Add support for k8s datastore, allow access to new calico resources

Also move files related changes to Dockerfiles, change bootstrap command in order to avoid duplicated pod log entries, updated k8s resources API versions to be compatible with k8s 1.16, change rootwrap filters so that 'get' command would allow querying details about individual resources, switch to python3 Change-Id: I35fe104064b070b510ee2f1b5a4d3c709f1ab94c
2019-11-05 17:01:29 -06:00 · 2019-11-05 17:01:29 -06:00 · b6392c5069
commit b6392c5069
parent 9a3d182d22
15 changed files with 167 additions and 94 deletions
--- a/charts/calicoctl-utility/templates/_functions.tpl
+++ b/charts/calicoctl-utility/templates/_functions.tpl
@ -0,0 +1,24 @@
 {{/*
 Copyright 2019 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{- define "calico.etcd.tls" -}}
 {{- if or (or .Values.endpoints.etcd.auth.client.tls.crt .Values.endpoints.etcd.auth.client.tls.ca) .Values.endpoints.etcd.auth.client.tls.key -}}
 {{- $_ := required "Must specify all or none of etcd_crt, etcd_ca, etcd_key" .Values.endpoints.etcd.auth.client.tls.crt -}}
 {{- $_ := required "Must specify all or none of etcd_crt, etcd_ca, etcd_key" .Values.endpoints.etcd.auth.client.tls.ca -}}
 {{- $_ := required "Must specify all or none of etcd_crt, etcd_ca, etcd_key" .Values.endpoints.etcd.auth.client.tls.key -}}
 true
 {{- end -}}
 {{- end -}}
--- a/charts/calicoctl-utility/templates/bin/_bootstrap.sh.tpl
+++ b/charts/calicoctl-utility/templates/bin/_bootstrap.sh.tpl
@ -15,5 +15,4 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-sudo /tmp/override-oslo-rootwrap-logging.sh
+exec sudo socat -d -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout
 exec sudo socat -d -v -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout
--- a/charts/calicoctl-utility/templates/bin/_calicoctl-utility-rootwrap.tpl
+++ b/charts/calicoctl-utility/templates/bin/_calicoctl-utility-rootwrap.tpl
@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 {{/*
 Copyright 2019 The Openstack-Helm Authors.
@ -41,7 +41,7 @@ except IOError:
    exit()
 formatter = logging.Formatter('%(asctime)s ' + host_name + ' ' +
-    os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s')
+    os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s\n')
 handler.setFormatter(formatter)
 root = logging.getLogger()
 root.setLevel(log_level)
--- a/charts/calicoctl-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl
+++ b/charts/calicoctl-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl
@ -1,26 +0,0 @@
 #!/bin/sh
 {{/*
 Copyright 2019 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{/*
 These lines will disable extra handler, extra formatter, extra level to the
 root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
 These lines will get rid of duplicate logs, generated because of the formatter
 attached by oslo-rootwrap.
 */}}
 sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
 sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
 sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
 sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
--- a/charts/calicoctl-utility/templates/bin/_utilscli-sudo.tpl
+++ b/charts/calicoctl-utility/templates/bin/_utilscli-sudo.tpl
@ -14,8 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-nobody ALL=SETENV: NOPASSWD: /tmp/override-oslo-rootwrap-logging.sh, \
+nobody ALL=SETENV: NOPASSWD: /usr/bin/socat -d -s -t0 -T0 -u \
  /usr/bin/socat -d -v -s -t0 -T0 -u \
  UNIX-RECV\:/dev/log\,reuseaddr stdout, \
  /usr/local/bin/calicoctl-utility-rootwrap /etc/calicoctl/rootwrap.conf *, \
  /usr/local/bin/calicoctl version
--- a/charts/calicoctl-utility/templates/bin/_version_check.sh.tpl
+++ b/charts/calicoctl-utility/templates/bin/_version_check.sh.tpl
@ -36,4 +36,4 @@ function check_version() {
  fi
 }
-sudo calicoctl version | check_version
+utilscli calicoctl version | check_version
--- a/charts/calicoctl-utility/templates/configmap-bin.yaml
+++ b/charts/calicoctl-utility/templates/configmap-bin.yaml
@ -25,9 +25,6 @@ data:
  image-repo-sync.sh: |
 {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
  override-oslo-rootwrap-logging.sh: |
 {{ tuple "bin/_override-oslo-rootwrap-logging.sh.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
  calicoctl-utility-rootwrap: |
 {{ tuple "bin/_calicoctl-utility-rootwrap.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
--- a/charts/calicoctl-utility/templates/configmap-etc.yaml
+++ b/charts/calicoctl-utility/templates/configmap-etc.yaml
@ -33,11 +33,15 @@ data:
    kind: CalicoAPIConfig
    metadata:
    spec:
-      datastoreType: "etcdv3"
+      datastoreType: {{ .Values.datastore }}
 {{- if eq .Values.datastore "etcdv3" }}
      etcdEndpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
 {{- if include "calico.etcd.tls" . }}
      etcdCertFile: {{ .Values.endpoints.etcd.auth.client.path.crt }}
      etcdCACertFile: {{ .Values.endpoints.etcd.auth.client.path.ca }}
      etcdKeyFile: {{ .Values.endpoints.etcd.auth.client.path.key }}
 {{- end }}
 {{- end }}
 ---
 apiVersion: v1
--- a/charts/calicoctl-utility/templates/deployment-calicoctl-utility.yaml
+++ b/charts/calicoctl-utility/templates/deployment-calicoctl-utility.yaml
@ -20,7 +20,7 @@ limitations under the License.
 {{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
 {{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ $serviceAccountName }}
@ -34,7 +34,7 @@ subjects:
  namespace: {{ .Release.Namespace }}
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ $serviceAccountName }}
 rules:
@ -43,18 +43,49 @@ rules:
      - namespaces
      - nodes
      - pods
      - pods/status
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
      - get
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - clusterinformations
      - licensekeys
      - felixconfigurations
      - globalthreatfeeds
      - globalnetworkpolicies
      - globalnetworksets
      - networksets
      - remoteclusterconfigurations
      - ippools
      - networkpolicies
      - tiers
      - profiles
      - clusterinformations
      - hostendpoints
      - ipamblocks
      - blockaffinities
      - ipamhandles
    verbs:
      - get
      - list
@ -98,7 +129,7 @@ spec:
              {{- if .Values.conf.utility.match_versions }}
                - /usr/local/bin/version_check.sh
              {{- else }}
-                - sudo
+                - utilscli
                - calicoctl
                - version
              {{- end }}
@ -107,12 +138,13 @@ spec:
          livenessProbe:
            exec:
              command:
-                - sudo
+                - utilscli
                - calicoctl
                - version
            initialDelaySeconds: 5
            periodSeconds: 15
          volumeMounts:
 {{- if and .Values.manifests.secret_certificates (include "calico.etcd.tls" .) }}
            - name: calico-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
              subPath: tls.ca
@ -125,6 +157,7 @@ spec:
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
              subPath: tls.key
              readOnly: true
 {{- end }}
            - name: calicoctl-utility-bin-utilscli
              mountPath: /usr/local/bin/version_check.sh
              subPath: version_check.sh
@ -141,10 +174,6 @@ spec:
              mountPath: /usr/local/bin/calicoctl-utility-rootwrap
              subPath: calicoctl-utility-rootwrap
              readOnly: true
            - name: calicoctl-utility-bin
              mountPath: /tmp/override-oslo-rootwrap-logging.sh
              subPath: override-oslo-rootwrap-logging.sh
              readOnly: true
            - name: calicoctl-utility-sudoers
              mountPath: /etc/sudoers.d/nobody
              subPath: utilscli-sudo
@ -178,8 +207,10 @@ spec:
          configMap:
            name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
            defaultMode: 0400
 {{- if .Values.manifests.secret_certificates }}
        - name: calico-etcd-secrets
          secret:
            secretName: calico-etcd-secrets
            defaultMode: 0400
 {{- end }}
 {{- end }}
--- a/charts/calicoctl-utility/templates/secret-etcd-certificates.yaml
+++ b/charts/calicoctl-utility/templates/secret-etcd-certificates.yaml
@ -17,14 +17,15 @@ limitations under the License.
 {{- if .Values.manifests.secret_certificates }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
 metadata:
  name: calico-etcd-secrets
 data:
 {{- if include "calico.etcd.tls" . }}
  tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
  tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
  tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
 {{- end }}
 {{- end }}
--- a/charts/calicoctl-utility/values.yaml
+++ b/charts/calicoctl-utility/values.yaml
@ -82,6 +82,10 @@ dependencies:
        - endpoint: internal
          service: calico-etcd
 # which data store is used by calico
 # allowed values are: 'kubernetes' or 'etcdv3'
 datastore: kubernetes
 endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
@ -132,38 +136,58 @@ conf:
      # Below are example command filters. access can be restricted by creating a user with less privileges
      # calicoctl_00: CommandFilter, calicoctl, root
      # Below are examples of RegExpFilter. This will restrict available calicoctl options even with admin user
-      calicoctl_help_00: RegExpFilter, calicoctl, root, calicoctl, -h
+      calicoctl_help_000: RegExpFilter, calicoctl, root, calicoctl, -h
-      calicoctl_help_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, -h
+      calicoctl_help_010: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, -h
-      calicoctl_get_01: RegExpFilter, calicoctl, root, calicoctl, get, .*
+      calicoctl_get_010: RegExpFilter, calicoctl, root, calicoctl, get, .*
-      calicoctl_get_03: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*
+      calicoctl_get_020: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*
-      calicoctl_get_04: RegExpFilter, calicoctl, root, calicoctl, get, .*, --export
+      calicoctl_get_030: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*
-      calicoctl_get_05: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, --export
+      calicoctl_get_040: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*
-      calicoctl_get_06: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
+      calicoctl_get_050: RegExpFilter, calicoctl, root, calicoctl, get, .*, --export
-      calicoctl_get_07: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
+      calicoctl_get_060: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, --export
-      calicoctl_get_08: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
+      calicoctl_get_070: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, --export
-      calicoctl_get_09: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
+      calicoctl_get_080: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, --export
-      calicoctl_get_10: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*
+      calicoctl_get_090: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
-      calicoctl_get_11: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*
+      calicoctl_get_100: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*
-      calicoctl_get_12: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --export
+      calicoctl_get_110: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*
-      calicoctl_get_13: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --export
+      calicoctl_get_120: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*
-      calicoctl_get_14: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
+      calicoctl_get_130: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
-      calicoctl_get_15: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
+      calicoctl_get_140: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
-      calicoctl_get_16: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
+      calicoctl_get_150: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
-      calicoctl_get_17: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
+      calicoctl_get_160: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename|-o|--output|-n|--namespace, .*, --export
-      calicoctl_get_18: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
+      calicoctl_get_170: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*
-      calicoctl_get_19: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
+      calicoctl_get_180: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*
-      calicoctl_get_20: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
+      calicoctl_get_190: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*
