TELCODOCS-2622 Telco RAN RDS updates

Author: slovern

modules/telco-ran-cert-manager-operator.adoc

@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * scalability_and_performance/telco-ran-du-rds.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="telco-ran-cert-manager-operator_{context}"]
+= cert-manager Operator
+
+
+New in this release::
+* The cert-manager Operator is a new optional component in this release.
+
+Description::
++
+--
+The cert-manager Operator for {product-title} manages the lifecycle of TLS certificates for cluster components and workloads.
+The cert-manager Operator automates certificate issuance, renewal, and rotation, eliminating manual certificate management.
+The reference configuration includes the cert-manager Operator to optionally manage certificates for the API server and ingress controller endpoints.
+--
+
+Limits and requirements::
+
+* The reference configuration includes only the ACME DNS01 challenge type for platform certificate issuance.
+
+Engineering considerations::
+
+* Use {rh-rhacm} `CertificatePolicy` resources on the hub cluster to monitor certificate expiration and compliance across managed clusters.

modules/telco-ran-crs-day-2-operators.adoc

@@ -46,6 +46,10 @@ PTP Operator,`ptp-operator/configuration/PtpConfigThreeCardGmWpc.yaml`,Configure
 PTP Operator,`ptp-operator/configuration/PtpConfigGmWpc.yaml`,Configures PTP grandmaster clock settings for hosts that have a single NIC. Dependent on cluster role.,No
 PTP Operator,`ptp-operator/configuration/PtpConfigSlave.yaml`,Configures PTP settings for a PTP ordinary clock. Dependent on cluster role.,No
 PTP Operator,`ptp-operator/configuration/PtpConfigDualFollower.yaml`,Configures PTP settings for a PTP ordinary clock with 2 interfaces in an active/standby configuration. Dependent on cluster role.,No
+PTP Operator,`ptp-operator/configuration/PtpConfigTBCWpc.yaml`,Configures PTP as a Telcom boundary clock. Dependent on cluster role.,No
+PTP Operator,`ptp-operator/configuration/PtpConfigDualCardTBCWpc.yaml`,Configures PTP as a Telcom boundary clock for hosts that have dual NICs. Dependent on cluster role.,No
+PTP Operator,`ptp-operator/configuration/PtpConfigThreeCardTBCWpc.yaml`,Configures PTP as a Telcom boundary clock for hosts that have 3 NICs. Dependent on cluster role.,No
+PTP Operator,`ptp-operator/configuration/PtpConfigTTSCWpc.yaml`,Configures PTP settings for a PTP Telcom Time Slave Clock with single interface. Dependent on cluster role.,N
 PTP Operator,`ptp-operator/PtpOperatorConfig.yaml`,"Configures the PTP Operator settings, specifying node selection criteria for running PTP daemons in the openshift-ptp namespace.",No
 PTP Operator,`ptp-operator/PtpSubscription.yaml`,Manages installation and updates of the PTP Operator in the openshift-ptp namespace.,No
 PTP Operator,`ptp-operator/PtpSubscriptionNS.yaml`,Configures the namespace for the PTP Operator.,No
@@ -63,4 +67,12 @@ SR-IOV Operator,`sriov-operator/SriovOperatorConfigForSNO.yaml`,"Configures the
 SR-IOV Operator,`sriov-operator/SriovSubscription.yaml`,Manages the installation and updates of the SR-IOV Network Operator.,No
 SR-IOV Operator,`sriov-operator/SriovSubscriptionNS.yaml`,Creates the namespace for the SR-IOV Network Operator with specific annotations for workload management and deployment waves.,No
 SR-IOV Operator,`sriov-operator/SriovSubscriptionOperGroup.yaml`,"Defines the target namespace for the SR-IOV Network Operators, enabling their management and deployment within this namespace.",No
+Cert-Manager,`optional/cert-manager/certManagerNS.yaml`,Defines the cert-manager-operator namespace.,Yes
+Cert-Manager,`optional/cert-manager/certManagerOperatorgroup.yaml`,Defines the OperatorGroup for cert-manager.,Yes
+Cert-Manager,`optional/cert-manager/certManagerSubscription.yaml`,Installs the OpenShift cert-manager operator.,Yes
+Cert-Manager,`optional/cert-manager/certManagerClusterIssuer.yaml`,Configures an ACME ClusterIssuer using Let's Encrypt with DNS-01 challenge.,Yes
+Cert-Manager,`optional/cert-manager/apiServerCertificate.yaml`,Creates a certificate for the API Server endpoint.,Yes
+Cert-Manager,`optional/cert-manager/ingressCertificate.yaml`,Creates a wildcard certificate for the Ingress/Router.,Yes
+Cert-Manager,`optional/cert-manager/apiServerConfig.yaml`,Configures OpenShift to use the cert-manager generated API Server certificate.,Yes
+Cert-Manager,`optional/cert-manager/ingressControllerConfig.yaml`,Configures OpenShift to use the cert-manager generated Ingress certificate.,Yes
 |====

modules/telco-ran-crs-machine-configuration.adoc

@@ -12,8 +12,6 @@
 Component,Reference CR,Description,Optional
 Container runtime (crun),`optional-extra-manifest/enable-crun-master.yaml`,Configures the container runtime (crun) for control plane nodes.,No
 Container runtime (crun),`optional-extra-manifest/enable-crun-worker.yaml`,Configures the container runtime (crun) for worker nodes.,No
-CRI-O wipe disable,`extra-manifest/99-crio-disable-wipe-master.yaml`,Disables automatic CRI-O cache wipe following a reboot for on control plane nodes.,No
-CRI-O wipe disable,`extra-manifest/99-crio-disable-wipe-worker.yaml`,Disables automatic CRI-O cache wipe following a reboot for on worker nodes.,No
 Kdump enable,`extra-manifest/06-kdump-master.yaml`,Configures kdump crash reporting on master nodes.,No
 Kdump enable,`extra-manifest/06-kdump-worker.yaml`,Configures kdump crash reporting on worker nodes.,No
 Kubelet configuration and container mount hiding,`extra-manifest/01-container-mount-ns-and-kubelet-conf-master.yaml`,Configures a mount namespace for sharing container-specific mounts between kubelet and CRI-O on control plane nodes.,No

modules/telco-ran-du-application-workloads.adoc

@@ -14,6 +14,7 @@ Description and limits::
 --
 * Develop cloud-native network functions (CNFs) that conform to the latest version of link:https://redhat-best-practices-for-k8s.github.io/guide/[Red Hat best practices for Kubernetes].
 * Use SR-IOV for high performance networking.
+* For information on the decrease in the default maximum open files soft limit for containers, see the {product-title} 4.21 release notes. 
 * Use exec probes sparingly and only when no other suitable options are available.
 ** Do not use exec probes if a CNF uses CPU pinning.
 Use other probe implementations, for example, `httpGet` or `tcpSocket`.

modules/telco-ran-machine-configuration.adoc

@@ -10,8 +10,7 @@ New in this release::
 * No reference design updates in this release
 
 Limits and requirements::
-* The CRI-O wipe disable `MachineConfig` CR assumes that images on disk are static other than during scheduled maintenance in defined maintenance windows.
-To ensure the images are static, do not set the pod `imagePullPolicy` field to `Always`.
+* To ensure images are static, except during scheduled maintenance in defined maintenance windows, do not set the pod `imagePullPolicy` field to `Always`.
 * The configuration CRs in this table are required components unless otherwise noted.
 
 .Machine configuration options

modules/telco-ran-node-tuning-operator.adoc

@@ -7,8 +7,9 @@
 = CPU partitioning and performance tuning
 
 New in this release::
-* The `PerformanceProfile` and `TunedPerformancePatch` objects have been updated to fully support the aarch64 architecture.
-** If you have previously applied additional patches to the `TunedPerformancePatch` object, you must convert those patches to a new performance profile that includes the `ran-du-performance` profile instead. See the "Engineering considerations" section.
+* There is now optional support for `acpi_idle` CPUIdle driver.
+* Updates to `TunedPerformancePatch` to enable the triggering a kernel panic for system recovery and diagnostic purposes when x86_64 architecture nodes become unresponsive. The `TunedPerformancePatch` configures the `kernel.panic_on_unrecovered_nmi` sysctl parameter to enable triggering a kernel panic through BMC Non-Maskable Interrupt (NMI) on x86_64 architectures.
+
 
 
 Description::
@@ -61,8 +62,10 @@ The variation must still meet the specified limits.
 * Hardware without IRQ affinity support affects isolated CPUs.
 To ensure that pods with guaranteed whole CPU QoS have full use of allocated CPUs, all hardware in the server must support IRQ affinity.
 * To enable workload partitioning, set `cpuPartitioningMode` to `AllNodes` during deployment, and then use the `PerformanceProfile` CR to allocate enough CPUs to support the operating system, interrupts, and {product-title} pods.
-* Under x86_64, the `PerformanceProfile` CR includes additional kernel arguments settings for `vfio_pci`.
-These arguments are included for support of devices such as the FEC accelerator. You can omit them if they are not required for your workload.
+* Tailor `systemReserved` memory for each cluster based on its size and application workload. The minimum recommended value is 11Gi.
+* Under x86_64, the `PerformanceProfile` may be customized with the following optional arguments in the `additionalKernelargs` list:
+** The `vcio_pci` arguments support devices such as the FEC accelerator. You can omit them if they are not required for your workload.
+** To enable the `acpi_idle`` CPUIdle driver, for example, for Intel FlexRAN, add `intel_idle.max_cstate=0`
 * Under aarch64, the `PerformanceProfile` must be adjusted depending on the needs of the platform:
 ** For Grace Hopper systems, the following kernel commandline arguments are required:
 *** `acpi_power_meter.force_cap_on=y`

modules/telco-ran-ptp-operator.adoc

@@ -7,7 +7,7 @@
 = PTP Operator
 
 New in this release::
-* No reference design updates in this release
+* {product-title} 4.20 introduced unassisted holdover for boundary clocks and time synchronous clocks as a Technology Preview feature. This feature is now Generally Available (GA).
 
 Description::
 Configure Precision Time Protocol (PTP) in cluster nodes.
@@ -35,9 +35,9 @@ Limits and requirements::
 * Log reduction must be enabled with `true` or `enhanced`.
 
 Engineering considerations::
-* * Example RAN DU RDS configurations are provided for:
+* Example RAN DU RDS configurations are provided for:
 ** T-GM, T-BC, and T-TSC
 ** Variations with and without HA
 * PTP fast event notifications use `ConfigMap` CRs to persist subscriber details.
 * Hierarchical event subscription as described in the O-RAN specification is not supported for PTP events.
-* The PTP fast events REST API v1 is end of life.
+* Cluster Node(s) must have proper NTP configuration to ensure correct time prior to PTP operator taking ownership of node timing.

modules/telco-ran-red-hat-advanced-cluster-management-rhacm.adoc

@@ -7,7 +7,7 @@
 = Red Hat Advanced Cluster Management
 
 New in this release::
-* No reference design updates in this release
+* The CRI-O wipe disable `MachineConfig` CR is no longer needed as cri-o is now handling unclean shutdowns by performing a quick check and repair.
 
 Description::
 +

modules/telco-ran-sysctls.adoc

@@ -7,17 +7,27 @@
 = Kubelet Settings
 
 Some CNF workloads make use of sysctls which are not in the list of system-wide safe sysctls.
-Generally, network sysctls are namespaced and you can enable them using the `kubeletconfig.experimental` annotation in the `PerformanceProfile` Custom Resource (CR) as a string of JSON in the following form: 
+Generally, network sysctls are namespaced and you can enable them using the `kubeletconfig.experimental` annotation in the `PerformanceProfile` Custom Resource (CR).
 
-.Example snippet showing allowedUnsafeSysctls
+Additionally, the `systemReserved` memory can be configured through the same `kubeletconfig.experimental` annotation to reserve memory for system daemons and kernel processes. An example setting of these parameters as a string of JSON is shown here:
+.Example snippet showing allowedUnsafeSysctls and systemReserved
+
+
+.Example snippet showing allowedUnsafeSysctls and systemReserved
 [source,yaml]
 ----
 apiVersion: performance.openshift.io/v2
 kind: PerformanceProfile
 metadata:
   name: {{ .metadata.name }}
-  annotations:kubeletconfig.experimental: |
-      {"allowedUnsafeSysctls":["net.ipv6.conf.all.accept_ra"]}
+  annotations:
+    # allowedUnsafeSysctls: some pods want the kernel stack to ignore IPv6 router Advertisement.
+    # systemReserved: when used, it should be tailored for each environment.
+    kubeletconfig.experimental: |
+      {
+       "allowedUnsafeSysctls":["net.ipv6.conf.all.accept_ra"],
+       "systemReserved":{"memory":"11Gi"}
+      }
 # ...
 ----
 

modules/ztp-telco-ran-software-versions.adoc

@@ -14,27 +14,27 @@ The Red Hat telco RAN DU {product-version} solution has been validated using the
 |Component
 |Software version
 
-|Managed cluster version
+|cert-manager Operator
 |4.19
 
 |Cluster Logging Operator
 |6.2
 
 |Local Storage Operator
-|4.20
+|4.21
 
 |OpenShift API for Data Protection (OADP)
 |1.5
 
 |PTP Operator
-|4.20
+|4.21
 
 |SR-IOV Operator
-|4.20
+|4.21
 
 |SRIOV-FEC Operator
 |2.11
 
 |Lifecycle Agent
-|4.20
+|4.21
 |====