Update calico to version 3.28.0

bin/update.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-CALICO_VERSION="3.27.3"
+CALICO_VERSION="3.28.0"
 #BASEURL=https://docs.projectcalico.org/manifests
 #BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests
 BASEURL="https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests"

templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml

@@ -64,7 +64,7 @@ spec:
               numAllowedLocalASNumbers:
                 description: Maximum number of local AS numbers that are allowed in
                   the AS path for received routes. This removes BGP loop prevention
-                  and should only be used if absolutely necesssary.
+                  and should only be used if absolutely necessary.
                 format: int32
                 type: integer
               password:

templates/calico-kube-controllers-Deployment.yaml

@@ -36,7 +36,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.27.3
+          image: docker.io/calico/kube-controllers:v3.28.0
           imagePullPolicy: IfNotPresent
           env:
             # Choose which controllers to run.

templates/calico-node-ClusterRole.yaml

@@ -110,7 +110,7 @@ rules:
       - create
       - update
   # Calico must update some CRDs.
-  - apiGroups: [ "crd.projectcalico.org" ]
+  - apiGroups: ["crd.projectcalico.org"]
     resources:
       - caliconodestatuses
     verbs:

templates/calico-node-DaemonSet.yaml

@@ -44,7 +44,7 @@ spec:
         # It can be deleted if this is a fresh installation, or if you have already
         # upgraded to use calico-ipam.
         - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.27.3
+          image: docker.io/calico/cni:v3.28.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
           envFrom:
@@ -72,7 +72,7 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: docker.io/calico/cni:v3.27.3
+          image: docker.io/calico/cni:v3.28.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/install"]
           envFrom:
@@ -115,7 +115,7 @@ spec:
         # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
         # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
         - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.27.3
+          image: docker.io/calico/node:v3.28.0
           imagePullPolicy: IfNotPresent
           command: ["calico-node", "-init", "-best-effort"]
           volumeMounts:
@@ -141,7 +141,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: docker.io/calico/node:v3.27.3
+          image: docker.io/calico/node:v3.28.0
           imagePullPolicy: IfNotPresent
           envFrom:
           - configMapRef:

templates/calicoctl-Pod.yaml

@@ -11,9 +11,9 @@ spec:
   serviceAccountName: calicoctl
   containers:
   - name: calicoctl
-    image: calico/ctl:v3.27.3
+    image: calico/ctl:v3.28.0
     command:
-      - /calicoctl
+      - calicoctl
     args:
       - version
       - --poll=1m

templates/calicoctl-ServiceAccount.yaml

@@ -1,7 +1,7 @@
 # Calico Version master
 # https://projectcalico.docs.tigera.io/releases#master
 # This manifest includes the following component versions:
-#   calico/ctl:v3.27.3
+#   calico/ctl:v3.28.0
 
 apiVersion: v1
 kind: ServiceAccount

templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml

@@ -168,8 +168,9 @@ spec:
                 - Disabled
                 type: string
               bpfKubeProxyEndpointSlicesEnabled:
-                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
+                description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
-                  whether Felix's embedded kube-proxy accepts EndpointSlices or not.
+                  no effect. BPF kube-proxy always accepts endpoint slices. This option
+                  will be removed in the next release.
                 type: boolean
               bpfKubeProxyIptablesCleanupEnabled:
                 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
@@ -288,11 +289,23 @@ spec:
                 type: string
               debugDisableLogDropping:
                 type: boolean
+              debugHost:
+                description: DebugHost is the host IP or hostname to bind the debug
+                  port to.  Only used if DebugPort is set. [Default:localhost]
+                type: string
               debugMemoryProfilePath:
                 type: string
+              debugPort:
+                description: DebugPort if set, enables Felix's debug HTTP port, which
+                  allows memory and CPU profiles to be retrieved.  The debug port
+                  is not secure, it should not be exposed to the internet.
+                type: integer
               debugSimulateCalcGraphHangAfter:
                 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                 type: string
+              debugSimulateDataplaneApplyDelay:
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
               debugSimulateDataplaneHangAfter:
                 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                 type: string
@@ -332,6 +345,12 @@ spec:
                 type: string
               endpointReportingEnabled:
                 type: boolean
+              endpointStatusPathPrefix:
+                description: "EndpointStatusPathPrefix is the path to the directory
+                  where endpoint status will be written. Endpoint status file reporting
+                  is disabled if field is left empty. \n Chosen directory should match
+                  the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
+                type: string
               externalNodesList:
                 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
                   which may source tunnel traffic and have the tunneled traffic be
@@ -603,7 +622,7 @@ spec:
                 description: 'MetadataAddr is the IP address or domain name of the
                   server that can answer VM queries for cloud-init metadata. In OpenStack,
                   this corresponds to the machine running nova-api (or in Ubuntu,
-                  nova-api-metadata). A value of none (case insensitive) means that
+                  nova-api-metadata). A value of none (case-insensitive) means that
                   Felix should not set up any NAT rule for the metadata path. [Default:
                   127.0.0.1]'
                 type: string

templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml

@@ -818,17 +818,17 @@ spec:
                   any DNAT.
                 type: boolean
               selector:
-                description: "The selector is an expression used to pick pick out
+                description: "The selector is an expression used to pick out the endpoints
-                  the endpoints that the policy should be applied to. \n Selector
+                  that the policy should be applied to. \n Selector expressions follow
-                  expressions follow this syntax: \n \tlabel == \"string_literal\"
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
-                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
-                  \  ->  not equal; also matches if label is not present \tlabel in
+                  equal; also matches if label is not present \tlabel in { \"a\",
-                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
-                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
-                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
-                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
+                  \thas(label_name)  -> True if that label is present \t! expr ->
-                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
-                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                   or the empty selector -> matches all endpoints. \n Label names are
                   allowed to contain alphanumerics, -, _ and /. String literals are
                   more permissive but they do not support escape characters. \n Examples

templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml

@@ -799,17 +799,17 @@ spec:
                   type: string
                 type: array
               selector:
-                description: "The selector is an expression used to pick pick out
+                description: "The selector is an expression used to pick out the endpoints
-                  the endpoints that the policy should be applied to. \n Selector
+                  that the policy should be applied to. \n Selector expressions follow
-                  expressions follow this syntax: \n \tlabel == \"string_literal\"
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
-                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
-                  \  ->  not equal; also matches if label is not present \tlabel in
+                  equal; also matches if label is not present \tlabel in { \"a\",
-                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
-                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
-                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
-                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
+                  \thas(label_name)  -> True if that label is present \t! expr ->
-                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
-                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                   or the empty selector -> matches all endpoints. \n Label names are
                   allowed to contain alphanumerics, -, _ and /. String literals are
                   more permissive but they do not support escape characters. \n Examples