From 870e916d626ba94c2b6c846899e82cf6a593c36c Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Sun, 18 Feb 2024 10:32:08 +0200 Subject: [PATCH 1/2] Update Calico to v3.27.3 --- .../k8s-1.25.yaml.template | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template index 75dbd8f0d5..c1f8ae1113 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template @@ -1,4 +1,4 @@ -# Pulled and modified from: https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico-typha.yaml +# Pulled and modified from: https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico-typha.yaml --- {{- if .Networking.Calico.BPFEnabled }} # Set these to the IP and port of your API server; In BPF mode, we need to connect directly to the @@ -1101,6 +1101,13 @@ spec: Loose]' pattern: ^(?i)(Disabled|Strict|Loose)?$ type: string + bpfExcludeCIDRsFromNAT: + description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to + be excluded from NAT resolution so that host can handle them. A + typical usecase is node local DNS cache. + items: + type: string + type: array bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local 
@@ -4837,7 +4844,7 @@ spec:
 # It can be deleted if this is a fresh installation, or if you have already
 # upgraded to use calico-ipam.
 - name: upgrade-ipam
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.27.0" }}
+ image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.27.3" }}
 imagePullPolicy: IfNotPresent
 command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
 envFrom:
@@ -4866,7 +4873,7 @@ spec:
 # This container installs the CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.27.0" }}
+ image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.27.3" }}
 imagePullPolicy: IfNotPresent
 command: ["/opt/cni/bin/install"]
 envFrom:
@@ -4909,7 +4916,7 @@ spec:
 # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
 # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
 - name: "mount-bpffs"
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.27.0" }}
+ image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.27.3" }}
 imagePullPolicy: IfNotPresent
 command: ["calico-node", "-init", "-best-effort"]
 volumeMounts:
@@ -4935,7 +4942,7 @@ spec:
 # container programs network policy and routes on each
 # host.
 - name: calico-node
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.27.0" }}
+ image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.27.3" }}
 imagePullPolicy: IfNotPresent
 envFrom:
 - configMapRef:
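Review bot: The bumped default image references are still tag-only, starting with `calico/cni:{{ or .Networking.Calico.Version "v3.27.3" }}` in the upgrade-ipam hunk and repeated for install-cni, mount-bpffs, calico-node, calico-kube-controllers and calico-typha. Combined with `imagePullPolicy: IfNotPresent`, each node keeps whatever content the registry served for that tag at first pull, and nothing visible in these hunks binds the tag to the image the upgrade was tested against. Because these containers install CNI binaries and program network policy and routes on each host (per the context comments), consider a digest-pinned default of the form `calico/node:v3.27.3@sha256:<digest-from-upstream-release>`, with registry mirrors expected to preserve the digest. The `manifestHash` values regenerated in the second patch appear to cover the rendered manifest text only, so they would not detect a changed image behind the same tag. The enclosing workload specs start and end outside these hunks.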
@@ -5264,7 +5271,7 @@ spec:
 priorityClassName: system-cluster-critical
 containers:
 - name: calico-kube-controllers
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.27.0" }}
+ image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.27.3" }}
 imagePullPolicy: IfNotPresent
 env:
 # Choose which controllers to run.
@@ -5354,7 +5361,7 @@ spec:
 securityContext:
 fsGroup: 65534
 containers:
- - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.27.0" }}
+ - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.27.3" }}
 imagePullPolicy: IfNotPresent
 name: calico-typha
 ports:
From b5813b2a77cca14637f2d7ff33818a06bb70190e Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Sun, 18 Feb 2024 10:55:48 +0200
Subject: [PATCH 2/2] hack/update-expected.sh
---
 ...al-ipv6.example.com-addons-bootstrap_content | 2 +-
 ...etworking.projectcalico.org-k8s-1.25_content | 15 +++++++++++----
 ...ecalico.example.com-addons-bootstrap_content | 2 +-
 ...etworking.projectcalico.org-k8s-1.25_content | 17 ++++++++++++-----
 4 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
index 207f19010a..dc1c21c7f6 100644
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
@@ -106,7 +106,7 @@ spec: version: 9.99.0 - id: k8s-1.25 manifest: networking.projectcalico.org/k8s-1.25.yaml - manifestHash: 77dd86f0456cd77fd3209ee5e2a992443e8c2caeca038f1d00645271d0e9689f + manifestHash: 554c99dd8abc16860278375424f914ab819f3ea0ce16654b8dda2e51e06080c4 name: networking.projectcalico.org prune: kinds: diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content index 43bf06e10a..b42de118b8 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content @@ -1114,6 +1114,13 @@ spec: Loose]' pattern: ^(?i)(Disabled|Strict|Loose)?$ type: string + bpfExcludeCIDRsFromNAT: + description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to + be excluded from NAT resolution so that host can handle them. A + typical usecase is node local DNS cache. + items: + type: string + type: array bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local @@ -4981,7 +4988,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.27.0 + image: docker.io/calico/node:v3.27.3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -5061,7 +5068,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.27.0 + image: docker.io/calico/cni:v3.27.3 imagePullPolicy: IfNotPresent name: install-cni securityContext: 
@@ -5075,7 +5082,7 @@ spec: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.27.0 + image: docker.io/calico/node:v3.27.3 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: @@ -5198,7 +5205,7 @@ spec: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.27.0 + image: docker.io/calico/kube-controllers:v3.27.3 imagePullPolicy: IfNotPresent livenessProbe: exec: diff --git a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content index 74199e84e6..4c24bd6f28 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content @@ -106,7 +106,7 @@ spec: version: 9.99.0 - id: k8s-1.25 manifest: networking.projectcalico.org/k8s-1.25.yaml - manifestHash: cc27531722191b2f6724cf77ce9dc70f827479e074616e90a8006689065f9761 + manifestHash: 2ba3f766420e62e454cdf6462f3cf1e01c0be716ec3309c441ab2c9249413f87 name: networking.projectcalico.org prune: kinds: diff --git a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content index dd86868d8c..fa262326b0 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content +++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content 
@@ -1113,6 +1113,13 @@ spec: Loose]' pattern: ^(?i)(Disabled|Strict|Loose)?$ type: string + bpfExcludeCIDRsFromNAT: + description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to + be excluded from NAT resolution so that host can handle them. A + typical usecase is node local DNS cache. + items: + type: string + type: array bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local @@ -4976,7 +4983,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.27.0 + image: docker.io/calico/node:v3.27.3 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -5050,7 +5057,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.27.0 + image: docker.io/calico/cni:v3.27.3 imagePullPolicy: IfNotPresent name: upgrade-ipam securityContext: @@ -5085,7 +5092,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.27.0 + image: docker.io/calico/cni:v3.27.3 imagePullPolicy: IfNotPresent name: install-cni securityContext: @@ -5099,7 +5106,7 @@ spec: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.27.0 + image: docker.io/calico/node:v3.27.3 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: @@ -5225,7 +5232,7 @@ spec: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.27.0 + image: docker.io/calico/kube-controllers:v3.27.3 imagePullPolicy: IfNotPresent livenessProbe: exec: