Update Calico operator to 1.21, updates CRDs, and roles

[haouc]

What type of PR is this?
This PR is for updating the calico operator to v1.21.

• update operator image tag to 1.21
• update CRDs accordingly
• update cluster roles

Which issue does this PR fix:
In order to avoid the known issue in earlier versions of Calico, we need update Calico to latest version to unblock users.

What does this PR do / Why do we need it:
The known issue blocks users.

If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:

Testing done on this change:

The manifests were templated by helm from charts/aws-calico. The manifests were applied to EKS 1.20 cluster and

NAMESPACE         NAME                                       READY   STATUS    RESTARTS   AGE
calico-system     calico-kube-controllers-7b785959dd-9bnqt   1/1     Running   0          9m19s
calico-system     calico-node-29pw9                          1/1     Running   0          9m19s
calico-system     calico-node-tv8nl                          1/1     Running   0          9m19s
calico-system     calico-typha-77d6d5d8d5-2vlbx              1/1     Running   0          9m19s
calico-system     calico-typha-77d6d5d8d5-llbt7              1/1     Running   0          9m18s
kube-system       aws-node-jkvgr                             1/1     Running   0          72d
kube-system       aws-node-xjgxl                             1/1     Running   0          72d
kube-system       coredns-574cb6ccd7-b58d4                   1/1     Running   0          68d
kube-system       coredns-574cb6ccd7-j7k5r                   1/1     Running   0          68d
kube-system       kube-proxy-f9kwb                           1/1     Running   0          14d
kube-system       kube-proxy-npvc7                           1/1     Running   0          14d
tigera-operator   tigera-operator-7765c5d66f-tqp7d           1/1     Running   3          11m

Updated operator's version to 1.20.1

% kap
NAMESPACE         NAME                                       READY   STATUS    RESTARTS   AGE
calico-system     calico-kube-controllers-5689468587-xhzrp   1/1     Running   0          12m
calico-system     calico-node-92bs9                          1/1     Running   0          12m
calico-system     calico-typha-85d4999f9c-ntvls              1/1     Running   0          12m
kube-system       aws-node-x8jrm                             1/1     Running   0          31m
kube-system       coredns-559b5db75d-j7jk2                   1/1     Running   0          52m
kube-system       coredns-559b5db75d-nrshb                   1/1     Running   0          52m
kube-system       kube-proxy-l5dst                           1/1     Running   0          31m
tigera-operator   tigera-operator-856b4c65b4-csdcd           1/1     Running   0          13m
zhuhz@3c22fb4b2616 amazon-vpc-cni-k8s % k get deploy tigera-operator -n tigera-operator -oyaml | grep image:
                f:image: {}
        image: quay.io/tigera/operator:v1.20.1

Automation added to e2e:

Will this break upgrades or downgrades. Has updating a running cluster been tested?:
on EKS 1.21, Calico operator 1.13.8

amazon-vpc-cni-k8s % kap                                                         
NAMESPACE         NAME                                       READY   STATUS    RESTARTS   AGE
calico-system     calico-kube-controllers-775d9c5554-bt2dg   1/1     Running   0          85s
calico-system     calico-node-6r4zf                          1/1     Running   0          86s
calico-system     calico-node-6wrjn                          1/1     Running   0          85s
calico-system     calico-typha-bbbb8fdc6-k5mr9               1/1     Running   0          86s
kube-system       aws-node-jkvgr                             1/1     Running   0          72d
kube-system       aws-node-xjgxl                             1/1     Running   0          72d
kube-system       coredns-574cb6ccd7-b58d4                   1/1     Running   0          68d
kube-system       coredns-574cb6ccd7-j7k5r                   1/1     Running   0          68d
kube-system       kube-proxy-f9kwb                           1/1     Running   0          14d
kube-system       kube-proxy-npvc7                           1/1     Running   0          14d
tigera-operator   tigera-operator-7fdc45bbbf-n7b58           1/1     Running   0          95s
amazon-vpc-cni-k8s % k get deploy -n tigera-operator   tigera-operator -oyaml | grep image:
                f:image: {}
        image: quay.io/tigera/operator:v1.13.8

updated to Calico operator 1.21

amazon-vpc-cni-k8s % kap
NAMESPACE         NAME                                       READY   STATUS    RESTARTS   AGE
calico-system     calico-kube-controllers-7b785959dd-wkhgw   1/1     Running   0          3m35s
calico-system     calico-node-829vx                          1/1     Running   0          3m35s
calico-system     calico-node-jv656                          1/1     Running   0          3m45s
calico-system     calico-typha-77787d7798-drtv6              1/1     Running   0          3m45s
calico-system     calico-typha-77787d7798-w45kg              1/1     Running   0          3m45s
kube-system       aws-node-jkvgr                             1/1     Running   0          72d
kube-system       aws-node-xjgxl                             1/1     Running   0          72d
kube-system       coredns-574cb6ccd7-b58d4                   1/1     Running   0          68d
kube-system       coredns-574cb6ccd7-j7k5r                   1/1     Running   0          68d
kube-system       kube-proxy-f9kwb                           1/1     Running   0          14d
kube-system       kube-proxy-npvc7                           1/1     Running   0          14d
tigera-operator   tigera-operator-7765c5d66f-dbwpq           1/1     Running   0          4m5s
zhuhz@3c22fb4b2616 amazon-vpc-cni-k8s % k get -n tigera-operator   tigera-operator-7fdc45bbbf-n7b58 -oyaml | grep image:
error: the server doesn't have a resource type "tigera-operator-7fdc45bbbf-n7b58"
zhuhz@3c22fb4b2616 amazon-vpc-cni-k8s % k get deploy -n tigera-operator   tigera-operator -oyaml | grep image:          
                f:image: {}
        image: quay.io/tigera/operator:v1.21.0

Does this change require updates to the CNI daemonset config files to work?:

no
Does this PR introduce any user-facing change?:

no

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jayanthvn]

/cc @tmjd

[tmjd]

@haouc could you include what you used as the source for these changes? did you base them off github.com/projectcalico/calico release-v3.20 branch, master branch, the v3.20.0 tag, or something else?

[haouc]

Hey @tmjd
Sure. I am using https://github.com/projectcalico/calico and based off tag: v3.20.0. Thanks.

calico % git log
commit e9a2c0d394da952e401aab707b8a200a2abe7da8 (HEAD -> release-v3.20.0, tag: v3.20.0)
Author: Casey Davenport <davenport.cas@gmail.com>
Date:   Fri Jul 30 13:33:32 2021 -0700

    Updates for v3.20.0

commit daa0dec3513d022b8e4e73b4b68aaa1af866eef6
Merge: cb0bfd4d be9ce37f
Author: marvin-tigera <marvin-tigera@users.noreply.github.com>
Date:   Thu Jul 29 13:56:45 2021 -0700

    Merge pull request #4793 from coutinhop/pedro-calicoctl-clusterinfo-rbac-3.20
    
    Add clusterinformations 'get' permissions to operator for openshift

[haouc]

@tmjd Can you take a look at the PR? please let me know if you need any other information. Thanks.

[tmjd]

The changes are looking like what I would expect, though I haven't compared them exactly, all the changes look like what I would reasonably expect.
Sorry for the delay on reviewing this PR. I was waiting on reviewing because I wanted to suggest that you use the v1.20 operator release instead of v1.21 because that is what was tested with the Calico v3.20 release. But because I believe there is a bug in v1.20.0 with AWS CNI I was trying to wait until the v1.20.1 patch release was available which addresses the bug and I believe will be available soon.

[tmjd]

I think you should update this list to match what is in the release-v3.20 branch https://github.com/projectcalico/calico/blob/75797b545f786f6955387d1ce51fd8de69f7500e/_includes/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml#L102
You should make do this in the order: create, patch, list, get, watch
That way future updates will hopefully not show any changes.

[haouc]

@tmjd I have updated the PR. The operator is using 1.20.1 now. Could you take a look? Thanks.

[tmjd]

LGTM

[jayanthvn]

lgtm, but please make sure charts version is upgraded.

[jayanthvn]

Looks good...Thanks.