From 1d304ca6f5d2fcb659877a13104b6125c5bb1a7d Mon Sep 17 00:00:00 2001
From: Seth Malaki
Date: Mon, 12 Jan 2026 14:05:46 +0000
Subject: [PATCH] Add DATAPLANE env var to dikastes container in l7-log-collector

The dikastes container in the l7-log-collector daemonset was missing the DATAPLANE environment variable, causing it to default to iptables even when nftables mode is configured. This aligns the l7-log-collector behavior with l7-admission-controller and egress-gateway, which already set DATAPLANE based on Installation spec.
---
 .../applicationlayer/applicationlayer.go | 7 ++++
 .../applicationlayer/applicationlayer_test.go | 36 +++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/pkg/render/applicationlayer/applicationlayer.go b/pkg/render/applicationlayer/applicationlayer.go
index 7e480cf25c..cb9e6d4d3a 100644
--- a/pkg/render/applicationlayer/applicationlayer.go
+++ b/pkg/render/applicationlayer/applicationlayer.go
@@ -347,6 +347,12 @@ func (c *component) containers() []corev1.Container {
 commandArgs = append(commandArgs, "--per-host-alp-enabled")
 }
+ // Determine dataplane mode for dikastes
+ dataplane := "iptables"
+ if c.config.Installation.IsNftables() {
+ dataplane = "nftables"
+ }
+
 dikastes := corev1.Container{
 Name: DikastesContainerName,
 Image: c.config.dikastesImage,
@@ -355,6 +361,7 @@ func (c *component) containers() []corev1.Container {
 Env: []corev1.EnvVar{
 {Name: "LOG_LEVEL", Value: "Info"},
 {Name: "DIKASTES_SUBSCRIPTION_TYPE", Value: "per-host-policies"},
+ {Name: "DATAPLANE", Value: dataplane},
 },
 VolumeMounts: volMounts,
 SecurityContext: securitycontext.NewRootContext(true),
diff --git a/pkg/render/applicationlayer/applicationlayer_test.go b/pkg/render/applicationlayer/applicationlayer_test.go
index 90e8cc9ee9..a1b19230e2 100644
--- a/pkg/render/applicationlayer/applicationlayer_test.go
+++ b/pkg/render/applicationlayer/applicationlayer_test.go
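Review bot: The new `dataplane` selection in containers() folds every installation that is not nftables into "iptables", and the comment above it does not say whether that is deliberate. The container subscribes to per-host policies, so a DATAPLANE value that disagrees with the node's real dataplane is worth ruling out; if other LinuxDataplane modes can reach this renderer, confirm "iptables" is the right value for them. I would extend the comment to `// dikastes defaults to iptables when DATAPLANE is unset; only nftables needs an explicit override, every other mode keeps that default`. The commit message says l7-admission-controller and egress-gateway derive the same value, so a shared helper would keep the three in step, though those call sites are not visible here. containers() starts and ends outside the hunk.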
@@ -488,6 +488,7 @@ var _ = Describe("Tigera Secure Application Layer rendering tests", func() {
 expectedDikastesEnvs := []corev1.EnvVar{
 {Name: "LOG_LEVEL", Value: "Info"},
 {Name: "DIKASTES_SUBSCRIPTION_TYPE", Value: "per-host-policies"},
+ {Name: "DATAPLANE", Value: "iptables"},
 }
 Expect(len(dikastesEnvs)).To(Equal(len(expectedDikastesEnvs)))
@@ -671,6 +672,7 @@ var _ = Describe("Tigera Secure Application Layer rendering tests", func() {
 expectedDikastesEnvs := []corev1.EnvVar{
 {Name: "LOG_LEVEL", Value: "Info"},
 {Name: "DIKASTES_SUBSCRIPTION_TYPE", Value: "per-host-policies"},
+ {Name: "DATAPLANE", Value: "iptables"},
 }
 Expect(len(dikastesEnvs)).To(Equal(len(expectedDikastesEnvs)))
 for _, element := range expectedDikastesEnvs {
@@ -700,4 +702,38 @@ var _ = Describe("Tigera Secure Application Layer rendering tests", func() {
 Expect(dikastesVolMounts).To(ContainElement(expected))
 }
 })
+
+ It("should render dikastes with nftables DATAPLANE when nftables mode is enabled", func() {
+ // Enable nftables mode in the installation
+ nftablesMode := operatorv1.LinuxDataplaneNftables
+ installation.CalicoNetwork = &operatorv1.CalicoNetworkSpec{
+ LinuxDataplane: &nftablesMode,
+ }
+
+ cfg := &applicationlayer.Config{
+ PullSecrets: nil,
+ Installation: installation,
+ OsType: rmeta.OSTypeLinux,
+ PerHostALPEnabled: true,
+ }
+
+ component := applicationlayer.ApplicationLayer(cfg)
+ resources, _ := component.Objects()
+
+ ds := rtest.GetResource(resources, applicationlayer.ApplicationLayerDaemonsetName, common.CalicoNamespace, "apps", "v1", "DaemonSet").(*appsv1.DaemonSet)
+
+ dikastesContainer := test.GetContainer(ds.Spec.Template.Spec.Containers, "dikastes")
+ Expect(dikastesContainer).NotTo(BeNil())
+
+ // Verify DATAPLANE is set to nftables
+ expectedDikastesEnvs := []corev1.EnvVar{
+ {Name: "LOG_LEVEL", Value: "Info"},
+ {Name: "DIKASTES_SUBSCRIPTION_TYPE", Value: "per-host-policies"},
+ {Name: "DATAPLANE", Value: "nftables"},
+ }
+ Expect(len(dikastesContainer.Env)).To(Equal(len(expectedDikastesEnvs)))
+ for _, element := range expectedDikastesEnvs {
+ Expect(dikastesContainer.Env).To(ContainElement(element))
+ }
+ })
 })
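Review bot: The new spec overwrites `installation.CalicoNetwork` on what looks like a variable shared across specs, so unless a BeforeEach outside this hunk rebuilds `installation` for every spec, nftables mode leaks into the specs that run after it and the `iptables` expectations elsewhere become order-dependent. The assignment also replaces the whole CalicoNetworkSpec rather than setting one field, which drops anything the setup put there. If the setup does not already reset it, build the override on a per-spec copy; if it does, add `// installation is rebuilt in BeforeEach; this override is local to the spec` above the assignment. The length check plus loop can be written as `Expect(dikastesContainer.Env).To(ConsistOf(expectedDikastesEnvs))`. The enclosing Describe starts outside the hunk.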