Merge branch 'devel' into ovn-ic

.github/workflows/build.yml

@@ -12,15 +12,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 0
 
       - name: Build the website static files
         run: make static-all
 
       - name: Upload proposed static website for review
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         with:
           name: Proposed static website
           path: output

.github/workflows/linting.yml

@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
       - name: Run markdown-link-check
         uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec
@@ -53,7 +53,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Run markdownlint
         uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d
         with:
@@ -66,7 +66,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Run yamllint
         uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c
         with:

.github/workflows/periodic.yml

@@ -16,7 +16,7 @@ jobs:
       issues: write
     steps:
       - name: Check out the repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
       - name: Run markdown-link-check
         uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec

.github/workflows/publish.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 0
 

.markdownlinkcheck.json

@@ -20,6 +20,9 @@
     },
     {
       "pattern": "^https://opensource.org/licenses/Apache-2.0$"
+    },
+    {
+      "pattern": "^https://web.archive.org/web/"
     }
   ]
 }

src/content/community/releases/_index.en.md

@@ -5,6 +5,99 @@ weight = 40
 +++
 <!-- markdownlint-disable no-duplicate-header -->
 
+## v0.15.3 (November 3, 2023)
+
+* The `subctl diagnose` command has been enhanced to check for potential firewall issues that may be blocking ESP traffic
+  and will provide an appropriate error message.
+* Submariner now explicitly enables forwarding on the interfaces that it creates to support forwarding even when
+  global forwarding on the node is turned off.
+* Enhanced Calico CNI detection now includes searching for calico-node CNI pods when the calico-config map is
+  not detected.
+* Submariner now explicitly configures dpddelay when initiating IPsec connections to prevent excessively frequent
+  liveness probes.
+* Service Discovery will now publish DNS records for pods that are not ready based on the setting of the `publishNotReadyAddresses`
+  flag on the service.
+* The CNI detection method in Submariner Operator is now improved to detect the Flannel CNI, even when the Flannel configMap
+  is missing from the cluster.
+* Submariner now ensures that the IPsec control socket is created before initiating connection requests, and also
+  automatically retries connections in response to errors reported by the 'whack' command.
+* The pod CIDR detection logic now ensures that the node's `podCIDR` is exclusively used for single-node deployments.
+* The Submariner gateway now retries reading local node information on startup to reduce pod restarts if the Kubernetes API server is
+  temporarily unavailable.
+* Reduced data path downtime with Libreswan cable driver when gateway pod restarts.
+
+## v0.14.7 (October 17, 2023)
+
+* Submariner now explicitly enables forwarding on the interfaces that it creates to support forwarding even
+  when global forwarding on the node is turned off.
+* Submariner now ensures that the IPsec control socket is created before initiating connection requests, and also
+  automatically retries connections in response to errors reported by the 'whack' command.
+* The Submariner gateway now retries reading local node information on startup to reduce pod restarts if the Kubernetes API server is
+  temporarily unavailable.
+* Reduced data path downtime with Libreswan cable driver when gateway pod restarts.
+
+## v0.16.0 (October 2, 2023)
+
+### New features
+
+* The `subctl cloud prepare azure` command has a new flag, `air-gapped`, to indicate the cluster is in an air-gapped
+  environment which may forbid certain configurations in a disconnected Azure installation.
+* `subctl` is now built for ARM Macs (Darwin arm64).
+* `subctl show versions` now shows the version of the metrics proxy component.
+* The `subctl gather` command now collects metrics proxy pod logs in Globalnet deployments.
+* For headless services, Service Discovery now derives its `EndpointSlices` from the Kubernetes `EndpointSlices` so for each
+  Kubernetes `EndpointSlice` there will be a corresponding Service Discovery `EndpointSlice`.  Service Discovery `EndpointSlices`
+  follow the same naming convention in that the names are auto-generated by Kubernetes prefixed by the service name.
+  Endpoints for all conditions are now included - prior releases only published ready endpoints.
+* Service Discovery will now publish DNS records for pods that are not ready based on the setting of the `publishNotReadyAddresses`
+  flag on the service.
+* Service Discovery now propagates labels from an exported `Service` to its generated `EndpointSlices`.
+* The new `subctl upgrade` command can upgrade `subctl` itself in-place, and upgrade Submariner deployments on brokers
+  and joined clusters to the corresponding version of Submariner.
+* The `subctl diagnose` command has been enhanced to check for potential firewall issues that may be blocking ESP traffic
+  and will provide an appropriate error message.
+* Submariner now explicitly enables forwarding on the interfaces that it creates to support forwarding even when
+  global forwarding on the node is turned off.
+
+### Other changes
+
+* Reduced data path downtime with Libreswan cable driver when gateway pod restarts.
+* Fixed an issue with OVNKubernetes CNI where routes could be accidentally deleted during cluster restart, or
+  upgrade scenarios.
+* Submariner gateway pods now skip invoking cable engine cleanup during termination, as this is handled by the route agent
+  during gateway migration.
+* The status condition type "Allocated" for Globalnet resources now adheres to the intended design of status conditions in
+  Kubernetes by reflecting only the latest observed status.
+* Fixed issue which caused the IPsec pluto process to crash when the remote endpoint was unstable.
+* Submariner now explicitly configures dpddelay when initiating IPsec connections to prevent excessively frequent
+  liveness probes.
+* Submariner now uses case-insensitive comparison while parsing CNI names.
+* Enhanced Calico CNI detection now includes searching for calico-node CNI pods when the calico-config map is not detected.
+* Submariner now automatically creates the necessary Calico IPPools for remote cluster connectivity when the Calico API Server is
+  installed in the cluster.
+* Fixed an issue with Service Discovery with Globalnet enabled where a service was inaccessible after recreating it.
+* Fixed an issue with Service Discovery where a remote cluster's service was inaccessible after recreating its local namespace.
+* Service Discovery with Globalnet enabled now correctly handles headless services without a selector.
+* The pod CIDR detection logic now ensures that the node's `podCIDR` is exclusively used for single-node deployments.
+* `subctl verify` no longer requires the KUBECONFIG environment variable to be set.
+* The `submariner_service_export` metric is now properly exposed after being inadvertently removed.
+* The Globalnet component now handles out-of-order remote endpoint notifications properly.
+* The Submariner gateway now retries reading local node information on startup to reduce pod restarts if the Kubernetes API server is
+  temporarily unavailable.
+* Submariner now ensures that the IPsec control socket is created before initiating connection requests, and also
+  automatically retries connections in response to errors reported by the 'whack' command.
+* The CNI detection method in Submariner Operator is now improved to detect the Flannel CNI, even when the Flannel configMap
+  is missing from the cluster.
+
+### Known issues
+
+* Upgrades involving OVN can fail because one of the OVN sockets is replaced by a directory.
+  To bring affected nodes up successfully, all invalid sockets on each node must be removed: `find /run -type d -name '*.sock' -delete`.
+  v0.16.0 includes a partial fix for this: route agents wait for node readiness before starting,
+  which allows OVN to finish initializing.
+  In some scenarios however, an invalid directory is created before OVN is upgraded, which prevents OVN from starting up correctly.
+  This will be fixed fully in v0.16.1.
+
 ## v0.14.6 (July 5, 2023)
 
