diff --git a/charts/internal/calico/templates/custom-resource-definition/crd-bgppeers.yaml b/charts/internal/calico/templates/custom-resource-definition/crd-bgppeers.yaml index da3c7f76..7ca87186 100644 --- a/charts/internal/calico/templates/custom-resource-definition/crd-bgppeers.yaml +++ b/charts/internal/calico/templates/custom-resource-definition/crd-bgppeers.yaml @@ -66,7 +66,7 @@ spec: numAllowedLocalASNumbers: description: Maximum number of local AS numbers that are allowed in the AS path for received routes. This removes BGP loop prevention - and should only be used if absolutely necesssary. + and should only be used if absolutely necessary. format: int32 type: integer password: diff --git a/charts/internal/calico/templates/custom-resource-definition/crd-felixconfigurations.yaml b/charts/internal/calico/templates/custom-resource-definition/crd-felixconfigurations.yaml index 87eafcd9..9e2a61c9 100644 --- a/charts/internal/calico/templates/custom-resource-definition/crd-felixconfigurations.yaml +++ b/charts/internal/calico/templates/custom-resource-definition/crd-felixconfigurations.yaml @@ -170,8 +170,9 @@ spec: - Disabled type: string bpfKubeProxyEndpointSlicesEnabled: - description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls - whether Felix's embedded kube-proxy accepts EndpointSlices or not. + description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has + no effect. BPF kube-proxy always accepts endpoint slices. This option + will be removed in the next release. type: boolean bpfKubeProxyIptablesCleanupEnabled: description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF 
@@ -290,11 +291,23 @@ spec: type: string debugDisableLogDropping: type: boolean + debugHost: + description: DebugHost is the host IP or hostname to bind the debug + port to. Only used if DebugPort is set. [Default:localhost] + type: string debugMemoryProfilePath: type: string + debugPort: + description: DebugPort if set, enables Felix's debug HTTP port, which + allows memory and CPU profiles to be retrieved. The debug port + is not secure, it should not be exposed to the internet. + type: integer debugSimulateCalcGraphHangAfter: pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + debugSimulateDataplaneApplyDelay: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string debugSimulateDataplaneHangAfter: pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string @@ -334,6 +347,12 @@ spec: type: string endpointReportingEnabled: type: boolean + endpointStatusPathPrefix: + description: "EndpointStatusPathPrefix is the path to the directory + where endpoint status will be written. Endpoint status file reporting + is disabled if field is left empty. \n Chosen directory should match + the directory used by the CNI for PodStartupDelay. [Default: \"\"]" + type: string externalNodesList: description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have the tunneled traffic be @@ -605,7 +624,7 @@ spec: description: 'MetadataAddr is the IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu, - nova-api-metadata). A value of none (case insensitive) means that + nova-api-metadata). A value of none (case-insensitive) means that Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]' type: string 
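Review bot: The new `debugPort` property in the `@@ -290,11 +291,23 @@` hunk is a bare `type: integer` and `debugHost` is an unconstrained `type: string`, although the description itself says the debug port is not secure and the documented default bind is localhost. Consider bounding the port in the schema with `minimum: 0` and `maximum: 65535`; if this CRD is synced verbatim from upstream Calico (it looks generated), the constraint belongs upstream instead of in a local edit. Separately from the schema, anyone who can write FelixConfiguration can now enable the profiling endpoint and, through `debugHost`, bind it to a non-loopback address. It is worth confirming that write access to this resource is tightly restricted and that the chart never sets `debugHost` to anything other than the default. The enclosing `spec` properties block starts and ends outside the hunk.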
diff --git a/charts/internal/calico/templates/custom-resource-definition/crd-globalnetworkpolicies.yaml b/charts/internal/calico/templates/custom-resource-definition/crd-globalnetworkpolicies.yaml index dc8c6238..80c9a158 100644 --- a/charts/internal/calico/templates/custom-resource-definition/crd-globalnetworkpolicies.yaml +++ b/charts/internal/calico/templates/custom-resource-definition/crd-globalnetworkpolicies.yaml 
@@ -820,17 +820,17 @@ spec: any DNAT. type: boolean selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + description: "The selector is an expression used to pick out the endpoints + that the policy should be applied to. \n Selector expressions follow + this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\" \tlabel != \"string_literal\" -> not + equal; also matches if label is not present \tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\" + \thas(label_name) -> True if that label is present \t! expr -> + negation of expr \texpr && expr -> Short-circuit and \texpr || + expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples diff --git a/charts/internal/calico/templates/custom-resource-definition/crd-networkpolicies.yaml b/charts/internal/calico/templates/custom-resource-definition/crd-networkpolicies.yaml index 0576d2db..f146e605 100644 
--- a/charts/internal/calico/templates/custom-resource-definition/crd-networkpolicies.yaml +++ b/charts/internal/calico/templates/custom-resource-definition/crd-networkpolicies.yaml @@ -801,17 +801,17 @@ spec: type: string type: array selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + description: "The selector is an expression used to pick out the endpoints + that the policy should be applied to. \n Selector expressions follow + this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\" \tlabel != \"string_literal\" -> not + equal; also matches if label is not present \tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\" + \thas(label_name) -> True if that label is present \t! expr -> + negation of expr \texpr && expr -> Short-circuit and \texpr || + expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples 
diff --git a/charts/internal/calico/templates/node/clusterrole-calico-node.yaml b/charts/internal/calico/templates/node/clusterrole-calico-node.yaml index b57af9e9..5f7cc514 100644 --- a/charts/internal/calico/templates/node/clusterrole-calico-node.yaml +++ b/charts/internal/calico/templates/node/clusterrole-calico-node.yaml @@ -111,7 +111,7 @@ rules: - create - update # Calico must update some CRDs. - - apiGroups: [ "crd.projectcalico.org" ] + - apiGroups: ["crd.projectcalico.org"] resources: - caliconodestatuses verbs: diff --git a/imagevector/images.yaml b/imagevector/images.yaml index 95984406..86dffcbc 100644 --- a/imagevector/images.yaml +++ b/imagevector/images.yaml @@ -2,7 +2,7 @@ images: - name: calico-node sourceRepository: github.com/projectcalico/calico repository: quay.io/calico/node - tag: v3.27.4 + tag: v3.28.2 labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -15,7 +15,7 @@ images: - name: calico-cni sourceRepository: github.com/projectcalico/cni-plugin repository: quay.io/calico/cni - tag: v3.27.4 + tag: v3.28.2 labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -28,7 +28,7 @@ images: - name: calico-typha sourceRepository: github.com/projectcalico/typha repository: quay.io/calico/typha - tag: v3.27.4 + tag: v3.28.2 labels: - name: cloud.gardener.cnudie/dso/scanning-hints/binary_id/v1 value: @@ -45,7 +45,7 @@ images: - name: calico-kube-controllers sourceRepository: github.com/projectcalico/kube-controllers repository: quay.io/calico/kube-controllers - tag: v3.27.4 + tag: v3.28.2 labels: - name: 'gardener.cloud/cve-categorisation' value: