tigera/operator v1.32.1

on GitHub

01 Dec 2023

Included Calico versions

Calico Enterprise version: v3.18.0-2.0

Note: Operator v1.32.0 was never released due to a CI issue, and Operator v1.32.1 is being released to resolve this issue. Thus, the below release notes cover the release which would have been v1.32.0. No changes were introduced in v1.32.1 beyond the CI resolution, which is documented in PR #3034.

Enhancements

• [Calico Enterprise] Add some common content-types expected in micro-service traffic #2839 (@peterkellydev)

Other changes

• Fix! Delete Rolebind from toDelete objects #3028 (@asincu)
• [cherry-pick][1.32] Allow linseed to read secrets in tigera-operator namespace (#3024) #3027 (@asincu)
• Change rollout settings for Fluentd to speed up rollout. #3026 (@rene-dekker)
• [cherry-pick][v.32] Allow linseed to query managed clusters and set REQUIRE_TENANT_CLAIM #3025 (@asincu)
• Allow linseed to read secrets in tigera-operator namespace #3024 (@asincu)
• Enable REQUIRE_TENANT_CLAIM check for all multi-tenancy setups #3023 (@asincu)
• Allow get managed clusters for a cluster id for tigera-linseed using … #3020 (@asincu)
• A few minor cleanups #3019 (@caseydavenport)
• [RS-1431] Allow tigera-network-admin to create secrets #3017 (@gantony)
• Fix push-manifests Makefile target #3015 (@hjiawei)
• [RS-1431] Allow UI admin user to create and patch webhooks-secret #3014 (@gantony)
• Bump calico/go-build to v0.90 #3013 (@hjiawei)
• [RS-1379] RBAC for securityevernwebhooks for the UI. #3009 (@bartolini)
• Additional external ES changes #3008 (@caseydavenport)
• [cherry-pick][1.32] Enable OIDC for multi-tenant setup (#2989) #3006 (@asincu)
• Cherry-pick ebpf ipv6 #3005 (@sridhartigera)
• Automated cherry pick of #2994: Allow operations on felixconfigurations in tigera #3003 (@rene-dekker)
• Update base image and dependencies #3001 (@Behnam-Shobiri)
• [RS-1446] - Cherry pick delete permission for WAF UI #3000 (@mikestephen)
• [RS-1446] - WAF UI needs permission to delete applicationlayers resources #2999 (@mikestephen)
• Pick to v1.32 [EV-4356] createPredicateForObject should react if the generation isn't set #2998 (@electricjesus)
• Allow operations on felixconfigurations in tigera clusterroles in ord… #2994 (@rene-dekker)
• [release-v1.32] Auto pick #2990: Use trusted bundle with root CAs for multi-tenant manager #2993 (@caseydavenport)
• [EV-4356] createPredicateForObject should react if the generation isn… #2992 (@dimitri-nicolo)
• Use trusted bundle with root CAs for multi-tenant manager pods #2990 (@caseydavenport)
• Enable OIDC for multi-tenant setup #2989 (@asincu)
• EV-4126 Add watch for tenant controller #2987 (@vara2504)
• [cherry-pick][v1.32] Es-proxy reached K8S api via Voltron (#2985) #2986 (@asincu)
• Es-proxy reaches K8S api via Voltron #2985 (@asincu)
• Apiserver render, protect against uninitialized Installation resource #2984 (@tmjd)
• [cherry-pick][1.32] Ability to configure per-tenant index names (#2894) #2982 (@asincu)
• Per-tenant elasticsearch configuration #2981 (@caseydavenport)
• Cherry-pick #2975 Add tenant namespace check for multitenant #2980 (@vara2504)
• [release-v1.32] Auto pick #2978: Remove old controller ref for Voltron secret #2979 (@caseydavenport)
• Remove old controller ref for Voltron secret #2978 (@caseydavenport)
• Fix csi daemonset validation #2977 (@tmjd)
• [RS-1209] Webhooks processor deployment in the operator. #2976 (@bartolini)
• Add tenant namespace check for multitenant #2975 (@vara2504)
• [release 1.32] Update x/net #2971 (@Behnam-Shobiri)
• Bump golang.org/x/net from 0.8.0 to 0.17.0 #2970 (@dependabot[bot])
• Update BGPFilter CRD in OS #2966 (@mazdakn)
• Update EE CRDs #2965 (@coutinhop)
• Update CRDs for OSS and enterprise #2964 (@coutinhop)
• [EV-4308] update kb and elastic to 7.17.14 #2956 (@ti-afra)
• [EV-4308] update kb and elastic to 7.17.14 #2955 (@ti-afra)
