fix(calico-3.29.yaml): Disable the calico-apiserver 3.29.2 when Valid…

…ating Admission Policy checks until upstream tigrea operator adds the required rules Because we are using tigera-operator during image test we are reliant on tigera-operator setting up all the required rbac rules that are needed for calico-apiserver to run. This is a temporary solution until tigera/operator#3780 is resovled upstream with a new release of tigera-operator. This issue was highlighed in calico-apiserver 3.29.2 when Validating Admission Policy became enabled by default. This patch disables the Validating Admission Policy in calico-apiserver until the issue is resolved. Signed-off-by: philroche <phil.roche@chainguard.dev>
philroche · Feb 20, 2025 · 6a715b2 · 6a715b2
1 parent 06a8469
commit 6a715b2
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/calico-3.29.yaml b/calico-3.29.yaml
@@ -1,7 +1,7 @@
 package:
   name: calico-3.29
   version: "3.29.2"
-  epoch: 0
+  epoch: 1
   description: "Cloud native networking and network security"
   copyright:
     - license: Apache-2.0
@@ -65,6 +65,16 @@ pipeline:
       repository: https://github.com/projectcalico/calico
       tag: v${{package.version}}
       expected-commit: c29210835f7a2795d0791974602c8e1c625c8ca1
+
+  # Because we are using tigera-operator during image test we are reliant on tigera-operator setting
+  # up all the required rbac rules that are needed for calico-apiserver to run. This is a temporary solution
+  # until https://github.com/tigera/operator/issues/3780 is resovled upstream with a new release of tigera-operator.
+  # This issue was highlighed in calico-apiserver 3.29.2 when Validating Admission Policy became enabled by default.
+  # This patch disables the Validating Admission Policy in calico-apiserver until the issue is resolved.
+  - uses: patch
+    with:
+      patches: calico-apiserver-disable-validating-admission-policy.patch
+
   - working-directory: felix
     pipeline:
       # Equivalent to target: "build-bpf"

diff --git a/calico-3.29/calico-apiserver-disable-validating-admission-policy.patch b/calico-3.29/calico-apiserver-disable-validating-admission-policy.patch
@@ -0,0 +1,13 @@
+diff --git a/apiserver/cmd/apiserver/server/options.go b/apiserver/cmd/apiserver/server/options.go
+index 3701a9659..f8637cff6 100644
+--- a/apiserver/cmd/apiserver/server/options.go
++++ b/apiserver/cmd/apiserver/server/options.go
+@@ -68,7 +68,7 @@ func (o *CalicoServerOptions) addFlags(flags *pflag.FlagSet) {
+ 		"If true, prints swagger to stdout and exits.")
+ 	flags.StringVar(&o.SwaggerFilePath, "swagger-file-path", "./",
+ 		"If print-swagger is set true, then write swagger.json to location specified. Default is current directory.")
+-	flags.BoolVar(&o.EnableValidatingAdmissionPolicy, "enable-validating-admission-policy", true,
++	flags.BoolVar(&o.EnableValidatingAdmissionPolicy, "enable-validating-admission-policy", false,
+ 		"If true, establishes watches for ValidatingAdmissionPolicy at startup.")
+ }
+