Skip to content

DOCS-2809: Publish Calico Enterprise 3.22.1 #2474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sujeet-kr merged 9 commits into from
Jan 27, 2026
Merged

DOCS-2809: Publish Calico Enterprise 3.22.1 #2474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a86ead5
Prepare for release CE 3.22.1
ctauchen Jan 20, 2026
497f209
Add release notes for v3.22.1
rene-dekker Jan 21, 2026
65f5831
Edit release notes to fix build error
ctauchen Jan 23, 2026
5fa8663
docs: Added release notes for v3.22.1
rene-dekker Jan 23, 2026
96dd53a
Change release date
sabags Jan 27, 2026
09318cd
Add RN for KUBERNETES_SERVICE_HOST
rene-dekker Jan 27, 2026
dae3247
Update operator version and eck-KB/ES version
sabags Jan 27, 2026
e660183
Merge branch 'publish/ce-3.22.1' of github.com:tigera/docs into publi…
sabags Jan 27, 2026
c50ddf3
fix url for private registry in 3.22-2
sujeet-kr Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion calico-enterprise_versioned_docs/version-3.21-2/variables.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ const variables = {
prodnamedash: 'calico-enterprise',
version: 'v3.21',
openSourceVersion: releases[0].calico.minor_version.slice(1),
baseUrl: '/calico-enterprise/latest',
baseUrl: '/calico-enterprise/3.21',
filesUrl: 'https://downloads.tigera.io/ee/v3.21.5',
rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5),
tutorialFilesURL: 'https://docs.tigera.io/files',
Expand Down
57 changes: 57 additions & 0 deletions calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,5 +209,62 @@
As a workaround, avoid enabling WAF/L7 functionalities with eBPF dataplane.

#### Upgrading

To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx).

### Calico Enterprise 3.22.1 general availability release

January 26, 2026

Calico Enterprise 3.22.1 is now available as a general availability release.

This release is supported for use in production.

#### Breaking changes

* Renamed the name of the certificate bundle in the tigera-ca-bundle configmaps from tigera-ca-bundle.crt to ca.crt. A copy of the operator signer can still be fond in the original location. This only affects users who use this bundle for features that are not managed by the operator in addition to bringing your own certificates.

Check failure on line 225 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Tigera' instead of 'tigera'.

Raw Output:
{"message": "[Vale.Terms] Use 'Tigera' instead of 'tigera'.", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 225, "column": 86}}}, "severity": "ERROR"}

Check failure on line 225 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'configmaps'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'configmaps'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 225, "column": 70}}}, "severity": "ERROR"}

Check failure on line 225 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Tigera' instead of 'tigera'.

Raw Output:
{"message": "[Vale.Terms] Use 'Tigera' instead of 'tigera'.", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 225, "column": 53}}}, "severity": "ERROR"}
* Removed the prefix "cnx-" from image names. The new image names can all be found [here](../getting-started/install-on-clusters/private-registry/private-registry-regular.mdx).
* We are requiring kernel support for the x86-64 v3 architecture in this release as we are beginning to migrate to UBI10.

#### Bug fixes

* Fixed an issue causing a panic in Felix when WAF/L7 features are enabled with eBPF dataplane.

Check failure on line 231 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'dataplane'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'dataplane'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 231, "column": 86}}}, "severity": "ERROR"}

Check failure on line 231 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'.

Raw Output:
{"message": "[CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'.", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 231, "column": 86}}}, "severity": "ERROR"}
* Fixed an issue preventing WAF/L7 features to work on hosts without legacy iptables support, such as Openshift 4.20.

Check failure on line 232 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Openshift'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'Openshift'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 232, "column": 103}}}, "severity": "ERROR"}
* Fixed an issue where Kibana was making connections to public endpoints.
* Added an egress rule to allow traffic from intrusion detection controller to the tigera-manager deployment. This fixed an issue where traffic would be blocked if the user applies a default deny policy to the namespace.

Check failure on line 234 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[Vale.Terms] Use 'Tigera' instead of 'tigera'.

Raw Output:
{"message": "[Vale.Terms] Use 'Tigera' instead of 'tigera'.", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 234, "column": 84}}}, "severity": "ERROR"}
* Fixed an issue where Guardian was missing the certificate of the Calico API server from its CA bundle. This issue only impacted clusters that were created using an older version of the Operator that did not use a centralized signer. (Calico Enterprise v3.12 and older.)
* Fixed an issue that caused local workloads with borrowed IPs lose connectivity when using the eBPF dataplane.

Check failure on line 236 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'dataplane'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'dataplane'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 236, "column": 102}}}, "severity": "ERROR"}

Check failure on line 236 in calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx

View workflow job for this annotation

GitHub Actions / runner / vale 

[vale] reported by reviewdog 🐶
[CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'.

Raw Output:
{"message": "[CalicoStyle.Substitutions] Use 'data plane' instead of 'dataplane'.", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx", "range": {"start": {"line": 236, "column": 102}}}, "severity": "ERROR"}
* Fixed an issue where the VXLAN overlay VNI is always 0 on the eBPF dataplane. [calico 10625](https://github.com/projectcalico/calico/pull/10625)
* Fixed an issue where fragmented UDP packets were incorrectly handled, leading to denied flows.
* Security updates.


#### Known issues

* Pod restart may be required after initial deployment with Istio Ambient Mode.

When using Calico eBPF dataplane with Istio ambient mode, pods created before ztunnel/istiod are fully ready may experience HBONE tunnel routing failures.
Affected pods show connection resets (curl error 56) or TLS handshake failures when communicating with other ambient-enrolled pods.

Symptoms:
- curl: (56) Recv failure: Connection reset by peer between ambient pods
- ztunnel logs showing received corrupt message of type InvalidContentType
- Traffic works from non-ambient pods and via localhost

Workaround:
Restart affected deployments after enabling ambient mode:
```shell
kubectl rollout restart deployment -n <namespace>
```

Root Cause:
Pods created during initial ambient mode setup may have stale ztunnel INPOD socket state, causing HBONE traffic to route to the application port instead of the ztunnel HBONE listener (port 15008).

* There is a bug in which the image pull secret is not propagated to the target namespace when deploying Istio Ambient Mode.
Affects only users using a private registry.
* IPv4 addresses are not currently accepted as valid values for KUBERNETES_SERVICE_HOST - please use a hostname instead.  This issue will be resolved in the next patch release.


#### Upgrading

To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx).
263 changes: 262 additions & 1 deletion calico-enterprise_versioned_docs/version-3.22-2/releases.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,266 @@
[
{
{
"title": "v3.22.1",
"tigera-operator": {
"version": "v1.40.5",
"image": "tigera/operator",
"registry": "quay.io"
},
"calico": {
"minor_version": "v3.31",
"archive_path": "archive"
},
"components": {
"alertmanager": {
"version": "v3.22.1",
"image": "tigera/alertmanager"
},
"calicoctl": {
"version": "v3.22.1",
"image": "tigera/calicoctl"
},
"calicoq": {
"version": "v3.22.1",
"image": "tigera/calicoq"
},
"apiserver": {
"version": "v3.22.1",
"image": "tigera/apiserver"
},
"kube-controllers": {
"version": "v3.22.1",
"image": "tigera/kube-controllers"
},
"manager": {
"version": "v3.22.1",
"image": "tigera/manager"
},
"node": {
"version": "v3.22.1",
"image": "tigera/node"
},
"node-windows": {
"version": "v3.22.1",
"image": "tigera/node-windows"
},
"queryserver": {
"version": "v3.22.1",
"image": "tigera/queryserver"
},
"compliance-benchmarker": {
"version": "v3.22.1",
"image": "tigera/compliance-benchmarker"
},
"compliance-controller": {
"version": "v3.22.1",
"image": "tigera/compliance-controller"
},
"compliance-reporter": {
"version": "v3.22.1",
"image": "tigera/compliance-reporter"
},
"compliance-server": {
"version": "v3.22.1",
"image": "tigera/compliance-server"
},
"compliance-snapshotter": {
"version": "v3.22.1",
"image": "tigera/compliance-snapshotter"
},
"coreos-alertmanager": {
"version": "v0.28.1"
},
"coreos-config-reloader": {
"version": "v0.84.0"
},
"coreos-dex": {
"version": "v2.41.1"
},
"coreos-fluentd": {
"version": "1.18.0"
},
"coreos-prometheus": {
"version": "v3.4.1"
},
"coreos-prometheus-operator": {
"version": "v0.84.0"
},
"csi": {
"version": "v3.22.1",
"image": "tigera/csi"
},
"csi-node-driver-registrar": {
"version": "v3.22.1",
"image": "tigera/node-driver-registrar"
},
"deep-packet-inspection": {
"version": "v3.22.1",
"image": "tigera/deep-packet-inspection"
},
"dex": {
"version": "v3.22.1",
"image": "tigera/dex"
},
"dikastes": {
"version": "v3.22.1",
"image": "tigera/dikastes"
},
"eck-elasticsearch": {
"version": "8.19.10"
},
"eck-elasticsearch-operator": {
"version": "2.16.1"
},
"eck-kibana": {
"version": "8.19.10"
},
"egress-gateway": {
"version": "v3.22.1",
"image": "tigera/egress-gateway"
},
"elastic-tsee-installer": {
"version": "v3.22.1",
"image": "tigera/intrusion-detection-job-installer"
},
"elasticsearch": {
"version": "v3.22.1",
"image": "tigera/elasticsearch"
},
"elasticsearch-metrics": {
"version": "v3.22.1",
"image": "tigera/elasticsearch-metrics"
},
"elasticsearch-operator": {
"version": "v3.22.1",
"image": "tigera/eck-operator"
},
"envoy": {
"version": "v3.22.1",
"image": "tigera/envoy"
},
"es-gateway": {
"version": "v3.22.1",
"image": "tigera/es-gateway"
},
"firewall-integration": {
"version": "v3.22.1",
"image": "tigera/firewall-integration"
},
"flexvol": {
"version": "v3.22.1",
"image": "tigera/pod2daemon-flexvol"
},
"fluentd": {
"version": "v3.22.1",
"image": "tigera/fluentd"
},
"fluentd-windows": {
"version": "v3.22.1",
"image": "tigera/fluentd-windows"
},
"gateway-api-envoy-gateway": {
"version": "v3.22.1",
"image": "tigera/envoy-gateway"
},
"gateway-api-envoy-proxy": {
"version": "v3.22.1",
"image": "tigera/envoy-proxy"
},
"gateway-api-envoy-ratelimit": {
"version": "v3.22.1",
"image": "tigera/envoy-ratelimit"
},
"guardian": {
"version": "v3.22.1",
"image": "tigera/guardian"
},
"ingress-collector": {
"version": "v3.22.1",
"image": "tigera/ingress-collector"
},
"intrusion-detection-controller": {
"version": "v3.22.1",
"image": "tigera/intrusion-detection-controller"
},
"key-cert-provisioner": {
"version": "v3.22.1",
"image": "tigera/key-cert-provisioner"
},
"kibana": {
"version": "v3.22.1",
"image": "tigera/kibana"
},
"l7-admission-controller": {
"version": "v3.22.1",
"image": "tigera/l7-admission-controller"
},
"l7-collector": {
"version": "v3.22.1",
"image": "tigera/l7-collector"
},
"license-agent": {
"version": "v3.22.1",
"image": "tigera/license-agent"
},
"linseed": {
"version": "v3.22.1",
"image": "tigera/linseed"
},
"packetcapture": {
"version": "v3.22.1",
"image": "tigera/packetcapture"
},
"policy-recommendation": {
"version": "v3.22.1",
"image": "tigera/policy-recommendation"
},
"prometheus": {
"version": "v3.22.1",
"image": "tigera/prometheus"
},
"prometheus-config-reloader": {
"version": "v3.22.1",
"image": "tigera/prometheus-config-reloader"
},
"prometheus-operator": {
"version": "v3.22.1",
"image": "tigera/prometheus-operator"
},
"tigera-cni": {
"version": "v3.22.1",
"image": "tigera/cni"
},
"tigera-cni-windows": {
"version": "v3.22.1",
"image": "tigera/cni-windows"
},
"tigera-prometheus-service": {
"version": "v3.22.1",
"image": "tigera/prometheus-service"
},
"typha": {
"version": "v3.22.1",
"image": "tigera/typha"
},
"ui-apis": {
"version": "v3.22.1",
"image": "tigera/ui-apis"
},
"voltron": {
"version": "v3.22.1",
"image": "tigera/voltron"
},
"waf-http-filter": {
"version": "v3.22.1",
"image": "tigera/waf-http-filter"
},
"webhooks-processor": {
"version": "v3.22.1",
"image": "tigera/webhooks-processor"
}
}
},
{
"title": "v3.22.0-3.0",
"tigera-operator": {
"version": "v1.40.4",
Expand Down
8 changes: 4 additions & 4 deletions calico-enterprise_versioned_docs/version-3.22-2/variables.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@ const releases = require('./releases.json');
const componentImage = require('../../src/components/utils/componentImage');

