v1.39.3

22 Sep 2025

Included Calico versions

Calico version: v3.30.2
Calico Enterprise version: v3.22.0-1.0

Note

This version of Operator is an internal release to support Calico Cloud customers and does not have any user-visible changes.

v1.36.14

18 Sep 2025

Included Calico versions

Calico version: v3.29.6
Calico Enterprise version: v3.20.6

Other changes

• This change updates the Dex client configuration to support Single Page Applications (SPAs) code flow with PKCE.
  The 'X-Frame-Options' header was changed from 'DENY' to 'SAMEORIGIN'. #4139 (@rene-dekker)

v1.39.2

17 Sep 2025

Included Calico versions

Calico version: v3.30.2
Calico Enterprise version: v3.22.0-1.0

Other changes

• The impersonation permissions on guardian are made configurable through the ManagementClusterConnection resource. #4154 (@rene-dekker)

v1.36.13

03 Sep 2025

Included Calico versions

Calico version: v3.29.5
Calico Enterprise version: v3.20.6

Other changes

• Fixed a race condition when checking if the calico-node DaemonSet has completed its rollout before enabling BPF. #4084 (@lucastigera)
• Adds the silent-callback URL to the redirectURIs list, so the UI can prolong a session for the user. #4076 (@rene-dekker)

v1.38.6

12 Jun 2025

Included Calico versions

Calico version: v3.30.3
Calico Enterprise version: v3.21.2

Note

This version of Operator is released to support installing Calico v3.30.3 and does not include any other changes.

v1.34.14

22 Aug 2025

Included Calico versions

Calico version: v3.28.5
Calico Enterprise version: v3.19.8

Other changes

• Fixed a race condition when checking if the calico-node DaemonSet has completed its rollout before enabling BPF. #4083 (@lucastigera)
• Adds the silent-callback URL to the redirectURIs list, so the UI can prolong a session for the user. #4075 (@rene-dekker)
• Increase the lifecycle.poll_interval for Elasticsearch. In a case where a cluster has many indices, the default setting can cause ES performance issues. #3999 (@rene-dekker)

v1.39.1

14 Aug 2025

Included Calico versions

Calico version: v3.30.2
Calico Enterprise version: v3.22.0-1.0

Note

This version of Operator is a bug fix release which does not introduce support for any newer versions of Calico or Calico Enterprise.

Bug Fixes

• Fixed a race condition when checking if the calico-node DaemonSet has completed its rollout before enabling BPF. #4082 (@lucastigera)

v1.38.5

08 Aug 2025

Included Calico versions

Calico version: v3.30.2
Calico Enterprise version: v3.21.2

Bug fixes

• Fixed a race condition when checking if the calico-node DaemonSet has completed its rollout before enabling BPF. #4080 (@lucastigera)

Other changes

• Upgrade Elasticsearch and Kibana to 8.18.4 #4067 (@rene-dekker)

v1.39.0

06 Aug 2025

Included Calico versions

Calico version: v3.30.2
Calico Enterprise version: v3.22.0-1.0

Enhancements and changes

• Fixed an issue that prevented the operator from detecting HTTP proxies set on the Guardian container. #4041 (@pasanw)
• Fix security contexts for init containers when certificate management is enabled, so the certificates have the right permissions set on them. #4029 (@rene-dekker)
• Operator now annotates Guardian pods with cluster version information #4024 (@vara2504)
• Increase the lifecycle.poll_interval for Elasticsearch. In a case where a cluster has many indices, the default setting can cause ES performance issues. #3996 (@rene-dekker)
• Component Migration: To support a minimal footprint and simplify resource management, the calico-apiserver component and its associated resources have been moved from the calico-apiserver namespace to the calico-system namespace in Calico OSS . #3989 (@vara2504)
• Don't modify user-provided registry in Installation specification. #3976 (@caseydavenport)
• Add nodes CA to goldmanes trusted bundle to support legacy / BYO node certificates that weren't signed by the operator #3973 (@Brian-McM)
• Component Migration: To support a minimal footprint and simplify resource management, the tigera-apiserver component and its associated resources have been moved from the tigera-system namespace to the calico-system namespace #3960 (@vara2504)
• Calico Enterprise now supports archiving logs from non-cluster hosts. Additional stores (e.g. S3, Splunk, Syslog) configured on the LogCollector resource will have non-cluster logs forwarded to them by default. A HostScope parameter has been added to each additional store spec to configure which hosts will have their logs forwarded to the specified store. #3954 (@pasanw)
• Allow non-cluster host process to list and update HEPs #3942 (@hjiawei)
• Use correct cluster domain for Goldmane #3941 (@caseydavenport)
• Added a new parameter in the Installation CR - TLSCipherSuites that will allow users to configure ciphers. #3938 (@lucastigera)
• Allow the migration to operator-based installation when loadbalancer kube-controller is enabled #3933 (@MichalFupso)
• Fix migrating a ebpf cluster from manual to operator. #3932 (@sridhartigera)
• Don't run kube-controllers if there are no enabled controllers #3917 (@caseydavenport)
• Use explicit verbs in tiered policy passthrough to prevent admission controllers from blocking object creation. #3887 (@caseydavenport)
• Update Envoy Gateway from v1.2.6 to v1.3.2 #3891 (@nelljerram)
• Extend the Installation resource to allow specifying directories for installing CNI binaries and configuration files #3882 (@a-yohe1)
• Set explicit DNS nameservers for calico/node when needed #3866 (@caseydavenport)
• Skip Typha scaling checks when we're terminating #3862 (@caseydavenport)
• Don't block the controller is authentication is not ready to prevent a mutual dependency. #3854 (@rene-dekker)
• The GatewayAPI CR now allows controlling the type and properties of the external load balancer that is provisioned for each Gateway. It also has enhanced configurability in other ways, including the number of replicas provisioned for each Gateway, or whether to provision a DaemonSet instead of a Deployment. #3852 (@nelljerram)
• Wait for defaulter to run before validation #3851 (@jsturtevant)
• Add notifications flag to disable notifications in the UI #3848 (@WilliamTigera)
• Fix certificate management with ECK 2.16.1. #3814 (@rene-dekker)

v1.36.12

18 Jul 2025

Included Calico versions

Calico version: v3.29.5
Calico Enterprise version: v3.20.5

Other changes

• Increase the lifecycle.poll_interval for Elasticsearch. In a case where a cluster has many indices, the default setting can cause ES performance issues. #3998 (@rene-dekker)