diff --git a/config/calico_versions.yml b/config/calico_versions.yml index e44bc9d272..775add984e 100644 --- a/config/calico_versions.yml +++ b/config/calico_versions.yml @@ -12,7 +12,9 @@ components: calico/kube-controllers: version: v3.23.4 flexvol: - version: v3.23.4 + # The v3.23 version of this image has CVEs due to outdated Go, and rebuilding this image with the latest golang is non-trivial. + # The v3.24.3 version of this image is built on newer Go, and lacks CVEs. The pod2daemon-flexvol code has not changed in years. + version: v3.24.3 calico/apiserver: version: v3.23.4 calico/windows-upgrade: diff --git a/config/common_versions.yml b/config/common_versions.yml index a1b8ff943c..260969f37b 100644 --- a/config/common_versions.yml +++ b/config/common_versions.yml @@ -1,5 +1,5 @@ -title: v1.1.3 +title: v1.1.4 components: key-cert-provisioner: image: tigera/key-cert-provisioner - version: v1.1.3 + version: v1.1.4 diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index f8130f8488..44551150c7 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml 
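Review bot: The comment added above `version: v3.24.3` for `flexvol` justifies the pin with "has CVEs" and "lacks CVEs" but names no CVE IDs, scan report or scan date, so a later reader cannot re-check whether the exception is still needed or still true. The pin also leaves flexvol one minor release ahead of the other entries visible in this hunk (all v3.23.4). The matching bump of `ComponentFlexVolume` in `pkg/components/calico.go` carries no explanation at all, so a routine v3.23.x bulk bump or regeneration could silently move it back to the image built with the older Go. I would extend the comment along the lines of `# Pinned ahead of the v3.23.x line for <CVE-IDs or scan report link>; no known CVEs as of <scan date>. Do not lower; remove this note once all calico components are >= v3.24.` The statement that the pod2daemon-flexvol code is unchanged is what makes the cross-release pin safe, so it is worth confirming against the two tags before merge rather than relying on the comment.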
@@ -1,135 +1,135 @@ # Components defined here are required to be kept in sync with hack/gen-versions/enterprise.go.tpl -title: v3.14.2 +title: v3.14.3 components: libcalico-go: - version: v3.14.2 + version: v3.14.3 cnx-manager: image: tigera/cnx-manager - version: v3.14.2 + version: v3.14.3 voltron: image: tigera/voltron - version: v3.14.2 + version: v3.14.3 cnx-apiserver: image: tigera/cnx-apiserver - version: v3.14.2 + version: v3.14.3 cnx-queryserver: image: tigera/cnx-queryserver - version: v3.14.2 + version: v3.14.3 cnx-kube-controllers: image: tigera/kube-controllers - version: v3.14.2 + version: v3.14.3 typha: image: tigera/typha - version: v3.14.2 + version: v3.14.3 cnx-node: image: tigera/cnx-node - version: v3.14.2 + version: v3.14.3 fluentd: image: tigera/fluentd - version: v3.14.2 + version: v3.14.3 fluentd-windows: image: tigera/fluentd-windows - version: v3.14.2 + version: v3.14.3 es-proxy: image: tigera/es-proxy - version: v3.14.2 + version: v3.14.3 es-gateway: image: tigera/es-gateway - version: v3.14.2 + version: v3.14.3 dex: image: tigera/dex - version: v3.14.2 + version: v3.14.3 eck-kibana: version: 7.16.2 kibana: image: tigera/kibana - version: v3.14.2 + version: v3.14.3 eck-elasticsearch: version: 7.16.2 elasticsearch: image: tigera/elasticsearch - version: v3.14.2 + version: v3.14.3 elastic-tsee-installer: image: tigera/intrusion-detection-job-installer - version: v3.14.2 + version: v3.14.3 es-curator: image: tigera/es-curator - version: v3.14.2 + version: v3.14.3 intrusion-detection-controller: image: tigera/intrusion-detection-controller - version: v3.14.2 + version: v3.14.3 anomaly_detection_jobs: image: tigera/anomaly_detection_jobs - version: v3.14.2 + version: v3.14.3 anomaly-detection-api: image: tigera/anomaly-detection-api - version: v3.14.2 + version: v3.14.3 compliance-controller: image: tigera/compliance-controller - version: v3.14.2 + version: v3.14.3 compliance-reporter: image: tigera/compliance-reporter - version: v3.14.2 + 
version: v3.14.3 compliance-snapshotter: image: tigera/compliance-snapshotter - version: v3.14.2 + version: v3.14.3 compliance-server: image: tigera/compliance-server - version: v3.14.2 + version: v3.14.3 compliance-benchmarker: image: tigera/compliance-benchmarker - version: v3.14.2 + version: v3.14.3 guardian: image: tigera/guardian - version: v3.14.2 + version: v3.14.3 tigera-cni: image: tigera/cni - version: v3.14.2 + version: v3.14.3 cloud-controllers: image: tigera/cloud-controllers - version: v3.14.2 + version: v3.14.3 elasticsearch-metrics: image: tigera/elasticsearch-metrics - version: v3.14.2 + version: v3.14.3 packetcapture-api: image: tigera/packetcapture-api - version: v3.14.2 + version: v3.14.3 # coreos-prometheus holds the version of prometheus built for tigera/prometheus, # which prometheus operator uses to validate. coreos-prometheus: - version: v2.32.0 + version: v2.32.1 prometheus: image: tigera/prometheus - version: v3.14.2 + version: v3.14.3 # coreos-prometheus holds the version of alertmanager built for tigera/alertmanager, # which prometheus operator uses to validate. coreos-alertmanager: version: v0.23.0 alertmanager: image: tigera/alertmanager - version: v3.14.2 + version: v3.14.3 tigera-prometheus-service: image: tigera/prometheus-service - version: v3.14.2 + version: v3.14.3 deep-packet-inspection: image: tigera/deep-packet-inspection - version: v3.14.2 + version: v3.14.3 windows-upgrade: image: tigera/calico-windows-upgrade - version: v3.14.2 + version: v3.14.3 # The components below are third-party images that have been retagged under # quay.io/tigera so all enterprise images come from the same repository and org. 
elasticsearch-operator: image: tigera/eck-operator - version: v3.14.2 + version: v3.14.3 eck-elasticsearch-operator: version: 1.8.0 l7-collector: image: tigera/l7-collector - version: v3.14.2 + version: v3.14.3 envoy: image: tigera/envoy - version: v3.14.2 + version: v3.14.3 dikastes: image: tigera/dikastes - version: v3.14.2 + version: v3.14.3 diff --git a/pkg/components/calico.go b/pkg/components/calico.go index 9b741ddda4..08e3267d86 100644 --- a/pkg/components/calico.go +++ b/pkg/components/calico.go @@ -43,7 +43,7 @@ var ( } ComponentFlexVolume = component{ - Version: "v3.23.4", + Version: "v3.24.3", Image: "calico/pod2daemon-flexvol", } diff --git a/pkg/components/common.go b/pkg/components/common.go index af4502e341..6517907ff7 100644 --- a/pkg/components/common.go +++ b/pkg/components/common.go @@ -16,7 +16,7 @@ package components var ( ComponentCSRInitContainer = component{ - Version: "v1.1.3", + Version: "v1.1.4", Image: "tigera/key-cert-provisioner", } CommonComponents = []component{ diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 858b8031e5..58df5b9392 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go 
@@ -18,40 +18,40 @@ package components var ( - EnterpriseRelease string = "v3.14.2" + EnterpriseRelease string = "v3.14.3" ComponentAPIServer = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/cnx-apiserver", } ComponentComplianceBenchmarker = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/compliance-benchmarker", } ComponentComplianceController = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/compliance-controller", } ComponentComplianceReporter = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/compliance-reporter", } ComponentComplianceServer = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/compliance-server", } ComponentComplianceSnapshotter = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/compliance-snapshotter", } ComponentDeepPacketInspection = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/deep-packet-inspection", } @@ -66,12 +66,12 @@ var ( } ComponentElasticTseeInstaller = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/intrusion-detection-job-installer", } ComponentElasticsearch = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/elasticsearch", } 
@@ -81,107 +81,107 @@ var ( } ComponentElasticsearchOperator = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/eck-operator", } ComponentEsCurator = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/es-curator", } ComponentEsProxy = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/es-proxy", } ComponentESGateway = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/es-gateway", } ComponentFluentd = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/fluentd", } ComponentFluentdWindows = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/fluentd-windows", } ComponentGuardian = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/guardian", } ComponentIntrusionDetectionController = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/intrusion-detection-controller", } ComponentAnomalyDetectionJobs = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/anomaly_detection_jobs", } ComponentAnomalyDetectionAPI = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/anomaly-detection-api", } ComponentKibana = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/kibana", } ComponentManager = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/cnx-manager", } ComponentDex = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/dex", } ComponentManagerProxy = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/voltron", } ComponentPacketCapture = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/packetcapture-api", } ComponentL7Collector = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/l7-collector", } ComponentEnvoyProxy = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/envoy", } ComponentDikastes = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: 
"tigera/dikastes", } ComponentCoreOSPrometheus = component{ - Version: "v2.32.0", + Version: "v2.32.1", Image: "tigera/prometheus", } ComponentPrometheus = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/prometheus", } ComponentTigeraPrometheusService = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/prometheus-service", } @@ -191,47 +191,47 @@ var ( } ComponentPrometheusAlertmanager = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/alertmanager", } ComponentQueryServer = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/cnx-queryserver", } ComponentTigeraKubeControllers = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/kube-controllers", } ComponentTigeraNode = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/cnx-node", } ComponentTigeraTypha = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/typha", } ComponentTigeraCNI = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/cni", } ComponentCloudControllers = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/cloud-controllers", } ComponentElasticsearchMetrics = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/elasticsearch-metrics", } ComponentTigeraWindowsUpgrade = component{ - Version: "v3.14.2", + Version: "v3.14.3", Image: "tigera/calico-windows-upgrade", } EnterpriseComponents = []component{ diff --git a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml index b476ffa7af..f11b7fb964 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml 
@@ -121,6 +121,11 @@ spec: node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]' type: string + bpfHostConntrackBypass: + description: 'BPFHostConntrackBypass Controls whether to bypass Linux + conntrack in BPF mode for workloads and services. [Default: true + - bypass Linux conntrack]' + type: boolean bpfKubeProxyEndpointSlicesEnabled: description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not. @@ -492,7 +497,6 @@ spec: are auto-detected. type: string floatingIPs: - default: Disabled description: FloatingIPs configures whether or not Felix will program floating IP addresses. enum: @@ -1132,8 +1136,8 @@ spec: type: boolean vxlanEnabled: description: 'VXLANEnabled overrides whether Felix should create the - VXLAN tunnel device for VXLAN networking. Optional as Felix determines - this based on the existing IP pools. [Default: nil (unset)]' + VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix + determines this based on the existing IP pools. [Default: nil (unset)]' type: boolean vxlanMTU: description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel