feat(applicationlayer): WAF observability — gateway audit-log capture + Felix/fluentd event log (EV-6650)#4895
Merged: electricjesus merged 4 commits, Jun 29, 2026
Wire the EnvoyProxy render so the data-plane Envoy proxy captures the Coraza
WAF filter's audit decision log (EV-6650 WAF observability):
- Tune EnvoyProxy.Spec.Logging.Level to {default: warn, wasm: info} so the
wasm component's "AuditLog:" lines (emitted via proxywasm.LogInfo) surface
in Envoy's application log while the rest stays quiet. Envoy Gateway passes
arbitrary component keys through to --component-log-level, and Envoy
recognises "wasm".
- Append --log-path /access_logs/envoy.log via EnvoyProxy.Spec.ExtraArgs to
redirect Envoy's application log to a file on the existing access-logs
emptyDir (already mounted in both the envoy container, which writes it, and
the l7-log-collector, which reads it). ExtraArgs is used rather than a
container-args Patch, which would replace Envoy Gateway's generated args.
The file is directly under /access_logs (not a subdirectory) because Envoy
does not create --log-path parent directories.
- Set WAF_AUDIT_LOG_PATH=/access_logs/envoy.log on the l7-log-collector init
container so it can tail the file and forward WAF decision records via
PolicySync.ReportWAF.
Refs EV-6650
…gateway data plane

The gateway data-plane WAF (design-25) emits Coraza audit events that the l7-collector forwards to Felix via ReportWAF. For those events to reach Elasticsearch they need the same Felix -> waf.log -> fluentd -> linseed pipeline the legacy ApplicationLayer WAF uses, but two of its enablement knobs were never wired for the gateway path:
- FelixConfiguration.WAFEventLogsFileEnabled gates Felix's ReportWAF handler and the waf.log file reporter; without it ReportWAF returns "WAFEvents disabled". The ApplicationLayer controller already owns this field, so OR in the GatewayAPI WAF extension state (and add a GatewayAPI watch so toggling it re-reconciles). Also set it in the TPROXYMode upgrade-workaround branch, since it is an independent field.
- fluentd-node's in_tail_waf_logs source is gated by the WAF_LOG_FILE env, which the operator never set. Set it alongside FLOW_LOG_FILE / DNS_LOG_FILE; the path is always present and the file only exists when a WAF producer is enabled.
Refs EV-6650
jaderhs reviewed Jun 29, 2026
… GatewayAPI read error

Review feedback on tigera#4895:
- WAF_AUDIT_LOG_PATH could mismatch a user-supplied --log-path. The render respected an ExtraArgs --log-path carried over from a custom base EnvoyProxy but always pointed the l7-log-collector at the default path. The l7-log-collector can only read the shared access-logs volume, so the operator now owns --log-path: ensureExtraArg sets/replaces it to wafAuditLogPath, keeping it consistent with WAF_AUDIT_LOG_PATH by construction.
- isGatewayWAFEnabled swallowed every GetGatewayAPI error as "disabled", which would spuriously flip WAFEventLogsFileEnabled off on a transient/RBAC read error. It now returns (bool, error): a missing CR is disabled (no error); any other error propagates so the reconcile requeues instead of churning FelixConfiguration.
Refs EV-6650
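The second review point above is a fail-safe-versus-fail-silent distinction: a controller that treats every read error as "feature disabled" will rewrite FelixConfiguration on a transient API or RBAC failure and silently stop the WAF event pipeline. The following is an added example, not the operator's code, that contrasts the flagged behaviour with the corrected one and shows the reconcile decision that ORs the legacy ApplicationLayer state with the gateway state. The GatewayAPI struct, the gatewayAPIGetter type, the felixUpdate struct and the errNotFound sentinel are assumptions made for the example; the real operator would use apierrors.IsNotFound from k8s.io/apimachinery rather than a sentinel error.

```go
package main

import (
	"errors"
	"fmt"
)

// GatewayAPI is a stand-in for the operator's GatewayAPI CR (hypothetical shape:
// only the WAF enablement flag is modelled here).
type GatewayAPI struct {
	WAFEnabled bool
}

// errNotFound stands in for a Kubernetes NotFound status error. The real operator
// would check apierrors.IsNotFound (k8s.io/apimachinery/pkg/api/errors) instead.
var errNotFound = errors.New("gatewayapis \"default\" not found")

// gatewayAPIGetter abstracts the client read so the decision logic can be exercised
// with constructed outcomes instead of a live cluster.
type gatewayAPIGetter func() (*GatewayAPI, error)

// isGatewayWAFEnabledLegacy reproduces the behaviour the review flagged: every read
// error, including a transient or RBAC failure, is reported as "disabled".
func isGatewayWAFEnabledLegacy(get gatewayAPIGetter) bool {
	gw, err := get()
	if err != nil {
		return false
	}
	return gw.WAFEnabled
}

// isGatewayWAFEnabled distinguishes "no CR" (disabled, no error) from every other
// read failure, which is propagated so the caller requeues instead of writing a
// wrong value into FelixConfiguration.
func isGatewayWAFEnabled(get gatewayAPIGetter) (bool, error) {
	gw, err := get()
	if err != nil {
		if errors.Is(err, errNotFound) {
			return false, nil
		}
		return false, fmt.Errorf("reading GatewayAPI: %w", err)
	}
	return gw.WAFEnabled, nil
}

// felixUpdate is the reconcile decision for FelixConfiguration.WAFEventLogsFileEnabled.
type felixUpdate struct {
	Write   bool // patch FelixConfiguration at all
	Enabled bool // value to write when Write is true
	Requeue bool // retry later without touching FelixConfiguration
}

// reconcileWAFEventLogs ORs the legacy ApplicationLayer WAF state with the gateway
// WAF state. On a read error nothing is written and the reconcile is requeued.
func reconcileWAFEventLogs(appLayerWAFEnabled bool, get gatewayAPIGetter) (felixUpdate, error) {
	gwEnabled, err := isGatewayWAFEnabled(get)
	if err != nil {
		return felixUpdate{Requeue: true}, err
	}
	return felixUpdate{Write: true, Enabled: appLayerWAFEnabled || gwEnabled}, nil
}

// Constructed readers standing in for the three outcomes a Get can have.
func readerMissing() (*GatewayAPI, error)   { return nil, errNotFound }
func readerEnabled() (*GatewayAPI, error)   { return &GatewayAPI{WAFEnabled: true}, nil }
func readerForbidden() (*GatewayAPI, error) { return nil, errors.New("forbidden: cannot get gatewayapis") }

func main() {
	// Legacy behaviour: an RBAC error reads as "disabled" and would flip Felix off.
	fmt.Println("legacy, forbidden read:", isGatewayWAFEnabledLegacy(readerForbidden))

	for name, get := range map[string]gatewayAPIGetter{
		"missing CR": readerMissing, "WAF enabled": readerEnabled, "forbidden": readerForbidden,
	} {
		upd, err := reconcileWAFEventLogs(false, get)
		fmt.Printf("%-12s -> write=%v enabled=%v requeue=%v err=%v\n",
			name, upd.Write, upd.Enabled, upd.Requeue, err)
	}
}
```

The point of returning the error from the helper rather than a bool is that the reconciler's existing requeue path handles it: FelixConfiguration is only patched when the gateway state is actually known.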
electricjesus added a commit to electricjesus/operator that referenced this pull request, Jun 29, 2026
… capture + Felix/fluentd event log (EV-6650) Pre-pick of tigera#4895 (source still OPEN on master). Squashed application of the branch's 3 commits (incl. review feedback: operator owns --log-path; GatewayAPI read error propagated) onto release-v1.43. Reconcile to the real master squash SHA once tigera#4895 merges. Refs EV-6650
jaderhs reviewed Jun 29, 2026
```go
// ensureExtraArg sets "flag value" in an Envoy Gateway ExtraArgs slice (func-e parses each token as
// a separate element), replacing the value if flag is already present or appending the flag/value
// pair if not. It copies the slice so it never mutates a slice backing a cached EnvoyProxy object.
func ensureExtraArg(args []string, flag, value string) []string {
```
jaderhs (Contributor): Nitpick: If the envoy binary supports `--` to separate non-option args then this function should not replace args after `--`.
electricjesus (Member, Author): Good point. ensureExtraArg now stops at a bare `--`. It only matches the flag among the options before it, and a newly inserted pair goes before the `--`, so anything after stays put. Specs added for both cases. Done in 74261471b.
jaderhs approved these changes Jun 29, 2026
Per review nit: a bare "--" ends option parsing, so the helper must not match or replace a flag that appears after it (there it is a positional, not an option). ensureExtraArg now scans only tokens before "--", and inserts a new flag/value pair before the separator. Adds specs for both cases. Refs EV-6650
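The review nit and the fix commit above describe a small argument-rewriting helper with two security-relevant properties: the operator, not the user-supplied base EnvoyProxy, decides where the audit log lands (so the l7-log-collector's WAF_AUDIT_LOG_PATH and Envoy's --log-path cannot drift apart), and tokens after a bare "--" are positional and must not be touched. The following is an added example written for this page, not the operator's own ensureExtraArg; the wafAuditLogPath constant, renderEnvoyExtraArgs, l7CollectorEnv and insertAt are names chosen for the example, and the input argument lists are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// wafAuditLogPath is the single source of truth for where Envoy's application log
// goes. Both the Envoy --log-path argument and the l7-log-collector's
// WAF_AUDIT_LOG_PATH env are derived from it, so they agree by construction.
const wafAuditLogPath = "/access_logs/envoy.log"

// ensureExtraArg returns a copy of args in which option `flag` is set to `value`.
// Envoy Gateway's ExtraArgs are parsed one token per element, so a flag and its
// value are two adjacent tokens. A bare "--" ends option parsing: tokens after it
// are positional and are neither matched nor modified. If the flag already appears
// before the "--", its value token is replaced; otherwise the flag/value pair is
// inserted just before the "--" (or appended when there is no separator).
// The input slice is never mutated, which matters when args backs a cached object.
func ensureExtraArg(args []string, flag, value string) []string {
	out := make([]string, len(args))
	copy(out, args)

	// end is the index of the first bare "--", or len(out) when there is none.
	end := len(out)
	for i, tok := range out {
		if tok == "--" {
			end = i
			break
		}
	}

	for i := 0; i < end; i++ {
		if out[i] != flag {
			continue
		}
		if i+1 < end {
			out[i+1] = value // flag present with a value: replace it in place
			return out
		}
		// flag is the last option token and carries no value: insert one after it
		return insertAt(out, i+1, value)
	}
	return insertAt(out, end, flag, value)
}

// insertAt returns a new slice with vals spliced in at index i.
func insertAt(s []string, i int, vals ...string) []string {
	res := make([]string, 0, len(s)+len(vals))
	res = append(res, s[:i]...)
	res = append(res, vals...)
	return append(res, s[i:]...)
}

// renderEnvoyExtraArgs applies the operator-owned --log-path to whatever ExtraArgs a
// custom base EnvoyProxy carried over, overriding any user-supplied value.
func renderEnvoyExtraArgs(base []string) []string {
	return ensureExtraArg(base, "--log-path", wafAuditLogPath)
}

// l7CollectorEnv is the env the l7-log-collector init container receives, derived
// from the same constant as the Envoy argument.
func l7CollectorEnv() map[string]string {
	return map[string]string{"WAF_AUDIT_LOG_PATH": wafAuditLogPath}
}

func main() {
	// Constructed inputs: no base args, a base that already set --log-path elsewhere,
	// and a base that carries positional args after "--".
	cases := [][]string{
		nil,
		{"--log-path", "/tmp/user.log", "--concurrency", "2"},
		{"--concurrency", "2", "--", "--log-path", "/positional/untouched"},
	}
	for _, c := range cases {
		fmt.Printf("%-58s -> %s\n", strings.Join(c, " "), strings.Join(renderEnvoyExtraArgs(c), " "))
	}
	fmt.Println("l7-log-collector env:", l7CollectorEnv())
}
```

Copying the slice before editing is what keeps a reconcile from corrupting the informer cache; the "--" scan is what keeps the helper from rewriting a positional that merely looks like the flag.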
electricjesus added a commit to electricjesus/operator that referenced this pull request, Jun 29, 2026
… capture + Felix/fluentd event log (EV-6650) Pre-pick of tigera#4895 (source still OPEN on master). Squashed application of the branch's commits (incl. review feedback: operator owns --log-path with -- terminator handling; GatewayAPI read error propagated) onto release-v1.43. Reconcile to the real master squash SHA once tigera#4895 merges. Refs EV-6650
Description
Operator render for the Gateway API WAF observability path (EV-6650), split out of #4821:
pkg/render/gatewayapi/gateway_api.go:
- `EnvoyProxy.Spec.Logging.Level = {default: warn, wasm: info}` — surfaces the Coraza WASM filter's `AuditLog:` lines in Envoy's application log.
- `EnvoyProxy.Spec.ExtraArgs += --log-path /access_logs/envoy.log` — redirects the application log onto the existing `access-logs` emptyDir (ExtraArgs rather than a container-args Patch, which would replace EG's generated args; the path sits directly under `/access_logs` because Envoy doesn't create `--log-path` parent dirs).
- `WAF_AUDIT_LOG_PATH=/access_logs/envoy.log` on the l7-log-collector, which tails the file and forwards WAF decision records via `PolicySync.ReportWAF`.
- `WAFEventLogsFileEnabled` (FelixConfiguration) and `WAF_LOG_FILE` (fluentd) so WAF block / would-block decisions land in the `tigera_secure_ee_waf` index.

Release Note
For PR author:
- make gen-files
- make gen-versions

For PR reviewers, all pull requests must have the following:
- release-note-required
- docs-pr-required

Linked:
- tigera/designs#25 (PMREQ-384)
- tigera/calico-private#12142 (EV-6650) — must merge first