const variables = {
releaseTitle: 'v3.22.0-3.0',
releaseTitle: 'v3.22.1',
prodname: 'Calico Enterprise',
prodnamedash: 'calico-enterprise',
version: 'v3.22',
openSourceVersion: releases[0].calico.minor_version.slice(1),
baseUrl: '/calico-enterprise/3.22',
filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-3.0',
baseUrl: '/calico-enterprise/latest',
filesUrl: 'https://downloads.tigera.io/ee/v3.22.1',
rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5),
tutorialFilesURL: 'https://docs.tigera.io/files',
tmpScriptsURL: 'https://docs.tigera.io/calico-enterprise/3.22',
Expand All @@ -20,7 +20,7 @@ const variables = {
rootDirWindows: 'C:\\TigeraCalico',
registry: 'quay.io/',
envoyVersion: '1.5.0',
chart_version_name: 'v3.22.0-3.0-0',
chart_version_name: 'v3.22.1-0',
tigeraOperator: releases[0]['tigera-operator'],
dikastesVersion: releases[0].components.dikastes.version,
releases,
Expand Down
14 changes: 7 additions & 7 deletions docusaurus.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -435,22 +435,22 @@ export default async function createAsyncConfig() {
path: 'calico-enterprise',
routeBasePath: 'calico-enterprise',
editCurrentVersion: true,
onlyIncludeVersions: [...nextVersion, '3.22-2','3.21-2', '3.20-2', '3.19-2'],
lastVersion: '3.21-2',
onlyIncludeVersions: [...nextVersion, '3.22-2','3.21-2','3.20-2'],
lastVersion: '3.22-2',
versions: {
current: {
label: 'Next',
path: 'next',
banner: 'unreleased',
},
'3.22-2': {
label: '3.22 (early preview)',
path: '3.22',
banner: 'unreleased',
label: '3.22 (latest)',
path: 'latest',
banner: 'none',
},
'3.21-2': {
label: '3.21 (latest)',
path: 'latest',
label: '3.21',
path: '3.21',
banner: 'none',
},
'3.20-2': {
Expand Down
Loading
Loading