Update instructions on external network #2511
Pull request overview
Adds guidance for configuring the host egress interface selection for external network egress gateway traffic in Calico Enterprise external network documentation.
Changes:
- Introduces a new “Configure egress interface” section describing `egressIPHostIfacePattern` usage.
- Adds a `kubectl patch` example for setting `egressIPHostIfacePattern`.
- Applies the same documentation update to the unversioned Enterprise docs and Enterprise versions 3.21-2, 3.22-2, and 3.23-1.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| calico-enterprise/networking/egress/external-network.mdx | Adds a new section documenting egressIPHostIfacePattern configuration for external network egress. |
| calico-enterprise_versioned_docs/version-3.21-2/networking/egress/external-network.mdx | Backports the same new configuration section to Enterprise 3.21-2 docs. |
| calico-enterprise_versioned_docs/version-3.22-2/networking/egress/external-network.mdx | Backports the same new configuration section to Enterprise 3.22-2 docs. |
| calico-enterprise_versioned_docs/version-3.23-1/networking/egress/external-network.mdx | Backports the same new configuration section to Enterprise 3.23-1 docs. |
| ### Configure egress interface | ||
|
|
||
| To configure which host interfaces should be used for egress traffic and have the `src_valid_mark` set, configure the `egressIPHostIfacePattern` field in the default **FelixConfiguration**. This field accepts a regular expression that matches the names of the host interfaces to be used. | ||
|
|
||
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: |
egressIPHostIfacePattern is defined as a comma-separated list of interface names/regex patterns, and regex patterns must be wrapped in /.../ (see calico-enterprise/_includes/components/FelixConfig/config-params.json:7842-7857). The current wording says the field “accepts a regular expression” (singular) and doesn’t mention the /.../ requirement; please adjust the text (and consider pluralizing the heading) to match the actual config semantics.
|
|
||
| ```bash | ||
| kubectl patch felixconfiguration default --type='merge' -p \ | ||
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' |
The patch example sets egressIPHostIfacePattern to a bare regex (^ens2[01][./](100|200)$). Per the Felix config schema, regex patterns must be wrapped in /.../, and including / inside the pattern (via [./]) becomes ambiguous unless escaped. Please update the example so it uses the expected /.../ form and an interface-name pattern that won’t conflict with the delimiter.
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | |
| '{"spec":{"egressIPHostIfacePattern":"/^ens2[01]\\.(100|200)$/"}}' |
This comment correctly describes what is in the felixconfig spec. If this is accurate, then either the code or the description needs to be changed.
| ### Configure egress interface | ||
|
|
||
| To configure which host interfaces should be used for egress traffic and have the `src_valid_mark` set, configure the `egressIPHostIfacePattern` field in the default **FelixConfiguration**. This field accepts a regular expression that matches the names of the host interfaces to be used. | ||
|
|
||
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: |
egressIPHostIfacePattern is defined as a comma-separated list of interface names/regex patterns, and regex patterns must be wrapped in /.../ (see calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json:8006-8022). The current wording says the field “accepts a regular expression” (singular) and doesn’t mention the /.../ requirement; please adjust the text (and consider pluralizing the heading) to match the actual config semantics.
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: | ||
|
|
||
| ```bash | ||
| kubectl patch felixconfiguration default --type='merge' -p \ | ||
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' |
The patch example sets egressIPHostIfacePattern to a bare regex (^ens2[01][./](100|200)$). Per the Felix config schema, regex patterns must be wrapped in /.../, and including / inside the pattern (via [./]) becomes ambiguous unless escaped. Please update the example so it uses the expected /.../ form and an interface-name pattern that won’t conflict with the delimiter.
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: | |
| ```bash | |
| kubectl patch felixconfiguration default --type='merge' -p \ | |
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | |
| For example, to configure interfaces named `ens20.100`, `ens20.200`, `ens21.100`, or `ens21.200`: | |
| ```bash | |
| kubectl patch felixconfiguration default --type='merge' -p \ | |
| '{"spec":{"egressIPHostIfacePattern":"/^ens2[01]\.(100|200)$/"}}' |
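Review bot: The suggested replacement line writes the escaped dot as `\.` with a single backslash, inside a JSON string that sits in single shell quotes. The shell passes the backslash through unchanged and `\.` is not a valid JSON escape sequence, so the patch body is malformed JSON and the regex never reaches Felix. Write it as `\\.`, as in `"/^ens2[01]\\.(100|200)$/"`, so that the JSON string decodes to the regex `\.` (a literal dot).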
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | ||
| ``` | ||
|
|
||
| This ensures that Calico sets the `src_valid_mark` on interfaces matching the specified regex pattern, which is required for proper egress gateway functionality with external networks. |
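Review bot: The closing sentence names `src_valid_mark` without saying what it is or how a reader can confirm the patch took effect. Consider stating that it is the per-interface Linux sysctl `net.ipv4.conf.<interface>.src_valid_mark`, and adding a verification step such as reading `/proc/sys/net/ipv4/conf/<interface>/src_valid_mark` on a matching host interface. It would also help to note that the pattern should be kept as narrow as the intended egress interfaces, since the setting is applied to every interface name it matches.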
This page consistently refers to the product as $[prodname], but this new sentence says “Calico sets…”. For consistency in Calico Enterprise docs (and to avoid ambiguity), replace “Calico” with $[prodname] (or “Felix” if you specifically mean the Felix agent sets the sysctl).
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | ||
| ``` | ||
|
|
||
| This ensures that Calico sets the `src_valid_mark` on interfaces matching the specified regex pattern, which is required for proper egress gateway functionality with external networks. |
This page consistently refers to the product as $[prodname] (for example, lines 13 and 22), but this new sentence says “Calico sets…”. For consistency in Calico Enterprise docs (and to avoid ambiguity), replace “Calico” with $[prodname] (or “Felix” if you specifically mean the Felix agent sets the sysctl).
Yes, best to s/Calico/$[prodname]
|
|
||
| ```bash | ||
| kubectl patch felixconfiguration default --type='merge' -p \ | ||
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' |
The patch example sets egressIPHostIfacePattern to a bare regex (^ens2[01][./](100|200)$). Per the Felix config schema, regex patterns must be wrapped in /.../, and including / inside the pattern (via [./]) becomes ambiguous unless escaped. Please update the example so it uses the expected /.../ form and an interface-name pattern that won’t conflict with the delimiter.
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | |
| '{"spec":{"egressIPHostIfacePattern":"/^ens2[01]\.(100|200)$/"}}' |
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | ||
| ``` | ||
|
|
||
| This ensures that Calico sets the `src_valid_mark` on interfaces matching the specified regex pattern, which is required for proper egress gateway functionality with external networks. |
This page consistently refers to the product as $[prodname], but this new sentence says “Calico sets…”. For consistency in Calico Enterprise docs (and to avoid ambiguity), replace “Calico” with $[prodname] (or “Felix” if you specifically mean the Felix agent sets the sysctl).
| ### Configure egress interface | ||
|
|
||
| To configure which host interfaces should be used for egress traffic and have the `src_valid_mark` set, configure the `egressIPHostIfacePattern` field in the default **FelixConfiguration**. This field accepts a regular expression that matches the names of the host interfaces to be used. | ||
|
|
||
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: |
egressIPHostIfacePattern is defined as a comma-separated list of interface names/regex patterns, and regex patterns must be wrapped in /.../ (see calico-enterprise_versioned_docs/version-3.21-2/_includes/components/FelixConfig/config-params.json:7612-7628). The current wording says the field “accepts a regular expression” (singular) and doesn’t mention the /.../ requirement; please adjust the text (and consider pluralizing the heading) to match the actual config semantics.
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: | ||
|
|
||
| ```bash | ||
| kubectl patch felixconfiguration default --type='merge' -p \ | ||
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' |
The patch example sets egressIPHostIfacePattern to a bare regex (^ens2[01][./](100|200)$). Per the Felix config schema, regex patterns must be wrapped in /.../, and including / inside the pattern (via [./]) becomes ambiguous unless escaped. Please update the example so it uses the expected /.../ form and an interface-name pattern that won’t conflict with the delimiter.
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: | |
| ```bash | |
| kubectl patch felixconfiguration default --type='merge' -p \ | |
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | |
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200 (for example, `ens20.100`, `ens20.200`, `ens21.100`, `ens21.200`): | |
| ```bash | |
| kubectl patch felixconfiguration default --type='merge' -p \ | |
| '{"spec":{"egressIPHostIfacePattern":"/^ens2[01]\\.(100|200)$/"}}' |
ctauchen left a comment
A few comments from Copilot that I think are valid.
Can you copy changes to Calico Cloud 22-2 and next?
With those changes, all good to merge.
@song-jiang
|
|
||
| ```bash | ||
| kubectl patch felixconfiguration default --type='merge' -p \ | ||
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' |
This comment correctly describes what is in the felixconfig spec. If this is accurate, then either the code or the description needs to be changed.
| ### Configure egress interface | ||
|
|
||
| To configure which host interfaces should be used for egress traffic and have the `src_valid_mark` set, configure the `egressIPHostIfacePattern` field in the default **FelixConfiguration**. This field accepts a regular expression that matches the names of the host interfaces to be used. | ||
|
|
||
| For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200: |
| '{"spec":{"egressIPHostIfacePattern":"^ens2[01][./](100|200)$"}}' | ||
| ``` | ||
|
|
||
| This ensures that Calico sets the `src_valid_mark` on interfaces matching the specified regex pattern, which is required for proper egress gateway functionality with external networks. |
Yes, best to s/Calico/$[prodname]
I missed this before the merge. Presumably this applies?

Product Version(s):
Calico Enterprise 3.21, 3.22, 3.23
Issue:
Add "Configure egress interface" section for Calico Enterprise versions 3.21-2 and later, explaining how to use the `egressIPHostIfacePattern` FelixConfiguration field to set `src_valid_mark` on host interfaces for proper egress gateway functionality with external networks.
Link to docs preview: