docs: L7 logs restructure and eBPF collector

[lucastigera]

Summary

Restructures the L7 logs docs section to introduce the new eBPF-based collector alongside the existing Envoy collector, with a shared overview and per-collector enable pages.

The Istio Waypoint collector will land in a follow-up PR — its placeholder page is set to draft: true so it's visible during local development but excluded from production builds.

L7 logs section, after this PR

Sidebar entry	File	What it is
Overview	overview.mdx	New. Big picture, value, the available collectors, and a comparison table to help pick one. Carries the shared "before you begin" log-storage note.
Enable eBPF collector	enable-ebpf.mdx	New. Enable via L7ObservabilityEnabled on FelixConfiguration. Limitations: kernel 5.17+, HTTP/1.0–1.1 only, TLS metadata only.
Enable Waypoint collector	enable-waypoint.mdx	Placeholder, dev-only. Marked draft: true so it's hidden in production builds. Content lands in the Waypoint PR.
Enable Envoy collector	configure.mdx	Existing page; sidebar label updated. Still labelled deprecated and being phased out.
Data types	datatypes.mdx	Refreshed schema reference. New Populated by column. Adds protocol, protocol_version, collector_type, collector_name, and tls_* fields. HTTP-only / TLS-only fields tagged inline (e.g. _HTTP only._ URL that the request was made against.).
Aggregation	aggregation.mdx	New. Documents the L7LogsFileAggregation* fields (including the new L7LogsFileAggregationTLSSNI) and includes an interactive aggregation playground — a React component (_includes/components/L7AggregationSandbox) where readers toggle aggregator checkboxes and watch sample events regroup with two-tone highlight (green = added / count up, red = removed / count down) and per-group expand/collapse.

Other changes

• dashboards.mdx, get-started-cem.mdx, kibana.mdx: external "L7 logs" links repointed from configure.mdx (Envoy-only) to the new overview.mdx.
• alp.mdx: left pointing at configure.mdx#kibana per maintainer note (page will be deprecated).
• Vale lint clean on the new pages (data plane, Waypoint, plain text).

Open items / known gaps

• L7ObservabilityEnabled and L7LogsFileAggregationTLSSNI won't render in the Felix Configuration tables until _includes/components/FelixConfig/config-params.json is regenerated from upstream calico-private. Field-level anchors (#L7ObservabilityEnabled, #L7LogsFileAggregationTLSSNI) will activate at that time.
• Versioned-tree mirroring intentionally not done in this PR — changes land in the next tree (calico-enterprise/) only.

Test plan

• Local Docusaurus dev build (yarn start-next) compiles and renders all six pages.
• Sidebar order verified in .docusaurus route data.
• Aggregation playground toggles cleanly, columns hold their widths, group expand/collapse works.
• No remaining bare references to renamed files (configure-bpf.mdx, configure-istio-waypoint.mdx, datatypes-wip.mdx, datatypes-legacy.mdx).
• Vale CI lint passing.
• Production build (yarn build-next) excludes enable-waypoint.mdx — to be verified by reviewers.

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for calico-docs-preview-next ready!

Name	Link
🔨 Latest commit	ae6947f
🔍 Latest deploy log	https://app.netlify.com/projects/calico-docs-preview-next/deploys/6a10e3a1c8811300087a876c
😎 Deploy Preview	https://deploy-preview-2724--calico-docs-preview-next.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

❌ Deploy Preview for tigera failed. Why did it fail? →

Built without sensitive environment variables

Name	Link
🔨 Latest commit	ae6947f
🔍 Latest deploy log	https://app.netlify.com/projects/tigera/deploys/6a10e3a11e3841000812982c

[Copilot]

Pull request overview

This PR (marked WIP) introduces draft Calico Enterprise documentation for a new eBPF-based L7 observability collector, including a new L7 log aggregation page with an interactive sandbox component, and wires the new pages into the Enterprise sidebar navigation.

Changes:

• Adds new draft L7 documentation pages for eBPF configuration, Istio Waypoint (placeholder), aggregation, and an expanded (WIP) L7 schema reference.
• Introduces a new React component (L7AggregationSandbox) used to provide an interactive aggregation-key playground in docs.
• Updates the Calico Enterprise sidebar to surface the new L7 pages.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
sidebars-calico-enterprise.js	Adds the new L7 doc pages to the Enterprise “L7 logs” sidebar category.
calico-enterprise/observability/elastic/l7/configure-bpf.mdx	Draft guide for enabling/viewing eBPF-based L7 logs, including a comparison table and limitations.
calico-enterprise/observability/elastic/l7/configure-istio-waypoint.mdx	Placeholder page scaffold for Istio Ambient/Waypoint-based L7 collection.
calico-enterprise/observability/elastic/l7/aggregation.mdx	Draft documentation describing FelixConfiguration aggregation fields and embedding an interactive sandbox.
calico-enterprise/observability/elastic/l7/datatypes-wip.mdx	Draft schema reference adding eBPF/TLS fields and a “Populated by” column.
calico-enterprise/_includes/components/L7AggregationSandbox/index.js	New interactive React component that demonstrates how aggregation settings merge L7 log rows and update count.

Comments suppressed due to low confidence (4)

calico-enterprise/observability/elastic/l7/configure-bpf.mdx:70

• Same issue as above: L7LogsFileDirectory is a FelixConfiguration (resource) field and should link to reference/resources/felixconfig.mdx#l7LogsFileDirectory (note the lowercase l in the anchor) rather than the Felix config file/env-var page.

The eBPF collector writes L7 events as JSON to a log file on each node. By default the file is at `/var/log/calico/l7logs/l7.log`. The directory is controlled by the [L7LogsFileDirectory](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileDirectory) field on `FelixConfiguration`.

calico-enterprise/observability/elastic/l7/aggregation.mdx:25

• The per-field links here target .../component-resources/node/felix/configuration.mdx#L7Logs..., but the generated anchors for FelixConfiguration fields use the YAML field names (for example #l7LogsFileAggregationSourceInfo) and live on reference/resources/felixconfig.mdx. Please update the doc path and anchor casing for these aggregation field links so they resolve.

| [L7LogsFileAggregationSourceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationSourceInfo) | Source aggregated name, namespace, and type appear on each row. | Requests are merged across sources. |
| [L7LogsFileAggregationDestinationInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationDestinationInfo) | Destination aggregated name, namespace, and type appear on each row. | Requests are merged across destinations. |
| [L7LogsFileAggregationServiceInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationServiceInfo) | Destination service name, namespace, and port appear on each row. | Requests are merged across services. |
| [L7LogsFileAggregationHTTPMethod](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationHTTPMethod) | HTTP method appears on each row. | Requests are merged across methods. |
| [L7LogsFileAggregationTrimURL](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationTrimURL) | URL (or a trimmed prefix) appears on each row. Intermediate values trim the query string, then the path, before excluding the URL entirely. | Requests are merged across URLs. |

calico-enterprise/observability/elastic/l7/aggregation.mdx:28

• These links have the same issue as above (wrong target doc + uppercase anchors). Also, L7LogsFileAggregationTLSSNI does not appear in the current config-params.json data set, so the anchor will remain broken until the FelixConfig JSON is regenerated to include it.

| [L7LogsFileAggregationResponseCode](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationResponseCode) | Response code appears on each row. | Requests are merged across response codes. |
| [L7LogsFileAggregationHTTPHeaderInfo](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationHTTPHeaderInfo) | User agent and request type appear on each row. | Requests are merged across user agents and types. |
| [L7LogsFileAggregationTLSSNI](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationTLSSNI) | TLS Server Name Indication appears on each TLS row. | TLS flows to the same destination are merged regardless of SNI. |

calico-enterprise/observability/elastic/l7/aggregation.mdx:35

• The second table here also starts rows with ||, which will render as an extra empty column. Use a single leading | for Markdown tables.

| Field | Description |
| --- | --- |
| [L7LogsFileAggregationNumURLPath](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationNumURLPath) | Maximum number of URL path components retained. Default `5`. A negative value disables this truncation. |
| [L7LogsFileAggregationURLCharLimit](../../../reference/component-resources/node/felix/configuration.mdx#L7LogsFileAggregationURLCharLimit) | Maximum URL length in characters; longer URLs are sliced. Default `250`. |

[ctauchen]

rm

[ctauchen]

Might be worth saying what a collector actually is.

[ctauchen]

It's not clear what the distinction is between type and name. Are you saying we can have an epbf type called A and another ebpf type called B?

[ctauchen]

This should not be buried in a note. Probably best as a prerequisite to each 'enable' procedure.

For clarity, consider working through an example. "For example, if you want to maintain a 7-day retention period for a three-node cluster, you need to add at least 21 GB to your existing log storage."

[ctauchen]

The file name is misleading. Perhaps enable-ebpf-collector or simlar.

[ctauchen]

same for waypoint.

[ctauchen]

Is there an expectation that it wouldn't be cleaned up? I'm wondering if we can remove all of this.

[ctauchen]

For a single step procedure, use an unordered list:

Suggested change

	Enable the eBPF L7 collector by setting the [L7ObservabilityEnabled](../../../reference/component-resources/node/felix/configuration.mdx#L7ObservabilityEnabled) field to `true` on the default `FelixConfiguration`. The setting is independent of `bpfEnabled` — the collector works with any data plane.
	* Enable the eBPF L7 collector by setting the [L7ObservabilityEnabled](../../../reference/component-resources/node/felix/configuration.mdx#L7ObservabilityEnabled) field to `true` on the default `FelixConfiguration`. The setting is independent of `bpfEnabled` — the collector works with any data plane.

[ctauchen]

Suggested change

	## Additional information
	* L7 log data types

[ctauchen]

I think this can all move to a single line after the enable step.

This could also act as a verification step, come to think of it.

1. To verify that L7 logs are being collected, look for output in the default log file location on each node:

[ctauchen]

I think the new component is handy for illustrating how aggregation works. At this stage, I have two thoughts.

1. To what extent is this L7-specific? I get that the fields may be different, but it seems that the main idea here is to help people understand aggregation generally, not L7 aggregation. If that's the case, perhaps it would be better to use a tool like this in a general doc about aggregation?

2. For me, it would be useful to see all parts of this dynamic in action. 1) a full list of all the communications 2) the configuration (as a code block, rendered dynamically according to the checkboxes, and 3) the actual flow logs (what the log would actually look like, not the isolated terms as cells in a table.