71 changes: 47 additions & 24 deletions calico-cloud/observability/elastic/l7/configure.mdx
Expand Up @@ -40,32 +40,36 @@ L7 logs are visible in the web console, service graph, in the HTTP tab.
**Not supported**

Copilot AI Mar 10, 2026

This heading is still using bold text (**Not supported**) rather than a Markdown heading, which is inconsistent with the rest of the page after the heading-hierarchy updates. Consider converting it to a proper heading (for example ### Not supported) so it appears in the TOC and has consistent styling.

Suggested change
**Not supported**
### Not supported

- GKE

**Limitations**
### Limitations

- L7 log collection is not supported for host-networked client pods.
- When selecting and deselecting traffic for L7 log collection, active connections may be disrupted.
* L7 log collection is not compatible with a service mesh such as Istio.
* L7 log collection is not supported for host-networked client pods.
* L7 log collection is supported only on Kubernetes 1.29 and later.

{/*TODO-XREFS-CC
Note removed for CC
*/}
:::important

## How to
When you enable L7 log collection for a deployment, all of that deployment's pods will restart.
Selecting and deselecting traffic for L7 log collection may result in disruptions for active connections.

- [Configure Felix for log data collection](#configure-felix-for-log-data-collection)
- [Configure L7 logs](#configure-l7-logs)
- [View L7 logs in the web console](#view-l7-logs-in-manager-ui)
:::

:::note

L7 logs require a minimum of 1 additional GB of log storage per node, per one-day retention period. Adjust your [Log Storage](../../../operations/logstorage/adjust-log-storage-size.mdx) before you start tasks in the next section.

Copilot AI Mar 10, 2026

The "Log Storage" link target appears to be invalid in Calico Cloud docs: calico-cloud/operations/logstorage/adjust-log-storage-size.mdx doesn't exist (there is no operations/logstorage/ section under calico-cloud/operations/). Please update this to an existing Calico Cloud page (or a stable cross-link that exists in this doc set), otherwise the rendered page will contain a broken link.

Suggested change
L7 logs require a minimum of 1 additional GB of log storage per node, per one-day retention period. Adjust your [Log Storage](../../../operations/logstorage/adjust-log-storage-size.mdx) before you start tasks in the next section.
L7 logs require a minimum of 1 additional GB of log storage per node, per one-day retention period. Adjust your [Log Storage](../../../operations/) before you start tasks in the next section.

:::

### Configure Felix for log data collection
## Configure Felix for log data collection

1. Configure L7 log aggregation, retention, and reporting.

For help, see [Felix Configuration documentation](../../../reference/component-resources/node/felix/configuration.mdx#calico-enterprise-specific-configuration).

### Configure L7 logs
## Configure L7 logs

In this step, you will configure L7 logs, select logs for collection, and test the configuration.

**Configure the ApplicationLayer resource for L7 logs**
### Configure the ApplicationLayer resource for L7 logs

1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#applicationlayer) resource named, `tigera-secure`.
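Review bot: In the `:::important` block, the second sentence ("Selecting and deselecting traffic for L7 log collection may result in disruptions for active connections.") still uses the traffic-selection wording, while the first sentence describes enabling collection for a deployment. Reword it in terms of enabling and disabling collection on a deployment, and state whether the pod restart described in the first sentence also applies when collection is disabled, since operators will schedule the change around it. Separately, the Limitations items use `*` while the "Not supported" list just above uses `-`; use one list marker throughout.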

Expand Down Expand Up @@ -99,25 +103,44 @@ In this step, you will configure L7 logs, select logs for collection, and test t
kubectl rollout status -n calico-system ds/l7-log-collector --timeout=120s
```

**Select traffic for L7 log collection**
### Quickstart: enable log collection on an example app

1. Annotate the services you wish to collect L7 logs as shown.
1. Install Google Microservices Demo

```bash
kubectl annotate svc <service-name> -n <service-namespace> projectcalico.org/l7-logging=true
kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/refs/heads/main/release/kubernetes-manifests.yaml
```

2. To disable the L7 log collection, remove the annotation.
without the `-n <namespace>` flag, it is going to be installed in the `default` namespace. if you wish to install in a different namespace, specify the `-n <namespace>` flag on all other commands in this tutorial from this point on.

Copilot AI Mar 10, 2026

The explanatory sentence starts with lowercase "without"/"if" and reads like a run-on sentence. Please capitalize and split into clearer sentences (and consider calling out explicitly that subsequent commands need -n <namespace> if not using default).

Suggested change
without the `-n <namespace>` flag, it is going to be installed in the `default` namespace. if you wish to install in a different namespace, specify the `-n <namespace>` flag on all other commands in this tutorial from this point on.
Without the `-n <namespace>` flag, this command installs the demo in the `default` namespace. If you want to use a different namespace, add the `-n <namespace>` flag to this command and to all subsequent `kubectl` commands in this tutorial.

1. Patch the `frontend` application deployment to start collecting L7 logs for this application

```bash
kubectl annotate svc <service-name> -n <service-namespace> projectcalico.org/l7-logging-
kubectl patch deployment frontend -p '{"spec":{"template":{"metadata":{"labels":{"applicationlayer.projectcalico.org/sidecar":"true"},"annotations":{"applicationlayer.projectcalico.org/logging":"Enabled"}}}}}'
```
Comment on lines +116 to 120

Copilot AI Mar 10, 2026

This quickstart notes using -n <namespace> when not installing into default, but the kubectl patch deployment frontend ... example doesn’t include a namespace. Please add -n <namespace> (or explicitly state the command assumes default) to prevent users patching the wrong deployment or hitting "not found" errors.

After annotating a service for L7 log collection, only newly-established connections through that service are proxied by Envoy. Connections established before the service is annotated are not proxied or interrupted, and no logs are generated.
The above command applies the following patch:
1. ensures pods in your `frontend` deployment pod template spec has the label `applicationlayer.projectcalico.org/sidecar: true`
1. ensures pods in your `frontend` deployment pod template spec has the following annotations:
- `applicationlayer.projectcalico.org/logging: Enabled`
Comment on lines +122 to +125

Copilot AI Mar 10, 2026

The ordered list explaining the patch is hard to read and has grammar issues (e.g., "ensures pods ... has" and lowercase sentence starts). Consider rewriting to refer to the Deployment's pod template (singular) and capitalizing the list items so the explanation is unambiguous.

Suggested change
The above command applies the following patch:
1. ensures pods in your `frontend` deployment pod template spec has the label `applicationlayer.projectcalico.org/sidecar: true`
1. ensures pods in your `frontend` deployment pod template spec has the following annotations:
- `applicationlayer.projectcalico.org/logging: Enabled`
The above command patches the `frontend` Deployment's pod template to:
1. Add the label `applicationlayer.projectcalico.org/sidecar: true`.
1. Add the annotation `applicationlayer.projectcalico.org/logging: Enabled`.

Conversely, when a service is deselected, any previous connections established through the annotated service continue to be proxied by Envoy until they are terminated, and logs are generated.
Deployment pods will then be expected to restart. Monitor its progress with:

```bash
kubectl rollout status deployment frontend
```
Comment on lines +127 to +131

Copilot AI Mar 10, 2026

If the demo is installed into a non-default namespace, kubectl rollout status deployment frontend also needs -n <namespace> to match the earlier guidance. Please update the example (or state it assumes default).

[Google Microservices Demo](https://github.com/GoogleCloudPlatform/microservices-demo) includes a load generator. L7 logs should now start displaying log entries that can be viewed via [various UIs](#view-l7-logs-in-the-web-console)

Alternatively, it is possible to test your configuration [manually](#test-your-configuration).

1. To disable L7 log collection, reverse the above patch with the following command.

```bash
kubectl patch deployment frontend --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1logging"}]'
```
Comment on lines +137 to +141

Copilot AI Mar 10, 2026

The disable command kubectl patch deployment frontend --type='json' ... also omits -n <namespace>, even though the preceding note says to use it for non-default installs. Please include the namespace flag here as well (or explicitly state these commands assume the default namespace).

**Test your configuration**
### Test your configuration

1. Identify the path to access your cluster. Where `<path>` can be:
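Review bot: The quickstart's install step applies a manifest fetched from `refs/heads/main` of GoogleCloudPlatform/microservices-demo, so the workload readers deploy into their cluster can change without this page changing. Point the URL at a tagged release or a specific commit so the applied manifest is fixed and can be reviewed before use. In the same step list, the sentence after the Google Microservices Demo link ends in a link without a closing period.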

Expand All @@ -131,9 +154,9 @@ Conversely, when a service is deselected, any previous connections established t
curl --head <path to access service>:<optional port>/<path>
```

### View L7 logs in the web console
## View L7 logs in the web console

**Service Graph**
### Service Graph

To view L7 logs in Service Graph:

Expand All @@ -142,7 +165,7 @@ To view L7 logs in Service Graph:

![l7-logs](/img/calico-enterprise/l7-logs.png)

**Kibana**
### Kibana

To view L7 logs by index pattern in Kibana:
