
Update Felix configuration files for CE #2507

Merged
ctauchen merged 1 commit into tigera:main from ctauchen:update-felix-ce
Feb 3, 2026

Conversation


@ctauchen ctauchen commented Feb 3, 2026

Product Version(s):

Issue:

Link to docs preview:

SME review:

  • An SME has approved this change.

DOCS review:

  • A member of the docs team has approved this change.

Additional information:

Merge checklist:

  • Deploy preview inspected wherever changes were made
  • Build completed successfully
  • Tests have passed

@ctauchen ctauchen requested a review from a team as a code owner February 3, 2026 12:37
Copilot AI review requested due to automatic review settings February 3, 2026 12:37

netlify bot commented Feb 3, 2026

Deploy Preview for calico-docs-preview-next ready!

Name Link
🔨 Latest commit 81912a1
🔍 Latest deploy log https://app.netlify.com/projects/calico-docs-preview-next/deploys/6981ec1e1a68760008e258f4
😎 Deploy Preview https://deploy-preview-2507--calico-docs-preview-next.netlify.app


netlify bot commented Feb 3, 2026

Deploy Preview succeeded!

Built without sensitive environment variables

Name Link
🔨 Latest commit 81912a1
🔍 Latest deploy log https://app.netlify.com/projects/tigera/deploys/6981ec1ec46e4a0008e65d3e
😎 Deploy Preview https://deploy-preview-2507--tigera.netlify.app
Lighthouse
1 paths audited
Performance: 67 (🔴 down 1 from production)
Accessibility: 98 (no change from production)
Best Practices: 92 (no change from production)
SEO: 100 (no change from production)
PWA: -

@ctauchen ctauchen merged commit 7f0cc3e into tigera:main Feb 3, 2026
13 of 15 checks passed

Copilot AI left a comment


Pull request overview

This PR updates versioned Calico Enterprise Felix configuration metadata to align with current Enterprise behavior and new features, including Istio ambient mode, policy activity log file settings, cgroup v2 behavior, and eBPF/Maglev tuning.

Changes:

  • Add new Felix configuration options for Istio ambient mode/DSCP marking, policy activity log file output, cgroup v2 path override, egress gateway host interface patterns, and Maglev limits in appropriate Enterprise versions.
  • Adjust or remove older/deprecated iptables and eBPF options (e.g., iptables lock handling, BPF kube-proxy endpoint slices) and update defaults/enums for nftables and BPF redirect behavior.
  • Simplify Prometheus metrics TLS option descriptions and tweak some Go type annotations in the 3.22-2 Enterprise docs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File: calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json
  Adds Istio ambient/DSCP options, policy activity log file controls, Maglev sizing knobs, and updates iptables lock handling/nftables metadata to reflect current Felix behavior.

File: calico-enterprise_versioned_docs/version-3.22-2/_includes/components/FelixConfig/config-params.json
  Backports Istio ambient/DSCP options, refines Prometheus metrics TLS field docs, removes some eBPF options, and extends BPFRedirectToPeer to support L2Only.

File: calico-enterprise_versioned_docs/version-3.21-2/_includes/components/FelixConfig/config-params.json
  Introduces CgroupV2Path and EgressIPHostIfacePattern to document Enterprise-specific Felix behavior for cgroup v2 and egress gateways in this older version.

Comment on lines +1901 to +1905
"YAMLType": "integer",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",

Copilot AI Feb 3, 2026


For IstioDSCPMark, the YAML metadata is internally inconsistent with the string schema and defaults: YAMLType is set to "integer" while YAMLSchema/YAMLSchemaHTML say "String.", and YAMLDefault is empty even though the string/parsed defaults are 23. To avoid confusing users and keep this entry consistent with other DSCP-style fields, please align YAMLType, YAMLSchema/HTML, and YAMLDefault with the actual accepted value formats and the documented default (23).

Suggested change
"YAMLType": "integer",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",
"YAMLType": "string",
"YAMLSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"YAMLDefault": "23",
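Review bot: with YAMLType changed to "string" while the schema also accepts a plain integer such as the default 23, the schema text should say whether the numeric form may be written unquoted in YAML, since a reader of this entry cannot tell whether both the bare integer and the quoted form are accepted. The same five lines also appear unchanged in the 3.22-2 copy of this entry (lines +1874 to +1878 below), so the YAMLType/YAMLSchema/YAMLDefault change has to be made in both files or the two versions will disagree on what type IstioDSCPMark is.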

Copilot uses AI. Check for mistakes.
Comment on lines +1909 to +1910
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.</p>",

Copilot AI Feb 3, 2026


In the IstioDSCPMark description text, the phrase "must not be used with other Istio installation" is ungrammatical; it should say "any other Istio installation" or "other Istio installations". Please update both the plain-text and HTML descriptions to use correct grammar so the restriction is clear to readers.

Suggested change
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.</p>",
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith any other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith any other Istio installation.</p>",

Comment on lines +1874 to +1878
"YAMLType": "integer",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",

Copilot AI Feb 3, 2026


For IstioDSCPMark, the YAML metadata is internally inconsistent with the string schema and defaults: YAMLType is set to "integer" while YAMLSchema/YAMLSchemaHTML say "String.", and YAMLDefault is empty even though the string/parsed defaults are 23. To avoid confusing users and keep this entry consistent with other DSCP-style fields, please align YAMLType, YAMLSchema/HTML, and YAMLDefault with the actual accepted value formats and the documented default (23).

Suggested change
"YAMLType": "integer",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",
"YAMLType": "string",
"YAMLSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"YAMLDefault": "23",
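Review bot: this is the 3.22-2 copy of the IstioDSCPMark entry already flagged at lines +1901 to +1905 in the 3.23-1 file, with the identical YAMLType "integer" / YAMLSchema "String." / empty YAMLDefault mismatch; apply exactly the same replacement here (and the same grammar fix to its Description/DescriptionHTML at lines +1882 to +1883) so the backported entry does not drift from the 3.23-1 one.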

Comment on lines +1882 to +1883
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.</p>",

Copilot AI Feb 3, 2026


In the IstioDSCPMark description text, the phrase "must not be used with other Istio installation" is ungrammatical; it should say "any other Istio installation" or "other Istio installations". Please update both the plain-text and HTML descriptions to use correct grammar so the restriction is clear to readers.

Suggested change
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.</p>",
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith any other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith any other Istio installation.</p>",

Comment on lines +4327 to +4328
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",

Copilot AI Feb 3, 2026


For BPFRedirectToPeer, the documented defaults conflict with the prose description: StringDefault/YAMLDefault are "Disabled", but the description states that forwarding from host L2 devices is allowed "by default (L2Only)". Please update either the default fields or the description text so they agree on the actual default behavior for this option.

Suggested change
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. When set to L2Only, it is allowed for any host L2 devices,\nbut it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. When set to L2Only, it is allowed for any host L2 devices,\nbut it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",
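Review bot: the suggested text removes the wrong "by default (L2Only)" claim but still never says what the actual default is, so a reader has to cross-reference StringDefault/YAMLDefault ("Disabled") to learn that redirection is off unless configured; the Description and DescriptionHTML should state "Disabled by default" (or equivalent) explicitly. This suggestion and the next comment's suggestion edit the same two lines (+4327 to +4328), and applying one as-is discards the other, so the grammar fixes from the next comment ("Controls whether", "tcpdump", "WireGuard") need to be folded into this text in a single change.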

Comment on lines +4327 to +4328
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",

Copilot AI Feb 3, 2026


The BPFRedirectToPeer description contains a few wording issues that make it harder to read: "Controls which whether it is allowed" is grammatically incorrect, "TCP dump" should be "tcpdump" (or at least be consistent with other docs), and "Wireguard" should be "WireGuard". Please tidy up the text (and matching HTML) to fix these typos while keeping the semantics the same.

Suggested change
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",
"Description": "Controls whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks tcpdump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or WireGuard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks tcpdump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or WireGuard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",
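Review bot: this suggestion keeps "It is allowed for any host L2 devices by default (L2Only)", the very sentence the previous comment on the same lines identified as contradicting YAMLDefault "Disabled", so applying it after that one reinstates the wrong default claim. Merge the two into one replacement whose text has the typo fixes from this comment and a correct statement of the default from the previous one.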

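Both kinds of problem the review raises are mechanical: for IstioDSCPMark a YAMLType that contradicts the schema text and an empty YAMLDefault next to a populated StringDefault, and for BPFRedirectToPeer a description whose "by default (L2Only)" contradicts YAMLDefault "Disabled". The following lint script, added here as an example and not part of the tigera/docs repository or its build, checks a config-params.json document for exactly these contradictions. The field names come from the entries quoted in the comments above; the list-of-objects file shape, the "Name" key, the BPFRedirectToPeer schema string and the third sample entry are constructed assumptions.

```python
"""Lint Felix config-params.json entries for metadata that contradicts itself.

Added example, not code from tigera/docs. Field names are those quoted in the
review; the file shape, the "Name" key and the sample entries are assumptions.
"""
import json
import re
from typing import Any

TAG_RE = re.compile(r"<[^>]+>")
# Prose such as "by default\n(L2Only)" or "by default (Enabled)".
DEFAULT_CLAIM_RE = re.compile(r"by default\s*\(\s*(\w+)\s*\)", re.IGNORECASE)
SCALAR_TYPES = {"string", "integer", "boolean"}


def strip_html(text: str) -> str:
    """Drop tags so the HTML twin of a field can be compared to its plain text."""
    return TAG_RE.sub("", text or "").strip()


def lint_entry(entry: dict[str, Any]) -> list[str]:
    """Return human-readable findings for one config-params entry."""
    name = entry.get("Name", "<unnamed>")
    ytype = (entry.get("YAMLType") or "").lower()
    schema = (entry.get("YAMLSchema") or "").strip()
    ydefault = entry.get("YAMLDefault") or ""
    sdefault = entry.get("StringDefault") or ""
    enum = entry.get("YAMLEnumValues") or []
    desc = (entry.get("Description") or "").strip()
    findings: list[str] = []

    # A bare scalar type in the schema text ("String.") must match YAMLType.
    bare = schema.rstrip(".").lower()
    if bare in SCALAR_TYPES and ytype and bare != ytype:
        findings.append(f"{name}: YAMLType is '{ytype}' but YAMLSchema says '{schema}'")
    # The HTML twins must carry the same words as the plain-text fields.
    if strip_html(entry.get("YAMLSchemaHTML")) != schema:
        findings.append(f"{name}: YAMLSchemaHTML text differs from YAMLSchema")
    if strip_html(entry.get("DescriptionHTML")) != desc:
        findings.append(f"{name}: DescriptionHTML text differs from Description")
    # A default documented for the string form must also be shown for YAML.
    if sdefault and not ydefault:
        findings.append(f"{name}: YAMLDefault is empty but StringDefault is '{sdefault}'")
    # With an enum, the default must be one of the enumerated values.
    if enum and ydefault and ydefault not in enum:
        findings.append(f"{name}: YAMLDefault '{ydefault}' is not one of {enum}")
    # Prose that names a default must agree with the default fields.
    for claimed in DEFAULT_CLAIM_RE.findall(desc):
        if claimed != ydefault:
            findings.append(
                f"{name}: description claims default '{claimed}' but YAMLDefault is '{ydefault}'"
            )
    return findings


def lint_params(text: str) -> dict[str, list[str]]:
    """Parse a config-params.json document and map option name -> findings."""
    report: dict[str, list[str]] = {}
    for entry in json.loads(text):
        findings = lint_entry(entry)
        if findings:
            report[entry.get("Name", "<unnamed>")] = findings
    return report


# Constructed sample: two entries modeled on the ones quoted in the review
# (as submitted, before any suggestion is applied) plus one consistent entry.
ISTIO_DESC = ("Sets the value to use when directing traffic to Istio ZTunnel, when Istio "
              "is enabled. The mark is set only on\nSYN packets at the final hop.")
REDIRECT_DESC = ("Controls whether it is allowed to forward straight to the\npeer side of "
                 "the workload devices. It is allowed for any host L2 devices by default\n"
                 "(L2Only), but it breaks tcpdump on the host side. Use Enabled with caution.")
SAMPLE_JSON = json.dumps([
    {"Name": "IstioDSCPMark", "YAMLType": "integer", "YAMLSchema": "String.",
     "YAMLEnumValues": None, "YAMLSchemaHTML": "String.", "YAMLDefault": "",
     "StringDefault": "23", "Description": ISTIO_DESC,
     "DescriptionHTML": "<p>" + ISTIO_DESC + "</p>"},
    {"Name": "BPFRedirectToPeer", "YAMLType": "string",
     "YAMLSchema": "One of: Enabled, Disabled, L2Only.",  # assumed wording
     "YAMLEnumValues": ["Enabled", "Disabled", "L2Only"],
     "YAMLSchemaHTML": "One of: Enabled, Disabled, L2Only.", "YAMLDefault": "Disabled",
     "StringDefault": "Disabled", "Description": REDIRECT_DESC,
     "DescriptionHTML": "<p>" + REDIRECT_DESC + "</p>"},
    {"Name": "ExampleConsistentOption", "YAMLType": "boolean", "YAMLSchema": "Boolean.",
     "YAMLEnumValues": None, "YAMLSchemaHTML": "Boolean.", "YAMLDefault": "false",
     "StringDefault": "false", "Description": "Enables the example. Off by default.",
     "DescriptionHTML": "<p>Enables the example. Off by default.</p>"},
])

if __name__ == "__main__":
    import sys
    # Pass a real config-params.json path to lint it; otherwise the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    for findings in lint_params(text).values():
        print("\n".join(findings))
```

Run against the sample, the script reports the two IstioDSCPMark mismatches and the BPFRedirectToPeer default contradiction and nothing for the consistent entry; pointed at the real versioned files it would also catch a fix that lands in 3.23-1 but not in the 3.22-2 backport, since each file is linted on its own.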