From d6f17858ce3f9a012a8adbd6c1211fce02d95913 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Sun, 12 May 2024 13:01:23 +0200 Subject: [PATCH] Update calico to version 3.28.0 --- bin/update.sh | 2 +- ...ctcalico.org-CustomResourceDefinition.yaml | 2 +- .../calico-kube-controllers-Deployment.yaml | 2 +- templates/calico-node-ClusterRole.yaml | 2 +- templates/calico-node-DaemonSet.yaml | 8 +++--- templates/calicoctl-Pod.yaml | 4 +-- templates/calicoctl-ServiceAccount.yaml | 2 +- ...ctcalico.org-CustomResourceDefinition.yaml | 25 ++++++++++++++++--- ...ctcalico.org-CustomResourceDefinition.yaml | 22 ++++++++-------- ...ctcalico.org-CustomResourceDefinition.yaml | 22 ++++++++-------- 10 files changed, 55 insertions(+), 36 deletions(-) diff --git a/bin/update.sh b/bin/update.sh index 5fac1c7..5d1db70 100755 --- a/bin/update.sh +++ b/bin/update.sh @@ -1,5 +1,5 @@ #!/bin/bash -CALICO_VERSION="3.27.3" +CALICO_VERSION="3.28.0" #BASEURL=https://docs.projectcalico.org/manifests #BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests BASEURL="https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests" diff --git a/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml index 742cf79..226bdd2 100644 --- a/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -64,7 +64,7 @@ spec: numAllowedLocalASNumbers: description: Maximum number of local AS numbers that are allowed in the AS path for received routes. This removes BGP loop prevention - and should only be used if absolutely necesssary. + and should only be used if absolutely necessary. format: int32 type: integer password: diff --git a/templates/calico-kube-controllers-Deployment.yaml b/templates/calico-kube-controllers-Deployment.yaml index 1d2c2cd..7299448 100644 
--- a/templates/calico-kube-controllers-Deployment.yaml +++ b/templates/calico-kube-controllers-Deployment.yaml @@ -36,7 +36,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.27.3 + image: docker.io/calico/kube-controllers:v3.28.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/templates/calico-node-ClusterRole.yaml b/templates/calico-node-ClusterRole.yaml index 42e5ed1..a9016d0 100644 --- a/templates/calico-node-ClusterRole.yaml +++ b/templates/calico-node-ClusterRole.yaml @@ -110,7 +110,7 @@ rules: - create - update # Calico must update some CRDs. - - apiGroups: [ "crd.projectcalico.org" ] + - apiGroups: ["crd.projectcalico.org"] resources: - caliconodestatuses verbs: diff --git a/templates/calico-node-DaemonSet.yaml b/templates/calico-node-DaemonSet.yaml index 65bf158..1085976 100644 --- a/templates/calico-node-DaemonSet.yaml +++ b/templates/calico-node-DaemonSet.yaml @@ -44,7 +44,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.27.3 + image: docker.io/calico/cni:v3.28.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -72,7 +72,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.27.3 + image: docker.io/calico/cni:v3.28.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: 
@@ -115,7 +115,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:v3.27.3 + image: docker.io/calico/node:v3.28.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -141,7 +141,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.27.3 + image: docker.io/calico/node:v3.28.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: diff --git a/templates/calicoctl-Pod.yaml b/templates/calicoctl-Pod.yaml index 9dfe002..3c4329c 100644 --- a/templates/calicoctl-Pod.yaml +++ b/templates/calicoctl-Pod.yaml @@ -11,9 +11,9 @@ spec: serviceAccountName: calicoctl containers: - name: calicoctl - image: calico/ctl:v3.27.3 + image: calico/ctl:v3.28.0 command: - - /calicoctl + - calicoctl args: - version - --poll=1m diff --git a/templates/calicoctl-ServiceAccount.yaml b/templates/calicoctl-ServiceAccount.yaml index 099ba1c..667ff63 100644 --- a/templates/calicoctl-ServiceAccount.yaml +++ b/templates/calicoctl-ServiceAccount.yaml @@ -1,7 +1,7 @@ # Calico Version master # https://projectcalico.docs.tigera.io/releases#master # This manifest includes the following component versions: -# calico/ctl:v3.27.3 +# calico/ctl:v3.28.0 apiVersion: v1 kind: ServiceAccount diff --git a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml index 6a159c8..29a9fa1 100644 --- a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml 
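Review bot: In templates/calicoctl-Pod.yaml the container command changes from the absolute `/calicoctl` to a bare `calicoctl`, so the binary is now resolved through the image's PATH rather than a fixed location. This presumably tracks a layout change in the v3.28.0 image, but nothing in the hunk shows it, so confirm the pod still starts with the new image. The same hunk keeps `image: calico/ctl:v3.28.0`, which lacks the `docker.io/` registry prefix used by every other image in this patch and is pinned only by a mutable tag. Writing it as `image: docker.io/calico/ctl:v3.28.0@sha256:<digest-of-the-image-you-verified>` would make both the pull source and the content explicit. The pod spec continues outside the hunk, so an `imagePullPolicy` or `securityContext` may exist that is not visible here.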
@@ -168,8 +168,9 @@ spec: - Disabled type: string bpfKubeProxyEndpointSlicesEnabled: - description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls - whether Felix's embedded kube-proxy accepts EndpointSlices or not. + description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has + no effect. BPF kube-proxy always accepts endpoint slices. This option + will be removed in the next release. type: boolean bpfKubeProxyIptablesCleanupEnabled: description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF @@ -288,11 +289,23 @@ spec: type: string debugDisableLogDropping: type: boolean + debugHost: + description: DebugHost is the host IP or hostname to bind the debug + port to. Only used if DebugPort is set. [Default:localhost] + type: string debugMemoryProfilePath: type: string + debugPort: + description: DebugPort if set, enables Felix's debug HTTP port, which + allows memory and CPU profiles to be retrieved. The debug port + is not secure, it should not be exposed to the internet. + type: integer debugSimulateCalcGraphHangAfter: pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + debugSimulateDataplaneApplyDelay: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string debugSimulateDataplaneHangAfter: pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string @@ -332,6 +345,12 @@ spec: type: string endpointReportingEnabled: type: boolean + endpointStatusPathPrefix: + description: "EndpointStatusPathPrefix is the path to the directory + where endpoint status will be written. Endpoint status file reporting + is disabled if field is left empty. \n Chosen directory should match + the directory used by the CNI for PodStartupDelay. [Default: \"\"]" + type: string externalNodesList: description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have the tunneled traffic be 
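Review bot: The second felixconfigurations hunk adds `debugPort` as `type: integer` with no bounds and `debugHost` as an unconstrained `type: string`, so the schema accepts a non-loopback bind address for an endpoint the description itself calls "not secure". Anyone with write access to FelixConfiguration can therefore turn on an unauthenticated profiling listener on the nodes. This CRD looks vendored through bin/update.sh, so a local schema edit would likely be overwritten on the next update. The durable mitigations are keeping write access to `felixconfigurations` in `crd.projectcalico.org` narrow in RBAC and leaving `debugPort` unset in anything this chart ships. If local edits are kept, adding `minimum: 1` and `maximum: 65535` under `debugPort` would at least reject out-of-range values.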
@@ -603,7 +622,7 @@ spec: description: 'MetadataAddr is the IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu, - nova-api-metadata). A value of none (case insensitive) means that + nova-api-metadata). A value of none (case-insensitive) means that Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]' type: string diff --git a/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml index d0da112..7ff7035 100644 --- a/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml 
@@ -818,17 +818,17 @@ spec: any DNAT. type: boolean selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + description: "The selector is an expression used to pick out the endpoints + that the policy should be applied to. \n Selector expressions follow + this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\" \tlabel != \"string_literal\" -> not + equal; also matches if label is not present \tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\" + \thas(label_name) -> True if that label is present \t! expr -> + negation of expr \texpr && expr -> Short-circuit and \texpr || + expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples diff --git a/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml index 125c20c..8d4f903 100644 
--- a/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -799,17 +799,17 @@ spec: type: string type: array selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + description: "The selector is an expression used to pick out the endpoints + that the policy should be applied to. \n Selector expressions follow + this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\" \tlabel != \"string_literal\" -> not + equal; also matches if label is not present \tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\" + \thas(label_name) -> True if that label is present \t! expr -> + negation of expr \texpr && expr -> Short-circuit and \texpr || + expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples