From 1e4155f8ed3053197d8abbe83f233e01b173ad71 Mon Sep 17 00:00:00 2001
From: German Eichberger
Date: Mon, 7 May 2018 14:16:30 -0700
Subject: [PATCH] Add a config to surpress amphora logging

Change-Id: I502e701acbaf0e92a64791a632eeb5ae61123bdd
---
 etc/octavia.conf | 1 +
 .../drivers/haproxy/rest_api_driver.py | 4 +++-
 octavia/common/config.py | 2 ++
 octavia/common/jinja/haproxy/jinja_cfg.py | 8 ++++++--
 octavia/common/jinja/haproxy/templates/base.j2 | 4 ++++
 .../common/jinja/haproxy/test_jinja_cfg.py | 17 +++++++++++++++++
 .../disable_logging-3b50f388ee2b8127.yaml | 18 ++++++++++++++++++
 7 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/disable_logging-3b50f388ee2b8127.yaml

diff --git a/etc/octavia.conf b/etc/octavia.conf
index 218115e459..88e17452d1 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -164,6 +164,7 @@
 # base_cert_dir = /var/lib/octavia/certs
 # Absolute path to a custom HAProxy template file
 # haproxy_template =
+# connection_logging = True
 # connection_max_retries = 300
 # connection_retry_interval = 5
 # build_rate_limit = -1
diff --git a/octavia/amphorae/drivers/haproxy/rest_api_driver.py b/octavia/amphorae/drivers/haproxy/rest_api_driver.py
index 7722eb0417..ff9e08cfdf 100644
--- a/octavia/amphorae/drivers/haproxy/rest_api_driver.py
+++ b/octavia/amphorae/drivers/haproxy/rest_api_driver.py
@@ -53,10 +53,12 @@ class HaproxyAmphoraLoadBalancerDriver(
 name=CONF.certificates.cert_manager,
 invoke_on_load=True,
 ).driver
+
 self.jinja = jinja_cfg.JinjaTemplater(
 base_amp_path=CONF.haproxy_amphora.base_path,
 base_crt_dir=CONF.haproxy_amphora.base_cert_dir,
- haproxy_template=CONF.haproxy_amphora.haproxy_template)
+ haproxy_template=CONF.haproxy_amphora.haproxy_template,
+ connection_logging=CONF.haproxy_amphora.connection_logging)

 def update(self, listener, vip):
 LOG.debug("Amphora %s haproxy, updating listener %s, vip %s",
diff --git a/octavia/common/config.py b/octavia/common/config.py
index c2ae6368f6..28ba348a03 100644
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@@ -231,6 +231,8 @@ haproxy_amphora_opts = [
 default='/var/lib/octavia/certs',
 help=_('Base directory for cert storage.')),
 cfg.StrOpt('haproxy_template', help=_('Custom haproxy template.')),
+ cfg.BoolOpt('connection_logging', default=True,
+ help=_('Set this to False to disable connection logging.')),
 cfg.IntOpt('connection_max_retries',
 default=300,
 help=_('Retry threshold for connecting to amphorae.')),
diff --git a/octavia/common/jinja/haproxy/jinja_cfg.py b/octavia/common/jinja/haproxy/jinja_cfg.py
index 0f0690f63e..091d6c473b 100644
--- a/octavia/common/jinja/haproxy/jinja_cfg.py
+++ b/octavia/common/jinja/haproxy/jinja_cfg.py
@@ -58,7 +58,8 @@ class JinjaTemplater(object):
 base_crt_dir=None,
 haproxy_template=None,
 log_http=None,
- log_server=None):
+ log_server=None,
+ connection_logging=True):
 """HaProxy configuration generation

 :param base_amp_path: Base path for amphora data
@@ -66,6 +67,7 @@ class JinjaTemplater(object):
 :param haproxy_template: Absolute path to Jinja template
 :param log_http: Haproxy HTTP logging path
 :param log_server: Haproxy Server logging path
+ :param connection_logging: enable logging connections in haproxy
 """

 self.base_amp_path = base_amp_path or BASE_PATH
@@ -73,6 +75,7 @@ class JinjaTemplater(object):
 self.haproxy_template = haproxy_template or HAPROXY_TEMPLATE
 self.log_http = log_http
 self.log_server = log_server
+ self.connection_logging = connection_logging

 def build_config(self, host_amphora, listener, tls_cert,
 socket_path=None,
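Review bot: The help text of the new `connection_logging` BoolOpt in the config.py hunk says only what the switch does, not what an operator loses by setting it to False, and because oslo-config-generator renders this help into the sample file it is the one place most deployers will ever see the trade-off that the release note spells out. Suggest `help=_('Set this to False to disable connection logging. Disabling it removes the per-connection log lines used to audit access to the load balancer; see the release note for the compliance trade-off.')`. The `haproxy_amphora_opts` list continues outside the hunk.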
@@ -130,7 +133,8 @@ class JinjaTemplater(object):
 'user_group': user_group,
 'stats_sock': socket_path,
 'log_http': self.log_http,
- 'log_server': self.log_server},
+ 'log_server': self.log_server,
+ 'connection_logging': self.connection_logging},
 constants=constants)

 def _transform_loadbalancer(self, host_amphora, loadbalancer, listener,
diff --git a/octavia/common/jinja/haproxy/templates/base.j2 b/octavia/common/jinja/haproxy/templates/base.j2
index 84631345b2..3aad721e19 100644
--- a/octavia/common/jinja/haproxy/templates/base.j2
+++ b/octavia/common/jinja/haproxy/templates/base.j2
@@ -35,7 +35,11 @@ global
 {% endfor %}

 defaults
+ {% if connection_logging %}
 log global
+ {% else %}
+ no log
+ {% endif %}
 retries 3
 option redispatch

diff --git a/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py b/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py
index 7a27ae471d..e2d2aa6752 100644
--- a/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py
+++ b/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py
@@ -753,3 +753,20 @@ class TestHaproxyCfg(base.TestCase):
 exp_codes = '201-200, 205'
 self.assertEqual(
 self.jinja_cfg._expand_expected_codes(exp_codes), set(['205']))
+
+ def test_render_template_no_log(self):
+ j_cfg = jinja_cfg.JinjaTemplater(
+ base_amp_path='/var/lib/octavia',
+ base_crt_dir='/var/lib/octavia/certs',
+ connection_logging=False)
+ defaults = ("defaults\n"
+ " no log\n"
+ " retries 3\n"
+ " option redispatch\n\n")
+ rendered_obj = j_cfg.render_loadbalancer_obj(
+ sample_configs.sample_amphora_tuple(),
+ sample_configs.sample_listener_tuple()
+ )
+ self.assertEqual(
+ sample_configs.sample_base_expected_config(defaults=defaults),
+ rendered_obj)
diff --git a/releasenotes/notes/disable_logging-3b50f388ee2b8127.yaml b/releasenotes/notes/disable_logging-3b50f388ee2b8127.yaml
new file mode 100644
index 0000000000..c0d9f2d717
--- /dev/null
+++ b/releasenotes/notes/disable_logging-3b50f388ee2b8127.yaml
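Review bot: `no log` in the `defaults` section of the base.j2 hunk switches off every proxy-level log line that the listeners inherit, not only the per-connection records the option name and help text suggest; as far as I recall HAProxy also routes proxy error events such as server state changes through that log target, so they would be lost as well, which undercuts the audit concern the release note itself raises. If the intent is to drop the volume of successful-connection records while keeping errors, HAProxy's `option dontlog-normal` does exactly that, so the `else` branch could render `log global` followed by `option dontlog-normal` instead of `no log`, with the expected `defaults` string in the new test_jinja_cfg test updated to match. Whichever behaviour is kept, the help text and release note should say which events are still logged. The `defaults` section continues past the end of the hunk.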
@@ -0,0 +1,18 @@
+---
+features:
+ - |
+ The new option `[haproxy_amphora]/connection_logging` will disable logging
+ of connection data if set to False which can improve performance of the
+ load balancer and might aid compliance.
+security:
+ - |
+ Disabling connection logging might make it more difficult to audit
+ systems for unauthorized access, from which IPs it originated, and
+ which assets were compromised.
+other:
+ - |
+ As part of GDPR compliance, connection logs might be considered
+ personal data and might need to follow specific data retention policies.
+ Disabling connection logging might aid in making Octavia compliant by
+ preventing the output of such data. As always, consult with an expert
+ on compliance prior to making changes.