
[v3.24] feat(applicationlayer): WAF observability — gateway audit-log capture + Felix/fluentd event log (EV-6650)#4976

Merged
electricjesus merged 1 commit into
tigera:release-v1.43from
electricjesus:seth/waf-obs-ev6650-v1.43
Jun 29, 2026

Conversation


@electricjesus electricjesus commented Jun 29, 2026


Cherry-pick of #4895.

Description

Operator render for the Gateway API WAF observability path (EV-6650), split out of #4821:

  • Audit-log capture (gateway proxy render), pkg/render/gatewayapi/gateway_api.go:
    • EnvoyProxy.Spec.Logging.Level = {default: warn, wasm: info} — surfaces the Coraza WASM filter's AuditLog: lines in Envoy's application log.
    • EnvoyProxy.Spec.ExtraArgs += --log-path /access_logs/envoy.log — redirects the application log onto the existing access-logs emptyDir (ExtraArgs rather than a container-args Patch, which would replace EG's generated args; the path sits directly under /access_logs because Envoy doesn't create --log-path parent dirs).
    • WAF_AUDIT_LOG_PATH=/access_logs/envoy.log on the l7-log-collector, which tails the file and forwards WAF decision records via PolicySync.ReportWAF.
  • Felix + fluentd event-log legs: WAFEventLogsFileEnabled (FelixConfiguration) and WAF_LOG_FILE (fluentd) so WAF block / would-block decisions land in the tigera_secure_ee_waf index.

Release Note

Add operator render for Gateway API WAF observability (EV-6650): capture the Coraza audit log from the gateway proxy, and enable the Felix + fluentd legs (WAFEventLogsFileEnabled, WAF_LOG_FILE) so WAF block / would-block decisions land in the tigera_secure_ee_waf index.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • release-note-required
    • docs-pr-required

… capture + Felix/fluentd event log (EV-6650)

Pre-pick of tigera#4895 (source still OPEN on master).
Squashed application of the branch's commits (incl. review feedback: operator owns
--log-path with -- terminator handling; GatewayAPI read error propagated) onto
release-v1.43. Reconcile to the real master squash SHA once tigera#4895 merges.

Refs EV-6650
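The description above has the operator append `--log-path /access_logs/envoy.log` to EnvoyProxy ExtraArgs, and the commit message says the operator owns that flag with `--` terminator handling. The following is an added illustration of that merge rule, not code from this PR or the operator: the function name `EnsureLogPathArg`, the "operator value wins over a user-supplied `--log-path`" precedence, and the sample ExtraArgs are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// WAFAuditLogPath is the file Envoy's application log is redirected to. It sits
// directly under the access-logs emptyDir because Envoy does not create parent
// directories for --log-path (per the PR description).
const WAFAuditLogPath = "/access_logs/envoy.log"

// EnsureLogPathArg returns a copy of extraArgs carrying exactly one operator-owned
// "--log-path <WAFAuditLogPath>". Assumed helper, not the operator's code. Rules:
//   - a user-supplied --log-path ("--log-path X" or "--log-path=X") that appears
//     before a "--" terminator is dropped so the operator's value wins;
//   - the operator's flag is inserted before the first "--" terminator, because
//     anything after it is passed through rather than parsed as a flag;
//   - everything from "--" onward is kept exactly as given.
func EnsureLogPathArg(extraArgs []string) []string {
	out := make([]string, 0, len(extraArgs)+2)
	var trailing []string
	for i := 0; i < len(extraArgs); i++ {
		a := extraArgs[i]
		if a == "--" {
			trailing = extraArgs[i:]
			break
		}
		if a == "--log-path" {
			// Skip the value that follows, unless the next token is the terminator.
			if i+1 < len(extraArgs) && extraArgs[i+1] != "--" {
				i++
			}
			continue
		}
		if strings.HasPrefix(a, "--log-path=") {
			continue
		}
		out = append(out, a)
	}
	out = append(out, "--log-path", WAFAuditLogPath)
	return append(out, trailing...)
}

func main() {
	// Constructed sample: a user-set log path plus a "--" passthrough section.
	in := []string{"--log-path=/tmp/old.log", "--concurrency", "2", "--", "--drain-time-s", "5"}
	fmt.Println(strings.Join(EnsureLogPathArg(in), " "))
}
```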
@electricjesus electricjesus force-pushed the seth/waf-obs-ev6650-v1.43 branch from 85fde91 to fe6508e Compare June 29, 2026 10:25
@electricjesus electricjesus merged commit a32efa3 into tigera:release-v1.43 Jun 29, 2026
4 checks passed
@electricjesus electricjesus deleted the seth/waf-obs-ev6650-v1.43 branch June 29, 2026 10:54
