Release v1.16.0

README.md

@@ -5,7 +5,7 @@
 </h1>
 <!-- markdownlint-enable MD033 -->
 
-![Release](https://img.shields.io/badge/Latest%20Release-v1.14.0-blue)
+![Release](https://img.shields.io/badge/Latest%20Release-v1.15.2-blue)
 ![License](https://img.shields.io/github/license/sighupio/fury-kubernetes-networking?label=License)
 ![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack&label=Slack)
 
@@ -29,9 +29,9 @@ Kubernetes Fury Networking provides the following packages:
 
 | Package                    | Version  | Description                                                                                                                                          |
 | -------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [calico](katalog/calico)   | `3.26.3` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes.                                                                                     |
-| [cilium](katalog/cilium)   | `1.14.3` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes.                                                                                    |
-| [tigera](katalog/tigera)   | `1.30.7` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. |
+| [calico](katalog/calico)   | `3.27.0` | [Calico][calico-page] CNI Plugin. For cluster with `< 50` nodes.                                                                                     |
+| [cilium](katalog/cilium)   | `1.15.2` | [Cilium][cilium-page] CNI Plugin. For cluster with `< 200` nodes.                                                                                    |
+| [tigera](katalog/tigera)   | `1.32.3` | [Tigera Operator][tigera-page], a Kubernetes Operator for Calico, provides pre-configured installations for on-prem and for EKS in policy-only mode. |
 | [ip-masq](katalog/ip-masq) | `2.8.0`  | The `ip-masq-agent` configures iptables rules to implement IP masquerading functionality                                                             |
 
 > The resources in these packages are going to be deployed in `kube-system` namespace. Except for the operator.
@@ -42,9 +42,9 @@ Click on each package to see its full documentation.
 
 | Kubernetes Version |   Compatibility    | Notes           |
 | ------------------ | :----------------: | --------------- |
-| `1.25.x`           | :white_check_mark: | No known issues |
 | `1.26.x`           | :white_check_mark: | No known issues |
 | `1.27.x`           | :white_check_mark: | No known issues |
+| `1.28.x`           | :white_check_mark: | No known issues |
 
 
 Check the [compatibility matrix][compatibility-matrix] for additional information on previous releases of the module.
@@ -67,7 +67,7 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio
 ```yaml
 bases:
   - name: networking
-    version: "v1.15.0"
+    version: "v1.16.0"
 ```
 
 > See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format.

docs/COMPATIBILITY_MATRIX.md

@@ -1,14 +1,15 @@
 # Compatibility Matrix
 
-| Module Version / Kubernetes Version | 1.24.X             | 1.25.X             | 1.26.X             | 1.27.X             |
-| ----------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ |
-| v1.10.0                             | :white_check_mark: |                    |                    |                    |
-| v1.11.0                             | :white_check_mark: | :white_check_mark: |                    |                    |
-| v1.12.0                             | :white_check_mark: | :white_check_mark: |                    |                    |
-| v1.12.1                             | :white_check_mark: | :white_check_mark: |                    |                    |
-| v1.12.2                             | :white_check_mark: | :white_check_mark: |                    |                    |
-| v1.14.0                             | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |
-| v1.15.0                             |                    | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| Module Version / Kubernetes Version | 1.24.X             | 1.25.X             | 1.26.X             | 1.27.X             | 1.28.X             |
+| ----------------------------------- | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ |
+| v1.10.0                             | :white_check_mark: |                    |                    |                    |                    |
+| v1.11.0                             | :white_check_mark: | :white_check_mark: |                    |                    |                    |
+| v1.12.0                             | :white_check_mark: | :white_check_mark: |                    |                    |                    |
+| v1.12.1                             | :white_check_mark: | :white_check_mark: |                    |                    |                    |
+| v1.12.2                             | :white_check_mark: | :white_check_mark: |                    |                    |                    |
+| v1.14.0                             | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |                    |
+| v1.15.0                             |                    | :white_check_mark: | :white_check_mark: | :white_check_mark: |                    |
+| v1.16.0                             |                    |                    | :white_check_mark: | :white_check_mark: | :white_check_mark: |
 
 
 :white_check_mark: Compatible

docs/releases/v1.15.0.md

@@ -10,7 +10,7 @@ This minor release updates some components and adds support to Kubernetes 1.27.
 | ----------------- | -------------------------------------------------------------------------------- | ---------------- |
 | `calico`          | [`v3.26.3`](https://projectcalico.docs.tigera.io/archive/v3.26/release-notes/)   | `v3.26.1`        |
 | `cilium`          | [`v1.14.3`](https://github.com/cilium/cilium/releases/tag/v1.14.3)               | `v1.13.1`        |
-| `ip-masq`         | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.5.0) | No update        |
+| `ip-masq`         | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.8.0) | No update        |
 | `tigera-operator` | [`v1.30.7`](https://github.com/tigera/operator/releases/tag/v1.30.7)             | `v1.30.4`        |
 
 > Please refer the individual release notes to get detailed information on each release.

docs/releases/v1.16.0.md

@@ -0,0 +1,64 @@
+# Networking Core Module Release 1.16.0
+
+Welcome to the latest release of the `Networking` module of [`Kubernetes Fury Distribution`](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP.
+
+This minor release updates some components and adds support to Kubernetes 1.28.
+
+## Component Images 🚢
+
+| Component         | Supported Version                                                                | Previous Version |
+| ----------------- | -------------------------------------------------------------------------------- | ---------------- |
+| `calico`          | [`v3.27.0`](https://docs.tigera.io/calico/3.27/about/)                           | `v3.26.3`        |  
+| `cilium`          | [`v1.15.2`](https://github.com/cilium/cilium/releases/tag/v1.15.2)               | `v1.14.3`        |
+| `ip-masq`         | [`v2.8.0`](https://github.com/kubernetes-sigs/ip-masq-agent/releases/tag/v2.8.0) | No update       |
+| `tigera-operator` | [`v1.32.3`](https://github.com/tigera/operator/releases/tag/v1.32.3)             | `v1.30.7`        |
+
+> Please refer the individual release notes to get detailed information on each release.
+
+## Update Guide 🦮
+
+### Process
+
+If you are using Cilium, read the steps [below](#cilium-upgrade) before proceeding.
+
+1. Just deploy as usual:
+
+```bash
+kustomize build katalog/calico | kubectl apply -f -
+# OR
+kustomize build katalog/tigera/on-prem | kubectl apply -f -
+# OR
+kustomize build katalog/cilium | kubectl apply -f -
+```
+
+#### Cilium upgrade
+Cilium suggested path expect a pre-flight check to be run before any upgrade.
+
+1. Create the resources for the check
+```bash
+kubectl create -f katalog/cilium/tasks/preflight.yaml
+```
+
+2. Ensure that the number of READY pods is the same number of Cilium pods running.
+```text
+kubectl get daemonset -n kube-system | sed -n '1p;/cilium/p'
+NAME                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
+cilium                    2         2         2       2            2           <none>          1h20m
+cilium-pre-flight-check   2         2         2       2            2           <none>          7m15s
+```
+
+3. Once the number of READY pods is equal, make sure the Cilium pre-flight deployment is also marked as READY 1/1.
+If it shows READY 0/1, consult the [CNP Validation](https://docs.cilium.io/en/stable/operations/upgrade/#cnp-validation) section in the official docs and resolve issues with the deployment before continuing with the upgrade.
+```text
+kubectl get deployment -n kube-system cilium-pre-flight-check -w
+NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
+cilium-pre-flight-check   1/1     1            0           12s
+```
+
+4. Once the number of READY for the preflight DaemonSet is the same as the number of cilium pods running and the preflight Deployment is marked as READY 1/1 you can delete the cilium-preflight and proceed with the upgrade.
+```bash
+kubectl delete -f cilium-preflight.yaml
+```
+
+
+If you are upgrading from previous versions, please refer to the [`v1.15.0` release notes](https://github.com/sighupio/fury-kubernetes-networking/releases/tag/v1.15.0).

examples/registry-override/calico/kustomization.yaml

@@ -18,3 +18,5 @@ images:
     newName: calico/pod2daemon-flexvol
   - name:  registry.sighup.io/fury/calico/node
     newName: calico/node
+
+

katalog/calico/MAINTENANCE.md

@@ -7,7 +7,7 @@ To update the Calico package with upstream, please follow the next steps:
 1. Download upstream manifests:
 
 ```bash
-export CALICO_VERSION=3.26.1
+export CALICO_VERSION=3.27.0
 curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/calico.yaml -o calico-${CALICO_VERSION}.yaml
 ```
 
@@ -20,7 +20,7 @@ Compare the `deploy.yaml` file with the downloaded `calico-${CALICO_VERSION}` fi
 3. Update the `kustomization.yaml` file with the right image versions.
 
 ```bash
-export CALICO_IMAGE_TAG=v3.26.3
+export CALICO_IMAGE_TAG=v3.27.0
 kustomize edit set image docker.io/calico/kube-controllers=registry.sighup.io/fury/calico/kube-controllers:${CALICO_IMAGE_TAG}
 kustomize edit set image docker.io/calico/cni=registry.sighup.io/fury/calico/cni:${CALICO_IMAGE_TAG}
 kustomize edit set image docker.io/calico/node=registry.sighup.io/fury/calico/node:${CALICO_IMAGE_TAG}
@@ -39,7 +39,7 @@ See <https://docs.tigera.io/calico/latest/operations/monitor/monitor-component-m
 1. Download the dashboard from upstream:
 
 ```bash
-export CALICO_VERSION=3.26.3
+export CALICO_VERSION=3.27.0
 # ⚠️ Assuming $PWD == root of the project
 # We take the `felix-dashboard.json` from the downloaded yaml, we are not deploying `typha`, so we don't need its dashboard.
 curl -L https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests/grafana-dashboards.yaml | yq '.data["felix-dashboard.json"]' | sed 's/calico-demo-prometheus/prometheus/g' | jq > ./monitoring/dashboards/felix-dashboard.json

katalog/calico/README.md

@@ -21,17 +21,17 @@ The deployment of Calico consists of a daemon set running on every node (includi
 ## Image repository and tag
 
 - calico images:
-  - `calico/kube-controllers:v3.26.3`.
-  - `calico/cni:v3.26.3`.
-  - `calico/node:v3.26.3`.
+  - `calico/kube-controllers:v3.27.0`.
+  - `calico/cni:v3.27.0`.
+  - `calico/node:v3.27.0`.
 - calico repositories:
   - [https://github.com/projectcalico/kube-controllers](https://github.com/projectcalico/calico/tree/master/kube-controllers).
   - [https://github.com/projectcalico/cni-plugin](https://github.com/projectcalico/calico/tree/master/cni-plugin).
   - [https://github.com/projectcalico/node](https://github.com/projectcalico/calico/tree/master/node).
 
 ## Requirements
 
-- Tested with Kubernetes >= `1.25.X`.
+- Tested with Kubernetes >= `1.26.X`.
 - Tested with Kustomize >= `v3.5.3`.
 - Prometheus Operator, optional if you want to have metrics.
 

katalog/calico/deploy.yaml

@@ -4643,7 +4643,7 @@ spec:
         # It can be deleted if this is a fresh installation, or if you have already
         # upgraded to use calico-ipam.
         - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.26.3
+          image: docker.io/calico/cni:v3.27.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
           envFrom:
@@ -4671,7 +4671,7 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: docker.io/calico/cni:v3.26.3
+          image: docker.io/calico/cni:v3.27.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/install"]
           envFrom:
@@ -4714,7 +4714,7 @@ spec:
         # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
         # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
         - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.26.3
+          image: docker.io/calico/node:v3.27.0
           imagePullPolicy: IfNotPresent
           command: ["calico-node", "-init", "-best-effort"]
           volumeMounts:
@@ -4740,7 +4740,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: docker.io/calico/node:v3.26.3
+          image: docker.io/calico/node:v3.27.0
           imagePullPolicy: IfNotPresent
           envFrom:
           - configMapRef:
@@ -4957,7 +4957,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.26.3
+          image: docker.io/calico/kube-controllers:v3.27.0
           imagePullPolicy: IfNotPresent
           env:
             # Choose which controllers to run.

katalog/calico/kustomization.yaml

@@ -10,13 +10,13 @@ namespace: kube-system
 images:
 - name: docker.io/calico/cni
   newName: registry.sighup.io/fury/calico/cni
-  newTag: v3.26.3
+  newTag: v3.27.0
 - name: docker.io/calico/kube-controllers
   newName: registry.sighup.io/fury/calico/kube-controllers
-  newTag: v3.26.3
+  newTag: v3.27.0
 - name: docker.io/calico/node
   newName: registry.sighup.io/fury/calico/node
-  newTag: v3.26.3
+  newTag: v3.27.0
 
   # Resources needed for Monitoring
 resources:

katalog/cilium/MAINTENANCE.md

@@ -5,7 +5,10 @@ To update the Cilium package with upstream, please follow the next steps.
 Download the upstream manifests:
 
 ```bash
-helm pull cilium/cilium --version 1.13.3 --untar --untardir /tmp
+helm repo add cilium https://helm.cilium.io/
+helm repo update
+helm search repo cilium/cilium
+helm pull cilium/cilium --version 1.15.2 --untar --untardir /tmp
 ```
 
 Change the tag for the images on the file `MAINTENANCE.values.yaml`, check the new one on `/tmp/cilium/values.yaml

katalog/cilium/MAINTENANCE.values.yaml

@@ -7,7 +7,7 @@
 image:
   override: ~
   repository: "registry.sighup.io/fury/cilium/cilium"
-  tag: "v1.14.3"
+  tag: "v1.15.2"
   useDigest: false
 
 # -- Affinity for cilium-agent.
@@ -76,7 +76,7 @@ hubble:
     image:
       override: ~
       repository: "registry.sighup.io/fury/cilium/hubble-relay"
-      tag: "v1.14.3"
+      tag: "v1.15.2"
 
       useDigest: false
       pullPolicy: "IfNotPresent"
@@ -120,8 +120,9 @@ hubble:
       image:
         override: ~
         repository: "registry.sighup.io/fury/cilium/hubble-ui-backend"
-        tag: "v0.12.1"
+        tag: "v0.13.0"
 
+        useDigest: false
         pullPolicy: "IfNotPresent"
 
       resources: {}
@@ -137,7 +138,8 @@ hubble:
       image:
         override: ~
         repository: "registry.sighup.io/fury/cilium/hubble-ui"
-        tag: "v0.12.1"
+        tag: "v0.13.0"
+        useDigest: false
         pullPolicy: "IfNotPresent"
 
       # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
@@ -163,11 +165,6 @@ identityAllocationMode: "crd"
 # @default -- `"5s"`
 identityChangeGracePeriod: ""
 
-# -- Configure whether to install iptables rules to allow for TPROXY
-# (L7 proxy injection), iptables-based masquerading and compatibility
-# with kube-proxy.
-installIptablesRules: true
-
 # -- Install Iptables rules to skip netfilter connection tracking on all pod
 # traffic. This option is only effective when Cilium is running in direct
 # routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
@@ -262,7 +259,7 @@ operator:
   image:
     override: ~
     repository: "registry.sighup.io/fury/cilium/operator"
-    tag: "v1.14.3"
+    tag: "v1.15.2"
 
     useDigest: false
     pullPolicy: "IfNotPresent"