Fix Windows requirements: IPPool patch is reverted by operator#2680
Open
caseydavenport wants to merge 3 commits intomainfrom
Open
Fix Windows requirements: IPPool patch is reverted by operator#2680caseydavenport wants to merge 3 commits intomainfrom
caseydavenport wants to merge 3 commits intomainfrom
Conversation
The Linux platform requirements section told users to disable IPIP via 'kubectl patch ippool', but the operator now reconciles IP pools from the Installation and silently reverts those edits. Split the step into Operator and Manifest tabs: the Operator path patches spec.calicoNetwork.ipPools[0].encapsulation on the Installation, and the Manifest path keeps the original IP pool patch. Enterprise gets the same treatment, with the FelixConfiguration ipipEnabled patch under the Manifest tab. Applied to OSS main, v3.32, v3.31 and Enterprise main, v3.23-1, v3.22-2. Fixes #9426
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
❌ Deploy Preview for tigera failed. Why did it fail? →
|
ctauchen
reviewed
May 1, 2026
Collaborator
ctauchen
left a comment
ctauchen
left a comment
There was a problem hiding this comment.
Some suggested wording, and a question about having manifest paths in CE.
…rprise Chris pointed out that Enterprise doesn't support manifest installs, so the Manifest tab on the Enterprise pages was wrong. Drop it and inline the operator instructions. OSS keeps both tabs. Also reworked the operator wording on both per Chris's suggestion: lead with the patch command, then explain the operator reconciliation behavior, then cover the multi-pool case.
Per Casey's review thread: the choice isn't operator vs manifest install, it's whether the IP pools themselves are managed through the Installation or created directly as IPPool resources. Both can apply on operator installs. Restored the Tabs in the Enterprise pages with the new framing.
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Windows requirements documentation so that disabling IP-in-IP (IPIP) works correctly on operator-managed clusters, where direct IPPool edits are reconciled back by the operator.
Changes:
- Add Operator vs Manifest instructions for disabling IPIP in Calico OSS Windows requirements (main + v3.31 + v3.32).
- For operator installs, switch the documented change from patching
IPPoolto patching theInstallationresource’sspec.calicoNetwork.ipPools[*].encapsulation. - Update Calico Enterprise Windows requirements (main + v3.22-2 + v3.23-1) to use the
Installationpatch approach.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| calico/getting-started/kubernetes/windows-calico/requirements.mdx | Adds Operator/Manifest tabs and updates guidance so operator users patch Installation instead of IPPool. |
| calico_versioned_docs/version-3.31/getting-started/kubernetes/windows-calico/requirements.mdx | Same as OSS main for v3.31 docs. |
| calico_versioned_docs/version-3.32/getting-started/kubernetes/windows-calico/requirements.mdx | Same as OSS main for v3.32 docs. |
| calico-enterprise/getting-started/install-on-clusters/windows-calico/requirements.mdx | Updates Enterprise Windows requirements to patch Installation for encapsulation. |
| calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/windows-calico/requirements.mdx | Same Enterprise update for v3.22-2 docs. |
| calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/requirements.mdx | Same Enterprise update for v3.23-1 docs. |
Comment on lines
+77
to
82
| For `IPPool` resources created directly (not through the `Installation`), patch the `IPPool`: | ||
|
|
||
| ```bash | ||
| kubectl patch ippool default-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Always"}}' | ||
| ``` | ||
|
|
Comment on lines
53
to
+60
|
|
||
| - At least four Linux Kubernetes worker nodes to run $[prodname]'s cluster-wide components that meets [Linux system requirements](../requirements.mdx), and is installed with $[prodname] v3.5.0+ | ||
| - Must not be running in eBPF mode | ||
| - VXLAN or BGP without encapsulation is supported if using $[prodname] CNI. IPIP ($[prodname]'s default encapsulation mode) is not supported. Use the following command to turn off IPIP. | ||
| - VXLAN or BGP without encapsulation is supported if using $[prodname] CNI. IPIP ($[prodname]'s default encapsulation mode) is not supported. Turn off IPIP on the default IP pool. | ||
|
|
||
| <Tabs groupId="ip-pool-management"> | ||
| <TabItem label="Operator managed IP pools" value="operator-managed"> | ||
|
|
Comment on lines
53
to
+60
|
|
||
| - At least four Linux Kubernetes worker nodes to run $[prodname]'s cluster-wide components that meets [Linux system requirements](../requirements.mdx), and is installed with $[prodname] v3.5.0+ | ||
| - Must not be running in eBPF mode | ||
| - VXLAN or BGP without encapsulation is supported if using $[prodname] CNI. IPIP ($[prodname]'s default encapsulation mode) is not supported. Use the following command to turn off IPIP. | ||
| - VXLAN or BGP without encapsulation is supported if using $[prodname] CNI. IPIP ($[prodname]'s default encapsulation mode) is not supported. Turn off IPIP on the default IP pool. | ||
|
|
||
| <Tabs groupId="ip-pool-management"> | ||
| <TabItem label="Operator managed IP pools" value="operator-managed"> | ||
|
|
Comment on lines
53
to
+60
|
|
||
| - At least four Linux Kubernetes worker nodes to run $[prodname]'s cluster-wide components that meets [Linux system requirements](../requirements.mdx), and is installed with $[prodname] v3.5.0+ | ||
| - Must not be running in eBPF mode | ||
| - VXLAN or BGP without encapsulation is supported if using $[prodname] CNI. IPIP ($[prodname]'s default encapsulation mode) is not supported. Use the following command to turn off IPIP. | ||
| - VXLAN or BGP without encapsulation is supported if using $[prodname] CNI. IPIP ($[prodname]'s default encapsulation mode) is not supported. Turn off IPIP on the default IP pool. | ||
|
|
||
| <Tabs groupId="ip-pool-management"> | ||
| <TabItem label="Operator managed IP pools" value="operator-managed"> | ||
|
|
| ```bash | ||
| kubectl patch ippool default-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Always"}}' | ||
| ``` | ||
|
|
| ```bash | ||
| kubectl patch ippool default-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Always"}}' | ||
| ``` | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Windows requirements page tells users to disable IPIP via
kubectl patch ippool default-ipv4-ippool ..., but on operator-managed clusters the operator reconciles IP pools from theInstallationand silently reverts those edits, so the documented step has no effect. That is what projectcalico/calico#9426 hit.Split the encapsulation step into
OperatorandManifesttabs: the operator path patchesspec.calicoNetwork.ipPools[0].encapsulationon theInstallation, and the manifest path keeps the originalIPPoolpatch. Same treatment in Enterprise, where theFelixConfigurationipipEnabledpatch lives under the Manifest tab.Applied to OSS main, v3.32, v3.31 and Enterprise main, v3.23-1, v3.22-2.
Fixes projectcalico/calico#9426