From 3f7fe4d290541bbdd73c97bdc89a29a29855a48a Mon Sep 17 00:00:00 2001 From: matt Date: Mon, 9 Jan 2023 00:04:02 -0800 Subject: [PATCH] Updates for v3.25.0 --- apiserver/Makefile | 5 + calico/_data/versions.yml | 33 +++--- .../release-notes/v3.25.0-release-notes.md | 106 ++++++++++++++++++ charts/calico/values.yaml | 2 +- charts/tigera-operator/values.yaml | 4 +- hack/release/pkg/builder/builder.go | 2 +- manifests/apiserver.yaml | 2 +- manifests/calico-bpf.yaml | 10 +- manifests/calico-etcd.yaml | 8 +- manifests/calico-policy-only.yaml | 10 +- manifests/calico-typha.yaml | 12 +- manifests/calico-vxlan.yaml | 10 +- manifests/calico-windows-bgp.yaml | 8 +- manifests/calico-windows-vxlan.yaml | 6 +- manifests/calico.yaml | 10 +- manifests/calicoctl-etcd.yaml | 4 +- manifests/calicoctl.yaml | 4 +- manifests/canal-etcd.yaml | 8 +- manifests/canal.yaml | 8 +- manifests/csi-driver.yaml | 4 +- manifests/flannel-migration/calico.yaml | 10 +- manifests/ocp/02-tigera-operator.yaml | 6 +- manifests/tigera-operator.yaml | 4 +- 23 files changed, 193 insertions(+), 83 deletions(-) create mode 100644 calico/_includes/release-notes/v3.25.0-release-notes.md diff --git a/apiserver/Makefile b/apiserver/Makefile index 45e9f681185..9384e99da58 100644 --- a/apiserver/Makefile +++ b/apiserver/Makefile @@ -55,6 +55,11 @@ VERSION_FLAGS = -X $(PACKAGE_NAME)/cmd/apiserver/server.VERSION=$(APISERVER_VERS include ../lib.Makefile +# TODO Add s390x back to VALIDARCHES. Excluding it should be temporary since +# there are currently issues in our pipeline with building s390x images. Remove +# this command once the s390x build pipeline has been fixed. +VALIDARCHES=amd64 arm64 ppc64le + # We need CGO to leverage Boring SSL. However, the cross-compile doesn't support CGO yet. ifeq ($(ARCH), $(filter $(ARCH),amd64)) CGO_ENABLED=1 diff --git a/calico/_data/versions.yml b/calico/_data/versions.yml index feb119f2e2b..67f9c983615 100644 --- a/calico/_data/versions.yml +++ b/calico/_data/versions.yml 
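Review bot: The TODO above the new `VALIDARCHES=amd64 arm64 ppc64le` line in apiserver/Makefile names no issue or ticket for restoring s390x, and it says "Remove this command" where it means this assignment, so the temporary exclusion is easy to leave in place after the release. The override appears to rely on sitting below `include ../lib.Makefile`; presumably lib.Makefile sets VALIDARCHES, but that file is not visible here. I would reword the last comment line to `# this override once the s390x build pipeline has been fixed (tracking: <issue-link-placeholder>).` and add `# Must stay below the include so that it overrides the VALIDARCHES from lib.Makefile.` if that is indeed the mechanism.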
@@ -1,38 +1,37 @@ -- title: v3.25.0-pre - note: "" - manifests_url: https://raw.githubusercontent.com/projectcalico/calico/release-v3.25 +- title: v3.25.0 + manifests_url: https://raw.githubusercontent.com/projectcalico/calico/v3.25.0 chart: version: 0 tigera-operator: image: tigera/operator registry: quay.io - version: release-v3.25 + version: v1.29.0 components: typha: - version: release-v3.25 + version: v3.25.0 calicoctl: - version: release-v3.25 + version: v3.25.0 calico/node: - version: release-v3.25 + version: v3.25.0 calico/cni: - version: release-v3.25 + version: v3.25.0 calico/apiserver: - version: release-v3.25 + version: v3.25.0 calico/kube-controllers: - version: release-v3.25 + version: v3.25.0 calico/flannel-migration-controller: - version: release-v3.25 + version: v3.25.0 calico/windows: - version: release-v3.25 + version: v3.25.0 networking-calico: - version: release-v3.25 + version: v3.25.0 flannel: version: v0.16.3 calico/dikastes: - version: release-v3.25 + version: v3.25.0 flexvol: - version: release-v3.25 + version: v3.25.0 csi-driver: - version: release-v3.25 + version: v3.25.0 csi-node-driver-registrar: - version: release-v3.25 + version: v3.25.0 diff --git a/calico/_includes/release-notes/v3.25.0-release-notes.md b/calico/_includes/release-notes/v3.25.0-release-notes.md new file mode 100644 index 00000000000..034ad684fb7 --- /dev/null +++ b/calico/_includes/release-notes/v3.25.0-release-notes.md 
@@ -0,0 +1,106 @@ +09 Jan 2023 + +#### eBPF Dataplane Stability: Connect Time Load Balancing (CTLB) + +In certain scenarios, Calico would not update rapidly changing pods and IPs properly. We have added +some large changes to the eBPF dataplane in order to ensure that connect time load balancing works +in larger, rapidly changing environments. + +Pull Requests: + - ebpf: ipv4 and ipv6 code separated to different object files so the v6 code gets never loaded outside tests. [calico #7093](https://github.com/projectcalico/calico/pull/7093) (@tomastigera) + - ebpf: CTLB resolves service when ipv4 is masked as ipv6. Commonly happens with grpc. [calico #7087](https://github.com/projectcalico/calico/pull/7087) (@tomastigera) + - ebpf: we can apply the CTLB-turned-off workaround just to UDP [calico #6783](https://github.com/projectcalico/calico/pull/6783) (@tomastigera) + - ebpf: host can accesses services without CTLB - gated feature [calico #6527](https://github.com/projectcalico/calico/pull/6527) (@tomastigera) + +#### Bug fixes + +##### General + - Fix incorrect cleanup in the service policy index after having both ingress and egress rules that reference the same service, resulting in missed IP set updates after one rule was deactivated. [calico #7148](https://github.com/projectcalico/calico/pull/7148) (@fasaxc) + - Fix panic in calico-node when invalid spoofed IP range provided on a pod. [calico #7076](https://github.com/projectcalico/calico/pull/7076) (@caseydavenport) + - fixed felix docs for bpf config options [calico #7065](https://github.com/projectcalico/calico/pull/7065) (@tomastigera) + - Fix missing nsswitch files in Typha causing localhost lookup fails [calico #6971](https://github.com/projectcalico/calico/pull/6971) (@wdoekes) + - Fix that Calico would try to use the IPV6 VXLAN or Wireguard tunnel devices for its BGP connections. 
[calico #6929](https://github.com/projectcalico/calico/pull/6929) (@coutinhop) + - Fix that Calico would try to use the VXLAN tunnel device for its BGP connections. [calico #6902](https://github.com/projectcalico/calico/pull/6902) (@caseydavenport) + - Add missing Auto option for IptablesBackend FelixConfiguration field [calico #6871](https://github.com/projectcalico/calico/pull/6871) (@huiyizzz) + - Fix an issue that caused annotations and labels to be overwritten during a calicoctl patch command [calico #6791](https://github.com/projectcalico/calico/pull/6791) (@mgleung) + - Fixed SyncLabels validation for Kubernetes datastore. [calico #6786](https://github.com/projectcalico/calico/pull/6786) (@huiyizzz) + - Fix issues with OCP installs using the wrong operator manifest. [calico #6724](https://github.com/projectcalico/calico/pull/6724) (@mgleung) + - Fix bug in IPv6 router ID calculation on IPv6 single-stack clusters that resulted in invalid router IDs being calculated. Note that this change will result in new router IDs being used for some IPv6 single-stack nodes. [calico #6674](https://github.com/projectcalico/calico/pull/6674) (@ramanujadasu) + - Fix that `calicoctl ipam release` could only release IPAM handles when running in etcd mode. [calico #6650](https://github.com/projectcalico/calico/pull/6650) (@fasaxc) + - Fix issue in L3RouteResolver CIDRTrie which could result in crashes when the IPv6 trie had a node with a /63 prefix. [calico #6532](https://github.com/projectcalico/calico/pull/6532) (@coutinhop) + - Fix nil error logged from kube-controllers health reporter [calico #6513](https://github.com/projectcalico/calico/pull/6513) (@caseydavenport) + - Fix that kube-controllers health checks didn't include a timeout on HTTP calls [calico #6513](https://github.com/projectcalico/calico/pull/6513) (@caseydavenport) + - Set IPIPMode and VXLANMode to the default "Never" if they are empty strings in IPPools. 
[calico #6498](https://github.com/projectcalico/calico/pull/6498) (@coutinhop) + - Fix that single-IP entries on BGPConfiguration LoadBalancerIPs were not advertised according to external traffic policy. [calico #6282](https://github.com/projectcalico/calico/pull/6282) (@mtryfoss) + - fix: ErrorActionPreference must continue for kubectl commands Issue #6127 [calico #6257](https://github.com/projectcalico/calico/pull/6257) (@chrisjohnson00) + +##### eBPF + - ebpf: fix error setting accept_local - device may get stuck dirty [calico #7071](https://github.com/projectcalico/calico/pull/7071) (@tomastigera) + - ebpf: no src fixup on host iface for traffic returning from pod to the nodeport tunnel [calico #7039](https://github.com/projectcalico/calico/pull/7039) (@tomastigera) + - ebpf: XDP (notrack) policy debug output is removed/cleaned up when XDP program is removed (fix) [calico #6994](https://github.com/projectcalico/calico/pull/6994) (@tomastigera) + - ebpf: fixes ifstate leak when devices go down [calico #6946](https://github.com/projectcalico/calico/pull/6946) (@tomastigera) + +##### Windows + - Fixed issue when Calico Windows hostprocess installation would fail to clean up a previous manual install of Calico Windows. [calico #6952](https://github.com/projectcalico/calico/pull/6952) (@coutinhop) + - Fix issues with the windows node names in GCE [calico #6470](https://github.com/projectcalico/calico/pull/6470) (@lmm) + +##### Wireguard + - Limit rate of logging 'Wireguard is not supported' to fix log spam issues. [calico #6534](https://github.com/projectcalico/calico/pull/6534) (@coutinhop) + +#### Other changes + +##### General + - Felix now supports overriding the timeouts of its internal readiness/liveness watchdog. This is useful for dealing with issues "in prod" without needing a new release. The timeouts have also been tuned to reduce false positives. 
[calico #7061](https://github.com/projectcalico/calico/pull/7061) (@fasaxc) + - Typha now shares snapshots between clients that connect at roughly the same time. This dramatically reduces load when many clients connect at once. [calico #7047](https://github.com/projectcalico/calico/pull/7047) (@fasaxc) + - By default, skip bridge interface created by `docker network create` command in IP auto-detection [calico #7045](https://github.com/projectcalico/calico/pull/7045) (@masap) + - The Typha protocol now supports compression. This is enabled automatically if client and server both support it. [calico #7043](https://github.com/projectcalico/calico/pull/7043) (@fasaxc) + - Add ignorable interfaces via the BGPConfiguration API [calico #7006](https://github.com/projectcalico/calico/pull/7006) (@huiyizzz) + - Typha now supports graceful shut down, disconnecting calico-node pods at a configured rate instead of all at once. [calico #6973](https://github.com/projectcalico/calico/pull/6973) (@fasaxc) + - Update installation documentation for AWS to include information regarding and links for CSI driver installation [calico #6967](https://github.com/projectcalico/calico/pull/6967) (@Josh-Tigera) + - Update golang from 1.18.7 to 1.18.8 to avoid CVEs. [calico #6961](https://github.com/projectcalico/calico/pull/6961) (@Behnam-Shobiri) + - By default, skip 'podman' interface in IP auto-detection [calico #6950](https://github.com/projectcalico/calico/pull/6950) (@OrvilleQ) + - By default, skip 'nodelocaldns' interface in IP auto-detection [calico #6942](https://github.com/projectcalico/calico/pull/6942) (@cyclinder) + - ebpf: faster program loading for workload endpoint - unused programs not loaded. [calico #6933](https://github.com/projectcalico/calico/pull/6933) (@tomastigera) + - Remove problematic terminology from the codebase. 
[calico #6912](https://github.com/projectcalico/calico/pull/6912) (@fasaxc) + - Update Istio support to include Istio v1.15.2 [calico #6890](https://github.com/projectcalico/calico/pull/6890) (@frozenprocess) + - Add generalized TTL security mechanism (GTSM) via BGPPeer API [calico #6862](https://github.com/projectcalico/calico/pull/6862) (@Josh-Tigera) + - Retain OpenSSL FIPS dependent files in calico-node image. [calico #6852](https://github.com/projectcalico/calico/pull/6852) (@hjiawei) + - Disable VXLAN checksum offload by default for all kernels. If this was fixed, it has since been regressed. [calico #6842](https://github.com/projectcalico/calico/pull/6842) (@fasaxc) + - Improve formatting of logged-out health reports from components such as Felix. [calico #6833](https://github.com/projectcalico/calico/pull/6833) (@fasaxc) + - Update golang to 1.18.7 to avoid new CVEs. [calico #6824](https://github.com/projectcalico/calico/pull/6824) (@Behnam-Shobiri) + - Updated documentation list of images to pull for deploying from private registry (now includes node-driver-registrar) [calico #6812](https://github.com/projectcalico/calico/pull/6812) (@Josh-Tigera) + - Match full interface names in IP auto-detection default exclude list. [calico #6760](https://github.com/projectcalico/calico/pull/6760) (@neoaggelos) + - Update multiple golang dependencies. [calico #6719](https://github.com/projectcalico/calico/pull/6719) (@Behnam-Shobiri) + - Update the go version used to build the binaries from 1.18.5 to 1.18.6 [calico #6717](https://github.com/projectcalico/calico/pull/6717) (@Behnam-Shobiri) + - Calico now uses a faster JSON parsing library; this reduces CPU load and improves start-up latency. [calico #6705](https://github.com/projectcalico/calico/pull/6705) (@fasaxc) + - Reduce parsing overhead when parsing key/value pairs from Typha. 
[calico #6703](https://github.com/projectcalico/calico/pull/6703) (@fasaxc) + - Many of Typha's Prometheus metrics are now split by syncer (client) type, represented by a label "syncer" on the metrics. This prevents cross-talk where the syncers would all share the same metrics and the last writer to the metric would "win". [calico #6675](https://github.com/projectcalico/calico/pull/6675) (@fasaxc) + - The vxlanEnabled attribute from FelixConfiguration is now ignored for IPv6 VXLAN pools, allowing VXLAN to have IPv4 enabled independently from IPv6. [calico #6671](https://github.com/projectcalico/calico/pull/6671) (@muff1nman) + - Typha now uses a B-tree for its internal cache, which allows it to export a Prometheus metric, typha_snapshot_size, that gives the total size of its current snapshot of the Calico datastore. [calico #6666](https://github.com/projectcalico/calico/pull/6666) (@fasaxc) + - Use exponential backoff for kube-controllers health check timeout, retry sooner if failed. [calico #6610](https://github.com/projectcalico/calico/pull/6610) (@caseydavenport) + - Bump K8S_VERSION and KUBECTL_VERSION to v1.24.3 in metadata.mk [calico #6606](https://github.com/projectcalico/calico/pull/6606) (@coutinhop) + - Update Installation CRD to include new CSI changes introduced by recent operator API changes. 
[calico #6596](https://github.com/projectcalico/calico/pull/6596) (@Josh-Tigera) + - Helm: imagePullSecrets now also applied to tigera-operator serviceaccount [calico #6591](https://github.com/projectcalico/calico/pull/6591) (@tamcore) + - Retry kube-controllers initialization on failure [calico #6566](https://github.com/projectcalico/calico/pull/6566) (@tmjd) + - Update the base images to alpine 3.16 for the flexvolume and CSI driver [calico #6559](https://github.com/projectcalico/calico/pull/6559) (@mgleung) + - Windows quickstart install script creates calico service account token secret if missing [calico #6464](https://github.com/projectcalico/calico/pull/6464) (@lmm) + - Updating the dependencies - to avoid indirect vulnerabilities (CVE) detection from scanners. [calico #6452](https://github.com/projectcalico/calico/pull/6452) (@Behnam-Shobiri) + - added FeatureGates to Felix [calico #6381](https://github.com/projectcalico/calico/pull/6381) (@tomastigera) + - eBPF: Add BPF counters to XDP programs, and also load XDP programs using Libbpf instead of iproute2. [calico #6371](https://github.com/projectcalico/calico/pull/6371) (@mazdakn) + - The arm64 image of calico-kube-controllers now runs as non-root by default (similar to the amd64 image). [calico #6346](https://github.com/projectcalico/calico/pull/6346) (@ialidzhikov) + +##### eBPF + - ebpf: Include enPxxxxxx in the default BPFDataIfacePattern [calico #7077](https://github.com/projectcalico/calico/pull/7077) (@TrevorTaoARM) + - ebpf: cleanup previously attached programs when BPFDataIfacePattern changes. [calico #7008](https://github.com/projectcalico/calico/pull/7008) (@tomastigera) + - ebpf : BPFDisableLinuxConntrack added to FelixConfiguration resource. [calico #6641](https://github.com/projectcalico/calico/pull/6641) (@mazdakn) + - ebpf: New felix config bpfL3IfacePattern allows to specify non calico L3 devices such as wireguard, vxlan. 
[calico #6612](https://github.com/projectcalico/calico/pull/6612) (@sridhartigera) + +##### Windows + - Update Windows NSSM version [calico #6861](https://github.com/projectcalico/calico/pull/6861) (@song-jiang) + - windows: ensure calico-managed kubelet starts after the calico network has been initialized [calico #6656](https://github.com/projectcalico/calico/pull/6656) (@vitaliy-leschenko) + +##### OpenStack + - Calico for OpenStack: remove iptables programming by the DHCP agent that is no longer needed, and that was increasing the need for Felix to resync Calico's iptables programming. Existing users will see issues - i.e. a VM failing to learn its IP address at boot time - if their VM OS is old enough to have unfixed DHCP client software. In that case the remedy is to update the VM OS. For example, in Tigera's own testing, we updated from CirrOS 0.3.4 to CirrOS 0.6.0. [calico #6857](https://github.com/projectcalico/calico/pull/6857) (@tj90241) + - Calico for OpenStack: prime the project (aka tenant) data cache on Neutron server startup [calico #6839](https://github.com/projectcalico/calico/pull/6839) (@tj90241) + - Allow Calico to set MTU in OpenStack [calico #6725](https://github.com/projectcalico/calico/pull/6725) (@nelljerram) + diff --git a/charts/calico/values.yaml b/charts/calico/values.yaml index 39e7210d51a..8a2a1ab8966 100644 --- a/charts/calico/values.yaml +++ b/charts/calico/values.yaml @@ -1,5 +1,5 @@ # The Calico version to use when generating manifests. -version: master +version: v3.25.0 # Configure the images to use when generating manifests. node: diff --git a/charts/tigera-operator/values.yaml b/charts/tigera-operator/values.yaml index dc9a71bb04f..d2351f585a4 100644 --- a/charts/tigera-operator/values.yaml +++ b/charts/tigera-operator/values.yaml 
@@ -41,8 +41,8 @@ podLabels: {} # Image and registry configuration for the tigera/operator pod. tigeraOperator: image: tigera/operator - version: master + version: v1.29.0 registry: quay.io calicoctl: image: docker.io/calico/ctl - tag: master + tag: v3.25.0 diff --git a/hack/release/pkg/builder/builder.go b/hack/release/pkg/builder/builder.go index 0f9aae35b43..acb12540b9e 100644 --- a/hack/release/pkg/builder/builder.go +++ b/hack/release/pkg/builder/builder.go @@ -483,7 +483,7 @@ func (r *ReleaseBuilder) assertManifestVersions(ver string) error { // Go through a subset of yaml files in manifests/ and extract the images // that they use. Verify that the images are using the given version. // We also do the manifests/ocp/ yaml to check the calico/ctl image is correct. - manifests := []string{"calico.yaml", "manifests/ocp/02-tigera-operator.yaml"} + manifests := []string{"calico.yaml", "ocp/02-tigera-operator.yaml"} for _, m := range manifests { args := []string{"-Po", `image:\K(.*)`, m} diff --git a/manifests/apiserver.yaml b/manifests/apiserver.yaml index 5a88708f347..d6438590c18 100644 --- a/manifests/apiserver.yaml +++ b/manifests/apiserver.yaml @@ -77,7 +77,7 @@ spec: env: - name: DATASTORE_TYPE value: kubernetes - image: calico/apiserver:master + image: calico/apiserver:v3.25.0 livenessProbe: httpGet: path: /version diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index 45a525d29cc..b0968f70a5d 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml @@ -4445,7 +4445,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: 
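Review bot: `assertManifestVersions` in hack/release/pkg/builder/builder.go still checks only `calico.yaml` and `ocp/02-tigera-operator.yaml`, while the diffstat shows seventeen files under manifests/ having their image tags rewritten, so a Windows, CSI, calicoctl or canal manifest left on `master` or on a wrong tag would pass this release gate. Extending the slice to the other manifests touched here, or listing the directory instead of hard-coding names, would close that gap. The new relative path `ocp/02-tigera-operator.yaml` also depends on the working directory the command runs in, which is set outside this hunk; if that directory is manifests/, a comment such as `// Paths are relative to manifests/, where the grep is run.` would record it. The function body starts before and continues after the hunk.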
@@ -4484,7 +4484,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4538,7 +4538,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -4564,7 +4564,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4795,7 +4795,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/calico-etcd.yaml b/manifests/calico-etcd.yaml index a331da5e177..76b7776edb5 100644 --- a/manifests/calico-etcd.yaml +++ b/manifests/calico-etcd.yaml @@ -266,7 +266,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: 
@@ -312,7 +312,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -338,7 +338,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -578,7 +578,7 @@ spec: hostNetwork: true containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # The location of the etcd cluster. diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index 938e02992a7..bc9368dd472 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml @@ -4441,7 +4441,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4478,7 +4478,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: 
@@ -4504,7 +4504,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4692,7 +4692,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. @@ -4776,7 +4776,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: docker.io/calico/typha:master + - image: docker.io/calico/typha:v3.25.0 imagePullPolicy: IfNotPresent name: calico-typha ports: diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index 49ccbfeae43..d58a2e5a8fa 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml @@ -4476,7 +4476,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4504,7 +4504,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4547,7 +4547,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: 
@@ -4573,7 +4573,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4796,7 +4796,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. @@ -4880,7 +4880,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: docker.io/calico/typha:master + - image: docker.io/calico/typha:v3.25.0 imagePullPolicy: IfNotPresent name: calico-typha ports: diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index 41b3e715e66..4876d794f79 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml @@ -4440,7 +4440,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4468,7 +4468,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4511,7 +4511,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: 
@@ -4537,7 +4537,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4752,7 +4752,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/calico-windows-bgp.yaml b/manifests/calico-windows-bgp.yaml index 228a3969b1e..1ac1ef76a3f 100644 --- a/manifests/calico-windows-bgp.yaml +++ b/manifests/calico-windows-bgp.yaml @@ -60,7 +60,7 @@ spec: operator: Exists initContainers: - name: install - image: calico/windows:master + image: calico/windows:v3.25.0 args: - ".\\host-process-install.ps1" imagePullPolicy: Always @@ -76,7 +76,7 @@ spec: fieldPath: spec.nodeName containers: - name: node - image: calico/windows:master + image: calico/windows:v3.25.0 imagePullPolicy: Always args: - ".\\node\\node-service.ps1" @@ -94,7 +94,7 @@ spec: apiVersion: v1 fieldPath: spec.nodeName - name: felix - image: calico/windows:master + image: calico/windows:v3.25.0 imagePullPolicy: Always args: - ".\\felix\\felix-service.ps1" @@ -128,7 +128,7 @@ spec: periodSeconds: 10 timeoutSeconds: 10 - name: confd - image: calico/windows:master + image: calico/windows:v3.25.0 imagePullPolicy: Always args: - ".\\confd\\confd-service.ps1" diff --git a/manifests/calico-windows-vxlan.yaml b/manifests/calico-windows-vxlan.yaml index 6b0c26325ef..5aeca5eae6e 100644 --- a/manifests/calico-windows-vxlan.yaml +++ b/manifests/calico-windows-vxlan.yaml @@ -60,7 +60,7 @@ spec: operator: Exists initContainers: - name: install - image: calico/windows:master + image: calico/windows:v3.25.0 args: - ".\\host-process-install.ps1" imagePullPolicy: Always 
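Review bot: The `install`, `node`, `felix` and `confd` containers in manifests/calico-windows-bgp.yaml now reference `calico/windows:v3.25.0` by tag while keeping `imagePullPolicy: Always`, so every pod start re-resolves a mutable tag and a re-pushed tag would be picked up with no change to the manifest. For a release manifest I would pin the digest next to the tag, e.g. `image: calico/windows:v3.25.0@sha256:<digest-of-released-image>` (placeholder), or rely on signature verification at admission. The same applies to the manifests/calico-windows-vxlan.yaml hunks that follow; the Linux manifests in this commit use `IfNotPresent`, where the tag is equally mutable but a cached image is not re-pulled. These references also carry no registry prefix, unlike the `docker.io/calico/...` images in the other manifests.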
@@ -76,7 +76,7 @@ spec: fieldPath: spec.nodeName containers: - name: node - image: calico/windows:master + image: calico/windows:v3.25.0 imagePullPolicy: Always args: - ".\\node\\node-service.ps1" @@ -94,7 +94,7 @@ spec: apiVersion: v1 fieldPath: spec.nodeName - name: felix - image: calico/windows:master + image: calico/windows:v3.25.0 imagePullPolicy: Always args: - ".\\felix\\felix-service.ps1" diff --git a/manifests/calico.yaml b/manifests/calico.yaml index a7e20e2689e..59cf3094294 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml @@ -4440,7 +4440,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4468,7 +4468,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4511,7 +4511,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -4537,7 +4537,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: 
@@ -4754,7 +4754,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/calicoctl-etcd.yaml b/manifests/calicoctl-etcd.yaml index 1e2712f9a3e..4714ea5d67e 100644 --- a/manifests/calicoctl-etcd.yaml +++ b/manifests/calicoctl-etcd.yaml @@ -1,7 +1,7 @@ # Calico Version master # https://projectcalico.docs.tigera.io/releases#master # This manifest includes the following component versions: -# calico/ctl:master +# calico/ctl:v3.25.0 apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ spec: hostNetwork: true containers: - name: calicoctl - image: calico/ctl:master + image: calico/ctl:v3.25.0 command: - /calicoctl args: diff --git a/manifests/calicoctl.yaml b/manifests/calicoctl.yaml index 93af2d70223..10dbe470abd 100644 --- a/manifests/calicoctl.yaml +++ b/manifests/calicoctl.yaml @@ -1,7 +1,7 @@ # Calico Version master # https://projectcalico.docs.tigera.io/releases#master # This manifest includes the following component versions: -# calico/ctl:master +# calico/ctl:v3.25.0 apiVersion: v1 kind: ServiceAccount @@ -23,7 +23,7 @@ spec: serviceAccountName: calicoctl containers: - name: calicoctl - image: calico/ctl:master + image: calico/ctl:v3.25.0 command: - /calicoctl args: diff --git a/manifests/canal-etcd.yaml b/manifests/canal-etcd.yaml index a73dafa628a..47b74a4773f 100644 --- a/manifests/canal-etcd.yaml +++ b/manifests/canal-etcd.yaml @@ -345,7 +345,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: 
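Review bot: The header of manifests/calicoctl-etcd.yaml still reads `# Calico Version master` and links `https://projectcalico.docs.tigera.io/releases#master`, while the component line and the container image below it are now `calico/ctl:v3.25.0`; the first hunk of manifests/calicoctl.yaml has the same mismatch. Anyone auditing which release a cluster was installed from reads that header first, so I would change the two context lines to `# Calico Version v3.25.0` and `# https://projectcalico.docs.tigera.io/releases#v3.25.0`, assuming the release anchor follows the same pattern. If the header is generated, the fix presumably belongs in the generator rather than in these files.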
@@ -415,7 +415,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -441,7 +441,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -737,7 +737,7 @@ spec: hostNetwork: true containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # The location of the etcd cluster. diff --git a/manifests/canal.yaml b/manifests/canal.yaml index ee23cf2caa3..076ab3bca32 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml @@ -4463,7 +4463,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4512,7 +4512,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: 
@@ -4538,7 +4538,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4766,7 +4766,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/csi-driver.yaml b/manifests/csi-driver.yaml index 6cd732b2823..c783ae34c6b 100644 --- a/manifests/csi-driver.yaml +++ b/manifests/csi-driver.yaml @@ -50,7 +50,7 @@ spec: effect: NoSchedule containers: - name: calico-csi - image: calico/csi:master + image: calico/csi:v3.25.0 imagePullPolicy: IfNotPresent args: - --nodeid=$(KUBE_NODE_NAME) @@ -75,7 +75,7 @@ spec: mountPath: /var/lib/kubelet/ mountPropagation: "Bidirectional" - name: csi-node-driver-registrar - image: calico/node-driver-registrar:master + image: calico/node-driver-registrar:v3.25.0 imagePullPolicy: IfNotPresent args: - --v=5 diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index fbd29f1465c..d7e93e45074 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml @@ -4442,7 +4442,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4470,7 +4470,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: 
@@ -4513,7 +4513,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -4539,7 +4539,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4754,7 +4754,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/ocp/02-tigera-operator.yaml b/manifests/ocp/02-tigera-operator.yaml index 7e0458369f8..357f9bc4cce 100644 --- a/manifests/ocp/02-tigera-operator.yaml +++ b/manifests/ocp/02-tigera-operator.yaml @@ -29,7 +29,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator - image: quay.io/tigera/operator:master + image: quay.io/tigera/operator:v1.29.0 imagePullPolicy: IfNotPresent command: - operator @@ -47,7 +47,7 @@ spec: - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION - value: master + value: v1.29.0 envFrom: - configMapRef: name: kubernetes-services-endpoint @@ -66,7 +66,7 @@ spec: name: install-resources-script initContainers: - name: create-initial-resources - image: docker.io/calico/ctl:master + image: docker.io/calico/ctl:v3.25.0 env: - name: DATASTORE_TYPE value: kubernetes diff --git a/manifests/tigera-operator.yaml b/manifests/tigera-operator.yaml index b5ec8d215dd..4fcf630a2b3 100644 --- a/manifests/tigera-operator.yaml 
+++ b/manifests/tigera-operator.yaml @@ -18151,7 +18151,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator - image: quay.io/tigera/operator:master + image: quay.io/tigera/operator:v1.29.0 imagePullPolicy: IfNotPresent command: - operator @@ -18169,7 +18169,7 @@ spec: - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION - value: master + value: v1.29.0 envFrom: - configMapRef: name: kubernetes-services-endpoint