consul/agent/xds/accesslogs/accesslogs.go
R.B. Boyer 3e6f1c1fe1
remove v2 tenancy, catalog, and mesh (#21592)
* remove v2 tenancy, catalog, and mesh

- Inline the v2tenancy experiment to false

- Inline the resource-apis experiment to false

- Inline the hcp-v2-resource-apis experiment to false

- Remove ACL policy templates and rule language changes related to
  workload identities (a v2-only concept) (e.g. identity and
  identity_prefix)

- Update the gRPC endpoint used by consul-dataplane to no longer respond
  specially for v2

- Remove stray v2 references scattered throughout the DNS v1.5 newer
  implementation.

* changelog

* go mod tidy on consul containers

* lint fixes from ENT

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2024-09-05 08:50:46 -06:00


// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package accesslogs
import (
"fmt"
envoy_accesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3"
envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_fileaccesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/file/v3"
envoy_streamaccesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stream/v3"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/structpb"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/lib"
)
const (
// defaultJSONFormat is the access log format used when proxy-defaults sets
// neither a text nor a JSON format (see getLogFormat). It is parsed as JSON,
// and every value is an Envoy substitution operator.
//
// NOTE(review): path, x_forwarded_for, user_agent, request_id and authority
// are built from %REQ(...)% operators, i.e. from request headers chosen by
// the client, so log consumers should treat those fields as untrusted input.
// The path field presumably includes any query string, in which case
// credentials passed in URLs would be written to the log. Confirm against
// Envoy's access log documentation.
defaultJSONFormat = `
{
"start_time": "%START_TIME%",
"route_name": "%ROUTE_NAME%",
"method": "%REQ(:METHOD)%",
"path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
"protocol": "%PROTOCOL%",
"response_code": "%RESPONSE_CODE%",
"response_flags": "%RESPONSE_FLAGS%",
"response_code_details": "%RESPONSE_CODE_DETAILS%",
"connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%",
"bytes_received": "%BYTES_RECEIVED%",
"bytes_sent": "%BYTES_SENT%",
"duration": "%DURATION%",
"upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
"x_forwarded_for": "%REQ(X-FORWARDED-FOR)%",
"user_agent": "%REQ(USER-AGENT)%",
"request_id": "%REQ(X-REQUEST-ID)%",
"authority": "%REQ(:AUTHORITY)%",
"upstream_host": "%UPSTREAM_HOST%",
"upstream_cluster": "%UPSTREAM_CLUSTER%",
"upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",
"downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",
"downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%",
"requested_server_name": "%REQUESTED_SERVER_NAME%",
"upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
}
`
)
// MakeAccessLogs builds the Envoy access log configuration described by the
// proxy-defaults access log settings. At most one access logger is returned.
//
// isListener selects between the two call sites: true for a listener, false
// for a listener filter. Listener loggers get the response-flag filter from
// getListenerAccessLogFilter and can be turned off with DisableListenerLogs;
// listener filter loggers are unfiltered.
//
// A (nil, nil) result means no access logger is attached at all: logs is nil,
// logging is disabled, or listener logs are disabled for a listener. Nothing
// is recorded for that listener or filter in that case.
//
// Tests are located in agent/xds/listeners_test.go.
func MakeAccessLogs(logs *structs.AccessLogsConfig, isListener bool) ([]*envoy_accesslog_v3.AccessLog, error) {
	switch {
	case logs == nil || !logs.Enabled:
		return nil, nil
	case isListener && logs.DisableListenerLogs:
		return nil, nil
	}

	typedConfig, err := getLogger(logs)
	if err != nil {
		return nil, fmt.Errorf("failed to get logger: %w", err)
	}

	// Start from the listener filter variant and specialize it for listeners.
	accessLog := &envoy_accesslog_v3.AccessLog{
		Name: "Consul Listener Filter Log",
		ConfigType: &envoy_accesslog_v3.AccessLog_TypedConfig{
			TypedConfig: typedConfig,
		},
	}
	if isListener {
		accessLog.Name = "Consul Listener Log"
		accessLog.Filter = getListenerAccessLogFilter()
	}

	return []*envoy_accesslog_v3.AccessLog{accessLog}, nil
}
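// getLogger builds the typed Envoy access logger configuration for the sink
// selected in proxy-defaults (stdout, stderr, or file), wrapped in an Any.
//
// It returns an error when the log format cannot be built, when a file sink
// has no path, or when the sink type is not one of the supported values.
func getLogger(logs *structs.AccessLogsConfig) (*anypb.Any, error) {
	logFormat, err := getLogFormat(logs)
	if err != nil {
		return nil, fmt.Errorf("could not get envoy log format: %w", err)
	}

	switch logs.Type {
	case structs.DefaultLogSinkType, structs.StdOutLogSinkType:
		return getStdoutLogger(logFormat)
	case structs.StdErrLogSinkType:
		return getStderrLogger(logFormat)
	case structs.FileLogSinkType:
		// Fail here rather than hand Envoy a file sink with no destination.
		if logs.Path == "" {
			return nil, fmt.Errorf("path must be set for the file log sink")
		}
		return getFileLogger(logFormat, logs.Path)
	default:
		// The value switched on is the sink type, not the format; %q also
		// makes an empty or odd value visible in the message.
		return nil, fmt.Errorf("unsupported log sink type: %q", logs.Type)
	}
}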
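// getLogFormat returns an Envoy log format object that is compatible with all
// log sinks.
//
// Precedence: a configured JSONFormat always wins; TextFormat is used only
// when JSONFormat is empty; when both are empty defaultJSONFormat is used.
// An error is returned when the selected JSON format does not parse.
//
// NOTE(review): both formats come from proxy-defaults and are handed to Envoy
// without inspection of the substitution operators they contain. The JSON
// path goes through a structured value, while the text path is an inline
// string; whether request-derived operators are escaped in text output is up
// to Envoy. Confirm before feeding text-format logs to a line-based parser.
func getLogFormat(logs *structs.AccessLogsConfig) (*envoy_core_v3.SubstitutionFormatString, error) {
	// Text is selected only when it is the sole format configured.
	if logs.JSONFormat == "" && logs.TextFormat != "" {
		return &envoy_core_v3.SubstitutionFormatString{
			Format: &envoy_core_v3.SubstitutionFormatString_TextFormatSource{
				TextFormatSource: &envoy_core_v3.DataSource{
					Specifier: &envoy_core_v3.DataSource_InlineString{
						InlineString: lib.EnsureTrailingNewline(logs.TextFormat),
					},
				},
			},
		}, nil
	}

	format := logs.JSONFormat
	if format == "" {
		format = defaultJSONFormat
	}

	jsonFormat := &structpb.Struct{}
	if err := jsonFormat.UnmarshalJSON([]byte(format)); err != nil {
		return nil, fmt.Errorf("could not unmarshal JSON format string: %w", err)
	}
	return &envoy_core_v3.SubstitutionFormatString{
		Format: &envoy_core_v3.SubstitutionFormatString_JsonFormat{
			JsonFormat: jsonFormat,
		},
	}, nil
}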
// getStdoutLogger wraps logFormat in Envoy's stdout access log sink and packs
// the result into an Any. The error, if any, comes from anypb.New.
func getStdoutLogger(logFormat *envoy_core_v3.SubstitutionFormatString) (*anypb.Any, error) {
	sink := &envoy_streamaccesslog_v3.StdoutAccessLog{
		AccessLogFormat: &envoy_streamaccesslog_v3.StdoutAccessLog_LogFormat{
			LogFormat: logFormat,
		},
	}
	return anypb.New(sink)
}
// getStderrLogger wraps logFormat in Envoy's stderr access log sink and packs
// the result into an Any. The error, if any, comes from anypb.New.
func getStderrLogger(logFormat *envoy_core_v3.SubstitutionFormatString) (*anypb.Any, error) {
	sink := &envoy_streamaccesslog_v3.StderrAccessLog{
		AccessLogFormat: &envoy_streamaccesslog_v3.StderrAccessLog_LogFormat{
			LogFormat: logFormat,
		},
	}
	return anypb.New(sink)
}
// getFileLogger wraps logFormat and path in Envoy's file access log sink and
// packs the result into an Any. The error, if any, comes from anypb.New.
//
// NOTE(review): path is forwarded exactly as given; nothing here normalizes
// it or restricts it to a log directory. The file is presumably opened by the
// Envoy process with its own privileges, so write access to proxy-defaults
// should be treated as the ability to choose where sidecars write. Confirm
// where path is validated upstream.
func getFileLogger(logFormat *envoy_core_v3.SubstitutionFormatString, path string) (*anypb.Any, error) {
	sink := &envoy_fileaccesslog_v3.FileAccessLog{
		Path: path,
		AccessLogFormat: &envoy_fileaccesslog_v3.FileAccessLog_LogFormat{
			LogFormat: logFormat,
		},
	}
	return anypb.New(sink)
}
// getListenerAccessLogFilter returns the filter applied to listener-level
// access logs to decide when an entry is emitted.
//
// The filter matches the single response flag "NR", which corresponds to "No
// route configured for a given request in addition to 404 response code, or
// no matching filter chain for a downstream connection." Listener-level
// entries are therefore limited to events carrying that flag.
func getListenerAccessLogFilter() *envoy_accesslog_v3.AccessLogFilter {
	noRoute := &envoy_accesslog_v3.ResponseFlagFilter{
		Flags: []string{"NR"},
	}
	return &envoy_accesslog_v3.AccessLogFilter{
		FilterSpecifier: &envoy_accesslog_v3.AccessLogFilter_ResponseFlagFilter{
			ResponseFlagFilter: noRoute,
		},
	}
}