Calico v3.28.[0-1] checksums and change calico default version (#11234)

* make calico api server manifest backward compatible with version older than 3.27.3 Add 3.28.1 checksums Add 3.28.0 checksums Change default version to 3.27.3 * change default calico version to 3.28.1 * Set mount type to DirectoryOrCreate for hostPath needed by Calico
2 months ago · 924a979955
5 changed files with 35 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -167,7 +167,7 @@ Note: Upstart/SysV init based OS types are not supported.
  - [cri-o](http://cri-o.io/) v1.30.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
  - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
-  - [calico](https://github.com/projectcalico/calico) v3.27.3
+  - [calico](https://github.com/projectcalico/calico) v3.28.1
  - [cilium](https://github.com/cilium/cilium) v1.15.4
  - [flannel](https://github.com/flannel-io/flannel) v0.22.0
  - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21
--- a/roles/kubespray-defaults/defaults/main/checksums.yml
+++ b/roles/kubespray-defaults/defaults/main/checksums.yml
@ -466,6 +466,8 @@ cni_binary_checksums:
    v1.0.0: 1a055924b1b859c54a97dc14894ecaa9b81d6d949530b9544f0af4173f5a8f2a
 calicoctl_binary_checksums:
  arm:
+    v3.28.1: 0
+    v3.28.0: 0
    v3.27.3: 0
    v3.27.2: 0
    v3.27.1: 0
@ -488,6 +490,8 @@ calicoctl_binary_checksums:
    v3.23.5: 0
    v3.23.4: 0
  arm64:
+    v3.28.1: c062d13534498a427c793a4a9190be4df3cf796a3feb29e4a501e1d6f48daa7c
+    v3.28.0: c4ca8563d2a920729116a3a30171c481580c8c447938ce974ce14d7ce25a31bf
    v3.27.3: 1fc5f58a18d8b1c487b4663fc5cbe23b45bd9d31617debd309f6dfac7c11a8ef
    v3.27.2: 0fd1f65a511338cf9940835987d420c94ab95b5386288ba9673b736a4d347463
    v3.27.1: 0
@ -510,6 +514,8 @@ calicoctl_binary_checksums:
    v3.23.5: 0941ad0deeb03d8fda96340948cdbc15d14062086438150cf3ec5ee2767b22c3
    v3.23.4: c54b7d122d9315bbab1a88707b7168a0934a80c4f2a94c9e871bcc8a8cf11c11
  amd64:
+    v3.28.1: 22ec5727c38dbe19001792b4ca64ac760a6e2985d5c1a231d919dbebe5bca171
+    v3.28.0: 4ea270699e67ca29e5533ddb0a68d370cb0005475796c7e841f83047da6297b6
    v3.27.3: e22b8bb41684f8ffb5143b50bf3b2ab76985604d774d397cfb6fb11d8a19f326
    v3.27.2: 692f69dc656e41cd35e23e24f56c98c4aeeb723fed129985b46f71e6eb5e1594
    v3.27.1: 0
@ -532,6 +538,8 @@ calicoctl_binary_checksums:
    v3.23.5: 4c777881709ddaabcf4b56dcbe683125d7ed5743c036fee9273c5295e522082f
    v3.23.4: 1ea0d3b6543645612e8239978878b6adefdb7619a16ecbdb8e6dc2687538f689
  ppc64le:
+    v3.28.1: 985caad36fed7b883a2cd4cf91e556974bcca95fe4e6b7ff4cb64d8d8fbe9223
+    v3.28.0: 0789cb0d1478ec3f0a44db265b19042be9dfc18bc1776343c7ea8d246561d12b
    v3.27.3: 5f2ac510c0ec31ec4c02ff2660f2502b68b655616d5b766a51bd99d2e3604fbc
    v3.27.2: f918bb88de1d01de3d143e1e75d0ee1256f247c5cbabec7d665aaf8d1fd3cc6c
    v3.27.1: 0
@ -599,6 +607,8 @@ ciliumcli_binary_checksums:
    v0.15.16: 0
    v0.15.15: 0
 calico_crds_archive_checksums:
+  v3.28.1: c56f1530e7ded9d5b4afb9d83a7a24da6d2959ef7ad38521813f1c2bf138182d
+  v3.28.0: ee721337db0cd847e91aae1cdfd420596896ebcb865575fd913c2f12ac2cdb76
  v3.27.3: d11a32919bff389f642af5df8180ad3cec586030decd35adb2a7d4a8aa3b298e
  v3.27.2: 8154bb4aad887f2a5500b505fe203a918f72c4e602b04c688c4b94f76a26e925
  v3.27.1: 76abb0db222af279e3514cfae02be9259097b565bbb2ffcb776ca00566480edb
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@ -100,7 +100,7 @@ github_image_repo: "ghcr.io"

 # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
-calico_version: "v3.27.3"
+calico_version: "v3.28.1"
 calico_ctl_version: "{{ calico_version }}"
 calico_cni_version: "{{ calico_version }}"
 calico_flexvol_version: "{{ calico_version }}"
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@ -72,6 +72,15 @@ spec:
          initialDelaySeconds: 90
          periodSeconds: 10
        name: calico-apiserver
+{% if calico_version is version('v3.28.0', '>=') %}
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 5443
+            scheme: HTTPS
+          timeoutSeconds: 5
+          periodSeconds: 60
+{% else %}
        readinessProbe:
          exec:
            command:
@ -79,6 +88,7 @@ spec:
          failureThreshold: 5
          initialDelaySeconds: 5
          periodSeconds: 10
+{% endif %}
        securityContext:
          privileged: false
          runAsUser: 0
@ -173,7 +183,16 @@ rules:
  - create
  - update
  - delete
-
+{% if calico_version is version('v3.28.0', '>=') %}
+- apiGroups:
+  - policy
+  resourceNames:
+  - calico-apiserver
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+{% endif %}
 ---

 apiVersion: rbac.authorization.k8s.io/v1
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@ -411,9 +411,11 @@ spec:
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
+            type: DirectoryOrCreate
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
+            type: DirectoryOrCreate
        # Used to install CNI.
        - name: cni-net-dir
          hostPath:
@ -421,6 +423,7 @@ spec:
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
+            type: DirectoryOrCreate
 {% if calico_datastore == "etcd" %}
        # Mount in the etcd TLS secrets.
        - name: etcd-certs