DOCS-2871: Migrate CC Felix config docs to dynamic component system#2560
Merged
ctauchen merged 1 commit intotigera:mainfrom Mar 4, 2026
Merged
Conversation
Replace hand-maintained static HTML tables in Calico Cloud felix config reference docs with the same auto-generated FelixConfig React component already used by OSS and Enterprise. This fixes drifted defaults (e.g. dnsPolicyMode showing Inline instead of DelayDeniedPacket) and ensures CC stays in sync with EE going forward. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✅ Deploy Preview succeeded!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR migrates Calico Cloud Felix configuration reference docs from static, manually maintained tables to the existing auto-generated FelixConfig component approach used in other product docs, and updates the sync script so Cloud’s config-params.json can be refreshed from upstream automatically.
Changes:
- Replaced static FelixConfiguration spec/config/env tables in Calico Cloud docs with the
FelixConfigReact component (unversioned + v22-2). - Added Calico Cloud support to
scripts/update-felix-config.shand updated the Makefile messaging. - Introduced Calico Cloud copies of the
FelixConfigcomponent implementation + styles (unversioned + v22-2).
Reviewed changes
Copilot reviewed 12 out of 18 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/update-felix-config.sh | Adds CC versions file parsing and CC download/update routines for config-params.json. |
| Makefile | Updates the update-felix-config target messaging to include Cloud. |
| calico-cloud/reference/resources/felixconfig.mdx | Switches FelixConfiguration spec docs to dynamic FelixConfig rendering and updates DNS policy sections. |
| calico-cloud/reference/component-resources/node/felix/configuration.mdx | Switches config/env reference tables to dynamic FelixConfig rendering. |
| calico-cloud/_includes/components/FelixConfig/index.js | Adds CC FelixConfig React component implementation. |
| calico-cloud/_includes/components/FelixConfig/TableResource.js | Adds CC resource/YAML table renderer. |
| calico-cloud/_includes/components/FelixConfig/TableConfig.js | Adds CC config-file table renderer. |
| calico-cloud/_includes/components/FelixConfig/TableEnv.js | Adds CC env-var table renderer. |
| calico-cloud/_includes/components/FelixConfig/styles.module.css | Adds CC component CSS for tables/tabs spacing. |
| calico-cloud_versioned_docs/version-22-2/reference/resources/felixconfig.mdx | Same migration as unversioned for CC v22-2 FelixConfiguration spec. |
| calico-cloud_versioned_docs/version-22-2/reference/component-resources/node/felix/configuration.mdx | Same migration as unversioned for CC v22-2 config/env reference. |
| calico-cloud_versioned_docs/version-22-2/_includes/components/FelixConfig/index.js | Adds versioned CC v22-2 FelixConfig component implementation. |
| calico-cloud_versioned_docs/version-22-2/_includes/components/FelixConfig/TableResource.js | Adds versioned CC v22-2 resource/YAML table renderer. |
| calico-cloud_versioned_docs/version-22-2/_includes/components/FelixConfig/TableConfig.js | Adds versioned CC v22-2 config-file table renderer. |
| calico-cloud_versioned_docs/version-22-2/_includes/components/FelixConfig/TableEnv.js | Adds versioned CC v22-2 env-var table renderer. |
| calico-cloud_versioned_docs/version-22-2/_includes/components/FelixConfig/styles.module.css | Adds versioned CC v22-2 component CSS. |
Comment on lines
+319
to
333
| | Value | Description | | ||
| | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDNSResponse | Felix delays any DNS response until related IPSets are programmed. This introduces some latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit statistics. A Linux kernel version of 3.13 or greater is required to use `DelayDNSResponse`. For earlier kernel versions, this value is modified to `DelayDeniedPacket`. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
||
| ### NFTablesDNSPolicyMode | ||
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. | ||
|
|
||
| | Value | Description | | ||
| | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDNSResponse | Felix delays any DNS response until related IPSets are programmed. This introduces some latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit statistics. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
| ### BPFDNSPolicyMode | ||
|
|
||
| | Value | Description | | ||
| | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | Inline | Felix does not introduce any delay to any packets. Felix's eBPF programs parse DNS responses and program policy rules immediately, before the DNS response is passed to the application. This only applies to wildcard prefixes: `*.x.y.z` will be processed in this manner, but wildcards such as `x.*.y.z` will not match. A Linux kernel version of 5.17 or greater is required. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
There was a problem hiding this comment.
The DNSPolicyMode section no longer documents the Inline option, but the generated config-params (and the field schema) still list Inline as an accepted value. Please add Inline back to the table (and any related notes) so the value reference matches the actual supported enum values.
Comment on lines
+325
to
333
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. | ||
|
|
||
| | Value | Description | | ||
| | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDNSResponse | Felix delays any DNS response until related IPSets are programmed. This introduces some latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit statistics. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
| ### BPFDNSPolicyMode | ||
|
|
||
| | Value | Description | | ||
| | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | Inline | Felix does not introduce any delay to any packets. Felix's eBPF programs parse DNS responses and program policy rules immediately, before the DNS response is passed to the application. This only applies to wildcard prefixes: `*.x.y.z` will be processed in this manner, but wildcards such as `x.*.y.z` will not match. A Linux kernel version of 5.17 or greater is required. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
There was a problem hiding this comment.
The doc removes the NFTablesDNSPolicyMode section entirely, but the nftablesDNSPolicyMode field is still present in the FelixConfiguration spec (and dnsPolicyMode explicitly defers to it in nftables mode). Please restore a NFTablesDNSPolicyMode subsection that explains the allowed values and behavior.
Comment on lines
+1
to
+34
| import React, { useState, useEffect } from 'react'; | ||
| import jsonData from './config-params.json'; | ||
| import Tabs from '@theme/Tabs'; | ||
| import TabItem from '@theme/TabItem'; | ||
| import TableResource from './TableResource'; | ||
| import TableConfig from './TableConfig'; | ||
| import TableEnv from './TableEnv'; | ||
| import styles from './styles.module.css'; | ||
|
|
||
| const FelixConfigTable = ({ configType, fieldData }) => { | ||
| let table; | ||
|
|
||
| switch (configType) { | ||
| case 'yaml': | ||
| table = <TableResource fieldData={fieldData} />; | ||
| break; | ||
| case 'config': | ||
| table = <TableConfig fieldData={fieldData} />; | ||
| break; | ||
| case 'env': | ||
| table = <TableEnv fieldData={fieldData} />; | ||
| break; | ||
| default: | ||
| table = <p>Unknown config type</p>; | ||
| } | ||
|
|
||
| return <div>{table}</div>; | ||
| }; | ||
|
|
||
| const FelixConfig = ({ configType, name }) => { | ||
| const matchedGroup = jsonData.Groups.find((group) => group.Name === name); | ||
| // Debugging logs | ||
|
|
||
| if (!matchedGroup) { |
There was a problem hiding this comment.
useState and useEffect are imported but never used, and there’s also a leftover “Debugging logs” comment. Please remove unused imports/comments to keep the component clean and avoid lint/build warnings.
Comment on lines
+1
to
+34
| import React, { useState, useEffect } from 'react'; | ||
| import jsonData from './config-params.json'; | ||
| import Tabs from '@theme/Tabs'; | ||
| import TabItem from '@theme/TabItem'; | ||
| import TableResource from './TableResource'; | ||
| import TableConfig from './TableConfig'; | ||
| import TableEnv from './TableEnv'; | ||
| import styles from './styles.module.css'; | ||
|
|
||
| const FelixConfigTable = ({ configType, fieldData }) => { | ||
| let table; | ||
|
|
||
| switch (configType) { | ||
| case 'yaml': | ||
| table = <TableResource fieldData={fieldData} />; | ||
| break; | ||
| case 'config': | ||
| table = <TableConfig fieldData={fieldData} />; | ||
| break; | ||
| case 'env': | ||
| table = <TableEnv fieldData={fieldData} />; | ||
| break; | ||
| default: | ||
| table = <p>Unknown config type</p>; | ||
| } | ||
|
|
||
| return <div>{table}</div>; | ||
| }; | ||
|
|
||
| const FelixConfig = ({ configType, name }) => { | ||
| const matchedGroup = jsonData.Groups.find((group) => group.Name === name); | ||
| // Debugging logs | ||
|
|
||
| if (!matchedGroup) { |
There was a problem hiding this comment.
useState and useEffect are imported but never used, and there’s also a leftover “Debugging logs” comment. Please remove unused imports/comments to keep the component clean and avoid lint/build warnings.
Comment on lines
+319
to
333
| | Value | Description | | ||
| | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDNSResponse | Felix delays any DNS response until related IPSets are programmed. This introduces some latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit statistics. A Linux kernel version of 3.13 or greater is required to use `DelayDNSResponse`. For earlier kernel versions, this value is modified to `DelayDeniedPacket`. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
||
| ### NFTablesDNSPolicyMode | ||
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. | ||
|
|
||
| | Value | Description | | ||
| | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDNSResponse | Felix delays any DNS response until related IPSets are programmed. This introduces some latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit statistics. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
| ### BPFDNSPolicyMode | ||
|
|
||
| | Value | Description | | ||
| | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | Inline | Felix does not introduce any delay to any packets. Felix's eBPF programs parse DNS responses and program policy rules immediately, before the DNS response is passed to the application. This only applies to wildcard prefixes: `*.x.y.z` will be processed in this manner, but wildcards such as `x.*.y.z` will not match. A Linux kernel version of 5.17 or greater is required. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
There was a problem hiding this comment.
The DNSPolicyMode section no longer documents the Inline option, but the generated config-params (and the field schema) still list Inline as an accepted value. Please add Inline back to the table (and any related notes) so the value reference matches the actual supported enum values.
Comment on lines
+325
to
333
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. | ||
|
|
||
| | Value | Description | | ||
| | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDNSResponse | Felix delays any DNS response until related IPSets are programmed. This introduces some latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit statistics. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
| ### BPFDNSPolicyMode | ||
|
|
||
| | Value | Description | | ||
| | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | Inline | Felix does not introduce any delay to any packets. Felix's eBPF programs parse DNS responses and program policy rules immediately, before the DNS response is passed to the application. This only applies to wildcard prefixes: `*.x.y.z` will be processed in this manner, but wildcards such as `x.*.y.z` will not match. A Linux kernel version of 5.17 or greater is required. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
There was a problem hiding this comment.
The doc removes the NFTablesDNSPolicyMode section entirely, but the nftablesDNSPolicyMode field is still present in the FelixConfiguration spec (and dnsPolicyMode explicitly defers to it in nftables mode). Please restore a NFTablesDNSPolicyMode subsection that explains the allowed values and behavior.
Collaborator
Author
|
LGTM |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
FelixConfigReact component already used by OSS and EnterprisednsPolicyModeshowingInlineinstead ofDelayDeniedPacket) and ensures CC stays in sync with EE going forwardscripts/update-felix-config.shso futuremake update-felix-configruns pull CC config-params.json from the correct upstream branchesTest plan
yarn startand verify/calico-cloud/reference/resources/felixconfigrenders with dynamic tables/calico-cloud/reference/component-resources/node/felix/configurationrenders with tabbed config/env tablesdnsPolicyModedefault showsDelayDeniedPacket(notInline)GITHUB_TOKEN=... make update-felix-configand verify CC config-params.json files download successfully🤖 Generated with Claude Code