Update to version v3.19.0

bin/update.sh

@@ -1,15 +1,18 @@
 #!/bin/bash
-curl https://docs.projectcalico.org/manifests/calico.yaml -O
+BASEURL=https://docs.projectcalico.org/manifests
+#BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests
+curl "${BASEURL}"/calico.yaml -O
 kubernetes-split-yaml calico.yaml > generated.log
 mv generated/*.yaml files/
 rmdir generated
 echo -e '---\ncalico_files:' > vars/calico-files.yaml
 cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)|  - "\2"|' >> vars/calico-files.yaml
 rm -f generated.log calico.yaml
-curl https://docs.projectcalico.org/manifests/calicoctl.yaml -O
+curl "${BASEURL}"/calicoctl.yaml -O
 kubernetes-split-yaml calicoctl.yaml > generated.log
 mv generated/*.yaml files/
 rmdir generated
+echo -e '\ncalicoctl_files:' >> vars/calico-files.yaml
 cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)|  - "\2"|' >> vars/calico-files.yaml
 rm -f generated.log calicoctl.yaml
 

files/calico-kube-controllers-Deployment.yaml

@@ -34,16 +34,25 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.18.1
+          image: docker.io/calico/kube-controllers:v3.19.0
           env:
             # Choose which controllers to run.
             - name: ENABLED_CONTROLLERS
               value: node
             - name: DATASTORE_TYPE
               value: kubernetes
+          livenessProbe:
+            exec:
+              command:
+              - /usr/bin/check-status
+              - -l
+            periodSeconds: 10
+            initialDelaySeconds: 10
+            failureThreshold: 6
           readinessProbe:
             exec:
               command:
               - /usr/bin/check-status
               - -r
+            periodSeconds: 10
 

files/calico-node-DaemonSet.yaml

@@ -44,7 +44,7 @@ spec:
         # It can be deleted if this is a fresh installation, or if you have already
         # upgraded to use calico-ipam.
         - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.18.1
+          image: docker.io/calico/cni:v3.19.0
           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
           envFrom:
           - configMapRef:
@@ -71,7 +71,7 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: docker.io/calico/cni:v3.18.1
+          image: docker.io/calico/cni:v3.19.0
           command: ["/opt/cni/bin/install"]
           envFrom:
           - configMapRef:
@@ -112,7 +112,7 @@ spec:
         # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
         # to communicate with Felix over the Policy Sync API.
         - name: flexvol-driver
-          image: docker.io/calico/pod2daemon-flexvol:v3.18.1
+          image: docker.io/calico/pod2daemon-flexvol:v3.19.0
           volumeMounts:
           - name: flexvol-driver-host
             mountPath: /host/driver
@@ -123,7 +123,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: docker.io/calico/node:v3.18.1
+          image: docker.io/calico/node:v3.19.0
           envFrom:
           - configMapRef:
               # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@@ -191,9 +191,6 @@ spec:
             # Disable IPv6 on Kubernetes.
             - name: FELIX_IPV6SUPPORT
               value: "false"
-            # Set Felix logging to "info"
-            - name: FELIX_LOGSEVERITYSCREEN
-              value: "info"
             - name: FELIX_HEALTHENABLED
               value: "true"
             - name: FELIX_IPTABLESBACKEND

files/calicoctl-Pod.yaml

@@ -11,7 +11,7 @@ spec:
   serviceAccountName: calicoctl
   containers:
   - name: calicoctl
-    image: calico/ctl:v3.18.1
+    image: calico/ctl:v3.19.0
     command:
       - /calicoctl
     args:

files/calicoctl-ServiceAccount.yaml

@@ -1,7 +1,7 @@
-# Calico Version v3.18.1
-# https://docs.projectcalico.org/releases#v3.18.1
+# Calico Version v3.19.0
+# https://docs.projectcalico.org/releases#v3.19.0
 # This manifest includes the following component versions:
-#   calico/ctl:v3.18.1
+#   calico/ctl:v3.19.0
 
