] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/AS3-empty-declaration.json) for cleanup.
 
     mgmt/shared/appsvcs/declare
 
@@ -114,6 +114,11 @@ Follow  [Migration Guide](https://github.com/F5Networks/k8s-bigip-ctlr/blob/mast
     export CIS_VERSION=<cis-version>
     # For example
     # export CIS_VERSION=v2.12.0
+    # or
+    # export CIS_VERSION=2.x-master
+    #
+    # the latter if using a CIS image with :latest label
+    #
     kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
     ```
 
@@ -717,10 +722,10 @@ allow, redirect and none termination supported with edge routes, while re-encryp
 ### Do we support bigIP referenced SSL Profiles annotations on routes?
 Yes you can continue the SSL Profiles in route annotations.
 ### Do we support Kubernetes secrets in SSL Profiles annotations on routes?
-Yes you can define the Kubernetes secret in route's SSL annotations. Please refer to [Example](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/routes/reencrypt-route-with-k8s-secret-in-ssl-annotation.yaml).
+Yes you can define the Kubernetes secret in route's SSL annotations. Please refer to [Example] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/routes/reencrypt-route-with-k8s-secret-in-ssl-annotation.yaml).
 ### Can we the use legacy default-client-ssl and default-server-ssl CLI parameters?
 No, they are no longer supported as CLI parameters. These CLI parameters are moved to extended configmap -> baseRouteSpec -> defaultTLS -> clientSSL and serverSSL.
-Please refer to [Example](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml).
+Please refer to [Example] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml).
 ### What is the precedence of client and server SSL profiles? 
 CIS considers following precedence order.  Route annotations have the highest priority( followed by) route certificates(spec certs) have next priority (followed by) extended configmap baseRouteSpec default profiles.
 ### What is not supported with the SSL profiles?
@@ -743,7 +748,7 @@ You can use both PolicyCR and httpServerPolicyCR in route group to apply differe
 If only policyCR is used in a route group, then profiles/policies specified in it are applied to both HTTP and HTTPS virtual servers.</br>
 If only httpServerPolicyCR is used in a route group, then profiles/policies specified in it are applied to only HTTP virtual server.</br>
 If both policyCR and httpServerPolicyCR are used in a route group, then profiles/policies specified in policyCR are applied to HTTPS virtual server and profiles/policies specified in httpServerPolicyCR are applied to HTTP virtual server.</br>
-To use the httpServerPolicyCR in Extended ConfigMap, please refer to [Example](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/configmap). </br>
+To use the httpServerPolicyCR in Extended ConfigMap, please refer to [Example] (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/next-gen-routes/configmap). </br>
 Make sure that both policyCR and httpServerPolicyCR are created in a namespace which CIS is monitoring.
 
 

docs/config_examples/next-gen-routes/README.md

@@ -166,6 +166,11 @@ Sample Route:
     export CIS_VERSION=<cis-version>
     # For example
     # export CIS_VERSION=v2.12.0
+    # or
+    # export CIS_VERSION=2.x-master
+    #
+    # the latter if using a CIS image with :latest label
+    #
     kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
     ```
 

docs/config_examples/next-gen-routes/migration-guide.md

@@ -0,0 +1,49 @@
+# for reference only
+# Should be changed as per your cluster requirements
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole
+rules:
+  - apiGroups: ["", "extensions", "networking.k8s.io"]
+    resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods", "ingressclasses", "policies"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["", "extensions", "networking.k8s.io"]
+    resources: ["configmaps", "events", "ingresses/status", "services/status"]
+    verbs: ["get", "list", "watch", "update", "create", "patch"]
+  - apiGroups: ["cis.f5.com"]
+    resources: ["virtualservers","virtualservers/status", "tlsprofiles", "transportservers", "transportservers/status", "ingresslinks", "ingresslinks/status", "externaldnses", "policies"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["fic.f5.com"]
+    resources: ["ipams", "ipams/status"]
+    verbs: ["get", "list", "watch", "update", "create", "patch", "delete"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch", "update", "create", "patch"]
+  - apiGroups: ["", "extensions"]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["config.openshift.io/v1"]
+    resources: ["network"]
+    verbs: ["list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole-binding
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bigip-ctlr-clusterrole
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: bigip-ctlr
+    namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bigip-ctlr
+  namespace: kube-system

docs/config_examples/rbac/k8s_rbac.yml

@@ -0,0 +1,49 @@
+# for reference only
+# Should be changed as per your cluster requirements
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole
+rules:
+  - apiGroups: ["", "extensions", "networking.k8s.io", "route.openshift.io"]
+    resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods", "ingressclasses", "policies", "routes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["", "extensions", "networking.k8s.io", "route.openshift.io"]
+    resources: ["configmaps", "events", "ingresses/status", "services/status", "routes/status"]
+    verbs: ["get", "list", "watch", "update", "create", "patch"]
+  - apiGroups: ["cis.f5.com"]
+    resources: ["virtualservers","virtualservers/status", "tlsprofiles", "transportservers", "transportservers/status", "ingresslinks", "ingresslinks/status", "externaldnses", "policies"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["fic.f5.com"]
+    resources: ["ipams", "ipams/status"]
+    verbs: ["get", "list", "watch", "update", "create", "patch", "delete"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch", "update", "create", "patch"]
+  - apiGroups: ["", "extensions"]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["config.openshift.io/v1"]
+    resources: ["network"]
+    verbs: ["list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole-binding
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bigip-ctlr-clusterrole
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: bigip-ctlr
+    namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bigip-ctlr
+  namespace: kube-system