[v3.24] Remove legacy waf-http-filter ext_proc sidecar (PMREQ-384)#4931
Open
electricjesus wants to merge 1 commit into
Conversation
The WAF data plane is now the Coraza WASM filter baked into the envoy-proxy image (EV-6701), so the legacy waf-http-filter ext_proc sidecar is dead weight. Rendering it alongside the WASM filter also leaves the envoy-proxy deployment wedged (3/4 ready, serves no traffic). Remove the sidecar init container, its WAF-only volumes (var-log-calico HostPath + the waf-http-filter emptyDir socket) and the envoy-container socket mount, plus the now-orphaned calicoImage reference and the LOGGER_GATEWAY_* env vars. Keep the waf-http-filter-named ServiceAccount, ClusterRoles and per-namespace RoleBindings: they are the shared envoy-proxy pod identity that l7-log-collector reuses for license verification and Gateway-API reads. Renaming them is deferred to a follow-up. Part of PMREQ-384 sidecar deprecation. (cherry picked from commit 5c692a7)
Cherry-pick of #4925.
Description
The WAF data plane on Enterprise Gateway moved to the Coraza WASM filter baked into the envoy-proxy image (EV-6701). The old `waf-http-filter` ext_proc sidecar is no longer how WAF is enforced, but `gateway_api.go` still injects it into every Enterprise envoy-proxy deployment. With both running, the proxy pod gets stuck at 3/4 ready and serves no traffic. PMREQ-384 already signed off on deprecating the sidecar. This PR removes the sidecar from the gateway-api render, and nothing else.

Removed:

- `waf-http-filter` init container
- `var-log-calico` HostPath and the `waf-http-filter` emptyDir socket, and the socket mount on the envoy container
- `calicoImage` field and its image resolution, which only fed that container
- `LOGGER_GATEWAY_NAME` / `LOGGER_GATEWAY_NAMESPACE` env vars, which only that container used

Kept on purpose: the `waf-http-filter`-named ServiceAccount, the two ClusterRoles, and the per-namespace RoleBindings. The l7-log-collector sidecar runs in the same pod under that identity and still needs it for license checks and Gateway-API reads. Renaming those objects to something l7-appropriate is a separate follow-up. The l7-log-collector render is untouched.

This is an Enterprise-only change to the gateway-api render. It pairs with a calico-private PR that deletes the sidecar binary itself (link below). Merge this one first: the combined `calico` binary keeps the now-unused `waf-http-filter` subcommand until this lands in a hashrelease, so removing the render first is safe and removing the binary first is not.

Companion calico-private PR (draft, merges after this): tigera/calico-private#12308
Test plan
`go test ./pkg/render/gatewayapi/` passes. The two specs that asserted the sidecar was deployed now assert only l7-log-collector is, and the owning-gateway env test was updated for the new init-container count. `go build ./...`, `go vet ./pkg/render/gatewayapi/`, and gofmt are all clean.

Cherry-pick re-verified on `release-v1.43`: clean pick, `go build`/`go vet`/`gofmt`/`go test ./pkg/render/gatewayapi/` all pass.

Release Note
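The removal list above has to go out as one unit: dropping the init container without its WAF-only volumes leaves dead volumes in the spec, and dropping the volumes without the envoy mount leaves a dangling mount that fails admission. The following is an added example, not code from this PR or from the operator's render package. It models a pod spec with minimal stand-in types (the real render uses corev1), strips a named init container together with an explicit list of volumes that existed only for it, and then runs a consistency check that reports unused volumes and dangling mounts. The ServiceAccountName is left alone for the reason the description gives: another container in the pod shares that identity. The mount paths and the `l7-logs` volume are constructed for the example and are not taken from the project.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimal stand-ins for the corev1 PodSpec fields this check needs.
// Constructed for the example; not the operator's render types.
type VolumeMount struct {
	Name      string
	MountPath string
}

type Container struct {
	Name         string
	VolumeMounts []VolumeMount
	Env          map[string]string
}

type PodSpec struct {
	ServiceAccountName string
	InitContainers     []Container
	Containers         []Container
	Volumes            []string // volume names only; HostPath vs emptyDir does not matter here
}

// RemoveSidecar drops the named init container, the volumes listed as existing
// only for it, and any mount of those volumes left on the remaining containers.
// Env vars that lived on the removed container go with it. ServiceAccountName is
// deliberately untouched: other containers in the pod may share that identity.
func RemoveSidecar(spec PodSpec, name string, dropVolumes []string) PodSpec {
	drop := map[string]bool{}
	for _, v := range dropVolumes {
		drop[v] = true
	}
	out := PodSpec{ServiceAccountName: spec.ServiceAccountName}
	for _, c := range spec.InitContainers {
		if c.Name != name {
			out.InitContainers = append(out.InitContainers, stripMounts(c, drop))
		}
	}
	for _, c := range spec.Containers {
		out.Containers = append(out.Containers, stripMounts(c, drop))
	}
	for _, v := range spec.Volumes {
		if !drop[v] {
			out.Volumes = append(out.Volumes, v)
		}
	}
	return out
}

// stripMounts returns a copy of c without mounts of the dropped volumes.
func stripMounts(c Container, drop map[string]bool) Container {
	kept := c
	kept.VolumeMounts = nil
	for _, m := range c.VolumeMounts {
		if !drop[m.Name] {
			kept.VolumeMounts = append(kept.VolumeMounts, m)
		}
	}
	return kept
}

// Orphans reports volumes no container mounts and mounts that reference a
// volume the pod does not define. The first is dead weight left by a partial
// cleanup; the second is rejected by the API server.
func Orphans(spec PodSpec) (unusedVolumes, danglingMounts []string) {
	defined := map[string]bool{}
	for _, v := range spec.Volumes {
		defined[v] = true
	}
	mounted := map[string]bool{}
	all := append(append([]Container{}, spec.InitContainers...), spec.Containers...)
	for _, c := range all {
		for _, m := range c.VolumeMounts {
			mounted[m.Name] = true
			if !defined[m.Name] {
				danglingMounts = append(danglingMounts, c.Name+":"+m.Name)
			}
		}
	}
	for _, v := range spec.Volumes {
		if !mounted[v] {
			unusedVolumes = append(unusedVolumes, v)
		}
	}
	sort.Strings(unusedVolumes)
	sort.Strings(danglingMounts)
	return unusedVolumes, danglingMounts
}

// LegacySpec is a constructed approximation of the pre-change envoy-proxy pod.
// Container, volume and env names follow the PR text; paths are assumptions.
func LegacySpec() PodSpec {
	return PodSpec{
		ServiceAccountName: "waf-http-filter",
		InitContainers: []Container{{
			Name: "waf-http-filter",
			VolumeMounts: []VolumeMount{
				{Name: "var-log-calico", MountPath: "/var/log/calico"},
				{Name: "waf-http-filter", MountPath: "/var/run/waf-http-filter"},
			},
			Env: map[string]string{"LOGGER_GATEWAY_NAME": "gw", "LOGGER_GATEWAY_NAMESPACE": "default"},
		}},
		Containers: []Container{
			{Name: "envoy", VolumeMounts: []VolumeMount{{Name: "waf-http-filter", MountPath: "/var/run/waf-http-filter"}}},
			{Name: "l7-log-collector", VolumeMounts: []VolumeMount{{Name: "l7-logs", MountPath: "/var/log/l7"}}},
		},
		Volumes: []string{"var-log-calico", "waf-http-filter", "l7-logs"},
	}
}

func main() {
	before := LegacySpec()
	// Deleting only the init container leaves var-log-calico defined but unmounted.
	naive := RemoveSidecar(before, "waf-http-filter", nil)
	u, d := Orphans(naive)
	fmt.Println("naive:", u, d)
	// Removing container, WAF-only volumes and the envoy mount together is clean.
	after := RemoveSidecar(before, "waf-http-filter", []string{"var-log-calico", "waf-http-filter"})
	u, d = Orphans(after)
	fmt.Println("full:", u, d, "serviceAccount:", after.ServiceAccountName)
}
```

The `Orphans` check is the kind of assertion worth adding next to the existing render specs: it catches both halves of a half-done removal, and it is independent of which sidecar is being retired.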