diff --git a/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx
index 32499b8345..820410d14e 100644
--- a/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx
+++ b/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx
@@ -216,3 +216,55 @@ February 6, 2025 To update an existing installation of Calico Enterprise 3.21, see [Install a patch release](../getting-started/manifest-archive.mdx). +### Calico Enterprise 3.21.7 bug fix release + +May 13, 2026 + +#### Enhancements + +* Display the `Degraded` condition's message when running `kubectl get tigerastatus`, making it easier to see error details at a glance without needing to describe the resource. + + ```console + $ kubectl get tigerastatus + NAME AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE + apiserver True False False 4m51s All objects available + calico False False True 106s Pod calico-system/calico-node-tjlnv failed to pull container image for: ebpf-bootstrap + intrusion-detection False False True 11m Error creating TLS certificate: secret tigera-operator/deep-packet-inspection-tls must specify ext key usages: ExtKeyUsageClientAuth, ExtKeyUsageServerAuth + log-storage-access False False True 11m Pod tigera-elasticsearch/tigera-linseed-58745b7574-p6zmx has crash looping container: tigera-linseed + manager True False False 6s All objects available; Warning: user provided certificate "manager-tls" expires in 21 days + ... + ``` + +* Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (`secret-type`, `signer`) on TLS secrets produced by `Secret()` and `CreateSelfSignedSecret()`. + + ```console + $ kubectl get secrets -n tigera-operator -l operator.tigera.io/signer \ + -o custom-columns='NAME:.metadata.name,EXPIRY:.metadata.annotations.operator\.tigera\.io/cert-expiry,SIGNER:.metadata.annotations.operator\.tigera\.io/cert-signer' + NAME EXPIRY SIGNER + calico-apiserver-certs 2028-05-28T23:56:09Z tigera-operator-signer + calico-kube-controllers-metrics-tls 2028-05-28T23:56:09Z tigera-operator-signer + calico-node-prometheus-client-tls 2028-05-29T18:28:09Z tigera-operator-signer + ... 
+ ``` + +* Added a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a `tigera-ca-public` Secret in the `calico-system` namespace so that OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. + +#### Bug fixes + +* Fixed Kibana crashloop when upgrading from Calico Enterprise 3.20 or earlier to 3.21. The orphan `ingest_manager_settings` saved object left by Fleet 7.17 is now discarded during Kibana 8.x saved-object migration. +* ECK certificates are now rotated 30 days before expiry, just like all certificates that are managed by our operator. +* Deprecated the `Installation.spec.nonPrivileged` field. The Operator ignores this setting and will mark Calico as Degraded if it is set to Enabled. +* Fixed the rendering resource limits and requests for Egress Gateway. +* Added validation for the logstorage node count and replicas settings. +* Fixed flow logs so the [`transit_policies` field](../observability/elastic/flow/datatypes.mdx) records pass-only forward and pre-DNAT host-endpoint policies even when all tiers pass without an explicit allow or deny verdict. Applies to iptables, nftables, and BPF dataplanes. +* Fixed flow log aggregation to preserve distinct transit policy traces instead of overwriting them, ensuring accurate policy trace reporting at all aggregation levels. +* Fixed l7-admission-controller webhook returning an invalid response when a pod has the sidecar label but no feature annotations. +* Fixed an issue in the eBPF dataplane where link-local discovery packets were incorrectly dropped during strict reverse path forwarding (RPF) checks. +* Fixed eBPF dataplane not deleting stale NAT conntrack entries from userspace. +* Fixed a panic in Felix's `NetworkSet` processor on invalid CIDRs. +* Fixed the `LoadBalancer` controller to prevent a nil pointer dereference in handleBlockUpdate. 
+* Multi-NIC support: fix the `projectcalico.org/network` label; strip the namespace prefix added by Multus in recent versions. The prefix was not documented in our docs and, due to using a / separator, it could fail validation when CNI plugin tried to read a multi-NIC endpoint after node reboot causing pods to fail to come back up after reboot. +* Security updates. + +To update an existing installation of Calico Enterprise 3.21, see [Install a patch release](../getting-started/manifest-archive.mdx). + diff --git a/calico-enterprise_versioned_docs/version-3.21-2/releases.json b/calico-enterprise_versioned_docs/version-3.21-2/releases.json index ae04eb8b8b..7f56b2bc3d 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/releases.json +++ b/calico-enterprise_versioned_docs/version-3.21-2/releases.json 
@@ -1,4 +1,265 @@
 [
+ {
+ "title": "v3.21.7",
+ "tigera-operator": {
+ "version": "v1.38.14",
+ "image": "tigera/operator",
+ "registry": "quay.io"
+ },
+ "calico": {
+ "minor_version": "v3.30",
+ "archive_path": "archive"
+ },
+ "components": {
+ "alertmanager": {
+ "version": "v3.21.7",
+ "image": "tigera/alertmanager"
+ },
+ "calicoctl": {
+ "version": "v3.21.7",
+ "image": "tigera/calicoctl"
+ },
+ "calicoq": {
+ "version": "v3.21.7",
+ "image": "tigera/calicoq"
+ },
+ "cnx-apiserver": {
+ "version": "v3.21.7",
+ "image": "tigera/cnx-apiserver"
+ },
+ "cnx-kube-controllers": {
+ "version": "v3.21.7",
+ "image": "tigera/kube-controllers"
+ },
+ "cnx-manager": {
+ "version": "v3.21.7",
+ "image": "tigera/cnx-manager"
+ },
+ "cnx-node": {
+ "version": "v3.21.7",
+ "image": "tigera/cnx-node"
+ },
+ "cnx-node-windows": {
+ "version": "v3.21.7",
+ "image": "tigera/cnx-node-windows"
+ },
+ "cnx-queryserver": {
+ "version": "v3.21.7",
+ "image": "tigera/cnx-queryserver"
+ },
+ "compliance-benchmarker": {
+ "version": "v3.21.7",
+ "image": "tigera/compliance-benchmarker"
+ },
+ "compliance-controller": {
+ "version": "v3.21.7",
+ "image": "tigera/compliance-controller"
+ },
+ "compliance-reporter": {
+ "version": "v3.21.7",
+ "image": "tigera/compliance-reporter"
+ },
+ "compliance-server": {
+ "version": "v3.21.7",
+ "image": "tigera/compliance-server"
+ },
+ "compliance-snapshotter": {
+ "version": "v3.21.7",
+ "image": "tigera/compliance-snapshotter"
+ },
+ "coreos-alertmanager": {
+ "version": "v0.28.1"
+ },
+ "coreos-config-reloader": {
+ "version": "v0.91.0"
+ },
+ "coreos-dex": {
+ "version": "v2.41.1"
+ },
+ "coreos-fluentd": {
+ "version": "1.19.2"
+ },
+ "coreos-prometheus": {
+ "version": "v2.55.1"
+ },
+ "coreos-prometheus-operator": {
+ "version": "v0.91.0"
+ },
+ "csi": {
+ "version": "v3.21.7",
+ "image": "tigera/csi"
+ },
+ "csi-node-driver-registrar": {
+ "version": "v3.21.7",
+ "image": "tigera/node-driver-registrar"
+ },
+ "deep-packet-inspection": {
+ "version": "v3.21.7",
+ "image": "tigera/deep-packet-inspection"
+ },
+ "dex": {
+ "version": "v3.21.7",
+ "image": "tigera/dex"
+ },
+ "dikastes": {
+ "version": "v3.21.7",
+ "image": "tigera/dikastes"
+ },
+ "eck-elasticsearch": {
+ "version": "8.19.15"
+ },
+ "eck-elasticsearch-operator": {
+ "version": "2.16.1"
+ },
+ "eck-kibana": {
+ "version": "8.19.15"
+ },
+ "egress-gateway": {
+ "version": "v3.21.7",
+ "image": "tigera/egress-gateway"
+ },
+ "elastic-tsee-installer": {
+ "version": "v3.21.7",
+ "image": "tigera/intrusion-detection-job-installer"
+ },
+ "elasticsearch": {
+ "version": "v3.21.7",
+ "image": "tigera/elasticsearch"
+ },
+ "elasticsearch-metrics": {
+ "version": "v3.21.7",
+ "image": "tigera/elasticsearch-metrics"
+ },
+ "elasticsearch-operator": {
+ "version": "v3.21.7",
+ "image": "tigera/eck-operator"
+ },
+ "envoy": {
+ "version": "v3.21.7",
+ "image": "tigera/envoy"
+ },
+ "envoy-init": {
+ "version": "v3.21.7",
+ "image": "tigera/envoy-init"
+ },
+ "es-gateway": {
+ "version": "v3.21.7",
+ "image": "tigera/es-gateway"
+ },
+ "firewall-integration": {
+ "version": "v3.21.7",
+ "image": "tigera/firewall-integration"
+ },
+ "flexvol": {
+ "version": "v3.21.7",
+ "image": "tigera/pod2daemon-flexvol"
+ },
+ "fluentd": {
+ "version": "v3.21.7",
+ "image": "tigera/fluentd"
+ },
+ "fluentd-windows": {
+ "version": "v3.21.7",
+ "image": "tigera/fluentd-windows"
+ },
+ "gateway-api-envoy-gateway": {
+ "version": "v3.21.7",
+ "image": "tigera/envoy-gateway"
+ },
+ "gateway-api-envoy-proxy": {
+ "version": "v3.21.7",
+ "image": "tigera/envoy-proxy"
+ },
+ "gateway-api-envoy-ratelimit": {
+ "version": "v3.21.7",
+ "image": "tigera/envoy-ratelimit"
+ },
+ "guardian": {
+ "version": "v3.21.7",
+ "image": "tigera/guardian"
+ },
+ "ingress-collector": {
+ "version": "v3.21.7",
+ "image": "tigera/ingress-collector"
+ },
+ "intrusion-detection-controller": {
+ "version": "v3.21.7",
+ "image": "tigera/intrusion-detection-controller"
+ },
+ "key-cert-provisioner": {
+ "version": "v3.21.7",
+ "image": "tigera/key-cert-provisioner"
+ },
+ "kibana": {
+ "version": "v3.21.7",
+ "image": "tigera/kibana"
+ },
+ "l7-admission-controller": {
+ "version": "v3.21.7",
+ "image": "tigera/l7-admission-controller"
+ },
+ "l7-collector": {
+ "version": "v3.21.7",
+ "image": "tigera/l7-collector"
+ },
+ "license-agent": {
+ "version": "v3.21.7",
+ "image": "tigera/license-agent"
+ },
+ "linseed": {
+ "version": "v3.21.7",
+ "image": "tigera/linseed"
+ },
+ "packetcapture": {
+ "version": "v3.21.7",
+ "image": "tigera/packetcapture"
+ },
+ "policy-recommendation": {
+ "version": "v3.21.7",
+ "image": "tigera/policy-recommendation"
+ },
+ "prometheus": {
+ "version": "v3.21.7",
+ "image": "tigera/prometheus"
+ },
+ "prometheus-config-reloader": {
+ "version": "v3.21.7",
+ "image": "tigera/prometheus-config-reloader"
+ },
+ "prometheus-operator": {
+ "version": "v3.21.7",
+ "image": "tigera/prometheus-operator"
+ },
+ "tigera-cni": {
+ "version": "v3.21.7",
+ "image": "tigera/cni"
+ },
+ "tigera-cni-windows": {
+ "version": "v3.21.7",
+ "image": "tigera/cni-windows"
+ },
+ "tigera-prometheus-service": {
+ "version": "v3.21.7",
+ "image": "tigera/prometheus-service"
+ },
+ "typha": {
+ "version": "v3.21.7",
+ "image": "tigera/typha"
+ },
+ "ui-apis": {
+ "version": "v3.21.7",
+ "image": "tigera/ui-apis"
+ },
+ "voltron": {
+ "version": "v3.21.7",
+ "image": "tigera/voltron"
+ },
+ "webhooks-processor": {
+ "version": "v3.21.7",
+ "image": "tigera/webhooks-processor"
+ }
+ }
+ },
 {
 "title": "v3.21.6",
 "tigera-operator": {
diff --git a/calico-enterprise_versioned_docs/version-3.21-2/variables.js b/calico-enterprise_versioned_docs/version-3.21-2/variables.js
index 517cee45ba..1fb06af958 100644
--- a/calico-enterprise_versioned_docs/version-3.21-2/variables.js
+++ b/calico-enterprise_versioned_docs/version-3.21-2/variables.js
@@ -2,13 +2,13 @@ const releases = require('./releases.json'); const componentImage = require('../../src/components/utils/componentImage'); const variables = { - releaseTitle: 'v3.21.6', + releaseTitle: 'v3.21.7', prodname: 'Calico Enterprise', prodnamedash: 'calico-enterprise', version: 'v3.21', openSourceVersion: releases[0].calico.minor_version.slice(1), baseUrl: '/calico-enterprise/3.21', - filesUrl: 'https://downloads.tigera.io/ee/v3.21.6', + filesUrl: 'https://downloads.tigera.io/ee/v3.21.7', rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5), tutorialFilesURL: 'https://docs.tigera.io/files', tmpScriptsURL: 'https://docs.tigera.io/calico-enterprise/3.21', @@ -20,7 +20,7 @@ const variables = { rootDirWindows: 'C:\\TigeraCalico', registry: 'quay.io/', envoyVersion: '1.3.2', - chart_version_name: 'v3.21.6-0', + chart_version_name: 'v3.21.7-0', tigeraOperator: releases[0]['tigera-operator'], dikastesVersion: releases[0].components.dikastes.version, releases,