als (#46)

* Access Logging Server support

README.md

@@ -32,8 +32,16 @@ cat resources/envoy.yaml |sed 's/$IP/'$(docker inspect -f '{{range .NetworkSetti
 
 Then run the envoy proxy:
 ```
-docker run --rm -it -p 10000:10000 -p 10001:10001 -p 9901:9901 --network roxprox -v "$(PWD)/resources/envoy-withip.yaml":/etc/envoy/envoy.yaml envoyproxy/envoy:v1.14.1
+docker run --rm -it -p 10000:10000 -p 10001:10001 -p 9901:9901 --network roxprox -v "$(PWD)/resources/envoy-withip.yaml":/etc/envoy/envoy.yaml envoyproxy/envoy:v1.15-latest
 ```
+
+## Run access log serve
+```
+cd  resources/access-log-server
+make docker
+docker run --rm -it -p 9001:9001 --network roxprox --name als als
+```
+
 ## Configuration
 You can configure endpoints using yaml definitions. Below are example yaml definitions that you can put in your data/ folder.
 
@@ -84,6 +92,17 @@ spec:
         port: 443
 ```
 
+### ALS
+```
+api: proxy.in4it.io/v1
+kind: accessLogServer
+metadata:
+    name: accessLogServerExample
+spec:
+    address: "als"
+    port: 9001
+```
+
 ### Authn
 ```
 api: proxy.in4it.io/v1

go.mod

@@ -4,7 +4,8 @@ go 1.12
 
 require (
 	github.com/aws/aws-sdk-go v1.32.10
-	github.com/envoyproxy/go-control-plane v0.9.6-0.20200618221453-226baa5cddab
+	github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354 // indirect
+	github.com/envoyproxy/go-control-plane v0.9.6
 	github.com/ghodss/yaml v1.0.0
 	github.com/gogo/protobuf v1.3.1
 	github.com/golang/protobuf v1.4.2

go.sum

@@ -11,6 +11,8 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f h1:WBZRG4aNOuI15bLRrC
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200313221541-5f7e5dd04533 h1:8wZizuKuZVu5COB7EsBYxBQz8nRcXXn5d4Gt91eJLvU=
 github.com/cncf/udpa/go v0.0.0-20200313221541-5f7e5dd04533/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354 h1:9kRtNpqLHbZVO/NNxhHp2ymxFxsHOe3x2efJGn//Tas=
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/envoyproxy/envoy v1.14.1 h1:iqLWWa0bsImtur3PIm59jEczqu8/7q8JbNx1eFidLJA=
@@ -20,13 +22,16 @@ github.com/envoyproxy/go-control-plane v0.8.0/go.mod h1:GSSbY9P1neVhdY7G4wu+IK1r
 github.com/envoyproxy/go-control-plane v0.8.4 h1:moNlmfa71yZkzDxAb4Fz5qwaW1giZmTtwn6P/gYIK6E=
 github.com/envoyproxy/go-control-plane v0.8.4/go.mod h1:XB9+ce7x+IrsjgIVnRnql0O61gj/np0/bGDfhJI3sCU=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.2 h1:GJ5MKABRjz+QuET1GHm0KD9HC/mAzb3g2FznLQ0aThc=
 github.com/envoyproxy/go-control-plane v0.9.2/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.5 h1:lRJIqDD8yjV1YyPRqecMdytjDLs2fTXq363aCib5xPU=
 github.com/envoyproxy/go-control-plane v0.9.5/go.mod h1:OXl5to++W0ctG+EHWTFUjiypVxC/Y4VLc/KFU+al13s=
 github.com/envoyproxy/go-control-plane v0.9.6-0.20200618221453-226baa5cddab h1:ALuQRm7L5dY+9HEFlo5il+sENgolnfjWRHKSf8TgYf4=
 github.com/envoyproxy/go-control-plane v0.9.6-0.20200618221453-226baa5cddab/go.mod h1:JvuSsUgXzeWfLVfAe9OeW40eBtd+E8yMydqNm0iuBxs=
+github.com/envoyproxy/go-control-plane v0.9.6 h1:GgblEiDzxf5ajlAZY4aC8xp7DwkrGfauFNMGdB2bBv0=
+github.com/envoyproxy/go-control-plane v0.9.6/go.mod h1:GFqM7v0B62MraO4PWRedIbhThr/Rf7ev6aHOOPXeaDA=
 github.com/envoyproxy/protoc-gen-validate v0.0.0-20190405222122-d6164de49109 h1:FNgqGzbOm637YKRbYGKb9cqGo8i50++w/LWvMau7jrw=
 github.com/envoyproxy/protoc-gen-validate v0.0.0-20190405222122-d6164de49109/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.0.14 h1:YBW6/cKy9prEGRYLnaGa4IDhzxZhRCtKsax8srGKDnM=
@@ -147,6 +152,7 @@ google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1 h1:wdKvqQk7IttEw92GoRyKG2IDrUIpgpj6H6m81yfeMW0=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.30.0 h1:M5a8xTlYTxwMn5ZFkwhRabsygDY5G8TYLyQDBxJNAxE=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=