 * The `subctl cloud prepare azure` command has a new flag, `air-gapped`, to indicate the cluster is in an air-gapped

src/content/development/release-process/_index.en.md

@@ -66,11 +66,10 @@ resolved before the branch can be merged.
 
 The release notes are maintained in reverse chronological order. Each version should have its release date added in the release note merge PR.
 
-See [the 0.15.2 merge PR](https://github.com/submariner-io/submariner-website/pull/991) for an example of a release note merge PR: it
-contains all the commits which built up the release notes, and a final merge commit from `devel` to resolve conflicts. The result only
-contains changes to the release notes `_index.en.md` file, with the changes for the released version. If additional changes need to be
-added to a pending merge branch, they should be merged to the release notes branch and that branch then merged to the pending merge branch
-(which will result in a fast-forward merge). The updated pending merge branch can then be force-pushed to GitHub to update the PR.
+Our GitHub configuration requires a rebase before merging PRs, which means we need to use `git rebase` instead of `git merge`.
+See [the 0.16.0 PR](https://github.com/submariner-io/submariner-website/pull/1056) for an example. If additional changes need to be added,
+they should be added to the release notes branch first. If the initial PR is still pending, they can then be rebased onto the PR's branch.
+If the initial PR has been merged, they can be rebased onto devel and submitted with an additional PR.
 
