From b78be6dae4ddad717c691eaba2fa68e35839a48d Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Fri, 19 Dec 2025 12:01:59 +0000 Subject: [PATCH 1/5] Prepare for CE 3.22.1 GA release DOCS-2713 --- .../version-3.21-2/variables.js | 2 +- .../version-3.22-2/release-notes/index.mdx | 20 + .../version-3.22-2/releases.json | 538 ++++++++++++++++++ .../version-3.22-2/variables.js | 2 +- docusaurus.config.js | 8 +- src/pages/archive.md | 2 +- static/_redirects | 9 +- 7 files changed, 570 insertions(+), 11 deletions(-) diff --git a/calico-enterprise_versioned_docs/version-3.21-2/variables.js b/calico-enterprise_versioned_docs/version-3.21-2/variables.js index b318cbb875..d5ca8923fe 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/variables.js +++ b/calico-enterprise_versioned_docs/version-3.21-2/variables.js @@ -7,7 +7,7 @@ const variables = { prodnamedash: 'calico-enterprise', version: 'v3.21', openSourceVersion: releases[0].calico.minor_version.slice(1), - baseUrl: '/calico-enterprise/latest', + baseUrl: '/calico-enterprise/3.21', filesUrl: 'https://downloads.tigera.io/ee/v3.21.5', rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5), tutorialFilesURL: 'https://docs.tigera.io/files', diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index 93db8e18df..3afb904c98 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
@@ -167,3 +167,23 @@ This Calico Enterprise release is based on [Calico Open Source 3.31](https://doc #### Upgrading To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). + +### Calico Enterprise 3.21.1 general availability release + +December DD, 2025 + +Calico Enterprise 3.22.1 is now available as a general availability release. + +This release is supported for use in production. + +#### Enhancements + +* TBD + +#### Bug fixes + +* TBD + +#### Upgrading +To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). + diff --git a/calico-enterprise_versioned_docs/version-3.22-2/releases.json b/calico-enterprise_versioned_docs/version-3.22-2/releases.json index 02bdec714b..e7ac28471b 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/releases.json +++ b/calico-enterprise_versioned_docs/version-3.22-2/releases.json 
@@ -1,4 +1,273 @@ [ + { + "title": "v3.22.1", + "tigera-operator": { + "version": "v1.40.1", + "image": "tigera/operator", + "registry": "quay.io" + }, + "calico": { + "minor_version": "v3.31", + "archive_path": "archive" + }, + "components": { + "alertmanager": { + "version": "v3.22.1", + "image": "tigera/alertmanager" + }, + "calicoctl": { + "version": "v3.22.1", + "image": "tigera/calicoctl" + }, + "calicoq": { + "version": "v3.22.1", + "image": "tigera/calicoq" + }, + "apiserver": { + "version": "v3.22.1", + "image": "tigera/apiserver" + }, + "kube-controllers": { + "version": "v3.22.1", + "image": "tigera/kube-controllers" + }, + "manager": { + "version": "v3.22.1", + "image": "tigera/manager" + }, + "manager-proxy": { + "version": "v3.22.1", + "image": "tigera/manager-proxy" + }, + "node": { + "version": "v3.22.1", + "image": "tigera/node" + }, + "node-windows": { + "version": "v3.22.1", + "image": "tigera/node-windows" + }, + "queryserver": { + "version": "v3.22.1", + "image": "tigera/queryserver" + }, + "compliance-benchmarker": { + "version": "v3.22.1", + "image": "tigera/compliance-benchmarker" + }, + "compliance-controller": { + "version": "v3.22.1", + "image": "tigera/compliance-controller" + }, + "compliance-reporter": { + "version": "v3.22.1", + "image": "tigera/compliance-reporter" + }, + "compliance-server": { + "version": "v3.22.1", + "image": "tigera/compliance-server" + }, + "compliance-snapshotter": { + "version": "v3.22.1", + "image": "tigera/compliance-snapshotter" + }, + "coreos-alertmanager": { + "version": "v0.28.1" + }, + "coreos-config-reloader": { + "version": "v0.84.0" + }, + "coreos-dex": { + "version": "v2.41.1" + }, + "coreos-fluentd": { + "version": "1.18.0" + }, + "coreos-prometheus": { + "version": "v3.4.1" + }, + "coreos-prometheus-operator": { + "version": "v0.84.0" + }, + "csi": { + "version": "v3.22.1", + "image": "tigera/csi" + }, + "csi-node-driver-registrar": { + "version": "v3.22.1", + "image": 
"tigera/node-driver-registrar" + }, + "deep-packet-inspection": { + "version": "v3.22.1", + "image": "tigera/deep-packet-inspection" + }, + "dex": { + "version": "v3.22.1", + "image": "tigera/dex" + }, + "dikastes": { + "version": "v3.22.1", + "image": "tigera/dikastes" + }, + "eck-elasticsearch": { + "version": "8.18.4" + }, + "eck-elasticsearch-operator": { + "version": "2.16.1" + }, + "eck-kibana": { + "version": "8.18.4" + }, + "egress-gateway": { + "version": "v3.22.1", + "image": "tigera/egress-gateway" + }, + "elastic-tsee-installer": { + "version": "v3.22.1", + "image": "tigera/intrusion-detection-job-installer" + }, + "elasticsearch": { + "version": "v3.22.1", + "image": "tigera/elasticsearch" + }, + "elasticsearch-metrics": { + "version": "v3.22.1", + "image": "tigera/elasticsearch-metrics" + }, + "elasticsearch-operator": { + "version": "v3.22.1", + "image": "tigera/eck-operator" + }, + "envoy": { + "version": "v3.22.1", + "image": "tigera/envoy" + }, + "envoy-init": { + "version": "v3.22.1", + "image": "tigera/envoy-init" + }, + "es-gateway": { + "version": "v3.22.1", + "image": "tigera/es-gateway" + }, + "firewall-integration": { + "version": "v3.22.1", + "image": "tigera/firewall-integration" + }, + "flexvol": { + "version": "v3.22.1", + "image": "tigera/pod2daemon-flexvol" + }, + "fluentd": { + "version": "v3.22.1", + "image": "tigera/fluentd" + }, + "fluentd-windows": { + "version": "v3.22.1", + "image": "tigera/fluentd-windows" + }, + "gateway-api-envoy-gateway": { + "version": "v3.22.1", + "image": "tigera/envoy-gateway" + }, + "gateway-api-envoy-proxy": { + "version": "v3.22.1", + "image": "tigera/envoy-proxy" + }, + "gateway-api-envoy-ratelimit": { + "version": "v3.22.1", + "image": "tigera/envoy-ratelimit" + }, + "guardian": { + "version": "v3.22.1", + "image": "tigera/guardian" + }, + "ingress-collector": { + "version": "v3.22.1", + "image": "tigera/ingress-collector" + }, + "intrusion-detection-controller": { + "version": "v3.22.1", + 
"image": "tigera/intrusion-detection-controller" + }, + "key-cert-provisioner": { + "version": "v3.22.1", + "image": "tigera/key-cert-provisioner" + }, + "kibana": { + "version": "v3.22.1", + "image": "tigera/kibana" + }, + "l7-admission-controller": { + "version": "v3.22.1", + "image": "tigera/l7-admission-controller" + }, + "l7-collector": { + "version": "v3.22.1", + "image": "tigera/l7-collector" + }, + "license-agent": { + "version": "v3.22.1", + "image": "tigera/license-agent" + }, + "linseed": { + "version": "v3.22.1", + "image": "tigera/linseed" + }, + "packetcapture": { + "version": "v3.22.1", + "image": "tigera/packetcapture" + }, + "policy-recommendation": { + "version": "v3.22.1", + "image": "tigera/policy-recommendation" + }, + "prometheus": { + "version": "v3.22.1", + "image": "tigera/prometheus" + }, + "prometheus-config-reloader": { + "version": "v3.22.1", + "image": "tigera/prometheus-config-reloader" + }, + "prometheus-operator": { + "version": "v3.22.1", + "image": "tigera/prometheus-operator" + }, + "tigera-cni": { + "version": "v3.22.1", + "image": "tigera/cni" + }, + "tigera-cni-windows": { + "version": "v3.22.1", + "image": "tigera/cni-windows" + }, + "tigera-prometheus-service": { + "version": "v3.22.1", + "image": "tigera/prometheus-service" + }, + "typha": { + "version": "v3.22.1", + "image": "tigera/typha" + }, + "ui-apis": { + "version": "v3.22.1", + "image": "tigera/ui-apis" + }, + "voltron": { + "version": "v3.22.1", + "image": "tigera/voltron" + }, + "waf-http-filter": { + "version": "v3.22.1", + "image": "tigera/waf-http-filter" + }, + "webhooks-processor": { + "version": "v3.22.1", + "image": "tigera/webhooks-processor" + } + } + }, { "title": "v3.22.0-2.0", "tigera-operator": { 
@@ -267,5 +536,274 @@ "image": "tigera/webhooks-processor" } } + }, + { + "title": "v3.22.0-1.0", + "tigera-operator": { + "version": "v1.39.0", + "image": "tigera/operator", + "registry": "quay.io" + }, + "calico": { + "minor_version": "v3.30", + "archive_path": "archive" + }, + "components": { + "alertmanager": { + "version": "v3.22.0-1.0", + "image": "tigera/alertmanager" + }, + "calicoctl": { + "version": "v3.22.0-1.0", + "image": "tigera/calicoctl" + }, + "calicoq": { + "version": "v3.22.0-1.0", + "image": "tigera/calicoq" + }, + "cnx-apiserver": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-apiserver" + }, + "cnx-kube-controllers": { + "version": "v3.22.0-1.0", + "image": "tigera/kube-controllers" + }, + "cnx-manager": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-manager" + }, + "cnx-manager-proxy": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-manager-proxy" + }, + "cnx-node": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-node" + }, + "cnx-node-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-node-windows" + }, + "cnx-queryserver": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-queryserver" + }, + "compliance-benchmarker": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-benchmarker" + }, + "compliance-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-controller" + }, + "compliance-reporter": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-reporter" + }, + "compliance-server": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-server" + }, + "compliance-snapshotter": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-snapshotter" + }, + "coreos-alertmanager": { + "version": "v0.28.1" + }, + "coreos-config-reloader": { + "version": "v0.84.0" + }, + "coreos-dex": { + "version": "v2.41.1" + }, + "coreos-fluentd": { + "version": "1.18.0" + }, + "coreos-prometheus": { + "version": "v3.4.1" + }, + "coreos-prometheus-operator": { + "version": "v0.84.0" + 
}, + "csi": { + "version": "v3.22.0-1.0", + "image": "tigera/csi" + }, + "csi-node-driver-registrar": { + "version": "v3.22.0-1.0", + "image": "tigera/node-driver-registrar" + }, + "deep-packet-inspection": { + "version": "v3.22.0-1.0", + "image": "tigera/deep-packet-inspection" + }, + "dex": { + "version": "v3.22.0-1.0", + "image": "tigera/dex" + }, + "dikastes": { + "version": "v3.22.0-1.0", + "image": "tigera/dikastes" + }, + "eck-elasticsearch": { + "version": "8.18.4" + }, + "eck-elasticsearch-operator": { + "version": "2.16.1" + }, + "eck-kibana": { + "version": "8.18.4" + }, + "egress-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/egress-gateway" + }, + "elastic-tsee-installer": { + "version": "v3.22.0-1.0", + "image": "tigera/intrusion-detection-job-installer" + }, + "elasticsearch": { + "version": "v3.22.0-1.0", + "image": "tigera/elasticsearch" + }, + "elasticsearch-metrics": { + "version": "v3.22.0-1.0", + "image": "tigera/elasticsearch-metrics" + }, + "elasticsearch-operator": { + "version": "v3.22.0-1.0", + "image": "tigera/eck-operator" + }, + "envoy": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy" + }, + "envoy-init": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-init" + }, + "es-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/es-gateway" + }, + "firewall-integration": { + "version": "v3.22.0-1.0", + "image": "tigera/firewall-integration" + }, + "flexvol": { + "version": "v3.22.0-1.0", + "image": "tigera/pod2daemon-flexvol" + }, + "fluentd": { + "version": "v3.22.0-1.0", + "image": "tigera/fluentd" + }, + "fluentd-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/fluentd-windows" + }, + "gateway-api-envoy-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-gateway" + }, + "gateway-api-envoy-proxy": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-proxy" + }, + "gateway-api-envoy-ratelimit": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-ratelimit" + }, + "guardian": { + 
"version": "v3.22.0-1.0", + "image": "tigera/guardian" + }, + "ingress-collector": { + "version": "v3.22.0-1.0", + "image": "tigera/ingress-collector" + }, + "intrusion-detection-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/intrusion-detection-controller" + }, + "key-cert-provisioner": { + "version": "v3.22.0-1.0", + "image": "tigera/key-cert-provisioner" + }, + "kibana": { + "version": "v3.22.0-1.0", + "image": "tigera/kibana" + }, + "l7-admission-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/l7-admission-controller" + }, + "l7-collector": { + "version": "v3.22.0-1.0", + "image": "tigera/l7-collector" + }, + "license-agent": { + "version": "v3.22.0-1.0", + "image": "tigera/license-agent" + }, + "linseed": { + "version": "v3.22.0-1.0", + "image": "tigera/linseed" + }, + "packetcapture": { + "version": "v3.22.0-1.0", + "image": "tigera/packetcapture" + }, + "policy-recommendation": { + "version": "v3.22.0-1.0", + "image": "tigera/policy-recommendation" + }, + "prometheus": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus" + }, + "prometheus-config-reloader": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-config-reloader" + }, + "prometheus-operator": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-operator" + }, + "tigera-cni": { + "version": "v3.22.0-1.0", + "image": "tigera/cni" + }, + "tigera-cni-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/cni-windows" + }, + "tigera-prometheus-service": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-service" + }, + "typha": { + "version": "v3.22.0-1.0", + "image": "tigera/typha" + }, + "ui-apis": { + "version": "v3.22.0-1.0", + "image": "tigera/ui-apis" + }, + "voltron": { + "version": "v3.22.0-1.0", + "image": "tigera/voltron" + }, + "waf-http-filter": { + "version": "v3.22.0-1.0", + "image": "tigera/waf-http-filter" + }, + "webhooks-processor": { + "version": "v3.22.0-1.0", + "image": "tigera/webhooks-processor" + } + } } ] 
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/variables.js b/calico-enterprise_versioned_docs/version-3.22-2/variables.js
index c97bef1f14..42aa775c75 100644
--- a/calico-enterprise_versioned_docs/version-3.22-2/variables.js
+++ b/calico-enterprise_versioned_docs/version-3.22-2/variables.js
@@ -7,7 +7,7 @@ const variables = {
 prodnamedash: 'calico-enterprise',
 version: 'v3.22',
 openSourceVersion: releases[0].calico.minor_version.slice(1),
- baseUrl: '/calico-enterprise/3.22',
+ baseUrl: '/calico-enterprise/latest',
 filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-2.0',
 rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5),
 tutorialFilesURL: 'https://docs.tigera.io/files',
diff --git a/docusaurus.config.js b/docusaurus.config.js
index 338739be37..d6fdb7765d 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -441,13 +441,13 @@ export default async function createAsyncConfig() {
 banner: 'unreleased',
 },
 '3.22-2': {
- label: '3.22 (early preview)',
- path: '3.22',
+ label: '3.22 (latest)',
+ path: 'latest',
 banner: 'unreleased',
 },
 '3.21-2': {
- label: '3.21 (latest)',
- path: 'latest',
+ label: '3.21',
+ path: '3.21',
 banner: 'none',
 },
 '3.20-2': {
diff --git a/src/pages/archive.md b/src/pages/archive.md
index b71941469b..19abe99c25 100644
--- a/src/pages/archive.md
+++ b/src/pages/archive.md
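Review bot: `filesUrl` in the context line directly below the changed `baseUrl` still points at `https://downloads.tigera.io/ee/v3.22.0-2.0`, the early-preview build, while this commit makes 3.22 the `latest` docs and adds `v3.22.1` as the first entry of `releases.json`. If it stays, the download links built from `filesUrl` would presumably serve the preview manifests while the component tables list v3.22.1, so an install following the GA docs would not match the documented image set. I would update it in this hunk, e.g. `filesUrl: 'https://downloads.tigera.io/ee/v3.22.1',` (path inferred from the `v3.21.5` pattern in the 3.21 file; confirm the published location), unless a later patch in this series already does. The `variables` object starts before and continues past the hunk.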
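Review bot: The `'3.22-2'` entry in the docusaurus.config.js hunk keeps `banner: 'unreleased'` while its label becomes `'3.22 (latest)'` and its path `'latest'`, so the default docs would presumably render under the unreleased-version banner; the outgoing latest entry `'3.21-2'` uses `banner: 'none'`. If the banner is meant to stay until GA day, a comment such as `// TODO(DOCS-2713): switch banner to 'none' at GA` would make that explicit; otherwise change the line to `banner: 'none',`. The versions map inside `createAsyncConfig` begins and ends outside the hunk.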
@@ -33,7 +33,7 @@ description: Links to all versions of product documentation for Calico, Calico E * [Calico Enterprise 3.22](https://docs.tigera.io/calico-enterprise/3.22/about) * [Calico Enterprise 3.21](https://docs.tigera.io/calico-enterprise/3.21/about) * [Calico Enterprise 3.20](https://docs.tigera.io/calico-enterprise/3.20/about) -* [Calico Enterprise 3.19](https://docs.tigera.io/calico-enterprise/3.19/about) +* [Calico Enterprise 3.19](https://archive-ce-3-19.netlify.app/calico-enterprise/3.19/about/) * [Calico Enterprise 3.18](https://archive-ce-3-18.netlify.app/calico-enterprise/3.18/about) * [Calico Enterprise 3.17](https://archive-ce-3-17.netlify.app/calico-enterprise/3.17/about) * [Calico Enterprise 3.16](https://archive-ce-3-16.netlify.app/calico-enterprise/3.16/about-calico-enterprise) diff --git a/static/_redirects b/static/_redirects index 1ebee1ce3d..8112787ef0 100644 --- a/static/_redirects +++ b/static/_redirects @@ -13,7 +13,7 @@ # Splat rule for 'latest' X.Y to 'latest' URL /calico/3.31/* /calico/latest/:splat 302 -/calico-enterprise/3.21/* /calico-enterprise/latest/:splat 302 +/calico-enterprise/3.22/* /calico-enterprise/latest/:splat 302 # Calico OSS pages moved /calico/:version/about/about-calico /calico/:version/about 301 @@ -39,7 +39,8 @@ /calico-enterprise/ /calico-enterprise/latest/about 301 /calico-enterprise/next/ /calico-enterprise/next/about 301 /calico-enterprise/latest/ /calico-enterprise/latest/about 301 -/calico-enterprise/3.21/ /calico-enterprise/latest/about 301 +/calico-enterprise/3.22/ /calico-enterprise/latest/about 301 +/calico-enterprise/3.21/ /calico-enterprise/3.21/about 301 /calico-enterprise/3.20/ /calico-enterprise/3.20/about 301 /calico-enterprise/3.18/ /calico-enterprise/3.18/about 301 /calico-enterprise/3.17/ /calico-enterprise/3.17/about 301 
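Review bot: The added `/calico-enterprise/3.22/ /calico-enterprise/latest/about 301` rule in the second `_redirects` hunk makes a moving alias permanent, and clients and intermediaries may cache a 301 indefinitely. The same hunk shows the cost: `/calico-enterprise/3.21/` was a 301 to `latest/about` and is now repointed to `/calico-enterprise/3.21/about`, so anyone holding the cached answer can keep landing on 3.22 content when asking for 3.21. The splat rule in the first hunk already uses 302 for this alias; I would match it here with `/calico-enterprise/3.22/ /calico-enterprise/latest/about 302`. Whether this rule is reached at all, or shadowed by the earlier `/calico-enterprise/3.22/*` rule, cannot be told from the hunk and is worth checking.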
@@ -53,6 +54,7 @@ /calico/3.26/* https://archive-os-3-26.netlify.app/calico/3.26/:splat 301 /calico/3.25/* https://archive-os-3-25.netlify.app/calico/3.25/:splat 301 /calico/3.24/* https://archive-os-3-24.netlify.app/calico/3.24/:splat 301 +/calico-enterprise/3.19/* https://archive-ce-3-19.netlify.app/calico-enterprise/3.19/:splat 301 /calico-enterprise/3.18/* https://archive-ce-3-18.netlify.app/calico-enterprise/3.18/:splat 301 /calico-enterprise/3.17/* https://archive-ce-3-17.netlify.app/calico-enterprise/3.17/:splat 301 /calico-enterprise/3.16/* https://archive-ce-3-16.netlify.app/calico-enterprise/3.16/:splat 301 @@ -63,10 +65,9 @@ # Redirects for pages we've moved after the docs migration -/calico-enterprise/3.22/networking/gateway-api /calico-enterprise/3.22/networking/ingress-gateway/about-calico-ingress-gateway 301 /calico/latest/networking/gateway-api /calico/latest/networking/ingress-gateway/about-calico-ingress-gateway 301 /calico-cloud/networking/gateway-api /calico-cloud/networking/ingress-gateway/about-calico-ingress-gateway 301 -# FOR 3.22 GA: /calico-enterprise/latest/networking/gateway-api /calico-enterprise/latest/networking/ingress-gateway/about-calico-ingress-gateway 301 +/calico-enterprise/latest/networking/gateway-api /calico-enterprise/latest/networking/ingress-gateway/about-calico-ingress-gateway 301 ## Rename 'visibility' directory to 'observability' /:product/:version/visibility/* /:product/:version/observability/:splat 301 From e8a7e516059abb8abc74e0da11aa3b037948ecc3 Mon Sep 17 00:00:00 2001 
From: Christopher Tauchen Date: Tue, 16 Dec 2025 14:44:30 +0000 Subject: [PATCH 2/5] Add docs for Istio Ambient Mode DOCS-2798 --- .../compliance/istio/about-istio-ambient.mdx | 46 ++++++ .../compliance/istio/deploy-istio-ambient.mdx | 154 ++++++++++++++++++ .../compliance/istio/about-istio-ambient.mdx | 46 ++++++ .../compliance/istio/deploy-istio-ambient.mdx | 154 ++++++++++++++++++ .../compliance/istio/about-istio-ambient.mdx | 46 ++++++ .../compliance/istio/deploy-istio-ambient.mdx | 154 ++++++++++++++++++ .../version-3.22-2-sidebars.json | 9 + sidebars-calico-cloud.js | 9 + sidebars-calico-enterprise.js | 9 + 9 files changed, 627 insertions(+) create mode 100644 calico-cloud/compliance/istio/about-istio-ambient.mdx create mode 100644 calico-cloud/compliance/istio/deploy-istio-ambient.mdx create mode 100644 calico-enterprise/compliance/istio/about-istio-ambient.mdx create mode 100644 calico-enterprise/compliance/istio/deploy-istio-ambient.mdx create mode 100644 calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx create mode 100644 calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx diff --git a/calico-cloud/compliance/istio/about-istio-ambient.mdx b/calico-cloud/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..bd2f8328dd --- /dev/null +++ b/calico-cloud/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,46 @@
+---
+description: An overview of Calico's bundled version of Istio Ambient Mode
+---
+
+# Istio Ambient Mode
+
+You can use $[prodname] to deploy and manage an Istio service mesh on your cluster.
+$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services.
+
+## About Istio Ambient Mode
+
+Istio is a service mesh that manages and secures communication between microservices.
+Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh.
+At scale, running these sidecar proxies can be difficult to manage and a drain on resources.
+
+Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod.
+Instead, it uses node-level components for shared security and a layered approach for advanced traffic management.
+This design saves on computing resources and simplifies operations.
+
+## About Istio Ambient Mode on Calico
+
+$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator.
+
+This integration automates the lifecycle of the Istio components to reduce manual configuration overhead.
+CVEs are addressed as part of the regular $[prodname] patch release cadence.
+Administrators provision the Istio service mesh by defining a standard `Istio` custom resource.
+
+### The enhanced zTunnel proxy
+
+The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node.
+
+Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4.
+
+A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008).
+This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic.
+
+Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port.
+This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS.
+
+These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy.
+If you deploy Waypoint, the reported destination ports will follow the original behavior.
+Existing network policies need to be adapted to allow communication to port 15008.
+
+## Additional resources
+* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/).
+* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/)
diff --git a/calico-cloud/compliance/istio/deploy-istio-ambient.mdx b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx
new file mode 100644
index 0000000000..4f3c7c2b3f
--- /dev/null
+++ b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx
@@ -0,0 +1,154 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. +When that's done, you can delete the `Istio` custom resource. + +1. 
Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise/compliance/istio/about-istio-ambient.mdx b/calico-enterprise/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..bd2f8328dd --- /dev/null +++ b/calico-enterprise/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,46 @@
+---
+description: An overview of Calico's bundled version of Istio Ambient Mode
+---
+
+# Istio Ambient Mode
+
+You can use $[prodname] to deploy and manage an Istio service mesh on your cluster.
+$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services.
+
+## About Istio Ambient Mode
+
+Istio is a service mesh that manages and secures communication between microservices.
+Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh.
+At scale, running these sidecar proxies can be difficult to manage and a drain on resources.
+
+Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod.
+Instead, it uses node-level components for shared security and a layered approach for advanced traffic management.
+This design saves on computing resources and simplifies operations.
+
+## About Istio Ambient Mode on Calico
+
+$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator.
+
+This integration automates the lifecycle of the Istio components to reduce manual configuration overhead.
+CVEs are addressed as part of the regular $[prodname] patch release cadence.
+Administrators provision the Istio service mesh by defining a standard `Istio` custom resource.
+
+### The enhanced zTunnel proxy
+
+The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node.
+
+Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4.
+
+A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008).
+This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic.
+
+Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port.
+This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS.
+
+These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy.
+If you deploy Waypoint, the reported destination ports will follow the original behavior.
+Existing network policies need to be adapted to allow communication to port 15008.
+
+## Additional resources
+* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/).
+* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/)
diff --git a/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx
new file mode 100644
index 0000000000..4f3c7c2b3f
--- /dev/null
+++ b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx
@@ -0,0 +1,154 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. +When that's done, you can delete the `Istio` custom resource. + +1. 
Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..1487b9aa2f --- /dev/null +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,46 @@ +--- +description: An overview of Calico's bundled version of Istio Ambient Mode +--- + +# Istio Ambient Mode + +You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. +$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. + +## About Istio Ambient Mode + +Istio is a service mesh that manages and secures communication between microservices. +Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh. +At scale, running these sidecar proxies can be difficult to manage and a drain on resources. + +Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod. +Instead, it uses node-level components for shared security and a layered approach for advanced traffic management. +This design saves on computing resources and simplifies operations. + +## About Istio Ambient Mode on Calico + +$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator. + +This integration automates the lifecycle of the Istio components to reduce manual configuration overhead. +CVEs are addressed as part of the regular $[prodname] patch release cadence. +Administrators provision the Istio service mesh by defining a standard `Istio` custom resource. + +### The enhanced zTunnel proxy + +The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node. + +Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4. + +A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008). +This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic. 
+ +Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port. +This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS. + +These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy. +If you deploy Waypoint, the reported destination ports will follow the original behavior. +Existing network policies need to be adapted to allow communication to port 15008. + +## Additional resources +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx new file mode 100644 index 0000000000..4f3c7c2b3f --- /dev/null +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx 
@@ -0,0 +1,154 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. +When that's done, you can delete the `Istio` custom resource. + +1. 
Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json b/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json index 0d9cb699ad..41171a2d06 100644 --- a/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json +++ b/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json 
@@ -588,6 +588,15 @@
 "id": "compliance/index"
 },
 "items": [
+ {
+ "type": "category",
+ "label": "Istio Ambient Mode",
+ "link": null,
+ "items": [
+ "compliance/istio/about-istio-ambient",
+ "compliance/istio/deploy-istio-ambient"
+ ]
+ },
 "compliance/enable-compliance",
 "compliance/overview",
 "compliance/compliance-reports-cis",
diff --git a/sidebars-calico-cloud.js b/sidebars-calico-cloud.js
index a04a34fea4..d57e0e6adb 100644
--- a/sidebars-calico-cloud.js
+++ b/sidebars-calico-cloud.js
@@ -306,6 +306,15 @@ module.exports = {
 label: 'Compliance and security',
 link: {type: 'doc', id: 'compliance/index'},
 items: [
+ {
+ type: 'category',
+ label: 'Istio Ambient Mode',
+ link: null,
+ items: [
+ 'compliance/istio/about-istio-ambient',
+ 'compliance/istio/deploy-istio-ambient',
+ ],
+ },
 'compliance/enable-compliance',
 'compliance/overview',
 'compliance/compliance-reports-cis',
diff --git a/sidebars-calico-enterprise.js b/sidebars-calico-enterprise.js
index 8d0106d7e1..04f1c99d2d 100644
--- a/sidebars-calico-enterprise.js
+++ b/sidebars-calico-enterprise.js
@@ -463,6 +463,15 @@ module.exports = {
 label: 'Compliance and security',
 link: { type: 'doc', id: 'compliance/index' },
 items: [
+ {
+ type: 'category',
+ label: 'Istio Ambient Mode',
+ link: null,
+ items: [
+ 'compliance/istio/about-istio-ambient',
+ 'compliance/istio/deploy-istio-ambient',
+ ],
+ },
 'compliance/enable-compliance',
 'compliance/overview',
 'compliance/compliance-reports-cis',
From 55766acd02ccd3d47b5bc716d18e1c4f629c8aae Mon Sep 17 00:00:00 2001
From: Christopher Tauchen Date: Mon, 22 Dec 2025 15:15:00 +0000 Subject: [PATCH 3/5] Updates for CE 3.22.1 release Add tech preview status for Istio Ambient, Fix variables.js, Add Isto to release notes. --- calico-cloud/compliance/istio/about-istio-ambient.mdx | 7 +++++++ calico-cloud/compliance/istio/deploy-istio-ambient.mdx | 7 +++++++ .../compliance/istio/about-istio-ambient.mdx | 7 +++++++ .../compliance/istio/deploy-istio-ambient.mdx | 7 +++++++ .../compliance/istio/about-istio-ambient.mdx | 9 ++++++++- .../compliance/istio/deploy-istio-ambient.mdx | 7 +++++++ .../version-3.22-2/release-notes/index.mdx | 7 +++++++ .../version-3.22-2/variables.js | 6 +++--- 8 files changed, 53 insertions(+), 4 deletions(-) diff --git a/calico-cloud/compliance/istio/about-istio-ambient.mdx b/calico-cloud/compliance/istio/about-istio-ambient.mdx index bd2f8328dd..67d3c6587f 100644 --- a/calico-cloud/compliance/istio/about-istio-ambient.mdx +++ b/calico-cloud/compliance/istio/about-istio-ambient.mdx @@ -7,6 +7,13 @@ description: An overview of Calico's bundled version of Istio Ambient Mode You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. $[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## About Istio Ambient Mode Istio is a service mesh that manages and secures communication between microservices. diff --git a/calico-cloud/compliance/istio/deploy-istio-ambient.mdx b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx index 4f3c7c2b3f..a2f650eb59 100644 --- a/calico-cloud/compliance/istio/deploy-istio-ambient.mdx +++ b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx 
@@ -6,6 +6,13 @@ description: This page explains how to deploy Calico's bundled version of Istio You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## Limitations * [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. diff --git a/calico-enterprise/compliance/istio/about-istio-ambient.mdx b/calico-enterprise/compliance/istio/about-istio-ambient.mdx index bd2f8328dd..67d3c6587f 100644 --- a/calico-enterprise/compliance/istio/about-istio-ambient.mdx +++ b/calico-enterprise/compliance/istio/about-istio-ambient.mdx @@ -7,6 +7,13 @@ description: An overview of Calico's bundled version of Istio Ambient Mode You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. $[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## About Istio Ambient Mode Istio is a service mesh that manages and secures communication between microservices. diff --git a/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx index 4f3c7c2b3f..a2f650eb59 100644 --- a/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx +++ b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx 
@@ -6,6 +6,13 @@ description: This page explains how to deploy Calico's bundled version of Istio You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## Limitations * [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx index 1487b9aa2f..67d3c6587f 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx @@ -7,6 +7,13 @@ description: An overview of Calico's bundled version of Istio Ambient Mode You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. $[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## About Istio Ambient Mode Istio is a service mesh that manages and secures communication between microservices. @@ -43,4 +50,4 @@ Existing network policies need to be adapted to allow communication to port 1500 ## Additional resources * [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). -* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) \ No newline at end of file +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) 
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx index 4f3c7c2b3f..a2f650eb59 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx @@ -6,6 +6,13 @@ description: This page explains how to deploy Calico's bundled version of Istio You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## Limitations * [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index 3afb904c98..e9ad426440 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
@@ -30,6 +30,10 @@ This release adds customization options for specifying external load balancers f For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/customize-ingress-gateway.mdx#customize-gateway-deployment-and-features). +### Istio Ambient Mode (tech preview) +Calico now provides a bundled version of Istio in ambient mode, a sidecarless architecture that delivers robust mTLS encryption and service mesh security while significantly reducing resource consumption and operational overhead. This implementation, managed by the Tigera Operator, features an enhanced zTunnel proxy that preserves original destination ports to ensure existing Calico and Kubernetes network policies continue to function seamlessly without requiring rewrites. + +For more information, see [Istio Ambient Mode](../compliance/istio/about-istio-ambient.mdx). ### HTTP header-based matching for application layer policies This release includes support for HTTP header-based matching for application layer policies. @@ -176,6 +180,9 @@ Calico Enterprise 3.22.1 is now available as a general availability release. This release is supported for use in production. +This release adds the following features: +* [Istio Ambient Mode](#istio-ambient-mode-tech-preview) + #### Enhancements * TBD diff --git a/calico-enterprise_versioned_docs/version-3.22-2/variables.js b/calico-enterprise_versioned_docs/version-3.22-2/variables.js index 42aa775c75..996835be68 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/variables.js +++ b/calico-enterprise_versioned_docs/version-3.22-2/variables.js 
@@ -2,13 +2,13 @@ const releases = require('./releases.json'); const componentImage = require('../../src/components/utils/componentImage'); const variables = { - releaseTitle: 'v3.22.0-2.0', + releaseTitle: 'v3.22.1', prodname: 'Calico Enterprise', prodnamedash: 'calico-enterprise', version: 'v3.22', openSourceVersion: releases[0].calico.minor_version.slice(1), baseUrl: '/calico-enterprise/latest', - filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-2.0', + filesUrl: 'https://downloads.tigera.io/ee/v3.22.1', rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5), tutorialFilesURL: 'https://docs.tigera.io/files', tmpScriptsURL: 'https://docs.tigera.io/calico-enterprise/3.22', @@ -20,7 +20,7 @@ const variables = { rootDirWindows: 'C:\\TigeraCalico', registry: 'quay.io/', envoyVersion: '1.5.0', - chart_version_name: 'v3.22.0-2.0-0', + chart_version_name: 'v3.22.1-0', tigeraOperator: releases[0]['tigera-operator'], dikastesVersion: releases[0].components.dikastes.version, releases, From 9e028567098ce5b352dde1f53ac3a11b6af3b522 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Mon, 22 Dec 2025 15:28:37 +0000 Subject: [PATCH 4/5] Update release date and add known issue --- .../version-3.22-2/release-notes/index.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index e9ad426440..23537c7dff 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
@@ -172,7 +172,7 @@ This Calico Enterprise release is based on [Calico Open Source 3.31](https://doc To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). -### Calico Enterprise 3.21.1 general availability release +### Calico Enterprise 3.22.1 general availability release December DD, 2025 @@ -187,6 +187,12 @@ This release adds the following features: * TBD +#### Known issues + +* If you use the nftables data plane with L7 features (WAF or L7 logging) on a platform without legacy iptables support, such as OpenShift 4.20, these capabilities will fail to initialize. + This occurs because some Calico images are missing the required nftables binaries and incorrectly rely on legacy iptables modules that have been removed from newer operating systems. + As a workaround, ensure your host platform has legacy iptables kernel modules installed and loaded until a full fix is delivered in an upcoming patch release. + #### Bug fixes * TBD From 56802239c99a439acfe786516d6943190faf0000 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Mon, 22 Dec 2025 17:03:42 +0000 Subject: [PATCH 5/5] Change bad link --- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/calico-enterprise/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise/getting-started/install-on-clusters/rancher.mdx index bd9cc8fe3b..5dcd1ea2a2 100644 --- a/calico-enterprise/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise/getting-started/install-on-clusters/rancher.mdx 
@@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://rancher.com/docs/rancher/en/cluster-provisioning/rke-clusters/options/#cluster-config-file). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx index e4c2518bdf..0d22af31f4 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note 
diff --git a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx index e4c2518bdf..0d22af31f4 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx index 9c601c1736..5dcd1ea2a2 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx 
@@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx index bd9cc8fe3b..5dcd1ea2a2 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://rancher.com/docs/rancher/en/cluster-provisioning/rke-clusters/options/#cluster-config-file). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note