pkg/api/accesslogserver.go

@@ -0,0 +1,14 @@
+package api
+
+type AccessLogServer struct {
+	API      string              `json:"api" yaml:"api"`
+	Kind     string              `json:"kind" yaml:"kind"`
+	Metadata Metadata            `json:"metadata" yaml:"metadata"`
+	Spec     AccessLogServerSpec `json:"spec" yaml:"spec"`
+}
+type AccessLogServerSpec struct {
+	Address                        string   `json:"address" yaml:"address"`
+	Port                           int64    `json:"port" yaml:"port"`
+	AdditionalRequestHeadersToLog  []string `json:"additionalRequestHeadersToLog" yaml:"additionalRequestHeadersToLog"`
+	AdditionalResponseHeadersToLog []string `json:"additionalResponseHeadersToLog" yaml:"additionalResponseHeadersToLog"`
+}

pkg/envoy/accesslogserver.go

@@ -0,0 +1,82 @@
+package envoy
+
+import (
+	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+
+	alf "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3"
+	api "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+	als "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/grpc/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
+	"github.com/golang/protobuf/ptypes"
+)
+
+type AccessLogServer struct{}
+
+func newAccessLogServer() *AccessLogServer {
+	return &AccessLogServer{}
+}
+
+func (c *AccessLogServer) updateListenersWithAccessLogServer(cache *WorkQueueCache, params AccessLogServerParams) error {
+	// update listener
+	for listenerKey := range cache.listeners {
+		ll := cache.listeners[listenerKey].(*api.Listener)
+		for filterchainID := range ll.FilterChains {
+			for filterID := range ll.FilterChains[filterchainID].Filters {
+				// get manager
+				manager, err := getManager((ll.FilterChains[filterchainID].Filters[filterID].ConfigType).(*api.Filter_TypedConfig))
+				if err != nil {
+					return err
+				}
+				accessLogConfig, err := c.getAccessLoggerConfig(params)
+				if err != nil {
+					return err
+				}
+
+				manager.AccessLog = accessLogConfig
+
+				// update manager in cache
+				pbst, err := ptypes.MarshalAny(&manager)
+				if err != nil {
+					return err
+				}
+				ll.FilterChains[filterchainID].Filters[filterID].ConfigType = &api.Filter_TypedConfig{
+					TypedConfig: pbst,
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+func (c *AccessLogServer) getAccessLoggerConfig(params AccessLogServerParams) ([]*alf.AccessLog, error) {
+	if params.Name != "" {
+		alsConfig := &als.HttpGrpcAccessLogConfig{
+			CommonConfig: &als.CommonGrpcAccessLogConfig{
+				TransportApiVersion: core.ApiVersion_V3,
+				LogName:             params.Name,
+				GrpcService: &core.GrpcService{
+					TargetSpecifier: &core.GrpcService_EnvoyGrpc_{
+						EnvoyGrpc: &core.GrpcService_EnvoyGrpc{
+							ClusterName: params.Name,
+						},
+					},
+				},
+			},
+			AdditionalRequestHeadersToLog:  params.AdditionalRequestHeadersToLog,
+			AdditionalResponseHeadersToLog: params.AdditionalResponseHeadersToLog,
+		}
+		alsConfigPbst, err := ptypes.MarshalAny(alsConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		return []*alf.AccessLog{{
+			Name: wellknown.HTTPGRPCAccessLog,
+			ConfigType: &alf.AccessLog_TypedConfig{
+				TypedConfig: alsConfigPbst,
+			},
+		}}, nil
+	}
+	return nil, nil
+}

pkg/envoy/listener.go

@@ -6,6 +6,7 @@ import (
 	"sort"
 	"strings"
 
+	alf "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3"
 	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	api "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
@@ -24,8 +25,9 @@ const Error_NoFilterChainFound = "NoFilterChainFound"
 const Error_NoFilterFound = "NoFilterFound"
 
 type Listener struct {
-	httpFilter []*hcm.HttpFilter
-	tracing    *hcm.HttpConnectionManager_Tracing
+	httpFilter         []*hcm.HttpFilter
+	tracing            *hcm.HttpConnectionManager_Tracing
+	accessLoggerConfig []*alf.AccessLog
 }
 
 func newListener() *Listener {
@@ -35,6 +37,8 @@ func newListener() *Listener {
 			Name: "envoy.filters.http.router",
 		},
 	}
+	listener.accessLoggerConfig = []*alf.AccessLog{}
+
 	return listener
 }
 
@@ -467,6 +471,7 @@ func (l *Listener) newManager(routeName string, virtualHosts []*route.VirtualHos
 			},
 		},
 		HttpFilters: httpFilters,
+		AccessLog:   l.accessLoggerConfig,
 	}
 	if l.tracing != nil {
 		httpConnectionManager.Tracing = l.tracing
@@ -715,6 +720,21 @@ func (l *Listener) updateDefaultCompressionSetting(compressionParams Compression
 	updateHTTPFilterWithConfig(&l.httpFilter, "envoy.filters.http.compressor", compressorFilterEncoded)
 }
 
