diff --git a/internal/settings/consts.go b/internal/settings/consts.go
new file mode 100644
index 0000000..7cd918b
--- /dev/null
+++ b/internal/settings/consts.go
@@ -0,0 +1,6 @@
+package settings
+
+const (
+ LogLevelDebug = "debug"
+ LogLevelInfo = "info"
+)
diff --git a/internal/settings/flags.go b/internal/settings/flags.go
index 258498c..70cad5c 100644
--- a/internal/settings/flags.go
+++ b/internal/settings/flags.go
@@ -6,6 +6,7 @@ func (s Settings) BindFlags(fs *flag.FlagSet) {
 flag.StringVar(&s.MetricsAddress, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 flag.StringVar(&s.ProbeAddress, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 flag.StringVar(&s.AuthServerAddress, "address", ":8082", "The address the authorization service binds to.")
+ flag.StringVar(&s.AccessLogLevel, "access-log-level", "info", "The Cerberus access log level (debug will print all requests and headers)")
 flag.StringVar(&s.TLS.CertPath, "tls-cert-path", "", "grpc Authentication server TLS certificate")
 flag.StringVar(&s.TLS.KeyPath, "tls-key-path", "", "grpc Authentication server TLS key")
diff --git a/internal/settings/settings.go b/internal/settings/settings.go
index d216779..75a9b49 100644
--- a/internal/settings/settings.go
+++ b/internal/settings/settings.go
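Review bot: LogLevelDebug and LogLevelInfo are exported without doc comments, and nothing ties them to a type, so consumers compare and default on raw strings (flags.go and settings.go in this same commit spell the default as the literal "info" instead of LogLevelInfo). Doc comments such as `// LogLevelDebug makes the authenticator log every Check request and response.` and `// LogLevelInfo is the default access log level; only the normal logger output is emitted.` would tell readers what the two values switch on.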
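Review bot: The new flag is bound with `flag.StringVar(&s.AccessLogLevel, ...)` inside a method whose receiver is a value (`func (s Settings) BindFlags`, per the hunk header), so the pointer refers to a local copy of Settings and the parsed value never reaches the caller's struct unless BindFlags is used in some way not visible here; the neighbouring flags share this, but the new line inherits it. The default is the literal `"info"` although `LogLevelInfo` now exists in consts.go, and the same literal appears in the `env-default` tag added in settings.go; using the constant in both places keeps the three definitions from drifting. No value is validated, so a misspelled level such as "Debug" is silently treated as non-debug. The body of BindFlags continues outside the hunk.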
@@ -6,6 +6,7 @@ type Settings struct {
 AuthServerAddress string `yaml:"bindAddress" env:"BIND_ADDRESS" env-default:":8082" env-description:"The address the authorization service binds to."`
 MetricsAddress string `yaml:"metricsBindAddress" env:"METRICS_BIND_ADDRESS" env-default:":8080" env-description:"The address the metric endpoint binds to."`
 ProbeAddress string `yaml:"healthProbeBindAddress" env:"PROBE_BIND_ADDRESS" env-default:":8081" env-description:"The address the probe endpoint binds to."`
+ AccessLogLevel string `yaml:"accessLogLevel" env:"ACCESS_LOG_LEVEL" env-default:"info" env-description:"The Cerberus access log level (debug will print all requests and headers)"`
 TLS struct {
 CertPath string `yaml:"certPath" env:"AUTH_SERVER_TLS_CERT_PATH" env-default:"" env-description:"grpc Authentication server TLS certificate file path"`
diff --git a/main.go b/main.go
index 5918a59..4647f83 100644
--- a/main.go
+++ b/main.go
@@ -243,6 +243,7 @@ func setupAuthenticationServer(st settings.Settings) (net.Listener, *grpc.Server
 authenticator := auth.NewAuthenticator(
 setupLog.WithName("cerberus.authenticator"),
+ st,
 )
 auth.RegisterServer(srv, authenticator)
diff --git a/pkg/auth/authenticator.go b/pkg/auth/authenticator.go
index 93e1b81..9c37cd9 100644
--- a/pkg/auth/authenticator.go
+++ b/pkg/auth/authenticator.go
@@ -2,6 +2,7 @@ package auth
 import (
 "context"
+ "fmt"
 "net/http"
 "net/url"
 "strings"
@@ -11,6 +12,7 @@ import (
 "github.com/asaskevich/govalidator"
 "github.com/go-logr/logr"
 "github.com/snapp-incubator/Cerberus/api/v1alpha1"
+ "github.com/snapp-incubator/Cerberus/internal/settings"
 "github.com/snapp-incubator/Cerberus/internal/tracing"
 "go.opentelemetry.io/otel/attribute"
 otelcodes "go.opentelemetry.io/otel/codes"
@@ -25,6 +27,7 @@ const downstreamDeadlineOffset = 50 * time.Microsecond
 // Authenticator can generate cache from Kubernetes API server
 // and it implements envoy.CheckRequest interface
 type Authenticator struct {
+ settings settings.Settings
 logger logr.Logger
 httpClient *http.Client
@@ -145,6 +148,17 @@ func (a *Authenticator) Check(ctx context.Context, request *Request) (finalRespo
 start_time := time.Now()
 wsvc, ns, reason := readRequestContext(request)
+ // access logs
+ defer func() {
+ if a.settings.AccessLogLevel == settings.LogLevelDebug {
+ a.logger.Info("check request result",
+ "request", fmt.Sprintf("%#v", *request),
+ "response", fmt.Sprintf("%#v", *finalResponse),
+ "duration", fmt.Sprintf("%vms", time.Since(start_time).Milliseconds()),
+ )
+ }
+ }()
+
 // generate opentelemetry span with given parameters
 parentCtx := tracing.ReadParentSpanFromRequest(ctx, request.Request)
 ctx, span := tracing.StartSpan(parentCtx, "CheckFunction",
@@ -228,12 +242,13 @@ func defineValidators() []AuthenticationValidation {
 // NewAuthenticator creates new Authenticator object with given logger.
 // currently it's not returning any error
-func NewAuthenticator(logger logr.Logger) *Authenticator {
+func NewAuthenticator(logger logr.Logger, st settings.Settings) *Authenticator {
 a := Authenticator{
 logger: logger,
 httpClient: &http.Client{},
 }
 a.validators = defineValidators()
+ a.settings = st
 return &a
 }
diff --git a/pkg/auth/authenticator_cache.go b/pkg/auth/authenticator_cache.go
index 400d113..fb08b70 100644
--- a/pkg/auth/authenticator_cache.go
+++ b/pkg/auth/authenticator_cache.go
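Review bot: The deferred access log formats `*request` with `%#v`, which dumps the entire request value including whatever headers it carries; for an authorization check those headers typically include the credential being validated, so at debug level every token or cookie that passes through Check is written to the log. Log only the fields the operator needs (the workload and namespace already returned by readRequestContext, the method/path, the decision) or redact known credential headers before formatting, and reflect that in the flag and env descriptions in flags.go and settings.go, which currently promise "all requests and headers" without saying what those headers contain. The closure also dereferences `*finalResponse`, a named result whose type is cut off in the hunk header; if any return path leaves it nil, the defer panics at the end of Check, so guard it with `if finalResponse != nil`. Check's body continues outside the hunk.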
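Review bot: The doc comment above NewAuthenticator still says "creates new Authenticator object with given logger." although the signature now also takes `st settings.Settings`; update it to `// NewAuthenticator creates a new Authenticator with the given logger and settings.`. Settings is stored by value, so changes the caller makes to its Settings after construction are not seen by the authenticator, which is worth stating in that comment. As a point of style, `a.settings = st` could sit in the composite literal next to `logger` and `httpClient` rather than as a separate assignment after `defineValidators()`.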
@@ -102,11 +102,11 @@ func retrieveObjects(
 l client.ObjectList,
 c client.Client,
 ctx context.Context,
- listOpts ...*client.ListOptions,
+ listOpts ...client.ListOption,
 ) error {
 t := time.Now()
 metricsLabel := reflect.TypeOf(l).Elem().String()
- err := c.List(ctx, l)
+ err := c.List(ctx, l, listOpts...)
 fetchObjectListLatency.With(AddKindLabel(nil, metricsLabel)).Observe(time.Since(t).Seconds())
 return err
 }