EV-6388: L7 logging through Istio Waypoint Proxy#4769
Draft
alexh-tigera wants to merge 2 commits into
Adds automatic L7 logging for every Gateway using the istio-waypoint GatewayClass. The istio controller now creates three static resources in the Istio root namespace (calico-system) and Istio's deployment controller applies them as class-level defaults to all waypoints cluster-wide:

- tigera-waypoint-l7-defaults ConfigMap injects the l7-collector sidecar (with --mode=waypoint on the existing ComponentL7Collector image) and the shared emptyDir + Felix CSI volumes into every waypoint pod.
- tigera-waypoint-l7-als EnvoyFilter enables gRPC ALS on main_internal.
- tigera-waypoint-l7-srcport EnvoyFilter captures the Forwarded header on connect_terminate and propagates the client IP as filter state.

A small typed EnvoyFilter struct is introduced so the component handler (which casts to metav1.ObjectMetaAccessor) can manage the resources without taking on the networking.istio.io client-go dependency.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The L7 ambient waypoint pod's l7-collector sidecar dials Felix's nodeagent socket, which Felix only opens when policySyncPathPrefix is set. Have the istio controller program the field as part of its reconcile, mirroring the applicationlayer controller's existing patching path.

The two controllers coordinate explicitly via shared predicates in pkg/controller/utils/policy_sync.go: each side's deletion path consults the other's CR before clearing the field, so neither strands the other. The customer-override branch (any non-default value) is preserved verbatim by both.

Bonus: setIstioFelixConfiguration and the two existing configurators now return (changed, error) so utils.PatchFelixConfiguration's no-op short-circuit fires when nothing changed, instead of churning the FC on every reconcile.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds automatic L7 logging for every Gateway using the istio-waypoint GatewayClass. The istio controller now creates three static resources in the Istio root namespace (calico-system) and Istio's deployment controller applies them as class-level defaults to all waypoints cluster-wide:
A small typed EnvoyFilter struct is introduced so the component handler (which casts to metav1.ObjectMetaAccessor) can manage the resources without taking on the networking.istio.io client-go dependency.
Description
Release Note
For PR author
- make gen-files
- make gen-versions

For PR reviewers
A note for code reviewers - all pull requests must have the following:
- kind/bug if this is a bugfix.
- kind/enhancement if this is a new feature.
- enterprise if this PR applies to Calico Enterprise only.