Merge branch 'master' into gen-release-notes

Makefile

@@ -533,6 +533,7 @@ release-publish: release-prereqs
 	git push origin $(VERSION)
 
 	$(MAKE) release-publish-images IMAGETAG=$(VERSION)
+	$(MAKE) release-github
 
 	@echo "Finalize the GitHub release based on the pushed tag."
 	@echo ""
@@ -543,6 +544,18 @@ release-publish: release-prereqs
 	@echo "  make VERSION=$(VERSION) release-publish-latest"
 	@echo ""
 
+release-github: hack/bin/gh release-notes
+	@echo "Creating github release for $(VERSION)"
+	hack/bin/gh release create $(VERSION) --title $(VERSION) --draft --notes-file $(VERSION)-release-notes.md
+
+GITHUB_CLI_VERSION?=2.62.0
+hack/bin/gh:
+	mkdir -p hack/bin
+	curl -sSL -o hack/bin/gh.tgz https://github.com/cli/cli/releases/download/v$(GITHUB_CLI_VERSION)/gh_$(GITHUB_CLI_VERSION)_linux_amd64.tar.gz
+	tar -zxvf hack/bin/gh.tgz -C hack/bin/ gh_$(GITHUB_CLI_VERSION)_linux_amd64/bin/gh/bin/hub --strip-components=2
+	chmod +x $@
+	rm hack/bin/gh.tgz
+
 # release-prereqs checks that the environment is configured properly to create a release.
 release-prereqs:
 ifndef VERSION
@@ -624,16 +637,18 @@ $(BINDIR)/gen-versions: $(shell find ./hack/gen-versions -type f)
 	sh -c '$(GIT_CONFIG_SSH) \
 	go build -buildvcs=false -o $(BINDIR)/gen-versions ./hack/gen-versions'
 
+# $(1) is the product
+define prep_local_crds
+    $(eval product := $(1))
+	rm -rf pkg/crds/$(product)
+	rm -rf .crds/$(product)
+	mkdir -p pkg/crds/$(product)
+	mkdir -p .crds/$(product)
+endef
+
 # $(1) is the github project
 # $(2) is the branch or tag to fetch
 # $(3) is the directory name to use
-define prep_local_crds
-    $(eval dir := $(1))
-	rm -rf pkg/crds/$(dir)
-	rm -rf .crds/$(dir)
-	mkdir -p pkg/crds/$(dir)
-	mkdir -p .crds/$(dir)
-endef
 define fetch_crds
     $(eval project := $(1))
     $(eval branch := $(2))
@@ -643,7 +658,8 @@ define fetch_crds
 endef
 define copy_crds
     $(eval dir := $(1))
-	@cp .crds/$(dir)/libcalico-go/config/crd/* pkg/crds/$(dir)/ && echo "Copied $(dir) CRDs"
+		$(eval product := $(2))
+	@cp $(dir)/libcalico-go/config/crd/* pkg/crds/$(product)/ && echo "Copied $(product) CRDs"
 endef
 
 .PHONY: read-libcalico-version read-libcalico-enterprise-version
@@ -652,36 +668,40 @@ endef
 .PHONY: prepare-for-calico-crds prepare-for-enterprise-crds
 
 CALICO?=projectcalico/calico
+CALICO_CRDS_DIR?=.crds/calico
+DEFAULT_OS_CRDS_DIR?=.crds/calico
 read-libcalico-calico-version:
 	$(eval CALICO_BRANCH := $(shell $(CONTAINERIZED) $(CALICO_BUILD) \
 	bash -c '$(GIT_CONFIG_SSH) \
 	yq r config/calico_versions.yml components.libcalico-go.version'))
 	if [ -z "$(CALICO_BRANCH)" ]; then echo "libcalico branch not defined"; exit 1; fi
 
 update-calico-crds: fetch-calico-crds
-	$(call copy_crds,"calico")
+	$(call copy_crds, $(CALICO_CRDS_DIR),"calico")
 
 prepare-for-calico-crds:
 	$(call prep_local_crds,"calico")
 
 fetch-calico-crds: prepare-for-calico-crds read-libcalico-calico-version
-	$(call fetch_crds,$(CALICO),$(CALICO_BRANCH),"calico")
+	$(if $(filter $(DEFAULT_OS_CRDS_DIR),$(CALICO_CRDS_DIR)), $(call fetch_crds,$(CALICO),$(CALICO_BRANCH),"calico"))
 
