Log Service
By default, Emissary puts the access logs on stdout; such
that the can be read using kubectl logs. The format of those logs,
and the local destination of them, can be configured using the
envoy_log_ settings in the ambassador Module. However, the
options there only allow for logging local to Emissary’s Pod. By
configuring a LogService, you can configure Emissary to
report its access logs to a remote service, in addition to the usual
ambassador Module configured logging.
The remote access log service (or ALS) must implement the
AccessLogService gRPC interface, defined in Envoy’s als.proto.
---
apiVersion: getambassador.io/v3alpha1
kind: LogService
metadata:
name: example-log-service
spec:
# Common to all Emissary resources
ambassador_id: []string # optional; default is ["default"]
# LogService specific
service: "string" # required
driver: "enum-string:[tcp, http]" # required
driver_config: # required
additional_log_headers: # optional; default is [] (only for `driver: http`)
- header_name: string # required
during_request: boolean # optional; default is true
during_response: boolean # optional; default is true
during_trailer: boolean # optional; default is true
flush_interval_time: int-seconds # optional; default is 1
flush_interval_byte_size: integer # optional; default is 16384
grpc: boolean # optional; default is false
protocol_version: enum # optional; default is v2
-
serviceis where to route the access log gRPC requests to -
driveridentifies which type of accesses to log; HTTP requests ("http") or TLS connections ("tcp"). -
driver_configstores the configuration that is specific to thedriver:-
driver: tcphas no additional configuration; the config must be set asdriver_config: {}. -
driver: httpadditional_log_headersidentifies HTTP headers to include in the access log, and when in the logged-request’s lifecycle to include them.
-
-
flush_interval_timeis the maximum number of seconds to buffer accesses for before sending them to the ALS. The logs will be flushed to the ALS every time this duration is reached, or when the buffered data reachesflush_interval_byte_size, whichever comes first. See the Envoy documentation onbuffer_flush_intervalfor more information. -
flush_interval_byte_sizeis a soft size limit for the access log buffer. The logs will be flushed to the ALS every time the buffered data reaches this size, or wheneverflush_interval_timeelapses, whichever comes first. See the Envoy documentation onbuffer_size_bytesfor more information. -
grpcmust betrue.
protocol_versionControls the gRPC service name used to communicate with theLogService. Allowed values arev2, which uses theenvoy.service.auth.v2.Authorizationservice name; andv3, which uses theenvoy.service.auth.v3.Authorizationservice name.v3cannot be used with theAMBASSADOR_ENVOY_API_VERSION=V2environment variable.
Example
---
apiVersion: getambassador.io/v3alpha1
kind: LogService
metadata:
name: als
spec:
service: "als.default:3000"
driver: http
driver_config: {} # NB: driver_config must be set, even if it's empty
grpc: true # NB: grpc must be true
Transport Protocol Migration
Note: The following information is only applicable to
AuthServicesusingproto: grpcAs of Emissary version 2.3, thev2transport protocol is deprecated and any AuthServices making use of it should migrate tov3before support forv2is removed in a future release.
The following imports simply need to be updated to migrate an AuthService
v2 Imports:
envoyCoreV2 "github.com/datawire/ambassador/pkg/api/envoy/api/v2/core"
envoyAuthV2 "github.com/datawire/ambassador/pkg/api/envoy/service/auth/v2"
envoyType "github.com/datawire/ambassador/pkg/api/envoy/type"
v3 Imports:
envoyCoreV3 "github.com/datawire/ambassador/v2/pkg/api/envoy/config/core/v3"
envoyAuthV3 "github.com/datawire/ambassador/v2/pkg/api/envoy/service/auth/v3"
envoyType "github.com/datawire/ambassador/v2/pkg/api/envoy/type/v3"