Improve SVID signing logs with more context

pkg/server/api/svid/v1/service.go

@@ -112,13 +112,22 @@ func (s *Service) MintX509SVID(ctx context.Context, req *svidv1.MintX509SVIDRequ
 	if err != nil {
 		return nil, api.MakeErr(log, codes.Internal, "failed to sign X509-SVID", err)
 	}
-	rpccontext.AuditRPCWithFields(ctx, logrus.Fields{
-		telemetry.SPIFFEID:  id.String(),
-		telemetry.DNSName:   strings.Join(csr.DNSNames, ","),
-		telemetry.Subject:   csr.Subject,
+
+	commonX509SVIDLogFields := logrus.Fields{
+		telemetry.SPIFFEID: id.String(),
+		telemetry.DNSName:  strings.Join(csr.DNSNames, ","),
+		telemetry.Subject:  csr.Subject,
+	}
+
+	rpccontext.AddRPCAuditFields(ctx, logrus.Fields{
 		telemetry.ExpiresAt: x509SVID[0].NotAfter.Unix(),
 	})
 
+	rpccontext.AuditRPCWithFields(ctx, commonX509SVIDLogFields)
+	log.WithField(telemetry.Expiration, x509SVID[0].NotAfter.Format(time.RFC3339)).
+		WithFields(commonX509SVIDLogFields).
+		Debug("Signed X509 SVID")
+
 	return &svidv1.MintX509SVIDResponse{
 		Svid: &types.X509SVID{
 			Id:        api.ProtoFromID(id),
@@ -258,6 +267,9 @@ func (s *Service) newX509SVID(ctx context.Context, param *svidv1.NewX509SVIDPara
 		}
 	}
 
+	log.WithField(telemetry.Expiration, x509Svid[0].NotAfter.Format(time.RFC3339)).
+		Debug("Signed X509 SVID")
+
 	return &svidv1.BatchNewX509SVIDResponse_Result{
 		Svid: &types.X509SVID{
 			Id:        entry.SpiffeId,
@@ -300,6 +312,11 @@ func (s *Service) mintJWTSVID(ctx context.Context, protoID *types.SPIFFEID, audi
 		return nil, api.MakeErr(log, codes.Internal, "failed to get JWT-SVID expiry", err)
 	}
 
+	log.WithFields(logrus.Fields{
+		telemetry.Audience:   audience,
+		telemetry.Expiration: expiresAt.Format(time.RFC3339),
+	}).Debug("Server CA successfully signed JWT SVID")
+
 	return &types.JWTSVID{
 		Token:     token,
 		Id:        api.ProtoFromID(id),
@@ -375,6 +392,11 @@ func (s *Service) NewDownstreamX509CA(ctx context.Context, req *svidv1.NewDownst
 		return nil, api.MakeErr(log, codes.Internal, "failed to sign downstream X.509 CA", err)
 	}
 
+	log.WithFields(logrus.Fields{
+		telemetry.SPIFFEID:   x509CASvid[0].URIs[0].String(),
+		telemetry.Expiration: x509CASvid[0].NotAfter.Format(time.RFC3339),
+	}).Debug("Signed X509 CA SVID")
+
 	bundle, err := s.ds.FetchBundle(ctx, s.td.IDString())
 	if err != nil {
 		return nil, api.MakeErr(log, codes.Internal, "failed to fetch bundle", err)

pkg/server/ca/ca.go

@@ -199,15 +199,6 @@ func (ca *CA) SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.
 		return nil, err
 	}
 
-	spiffeID := x509SVID[0].URIs[0].String()
-
-	if !health.IsCheck(ctx) {
-		ca.c.Log.WithFields(logrus.Fields{
-			telemetry.SPIFFEID:   spiffeID,
-			telemetry.Expiration: x509SVID[0].NotAfter.Format(time.RFC3339),
-		}).Debug("Signed X509 SVID")
-	}
-
 	telemetry_server.IncrServerCASignX509Counter(ca.c.Metrics)
 	return x509SVID, nil
 }
@@ -248,13 +239,6 @@ func (ca *CA) SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x
 		return nil, errs.New("unable to create X509 CA SVID: %v", err)
 	}
 
-	spiffeID := cert.URIs[0].String()
-
-	ca.c.Log.WithFields(logrus.Fields{
-		telemetry.SPIFFEID:   spiffeID,
-		telemetry.Expiration: cert.NotAfter.Format(time.RFC3339),
-	}).Debug("Signed X509 CA SVID")
-
 	telemetry_server.IncrServerCASignX509CACounter(ca.c.Metrics)
 
 	return makeSVIDCertChain(x509CA, cert), nil
@@ -282,12 +266,6 @@ func (ca *CA) SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, er
 	}
 
 	telemetry_server.IncrServerCASignJWTSVIDCounter(ca.c.Metrics)
-	ca.c.Log.WithFields(logrus.Fields{
-		telemetry.Audience:   params.Audience,
-		telemetry.Expiration: expiresAt.Format(time.RFC3339),
-		telemetry.SPIFFEID:   params.SpiffeID,
-	}).Debug("Server CA successfully signed JWT SVID")
-
 	return token, nil
 }
 

pkg/server/server.go

@@ -250,7 +250,6 @@ func (s *Server) loadCatalog(ctx context.Context, metrics telemetry.Metrics, ide
 
 func (s *Server) newCA(metrics telemetry.Metrics, healthChecker health.Checker) *ca.CA {
 	return ca.NewCA(ca.Config{
-		Log:           s.config.Log.WithField(telemetry.SubsystemName, telemetry.CA),
 		Metrics:       metrics,
 		X509SVIDTTL:   s.config.SVIDTTL,
 		JWTIssuer:     s.config.JWTIssuer,

pkg/server/svid/rotator.go

@@ -7,7 +7,9 @@ import (
 	"time"
 
 	"github.com/imkira/go-observer"
+	"github.com/sirupsen/logrus"
 	"github.com/spiffe/spire/pkg/common/idutil"
+	"github.com/spiffe/spire/pkg/common/telemetry"
 	telemetry_server "github.com/spiffe/spire/pkg/common/telemetry/server"
 	"github.com/spiffe/spire/pkg/server/ca"
 )
@@ -94,6 +96,11 @@ func (r *Rotator) rotateSVID(ctx context.Context) (err error) {
 		return err
 	}
 
+	r.c.Log.WithFields(logrus.Fields{
+		telemetry.SPIFFEID:   svid[0].URIs[0].String(),
+		telemetry.Expiration: svid[0].NotAfter.Format(time.RFC3339),
+	}).Debug("Signed X509 SVID")
+
 	r.state.Update(State{
 		SVID: svid,
 		Key:  signer,