Support file-based envoy access logs via proxy-defaults for API gateway and sidecar proxies

control-plane/api-gateway/gatekeeper/deployment.go

@@ -5,7 +5,9 @@ package gatekeeper
 
 import (
 	"context"
+	"fmt"
 	"strconv"
+	"strings"
 
 	"github.com/go-logr/logr"
 	"github.com/google/go-cmp/cmp"
@@ -22,6 +24,8 @@ import (
 	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
 	"github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1"
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+	"github.com/hashicorp/consul-k8s/control-plane/consul"
+	capi "github.com/hashicorp/consul/api"
 )
 
 const (
@@ -110,6 +114,18 @@ func (g *Gatekeeper) deployment(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayC
 
 	volumes, mounts := volumesAndMounts(gateway)
 
+	//Checking whether an additional volume is required for access logs defined in the proxy-defaults.
+	accessLogPath, err := g.getAccessLogPathFromProxyDefaults()
+	if err != nil {
+		g.Log.Error(err, "error fetching proxy defaults for access logs")
+		return nil, err
+	}
+
+	if accessLogPath != "" {
+		volumes = append(volumes, accessLogVolume())
+		mounts = append(mounts, accessLogVolumeMount(accessLogPath))
+	}
+
 	container, err := consulDataplaneContainer(metrics, config, gcc, gateway, mounts)
 	if err != nil {
 		return nil, err
@@ -318,3 +334,38 @@ func deploymentReplicas(gcc v1alpha1.GatewayClassConfig, currentReplicas *int32)
 	}
 	return &instanceValue
 }
+
+// fetches the global proxy-defaults config from consul and checks if access logs are enabled.
+// If enabled and of type file, it returns the access log path to be used for creating volume mount.
+func (g *Gatekeeper) getAccessLogPathFromProxyDefaults() (string, error) {
+	// If no ConsulConfig is provided, skip fetching proxy-defaults.
+	if g.ConsulConfig == nil {
+		return "", nil
+	}
+
+	consulClient, err := consul.NewClient(g.ConsulConfig.APIClientConfig, g.ConsulConfig.APITimeout)
+	if err != nil {
+		return "", fmt.Errorf("unable to connect with consul client %s", err)
+	}
+
+	cfgEntry, _, err := consulClient.ConfigEntries().Get(capi.ProxyDefaults, capi.ProxyConfigGlobal, nil)
+	if err != nil && !strings.Contains(err.Error(), "404") {
+		return "", fmt.Errorf("error checking global proxy-defaults: %s", err)
+	}
+
+	if err != nil && strings.Contains(err.Error(), "404") {
+		return "", nil
+	}
+
+	proxyDefaults, ok := cfgEntry.(*capi.ProxyConfigEntry)
+	if !ok {
+		return "", fmt.Errorf("unexpected type for proxy-defaults: %T", cfgEntry)
+	}
+
+	if proxyDefaults.AccessLogs.Enabled {
+		if proxyDefaults.AccessLogs.Type == capi.FileLogSinkType {
+			return proxyDefaults.AccessLogs.Path, nil
+		}
+	}
+	return "", nil
+}

control-plane/api-gateway/gatekeeper/volumes.go

@@ -4,6 +4,8 @@
 package gatekeeper
 
 import (
+	"path/filepath"
+
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/gateway-api/apis/v1beta1"
 
@@ -47,3 +49,21 @@ func volumesAndMounts(gateway v1beta1.Gateway) ([]corev1.Volume, []corev1.Volume
 
 	return volumes, mounts
 }
+
+const accessLogVolumeName = "envoy-access-logs"
+
+func accessLogVolume() corev1.Volume {
+	return corev1.Volume{
+		Name: accessLogVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumDefault},
+		},
+	}
+}
+
+func accessLogVolumeMount(path string) corev1.VolumeMount {
+	return corev1.VolumeMount{
+		Name:      accessLogVolumeName,
+		MountPath: filepath.Dir(path),
+	}
+}