envoy: add separate proxy log level option (#689)

2025-08-06 10:21:05 +02:00 · 2020-05-11 18:00:11 -06:00 · 2020-05-11 18:00:11 -06:00 · 352c2b851b
commit 352c2b851b
parent af649d3eb0
7 changed files with 52 additions and 10 deletions
--- a/config/options.go
+++ b/config/options.go
@ -43,6 +43,10 @@ type Options struct {
 	// Possible options are "info","warn", and "error". Defaults to "debug".
 	LogLevel string `mapstructure:"log_level" yaml:"log_level,omitempty"`

+	// ProxyLogLevel sets the log level for the proxy service.
+	// Possible options are "info","warn", and "error". Defaults to the value of `LogLevel`.
+	ProxyLogLevel string `mapstructure:"proxy_log_level" yaml:"proxy_log_level,omitempty"`
+
 	// SharedKey is the shared secret authorization key used to mutually authenticate
 	// requests between services.
 	SharedKey string `mapstructure:"shared_secret" yaml:"shared_secret,omitempty"`
--- a/docs/configuration/readme.md
+++ b/docs/configuration/readme.md
@ -110,6 +110,16 @@ If `false`

 Log level sets the global logging level for pomerium. Only logs of the desired level and above will be logged.

+### Proxy Log Level
+
+- Environmental Variable: `PROXY_LOG_LEVEL`
+- Config File Key: `proxy_log_level`
+- Type: `string`
+- Options: `debug` `info` `warn` `error`
+- Default: value of `log_level` or `debug` if both are unset
+
+Log level sets the logging level for the pomerium proxy service. Only logs of the desired level and above will be logged.
+
 ### Insecure Server

 - Environmental Variable: `INSECURE_SERVER`
--- a/internal/controlplane/grpc_accesslog.go
+++ b/internal/controlplane/grpc_accesslog.go
@ -2,6 +2,7 @@ package controlplane

 import (
 	envoy_service_accesslog_v2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2"
+
 	"github.com/pomerium/pomerium/internal/log"
 )

--- a/internal/controlplane/grpc_xds.go
+++ b/internal/controlplane/grpc_xds.go
@ -7,8 +7,9 @@ import (
 	"fmt"

 	envoy_service_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
-	"github.com/pomerium/pomerium/internal/log"
 	"golang.org/x/sync/errgroup"
+
+	"github.com/pomerium/pomerium/internal/log"
 )

 func (srv *Server) registerXDSHandlers() {
@ -91,7 +92,7 @@ func (srv *Server) streamAggregatedResourcesProcessStep(
 			return ctx.Err()
 		}

-		current := srv.currentConfig.Load().(versionedOptions)
+		current := srv.currentConfig.Load()
 		for typeURL, version := range versions {
 			// the versions are different, so the envoy config needs to be updated
 			if version != fmt.Sprint(current.version) {
--- a/internal/controlplane/server.go
+++ b/internal/controlplane/server.go
@ -21,6 +21,18 @@ type versionedOptions struct {
 	version int64
 }

+type atomicVersionedOptions struct {
+	value atomic.Value
+}
+
+func (avo *atomicVersionedOptions) Load() versionedOptions {
+	return avo.value.Load().(versionedOptions)
+}
+
+func (avo *atomicVersionedOptions) Store(options versionedOptions) {
+	avo.value.Store(options)
+}
+
 // A Server is the control-plane gRPC and HTTP servers.
 type Server struct {
 	GRPCListener net.Listener
@ -28,7 +40,7 @@ type Server struct {
 	HTTPListener net.Listener
 	HTTPRouter   *mux.Router

-	currentConfig atomic.Value
+	currentConfig atomicVersionedOptions
 	configUpdated chan struct{}
 }

@ -129,7 +141,7 @@ func (srv *Server) UpdateOptions(options config.Options) error {
 	case <-srv.configUpdated:
 	default:
 	}
-	prev := srv.currentConfig.Load().(versionedOptions)
+	prev := srv.currentConfig.Load()
 	srv.currentConfig.Store(versionedOptions{
 		Options: options,
 		version: prev.version + 1,
--- a/internal/controlplane/xds.go
+++ b/internal/controlplane/xds.go
@ -56,7 +56,22 @@ func (srv *Server) buildDiscoveryResponse(version string, typeURL string, option
 	}
 }

-func (srv *Server) buildAccessLog() *envoy_config_accesslog_v3.AccessLog {
+func (srv *Server) buildAccessLogs(options config.Options) []*envoy_config_accesslog_v3.AccessLog {
+	lvl := options.ProxyLogLevel
+	if lvl == "" {
+		lvl = options.LogLevel
+	}
+	if lvl == "" {
+		lvl = "debug"
+	}
+
+	switch lvl {
+	case "trace", "debug", "info":
+	default:
+		// don't log access requests for levels > info
+		return nil
+	}
+
 	tc, _ := ptypes.MarshalAny(&envoy_extensions_access_loggers_grpc_v3.HttpGrpcAccessLogConfig{
 		CommonConfig: &envoy_extensions_access_loggers_grpc_v3.CommonGrpcAccessLogConfig{
 			LogName: "ingress-http",
@ -69,10 +84,10 @@ func (srv *Server) buildAccessLog() *envoy_config_accesslog_v3.AccessLog {
 			},
 		},
 	})
-	return &envoy_config_accesslog_v3.AccessLog{
+	return []*envoy_config_accesslog_v3.AccessLog{{
 		Name:       "envoy.access_loggers.http_grpc",
 		ConfigType: &envoy_config_accesslog_v3.AccessLog_TypedConfig{TypedConfig: tc},
-	}
+	}}
 }

 func buildAddress(hostport string, defaultPort int) *envoy_config_core_v3.Address {
--- a/internal/controlplane/xds_listeners.go
+++ b/internal/controlplane/xds_listeners.go
@ -4,7 +4,6 @@ import (
 	"encoding/base64"
 	"sort"

-	envoy_config_accesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3"
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
@ -149,7 +148,7 @@ end
 				Name: "envoy.filters.http.router",
 			},
 		},
-		AccessLog: []*envoy_config_accesslog_v3.AccessLog{srv.buildAccessLog()},
+		AccessLog: srv.buildAccessLogs(options),
 	})

 	li := &envoy_config_listener_v3.Listener{