 ### Updating Dependencies
 
@@ -330,7 +329,7 @@ OpenShift users will find Submariner's Operator in the official [Red Hat catalog
 
 1) Clone the [`submariner-operator`](https://github.com/submariner-io/submariner-operator) repository.
 
-2) Make sure you have [`operator-sdk` v1 installed](https://v1-0-x.sdk.operatorframework.io/docs/installation/install-operator-sdk/).
+2) Make sure you have [`operator-sdk` v1 installed](https://sdk.operatorframework.io/docs/installation/).
 
 3) Generate new package manifests:
 

src/content/getting-started/architecture/broker/_index.en.md

@@ -7,8 +7,10 @@ Submariner uses a central Broker component to facilitate the exchange of metadat
 information between Gateway Engines deployed in participating clusters. The Broker is
 basically a set of Custom Resource Definitions (CRDs) backed by the Kubernetes datastore.
 The Broker also defines a ServiceAccount and RBAC components to enable other Submariner
-components to securely access the Broker's API. There are no Pods or Services deployed
-with the Broker.
+components to securely access the Broker's API.
+
+While there no Services associated with the Broker, if using ```subctl``` to deploy the Broker, an
+operator Pod is also deployed that installs the CRDs and the Globalnet configuration.
 
 Submariner defines two CRDs that are exchanged via the Broker: `Endpoint` and `Cluster`.
 The `Endpoint` CRD contains the information about the active Gateway Engine in a cluster,

src/content/getting-started/quickstart/_index.en.md

@@ -5,7 +5,6 @@ weight = 20
 +++
 
 * [Sandbox Environment (kind)](kind)
-* [K3s](k3s)
 * [Managed Kubernetes](managed-kubernetes)
   * [Google (GKE)](managed-kubernetes/gke)
   * [Rancher](managed-kubernetes/rancher)

src/content/getting-started/quickstart/external/_index.md

@@ -48,9 +48,6 @@ In addition to providing connectivity, the source IP of traffic is also preserve
     | cluster-b |10.42.0.0/24  |10.43.0.0/16  |
 
     Note that we will use Globalnet in this guide, therefore overlapping CIDRs are supported.
-    One of the easiest way to create this environment will be to deploy two K3s clusters by the steps described
-    [here](https://submariner.io/getting-started/quickstart/k3s/) until "Deploy cluster-b on node-b",
-    with modifying deploy commands to just `curl -sfL https://get.k3s.io | sh -` to use default CIDR.
 
 {{% notice note %}}
 In this configuration, global IPs are used to access between the gateway node and non-cluster hosts,
@@ -79,7 +76,7 @@ subctl deploy-broker --kubeconfig kubeconfig.cluster-a --globalnet
 
 When Submariner joins a cluster to the broker via the `subctl join` command, it chooses a node on which to install the
 gateway by labeling it appropriately. By default, Submariner uses a worker node for the gateway; if there are no worker
-nodes, then no gateway is installed unless a node is manually labeled as a gateway. Since we are deploying k3s all-in-one
+nodes, then no gateway is installed unless a node is manually labeled as a gateway. Since we are deploying all-in-one
 nodes, there are no worker nodes, so it is necessary to label the single node as a gateway. By default, the node name is
 the hostname. In this example, the hostnames are "cluster-a" and "cluster-b", respectively.
 
@@ -322,19 +319,6 @@ curl 242.0.255.253
 
 On test-vm, check the console log of HTTP server that there are accesses from pods
 
-{{% notice note %}}
-Currently, **headless** service without selector is not supported for Globalnet,
-therefore service without selector needs to be used.
-This feature is under discussion in [#1537](https://github.com/submariner-io/submariner/issues/1537).
-{{% /notice %}}
-
-{{% notice note %}}
-Currently, DNS resolution for service without selector is not supported,
-therefore global IPs need to be used to access to the external hosts.
-This feature is under discussion in [#603](https://github.com/submariner-io/lighthouse/issues/603).
-Note that there is a workaround to make it resolvable by manually creating endpointslice, as described [here](https://github.com/submariner-io/lighthouse/issues/603#issuecomment-901944297).
-{{% /notice %}}
-
 ##### Verify access to Deployment from non-cluster hosts
 
 Create Deployment in cluster-b: