From 37766cae7feeecf7daf4dcb7e01f57a4df90ea94 Mon Sep 17 00:00:00 2001
From: Seth Malaki
Date: Mon, 27 Jan 2025 21:04:29 +0000
Subject: [PATCH 1/3] remove -waf-log-file flag (#3722)
* remove -waf-log-file flag
* fix copyright
* make generate
---
 ...projectcalico.org_felixconfigurations.yaml | 19 +++++++++++++++++++
 .../applicationlayer/applicationlayer.go | 3 +--
 .../applicationlayer/applicationlayer_test.go | 3 +--
 3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
index dda59d7c3e..9b28ec463d 100644
--- a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
+++ b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
@@ -445,6 +445,25 @@ spec: - Enabled - Disabled type: string + flowLogsCollectorDebugTrace: + description: |- + When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be + printed in their entirety. + type: boolean + flowLogsFlushInterval: + description: FlowLogsFlushInterval configures the interval at which + Felix exports flow logs. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + flowLogsGoldmaneServer: + description: FlowLogGoldmaneServer is the flow server endpoint to + which flow data should be published. + type: string + flowLogsMaxOriginalIPsIncluded: + description: FlowLogsMaxOriginalIPsIncluded specifies the number of + unique IP addresses (if relevant) that should be included in Flow + logs. + type: integer genericXDPEnabled: description: 'GenericXDPEnabled enables Generic XDP so network cards that don''t support XDP offload or driver modes can use XDP. This
diff --git a/pkg/render/applicationlayer/applicationlayer.go b/pkg/render/applicationlayer/applicationlayer.go
index 8dfbfe890e..78f01a6640 100644
--- a/pkg/render/applicationlayer/applicationlayer.go
+++ b/pkg/render/applicationlayer/applicationlayer.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2025 Tigera, Inc. All rights reserved.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -312,7 +312,6 @@ func (c *component) containers() []corev1.Container {
 if c.config.PerHostWAFEnabled || c.config.SidecarInjectionEnabled {
 commandArgs = append(
 commandArgs,
- "--waf-log-file", filepath.Join(CalicologsVolumePath, "waf", "waf.log"),
 "--waf-ruleset-file", filepath.Join(ModSecurityRulesetVolumePath, "tigera.conf"),
 )
 if c.config.PerHostWAFEnabled {
diff --git a/pkg/render/applicationlayer/applicationlayer_test.go b/pkg/render/applicationlayer/applicationlayer_test.go
index bc7a93a1ad..13f592175f 100644
--- a/pkg/render/applicationlayer/applicationlayer_test.go
+++ b/pkg/render/applicationlayer/applicationlayer_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2025 Tigera, Inc. All rights reserved.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -657,7 +657,6 @@ var _ = Describe("Tigera Secure Application Layer rendering tests", func() {
 dikastesArgs := dikastesContainer.Command
 expectedDikastesArgs := []string{
 "--per-host-waf-enabled",
- "--waf-log-file", filepath.Join(applicationlayer.CalicologsVolumePath, "waf", "waf.log"),
 "--waf-ruleset-file", filepath.Join(applicationlayer.ModSecurityRulesetVolumePath, "tigera.conf"),
 }
 for _, element := range expectedDikastesArgs {
From e7baf65fb1cabc991bc503289c8fdbfd89235c56 Mon Sep 17 00:00:00 2001
From: Seth Malaki
Date: Mon, 27 Jan 2025 21:40:17 +0000
Subject: [PATCH 2/3] make generate
---
 ...projectcalico.org_felixconfigurations.yaml | 19 -------------------
 1 file changed, 19 deletions(-)
diff --git a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
index 9b28ec463d..dda59d7c3e 100644
--- a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
+++ b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
@@ -445,25 +445,6 @@ spec: - Enabled - Disabled type: string - flowLogsCollectorDebugTrace: - description: |- - When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be - printed in their entirety. - type: boolean - flowLogsFlushInterval: - description: FlowLogsFlushInterval configures the interval at which - Felix exports flow logs. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - flowLogsGoldmaneServer: - description: FlowLogGoldmaneServer is the flow server endpoint to - which flow data should be published. - type: string - flowLogsMaxOriginalIPsIncluded: - description: FlowLogsMaxOriginalIPsIncluded specifies the number of - unique IP addresses (if relevant) that should be included in Flow - logs. - type: integer genericXDPEnabled: description: 'GenericXDPEnabled enables Generic XDP so network cards that don''t support XDP offload or driver modes can use XDP. This
From 032783eb73d80762424dd260f77d5dbac8c43f49 Mon Sep 17 00:00:00 2001
From: Walter Neto
Date: Thu, 30 Jan 2025 18:56:45 +0100
Subject: [PATCH 3/3] Change felixconfig WAFEventLogsFileEnabled when necessary (#3742)
* Change felixconfig WAFEventLogsFileEnabled when necessary
* file generation
* generate files
---
 pkg/apis/crd.projectcalico.org/v1/felixconfig.go | 6 +++++-
 .../crd.projectcalico.org/v1/zz_generated.deepcopy.go | 5 +++++
 .../applicationlayer/applicationlayer_controller.go | 9 +++++++--
 .../crd.projectcalico.org_felixconfigurations.yaml | 8 ++++++++
 4 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/pkg/apis/crd.projectcalico.org/v1/felixconfig.go b/pkg/apis/crd.projectcalico.org/v1/felixconfig.go
index fd94a3746c..d31934bbec 100644
--- a/pkg/apis/crd.projectcalico.org/v1/felixconfig.go
+++ b/pkg/apis/crd.projectcalico.org/v1/felixconfig.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2017-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2017-2025 Tigera, Inc. All rights reserved.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -408,6 +408,10 @@ type FelixConfigurationSpec struct {
 // `[fd00:83a6::12]:5353`.Note that Felix (calico-node) will need RBAC permission to read the details of
 // each service specified by a `k8s-service:...` form. [Default: "k8s-service:kube-dns"].
 DNSTrustedServers *[]string `json:"dnsTrustedServers,omitempty"`
+ // WAFEventLogsFileEnabled controls logging WAFEvent logs to a file. If false no WAFEvent logging to file will occur.
+ // [Default: false]
+ WAFEventLogsFileEnabled *bool `json:"wafEventLogsFileEnabled,omitempty"`
 }
 type RouteTableRange struct {
diff --git a/pkg/apis/crd.projectcalico.org/v1/zz_generated.deepcopy.go b/pkg/apis/crd.projectcalico.org/v1/zz_generated.deepcopy.go
index c224263ca7..b9a0aa2f95 100644
--- a/pkg/apis/crd.projectcalico.org/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/crd.projectcalico.org/v1/zz_generated.deepcopy.go
@@ -712,6 +712,11 @@ func (in *FelixConfigurationSpec) DeepCopyInto(out *FelixConfigurationSpec) { copy(*out, *in) } } + if in.WAFEventLogsFileEnabled != nil { + in, out := &in.WAFEventLogsFileEnabled, &out.WAFEventLogsFileEnabled + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FelixConfigurationSpec.
diff --git a/pkg/controller/applicationlayer/applicationlayer_controller.go b/pkg/controller/applicationlayer/applicationlayer_controller.go
index 3929e80253..9c01050e5f 100644
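Review bot: The doc comment on the new `WAFEventLogsFileEnabled` field does not say who owns the value — in this same patch, applicationlayer_controller.go rewrites it on every reconcile from the ApplicationLayer CR's `SidecarInjection`/`WebApplicationFirewall` settings, so a value an operator sets by hand in FelixConfiguration is silently reverted, and `[Default: false]` alone does not convey that. I would extend the comment with a second sentence: `// This field is managed by the operator's ApplicationLayer controller (set to true when sidecar injection or the WAF is enabled); manual edits are overwritten. [Default: false]`. Separately, the regenerated enterprise FelixConfiguration CRD in this patch only adds `bpfProfiling`, so it is worth confirming `wafEventLogsFileEnabled` is already declared in that schema, since a structural CRD that lacks it would prune the field on write. The enclosing `FelixConfigurationSpec` struct begins before this hunk.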
--- a/pkg/controller/applicationlayer/applicationlayer_controller.go
+++ b/pkg/controller/applicationlayer/applicationlayer_controller.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2025 Tigera, Inc. All rights reserved.
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -569,19 +569,24 @@ func (r *ReconcileApplicationLayer) patchFelixConfiguration(ctx context.Context,
 policySyncPrefix := r.getPolicySyncPathPrefix(&fc.Spec, al)
 policySyncPrefixSetDesired := fc.Spec.PolicySyncPathPrefix == policySyncPrefix
 tproxyModeSetDesired := fc.Spec.TPROXYMode != nil && *fc.Spec.TPROXYMode == tproxyMode
+ wafEventLogsFileEnabled := al != nil && ((al.Spec.SidecarInjection != nil && *al.Spec.SidecarInjection == operatorv1.SidecarEnabled) ||
+ (al.Spec.WebApplicationFirewall != nil && *al.Spec.WebApplicationFirewall == operatorv1.WAFEnabled))
+ wafEventLogsFileEnabledDesired := fc.Spec.WAFEventLogsFileEnabled != nil && *fc.Spec.WAFEventLogsFileEnabled == wafEventLogsFileEnabled
 // If tproxy mode is already set to desired state return false to indicate patch not needed.
- if policySyncPrefixSetDesired && tproxyModeSetDesired {
+ if policySyncPrefixSetDesired && tproxyModeSetDesired && wafEventLogsFileEnabledDesired {
 return false, nil
 }
 fc.Spec.TPROXYMode = &tproxyMode
 fc.Spec.PolicySyncPathPrefix = policySyncPrefix
+ fc.Spec.WAFEventLogsFileEnabled = &wafEventLogsFileEnabled
 log.Info(
 "Patching FelixConfiguration: ",
 "policySyncPathPrefix", fc.Spec.PolicySyncPathPrefix,
 "tproxyMode", string(tproxyMode),
+ "wafEventLogsFileEnabled", wafEventLogsFileEnabled,
 )
 return true, nil
 })
diff --git a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml
index 628dee2be5..cba5ba3e46 100644
--- a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml
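Review bot: The new `wafEventLogsFileEnabledDesired` check only converges if the value written is read back, but the regenerated enterprise FelixConfiguration CRD in this patch only adds `bpfProfiling`; if the installed schema does not declare `wafEventLogsFileEnabled`, the API server prunes it, `fc.Spec.WAFEventLogsFileEnabled` stays nil, and this closure returns `true` on every reconcile — an endless PATCH loop against FelixConfiguration — so please confirm the CRD already carries the field. Treating an absent field as its documented default would also avoid writing an explicit `false` into every cluster that has neither the WAF nor sidecar injection enabled: `wafEventLogsFileEnabledDesired := (fc.Spec.WAFEventLogsFileEnabled == nil && !wafEventLogsFileEnabled) || (fc.Spec.WAFEventLogsFileEnabled != nil && *fc.Spec.WAFEventLogsFileEnabled == wafEventLogsFileEnabled)`. The comment above the `if` is now stale since it names only tproxy mode; I would change it to `// Return false (no patch needed) only when all three operator-managed fields already hold their desired values.`. The signature of `patchFelixConfiguration` lies outside the hunk; only the tail of the retry closure is visible here.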
+++ b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml
@@ -330,6 +330,14 @@ spec: information about the BPF policy programs, which can be examined with the calico-bpf command-line tool. type: boolean + bpfProfiling: + description: |- + BPFProfiling controls profiling of BPF programs. At the monent, it can be + Disabled or Enabled. [Default: Disabled] + enum: + - Enabled + - Disabled + type: string bpfRedirectToPeer: description: 'BPFRedirectToPeer controls which whether it is allowed to forward straight to the peer side of the workload devices. It