14 Apr 2026
Included Calico versions
Calico version: v3.31.5
Calico Enterprise version: v3.22.2
Other changes
- Operator now passes the CA certificate CommonName to Voltron via VOLTRON_CA_SIGNER_NAME, enabling configurable CA issuer identification. #4674 (@rene-dekker)
- Improve TigeraStatus to include more detailed information when readiness and liveness probes fail. #4648 (@caseydavenport)
- Remove logstorage validation warning message for node count exceeding replicas by 1. #4578 (@tianfeng92)
- Add validation for logstorage node count and replicas setting. #4555 (@tianfeng92)
- Fix calico-apiserver TLS errors on upgrade to v3.31 for long-lived clusters.
The operator now correctly reissues certificates with updated SANs when the
apiserver namespace changes, instead of treating legacy operator-signed certs
as user-provided. #4542 (@rene-dekker) - Set correct CA_TRUSTED_NODE_ACCOUNTS namespace on OpenShift #4538 (@electricjesus)
- Fix pod creation failures during manifest-to-operator migration caused by the calico-cni-plugin
ClusterRoleBinding losing its kube-system subject before all nodes are migrated. #4519 (@caseydavenport) - Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret().
Display the Degraded condition's message when runningkubectl get tigerastatus, making it easier to see error details at a glance without needing to describe the resource. #4506 (@rene-dekker) - Bump Elasticsearch and Kibana to 8.19.12. #4501 (@tianfeng92)
- ECK certificates are now rotated 30d before expiry just like all certificates that are managed by this operator. #4484 (@rene-dekker)
- Dropped support to the non-privileged mode and deprecated the
Installation.spec.nonPrivilegedfield. The Operator ignores this setting and will mark Calico as Degraded if it is set to Enabled. #4465 (@lucastigera)