Add a config to surpress amphora logging

Change-Id: I502e701acbaf0e92a64791a632eeb5ae61123bdd

etc/octavia.conf

@@ -164,6 +164,7 @@
 # base_cert_dir = /var/lib/octavia/certs
 # Absolute path to a custom HAProxy template file
 # haproxy_template =
+# connection_logging = True
 # connection_max_retries = 300
 # connection_retry_interval = 5
 # build_rate_limit = -1

octavia/amphorae/drivers/haproxy/rest_api_driver.py

@@ -53,10 +53,12 @@ class HaproxyAmphoraLoadBalancerDriver(
             name=CONF.certificates.cert_manager,
             invoke_on_load=True,
         ).driver
+
         self.jinja = jinja_cfg.JinjaTemplater(
             base_amp_path=CONF.haproxy_amphora.base_path,
             base_crt_dir=CONF.haproxy_amphora.base_cert_dir,
-            haproxy_template=CONF.haproxy_amphora.haproxy_template)
+            haproxy_template=CONF.haproxy_amphora.haproxy_template,
+            connection_logging=CONF.haproxy_amphora.connection_logging)
 
     def update(self, listener, vip):
         LOG.debug("Amphora %s haproxy, updating listener %s, vip %s",

octavia/common/config.py

@@ -231,6 +231,8 @@ haproxy_amphora_opts = [
                default='/var/lib/octavia/certs',
                help=_('Base directory for cert storage.')),
     cfg.StrOpt('haproxy_template', help=_('Custom haproxy template.')),
+    cfg.BoolOpt('connection_logging', default=True,
+                help=_('Set this to False to disable connection logging.')),
     cfg.IntOpt('connection_max_retries',
                default=300,
                help=_('Retry threshold for connecting to amphorae.')),

octavia/common/jinja/haproxy/jinja_cfg.py

@@ -58,7 +58,8 @@ class JinjaTemplater(object):
                  base_crt_dir=None,
                  haproxy_template=None,
                  log_http=None,
-                 log_server=None):
+                 log_server=None,
+                 connection_logging=True):
         """HaProxy configuration generation
 
         :param base_amp_path: Base path for amphora data
@@ -66,6 +67,7 @@ class JinjaTemplater(object):
         :param haproxy_template: Absolute path to Jinja template
         :param log_http: Haproxy HTTP logging path
         :param log_server: Haproxy Server logging path
+        :param connection_logging: enable logging connections in haproxy
         """
 
         self.base_amp_path = base_amp_path or BASE_PATH
@@ -73,6 +75,7 @@ class JinjaTemplater(object):
         self.haproxy_template = haproxy_template or HAPROXY_TEMPLATE
         self.log_http = log_http
         self.log_server = log_server
+        self.connection_logging = connection_logging
 
     def build_config(self, host_amphora, listener, tls_cert,
                      socket_path=None,
@@ -130,7 +133,8 @@ class JinjaTemplater(object):
              'user_group': user_group,
              'stats_sock': socket_path,
              'log_http': self.log_http,
-             'log_server': self.log_server},
+             'log_server': self.log_server,
+             'connection_logging': self.connection_logging},
             constants=constants)
 
     def _transform_loadbalancer(self, host_amphora, loadbalancer, listener,

octavia/common/jinja/haproxy/templates/base.j2

@@ -35,7 +35,11 @@ global
     {% endfor %}
 
 defaults
+    {% if connection_logging %}
     log global
+    {% else %}
+    no log
+    {% endif %}
     retries 3
     option redispatch
 

octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py

@@ -753,3 +753,20 @@ class TestHaproxyCfg(base.TestCase):
         exp_codes = '201-200, 205'
         self.assertEqual(
             self.jinja_cfg._expand_expected_codes(exp_codes), set(['205']))
+
+    def test_render_template_no_log(self):
+        j_cfg = jinja_cfg.JinjaTemplater(
+            base_amp_path='/var/lib/octavia',
+            base_crt_dir='/var/lib/octavia/certs',
+            connection_logging=False)
+        defaults = ("defaults\n"
+                    "    no log\n"
+                    "    retries 3\n"
+                    "    option redispatch\n\n")
+        rendered_obj = j_cfg.render_loadbalancer_obj(
+            sample_configs.sample_amphora_tuple(),
+            sample_configs.sample_listener_tuple()
+        )
+        self.assertEqual(
+            sample_configs.sample_base_expected_config(defaults=defaults),
+            rendered_obj)

releasenotes/notes/disable_logging-3b50f388ee2b8127.yaml

@@ -0,0 +1,18 @@
+---
+features:
+  - |
+    The new option `[haproxy_amphora]/connection_logging` will disable logging
+    of connection data if set to False which can improve performance of the
+    load balancer and might aid compliance.
+security:
+  - |
+    Disabling connection logging might make it more difficult to audit
+    systems for unauthorized access, from which IPs it originated, and
+    which assets were compromised.
+other:
+  - |
+    As part of GDPR compliance, connection logs might be considered
+    personal data and might need to follow specific data retention policies.
+    Disabling connection logging might aid in making Octavia compliant by
+    preventing the output of such data. As always, consult with an expert
+    on compliance prior to making changes.