From bffce232c46ada7aec139a87bd21e344987b8dfc Mon Sep 17 00:00:00 2001
From: Steve Hipwell
Date: Mon, 13 May 2024 10:10:26 +0100
Subject: [PATCH] feat(tigera-operator): Updated image to v1.34.0 (#956)
Signed-off-by: Steve Hipwell
---
charts/nexus3/CHANGELOG.md | 16 +-
charts/thanos/CHANGELOG.md | 10 +-
charts/tigera-operator/CHANGELOG.md | 11 +
charts/tigera-operator/Chart.yaml | 10 +-
charts/tigera-operator/README.md | 8 +-
.../crds/apiservers.operator.tigera.io.yaml | 26 +-
.../bgppeers.crd.projectcalico.org.yaml | 2 +-
...xconfigurations.crd.projectcalico.org.yaml | 44 +++-
...networkpolicies.crd.projectcalico.org.yaml | 22 +-
...networkpolicies.crd.projectcalico.org.yaml | 22 +-
.../installations.operator.tigera.io.yaml | 247 ++++++++++++++----
.../templates/clusterrole.yaml | 34 +--
12 files changed, 309 insertions(+), 143 deletions(-)
diff --git a/charts/nexus3/CHANGELOG.md b/charts/nexus3/CHANGELOG.md
index 5b8bb71a..b55ab1e6 100644
--- a/charts/nexus3/CHANGELOG.md
+++ b/charts/nexus3/CHANGELOG.md
@@ -33,7 +33,7 @@
 ### Fixed
-- Fixed incorrect behaviour when `rootPassword.key` is set due to the deprecated `config.rootPassword.key` incorrectly having a default value.
+- Fixed incorrect behavior when `rootPassword.key` is set due to the deprecated `config.rootPassword.key` incorrectly having a default value.
 ## [v4.42.0] - 2024-04-03
@@ -74,9 +74,9 @@
 ### Added
-- Added `license.enabled`, `license.secret` & `license.key` to configure the _Nexus3_ pro licence.
-- Added `highAvailability.enabled` & `highAvailability.replicas` values to enable configuring [high availability](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/high-availability-deployment-options/option-1---manual-high-availability-deployment) when running _Nexus3_ as a `StatefulSet` with a pro licence.
-- Added `storeProperties` value to configure a _PostgreSQl_ data store for _Nexus3_ with a pro licence.
+- Added `license.enabled`, `license.secret` & `license.key` to configure the _Nexus3_ pro license.
+- Added `highAvailability.enabled` & `highAvailability.replicas` values to enable configuring [high availability](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/high-availability-deployment-options/option-1---manual-high-availability-deployment) when running _Nexus3_ as a `StatefulSet` with a pro license.
+- Added `storeProperties` value to configure a _PostgreSQl_ data store for _Nexus3_ with a pro license.
 ## [v4.37.0] - 2023-12-06
@@ -319,7 +319,7 @@
 ### Added
-- Added `metrics.serviceMonitor.endpointConfig` to allow customisation of the `ServiceMonitor` endpoint.
+- Added `metrics.serviceMonitor.endpointConfig` to allow customization of the `ServiceMonitor` endpoint.
 - Added `config.anonymous.roles` to allow the anonymous user's roles to be configured.
 - Added `config.users` to enable users to be configured, new users will get a random password.
 - Added `imagePullSecrets` to replace `image.pullSecrets`.
@@ -430,7 +430,7 @@
 ### Removed
-- Customisable ingress path (not actually supported)
+- Customizable ingress path (not actually supported)
 ## v4.2.1 - 2021-04-23
@@ -454,7 +454,7 @@
 ### Changed
-- Fixed regex when S3 blobstore is used
+- Fixed regex when S3 blob store is used
 ## v4.0.2 - 2021-01-15
@@ -553,7 +553,7 @@
 ### Changed
-- Use custom logback config with customizable retention
+- Use custom Logback config with customizable retention
 ## v3.2.2- 2020-09-30
diff --git a/charts/thanos/CHANGELOG.md b/charts/thanos/CHANGELOG.md
index f03bb309..79c4bd6a 100644
--- a/charts/thanos/CHANGELOG.md
+++ b/charts/thanos/CHANGELOG.md
@@ -19,7 +19,7 @@
 ### Added
 - Added built in support for automatically setting the `GOMEMLIMIT` env variable on all Thanos components via the `autoGomemlimit.enabled` & `autoGomemlimit.ratio` values.
-- Added experimental support for configuring query to access store pods as a group via the `storeEndpointGroup` value, this switches to round-robin instead of fanout.
+- Added experimental support for configuring query to access store pods as a group via the `storeEndpointGroup` value, this switches to round-robin instead of fan-out.
 - Added experimental support for external endpoint groups via the `additionalEndpointGroups` value.
 ### Changed
@@ -147,7 +147,7 @@
 - Added support for not providing a tag as part of the image by setting the value to `"-"`.
 - Added support for using a digest as part of the image.
-- Added support for customising the config reloader image.
+- Added support for customizing the config reloader image.
 - Added support for compact to deduplicate HA Prometheus replica metrics by setting `compact.replicaDeduplication` which will use the `penalty` deduplication function.
 ### Changed
@@ -341,7 +341,7 @@
 ### Added
-- Added `serviceMonitor.endpointConfig` to allow customisation of the `ServiceMonitor` endpoint.
+- Added `serviceMonitor.endpointConfig` to allow customization of the `ServiceMonitor` endpoint.
 ### Changed
@@ -413,7 +413,7 @@
 ### Changed
-- Fix rule rules configmap support.
+- Fix rule rules ConfigMap support.
 ## [v0.10.0] - 2021-09-17
@@ -446,7 +446,7 @@
 ### Changed
-- Fixed compact service statefulset service name.
+- Fixed compact service StatefulSet service name.
 ### Removed
diff --git a/charts/tigera-operator/CHANGELOG.md b/charts/tigera-operator/CHANGELOG.md
index 7a96dd1f..64c0587e 100644
--- a/charts/tigera-operator/CHANGELOG.md
+++ b/charts/tigera-operator/CHANGELOG.md
@@ -14,6 +14,16 @@
 ## [UNRELEASED]
+## [v2.10.0] - 2024-05-13
+### Changed
+- Updated the _Tigera Operator_ OCI image to [v1.34.0](https://github.com/tigera/operator/releases/tag/v1.34.0) (_Calico_ [v3.28.0](https://github.com/projectcalico/calico/releases/tag/v3.28.0)).
+### Removed
+- Removed unnecessary permissions for removed PSP resources.
 ### Fixed
 - Fixed incorrect `ServiceMonitor` name via the `jobLabel` field.
@@ -495,6 +505,7 @@ RELEASE LINKS -->
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/tigera-operator
+[v2.10.0]: https://github.com/stevehipwell/helm-charts/releases/tag/tigera-operator-2.10.0
 [v2.9.3]: https://github.com/stevehipwell/helm-charts/releases/tag/tigera-operator-2.9.3
 [v2.9.2]: https://github.com/stevehipwell/helm-charts/releases/tag/tigera-operator-2.9.2
 [v2.9.1]: https://github.com/stevehipwell/helm-charts/releases/tag/tigera-operator-2.9.1
diff --git a/charts/tigera-operator/Chart.yaml b/charts/tigera-operator/Chart.yaml
index 70813f48..4ae41bbe 100644
--- a/charts/tigera-operator/Chart.yaml
+++ b/charts/tigera-operator/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: tigera-operator
 description: Helm chart to install the Tigera Operator for managing Calico.
 type: application
-version: 2.9.3
-appVersion: 1.32.7
+version: 2.10.0
+appVersion: 1.34.0
 keywords:
 - kubernetes
 - cni
@@ -26,4 +26,8 @@ annotations:
 artifacthub.io/alternativeName: tigera
 artifacthub.io/changes: |
 - kind: changed
- description: "Updated the _Tigera Operator_ OCI image to [v1.32.7](https://github.com/tigera/operator/releases/tag/v1.32.7) (_Calico_ [v3.27.3](https://github.com/projectcalico/calico/releases/tag/v3.27.3))."
+ description: "Updated the _Tigera Operator_ OCI image to [v1.34.0](https://github.com/tigera/operator/releases/tag/v1.34.0) (_Calico_ [v3.28.0](https://github.com/projectcalico/calico/releases/tag/v3.28.0))."
+ - kind: removed
+ description: "Removed unnecessary permissions for removed PSP resources."
+ - kind: fixed
+ description: "Fixed incorrect `ServiceMonitor` name via the `jobLabel` field."
diff --git a/charts/tigera-operator/README.md b/charts/tigera-operator/README.md
index fd38d641..42a000ed 100644
--- a/charts/tigera-operator/README.md
+++ b/charts/tigera-operator/README.md
@@ -1,6 +1,6 @@
 # tigera-operator
-![Version: 2.9.3](https://img.shields.io/badge/Version-2.9.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.32.7](https://img.shields.io/badge/AppVersion-1.32.7-informational?style=flat-square)
+![Version: 2.10.0](https://img.shields.io/badge/Version-2.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.34.0](https://img.shields.io/badge/AppVersion-1.34.0-informational?style=flat-square)
 The [Tigera Operator](https://www.tigera.io/) is a Kubernetes operator which manages the lifecycle of a [Calico](https://www.tigera.io/project-calico/) or [Calico Enterprise](https://www.tigera.io/tigera-products/calico-enterprise/) installation on Kubernetes. Its goal is to make installation, upgrades, and ongoing lifecycle management of _Calico_ and _Calico Enterprise_ as simple and reliable as possible.
@@ -27,7 +27,7 @@ It is possible to use the _Tigera Operator_ for other use-cases by installing ad
 To install the chart using the recommended OCI method you can use the following command.
 ```shell
-helm upgrade --install tigera-operator oci://ghcr.io/stevehipwell/helm-charts/tigera-operator --version 2.9.3
+helm upgrade --install tigera-operator oci://ghcr.io/stevehipwell/helm-charts/tigera-operator --version 2.10.0
 ```
 #### Verification
@@ -35,7 +35,7 @@ helm upgrade --install tigera-operator oci://ghcr.io/stevehipwell/helm-charts/ti
 As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command.
 ```shell
-cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/tigera-operator:2.9.3
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/tigera-operator:2.10.0
 ```
 ### Non-OCI Repository
@@ -44,7 +44,7 @@ Alternatively you can use the legacy non-OCI method via the following commands.
 ```shell
 helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
-helm upgrade --install tigera-operator stevehipwell/tigera-operator --version 2.9.3
+helm upgrade --install tigera-operator stevehipwell/tigera-operator --version 2.10.0
 ```
 ## Values
diff --git a/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml b/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml
index 29d5dc57..fbc9d388 100644
--- a/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml
+++ b/charts/tigera-operator/crds/apiservers.operator.tigera.io.yaml
@@ -1277,8 +1277,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the API server Deployment container by name.
+ Supported values are: calico-apiserver, tigera-queryserver"
 enum:
 - calico-apiserver
 - tigera-queryserver
@@ -1349,7 +1350,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -1370,9 +1372,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the API server Deployment init container by
- name.
+ name. Supported values are: calico-apiserver-certs-key-cert-provisioner"
 enum:
 - calico-apiserver-certs-key-cert-provisioner
 type: string
@@ -1440,7 +1442,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -1602,16 +1605,21 @@ spec:
 x-kubernetes-map-type: atomic
 matchLabelKeys:
 description:
- MatchLabelKeys is a set of pod
+ "MatchLabelKeys is a set of pod
 label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the
- incoming pod. Keys that don't exist in the
- incoming pod labels will be ignored. A null
- or empty list means only match against labelSelector.
+ incoming pod. The same key is forbidden to
+ exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector
+ isn't set. Keys that don't exist in the incoming
+ pod labels will be ignored. A null or empty
+ list means only match against labelSelector.
+ \n This is a beta field and requires the MatchLabelKeysInPodTopologySpread
+ feature gate to be enabled (enabled by default)."
 items:
 type: string
 type: array
diff --git a/charts/tigera-operator/crds/calico/bgppeers.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/bgppeers.crd.projectcalico.org.yaml
index c9f83207..91da9119 100644
--- a/charts/tigera-operator/crds/calico/bgppeers.crd.projectcalico.org.yaml
+++ b/charts/tigera-operator/crds/calico/bgppeers.crd.projectcalico.org.yaml
@@ -70,7 +70,7 @@ spec:
 description: Maximum number of local AS numbers that are allowed in the AS path for received routes. This removes BGP loop prevention
- and should only be used if absolutely necesssary.
+ and should only be used if absolutely necessary.
 format: int32
 type: integer
 password:
diff --git a/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml
index c4476574..a202c236 100644
--- a/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml
+++ b/charts/tigera-operator/crds/calico/felixconfigurations.crd.projectcalico.org.yaml
@@ -132,14 +132,14 @@ spec:
 Loose]"
 pattern: ^(?i)(Disabled|Strict|Loose)?$
 type: string
- bpfExcludeCIDRsFromNAT:
- description:
- BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
- be excluded from NAT resolution so that host can handle them. A
- typical usecase is node local DNS cache.
- items:
- type: string
- type: array
+ bpfExcludeCIDRsFromNAT:
+ description:
+ BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
+ be excluded from NAT resolution so that host can handle them. A
+ typical usecase is node local DNS cache.
+ items:
+ type: string
+ type: array
 bpfExtToServiceConnmark:
 description:
 "BPFExtToServiceConnmark in BPF mode, control a 32bit
@@ -188,8 +188,9 @@ spec:
 type: string
 bpfKubeProxyEndpointSlicesEnabled:
 description:
- BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
- whether Felix's embedded kube-proxy accepts EndpointSlices or not.
+ BPFKubeProxyEndpointSlicesEnabled is deprecated and has
+ no effect. BPF kube-proxy always accepts endpoint slices. This option
+ will be removed in the next release.
 type: boolean
 bpfKubeProxyIptablesCleanupEnabled:
 description:
@@ -324,11 +325,25 @@ spec:
 type: string
 debugDisableLogDropping:
 type: boolean
+ debugHost:
+ description:
+ DebugHost is the host IP or hostname to bind the debug
+ port to. Only used if DebugPort is set. [Default:localhost]
+ type: string
 debugMemoryProfilePath:
 type: string
+ debugPort:
+ description:
+ DebugPort if set, enables Felix's debug HTTP port, which
+ allows memory and CPU profiles to be retrieved. The debug port
+ is not secure, it should not be exposed to the internet.
+ type: integer
 debugSimulateCalcGraphHangAfter:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
+ debugSimulateDataplaneApplyDelay:
+ pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+ type: string
 debugSimulateDataplaneHangAfter:
 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
 type: string
@@ -372,6 +387,13 @@ spec:
 type: string
 endpointReportingEnabled:
 type: boolean
+ endpointStatusPathPrefix:
+ description:
+ "EndpointStatusPathPrefix is the path to the directory
+ where endpoint status will be written. Endpoint status file reporting
+ is disabled if field is left empty. \n Chosen directory should match
+ the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
+ type: string
 externalNodesList:
 description:
 ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
@@ -676,7 +698,7 @@ spec:
 "MetadataAddr is the IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu,
- nova-api-metadata). A value of none (case insensitive) means that
+ nova-api-metadata). A value of none (case-insensitive) means that
 Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]"
 type: string
diff --git a/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml
index fbdeaf0c..f3ee5970 100644
--- a/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml
+++ b/charts/tigera-operator/crds/calico/globalnetworkpolicies.crd.projectcalico.org.yaml
@@ -914,17 +914,17 @@ spec: type: boolean selector: description: - "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + "The selector is an expression used to pick out the endpoints + that the policy should be applied to. \n Selector expressions follow + this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\" \tlabel != \"string_literal\" -> not + equal; also matches if label is not present \tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\" + \thas(label_name) -> True if that label is present \t! expr -> + negation of expr \texpr && expr -> Short-circuit and \texpr || + expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples diff --git a/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml b/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml index 11ebd990..7236b36a 100644 
--- a/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml +++ b/charts/tigera-operator/crds/calico/networkpolicies.crd.projectcalico.org.yaml @@ -891,17 +891,17 @@ spec: type: array selector: description: - "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + "The selector is an expression used to pick out the endpoints + that the policy should be applied to. \n Selector expressions follow + this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\" \tlabel != \"string_literal\" -> not + equal; also matches if label is not present \tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\" + \thas(label_name) -> True if that label is present \t! expr -> + negation of expr \texpr && expr -> Short-circuit and \texpr || + expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples 
diff --git a/charts/tigera-operator/crds/installations.operator.tigera.io.yaml b/charts/tigera-operator/crds/installations.operator.tigera.io.yaml
index 6cc8a51a..e40fbb57 100644
--- a/charts/tigera-operator/crds/installations.operator.tigera.io.yaml
+++ b/charts/tigera-operator/crds/installations.operator.tigera.io.yaml
@@ -1285,9 +1285,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the calico-kube-controllers Deployment container
- by name.
+ by name. Supported values are: calico-kube-controllers"
 enum:
 - calico-kube-controllers
 type: string
@@ -1358,7 +1358,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -1486,6 +1487,14 @@ spec:
 specified. If omitted, a single pool will be configured if needed.
 items:
 properties:
+ allowedUses:
+ description:
+ AllowedUse controls what the IP pool will be
+ used for. If not specified or empty, defaults to ["Tunnel",
+ "Workload"] for back-compatibility
+ items:
+ type: string
+ type: array
 blockSize:
 description:
 "BlockSize specifies the CIDR prefex length
@@ -1516,6 +1525,11 @@ spec:
 - VXLANCrossSubnet
 - None
 type: string
+ name:
+ description:
+ Name is the name of the IP pool. If omitted,
+ this will be generated.
+ type: string
 natOutgoing:
 description:
 "NATOutgoing specifies if NAT will be enabled
@@ -1532,6 +1546,7 @@ spec:
 required:
 - cidr
 type: object
+ maxItems: 25
 type: array
 linuxDataplane:
 description:
@@ -1545,6 +1560,16 @@ spec:
 - BPF
 - VPP
 type: string
+ linuxPolicySetupTimeoutSeconds:
+ description:
+ "LinuxPolicySetupTimeoutSeconds delays new pods from
+ running containers until their policy has been programmed in
+ the dataplane. The specified delay defines the maximum amount
+ of time that the Calico CNI plugin will wait for policy to be
+ programmed. \n Only applies to pods created on Linux nodes.
+ \n * A value of 0 disables pod startup delays. \n Default: 0"
+ format: int32
+ type: integer
 mtu:
 description:
 MTU specifies the maximum transmission unit to use
@@ -1648,6 +1673,23 @@ spec:
 on interfaces that do not match the given regex.
 type: string
 type: object
+ sysctl:
+ description: Sysctl configures sysctl parameters for tuning plugin
+ items:
+ properties:
+ key:
+ enum:
+ - net.ipv4.tcp_keepalive_intvl
+ - net.ipv4.tcp_keepalive_probes
+ - net.ipv4.tcp_keepalive_time
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
 windowsDataplane:
 description:
 "WindowsDataplane is used to select the dataplane
@@ -2901,8 +2943,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the calico-node DaemonSet container by name.
+ Supported values are: calico-node"
 enum:
 - calico-node
 type: string
@@ -2972,7 +3015,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -2993,9 +3037,11 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the calico-node DaemonSet init container by
- name.
+ name. Supported values are: install-cni, hostpath-init,
+ flexvol-driver, mount-bpffs, node-certs-key-cert-provisioner,
+ calico-node-prometheus-server-tls-key-cert-provisioner"
 enum:
 - install-cni
 - hostpath-init
@@ -3070,7 +3116,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -4398,9 +4445,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the calico-node-windows DaemonSet container
- by name.
+ by name. Supported values are: calico-node-windows"
 enum:
 - calico-node-windows
 type: string
@@ -4470,7 +4517,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -4491,9 +4539,11 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the calico-node-windows DaemonSet init container
- by name.
+ by name. Supported values are: install-cni;hostpath-init,
+ flexvol-driver, mount-bpffs, node-certs-key-cert-provisioner,
+ calico-node-windows-prometheus-server-tls-key-cert-provisioner"
 enum:
 - install-cni
 - hostpath-init
@@ -4569,7 +4619,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -5971,7 +6022,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -6229,8 +6281,8 @@ spec:
 "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
- otherwise to an implementation-defined value. More info:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ otherwise to an implementation-defined value. Requests
+ cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -7544,9 +7596,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the csi-node-driver DaemonSet container by
- name.
+ name. Supported values are: csi-node-driver"
 enum:
 - csi-node-driver
 type: string
@@ -7614,7 +7666,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -7778,6 +7831,7 @@ spec:
 - OpenShift
 - DockerEnterprise
 - RKE2
+ - TKG
 type: string
 logging:
 description: Logging Configuration for Components
@@ -9446,8 +9500,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
- the typha Deployment container by name.
+ "Name is an enum which identifies
+ the typha Deployment container by name. Supported
+ values are: calico-typha"
 enum:
 - calico-typha
 type: string
@@ -9517,7 +9572,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -9538,8 +9594,9 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the typha Deployment init container by name.
+ Supported values are: typha-certs-key-cert-provisioner"
 enum:
 - typha-certs-key-cert-provisioner
 type: string
@@ -9609,7 +9666,8 @@ spec:
 If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined
- value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
+ value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
 type: object
 type: object
 required:
@@ -9781,16 +9839,21 @@ spec:
 x-kubernetes-map-type: atomic
 matchLabelKeys:
 description:
- MatchLabelKeys is a set of pod
+ "MatchLabelKeys is a set of pod
 label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the
- incoming pod. Keys that don't exist in the
- incoming pod labels will be ignored. A null
- or empty list means only match against labelSelector.
+ incoming pod. The same key is forbidden to
+ exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector
+ isn't set. Keys that don't exist in the incoming
+ pod labels will be ignored. A null or empty
+ list means only match against labelSelector.
+ \n This is a beta field and requires the MatchLabelKeysInPodTopologySpread
+ feature gate to be enabled (enabled by default)."
 items:
 type: string
 type: array
@@ -11340,9 +11403,10 @@ spec:
 properties:
 name:
 description:
- Name is an enum which identifies
+ "Name is an enum which identifies
 the calico-kube-controllers Deployment
- container by name.
+ container by name. Supported values are:
+ calico-kube-controllers"
 enum:
 - calico-kube-controllers
 type: string
@@ -11414,7 +11478,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: @@ -11548,6 +11613,14 @@ spec: if needed. items: properties: + allowedUses: + description: + AllowedUse controls what the IP pool will + be used for. If not specified or empty, defaults + to ["Tunnel", "Workload"] for back-compatibility + items: + type: string + type: array blockSize: description: "BlockSize specifies the CIDR prefex length @@ -11579,6 +11652,11 @@ spec: - VXLANCrossSubnet - None type: string + name: + description: + Name is the name of the IP pool. If omitted, + this will be generated. + type: string natOutgoing: description: "NATOutgoing specifies if NAT will be enabled @@ -11595,6 +11673,7 @@ spec: required: - cidr type: object + maxItems: 25 type: array linuxDataplane: description: @@ -11608,6 +11687,17 @@ spec: - BPF - VPP type: string + linuxPolicySetupTimeoutSeconds: + description: + "LinuxPolicySetupTimeoutSeconds delays new pods + from running containers until their policy has been programmed + in the dataplane. The specified delay defines the maximum + amount of time that the Calico CNI plugin will wait for + policy to be programmed. \n Only applies to pods created + on Linux nodes. \n * A value of 0 disables pod startup delays. + \n Default: 0" + format: int32 + type: integer mtu: description: MTU specifies the maximum transmission unit to 
@@ -11713,6 +11803,25 @@ spec: on interfaces that do not match the given regex. type: string type: object + sysctl: + description: + Sysctl configures sysctl parameters for tuning + plugin + items: + properties: + key: + enum: + - net.ipv4.tcp_keepalive_intvl + - net.ipv4.tcp_keepalive_probes + - net.ipv4.tcp_keepalive_time + type: string + value: + type: string + required: + - key + - value + type: object + type: array windowsDataplane: description: "WindowsDataplane is used to select the dataplane @@ -13062,9 +13171,9 @@ spec: properties: name: description: - Name is an enum which identifies + "Name is an enum which identifies the calico-node DaemonSet container by - name. + name. Supported values are: calico-node" enum: - calico-node type: string @@ -13136,7 +13245,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: @@ -13157,9 +13267,11 @@ spec: properties: name: description: - Name is an enum which identifies + "Name is an enum which identifies the calico-node DaemonSet init container - by name. + by name. Supported values are: install-cni, + hostpath-init, flexvol-driver, mount-bpffs, + node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner" enum: - install-cni - hostpath-init @@ -13236,7 +13348,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: 
@@ -14660,9 +14773,9 @@ spec: properties: name: description: - Name is an enum which identifies + "Name is an enum which identifies the calico-node-windows DaemonSet container - by name. + by name. Supported values are: calico-node-windows" enum: - calico-node-windows type: string @@ -14734,7 +14847,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: @@ -14756,9 +14870,12 @@ spec: properties: name: description: - Name is an enum which identifies + "Name is an enum which identifies the calico-node-windows DaemonSet init - container by name. + container by name. Supported values are: + install-cni;hostpath-init, flexvol-driver, + mount-bpffs, node-certs-key-cert-provisioner, + calico-node-windows-prometheus-server-tls-key-cert-provisioner" enum: - install-cni - hostpath-init @@ -14835,7 +14952,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: @@ -16333,7 +16451,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: 
@@ -16604,7 +16723,7 @@ spec: of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: @@ -18014,9 +18133,9 @@ spec: properties: name: description: - Name is an enum which identifies + "Name is an enum which identifies the csi-node-driver DaemonSet container - by name. + by name. Supported values are: csi-node-driver" enum: - csi-node-driver type: string @@ -18086,7 +18205,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: @@ -18253,6 +18373,7 @@ spec: - OpenShift - DockerEnterprise - RKE2 + - TKG type: string logging: description: Logging Configuration for Components @@ -20033,8 +20154,9 @@ spec: properties: name: description: - Name is an enum which identifies + "Name is an enum which identifies the typha Deployment container by name. + Supported values are: calico-typha" enum: - calico-typha type: string @@ -20106,7 +20228,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: 
@@ -20127,9 +20250,9 @@ spec: properties: name: description: - Name is an enum which identifies + "Name is an enum which identifies the typha Deployment init container by - name. + name. Supported values are: typha-certs-key-cert-provisioner" enum: - typha-certs-key-cert-provisioner type: string @@ -20201,7 +20324,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" type: object type: object required: @@ -20382,7 +20506,7 @@ spec: x-kubernetes-map-type: atomic matchLabelKeys: description: - MatchLabelKeys is a set of + "MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the @@ -20390,9 +20514,16 @@ spec: are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming - pod. Keys that don't exist in the incoming - pod labels will be ignored. A null or - empty list means only match against labelSelector. + pod. The same key is forbidden to exist + in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector + isn't set. Keys that don't exist in the + incoming pod labels will be ignored. A + null or empty list means only match against + labelSelector. \n This is a beta field + and requires the MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by + default)." items: type: string type: array diff --git a/charts/tigera-operator/templates/clusterrole.yaml b/charts/tigera-operator/templates/clusterrole.yaml index 55ebd282..20023bac 100644 --- a/charts/tigera-operator/templates/clusterrole.yaml +++ b/charts/tigera-operator/templates/clusterrole.yaml 
@@ -156,13 +156,24 @@ rules: - apiGroups: - crd.projectcalico.org resources: - - ippools - kubecontrollersconfigurations - bgpconfigurations verbs: - get - list - watch + - apiGroups: + - projectcalico.org + resources: + - ippools + verbs: + - create + - update + - delete + - patch + - get + - list + - watch - apiGroups: - projectcalico.org resources: @@ -225,27 +236,6 @@ rules: - get - create - delete - # Add the appropriate pod security policy permissions - - apiGroups: - - policy - resources: - - podsecuritypolicies - resourceNames: - - tigera-operator - verbs: - - use - - apiGroups: - - policy - resources: - - podsecuritypolicies - verbs: - - get - - list - - watch - - create - - update - - delete -# Add the permissions to monitor the status of certificatesigningrequests when certificate management is enabled. - apiGroups: - certificates.k8s.io resources:
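Review bot: The new `projectcalico.org` / `ippools` rule grants `create`, `update`, `delete` and `patch` on IP pools where the operator previously held only `get`, `list` and `watch` (under `crd.projectcalico.org`), and nothing in the hunk records why the write verbs are needed. Presumably this tracks the operator now managing IP pools itself (the `Installation` CRD gains `allowedUses`, `name` and `maxItems: 25` elsewhere in this commit), but a reader of the template cannot tell; a comment above the rule such as `# The operator creates and reconciles IP pools through the projectcalico.org API group` would make the privilege widening deliberate, and it is worth confirming the CHANGELOG entry for this release calls it out. Note also that `ippools` is removed from the `crd.projectcalico.org` read rule, so any path that still reads pools through the CRD group needs a grant outside this hunk — worth confirming before merge.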
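Review bot: Removing the PodSecurityPolicy block also deletes the comment `# Add the permissions to monitor the status of certificatesigningrequests when certificate management is enabled.`, which documented the `certificates.k8s.io` rule that follows and is kept; that line should be restored above `- apiGroups:` / `- certificates.k8s.io` so the surviving rule stays explained. Dropping `use` and the CRUD verbs on `podsecuritypolicies` is a welcome privilege reduction on clusters where PSP no longer exists, but if the chart's `kubeVersion` constraint (Chart.yaml is touched in this commit but not visible here) still admits releases that serve the `policy` PodSecurityPolicy API, the operator loses its PSP grant there — worth confirming the minimum supported version was raised to match.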