From 4334f4fb20673106bd96fd5328e91bd1055324ae Mon Sep 17 00:00:00 2001
From: Mazdak Nasab
Date: Wed, 29 Oct 2025 13:51:04 -0700
Subject: [PATCH 1/4] remove validation
---
 pkg/controller/installation/validation.go | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/pkg/controller/installation/validation.go b/pkg/controller/installation/validation.go
index 6ace6dd767..4ed6f845c0 100644
--- a/pkg/controller/installation/validation.go
+++ b/pkg/controller/installation/validation.go
@@ -168,16 +168,8 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 // Verify the specified encapsulation type is valid.
 switch pool.Encapsulation {
 case operatorv1.EncapsulationIPIP, operatorv1.EncapsulationIPIPCrossSubnet:
- // IPIP currently requires BGP to be running in order to program routes.
- if instance.Spec.CalicoNetwork.BGP == nil || *instance.Spec.CalicoNetwork.BGP == operatorv1.BGPDisabled {
- return fmt.Errorf("IPIP encapsulation requires that BGP is enabled")
- }
 case operatorv1.EncapsulationVXLAN, operatorv1.EncapsulationVXLANCrossSubnet:
 case operatorv1.EncapsulationNone:
- // Unencapsulated currently requires BGP to be running in order to program routes.
- if instance.Spec.CalicoNetwork.BGP == nil || *instance.Spec.CalicoNetwork.BGP == operatorv1.BGPDisabled {
- return fmt.Errorf("unencapsulated IP pools require that BGP is enabled")
- }
 }
 case operatorv1.IPAMPluginHostLocal:
 // The host-local IPAM plugin doesn't support VXLAN.
From 8972ba0cb939d65abca3bbbaddbf2db4f6b31b65 Mon Sep 17 00:00:00 2001
From: Mazdak Nasab
Date: Thu, 30 Oct 2025 11:22:42 -0700
Subject: [PATCH 2/4] Update
---
 pkg/controller/installation/validation.go | 7 -------
 pkg/controller/installation/validation_test.go | 11 +++++++----
 ...ojectcalico.org_kubecontrollersconfigurations.yaml | 2 ++
 3 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/pkg/controller/installation/validation.go b/pkg/controller/installation/validation.go
index 4ed6f845c0..c6fe9b912b 100644
--- a/pkg/controller/installation/validation.go
+++ b/pkg/controller/installation/validation.go
@@ -164,13 +164,6 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 // Check that the encapsulation mode on the IP pool is compatible with the CNI plugin that is in-use.
 if instance.Spec.CNI.Type == operatorv1.PluginCalico {
 switch instance.Spec.CNI.IPAM.Type {
- case operatorv1.IPAMPluginCalico:
- // Verify the specified encapsulation type is valid.
- switch pool.Encapsulation {
- case operatorv1.EncapsulationIPIP, operatorv1.EncapsulationIPIPCrossSubnet:
- case operatorv1.EncapsulationVXLAN, operatorv1.EncapsulationVXLANCrossSubnet:
- case operatorv1.EncapsulationNone:
- }
 case operatorv1.IPAMPluginHostLocal:
 // The host-local IPAM plugin doesn't support VXLAN.
 switch pool.Encapsulation {
diff --git a/pkg/controller/installation/validation_test.go b/pkg/controller/installation/validation_test.go
index a1ed29e5c4..9768e699b5 100644
--- a/pkg/controller/installation/validation_test.go
+++ b/pkg/controller/installation/validation_test.go
@@ -246,7 +246,10 @@ var _ = Describe("Installation validation tests", func() {
 Expect(err).NotTo(HaveOccurred())
 })

- It("should prevent IPIP if BGP is disabled", func() {
+ // Previously, IPIP encapsulation were only possible with BGP enabled,
+ // however, Felix can do the same thing now which means IPIP with BGP disabled
+ // is supported.
+ It("should allow IPIP if BGP is disabled", func() {
 disabled := operator.BGPDisabled
 instance.Spec.CalicoNetwork.BGP = &disabled
 instance.Spec.CalicoNetwork.IPPools = []operator.IPPool{
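Review bot: Nothing in this hunk or the two that follow (-258, -273) exercises an `EncapsulationNone` pool with `BGPDisabled`, although patch 1/4 removed the `unencapsulated IP pools require that BGP is enabled` check together with the IPIP one. The added comment justifies only the IPIP case, so either add a matching case such as `It("should allow unencapsulated pools if BGP is disabled", func() {` or keep that one rejection until the rendered node configuration is known to handle it; a test outside these hunks may already cover this. The comment itself should read `IPIP encapsulation was only possible with BGP enabled`.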
@@ -258,10 +261,10 @@ var _ = Describe("Installation validation tests", func() {
 },
 }
 err := validateCustomResource(instance)
- Expect(err).To(HaveOccurred())
+ Expect(err).NotTo(HaveOccurred())
 })

- It("should prevent IPIP cross-subnet if BGP is disabled", func() {
+ It("should allow IPIP cross-subnet if BGP is disabled", func() {
 disabled := operator.BGPDisabled
 instance.Spec.CalicoNetwork.BGP = &disabled
 instance.Spec.CalicoNetwork.IPPools = []operator.IPPool{
@@ -273,7 +276,7 @@ var _ = Describe("Installation validation tests", func() {
 },
 }
 err := validateCustomResource(instance)
- Expect(err).To(HaveOccurred())
+ Expect(err).NotTo(HaveOccurred())
 })

 It("should not error if CalicoNetwork is provided on EKS", func() {
diff --git a/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml
index 886fae2553..32ddb712d4 100644
--- a/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml
+++ b/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml
@@ -36,6 +36,7 @@ spec: loadBalancer: properties: assignIPs: + default: AllServices type: string type: object namespace:
@@ -127,6 +128,7 @@ spec: loadBalancer: properties: assignIPs: + default: AllServices type: string type: object namespace:
From 13796bd8b7f2aac8ccbd1b45b578232936b610c6 Mon Sep 17 00:00:00 2001
From: Mazdak Nasab
Date: Fri, 30 Jan 2026 14:33:44 -0800
Subject: [PATCH 3/4] use felix backend
---
 pkg/render/node.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/render/node.go b/pkg/render/node.go
index 4aa3ff5ab8..e73064ca30 100644
--- a/pkg/render/node.go
+++ b/pkg/render/node.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2025 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019-2026 Tigera, Inc. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -1588,7 +1588,7 @@ func (c *nodeComponent) nodeEnvVars() []corev1.EnvVar {
 // VPP comes with its own BGP daemon, so bird should be disabled
 nodeEnv = append(nodeEnv, corev1.EnvVar{Name: "CALICO_NETWORKING_BACKEND", Value: "none"})
 } else {
- nodeEnv = append(nodeEnv, corev1.EnvVar{Name: "CALICO_NETWORKING_BACKEND", Value: "bird"})
+ nodeEnv = append(nodeEnv, corev1.EnvVar{Name: "CALICO_NETWORKING_BACKEND", Value: "felix"})
 }
 if mtu != nil {
 ipipMtu := strconv.Itoa(int(*mtu))
From 5d460f3769fef34ee769ff6faf1a5cb6f05c005f Mon Sep 17 00:00:00 2001
From: Mazdak Nasab
Date: Fri, 30 Jan 2026 14:58:21 -0800
Subject: [PATCH 4/4] more
---
 pkg/render/node.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/render/node.go b/pkg/render/node.go
index e73064ca30..7f2a43ae24 100644
--- a/pkg/render/node.go
+++ b/pkg/render/node.go
@@ -1589,6 +1589,7 @@ func (c *nodeComponent) nodeEnvVars() []corev1.EnvVar {
 nodeEnv = append(nodeEnv, corev1.EnvVar{Name: "CALICO_NETWORKING_BACKEND", Value: "none"})
 } else {
 nodeEnv = append(nodeEnv, corev1.EnvVar{Name: "CALICO_NETWORKING_BACKEND", Value: "felix"})
+ nodeEnv = append(nodeEnv, corev1.EnvVar{Name: "FELIX_PROGRAMCLUSTERROUTES", Value: "Enabled"})
 }
 if mtu != nil {
 ipipMtu := strconv.Itoa(int(*mtu))
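Review bot: In patch 3/4 (hunk at -1588) the `"bird"` to `"felix"` change lands in the `else` of the VPP check, and the neighbouring comment about VPP bringing "its own BGP daemon" suggests this is the path taken when BGP is enabled. If that is the guard (it sits outside the hunk), every non-VPP install that relies on BIRD for BGP peering changes backend, while the BGP-disabled installs that the validation change now admits are rendered by a branch this series does not touch. Keep `Value: "bird"` where BGP is enabled and select the Felix-programmed backend only where it is disabled. The diffstat shows only `pkg/render/node.go` changing, so a render test pinning `CALICO_NETWORKING_BACKEND` for both BGP settings is missing from the series.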
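Review bot: In patch 4/4 (hunk at -1589) `FELIX_PROGRAMCLUSTERROUTES` is appended with a fixed `Enabled` in the same branch, with no comment explaining why and no condition on the pool or BGP configuration. Felix gives environment variables precedence over FelixConfiguration, so a value pinned here would presumably override whatever an administrator sets through the API; confirm that is intended, or apply it only as a default. A why-comment such as `// Felix programs routes to remote pools itself, so BIRD is not needed for route distribution.` would help, assuming that is the intent. nodeEnvVars starts and ends outside the hunk.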