Add support for audit log options (openshift#897)

* Add support for audit log options * Add chart options for audit-log
soltysh · May 27, 2017 · 4679685 · 4679685
1 parent 262a94f
commit 4679685
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 2 deletions.
diff --git a/charts/catalog/templates/apiserver-deployment.yaml b/charts/catalog/templates/apiserver-deployment.yaml
@@ -32,6 +32,8 @@ spec:
  cpu: 100m
  memory: 30Mi
  args:
+ - --audit-log-path
+ - {{ .Values.apiserver.audit.logPath }}
  - --admission-control
  - "KubernetesNamespaceLifecycle"
  - --secure-port

diff --git a/charts/catalog/values.yaml b/charts/catalog/values.yaml
@@ -49,6 +49,9 @@ apiserver:
  # and authorization can be useful for quickly getting the walkthrough up and running,
  # but is not suitable for production.
  enabled: false
+ audit:
+ # If specified, audit log goes to specified path.
+ logPath: "/tmp/service-catalog-apiserver-audit.log"
 controllerManager:
  # controller-manager image to use
  image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.8

diff --git a/cmd/apiserver/app/server/options.go b/cmd/apiserver/app/server/options.go
@@ -39,6 +39,8 @@ type ServiceCatalogServerOptions struct {
  AuthorizationOptions *genericserveroptions.DelegatingAuthorizationOptions
  // InsecureOptions are options for serving insecurely.
  InsecureServingOptions *genericserveroptions.ServingOptions
+ // audit options for api server
+ AuditOptions *genericserveroptions.AuditLogOptions
  // EtcdOptions are options for serving with etcd as the backing store
  EtcdOptions *EtcdOptions
  // TPROptions are options for serving with TPR as the backing store
@@ -72,6 +74,7 @@ func (s *ServiceCatalogServerOptions) addFlags(flags *pflag.FlagSet) {
  s.InsecureServingOptions.AddFlags(flags)
  s.EtcdOptions.addFlags(flags)
  s.TPROptions.addFlags(flags)
+ s.AuditOptions.AddFlags(flags)
 }
 
 // StorageType returns the storage type configured on s, or a non-nil error if s holds an

diff --git a/cmd/apiserver/app/server/server.go b/cmd/apiserver/app/server/server.go
@@ -70,6 +70,7 @@ func NewCommandServer(
  AuthenticationOptions: genericserveroptions.NewDelegatingAuthenticationOptions(),
  AuthorizationOptions: genericserveroptions.NewDelegatingAuthorizationOptions(),
  InsecureServingOptions: genericserveroptions.NewInsecureServingOptions(),
+ AuditOptions: genericserveroptions.NewAuditLogOptions(),
  EtcdOptions: NewEtcdOptions(),
  TPROptions: NewTPROptions(),
  StopCh: stopCh,

diff --git a/cmd/apiserver/app/server/util.go b/cmd/apiserver/app/server/util.go
@@ -86,8 +86,10 @@ func buildGenericConfig(s *ServiceCatalogServerOptions) (*genericapiserver.Confi
  glog.Infof("Authentication and authorization disabled for testing purposes")
  }
 
- // TODO: add support for audit log options
- // see https://github.com/kubernetes-incubator/service-catalog/issues/678
+ if err := s.AuditOptions.ApplyTo(genericConfig); err != nil {
+ return nil, nil, err
+ }
+
  // TODO: add support for OpenAPI config
  // see https://github.com/kubernetes-incubator/service-catalog/issues/721
  genericConfig.SwaggerConfig = genericapiserver.DefaultSwaggerConfig()

diff --git a/test/integration/framework.go b/test/integration/framework.go
@@ -89,6 +89,7 @@ func getFreshApiserverAndClient(
  TPROptions: tprOptions,
  AuthenticationOptions: genericserveroptions.NewDelegatingAuthenticationOptions(),
  AuthorizationOptions: genericserveroptions.NewDelegatingAuthorizationOptions(),
+ AuditOptions: genericserveroptions.NewAuditLogOptions(),
  DisableAuth: true,
  StopCh: stopCh,
  StandaloneMode: true, // this must be true because we have no kube server for integration.