Add 3.2.5 release notes

_data/toc.yaml

@@ -1688,6 +1688,8 @@ manuals:
           title: Set the user's session timeout
         - path: /ee/ucp/admin/configure/ucp-configuration-file/
           title: UCP configuration file
+	- path: /ee/ucp/admin/configure/kms-plugin/
+          title: KMS plugin support for UCP
         - path: /ee/ucp/admin/configure/use-node-local-network-in-swarm/
           title: Use a local node network in a swarm
         - path: /ee/ucp/admin/configure/use-your-own-tls-certificates/

ee/ucp/admin/configure/kms-plugin.md

@@ -0,0 +1,33 @@
+---
+title: KMS plugin support for UCP
+description: Learn about the KMS plugin for UCP.
+keywords: ucp, kms, kubernetes, plugin, configuration
+---
+
+>{% include enterprise_label_shortform.md %}
+
+Docker Universal Control Plane (UCP) 3.2.5 adds support for a Key Management Service (KMS) plugin to allow access to third-party secrets management solutions, such as Vault. This plugin is used by UCP for access from Kubernetes clusters.
+
+## Deployment
+
+KMS must be deployed before a machine becomes a UCP manager or it may be considered unhealthy. UCP will not health check, clean up, or otherwise manage the KMS plugin.
+
+## Configuration
+
+KMS plugin configuration should be done through UCP. UCP will maintain ownership of the Kubernetes EncryptionConfig file, where the KMS plugin is configured for Kubernetes. UCP does not currently check this file’s contents after deployment. 
+
+UCP adds new configuration options to the cluster configuration table. These options are not exposed through the web UI, but can be configured via the [API](https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/).
+
+The following table shows the configuration options for the KMS plugin. These options are not required.
+
+| Parameter        | Type | Description                              |
+|------------------|------|------------------------------------------|
+| `kms_enabled`    | bool | Determines if UCP should configure a KMS plugin. |
+| `kms_name` | string  | Name of the KMS plugin resource (for example, “vault”). |
+| `kms_endpoint`   | string  | Path of the KMS plugin socket. This path must refer to a UNIX socket on the host (for example, “/tmp/socketfile.sock”). UCP will bind mount this file to make it accessible to the API server. |
+| `kms_cachesize`  | int  | Number of data encryption keys (DEKs) to be cached in the clear. |
+
+## Where to go next
+* [Using a KMS provider for data encryption](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/)
+* [Encrypting Secret Data at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
+* [UCP API Documentation](https://docs.docker.com/reference/ucp/3.2/api/)

ee/ucp/release-notes.md

@@ -26,6 +26,30 @@ upgrade your installation to the latest release.
 
 # Version 3.2
 
+## 3.2.5
+2020-01-28
+
+### Known issues
+* UCP currently turns on vulnerability information for images deployed within UCP by default for upgrades. This may cause clusters to fail due to performance issues. (ENGORC-2746)
+* For Red Hat Enterprise Linux (RHEL) 8, if firewalld is running and `FirewallBackend=nftables` is set in `/etc/firewalld/firewalld.conf`, change this to `FirewallBackend=iptables`, or you can explicitly run the following commands to allow traffic to enter the default bridge (docker0) network:
+
+    ```
+    firewall-cmd --permanent --zone=trusted --add-interface=docker0
+    firewall-cmd --reload
+    ```
+### Kubernetes
+* Enabled support for a user-managed Kubernetes KMS plugin. See [KMS plugin support for UCP](/ee/ucp/admin/configure/kms-support.md) for more information.
+
+### Components
+
+| Component             | Version |
+| --------------------- | ------- |
+| UCP                   | 3.2.5   |
+| Kubernetes            | 1.14.8  |
+| Calico                | 3.8.2   |
+| Interlock             | 3.0.0   |
+| Interlock NGINX proxy | 1.14.2  |
+
 ## 3.2.4
 2019-11-14