-      calicoctl_get_21: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
+      calicoctl_get_200: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*
      calicoctl_get_210: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_220: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_230: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_240: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, --export
      calicoctl_get_250: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_260: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_270: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_280: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*
      calicoctl_get_290: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_300: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_310: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_320: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, -n|--namespace, .*, --export
      calicoctl_get_330: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_340: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_350: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_360: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces
      calicoctl_get_370: RegExpFilter, calicoctl, root, calicoctl, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
      calicoctl_get_380: RegExpFilter, calicoctl, root, calicoctl, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
      calicoctl_get_390: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
      calicoctl_get_400: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, get, .*, .*, -f|--filename, .*, -o|--output .*, --all-namespaces, --export
-      calicoctl_convert_00: RegExpFilter, calicoctl, root, calicoctl, convert, -h
+      calicoctl_convert_000: RegExpFilter, calicoctl, root, calicoctl, convert, -h
-      calicoctl_convert_01: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*
+      calicoctl_convert_010: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*
-      calicoctl_convert_02: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*
+      calicoctl_convert_020: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*
-      calicoctl_convert_03: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*, --ignore-validation
+      calicoctl_convert_030: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename|-o|--output, .*, --ignore-validation
-      calicoctl_convert_04: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*, --ignore-validation
+      calicoctl_convert_040: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename|-o|--output, .*, --ignore-validation
-      calicoctl_convert_05: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*
+      calicoctl_convert_050: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*
-      calicoctl_convert_06: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*
+      calicoctl_convert_060: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*
-      calicoctl_convert_07: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
+      calicoctl_convert_070: RegExpFilter, calicoctl, root, calicoctl, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
-      calicoctl_convert_08: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
+      calicoctl_convert_080: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, convert, -f|--filename, .*, -o|--output, .*, --ignore-validation
      calicoctl_ipam_00: RegExpFilter, calicoctl, root, calicoctl, ipam, show, --ip=.*
      calicoctl_ipam_01: RegExpFilter, calicoctl, root, calicoctl, -l, (?i)panic|fatal|error|warn|info|debug, ipam, show, --ip=.*
@ -207,4 +231,4 @@ manifests:
  configmap_etc_client: true
  deployment_calicoctl_utility: true
  job_image_repo_sync: false
-  secret_certificates: true
+  secret_certificates: false
--- a/images/calicoctl-utility/Dockerfile.alpine
+++ b/images/calicoctl-utility/Dockerfile.alpine
@ -21,10 +21,16 @@ RUN export DEBIAN_FRONTEND=noninteractive \
    && touch /var/lib/dpkg/status \
    && apk update \
    && apk add --update \
-       python python-dev py-pip build-base \
+       python3 python3-dev py3-pip build-base \
-       sudo screen rsyslog \
+       sudo screen \
       wget curl socat \
-    && pip install oslo.rootwrap
+    && pip3 install oslo.rootwrap
 RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \
    && sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
    && sed -i "/handler.setFormatter/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
    && sed -i "/os.path.basename/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
    && sed -i "/rootwrap_logger.addHandler/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py
 RUN mv /calicoctl /usr/local/bin/calicoctl \
    && chmod 0754 /usr/local/bin/calicoctl \
--- a/images/calicoctl-utility/Dockerfile.ubuntu_xenial
+++ b/images/calicoctl-utility/Dockerfile.ubuntu_xenial
@ -24,15 +24,19 @@ RUN set -xe \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
         bash \
         locales \
         moreutils \
         sudo \
         rsyslog \
         python-oslo.rootwrap \
         python3-oslo.rootwrap \
         socat \
    && apt-get clean -y \
    && rm -rf /var/lib/apt/lists/*
 RUN  sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py \
    && sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py \
    && sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py \
    && sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py
 COPY --from=stage_calicoctl /calicoctl /usr/local/bin/calicoctl
 RUN set -xe \
--- a/images/calicoctl-utility/Dockerfile_calicoq_calicoctl.alpine
+++ b/images/calicoctl-utility/Dockerfile_calicoq_calicoctl.alpine
@ -1,11 +1,11 @@
 ARG DOCKER_REGISTRY=quay.io
 ARG CALICOQ_IMAGE_PREFIX=tigera/calicoq
-ARG CALICOQ_VERSION=v2.3.1
+ARG CALICOQ_VERSION=v2.5.1
 ARG CALICOQ_IMAGE="${DOCKER_REGISTRY}/${CALICOQ_IMAGE_PREFIX}:${CALICOQ_VERSION}"
 ARG CALICOCTL_IMAGE_PREFIX=tigera/calicoctl
-ARG CALICOCTL_VERSION=v2.3.1
+ARG CALICOCTL_VERSION=v2.5.1
 ARG CALICOCTL_IMAGE="${DOCKER_REGISTRY}/${CALICOCTL_IMAGE_PREFIX}:${CALICOCTL_VERSION}"
@ -13,8 +13,8 @@ FROM ${CALICOQ_IMAGE} AS stage_calicoq
 FROM ${CALICOCTL_IMAGE}
-ARG CALICOQ_VERSION=v2.3.1
+ARG CALICOQ_VERSION=v2.5.1
-ARG CALICOCTL_VERSION=v2.3.1
+ARG CALICOCTL_VERSION=v2.5.1
 LABEL org.opencontainers.image.authors='Openstack-Helm Authors' \
    org.opencontainers.image.url='https://opendev.org/airship/porthole/src/branch/master/Dockerfiles/calicoctl-utility' \
@ -32,10 +32,16 @@ RUN set -xe \
    && touch /var/lib/dpkg/status \
    && apk update \
    && apk add --update \
-       python python-dev py-pip build-base \
+       python3 python3-dev py3-pip build-base \
-       sudo vim screen rsyslog \
+       sudo screen \
       wget curl socat \
-    && pip install oslo.rootwrap
+    && pip3 install oslo.rootwrap
 RUN PYTHON_LOCATION=$(pip3 show oslo.rootwrap|grep Location|awk '{print $2}') \
    && sed -i "/rootwrap_logger.setLevel/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
    && sed -i "/handler.setFormatter/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
    && sed -i "/os.path.basename/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py \
    && sed -i "/rootwrap_logger.addHandler/s/.*/#&/" $PYTHON_LOCATION/oslo_rootwrap/wrapper.py
 COPY --from=stage_calicoq /calicoq /usr/local/bin/calicoq
--- a/images/calicoctl-utility/Dockerfile_calicoq_calicoctl.ubuntu_xenial
+++ b/images/calicoctl-utility/Dockerfile_calicoq_calicoctl.ubuntu_xenial
@ -1,10 +1,10 @@
 ARG FROM=docker.io/ubuntu:xenial
 ARG DOCKER_REGISTRY=quay.io
 ARG CALICOCTL_IMAGE_PREFIX=tigera/calicoctl
-ARG CALICOCTL_VERSION=v2.3.1
+ARG CALICOCTL_VERSION=v2.5.1
 ARG CALICOCTL_IMAGE="${DOCKER_REGISTRY}/${CALICOCTL_IMAGE_PREFIX}:${CALICOCTL_VERSION}"
 ARG CALICOQ_IMAGE_PREFIX=tigera/calicoq
-ARG CALICOQ_VERSION=v2.3.1
+ARG CALICOQ_VERSION=v2.5.1
 ARG CALICOQ_IMAGE="${DOCKER_REGISTRY}/${CALICOQ_IMAGE_PREFIX}:${CALICOQ_VERSION}"
 FROM ${CALICOCTL_IMAGE} as stage_calicoctl
@ -30,15 +30,19 @@ RUN set -xe \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
         bash \
         locales \
         moreutils \
         sudo \
         rsyslog \
         python-oslo.rootwrap \
         python3-oslo.rootwrap \
         socat \
    && apt-get clean -y \
    && rm -rf /var/lib/apt/lists/*
 RUN  sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py \
    && sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py \
    && sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py \
    && sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python3/dist-packages/oslo_rootwrap/wrapper.py
 COPY --from=stage_calicoctl /calicoctl /usr/local/bin/calicoctl
 COPY --from=stage_calicoq /calicoq /usr/local/bin/calicoq