Update Felix configuration data OSS CE#2514
Merged
ctauchen merged 2 commits intotigera:mainfrom Feb 5, 2026
Merged
Conversation
✅ Deploy Preview succeeded!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the Felix configuration data for Calico Open Source (OSS) and Calico Enterprise (CE) products. The changes add new configuration parameters, update existing parameter descriptions and defaults, and remove deprecated configuration options.
Changes:
- Added new Prometheus metrics TLS configuration parameters (CA file, cert file, key file, client auth) to Calico OSS
- Added new BPF Maglev configuration parameters for service load balancing to both OSS and CE
- Changed NFTablesMode default from "Disabled" to "Auto" in both OSS and CE
- Changed BPFRedirectToPeer default from "L2Only" to "Enabled" with updated deprecation notes in OSS
- Removed deprecated configuration parameters (IptablesLockFilePath, IptablesLockTimeout, BPFKubeProxyEndpointSlicesEnabled)
- Added new Istio ambient mode configuration parameters to CE
- Added new policy activity logs file configuration parameters to CE
- Added new log action rate limit configuration parameters to CE
- Updated various parameter descriptions and schemas for clarity
- Fixed trailing newlines in versioned CE documentation files
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| calico/_includes/components/FelixConfig/config-params.json | Adds TLS configuration for Prometheus metrics, BPF Maglev parameters, updates defaults for nftables and BPF redirect, removes deprecated iptables lock parameters |
| calico-enterprise/_includes/components/FelixConfig/config-params.json | Adds logging rate limits, Istio ambient mode, policy activity logs configuration, BPF Maglev parameters, updates defaults and descriptions, removes deprecated parameters |
| calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json | Fixes trailing newline formatting |
| calico-enterprise_versioned_docs/version-3.22-2/_includes/components/FelixConfig/config-params.json | Fixes trailing newline formatting |
| calico-enterprise_versioned_docs/version-3.21-2/_includes/components/FelixConfig/config-params.json | Fixes trailing newline formatting |
| ], | ||
| "YAMLSchemaHTML": "One of: <code>\"Auto\"</code>, <code>\"Disabled\"</code>, <code>\"Enabled\"</code>.", | ||
| "YAMLDefault": "Disabled", | ||
| "YAMLDefault": "Auto", |
There was a problem hiding this comment.
The YAMLDefault field shows "Auto" (capitalized), but the ParsedDefaultJSON shows ""Auto"" (with quotes and capitalized). However, at line 2353, there's an inconsistency where the YAMLDefault is shown as "auto" (lowercase) for the IptablesBackend configuration. These should be consistent in their casing throughout the configuration file.
Suggested change
| "YAMLDefault": "Auto", | |
| "YAMLDefault": "\"Auto\"", |
Comment on lines
+2906
to
+2909
| "Auto", | ||
| "Legacy", | ||
| "Legacy", | ||
| "NFT", |
There was a problem hiding this comment.
The YAMLEnumValues array contains duplicate entries: "Auto" appears twice (lines 2348 and 2906), "Legacy" appears twice (lines 2349 and 2907), and "NFT" appears twice (lines 2350 and 2909). This is clearly a data error in the JSON structure.
Suggested change
| "Auto", | |
| "Legacy", | |
| "Legacy", | |
| "NFT", | |
| "Legacy", |
Comment on lines
+1928
to
+1929
| "Disabled", | ||
| "Enabled" |
There was a problem hiding this comment.
The YAMLEnumValues field shows mixed formats: some entries are plain strings like "Disabled" and "Enabled" (lines 1928-1929), while in other places in the file they use backtick-quoted format like "\"Disabled\"" and "\"Enabled\"". This inconsistency should be resolved for uniformity across the configuration file.
Suggested change
| "Disabled", | |
| "Enabled" | |
| "`\"Disabled\"`", | |
| "`\"Enabled\"`" |
Comment on lines
+3920
to
+3930
| "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.", | ||
| "YAMLEnumValues": [ | ||
| "`\"Disabled\"`", | ||
| "`\"Enabled\"`", | ||
| "`\"L2Only\"`" | ||
| "`\"Enabled\"`" | ||
| ], | ||
| "YAMLSchemaHTML": "One of: <code>\"Disabled\"</code>, <code>\"Enabled\"</code>, <code>\"L2Only\"</code>.", | ||
| "YAMLDefault": "L2Only", | ||
| "YAMLSchemaHTML": "One of: <code>\"Disabled\"</code>, <code>\"Enabled\"</code>.", | ||
| "YAMLDefault": "Enabled", | ||
| "Required": true, | ||
| "OnParseFailure": "ReplaceWithDefault", | ||
| "AllowedConfigSources": "All", | ||
| "Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.", | ||
| "DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>", | ||
| "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled.\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.", |
There was a problem hiding this comment.
The description states that the legacy "L2Only" option is deprecated and treated like "Enabled", but the StringSchema and YAMLEnumValues still list only "Disabled" and "Enabled" (not "L2Only"). If "L2Only" is still accepted for backward compatibility, it should be included in the schema enumeration. If it's truly removed, the description should clarify that it's no longer accepted.
Comment on lines
+3930
to
+3931
| "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled.\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.", | ||
| "DescriptionHTML": "<p>Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled.\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.</p>", |
There was a problem hiding this comment.
There's a missing closing quotation mark in the description. The text reads 'Note that the legacy "L2Only" option is now deprecated and if set it is treated like "Enabled.' - this should end with a closing quotation mark after "Enabled".
Suggested change
| "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled.\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.", | |
| "DescriptionHTML": "<p>Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled.\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.</p>", | |
| "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.", | |
| "DescriptionHTML": "<p>Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.</p>", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Product Version(s):
Issue:
Link to docs preview:
SME review:
DOCS review:
Additional information:
Merge checklist: