Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 38 additions & 1 deletion calico_versioned_docs/version-3.32/release-notes/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -243,9 +243,46 @@

To update a previous version of Calico, see [our upgrade guides](../operations/upgrading/index.mdx).

{/*
### Calico Open Source 3.32.1 bug fix release

24 Jun 2026

#### Bug fixes

- HELM: Fixes the tigera-operator chart install instructions, which omitted the step to install Calico CRDs from the separate crd.projectcalico.org.v1 chart. [calico 13043](https://github.com/projectcalico/calico/pull/13043) (@caseydavenport)

Check warning on line 252 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Terms] Use 'CRDs?' instead of 'crd'. Raw Output: {"message": "[Vale.Terms] Use 'CRDs?' instead of 'crd'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 252, "column": 127}}}, "severity": "WARNING"}

Check warning on line 252 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Terms] Use 'Tigera' instead of 'tigera'. Raw Output: {"message": "[Vale.Terms] Use 'Tigera' instead of 'tigera'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 252, "column": 19}}}, "severity": "WARNING"}
- Fix manifest-based installs missing kubevirt.io RBAC rules on the calico-cni-plugin and calico-kube-controllers ClusterRoles, which caused KubeVirt VM networking and IPAM garbage collection failures. [calico 12996](https://github.com/projectcalico/calico/pull/12996) (@song-jiang)

Check warning on line 253 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Terms] Use 'CNIs?' instead of 'cni'. Raw Output: {"message": "[Vale.Terms] Use 'CNIs?' instead of 'cni'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 253, "column": 76}}}, "severity": "WARNING"}

Check warning on line 253 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Terms] Use 'KubeVirt' instead of 'kubevirt'. Raw Output: {"message": "[Vale.Terms] Use 'KubeVirt' instead of 'kubevirt'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 253, "column": 39}}}, "severity": "WARNING"}
- Fixed a bug where Felix's periodic route resync did not detect (and repair) Calico-owned routes that had been modified in place by another process. Fixed unnecessary reprogramming of unchanged IPv6 multi-path routes on resync, and a corner case where removing an IPAM block route could trigger a spurious conntrack cleanup for a workload owning the block's network address. [calico 12958](https://github.com/projectcalico/calico/pull/12958) (@fasaxc)
- [v3.32] fix(felix): exclude LB-only IPPools from BPF in-pool route flag [calico 12953](https://github.com/projectcalico/calico/pull/12953) (@defo89)

Check warning on line 255 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Terms] Use 'Felix' instead of 'felix'. Raw Output: {"message": "[Vale.Terms] Use 'Felix' instead of 'felix'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 255, "column": 15}}}, "severity": "WARNING"}
- Fixes a NotFound error when using server-side apply (including Helm 4) to create Calico network policies that don't already exist. [calico 12906](https://github.com/projectcalico/calico/pull/12906) (@caseydavenport)
- Fixes a bug in the eBPF dataplane in which deleting and restoring the local Node resource and restarting Felix could leave the node unable to handle network traffic. [calico 12874](https://github.com/projectcalico/calico/pull/12874) (@tomastigera)

Check failure on line 257 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'. Raw Output: {"message": "[CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 257, "column": 27}}}, "severity": "ERROR"}

Check failure on line 257 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'dataplane'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'dataplane'?", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 257, "column": 27}}}, "severity": "ERROR"}
- Fix SNAT being skipped for traffic destined to LoadBalancer-only IPPools by excluding them from the all-ipam-pools ipset. [calico 12858](https://github.com/projectcalico/calico/pull/12858) (@defo89)

Check warning on line 258 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Terms] Use 'IPAM' instead of 'ipam'. Raw Output: {"message": "[Vale.Terms] Use 'IPAM' instead of 'ipam'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 258, "column": 107}}}, "severity": "WARNING"}
- ebpf - Fix kube-proxy losing the NodePort externalTrafficPolicy=Local route-fixup trigger after a syncer swap, which could cause stale NAT entries on remote backends. [calico 12743](https://github.com/projectcalico/calico/pull/12743) (@tomastigera)

Check failure on line 259 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'ebpf'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'ebpf'?", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 259, "column": 3}}}, "severity": "ERROR"}
- Fixes nft binary segfaults in calico/node and the Istio CNI install image when newer nftables is in use elsewhere on the host. [calico 12712](https://github.com/projectcalico/calico/pull/12712) (@caseydavenport)

Check failure on line 260 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'nft'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'nft'?", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 260, "column": 9}}}, "severity": "ERROR"}
- Fixed a regression introduced in v3.30 where `RouteSyncDisabled` flag was not being honored by `LinkAddressManager`. [calico 12707](https://github.com/projectcalico/calico/pull/12707) (@mazdakn)
- Fix server-side apply (FluxCD, ArgoCD, `kubectl apply --server-side`) failures on BGPConfiguration resources that set serviceLoadBalancerIPs, serviceExternalIPs, serviceClusterIPs, communities, or prefixAdvertisements. [calico 12705](https://github.com/projectcalico/calico/pull/12705) (@caseydavenport)

Check failure on line 262 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'prefixAdvertisements'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'prefixAdvertisements'?", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 262, "column": 200}}}, "severity": "ERROR"}
- ebpf - Fix transient NodePort connection failures when Felix restarts on a node receiving external NodePort traffic. [calico 12694](https://github.com/projectcalico/calico/pull/12694) (@tomastigera)

Check failure on line 263 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'ebpf'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'ebpf'?", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 263, "column": 3}}}, "severity": "ERROR"}
- Fixes a Felix panic that could occur when an IP set selector matched both a NetworkSet CIDR and workload IPs contained within it, with nftables as the active dataplane. [calico 12671](https://github.com/projectcalico/calico/pull/12671) (@caseydavenport)

Check failure on line 264 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'. Raw Output: {"message": "[CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 264, "column": 161}}}, "severity": "ERROR"}

Check failure on line 264 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'dataplane'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'dataplane'?", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 264, "column": 161}}}, "severity": "ERROR"}
- Fix that certain internal API key types were non-comparable, requiring workarounds in various places. [calico 11958](https://github.com/projectcalico/calico/pull/11958) (@fasaxc)
- Fix panic in calico/node on s390x architecture. [calico 11312](https://github.com/projectcalico/calico/pull/11312) (@vivkong)

#### Other changes

- Bump bundled third-party images (Envoy Gateway to v1.8.0, Envoy proxy, Envoy ratelimit, node-driver-registrar, Istio to 1.29.4) and their golang.org/x and spdystream dependencies to remediate CVE-2026-33814 and CVE-2026-35469. [calico 13030](https://github.com/projectcalico/calico/pull/13030) (@lucastigera)

Check failure on line 270 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'ratelimit'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'ratelimit'?", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 270, "column": 80}}}, "severity": "ERROR"}
- Prevent deletion of built-in tiers in CRD mode. [calico 12982](https://github.com/projectcalico/calico/pull/12982) (@caseydavenport)
- calico/node now refreshes the CNI plugin's kubeconfig immediately when the pod's projected ServiceAccount token is rotated, closing a 6-12h window where an externally-invalidated token could cause CNI ADD to fail with "Unauthorized" until the calico-node pod was restarted. [calico 12940](https://github.com/projectcalico/calico/pull/12940) (@skoryk-oleksandr)
- HELM: Detect the served MutatingAdmissionPolicy API version and render MutatingAdmissionPolicy/MutatingAdmissionPolicyBinding accordingly (v1 on Kubernetes 1.36+, v1alpha1 when only the alpha API is served), defaulting to v1beta1. [calico 12877](https://github.com/projectcalico/calico/pull/12877) (@caseydavenport)
- Support CGO Enabled builds for ppc64le [calico 12768](https://github.com/projectcalico/calico/pull/12768) (@kishen-v)
- kube-controllers, goldmane: use default secure pprof server (localhost only). Use `kubectl port-forward` for remote access. [calico 12633](https://github.com/projectcalico/calico/pull/12633) (@Behnam-Shobiri)

Check warning on line 275 in calico_versioned_docs/version-3.32/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Terms] Use 'Goldmane' instead of 'goldmane'. Raw Output: {"message": "[Vale.Terms] Use 'Goldmane' instead of 'goldmane'.", "location": {"path": "calico_versioned_docs/version-3.32/release-notes/index.mdx", "range": {"start": {"line": 275, "column": 21}}}, "severity": "WARNING"}
- Felix: reduce memory used for handling Typha reconnection. Avoid converting all datastore keys to string, store the already-used key structs instead. [calico 11947](https://github.com/projectcalico/calico/pull/11947) (@fasaxc)
- Deprecating HostMetadataUpdate, HostMetadataRemove, HostMetadataV6Update, and HostMetadataV6Remove internal protobuf messages in favor of HostMedataV4V6Update and HostMetadaV4V6 messages. [calico 11284](https://github.com/projectcalico/calico/pull/11284) (@mazdakn)

#### Updating

To update a previous version of Calico, see [our upgrade guides](../operations/upgrading/index.mdx).

{/*
### Calico Open Source 3.32.2 bug fix release

DD MMMM YYYY

#### Bug fixes
Expand Down
98 changes: 98 additions & 0 deletions calico_versioned_docs/version-3.32/releases.json
Original file line number Diff line number Diff line change
@@ -1,4 +1,102 @@
[
{
"title": "v3.32.1",
"tigera-operator": {
"image": "tigera/operator",
"registry": "quay.io",
"version": "v1.42.3"
},
"components": {
"calico/typha": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/ctl": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/node": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/node-windows": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/cni": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/cni-windows": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/apiserver": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/kube-controllers": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/envoy-gateway": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/envoy-proxy": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/envoy-ratelimit": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/flannel-migration-controller": {
"version": "v3.32.1",
"registry": "quay.io"
},
"flannel": {
"version": "v0.24.4",
"registry": "docker.io"
},
"calico/dikastes": {
"version": "v3.32.1",
"registry": "quay.io"
},
"flexvol": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/csi": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/node-driver-registrar": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/pod2daemon-flexvol": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/key-cert-provisioner": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/goldmane": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/whisker": {
"version": "v3.32.1",
"registry": "quay.io"
},
"calico/whisker-backend": {
"version": "v3.32.1",
"registry": "quay.io"
}
}
},
{
"title": "v3.32.0",
"tigera-operator": {
Expand Down
6 changes: 3 additions & 3 deletions calico_versioned_docs/version-3.32/variables.js
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
const releases = require('./releases.json');

const variables = {
releaseTitle: 'v3.32.0',
releaseTitle: 'v3.32.1',
prodname: 'Calico',
prodnamedash: 'calico',
version: 'v3.32',
Expand All @@ -16,11 +16,11 @@ const variables = {
noderunning: 'calico-node',
rootDirWindows: 'C:\\CalicoWindows',
ppa_repo_name: 'calico-3.32',
manifestsUrl: 'https://raw.githubusercontent.com/projectcalico/calico/v3.32.0',
manifestsUrl: 'https://raw.githubusercontent.com/projectcalico/calico/v3.32.1',
releases,
registry: '',
vppbranch: 'v3.32.0',
envoyVersion: '1.5.6',
envoyVersion: '1.8.0',
tigeraOperator: releases[0]['tigera-operator'],
tigeraOperatorVersionShort: releases[0]['tigera-operator'].version.split('.').slice(0, 2).join('.'),
imageNames: {
Expand Down
Loading