PMREQ-384: deprecate waf-http-filter ext_proc sidecar #3
Draft
electricjesus wants to merge 1 commit into
The CRD-driven Coraza WASM data plane (PMREQ-384 v1) replaces the legacy waf-http-filter ext_proc sidecar entirely. Per design#25 walkthrough 2026-05-12 (Phil sign-off on AI-4/AI-5), drop the sidecar render path from the gateway-api operator render.

Removed:
- wafHTTPFilter init container injection on every envoy-proxy pod
- /var/run/waf-http-filter socket volume + mounts on the envoy container
- /var/log/calico hostPath volume (was only consumed by the sidecar)
- wafHTTPFilterImage field + ResolveImages plumbing for the calico CombinedCalicoImage component reference
- tokenreviews verb on the cluster-scoped ClusterRole (per-request license enforcement moved to the kube-controllers reconciler)

Kept (Walter's tigera#4690 reuses them for L7 log collector enrichment):
- waf-http-filter ServiceAccount (per Gateway namespace) — proxy pod identity for namespaced Gateway-API reads
- waf-http-filter-cluster-scoped ClusterRole (licensekeys verb only)
- waf-http-filter-gateway-resources ClusterRole + per-namespace RoleBindings
- gatewayNamespacesCRB

The L7 log collector init container, /access_logs + felix-sync volumes, serviceAccountName patch on the envoy deployment, and the access-log telemetry config are unaffected. Logs-to-felix replacement for WAF-specific events is tracked separately in tigera/gateway-extensions-controller/docs/planning/briefs/2026-05-12-sidecar-deprecation-brief.md
Summary

Drops the legacy waf-http-filter ext_proc sidecar render path from pkg/render/gatewayapi/. The CRD-driven Coraza WASM data plane (PMREQ-384 v1) is the WAF enforcement path now. Per design#25 walkthrough 2026-05-12, PM (Phil) signed off AI-4/AI-5; AI-6 captures the design + brief + this PR.

Base: radixo:gatewayapi-deployment-enterprise (mirrored here as radixo-gatewayapi-deployment-enterprise-base). Held in this fork until tigera#4690, tigera#4779, tigera#4821 merge.

What changes

Removed (sidecar-only)
- wafHTTPFilter init container injection on every envoy-proxy pod
- /var/run/waf-http-filter socket volume + mount on the envoy container
- /var/log/calico hostPath volume (only the sidecar consumed it)
- wafHTTPFilterImage struct field + ResolveImages call for components.CombinedCalicoImage
- tokenreviews create rule on waf-http-filter-cluster-scoped ClusterRole — license enforcement moved to the kube-controllers reconciler before EEP generation

Kept (Walter's tigera#4690 reuses for l7-log-collector / proxy-pod identity)
- waf-http-filter ServiceAccount in each Gateway namespace
- waf-http-filter-cluster-scoped ClusterRole (licensekeys get,watch only)
- waf-http-filter-gateway-resources ClusterRole + per-namespace RoleBindings
- waf-http-filter-gateway-namespaces ClusterRoleBinding
- serviceAccountName: waf-http-filter patch on the envoy Deployment
- l7-log-collector init container + /access_logs + felix-sync volumes

Net diff: pkg/render/gatewayapi/gateway_api.go -138 / +46; pkg/render/gatewayapi/gateway_api_test.go -83 / +12.

Verification on seth-ez-a3b5

Image: gcr.io/tigera-dev/seth/tigera-operator:pmreq-384-no-sidecar-2026-05-19-v1 (sha256:27aa83786abc…).
- EnvoyProxy/tigera-gateway-class initContainers: [l7-log-collector] only
- waf-test-gw proxy pod: 3/3 Running (was 4/4) — containers: envoy, shutdown-manager, init l7-log-collector
- waf-http-filter containers: zero
- GET /get → 200
- GET /get?id=1' OR '1'='1 → 403 (WASM Coraza)

Follow-ups (out of scope of this PR)
- licensekeys verb + remove waf-http-filter-cluster-scoped ClusterRole and waf-http-filter-gateway-namespaces CRB once the l7-log-collector binary in calico-private confirms it no longer needs runtime license access (separate calico-private PR).
- waf-http-filter SA + ClusterRole names are misleading after sidecar removal (audit-sweep follow-up).

Coordination
- 03-operator-integration.md §Sidecar Deprecation).
- tigera/gateway-extensions-controller/docs/planning/briefs/2026-05-12-sidecar-deprecation-brief.md.

Test plan
- go test ./pkg/render/gatewayapi/... green
- go test ./pkg/controller/gatewayapi/... green
- seth-ez-a3b5 (above)
- licensekeys rule
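The Removed/Kept lists and the seth-ez-a3b5 verification above amount to a contract on what the render must no longer contain (no waf-http-filter container, no socket volume, no /var/log/calico hostPath, no tokenreviews grant) and what it must still contain (l7-log-collector, licensekeys limited to get/watch). The following is an added example, not code from this PR or from the tigera operator, of a check that encodes that contract so a later render change cannot quietly widen the proxy pod or its ClusterRole again. PolicyRule and RenderedProxy are local stand-ins for the rbacv1 and corev1 types (assumption, so the example compiles without k8s.io/api); the volume names and the constructed LegacyRender/NewRender fixtures are likewise assumptions that mirror the before/after described in the PR, not operator output.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a minimal stand-in for rbacv1.PolicyRule. Assumption: kept local so
// the example compiles without k8s.io/api; in gateway_api_test.go the real type applies.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// RenderedProxy holds the pieces of a rendered envoy-proxy Deployment and of the
// waf-http-filter-cluster-scoped ClusterRole that the Removed/Kept lists name.
type RenderedProxy struct {
	InitContainers []string     // init container names on the envoy-proxy pod
	Containers     []string     // regular container names
	Volumes        []string     // volume names on the pod (names are assumed)
	HostPaths      []string     // hostPath sources of any hostPath volumes
	ClusterRules   []PolicyRule // rules on waf-http-filter-cluster-scoped
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// VerifySidecarRemoved returns one finding per leftover of the ext_proc sidecar.
// An empty result means: no waf-http-filter container, no sidecar socket volume,
// no /var/log/calico hostPath, no tokenreviews grant, licensekeys limited to
// get/watch, and the l7-log-collector init container still present.
func VerifySidecarRemoved(p RenderedProxy) []string {
	var findings []string

	all := append(append([]string{}, p.InitContainers...), p.Containers...)
	if contains(all, "waf-http-filter") {
		findings = append(findings, "waf-http-filter container still injected")
	}
	if !contains(p.InitContainers, "l7-log-collector") {
		findings = append(findings, "l7-log-collector init container missing (must be unaffected)")
	}
	for _, v := range p.Volumes {
		if strings.Contains(v, "waf-http-filter") {
			findings = append(findings, "sidecar socket volume still present: "+v)
		}
	}
	if contains(p.HostPaths, "/var/log/calico") {
		findings = append(findings, "/var/log/calico hostPath still mounted")
	}
	for _, r := range p.ClusterRules {
		for _, res := range r.Resources {
			switch res {
			case "tokenreviews":
				findings = append(findings, "tokenreviews "+strings.Join(r.Verbs, ",")+" still granted")
			case "licensekeys":
				for _, verb := range r.Verbs {
					if verb != "get" && verb != "watch" {
						findings = append(findings, "licensekeys verb beyond get/watch: "+verb)
					}
				}
			default:
				// Anything else (including "*") widens the role past what the PR keeps.
				findings = append(findings, "unexpected cluster-scoped resource: "+res)
			}
		}
	}
	return findings
}

// LegacyRender and NewRender are constructed fixtures, not operator output,
// mirroring the before/after state the PR describes.
func LegacyRender() RenderedProxy {
	return RenderedProxy{
		InitContainers: []string{"waf-http-filter", "l7-log-collector"},
		Containers:     []string{"envoy", "shutdown-manager"},
		Volumes:        []string{"waf-http-filter-socket", "access-logs", "felix-sync", "calico-logs"},
		HostPaths:      []string{"/var/log/calico"},
		ClusterRules: []PolicyRule{
			{APIGroups: []string{"authentication.k8s.io"}, Resources: []string{"tokenreviews"}, Verbs: []string{"create"}},
			{APIGroups: []string{"projectcalico.org"}, Resources: []string{"licensekeys"}, Verbs: []string{"get", "watch"}},
		},
	}
}

func NewRender() RenderedProxy {
	return RenderedProxy{
		InitContainers: []string{"l7-log-collector"},
		Containers:     []string{"envoy", "shutdown-manager"},
		Volumes:        []string{"access-logs", "felix-sync"},
		ClusterRules: []PolicyRule{
			{APIGroups: []string{"projectcalico.org"}, Resources: []string{"licensekeys"}, Verbs: []string{"get", "watch"}},
		},
	}
}

func main() {
	for _, tc := range []struct {
		name string
		r    RenderedProxy
	}{{"legacy", LegacyRender()}, {"pmreq-384", NewRender()}} {
		f := VerifySidecarRemoved(tc.r)
		fmt.Printf("%s: %d finding(s)\n", tc.name, len(f))
		for _, x := range f {
			fmt.Println("  -", x)
		}
	}
}
```

In a real render test the fixture would be the Deployment and ClusterRole objects returned by the render package, with names pulled from their specs; the value of the check is that it fails on any re-introduction of the tokenreviews rule or the sidecar container rather than only on the exact lines this PR deletes.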