• [Release v1.32] Update BGPFitler CRDs #2952 (@mazdakn)
• (master) Management cluster installation fixes #2948 (@pasanw)
• Management cluster installation fixes #2947 (@pasanw)
• [release-v1.32] Auto pick #2944: Include tenant namespaces in DNS access policies #2946 (@caseydavenport)
• Changes to support ebpf and ipv6 #2945 (@sridhartigera)
• Include tenant namespaces in DNS access policies #2944 (@caseydavenport)
• Update CRDs and commit #2943 (@rene-dekker)
• Cherry-pick elastic users cleanup controller #2942 (@Josh-Tigera)
• [cherry-pick][1.32] Various fixes for multi-tenancy (#2936) #2941 (@asincu)
• Automated cherry pick of #2938: Add a label to the prometheus service, so it can be #2939 (@rene-dekker)
• Add a label to the prometheus service, so it can be referenced in Ser… #2938 (@rene-dekker)
• Various fixes for multi-tenancy #2936 (@asincu)
• Add fluentd-windows prometheus metrics support #2931 (@coutinhop)
• Update apiserver controller to handle old voltron cert format #2924 (@tmjd)
• Guard AD PSP deletion #2918 (@pasanw)
• Add Windows HPC EE support #2914 (@coutinhop)
• Code review feedback #2904 (@caseydavenport)
• Downgrade confusing log #2902 (@caseydavenport)
• Update k8s.io/ to newer patch #2901 (@caseydavenport)
• Linseed single index support #2900 (@caseydavenport)
• [CI-1334] update dns svc discovery for rke2 (#2895) #2898 (@ti-afra)
• Ability to configure per-tenant index names #2894 (@asincu)
• Add egressgatewaypolicies to node RBAC #2893 (@mazdakn)
• Add RBAC for DPI when a management cluster is spin up #2884 (@asincu)
• Remove csr rbac creation from wrong controller; intrusiondetection_co… #2880 (@rene-dekker)
• Remove duplicate code #2878 (@rene-dekker)
• Cluster name will be set by Voltron for a managed cluster #2875 (@asincu)
• update kb & elastic to 7.17.13 #2870 (@ti-afra)
• Fix certificate management due to missing volumemount #2866 (@rene-dekker)
• [EV-3914] Set the controller manager cache RESTMapper back to the DynamicRESTMapper (default changed on k8s upgrade) #2861 (@Brian-McM)
• Fix! Tenant CA secrets needs to be rendered #2860 (@asincu)
• Use baseline PSS for tigera-kibana namespace #2859 (@hjiawei)
• Fix! LogStorage name for tigera-status cannot contain special characters #2856 (@asincu)
• Various multi-tenancy fixes and cleanups #2846 (@caseydavenport)
• Use tenant ID as SAN for tunnel connection #2840 (@asincu)
• Multi-tenant management clusters #2833 (@caseydavenport)
• Relax Linseed Policy in case we have DPI installed #2831 (@asincu)
• Fix for what looks like a copy-paste error #2824 (@rene-dekker)
• update coreruleset to 3.3.5 #2821 (@electricjesus)
• fix policyrecommendationscopes failing dirty-check #2818 (@electricjesus)
• go generate pkg/render/applicationlayer #2816 (@electricjesus)
• [ci-1299][ev-4068] Fix watch that is monitoring the wrong namespace #2814 (@rene-dekker)
• Internal-manager-tls should contain only K8S services #2810 (@asincu)
• Use default non-root SecurityContext for manager #2809 (@hjiawei)
• Automated cherry pick of #2802: Create internal manager tls inside of manager_controller #2806 (@rene-dekker)
• Remove duplicate Felix Health Port for Openshift #2795 (@rene-dekker)
• Ensure logstorage controller is not blocked on certs that need to be updated by other controllers #2790 (@tmjd)
• Add SecurityContext for Prometheus service container #2784 (@hjiawei)
• Fix for EGW deployment in openshift 4.13 #2779 (@sridhartigera)
• Cert fix #2775 (@tmjd)
• update CRD (OSS felixConfiguration) #2765 (@ti-afra)
• update CRD (felixConfiguration) #2759 (@ti-afra)
• Add .PHONY for ut target and ignore ut folder #2758 (@hjiawei)
• Add PSPs for dex and policy recommendation #2757 (@hjiawei)
• Replace github.com/ghodss/yaml with sigs.k8s.io/yaml #2755 (@Juneezee)
• Add watch for managed cluster linseed cert in compliance #2753 (@tmjd)