Make access_log in http context configurable (#5648)

Author: hafe

docs/content/configuration/global-configuration/configmap-resource.md

@@ -113,6 +113,8 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](
 |ConfigMap Key | Description | Default | Example |
 | ---| ---| ---| --- |
 |*error-log-level* | Sets the global [error log level](https://nginx.org/en/docs/ngx_core_module.html#error_log) for NGINX. | *notice* |  |
+|*access-log* | Sets the directive [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). A syslog destination is the only valid value. The value will be set to its default in-case user tries to configure it with location other than a syslog.
+| ``/dev/stdout main`` | ``syslog:server=localhost:514`` |
 |*access-log-off* | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). | *False* |  |
 |*default-server-access-log-off* | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log) for the default server. If access log is disabled globally (*access-log-off: "True"*), then the default server access log is always disabled. | *False* |  |
 |*log-format* | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v{{< nic-version >}}/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/shared-examples/custom-log-format). |

internal/configs/config_params.go

@@ -24,7 +24,7 @@ type ConfigParams struct {
 	Keepalive                              int
 	LBMethod                               string
 	LocationSnippets                       []string
-	MainAccessLogOff                       bool
+	MainAccessLog                          string
 	MainErrorLogLevel                      string
 	MainHTTPSnippets                       []string
 	MainKeepaliveRequests                  int64
@@ -188,6 +188,7 @@ func NewDefaultConfigParams(isPlus bool) *ConfigParams {
 		ProxySendTimeout:              "60s",
 		ClientMaxBodySize:             "1m",
 		SSLRedirect:                   true,
+		MainAccessLog:                 "/dev/stdout main",
 		MainServerNamesHashBucketSize: "256",
 		MainServerNamesHashMaxSize:    "1024",
 		MainMapHashBucketSize:         "256",

internal/configs/configmaps.go

@@ -207,11 +207,21 @@ func ParseConfigMap(cfgm *v1.ConfigMap, nginxPlus bool, hasAppProtect bool, hasA
 		cfgParams.MainErrorLogLevel = errorLogLevel
 	}
 
+	if accessLog, exists := cfgm.Data["access-log"]; exists {
+		if !strings.HasPrefix(accessLog, "syslog:") {
+			glog.Warningf("Configmap %s/%s: Invalid value for key access-log: %q", cfgm.GetNamespace(), cfgm.GetName(), accessLog)
+		} else {
+			cfgParams.MainAccessLog = accessLog
+		}
+	}
+
 	if accessLogOff, exists, err := GetMapKeyAsBool(cfgm.Data, "access-log-off", cfgm); exists {
 		if err != nil {
 			glog.Error(err)
 		} else {
-			cfgParams.MainAccessLogOff = accessLogOff
+			if accessLogOff {
+				cfgParams.MainAccessLog = "off"
+			}
 		}
 	}
 
@@ -514,7 +524,7 @@ func ParseConfigMap(cfgm *v1.ConfigMap, nginxPlus bool, hasAppProtect bool, hasA
 // GenerateNginxMainConfig generates MainConfig.
 func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *ConfigParams) *version1.MainConfig {
 	nginxCfg := &version1.MainConfig{
-		AccessLogOff:                       config.MainAccessLogOff,
+		AccessLog:                          config.MainAccessLog,
 		DefaultServerAccessLogOff:          config.DefaultServerAccessLogOff,
 		DefaultServerReturn:                config.DefaultServerReturn,
 		DisableIPV6:                        staticCfgParams.DisableIPV6,

internal/configs/configmaps_test.go

@@ -203,3 +203,82 @@ func TestParseConfigMapWithoutTLSPassthroughProxyProtocol(t *testing.T) {
 		})
 	}
 }
+
+func TestParseConfigMapAccessLog(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		accessLog    string
+		accessLogOff string
+		want         string
+		msg          string
+	}{
+		{
+			accessLogOff: "False",
+			accessLog:    "syslog:server=localhost:514",
+			want:         "syslog:server=localhost:514",
+			msg:          "Non default access_log",
+		},
+		{
+			accessLogOff: "False",
+			accessLog:    "/tmp/nginx main",
+			want:         "/dev/stdout main",
+			msg:          "access_log to file is not allowed",
+		},
+		{
+			accessLogOff: "True",
+			accessLog:    "/dev/stdout main",
+			want:         "off",
+			msg:          "Disabled access_log",
+		},
+	}
+	nginxPlus := true
+	hasAppProtect := false
+	hasAppProtectDos := false
+	hasTLSPassthrough := false
+	for _, test := range tests {
+		t.Run(test.msg, func(t *testing.T) {
+			cm := &v1.ConfigMap{
+				Data: map[string]string{
+					"access-log":     test.accessLog,
+					"access-log-off": test.accessLogOff,
+				},
+			}
+			result := ParseConfigMap(cm, nginxPlus, hasAppProtect, hasAppProtectDos, hasTLSPassthrough)
+			if result.MainAccessLog != test.want {
+				t.Errorf("want %q, got %q", test.want, result.MainAccessLog)
+			}
+		})
+	}
+}
+
+func TestParseConfigMapAccessLogDefault(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		accessLog    string
+		accessLogOff string
+		want         string
+		msg          string
+	}{
+		{
+			want: "/dev/stdout main",
+			msg:  "Default access_log",
+		},
+	}
+	nginxPlus := true
+	hasAppProtect := false
+	hasAppProtectDos := false
+	hasTLSPassthrough := false
+	for _, test := range tests {
+		t.Run(test.msg, func(t *testing.T) {
+			cm := &v1.ConfigMap{
+				Data: map[string]string{
+					"access-log-off": "False",
+				},
+			}
+			result := ParseConfigMap(cm, nginxPlus, hasAppProtect, hasAppProtectDos, hasTLSPassthrough)
+			if result.MainAccessLog != test.want {
+				t.Errorf("want %q, got %q", test.want, result.MainAccessLog)
+			}
+		})
+	}
+}

internal/configs/version1/__snapshots__/template_test.snap

@@ -34,7 +34,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -164,7 +164,8 @@ http {
                     ' "$http_referer" "$http_user_agent"'
                     ;
     app_protect_dos_arb_fqdn arb.test.server.com;
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
     app_protect_failure_mode_action pass;
     app_protect_compressed_requests_action pass;
     app_protect_cookie_seed ABCDEFGHIJKLMNOP;
@@ -306,7 +307,8 @@ http {
         '' $sent_http_grpc_status;
     }
     app_protect_enforcer_address enforcer.svc.local;
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -1711,7 +1713,8 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -1848,7 +1851,8 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -1985,7 +1989,8 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -2122,7 +2127,8 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -2259,7 +2265,8 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -2422,7 +2429,8 @@ http {
                     ' "$http_referer" "$http_user_agent"'
                     ;
     app_protect_dos_arb_fqdn arb.test.server.com;
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
     app_protect_failure_mode_action pass;
     app_protect_compressed_requests_action pass;
     app_protect_cookie_seed ABCDEFGHIJKLMNOP;
@@ -2569,7 +2577,8 @@ http {
                         'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, '
                         'ip_tls=$remote_addr:$app_protect_dos_tls_fp, ';
     app_protect_dos_arb_fqdn arb.test.server.com;
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
     app_protect_failure_mode_action pass;
     app_protect_compressed_requests_action pass;
     app_protect_cookie_seed ABCDEFGHIJKLMNOP;
@@ -2722,7 +2731,8 @@ http {
                     ' "$http_referer" "$http_user_agent"'
                     ;
     app_protect_dos_arb_fqdn arb.test.server.com;
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
     app_protect_failure_mode_action pass;
     app_protect_compressed_requests_action pass;
     app_protect_cookie_seed ABCDEFGHIJKLMNOP;
@@ -2863,7 +2873,8 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3017,7 +3028,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3138,7 +3149,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3259,7 +3270,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3380,7 +3391,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3501,7 +3512,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3641,7 +3652,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3762,7 +3773,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -3884,7 +3895,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -4005,7 +4016,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
-    access_log  /dev/stdout  main;
+    access_log /dev/stdout main;
 
     sendfile        on;
     #tcp_nopush     on;

internal/configs/version1/config.go

@@ -191,7 +191,7 @@ type Location struct {
 
 // MainConfig describe the main NGINX configuration file.
 type MainConfig struct {
-	AccessLogOff                       bool
+	AccessLog                          string
 	DefaultServerAccessLogOff          bool
 	DefaultServerReturn                string
 	DisableIPV6                        bool

internal/configs/version1/nginx-plus.tmpl

@@ -90,11 +90,7 @@ http {
     app_protect_enforcer_address {{ .AppProtectV5EnforcerAddr }};
     {{- end}}
 
-    {{- if .AccessLogOff}}
-    access_log off;
-    {{- else}}
-    access_log  /dev/stdout  main;
-    {{- end}}
+    access_log {{.AccessLog}};
 
     {{- if .LatencyMetrics}}
     log_format response_time '{"upstreamAddress":"$upstream_addr", "upstreamResponseTime":"$upstream_response_time", "proxyHost":"$proxy_host", "upstreamStatus": "$upstream_status"}';

internal/configs/version1/nginx.tmpl

@@ -62,11 +62,7 @@ http {
         default "{{ .StaticSSLPath }}";
     }
     {{- end }}
-    {{- if .AccessLogOff}}
-    access_log off;
-    {{- else}}
-    access_log  /dev/stdout  main;
-    {{- end}}
+    access_log {{.AccessLog}};
 
     {{- if .LatencyMetrics}}
     log_format response_time '{"upstreamAddress":"$upstream_addr", "upstreamResponseTime":"$upstream_response_time", "proxyHost":"$proxy_host", "upstreamStatus": "$upstream_status"}';