(pick v1.37) remove -waf-log-file flag (#3722) [do not merge yet]

pkg/apis/crd.projectcalico.org/v1/felixconfig.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2017-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2017-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -408,6 +408,10 @@ type FelixConfigurationSpec struct {
 	// `[fd00:83a6::12]:5353`.Note that Felix (calico-node) will need RBAC permission to read the details of
 	// each service specified by a `k8s-service:...` form. [Default: "k8s-service:kube-dns"].
 	DNSTrustedServers *[]string `json:"dnsTrustedServers,omitempty"`
+
+	// WAFEventLogsFileEnabled controls logging WAFEvent logs to a file. If false no WAFEvent logging to file will occur.
+	// [Default: false]
+	WAFEventLogsFileEnabled *bool `json:"wafEventLogsFileEnabled,omitempty"`
 }
 
 type RouteTableRange struct {

pkg/controller/applicationlayer/applicationlayer_controller.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -569,19 +569,24 @@ func (r *ReconcileApplicationLayer) patchFelixConfiguration(ctx context.Context,
 		policySyncPrefix := r.getPolicySyncPathPrefix(&fc.Spec, al)
 		policySyncPrefixSetDesired := fc.Spec.PolicySyncPathPrefix == policySyncPrefix
 		tproxyModeSetDesired := fc.Spec.TPROXYMode != nil && *fc.Spec.TPROXYMode == tproxyMode
+		wafEventLogsFileEnabled := al != nil && ((al.Spec.SidecarInjection != nil && *al.Spec.SidecarInjection == operatorv1.SidecarEnabled) ||
+			(al.Spec.WebApplicationFirewall != nil && *al.Spec.WebApplicationFirewall == operatorv1.WAFEnabled))
+		wafEventLogsFileEnabledDesired := fc.Spec.WAFEventLogsFileEnabled != nil && *fc.Spec.WAFEventLogsFileEnabled == wafEventLogsFileEnabled
 
 		// If tproxy mode is already set to desired state return false to indicate patch not needed.
-		if policySyncPrefixSetDesired && tproxyModeSetDesired {
+		if policySyncPrefixSetDesired && tproxyModeSetDesired && wafEventLogsFileEnabledDesired {
 			return false, nil
 		}
 
 		fc.Spec.TPROXYMode = &tproxyMode
 		fc.Spec.PolicySyncPathPrefix = policySyncPrefix
+		fc.Spec.WAFEventLogsFileEnabled = &wafEventLogsFileEnabled
 
 		log.Info(
 			"Patching FelixConfiguration: ",
 			"policySyncPathPrefix", fc.Spec.PolicySyncPathPrefix,
 			"tproxyMode", string(tproxyMode),
+			"wafEventLogsFileEnabled", wafEventLogsFileEnabled,
 		)
 		return true, nil
 	})

pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml

@@ -330,6 +330,14 @@ spec:
                   information about the BPF policy programs, which can be examined
                   with the calico-bpf command-line tool.
                 type: boolean
+              bpfProfiling:
+                description: |-
+                  BPFProfiling controls profiling of BPF programs. At the monent, it can be
+                  Disabled or Enabled. [Default: Disabled]
+                enum:
+                - Enabled
+                - Disabled
+                type: string
               bpfRedirectToPeer:
                 description: 'BPFRedirectToPeer controls which whether it is allowed
                   to forward straight to the peer side of the workload devices. It

pkg/render/applicationlayer/applicationlayer.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -312,7 +312,6 @@ func (c *component) containers() []corev1.Container {
 		if c.config.PerHostWAFEnabled || c.config.SidecarInjectionEnabled {
 			commandArgs = append(
 				commandArgs,
-				"--waf-log-file", filepath.Join(CalicologsVolumePath, "waf", "waf.log"),
 				"--waf-ruleset-file", filepath.Join(ModSecurityRulesetVolumePath, "tigera.conf"),
 			)
 			if c.config.PerHostWAFEnabled {

pkg/render/applicationlayer/applicationlayer_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -657,7 +657,6 @@ var _ = Describe("Tigera Secure Application Layer rendering tests", func() {
 		dikastesArgs := dikastesContainer.Command
 		expectedDikastesArgs := []string{
 			"--per-host-waf-enabled",
-			"--waf-log-file", filepath.Join(applicationlayer.CalicologsVolumePath, "waf", "waf.log"),
 			"--waf-ruleset-file", filepath.Join(applicationlayer.ModSecurityRulesetVolumePath, "tigera.conf"),
 		}
 		for _, element := range expectedDikastesArgs {