+func (l *Listener) updateDefaultAccessLogServer(accessLogServerParams AccessLogServerParams) {
+	c := newAccessLogServer()
+	accessLoggerConfig, err := c.getAccessLoggerConfig(accessLogServerParams)
+	if err != nil {
+		logger.Errorf("Couldn't get access logger config: %s", err)
+		return
+	}
+	if accessLoggerConfig == nil {
+		return
+	}
+
+	l.accessLoggerConfig = accessLoggerConfig
+
+}
+
 func (l *Listener) newHTTPRouterFilter() []*hcm.HttpFilter {
 	return l.httpFilter
 }

pkg/envoy/testdata/test-accesslogserver.yaml

@@ -0,0 +1,7 @@
+api: proxy.in4it.io/v1
+kind: accessLogServer
+metadata:
+  name: accessLogServerExample
+spec:
+  address: "localhost"
+  port: 9001

pkg/envoy/types.go

@@ -6,18 +6,19 @@ import (
 )
 
 type WorkQueueItem struct {
-	id                string
-	Action            string
-	DependsOn         string
-	DependsOnItemIDs  []string
-	TLSParams         TLSParams
-	ClusterParams     ClusterParams
-	ListenerParams    ListenerParams
-	ChallengeParams   ChallengeParams
-	CreateCertParams  CreateCertParams
-	TracingParams     TracingParams
-	CompressionParams CompressionParams
-	state             string
+	id                    string
+	Action                string
+	DependsOn             string
+	DependsOnItemIDs      []string
+	TLSParams             TLSParams
+	ClusterParams         ClusterParams
+	ListenerParams        ListenerParams
+	ChallengeParams       ChallengeParams
+	CreateCertParams      CreateCertParams
+	TracingParams         TracingParams
+	CompressionParams     CompressionParams
+	AccessLogServerParams AccessLogServerParams
+	state                 string
 }
 
 type WorkQueueCache struct {
@@ -132,6 +133,12 @@ type CompressionParams struct {
 	DisableOnEtagHeader bool
 }
 
+type AccessLogServerParams struct {
+	Name                           string
+	AdditionalRequestHeadersToLog  []string
+	AdditionalResponseHeadersToLog []string
+}
+
 type DirectResponse struct {
 	Status uint32
 	Body   string

pkg/envoy/workqueue.go

@@ -13,19 +13,20 @@ import (
 )
 
 type WorkQueue struct {
-	cs             chan WorkQueueSubmissionState
-	c              chan WorkQueueItem
-	callback       *Callback
-	cache          WorkQueueCache
-	cert           *Cert
-	listener       *Listener
-	jwtProvider    *JwtProvider
-	authzFilter    *AuthzFilter
-	tracing        *Tracing
-	compression    *Compression
-	cluster        *Cluster
-	acmeContact    string
-	latestSnapshot cache.Snapshot
+	cs              chan WorkQueueSubmissionState
+	c               chan WorkQueueItem
+	callback        *Callback
+	cache           WorkQueueCache
+	cert            *Cert
+	listener        *Listener
+	jwtProvider     *JwtProvider
+	authzFilter     *AuthzFilter
+	tracing         *Tracing
+	compression     *Compression
+	accessLogServer *AccessLogServer
+	cluster         *Cluster
+	acmeContact     string
+	latestSnapshot  cache.Snapshot
 }
 
 func NewWorkQueue(s storage.Storage, acmeContact string) (*WorkQueue, error) {
@@ -42,15 +43,16 @@ func NewWorkQueue(s storage.Storage, acmeContact string) (*WorkQueue, error) {
 	}
 
 	w := &WorkQueue{
-		c:           c,
-		cs:          cs,
-		cert:        cert,
-		listener:    newListener(),
-		cluster:     newCluster(),
-		jwtProvider: newJwtProvider(),
-		authzFilter: newAuthzFilter(),
-		tracing:     newTracing(),
-		compression: newCompression(),
+		c:               c,
+		cs:              cs,
+		cert:            cert,
+		listener:        newListener(),
+		cluster:         newCluster(),
+		jwtProvider:     newJwtProvider(),
+		authzFilter:     newAuthzFilter(),
+		tracing:         newTracing(),
+		compression:     newCompression(),
+		accessLogServer: newAccessLogServer(),
 	}
 
 	// run queue to resolve dependencies
@@ -211,6 +213,18 @@ func (w *WorkQueue) Submit(items []WorkQueueItem) (string, error) {
 				item.state = "finished"
 			}
 			updateXds = true
+		case "updateListenersWithAccessLogServer":
+			// update default listener route
+			w.listener.updateDefaultAccessLogServer(item.AccessLogServerParams)
+			// update existing listeners
+			err := w.accessLogServer.updateListenersWithAccessLogServer(&w.cache, item.AccessLogServerParams)
+			if err != nil {
+				item.state = "error"
+				logger.Errorf("updateListenersWithAccessLogServer error: %s", err)
+			} else {
+				item.state = "finished"
+			}
+			updateXds = true
 		case "updateListenerWithChallenge":
 			err := w.listener.updateListenerWithChallenge(&w.cache, item.ChallengeParams)
 			if err != nil {