[calico] Make version 3.26.1 default (#10416)

* [calico] Make version 3.26.1 default * [calico] Separate calico-node and calico-cni-plugin service accounts See: https://github.com/projectcalico/calico/pull/7106
1 year ago · 6b34e3ef08
5 changed files with 59 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -168,7 +168,7 @@ Note: Upstart/SysV init based OS types are not supported.
  - [cri-o](http://cri-o.io/) v1.27 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
  - [calico](https://github.com/projectcalico/calico) v3.25.2
  - [calico](https://github.com/projectcalico/calico) v3.26.1
  - [cilium](https://github.com/cilium/cilium) v1.13.4
  - [flannel](https://github.com/flannel-io/flannel) v0.22.0
  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
--- a/roles/download/defaults/main/main.yml
+++ b/roles/download/defaults/main/main.yml
@ -100,7 +100,7 @@ github_image_repo: "ghcr.io"
 # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
 calico_version: "v3.25.2"
 calico_version: "v3.26.1"
 calico_ctl_version: "{{ calico_version }}"
 calico_cni_version: "{{ calico_version }}"
 calico_flexvol_version: "{{ calico_version }}"
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@ -1,6 +1,39 @@
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: calico-cni-plugin
 rules:
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
      - clusterinformations
      - ippools
      - ipreservations
      - ipamconfigs
    verbs:
      - get
      - list
      - create
      - update
      - delete
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: calico-node
  namespace: kube-system
@ -78,6 +111,7 @@ rules:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - bgpfilters
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
@ -164,6 +198,6 @@ rules:
    resources:
      - serviceaccounts/token
    resourceNames:
      - calico-node
      - calico-cni-plugin
    verbs:
      - create
--- a/roles/network_plugin/calico/templates/calico-crb.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-crb.yml.j2
@ -11,3 +11,18 @@ subjects:
 - kind: ServiceAccount
  name: calico-node
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: calico-cni-plugin
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-cni-plugin
 subjects:
 - kind: ServiceAccount
  name: calico-cni-plugin
  namespace: kube-system
--- a/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
@ -4,3 +4,10 @@ kind: ServiceAccount
 metadata:
  name: calico-node
  namespace: kube-system
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: calico-cni-plugin
  namespace: kube-system