Skip to content

docs: L7 logs restructure and eBPF collector#2724

Open
lucastigera wants to merge 5 commits into
tigera:mainfrom
lucastigera:core-12726-l7-obs-bpf
Open

docs: L7 logs restructure and eBPF collector#2724
lucastigera wants to merge 5 commits into
tigera:mainfrom
lucastigera:core-12726-l7-obs-bpf

Conversation

@lucastigera
Copy link
Copy Markdown
Contributor

@lucastigera lucastigera commented May 12, 2026
edited
Loading

Summary

Restructures the L7 logs docs section to introduce the new eBPF-based collector alongside the existing Envoy collector, with a shared overview and per-collector enable pages.

The Istio Waypoint collector will land in a follow-up PR — its placeholder page is set to draft: true so it's visible during local development but excluded from production builds.

L7 logs section, after this PR

Sidebar entry File What it is
Overview overview.mdx New. Big picture, value, the available collectors, and a comparison table to help pick one. Carries the shared "before you begin" log-storage note.
Enable eBPF collector enable-ebpf.mdx New. Enable via L7ObservabilityEnabled on FelixConfiguration. Limitations: kernel 5.17+, HTTP/1.0–1.1 only, TLS metadata only.
Enable Waypoint collector enable-waypoint.mdx Placeholder, dev-only. Marked draft: true so it's hidden in production builds. Content lands in the Waypoint PR.
Enable Envoy collector configure.mdx Existing page; sidebar label updated. Still labelled deprecated and being phased out.
Data types datatypes.mdx Refreshed schema reference. New Populated by column. Adds protocol, protocol_version, collector_type, collector_name, and tls_* fields. HTTP-only / TLS-only fields tagged inline (e.g. _HTTP only._ URL that the request was made against.).
Aggregation aggregation.mdx New. Documents the L7LogsFileAggregation* fields (including the new L7LogsFileAggregationTLSSNI) and includes an interactive aggregation playground — a React component (_includes/components/L7AggregationSandbox) where readers toggle aggregator checkboxes and watch sample events regroup with two-tone highlight (green = added / count up, red = removed / count down) and per-group expand/collapse.

Other changes

  • dashboards.mdx, get-started-cem.mdx, kibana.mdx: external "L7 logs" links repointed from configure.mdx (Envoy-only) to the new overview.mdx.
  • alp.mdx: left pointing at configure.mdx#kibana per maintainer note (page will be deprecated).
  • Vale lint clean on the new pages (data plane, Waypoint, plain text).

Open items / known gaps

  • L7ObservabilityEnabled and L7LogsFileAggregationTLSSNI won't render in the Felix Configuration tables until _includes/components/FelixConfig/config-params.json is regenerated from upstream calico-private. Field-level anchors (#L7ObservabilityEnabled, #L7LogsFileAggregationTLSSNI) will activate at that time.
  • Versioned-tree mirroring intentionally not done in this PR — changes land in the next tree (calico-enterprise/) only.

Test plan

  • Local Docusaurus dev build (yarn start-next) compiles and renders all six pages.
  • Sidebar order verified in .docusaurus route data.
  • Aggregation playground toggles cleanly, columns hold their widths, group expand/collapse works.
  • No remaining bare references to renamed files (configure-bpf.mdx, configure-istio-waypoint.mdx, datatypes-wip.mdx, datatypes-legacy.mdx).
  • Vale CI lint passing.
  • Production build (yarn build-next) excludes enable-waypoint.mdx — to be verified by reviewers.

🤖 Generated with Claude Code

@lucastigera @claude
Add WIP docs for eBPF L7 observability
57f4c40 
New L7 observability pages for the eBPF-based collector (tigera/calico-private#11749):
- configure-bpf.mdx: enable via L7ObservabilityEnabled on FelixConfiguration; comparison with the Istio Waypoint collector
- configure-istio-waypoint.mdx: placeholder
- datatypes-wip.mdx: redraft of the L7 schema with a Populated by column and new protocol / collector_name / tls_* fields
- aggregation.mdx: aggregation key fields with an interactive playground component
- sidebar entries for all four pages

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 12, 2026 23:59
@netlify
Copy link
Copy Markdown

netlify Bot commented May 12, 2026
edited
Loading

Deploy Preview for calico-docs-preview-next ready!

Name Link
🔨 Latest commit 1b9cd7c
🔍 Latest deploy log https://app.netlify.com/projects/calico-docs-preview-next/deploys/6a109a74a7b9b7000854c4a8
😎 Deploy Preview https://deploy-preview-2724--calico-docs-preview-next.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify
Copy link
Copy Markdown

netlify Bot commented May 12, 2026
edited
Loading

Deploy Preview for tigera failed. Why did it fail? →

Built without sensitive environment variables

Name Link
🔨 Latest commit 1b9cd7c
🔍 Latest deploy log https://app.netlify.com/projects/tigera/deploys/6a109a74912f350008ae57cf

Copilot AI reviewed May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR (marked WIP) introduces draft Calico Enterprise documentation for a new eBPF-based L7 observability collector, including a new L7 log aggregation page with an interactive sandbox component, and wires the new pages into the Enterprise sidebar navigation.

Changes:

  • Adds new draft L7 documentation pages for eBPF configuration, Istio Waypoint (placeholder), aggregation, and an expanded (WIP) L7 schema reference.
  • Introduces a new React component (L7AggregationSandbox) used to provide an interactive aggregation-key playground in docs.
  • Updates the Calico Enterprise sidebar to surface the new L7 pages.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
sidebars-calico-enterprise.js Adds the new L7 doc pages to the Enterprise “L7 logs” sidebar category.
calico-enterprise/observability/elastic/l7/configure-bpf.mdx Draft guide for enabling/viewing eBPF-based L7 logs, including a comparison table and limitations.
calico-enterprise/observability/elastic/l7/configure-istio-waypoint.mdx Placeholder page scaffold for Istio Ambient/Waypoint-based L7 collection.
calico-enterprise/observability/elastic/l7/aggregation.mdx Draft documentation describing FelixConfiguration aggregation fields and embedding an interactive sandbox.
calico-enterprise/observability/elastic/l7/datatypes-wip.mdx Draft schema reference adding eBPF/TLS fields and a “Populated by” column.
calico-enterprise/_includes/components/L7AggregationSandbox/index.js New interactive React component that demonstrates how aggregation settings merge L7 log rows and update count.
Comments suppressed due to low confidence (4)

calico-enterprise/observability/elastic/l7/configure-bpf.mdx:70

  • Same issue as above: L7LogsFileDirectory is a FelixConfiguration (resource) field and should link to reference/resources/felixconfig.mdx#l7LogsFileDirectory (note the lowercase l in the anchor) rather than the Felix config file/env-var page.
The eBPF collector writes L7 events as JSON to a log file on each node. By default the file is at `/var/log/calico/l7logs/l7.log`. The directory is controlled by the [L7LogsFileDirectory](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileDirectory) field on `FelixConfiguration`.

calico-enterprise/observability/elastic/l7/aggregation.mdx:25

  • The per-field links here target .../component-resources/node/felix/configuration.mdx#L7Logs..., but the generated anchors for FelixConfiguration fields use the YAML field names (for example #l7LogsFileAggregationSourceInfo) and live on reference/resources/felixconfig.mdx. Please update the doc path and anchor casing for these aggregation field links so they resolve.
| [L7LogsFileAggregationSourceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationSourceInfo) | Source aggregated name, namespace, and type appear on each row. | Requests are merged across sources. |
| [L7LogsFileAggregationDestinationInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationDestinationInfo) | Destination aggregated name, namespace, and type appear on each row. | Requests are merged across destinations. |
| [L7LogsFileAggregationServiceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationServiceInfo) | Destination service name, namespace, and port appear on each row. | Requests are merged across services. |
| [L7LogsFileAggregationHTTPMethod](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationHTTPMethod) | HTTP method appears on each row. | Requests are merged across methods. |
| [L7LogsFileAggregationTrimURL](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationTrimURL) | URL (or a trimmed prefix) appears on each row. Intermediate values trim the query string, then the path, before excluding the URL entirely. | Requests are merged across URLs. |

calico-enterprise/observability/elastic/l7/aggregation.mdx:28

  • These links have the same issue as above (wrong target doc + uppercase anchors). Also, L7LogsFileAggregationTLSSNI does not appear in the current config-params.json data set, so the anchor will remain broken until the FelixConfig JSON is regenerated to include it.
| [L7LogsFileAggregationResponseCode](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationResponseCode) | Response code appears on each row. | Requests are merged across response codes. |
| [L7LogsFileAggregationHTTPHeaderInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationHTTPHeaderInfo) | User agent and request type appear on each row. | Requests are merged across user agents and types. |
| [L7LogsFileAggregationTLSSNI](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationTLSSNI) | TLS Server Name Indication appears on each TLS row. | TLS flows to the same destination are merged regardless of SNI. |

calico-enterprise/observability/elastic/l7/aggregation.mdx:35

  • The second table here also starts rows with ||, which will render as an extra empty column. Use a single leading | for Markdown tables.
| Field | Description |
| --- | --- |
| [L7LogsFileAggregationNumURLPath](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationNumURLPath) | Maximum number of URL path components retained. Default `5`. A negative value disables this truncation. |
| [L7LogsFileAggregationURLCharLimit](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationURLCharLimit) | Maximum URL length in characters; longer URLs are sliced. Default `250`. |

Comment thread calico-enterprise/observability/elastic/l7/configure-bpf.mdx Outdated
| Additional infrastructure | Waypoint Envoy pods per namespace/service | None — runs inside Felix |
| L7 coverage | Only traffic routed through a waypoint | All TCP traffic on the node |
| Network path overhead | Two extra proxy hops | None |
| Plaintext access | Decrypted at the waypoint (mTLS terminated) | Captured at the kernel TCP layer, before TLS encryption |
Comment thread calico-enterprise/observability/elastic/l7/configure-bpf.mdx Outdated

## Configure L7 logs

Enable the eBPF L7 collector by setting the [L7ObservabilityEnabled](../../../reference/component-resources/node/felix/configuration.mdx#L7ObservabilityEnabled) field to `true` on the default `FelixConfiguration`. The setting is independent of `bpfEnabled` — the collector works with any dataplane.
Comment thread calico-enterprise/observability/elastic/l7/aggregation.mdx Outdated
Comment on lines +17 to +35
The following `FelixConfiguration` fields control the L7 log aggregation key. For accepted values and defaults, follow the link to the [Felix Configuration reference](../../../reference/component-resources/node/felix/configuration.mdx#l7-logs).

| Field | Effect when included | Effect when excluded |
| --- | --- | --- |
| [L7LogsFileAggregationSourceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationSourceInfo) | Source aggregated name, namespace, and type appear on each row. | Requests are merged across sources. |
| [L7LogsFileAggregationDestinationInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationDestinationInfo) | Destination aggregated name, namespace, and type appear on each row. | Requests are merged across destinations. |
| [L7LogsFileAggregationServiceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationServiceInfo) | Destination service name, namespace, and port appear on each row. | Requests are merged across services. |
| [L7LogsFileAggregationHTTPMethod](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationHTTPMethod) | HTTP method appears on each row. | Requests are merged across methods. |
| [L7LogsFileAggregationTrimURL](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationTrimURL) | URL (or a trimmed prefix) appears on each row. Intermediate values trim the query string, then the path, before excluding the URL entirely. | Requests are merged across URLs. |
| [L7LogsFileAggregationResponseCode](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationResponseCode) | Response code appears on each row. | Requests are merged across response codes. |
| [L7LogsFileAggregationHTTPHeaderInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationHTTPHeaderInfo) | User agent and request type appear on each row. | Requests are merged across user agents and types. |
| [L7LogsFileAggregationTLSSNI](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationTLSSNI) | TLS Server Name Indication appears on each TLS row. | TLS flows to the same destination are merged regardless of SNI. |

Two additional fields control how the URL is truncated before it enters the aggregation key, rather than whether the URL participates at all:

| Field | Description |
| --- | --- |
| [L7LogsFileAggregationNumURLPath](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationNumURLPath) | Maximum number of URL path components retained. Default `5`. A negative value disables this truncation. |
| [L7LogsFileAggregationURLCharLimit](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationURLCharLimit) | Maximum URL length in characters; longer URLs are sliced. Default `250`. |
Comment thread sidebars-calico-enterprise.js Outdated
Comment on lines +408 to +411
'observability/elastic/l7/configure-istio-waypoint',
'observability/elastic/l7/aggregation',
'observability/elastic/l7/datatypes',
'observability/elastic/l7/datatypes-wip',
Comment thread calico-enterprise/observability/elastic/l7/configure-bpf.mdx Outdated
Comment on lines +29 to +35
| Aspect | Istio Waypoint collector | eBPF L7 collector |
| --- | --- | --- |
| Additional infrastructure | Waypoint Envoy pods per namespace/service | None — runs inside Felix |
| L7 coverage | Only traffic routed through a waypoint | All TCP traffic on the node |
| Network path overhead | Two extra proxy hops | None |
| Plaintext access | Decrypted at the waypoint (mTLS terminated) | Captured at the kernel TCP layer, before TLS encryption |
| Protocol coverage | HTTP/1, HTTP/2, gRPC | HTTP/1.0, HTTP/1.1, TLS handshake metadata |
Comment thread calico-enterprise/observability/elastic/l7/aggregation.mdx Outdated
Comment on lines +19 to +25
| Field | Effect when included | Effect when excluded |
| --- | --- | --- |
| [L7LogsFileAggregationSourceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationSourceInfo) | Source aggregated name, namespace, and type appear on each row. | Requests are merged across sources. |
| [L7LogsFileAggregationDestinationInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationDestinationInfo) | Destination aggregated name, namespace, and type appear on each row. | Requests are merged across destinations. |
| [L7LogsFileAggregationServiceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationServiceInfo) | Destination service name, namespace, and port appear on each row. | Requests are merged across services. |
| [L7LogsFileAggregationHTTPMethod](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationHTTPMethod) | HTTP method appears on each row. | Requests are merged across methods. |
| [L7LogsFileAggregationTrimURL](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationTrimURL) | URL (or a trimmed prefix) appears on each row. Intermediate values trim the query string, then the path, before excluding the URL entirely. | Requests are merged across URLs. |
Comment thread calico-enterprise/observability/elastic/l7/datatypes-wip.mdx Outdated
Comment on lines +29 to +33
| Name | Datatype | Populated by | Description |
| ------------------------ | -------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `host` | keyword | All | Name of the node that collected the L7 log entry. |
| `start_time` | date | All | Start time of log collection in Unix timestamp format. |
| `end_time` | date | All | End time of log collection in Unix timestamp format. |
lucastigera and others added 4 commits May 13, 2026 12:27
@lucastigera @claude
Iterate on L7 aggregation sandbox and rename data types pages
dfbad7b 
Aggregation sandbox redesign:
- Group rows by aggregation bucket; expand/collapse to reveal merged events
- Two-tone highlight (green for added/count up, red for removed/count down)
- Color legend above the table; intro/footer condensed
- More diverse sample data spanning cart, payments, and TLS scenarios

Pages:
- Promote the WIP data types page to datatypes.mdx; move the original to datatypes-legacy.mdx
- Add collector_type and protocol_version fields
- Sidebar reordered with "+ " prefix on the new pages and shorter labels (Configure with eBPF, Configure with Istio Waypoint, Aggregation, Data types)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@lucastigera @claude
Fix Vale lint errors on new L7 pages
1eef8f3 
- dataplane / dataplanes → data plane / data planes
- waypoint → Waypoint (Calico term rule)
- Plaintext / plaintext → Plain text / plain text
- Rephrase HTTP pipelining bullet to drop dictionary-rejected words

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@lucastigera @claude
Restructure L7 logs docs: add Overview, rename collector pages
519d74b 
- Add Overview page (overview.mdx) with big picture, value, collectors,
  and a comparison table — moves the shared framing out of per-collector pages
- Rename configure-bpf.mdx → enable-ebpf.mdx, refocus on enablement steps
- Rename configure-istio-waypoint.mdx → enable-waypoint.mdx (placeholder)
- Drop datatypes-legacy.mdx (no inbound references)
- Sidebar labels: Overview, Enable eBPF/Waypoint/Envoy collector, Data types, Aggregation
- Datatypes page: HTTP-only / TLS-only fields tagged inline in the description
- Repoint external "L7 logs" links (dashboards, get-started-cem, kibana) to overview.mdx

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@lucastigera @claude
Hide Istio Waypoint content from production build
1b9cd7c 
The Istio Waypoint collector will land in a separate PR. For now:
- enable-waypoint.mdx: add draft: true; Docusaurus excludes it from production builds and auto-filters the sidebar entry
- overview.mdx, datatypes.mdx: remove inline Waypoint references; leave TODO notes in single-line JSX comments so the next-PR author can find the spots
- overview.mdx: drop the Istio Waypoint column from the comparison table for this PR
- datatypes.mdx: change "Populated by" from "eBPF, Waypoint" to "eBPF"

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@lucastigera lucastigera marked this pull request as ready for review May 22, 2026 18:05
@lucastigera lucastigera requested a review from a team as a code owner May 22, 2026 18:05
@lucastigera lucastigera changed the title WIP: docs for eBPF L7 observability L7 Logs - eBPF collector May 22, 2026
@lucastigera lucastigera changed the title L7 Logs - eBPF collector docs: L7 logs restructure and eBPF collector May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lucastigera