 apiVersion: v1
 kind: ServiceAccount

files/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml

@@ -77,6 +77,13 @@ spec:
                 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
                   [Default: false]'
                 type: boolean
+              bpfExtToServiceConnmark:
+                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
+                  mark that is set on connections from an external client to a local
+                  service. This mark allows us to control how packets of that connection
+                  are routed within the host and how is routing intepreted by RPF
+                  check. [Default: 0]'
+                type: integer
               bpfExternalServiceMode:
                 description: 'BPFExternalServiceMode in BPF mode, controls how connections
                   from outside the cluster to services (node ports and cluster IPs)
@@ -165,49 +172,55 @@ spec:
                   type: string
                 type: array
               failsafeInboundHostPorts:
-                description: 'FailsafeInboundHostPorts is a comma-delimited list of
-                  UDP/TCP ports that Felix will allow incoming traffic to host endpoints
+                description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
+                  and CIDRs that Felix will allow incoming traffic to host endpoints
                   on irrespective of the security policy. This is useful to avoid
-                  accidentally cutting off a host with incorrect configuration. Each
-                  port should be specified as tcp:<port-number> or udp:<port-number>.
-                  For back-compatibility, if the protocol is not specified, it defaults
-                  to "tcp". To disable all inbound host ports, use the value none.
-                  The default value allows ssh access and DHCP. [Default: tcp:22,
+                  accidentally cutting off a host with incorrect configuration. For
+                  back-compatibility, if the protocol is not specified, it defaults
+                  to "tcp". If a CIDR is not specified, it will allow traffic from
+                  all addresses. To disable all inbound host ports, use the value
+                  none. The default value allows ssh access and DHCP. [Default: tcp:22,
                   udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
                 items:
-                  description: ProtoPort is combination of protocol and port, both
-                    must be specified.
+                  description: ProtoPort is combination of protocol, port, and CIDR.
+                    All three must be specified.
                   properties:
+                    net:
+                      type: string
                     port:
                       type: integer
                     protocol:
                       type: string
                   required:
+                  - net
                   - port
                   - protocol
                   type: object
                 type: array
               failsafeOutboundHostPorts:
-                description: 'FailsafeOutboundHostPorts is a comma-delimited list
-                  of UDP/TCP ports that Felix will allow outgoing traffic from host
-                  endpoints to irrespective of the security policy. This is useful
-                  to avoid accidentally cutting off a host with incorrect configuration.
-                  Each port should be specified as tcp:<port-number> or udp:<port-number>.
-                  For back-compatibility, if the protocol is not specified, it defaults
-                  to "tcp". To disable all outbound host ports, use the value none.
-                  The default value opens etcd''s standard ports to ensure that Felix
-                  does not get cut off from etcd as well as allowing DHCP and DNS.
-                  [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
-                  udp:53, udp:67]'
+                description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
+                  and CIDRs that Felix will allow outgoing traffic from host endpoints
+                  to irrespective of the security policy. This is useful to avoid
+                  accidentally cutting off a host with incorrect configuration. For
+                  back-compatibility, if the protocol is not specified, it defaults
+                  to "tcp". If a CIDR is not specified, it will allow traffic from
+                  all addresses. To disable all outbound host ports, use the value
+                  none. The default value opens etcd''s standard ports to ensure that
+                  Felix does not get cut off from etcd as well as allowing DHCP and
+                  DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
+                  tcp:6667, udp:53, udp:67]'
                 items:
-                  description: ProtoPort is combination of protocol and port, both
-                    must be specified.
+                  description: ProtoPort is combination of protocol, port, and CIDR.
+                    All three must be specified.
                   properties:
+                    net:
+                      type: string
                     port:
                       type: integer
                     protocol:
                       type: string
                   required:
+                  - net
                   - port
                   - protocol
                   type: object

tasks/main.yml

@@ -12,6 +12,30 @@
       resource_definition: "{{ lookup('file', item) | from_yaml }}"
     with_items:
       - "{{ calico_files }}"
+    register: calico_changed
+
+  - name: delete pods calicoctl
+    k8s:
+      state: absent
+      context: "{{ my_context }}"
+      kind: Pod
+      name: calicoctl
+      namespace: kube-system
+    when:
+      - calico_changed is changed
+
+  - name: calicoctl install
+    k8s:
+      state: present
+      context: "{{ my_context }}"
+      apply: yes
+      resource_definition: "{{ lookup('file', item) | from_yaml }}"
+    with_items:
+      - "{{ calicoctl_files }}"
+    when:
+      - calico_changed is changed
+
+
   when:
     - kubernetes_network == "calico"
   tags:

vars/calico-files.yaml

@@ -25,6 +25,8 @@ calico_files:
   - "calico-kube-controllers-Deployment.yaml"
   - "calico-kube-controllers-ServiceAccount.yaml"
   - "calico-kube-controllers-PodDisruptionBudget.yaml"
+
+calicoctl_files:
   - "calicoctl-ServiceAccount.yaml"
   - "calicoctl-Pod.yaml"
   - "calicoctl-ClusterRole.yaml"