Merge pull request #3602 from CecileRobertMichon/cherry-pick-3369-1.8

[release-1.8] Pin Calico to v3.25.1

Author: k8s-ci-robot

Makefile

@@ -495,14 +495,18 @@ generate-addons: fetch-calico-manifests ## Generate metric-server, calico calico
 	$(KUSTOMIZE) build $(ADDONS_DIR)/calico-dual-stack > $(ADDONS_DIR)/calico-dual-stack.yaml
 
 # When updating this, make sure to also update the Windows image version in templates/addons/windows/calico.
-CALICO_VERSION := v3.25.0
+export CALICO_VERSION := v3.25.1
 # Where all downloaded Calico manifests are unpacked and stored.
 CALICO_RELEASES := $(ARTIFACTS)/calico
 # Path to manifests directory in a Calico release archive.
 CALICO_RELEASE_MANIFESTS_DIR := release-$(CALICO_VERSION)/manifests
 # Path where Calico manifests are stored which should be used for addons generation.
 CALICO_MANIFESTS_DIR := $(ARTIFACTS)/calico/$(CALICO_RELEASE_MANIFESTS_DIR)
 
+.PHONY: get-calico-version
+get-calico-version: ## Print the Calico version used for CNI in the repo.
+	@echo $(CALICO_VERSION)
+
 .PHONY: fetch-calico-manifests
 fetch-calico-manifests: $(CALICO_MANIFESTS_DIR) ## Get Calico release manifests and unzip them.
 	cp $(CALICO_MANIFESTS_DIR)/calico-vxlan.yaml $(ADDONS_DIR)/calico

Tiltfile

@@ -364,7 +364,7 @@ def deploy_worker_templates(template, substitutions):
         calico_values = "./templates/addons/calico-dual-stack/values.yaml"
     else:
         calico_values = "./templates/addons/calico/values.yaml"
-    flavor_cmd += "; " + helm_cmd + " repo add projectcalico https://docs.tigera.io/calico/charts; " + helm_cmd + " --kubeconfig ./${CLUSTER_NAME}.kubeconfig install calico projectcalico/tigera-operator -f " + calico_values + " --namespace tigera-operator --create-namespace"
+    flavor_cmd += "; " + helm_cmd + " repo add projectcalico https://docs.tigera.io/calico/charts; " + helm_cmd + " --kubeconfig ./${CLUSTER_NAME}.kubeconfig install --version ${CALICO_VERSION} calico projectcalico/tigera-operator -f " + calico_values + " --namespace tigera-operator --create-namespace"
     if "intree-cloud-provider" not in flavor_name and "ipv6" not in flavor_name:  # TODO: remove ipv6 once https://github.com/kubernetes-sigs/cloud-provider-azure/issues/3401 is fixed.
         flavor_cmd += "; " + helm_cmd + " --kubeconfig ./${CLUSTER_NAME}.kubeconfig install --repo https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo cloud-provider-azure --generate-name --set infra.clusterName=${CLUSTER_NAME}"
         if "flatcar" in flavor_name:  # append caCetDir location to the cloud-provider-azure helm install command for flatcar flavor

docs/book/src/topics/addons.md

@@ -29,7 +29,7 @@ Then install the Helm chart on the workload cluster:
 
 ```bash
 helm repo add projectcalico https://docs.tigera.io/calico/charts && \
-helm install calico projectcalico/tigera-operator -f https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/main/templates/addons/calico/values.yaml --set-string "installation.calicoNetwork.ipPools[0].cidr=${IPV4_CIDR_BLOCK}" --namespace tigera-operator --create-namespace
+helm install calico projectcalico/tigera-operator --version v3.25.1 -f https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/main/templates/addons/calico/values.yaml --set-string "installation.calicoNetwork.ipPools[0].cidr=${IPV4_CIDR_BLOCK}" --namespace tigera-operator --create-namespace
 ```
 
 ### For IPv6 Clusters
@@ -44,7 +44,7 @@ Then install the Helm chart on the workload cluster:
 
 ```bash
 helm repo add projectcalico https://docs.tigera.io/calico/charts && \
-helm install calico projectcalico/tigera-operator -f https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/main/templates/addons/calico-ipv6/values.yaml  --set-string "installation.calicoNetwork.ipPools[0].cidr=${IPV6_CIDR_BLOCK}" --namespace tigera-operator --create-namespace
+helm install calico projectcalico/tigera-operator --version v3.25.1 -f https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/main/templates/addons/calico-ipv6/values.yaml  --set-string "installation.calicoNetwork.ipPools[0].cidr=${IPV6_CIDR_BLOCK}" --namespace tigera-operator --create-namespace
 ```
 
 ### For Dual-Stack Clusters
@@ -60,7 +60,7 @@ Then install the Helm chart on the workload cluster:
 
 ```bash
 helm repo add projectcalico https://docs.tigera.io/calico/charts && \
-helm install calico projectcalico/tigera-operator -f https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/main/templates/addons/calico-dual-stack/values.yaml --set-string "installation.calicoNetwork.ipPools[0].cidr=${IPV4_CIDR_BLOCK}","installation.calicoNetwork.ipPools[1].cidr=${IPV6_CIDR_BLOCK}" --namespace tigera-operator --create-namespace
+helm install calico projectcalico/tigera-operator --version v3.25.1 -f https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/main/templates/addons/calico-dual-stack/values.yaml --set-string "installation.calicoNetwork.ipPools[0].cidr=${IPV4_CIDR_BLOCK}","installation.calicoNetwork.ipPools[1].cidr=${IPV6_CIDR_BLOCK}" --namespace tigera-operator --create-namespace
 ```
 
 <aside class="note">

scripts/ci-e2e.sh

@@ -71,7 +71,9 @@ export AZURE_LOCATION_GPU="${AZURE_LOCATION_GPU:-$(capz::util::get_random_region
 export AZURE_LOCATION_EDGEZONE="${AZURE_LOCATION_EDGEZONE:-$(capz::util::get_random_region_edgezone)}"
 export AZURE_CONTROL_PLANE_MACHINE_TYPE="${AZURE_CONTROL_PLANE_MACHINE_TYPE:-"Standard_B2s"}"
 export AZURE_NODE_MACHINE_TYPE="${AZURE_NODE_MACHINE_TYPE:-"Standard_B2s"}"
-export KIND_EXPERIMENTAL_DOCKER_NETWORK="bridge"
+CALICO_VERSION=$(make get-calico-version)
+export CALICO_VERSION
+
 
 capz::util::generate_ssh_key
 

scripts/ci-entrypoint.sh

@@ -180,7 +180,8 @@ install_calico() {
         rm kubeadm-config-kube-system
     fi
     # install Calico CNI
-    echo "Installing Calico CNI via helm"
+    CALICO_VERSION=$(make get-calico-version)
+    echo "Installing Calico CNI ${CALICO_VERSION} via helm"
     if [[ "${CIDR0:-}" =~ .*:.* ]]; then
         echo "Cluster CIDR is IPv6"
         CALICO_VALUES_FILE="${REPO_ROOT}/templates/addons/calico-ipv6/values.yaml"
@@ -194,7 +195,7 @@ install_calico() {
         CALICO_VALUES_FILE="${REPO_ROOT}/templates/addons/calico/values.yaml"
         CIDR_STRING_VALUES="installation.calicoNetwork.ipPools[0].cidr=${CIDR0}"
     fi
-    "${HELM}" upgrade calico --install --repo https://docs.tigera.io/calico/charts tigera-operator -f "${CALICO_VALUES_FILE}" --set-string "${CIDR_STRING_VALUES}" --namespace calico-system
+    "${HELM}" upgrade calico --install --repo https://docs.tigera.io/calico/charts --version "${CALICO_VERSION}" tigera-operator -f "${CALICO_VALUES_FILE}" --set-string "${CIDR_STRING_VALUES}" --namespace calico-system
 }
 
 # install_cloud_provider_azure installs OOT cloud-provider-azure componentry onto the Cluster.

templates/addons/calico-dual-stack.yaml

@@ -4351,7 +4351,7 @@ spec:
           value: node
         - name: DATASTORE_TYPE
           value: kubernetes
-        image: docker.io/calico/kube-controllers:v3.25.0
+        image: docker.io/calico/kube-controllers:v3.25.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           exec:
@@ -4428,7 +4428,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/typha:v3.25.0
+        image: docker.io/calico/typha:v3.25.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -4546,7 +4546,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/node:v3.25.0
+        image: docker.io/calico/node:v3.25.1
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -4621,7 +4621,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/cni:v3.25.0
+        image: docker.io/calico/cni:v3.25.1
         imagePullPolicy: IfNotPresent
         name: install-cni
         securityContext:
@@ -4635,7 +4635,7 @@ spec:
         - calico-node
         - -init
         - -best-effort
-        image: docker.io/calico/node:v3.25.0
+        image: docker.io/calico/node:v3.25.1
         imagePullPolicy: IfNotPresent
         name: mount-bpffs
         securityContext:

templates/addons/calico-ipv6.yaml

@@ -4340,7 +4340,7 @@ spec:
           value: node
         - name: DATASTORE_TYPE
           value: kubernetes
-        image: docker.io/calico/kube-controllers:v3.25.0
+        image: docker.io/calico/kube-controllers:v3.25.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           exec:
@@ -4417,7 +4417,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/typha:v3.25.0
+        image: docker.io/calico/typha:v3.25.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -4535,7 +4535,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/node:v3.25.0
+        image: docker.io/calico/node:v3.25.1
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -4610,7 +4610,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/cni:v3.25.0
+        image: docker.io/calico/cni:v3.25.1
         imagePullPolicy: IfNotPresent
         name: install-cni
         securityContext:
@@ -4624,7 +4624,7 @@ spec:
         - calico-node
         - -init
         - -best-effort
-        image: docker.io/calico/node:v3.25.0
+        image: docker.io/calico/node:v3.25.1
         imagePullPolicy: IfNotPresent
         name: mount-bpffs
         securityContext:

templates/addons/calico-ipv6/calico-policy-only.yaml

@@ -4441,7 +4441,7 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: docker.io/calico/cni:v3.25.0
+          image: docker.io/calico/cni:v3.25.1
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/install"]
           envFrom:
@@ -4478,7 +4478,7 @@ spec:
         # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
         # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
         - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.25.0
+          image: docker.io/calico/node:v3.25.1
           imagePullPolicy: IfNotPresent
           command: ["calico-node", "-init", "-best-effort"]
           volumeMounts:
@@ -4504,7 +4504,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: docker.io/calico/node:v3.25.0
+          image: docker.io/calico/node:v3.25.1
           imagePullPolicy: IfNotPresent
           envFrom:
           - configMapRef:
@@ -4692,7 +4692,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.25.0
+          image: docker.io/calico/kube-controllers:v3.25.1
           imagePullPolicy: IfNotPresent
           env:
             # Choose which controllers to run.
@@ -4776,7 +4776,7 @@ spec:
       securityContext:
         fsGroup: 65534
       containers:
-      - image: docker.io/calico/typha:v3.25.0
+      - image: docker.io/calico/typha:v3.25.1
         imagePullPolicy: IfNotPresent
         name: calico-typha
         ports:

templates/addons/calico.yaml

@@ -4355,7 +4355,7 @@ spec:
           value: node
         - name: DATASTORE_TYPE
           value: kubernetes
-        image: docker.io/calico/kube-controllers:v3.25.0
+        image: docker.io/calico/kube-controllers:v3.25.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           exec:
@@ -4468,7 +4468,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/node:v3.25.0
+        image: docker.io/calico/node:v3.25.1
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -4540,7 +4540,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/cni:v3.25.0
+        image: docker.io/calico/cni:v3.25.1
         imagePullPolicy: IfNotPresent
         name: upgrade-ipam
         securityContext:
@@ -4575,7 +4575,7 @@ spec:
         - configMapRef:
             name: kubernetes-services-endpoint
             optional: true
-        image: docker.io/calico/cni:v3.25.0
+        image: docker.io/calico/cni:v3.25.1
         imagePullPolicy: IfNotPresent
         name: install-cni
         securityContext:
@@ -4589,7 +4589,7 @@ spec:
         - calico-node
         - -init
         - -best-effort
-        image: docker.io/calico/node:v3.25.0
+        image: docker.io/calico/node:v3.25.1
         imagePullPolicy: IfNotPresent
         name: mount-bpffs
         securityContext:

templates/addons/calico/calico-vxlan.yaml

@@ -4440,7 +4440,7 @@ spec:
         # It can be deleted if this is a fresh installation, or if you have already
         # upgraded to use calico-ipam.
         - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.25.0
+          image: docker.io/calico/cni:v3.25.1
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
           envFrom:
@@ -4468,7 +4468,7 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: docker.io/calico/cni:v3.25.0
+          image: docker.io/calico/cni:v3.25.1
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/install"]
           envFrom:
@@ -4511,7 +4511,7 @@ spec:
         # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
         # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
         - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.25.0
+          image: docker.io/calico/node:v3.25.1
           imagePullPolicy: IfNotPresent
           command: ["calico-node", "-init", "-best-effort"]
           volumeMounts:
@@ -4537,7 +4537,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: docker.io/calico/node:v3.25.0
+          image: docker.io/calico/node:v3.25.1
           imagePullPolicy: IfNotPresent
           envFrom:
           - configMapRef:
@@ -4752,7 +4752,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.25.0
+          image: docker.io/calico/kube-controllers:v3.25.1
           imagePullPolicy: IfNotPresent
           env:
             # Choose which controllers to run.