tigera/operator v1.34.0

on GitHub

10 May 2024

Included Calico versions

Calico version: v3.28.0
Calico Enterprise version: v3.19.0-2.0

Enhancements

• Prototype: IP pool controller #3253 (@caseydavenport)
• IP pool controller for more powerful IP pool UX #2658 (@caseydavenport)

Bug fixes

• Fix autodetection of current RKE2 #3168 (@nelljerram)

Other changes

• Update prometheus operator permissions to v0.73.2 #3338 (@rene-dekker)
• Update ILM policy when warm index readonly setting changes #3336 (@gantony)
• Name Packet capture operator v1 CRD as PacketCaptureAPI #3335 (@vara2504)
• Update ILM policy to keep warm tigera_secure_ee_events indices writable #3330 (@gantony)
• Fix annotation data ordering issues from k8s listing in #3328 (@Brian-McM)
• move packet capture watch inside enterpriseCRD exist check #3324 (@vara2504)
• Rev Go to v1.22, Kubernetes to v1.28.9 #3317 (@fasaxc)
• Fix annotations for voltron tls route configuration (too long #3315 (@Brian-McM)
• Remove cloud-controller references #3312 (@gantony)
• Fix security-context for apiserver - audit logs are supported only in Enterprise version #3310 (@mihivagyok)
• Added Add HSTS header to dex and upgrade to 2.39 #3305 (@vara2504)
• Fix broken policy rec req limit reconcilation #3303 (@vara2504)
• Send the list of all ips to egress gateway to support dual stack #3301 (@mazdakn)
• The dashboard name has changed in the installer repo, change #3297 (@rene-dekker)
• Add egress rule to allow dashboards to connect to external Kibana #3295 (@asincu)
• Remove elastic secrets dependency for compliance and only deploy server in a multi-tenant environment #3289 (@asincu)
• Deprecate AWS SG integeration #3279 (@vara2504)
• Remove special key-cert-provisioner image code #3278 (@rene-dekker)
• Make monitor controller aware that there are multi tenant options #3274 (@asincu)
• Switch the backoff to use Ticker #3273 (@tmjd)
• Move Encapsulation validation into IP pool controller #3268 (@caseydavenport)
• Fix secret not available messages #3263 (@rene-dekker)
• Allow intrusion-detection-controller to read alert exceptions #3257 (@gantony)
• Fix setting of resources for the CSI node driver #3255 (@caseydavenport)
• Add container name in comments for Deployments,daemonset and other resources #3250 (@vara2504)
• Disable keep alive for the elasticsearch client #3238 (@Brian-McM)
• Cleanups based on move from coreruleset 3.3.5 to 4.x #3237 (@electricjesus)
• Remove bpf dual stack validation #3236 (@sridhartigera)
• Update libs to patch CVEs #3232 (@rene-dekker)
• Enable Dashboards Controller to know when running in external or internal elastic mode #3231 (@asincu)
• Grant es-kube-controller access managed service per tenant #3230 (@asincu)
• Make resource requests/limits configurable for tigera-guardian #3225 (@vara2504)
• Make resource requests/limits configurable for KB, prometheus, Alert Manager #3224 (@vara2504)
• Fix features annotations #3222 (@lwr20)
• Make resource requests/limits configurable for Application Layer #3216 (@vara2504)
• Set tenant ID for intrusion detection #3214 (@asincu)
• Update elastic stack versions #3211 (@rene-dekker)
• Update the CRDs #3210 (@rene-dekker)
• Make resource requests/limits configurable for compliance components #3209 (@vara2504)
• Move test utilities to test package from utils folder to move ginkgo v1 import #3208 (@Brian-McM)
• Make resource requests/limits configurable for logstorage components #3207 (@vara2504)
• Make resource requests/limits configurable for Logcollector #3206 (@vara2504)
• Make resource request/limits configurable for dex,IDC #3205 (@vara2504)
• Configure voltron routes with TLS Route CRs #3199 (@Brian-McM)
• Filter 'openshift-' namespace from policy recommendation #3196 (@dimitri-nicolo)
• PolicyRecommendation controller overwrites tigera-ca bundle per tenant #3191 (@asincu)
• Add priorityClassName to EgressGateway CRD #3190 (@mazdakn)
• Fix expected files for waf #3189 (@electricjesus)
• Namespace migration - Fix potential namespace migration problem with one node cluster #3188 (@mihivagyok)
• Adds PolicySetupTimeoutSeconds option to CalicoNetwork #3186 (@aaaaaaaalex)
• Sort logstorage secrets map to ensure consistent order #3185 (@tmjd)
• Remove auth that was not supported since ee v3.4 #3184 (@rene-dekker)
• Enable BPF without disruption #3183 (@song-jiang)
• Add support for TKG 2.4.1 #3179 (@rene-dekker)
• Include Windows nodes in image list command #3177 (@tmjd)
• Decrease the validity of JWTs issued by Dex to 15m #3175 (@rene-dekker)
• Add back esgateway certificate to the trusted bundle #3174 (@asincu)
• Report dashboard status #3173 (@asincu)
• Refactor to set kube network based on cni type instead of provider #3166 (@davidgiga1993)
• Fix static files check failure #3163 (@electricjesus)
• Fixes for ES Gateway #3162 (@tmjd)
• Disable packetcapture-api in multitenant environment #3160 (@vara2504)
• WAF integration fixes / improvements #3158 (@electricjesus)
• Do not ignore non-migrated nodes for typha scheduling #3156 (@mihivagyok)
• Update copyrights #3149 (@Brian-McM)
• Update K8s pins to 0.27.9 and controller-runtime to 0.15.3 / fix incompatibilities #3146 (@Brian-McM)
• Fix the Compliance namespace in Voltron's proxy targets #3145 (@rene-dekker)
• Update envoy config template #3144 (@hjiawei)
• Dex binary changed location inside of Dockerfile #3143 (@rene-dekker)
• Deploy es-kube-controllers in a multi-tenant environment #3142 (@asincu)
• Ensure degraded status is cleared for tiers controller #3139 (@pasanw)
• Migrate job installer to run inside elasticsearch namespace #3137 (@asincu)
• Fix trusted-bundle conflict in ES secret controller #3135 (@caseydavenport)
• Report TigeraStatus for tiers #3130 (@pasanw)
• Fix panic that can be caused when removing the logstorage resource. #3128 (@rene-dekker)
• Add tigera operator scheme to the unit tests for authn. #3127 (@rene-dekker)
• Bump Elasticsearch and Kibana versions to v7.17.16 #3126 (@hjiawei)
• Support zeroed kube-controllers metric port #3120 (@pasanw)
• Consolidate tigera status for all log storage controllers #3118 (@vara2504)
• Webhooks-controller should now be rendered on management clusters. #3115 (@bartolini)
• Automated cherry pick of #3107: Update coreos stack to reduce CVEs #3109 (@rene-dekker)
• Update tigera-apiserver probes #3102 (@pasanw)
• Update golang/x/crypto #3101 (@Behnam-Shobiri)
• Intrusion detection forwarder needs permission to snapshot its state #3096 (@caseydavenport)
• Update CRDs: FelixConfigurations #3094 (@tmjd)
• Fix FLOW_LOG_FILE fluentd env var for Windows #3090 (@coutinhop)
• Fix CNI plugin configuration issue #3087 (@Tamas-Biro1)
• Fix host port validation to properly respect 'disabled' #3085 (@caseydavenport)
• Update CRDs #3083 (@rene-dekker)
• Use common calico base and unify Dockerfiles #3079 (@hjiawei)
• Automated cherry pick of #3072: CSR Image must be instantiated #3073 (@rene-dekker)
• Add extra LDAP secret validation #3069 (@rene-dekker)
• Fix felix crds #3066 (@vara2504)
• Resource config for Manager and PolicyRec #3061 (@vara2504)
• Add design / code guidelines document #3057 (@caseydavenport)
• Fix missing logging arguments for dikastes #3056 (@electricjesus)
• Linseed cluster id is no longer required. #3055 (@bartolini)
• Remove curator #3054 (@Josh-Tigera)
• Linseed misconfiguration for Webhooks in MCM configuration #3053 (@bartolini)
• Add linseedDeployment in Tenant CR #3051 (@vara2504)
• Configure manager to properly impersonate when communicating with managed clusters #3050 (@caseydavenport)
• Update kibanaURL name in tenant CR #3048 (@vara2504)
• Fix kubefwd URL #3043 (@binarysta)
• Configure Linux OS affinity for policy-recommendation #3042 (@vara2504)
• Remove some RBAC resources that are unused in multi-tenant envs #3041 (@caseydavenport)
• Fix release by preventing overwriting IMAGE_REGISTRY #3037 (@rene-dekker)
• Update release documentation to clarify github milestone creation #3036 (@tmjd)
• Change rollout settings for Fluentd to speed up rollout, while avoiding too much contention on huge clusters #3032 (@rene-dekker)
• Allow linseed to read secrets in tigera-operator namespace #3024 (@asincu)