From 4334f4fb20673106bd96fd5328e91bd1055324ae Mon Sep 17 00:00:00 2001
From: Mazdak Nasab <mazdak.nasab@gmail.com>
Date: Wed, 29 Oct 2025 13:51:04 -0700
Subject: [PATCH 1/2] remove validation

---
 pkg/controller/installation/validation.go | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/pkg/controller/installation/validation.go b/pkg/controller/installation/validation.go
index 6ace6dd767..4ed6f845c0 100644
--- a/pkg/controller/installation/validation.go
+++ b/pkg/controller/installation/validation.go
@@ -168,16 +168,8 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 					// Verify the specified encapsulation type is valid.
 					switch pool.Encapsulation {
 					case operatorv1.EncapsulationIPIP, operatorv1.EncapsulationIPIPCrossSubnet:
-						// IPIP currently requires BGP to be running in order to program routes.
-						if instance.Spec.CalicoNetwork.BGP == nil || *instance.Spec.CalicoNetwork.BGP == operatorv1.BGPDisabled {
-							return fmt.Errorf("IPIP encapsulation requires that BGP is enabled")
-						}
 					case operatorv1.EncapsulationVXLAN, operatorv1.EncapsulationVXLANCrossSubnet:
 					case operatorv1.EncapsulationNone:
-						// Unencapsulated currently requires BGP to be running in order to program routes.
-						if instance.Spec.CalicoNetwork.BGP == nil || *instance.Spec.CalicoNetwork.BGP == operatorv1.BGPDisabled {
-							return fmt.Errorf("unencapsulated IP pools require that BGP is enabled")
-						}
 					}
 				case operatorv1.IPAMPluginHostLocal:
 					// The host-local IPAM plugin doesn't support VXLAN.

From 8972ba0cb939d65abca3bbbaddbf2db4f6b31b65 Mon Sep 17 00:00:00 2001
From: Mazdak Nasab <mazdak.nasab@gmail.com>
Date: Thu, 30 Oct 2025 11:22:42 -0700
Subject: [PATCH 2/2] Update

---
 pkg/controller/installation/validation.go             |  7 -------
 pkg/controller/installation/validation_test.go        | 11 +++++++----
 ...ojectcalico.org_kubecontrollersconfigurations.yaml |  2 ++
 3 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/pkg/controller/installation/validation.go b/pkg/controller/installation/validation.go
index 4ed6f845c0..c6fe9b912b 100644
--- a/pkg/controller/installation/validation.go
+++ b/pkg/controller/installation/validation.go
@@ -164,13 +164,6 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 			// Check that the encapsulation mode on the IP pool is compatible with the CNI plugin that is in-use.
 			if instance.Spec.CNI.Type == operatorv1.PluginCalico {
 				switch instance.Spec.CNI.IPAM.Type {
-				case operatorv1.IPAMPluginCalico:
-					// Verify the specified encapsulation type is valid.
-					switch pool.Encapsulation {
-					case operatorv1.EncapsulationIPIP, operatorv1.EncapsulationIPIPCrossSubnet:
-					case operatorv1.EncapsulationVXLAN, operatorv1.EncapsulationVXLANCrossSubnet:
-					case operatorv1.EncapsulationNone:
-					}
 				case operatorv1.IPAMPluginHostLocal:
 					// The host-local IPAM plugin doesn't support VXLAN.
 					switch pool.Encapsulation {
diff --git a/pkg/controller/installation/validation_test.go b/pkg/controller/installation/validation_test.go
index a1ed29e5c4..9768e699b5 100644
--- a/pkg/controller/installation/validation_test.go
+++ b/pkg/controller/installation/validation_test.go
@@ -246,7 +246,10 @@ var _ = Describe("Installation validation tests", func() {
 		Expect(err).NotTo(HaveOccurred())
 	})
 
-	It("should prevent IPIP if BGP is disabled", func() {
+	// Previously, IPIP encapsulation were only possible with BGP enabled,
+	// however, Felix can do the same thing now which means IPIP with BGP disabled
+	// is supported.
+	It("should allow IPIP if BGP is disabled", func() {
 		disabled := operator.BGPDisabled
 		instance.Spec.CalicoNetwork.BGP = &disabled
 		instance.Spec.CalicoNetwork.IPPools = []operator.IPPool{
@@ -258,10 +261,10 @@ var _ = Describe("Installation validation tests", func() {
 			},
 		}
 		err := validateCustomResource(instance)
-		Expect(err).To(HaveOccurred())
+		Expect(err).NotTo(HaveOccurred())
 	})
 
-	It("should prevent IPIP cross-subnet if BGP is disabled", func() {
+	It("should allow IPIP cross-subnet if BGP is disabled", func() {
 		disabled := operator.BGPDisabled
 		instance.Spec.CalicoNetwork.BGP = &disabled
 		instance.Spec.CalicoNetwork.IPPools = []operator.IPPool{
@@ -273,7 +276,7 @@ var _ = Describe("Installation validation tests", func() {
 			},
 		}
 		err := validateCustomResource(instance)
-		Expect(err).To(HaveOccurred())
+		Expect(err).NotTo(HaveOccurred())
 	})
 
 	It("should not error if CalicoNetwork is provided on EKS", func() {
diff --git a/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml
index 886fae2553..32ddb712d4 100644
--- a/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml
+++ b/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml
@@ -36,6 +36,7 @@ spec:
                     loadBalancer:
                       properties:
                         assignIPs:
+                          default: AllServices
                           type: string
                       type: object
                     namespace:
@@ -127,6 +128,7 @@ spec:
                         loadBalancer:
                           properties:
                             assignIPs:
+                              default: AllServices
                               type: string
                           type: object
                         namespace: