Switch to JSON formatted access logs

.gitattributes

@@ -0,0 +1 @@
+vendor/**/* linguist-generated=true

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang@sha256:d6df8b2e22c9c87fde828b18e0d0d5707bfe03034a49c0bde72ff5a1f5ebb5fe as builder
+FROM golang:1.23.4@sha256:7ea4c9dcb2b97ff8ee80a67db3d44f98c8ffa0d191399197007d8459c1453041 AS builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

Makefile

@@ -1,7 +1,5 @@
 # Image URL to use all building/pushing image targets
 IMG ?= ${ACC}.dkr.ecr.eu-west-1.amazonaws.com/monzo/egress-operator:manager-$(shell git rev-parse --short head)
-# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -39,7 +37,7 @@ deploy: manifests
 
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 # Run go fmt against code
 fmt:
@@ -55,7 +53,7 @@ generate: controller-gen
 
 # Build the docker image
 docker-build: test
-	docker build . -t ${IMG}
+	docker buildx build . -t ${IMG} --platform=linux/amd64
 
 # Push the docker image
 docker-push:
@@ -66,14 +64,11 @@ docker-push:
 controller-gen:
 ifeq (, $(shell which controller-gen))
 	@{ \
-	set -e ;\
-	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
-	cd $$CONTROLLER_GEN_TMP_DIR ;\
-	go mod init tmp ;\
-	go get sigs.k8s.io/controller-tools/cmd/[email protected] ;\
-	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
+	set -ex ;\
+	mkdir -p bin ;\
+	GOBIN=$$(pwd)/bin go install sigs.k8s.io/controller-tools/cmd/[email protected] ;\
 	}
-CONTROLLER_GEN=$(GOBIN)/controller-gen
+CONTROLLER_GEN=./bin/controller-gen
 else
 CONTROLLER_GEN=$(shell which controller-gen)
 endif

api/v1/externalservice_types.go

@@ -79,6 +79,16 @@ type ExternalServiceSpec struct {
 	// Provides a way to override the global default
 	// +optional
 	ServiceTopologyMode string `json:"serviceTopologyMode,omitempty"`
+
+	// Output admin logs in JSON format as opposed to a text string.
+	// Defaults to false
+	// +optional
+	JsonAdminAccessLogs bool `json:"envoyJsonAdminAccessLogs,omitempty"`
+
+	// Output access logs in JSON format as opposed to a text string.
+	// Defaults to false
+	// +optional
+	JsonClusterAccessLogs bool `json:"envoyJsonClusterAccessLogs,omitempty"`
 }
 
 type ExternalServicePort struct {

config/crd/bases/egress.monzo.com_externalservices.yaml

@@ -1,11 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.17.0
   name: externalservices.egress.monzo.com
 spec:
   group: egress.monzo.com
@@ -22,14 +20,19 @@ spec:
         description: ExternalService is the Schema for the externalservices API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -40,29 +43,38 @@ spec:
                 description: DnsName is a DNS name target for the external service
                 type: string
               envoyClusterMaxConnections:
-                description: The maximum number of connections that Envoy will establish
-                  to all hosts in an upstream cluster (defaults to 1024). If this
-                  circuit breaker overflows the upstream_cx_overflow counter for the
-                  cluster will increment.
+                description: |-
+                  The maximum number of connections that Envoy will establish to all hosts in an upstream cluster (defaults to 1024).
+                  If this circuit breaker overflows the upstream_cx_overflow counter for the cluster will increment.
                 format: int32
                 type: integer
               envoyDnsRefreshRateS:
                 description: "Corresponds to Envoy's dns_refresh_rate config field
-                  for this cluster, in seconds See\thttps://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto"
+                  for this cluster, in seconds\nSee\thttps://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto"
                 format: int64
                 type: integer
+              envoyJsonAdminAccessLogs:
+                description: |-
+                  Output admin logs in JSON format as opposed to a text string.
+                  Defaults to false
+                type: boolean
+              envoyJsonClusterAccessLogs:
+                description: |-
+                  Output access logs in JSON format as opposed to a text string.
+                  Defaults to false
+                type: boolean
               envoyLogLevel:
                 description: Input to the --log-level command line option. See the
                   help text for the available log levels and the default.
                 type: string
               envoyRespectDnsTTL:
                 description: "Corresponds to Envoy's respect_dns_ttl config field
-                  for this cluster. See\thttps://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto"
+                  for this cluster.\nSee\thttps://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto"
                 type: boolean
               hijackDns:
-                description: 'If true, add a `egress.monzo.com/hijack-dns: true` label
-                  to produced Service objects CoreDNS can watch this label and decide
-                  to rewrite DnsName -> clusterIP'
+                description: |-
+                  If true, add a `egress.monzo.com/hijack-dns: true` label to produced Service objects
+                  CoreDNS can watch this label and decide to rewrite DnsName -> clusterIP
                 type: boolean
               ipOverride:
                 description: When set allows overwriting the A records of the DNS
@@ -90,8 +102,9 @@ spec:
                       format: int32
                       type: integer
                     protocol:
-                      description: The protocol (TCP or UDP) which traffic must match.
-                        If not specified, this field defaults to TCP.
+                      description: |-
+                        The protocol (TCP or UDP) which traffic must match. If not specified, this
+                        field defaults to TCP.
                       type: string
                   type: object
                 type: array
@@ -100,18 +113,28 @@ spec:
                   for gateway pods. Defaults to 100m, 50Mi, 2, 1Gi
                 properties:
                   claims:
-                    description: "Claims lists the names of resources, defined in
-                      spec.resourceClaims, that are used by this container. \n This
-                      is an alpha field and requires enabling the DynamicResourceAllocation
-                      feature gate. \n This field is immutable. It can only be set
-                      for containers."
+                    description: |-
+                      Claims lists the names of resources, defined in spec.resourceClaims,
+                      that are used by this container.
+
+                      This is an alpha field and requires enabling the
+                      DynamicResourceAllocation feature gate.
+
+                      This field is immutable. It can only be set for containers.
                     items:
                       description: ResourceClaim references one entry in PodSpec.ResourceClaims.
                       properties:
                         name:
-                          description: Name must match the name of one entry in pod.spec.resourceClaims
-                            of the Pod where this field is used. It makes that resource
-                            available inside a container.
+                          description: |-
+                            Name must match the name of one entry in pod.spec.resourceClaims of
+                            the Pod where this field is used. It makes that resource available
+                            inside a container.
+                          type: string
+                        request:
+                          description: |-
+                            Request is the name chosen for a request in the referenced claim.
+                            If empty, everything from the claim is made available, otherwise
+                            only the result of this request.
                           type: string
                       required:
                       - name
@@ -127,8 +150,9 @@ spec:
                       - type: string
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
-                    description: 'Limits describes the maximum amount of compute resources
-                      allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                    description: |-
+                      Limits describes the maximum amount of compute resources allowed.
+                      More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                     type: object
                   requests:
                     additionalProperties:
@@ -137,11 +161,11 @@ spec:
                       - type: string
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
-                    description: 'Requests describes the minimum amount of compute
-                      resources required. If Requests is omitted for a container,
-                      it defaults to Limits if that is explicitly specified, otherwise
-                      to an implementation-defined value. Requests cannot exceed Limits.
-                      More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                    description: |-
+                      Requests describes the minimum amount of compute resources required.
+                      If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                      otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                      More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                     type: object
                 type: object
               serviceTopologyMode:
@@ -159,9 +183,3 @@ spec:
         type: object
     served: true
     storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

config/rbac/kustomization.yaml

@@ -9,3 +9,16 @@ resources:
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
+patches:
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: ClusterRole
+    name: manager-role
+  path: patches/manager_clusterrole_additions.yaml
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: Role
+    name: manager-role
+  path: patches/manager_role_additions.yaml

config/rbac/patches/manager_clusterrole_additions.yaml

@@ -0,0 +1,15 @@
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch

config/rbac/patches/manager_role_additions.yaml

@@ -0,0 +1,13 @@
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - watch

config/rbac/role.yaml

@@ -1,9 +1,7 @@
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:
@@ -26,49 +24,38 @@ rules:
   - get
   - patch
   - update
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  creationTimestamp: null
   name: manager-role
   namespace: egress-operator-system
 rules:
 - apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - autoscaling
+  - ""
   resources:
-  - horizontalpodautoscalers
+  - configmaps
+  - services
   verbs:
   - create
   - get
   - list
   - patch
   - watch
 - apiGroups:
-  - ""
+  - apps
   resources:
-  - configmaps
+  - deployments
   verbs:
   - create
   - get
   - list
   - patch
   - watch
 - apiGroups:
-  - ""
+  - autoscaling
   resources:
-  - services
+  - horizontalpodautoscalers
   verbs:
   - create
   - get