 CALICO_ENTERPRISE?=tigera/calico-private
+ENTERPRISE_CRDS_DIR?=.crds/enterprise
+DEFAULT_EE_CRDS_DIR=.crds/enterprise
 read-libcalico-enterprise-version:
 	$(eval CALICO_ENTERPRISE_BRANCH := $(shell $(CONTAINERIZED) $(CALICO_BUILD) \
 	bash -c '$(GIT_CONFIG_SSH) \
 	yq r config/enterprise_versions.yml components.libcalico-go.version'))
 	if [ -z "$(CALICO_ENTERPRISE_BRANCH)" ]; then echo "libcalico enterprise branch not defined"; exit 1; fi
 
 update-enterprise-crds: fetch-enterprise-crds
-	$(call copy_crds,"enterprise")
+	$(call copy_crds,$(ENTERPRISE_CRDS_DIR),"enterprise")
 
 prepare-for-enterprise-crds:
 	$(call prep_local_crds,"enterprise")
 
 fetch-enterprise-crds: prepare-for-enterprise-crds  read-libcalico-enterprise-version
-	$(call fetch_crds,$(CALICO_ENTERPRISE),$(CALICO_ENTERPRISE_BRANCH),"enterprise")
+	$(if $(filter $(DEFAULT_EE_CRDS_DIR),$(ENTERPRISE_CRDS_DIR)), $(call fetch_crds,$(CALICO_ENTERPRISE),$(CALICO_ENTERPRISE_BRANCH),"enterprise"))
 
 .PHONY: prepull-image
 prepull-image:

hack/maybe-build-release.sh

@@ -9,7 +9,7 @@ fi
 if [[ ! "${tag}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
 	echo "tag ${tag} does not match the format vX.Y.Z"
 	exit 1
-fi	
+fi
 
 if [[ ! "$(git rev-parse --abbrev-ref HEAD)" =~ (release-v*.*|master) ]]; then
 	echo "not on 'master' or 'release-vX.Y'"
@@ -28,3 +28,6 @@ make release VERSION=${tag}
 
 echo "Publish release ${tag}"
 make release-publish-images VERSION=${tag}
+
+echo "Create ${tag} release on GitHub"
+make release-github VERSION=${tag}

pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml

@@ -81,6 +81,25 @@ spec:
                   for debugging purposes. \n Deprecated: Use BPFConnectTimeLoadBalancing
                   [Default: true]"
                 type: boolean
+              bpfConntrackLogLevel:
+                description: 'BPFConntrackLogLevel controls the log level of the BPF
+                  conntrack cleanup program, which runs periodically to clean up expired
+                  BPF conntrack entries. [Default: Off].'
+                enum:
+                - "Off"
+                - Debug
+                type: string
+              bpfConntrackMode:
+                description: 'BPFConntrackCleanupMode controls how BPF conntrack entries
+                  are cleaned up.  `Auto` will use a BPF program if supported, falling
+                  back to userspace if not.  `Userspace` will always use the userspace
+                  cleanup code.  `BPFProgram` will always use the BPF program (failing
+                  if not supported). [Default: Auto]'
+                enum:
+                - Auto
+                - Userspace
+                - BPFProgram
+                type: string
               bpfDSROptoutCIDRs:
                 description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
                   from DSR. That is, clients in those CIDRs will access service node
@@ -95,7 +114,8 @@ spec:
                   that Calico workload traffic flows over as well as any interfaces
                   that handle incoming traffic to nodeports and services from outside
                   the cluster.  It should not match the workload interfaces (usually
-                  named cali...).
+                  named cali...) or any other special device managed by Calico itself
+                  (e.g., tunnels).
                 type: string
               bpfDisableGROForIfaces:
                 description: BPFDisableGROForIfaces is a regular expression that controls
@@ -217,6 +237,13 @@ spec:
                   connection.  Warning: changing the size of the conntrack map can
                   cause disruption.'
                 type: integer
+              bpfMapSizeConntrackCleanupQueue:
+                description: BPFMapSizeConntrackCleanupQueue sets the size for the
+                  map used to hold NAT conntrack entries that are queued for cleanup.  This
+                  should be big enough to hold all the NAT entries that expire within
+                  one cleanup interval.
+                minimum: 1
+                type: integer
               bpfMapSizeIPSets:
                 description: BPFMapSizeIPSets sets the size for ipsets map.  The IP
                   sets map must be large enough to hold an entry for each endpoint