Update calico to version 3.28.0

2024-05-12 13:01:23 +02:00 · 2024-05-12 13:01:23 +02:00 · d6f17858ce
commit d6f17858ce
parent 7548f12db8
10 changed files with 55 additions and 36 deletions
--- a/bin/update.sh
+++ b/bin/update.sh
@ -1,5 +1,5 @@
 #!/bin/bash
-CALICO_VERSION="3.27.3"
+CALICO_VERSION="3.28.0"
 #BASEURL=https://docs.projectcalico.org/manifests
 #BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests
 BASEURL="https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests"
--- a/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -64,7 +64,7 @@ spec:
              numAllowedLocalASNumbers:
                description: Maximum number of local AS numbers that are allowed in
                  the AS path for received routes. This removes BGP loop prevention
-                  and should only be used if absolutely necesssary.
+                  and should only be used if absolutely necessary.
                format: int32
                type: integer
              password:
--- a/templates/calico-kube-controllers-Deployment.yaml
+++ b/templates/calico-kube-controllers-Deployment.yaml
@ -36,7 +36,7 @@ spec:
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.27.3
+          image: docker.io/calico/kube-controllers:v3.28.0
          imagePullPolicy: IfNotPresent
          env:
            # Choose which controllers to run.
--- a/templates/calico-node-DaemonSet.yaml
+++ b/templates/calico-node-DaemonSet.yaml
@ -44,7 +44,7 @@ spec:
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.27.3
+          image: docker.io/calico/cni:v3.28.0
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          envFrom:
@ -72,7 +72,7 @@ spec:
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
-          image: docker.io/calico/cni:v3.27.3
+          image: docker.io/calico/cni:v3.28.0
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/install"]
          envFrom:
@ -115,7 +115,7 @@ spec:
        # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
        # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
        - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.27.3
+          image: docker.io/calico/node:v3.28.0
          imagePullPolicy: IfNotPresent
          command: ["calico-node", "-init", "-best-effort"]
          volumeMounts:
@ -141,7 +141,7 @@ spec:
        # container programs network policy and routes on each
        # host.
        - name: calico-node
-          image: docker.io/calico/node:v3.27.3
+          image: docker.io/calico/node:v3.28.0
          imagePullPolicy: IfNotPresent
          envFrom:
          - configMapRef:
--- a/templates/calicoctl-Pod.yaml
+++ b/templates/calicoctl-Pod.yaml
@ -11,9 +11,9 @@ spec:
  serviceAccountName: calicoctl
  containers:
  - name: calicoctl
-    image: calico/ctl:v3.27.3
+    image: calico/ctl:v3.28.0
    command:
-      - /calicoctl
+      - calicoctl
    args:
      - version
      - --poll=1m
--- a/templates/calicoctl-ServiceAccount.yaml
+++ b/templates/calicoctl-ServiceAccount.yaml
@ -1,7 +1,7 @@
 # Calico Version master
 # https://projectcalico.docs.tigera.io/releases#master
 # This manifest includes the following component versions:
-#   calico/ctl:v3.27.3
+#   calico/ctl:v3.28.0
 apiVersion: v1
 kind: ServiceAccount
--- a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -168,8 +168,9 @@ spec:
                - Disabled
                type: string
              bpfKubeProxyEndpointSlicesEnabled:
-                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
+                description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
-                  whether Felix's embedded kube-proxy accepts EndpointSlices or not.
+                  no effect. BPF kube-proxy always accepts endpoint slices. This option
                  will be removed in the next release.
                type: boolean
              bpfKubeProxyIptablesCleanupEnabled:
                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
@ -288,11 +289,23 @@ spec:
                type: string
              debugDisableLogDropping:
                type: boolean
              debugHost:
                description: DebugHost is the host IP or hostname to bind the debug
                  port to.  Only used if DebugPort is set. [Default:localhost]
                type: string
              debugMemoryProfilePath:
                type: string
              debugPort:
                description: DebugPort if set, enables Felix's debug HTTP port, which
                  allows memory and CPU profiles to be retrieved.  The debug port
                  is not secure, it should not be exposed to the internet.
                type: integer
              debugSimulateCalcGraphHangAfter:
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              debugSimulateDataplaneApplyDelay:
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              debugSimulateDataplaneHangAfter:
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
@ -332,6 +345,12 @@ spec:
                type: string
              endpointReportingEnabled:
                type: boolean
              endpointStatusPathPrefix:
                description: "EndpointStatusPathPrefix is the path to the directory
                  where endpoint status will be written. Endpoint status file reporting
                  is disabled if field is left empty. \n Chosen directory should match
                  the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
                type: string
              externalNodesList:
                description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
                  which may source tunnel traffic and have the tunneled traffic be
@ -603,7 +622,7 @@ spec:
                description: 'MetadataAddr is the IP address or domain name of the
                  server that can answer VM queries for cloud-init metadata. In OpenStack,
                  this corresponds to the machine running nova-api (or in Ubuntu,
-                  nova-api-metadata). A value of none (case insensitive) means that
+                  nova-api-metadata). A value of none (case-insensitive) means that
                  Felix should not set up any NAT rule for the metadata path. [Default:
                  127.0.0.1]'
                type: string
--- a/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -818,17 +818,17 @@ spec:
                  any DNAT.
                type: boolean
              selector:
-                description: "The selector is an expression used to pick pick out
+                description: "The selector is an expression used to pick out the endpoints
-                  the endpoints that the policy should be applied to. \n Selector
+                  that the policy should be applied to. \n Selector expressions follow
-                  expressions follow this syntax: \n \tlabel == \"string_literal\"
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
-                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
-                  \  ->  not equal; also matches if label is not present \tlabel in
+                  equal; also matches if label is not present \tlabel in { \"a\",
-                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
-                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
-                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
-                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
+                  \thas(label_name)  -> True if that label is present \t! expr ->
-                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
-                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                  or the empty selector -> matches all endpoints. \n Label names are
                  allowed to contain alphanumerics, -, _ and /. String literals are
                  more permissive but they do not support escape characters. \n Examples
--- a/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -799,17 +799,17 @@ spec:
                  type: string
                type: array
              selector:
-                description: "The selector is an expression used to pick pick out
+                description: "The selector is an expression used to pick out the endpoints
-                  the endpoints that the policy should be applied to. \n Selector
+                  that the policy should be applied to. \n Selector expressions follow
-                  expressions follow this syntax: \n \tlabel == \"string_literal\"
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
-                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
-                  \  ->  not equal; also matches if label is not present \tlabel in
+                  equal; also matches if label is not present \tlabel in { \"a\",
-                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
-                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
-                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
-                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
+                  \thas(label_name)  -> True if that label is present \t! expr ->
-                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
-                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                  or the empty selector -> matches all endpoints. \n Label names are
                  allowed to contain alphanumerics, -, _ and /. String literals are
                  more permissive but they do not support escape characters. \n Examples