Mirror Calico OSS 3.32 features into CE next and CC next #2750
Open
ctauchen wants to merge 8 commits into
Calico OSS 3.32 adds Kubernetes 1.36 support; mirror the version bump into CE next and CC next compatibility/system-requirements pages.
Note: CE 3.23 EP2 test matrix per Confluence is K8s 1.33-1.35; this change reflects upstream Calico support rather than the EP2 test matrix.
Upstream: calico/calico OSS 3.32 release notes
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Mirror the OSS 3.32 selector-scoped FelixConfiguration support into CE next and CC next reference docs. Adds a "Selector-scoped configuration" section covering the example, precedence rules, overlapping-selector behavior, and restrictions.
Upstream: calico/calico#11977, calico/calico#12497
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CE next already documents the validating admission webhook that enforces tier-based RBAC on (Global)NetworkPolicy and staged-policy CRUD when using native v3 CRDs. Mirror the same wording into CC next so both products describe the admission-webhook enforcement and its known read-side limitation (GET/LIST/WATCH not enforced). The link to ../../operations/native-v3-crds.mdx in CC is added in a later commit in this PR.
Upstream: calico/calico#11803
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…iteria and route ops
Mirror the OSS 3.32 BGPFilter additions into CC next reference docs to match CE. Adds peerType / priority / communities match criteria and the operations list (addCommunity / prependASPath / setPriority) on both v4 and v6 rule schemas. Adds the new sub-resource sections (Community Match, Operation, AddCommunity, PrependASPath, SetPriority) and the previously missing Prefix Length section that the v4/v6 rules already linked to. Also corrects a typo where the v4 rule cidr field described an IPv6 range. CE was already at this content level (came in via tigera#2612); no CE change in this commit.
Upstream: calico/calico#12002
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Mirror the OSS 3.32 tier rename into CE next and CC next:
- Rename network-policy/policy-tiers/allow-tigera.mdx -> calico-system.mdx in both products
- Replace 'allow-tigera' -> 'calico-system' throughout the page body, the tiered-policy / network-policy index / configure-http-proxy / recommended-metrics / operations/disconnect cross-references, and the sidebar entries
- Add 301 redirects from /allow-tigera -> /calico-system for the next trees in static/_redirects

Versioned trees (calico-enterprise_versioned_docs, calico-cloud_versioned_docs) are intentionally left untouched.
Note on applicability: the OSS rename is operator-driven (release notes say it only requires manual policy updates 'If your Calico installation does not use the Tigera Operator, or if you have created custom Network Policies within this Tier'). CE/CC always run the Tigera Operator, so the operator should rename the tier automatically. Confirming with @radixo in the PR thread before merge.
Upstream: calico/calico#11842
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Port the CE next KubeVirt pages (index, kubevirt-networking, live-migration-bgp) to CC next under calico-cloud/networking/kubevirt/ and wire them into sidebars-calico-cloud.js mirroring the CE position.
CC adjustments versus CE:
- Frontmatter / H1 product name swapped to Calico Cloud
- Drop the calicoctl install reference in the prerequisites (CC does not surface calicoctl) and replace 'Or using calicoctl' with the kubectl patch path only
- All other cross-references kept identical; verified they resolve in calico-cloud/ (bgpconfig, bgppeer, bgpfilter, bgp, bgp-to-workload, ipamconfig, felixconfig, ippool, host-endpoints/overview, host-endpoints/failsafe, installation/api, reference/architecture/design/l3-interconnect-fabric)

The OSS 3.32 release notes credit calico/calico#12038 to @nelljerram, but @nelljerram's KubeVirt-adjacent work is OpenStack (out of scope). The substantive KubeVirt live-migration enablement was @song-jiang's BGPFilter route-priority propagation (#12002) and persistent IPAM (#11865). Verification ping for this commit goes to @song-jiang.
Upstream: calico/calico#12002, calico/calico#11865
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Port the CE next operations/native-v3-crds.mdx and operations/crd-migration.mdx pages to CC next and wire them into sidebars-calico-cloud.js mirroring the CE position (after the eBPF group, before component-logs). The only edits versus CE are the frontmatter description product-name swaps. The body uses $[prodname] substitution so it renders correctly in CC; helm chart / manifest URLs use $[manifestsUrl] and $[releaseTitle] which are CC-product-aware.
Open question for @caseydavenport: Calico Cloud is a SaaS control plane that manages CRDs server-side, so it is unclear how much of the native v3 CRDs install / migration flow applies cleanly to CC-connected clusters. Verification ping on this commit asks whether this content belongs in CC as written, needs a SaaS-specific caveat, or should be dropped entirely.
Upstream: calico/calico#10447
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Replace the AdminNetworkPolicy / BaselineAdminNetworkPolicy tier sections in CE next and CC next tiered-policy.mdx with the new ClusterNetworkPolicy story from OSS 3.32:
- kube-admin tier (auto-created, order 1,000) holds ClusterNetworkPolicy resources with spec.tier: Admin. Sample YAML included.
- kube-baseline tier (auto-created, order 10,000,000) holds ClusterNetworkPolicy resources with spec.tier: Baseline. Sample YAML included.
- Each section ends with a deprecation note pointing users from the old adminnetworkpolicy / baselineadminnetworkpolicy tier names to the new kube-admin / kube-baseline tier names, and noting that the upstream AdminNetworkPolicy / BaselineAdminNetworkPolicy resources are no longer enforced and must be migrated to ClusterNetworkPolicy before upgrade.

This mirrors the OSS 3.32 tiered-policy.mdx content verbatim (s/Calico Open Source/$[prodname]/) so the three product lines stay in sync on the new policy API.
Note for @mazdakn: ClusterNetworkPolicy support landed in OSS via calico/calico#10810 (and named-ports support via calico/calico#12227); ANP/BANP removal is calico/calico#11144. Verification ping asks whether the wording above is accurate for CE / CC enforcement of the new resource (e.g., whether managed-platform constraints apply).
Upstream: calico/calico#10810, calico/calico#11144, calico/calico#12227
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for calico-docs-preview-next ready!
✅ Deploy Preview succeeded! Built without sensitive environment variables
Pull request overview
This PR mirrors selected Calico OSS 3.32 documentation updates into Calico Enterprise Next and Calico Cloud Next, covering new resource fields, policy tier naming, Kubernetes version support, native v3 CRD docs, and KubeVirt/BGP guidance.
Changes:
- Renames `allow-tigera` documentation references to `calico-system` and updates navigation/redirects.
- Adds or updates reference content for FelixConfiguration `nodeSelector`, BGPFilter fields, native v3 CRDs, and CRD migration.
- Adds Calico Cloud KubeVirt networking and live-migration BGP documentation.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| static/_redirects | Adds redirects for renamed policy tier pages. |
| sidebars-calico-enterprise.js | Updates CE sidebar to point at calico-system. |
| sidebars-calico-cloud.js | Updates CC sidebar and adds KubeVirt/native CRD pages. |
| calico-enterprise/reference/resources/felixconfig.mdx | Documents selector-scoped FelixConfiguration. |
| calico-enterprise/operations/monitor/metrics/recommended-metrics.mdx | Updates metric examples for calico-system. |
| calico-enterprise/network-policy/policy-tiers/tiered-policy.mdx | Updates tier docs for Kubernetes ClusterNetworkPolicy and calico-system. |
| calico-enterprise/network-policy/policy-tiers/calico-system.mdx | Adds renamed CE system tier page. |
| calico-enterprise/network-policy/policy-tiers/allow-tigera.mdx | Removes old CE tier page. |
| calico-enterprise/network-policy/index.mdx | Updates CE doc card link. |
| calico-enterprise/getting-started/compatibility.mdx | Adds Kubernetes 1.36 support for CE 3.23. |
| calico-enterprise/compliance/configure-http-proxy.mdx | Updates tier reference to calico-system. |
| calico-cloud/reference/resources/felixconfig.mdx | Documents selector-scoped FelixConfiguration. |
| calico-cloud/reference/resources/bgpfilter.mdx | Adds new BGPFilter match criteria and operations. |
| calico-cloud/operations/native-v3-crds.mdx | Adds Cloud native v3 CRD installation guidance. |
| calico-cloud/operations/monitor/metrics/recommended-metrics.mdx | Updates metric examples for calico-system. |
| calico-cloud/operations/disconnect.mdx | Updates tier exception name. |
| calico-cloud/operations/crd-migration.mdx | Adds Cloud CRD migration guidance. |
| calico-cloud/networking/kubevirt/live-migration-bgp.mdx | Adds BGP guidance for KubeVirt live migration. |
| calico-cloud/networking/kubevirt/kubevirt-networking.mdx | Adds KubeVirt networking guidance. |
| calico-cloud/networking/kubevirt/index.mdx | Adds KubeVirt section index page. |
| calico-cloud/network-policy/policy-tiers/tiered-policy.mdx | Updates tier docs for ClusterNetworkPolicy and calico-system. |
| calico-cloud/network-policy/policy-tiers/rbac-tiered-policies.mdx | Adds native v3 CRD RBAC limitation note. |
| calico-cloud/network-policy/policy-tiers/calico-system.mdx | Adds renamed Cloud system tier page. |
| calico-cloud/network-policy/policy-tiers/allow-tigera.mdx | Removes old Cloud tier page. |
| calico-cloud/network-policy/index.mdx | Updates Cloud doc card link. |
| calico-cloud/get-started/system-requirements.mdx | Adds Kubernetes 1.35 and 1.36. |
| calico-cloud/compliance/configure-http-proxy.mdx | Updates tier reference to calico-system. |
|
|
||
| # OSS 3.32 renamed the allow-tigera tier to calico-system. Redirect the old doc paths. | ||
| /calico-enterprise/next/network-policy/policy-tiers/allow-tigera /calico-enterprise/next/network-policy/policy-tiers/calico-system 301 | ||
| /calico-cloud/network-policy/policy-tiers/allow-tigera /calico-cloud/network-policy/policy-tiers/calico-system 301 |
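Review bot: The two redirect rules use different path shapes: the Calico Enterprise rule carries a `/next/` segment, while the Calico Cloud rule goes straight from `/calico-cloud/` to `network-policy/`. If the Calico Cloud next tree is also published under a versioned prefix, the second rule will never match and the old `allow-tigera` URL will 404. Confirm the published URL of the old CC page and align the rule with it, or extend the comment line to say why the two products differ.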
Comment on lines +58 to +92
| 1. Add the $[prodname] Helm repo: | ||
|
|
||
| ```bash | ||
| helm repo add projectcalico https://docs.tigera.io/calico/charts | ||
| ``` | ||
|
|
||
| 1. Create the `tigera-operator` namespace: | ||
|
|
||
| ```bash | ||
| kubectl create namespace tigera-operator | ||
| ``` | ||
|
|
||
| 1. Install the v3 CRD chart instead of the default v1 CRD chart: | ||
|
|
||
| ```bash | ||
| helm template calico-crds projectcalico/projectcalico.org.v3 --version $[releaseTitle] | kubectl apply --server-side -f - | ||
| ``` | ||
|
|
||
| :::note | ||
|
|
||
| This replaces the `crd.projectcalico.org.v1` chart used in the default installation. Do not install both CRD charts. | ||
|
|
||
| ::: | ||
|
|
||
| 1. Install the Tigera Operator: | ||
|
|
||
| ```bash | ||
| helm install $[prodnamedash] projectcalico/tigera-operator --version $[releaseTitle] --namespace tigera-operator | ||
| ``` | ||
|
|
||
| If you have a `values.yaml` with custom configuration: | ||
|
|
||
| ```bash | ||
| helm install $[prodnamedash] projectcalico/tigera-operator --version $[releaseTitle] -f values.yaml --namespace tigera-operator | ||
| ``` |
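Review bot: Step 1 says to add the $[prodname] Helm repo, but the command hard-codes `https://docs.tigera.io/calico/charts` under the repo name `projectcalico`, so on this page the label and the chart source disagree. The later `helm template` and `helm install` lines pin `--version $[releaseTitle]` against that same repo, which only resolves if that version is published there. Use a product-aware variable for the repo URL, as the manifest steps do with `$[manifestsUrl]`, or state explicitly that the charts come from the Calico Open Source repo.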
Comment on lines +97 to +114
| 1. Install the v3 CRDs: | ||
|
|
||
| ```bash | ||
| kubectl create -f $[manifestsUrl]/manifests/v3_projectcalico_org.yaml | ||
| ``` | ||
|
|
||
| :::note | ||
|
|
||
| This replaces the `v1_crd_projectcalico_org.yaml` manifest used in the default installation. Do not install both CRD manifests. | ||
|
|
||
| ::: | ||
|
|
||
| 1. Install the Tigera Operator and custom resources: | ||
|
|
||
| ```bash | ||
| kubectl create -f $[manifestsUrl]/manifests/tigera-operator.yaml | ||
| ``` | ||
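Review bot: Step 2 is titled "Install the Tigera Operator and custom resources", but the only command shown applies `tigera-operator.yaml`; nothing in the step creates custom resources. Add the custom-resources command or retitle the step to match what it does. A short sentence on why this path uses `kubectl create` while the Helm path uses `kubectl apply --server-side` would also help, since `create` fails on objects that already exist when a reader re-runs the steps.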
|
|
|
|
||
| ## Before you begin | ||
|
|
||
| - $[prodname] v3.32+ (or the release that includes the migration controller) |
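Review bot: The prerequisite "$[prodname] v3.32+" renders with the product name, but 3.32 is the Calico Open Source version number; this PR's own commit text puts Calico Enterprise at 3.23. State the requirement in the product's version numbering or name the upstream version explicitly (for example "based on Calico Open Source 3.32 or later"), and replace the parenthetical "or the release that includes the migration controller" with a concrete release once it is known.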
|
|
||
| ### Validation and defaulting | ||
|
|
||
| When using native `projectcalico.org/v3` CRDs, resource validation and defaulting are handled by native CRD validation and defaulting, as well as ValidatingAdmissionPolicies and MutatingAdmissionPolicies. $[prodname] uses [MutatingAdmissionPolicies](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) for defaulting, which are currently a **beta** Kubernetes feature. You must ensure that the `MutatingAdmissionPolicy` feature gate is enabled on your Kubernetes API server before using native `projectcalico.org/v3` CRDs. |
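Review bot: The link text "MutatingAdmissionPolicies" points at the `validating-admission-policy` reference page, so a reader following it lands on documentation for a different feature than the gate they are told to enable. Point the link at the Kubernetes mutating admission policy page instead. Since the paragraph describes the feature as beta, it would also be easier to act on if it named the minimum Kubernetes version in which the `MutatingAdmissionPolicy` gate is available.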

Summary
Calico Enterprise 3.23 EP2 picks up the Calico OSS 3.32 stream (confirmed via three Confluence pages: PM/3565355009, ENG/3605364738, ENG/3650289665). This PR mirrors the headline OSS 3.32 reference / how-to content into CE next (`/calico-enterprise/`) and CC next (`/calico-cloud/`) so the two products stay in sync on the new resources, fields, and tiers introduced upstream.

No release-notes content is in this PR. Release-notes lines for both products are drafted in a side document and will be incorporated into the appropriate `release-notes/index.mdx` pages in a separate PR cut against the EP2 versioned tree.

Commit map (one OSS feature per commit, CE + CC together)
`nodeSelector` (tech preview)
`allow-tigera` tier → `calico-system`

Two OSS 3.32 items appeared in the audit but did not produce a commit:
- `calicoctl ipam configure` example for CC (calico/calico#11971) — CC does not surface `calicoctl` docs at all. The `kubeVirtVMAddressPersistence` field is already documented in `calico-cloud/reference/resources/ipamconfig.mdx` — no further change needed.

Two OSS 3.32 items are intentionally out of scope:

Verification asks for reviewers / upstream authors
I will post a per-commit comment tagging each upstream author asking "Does your work in calico/calico#XXXX apply cleanly to CE/CC as written, or are there caveats (dataplane gating, install mode, license tier, SaaS limitations) we should call out?" The answers may produce follow-up commits or reverts on individual items — particularly:
HostEndpointsUpgradepartial component #9 Native v3 CRDs in CC — Calico Cloud is SaaS and manages CRDs server-side. @caseydavenport, does any of this content apply to CC-connected clusters as written?

Test plan
- make start-next)
- `grep -rn "allow-tigera" calico-enterprise/ calico-cloud/` returns no hits (versioned trees untouched)
- `grep -rn "kube-admin\|kube-baseline\|ClusterNetworkPolicy" calico-enterprise/ calico-cloud/` returns hits in tiered-policy.mdx

🤖 Generated with Claude Code