From e245fd0f6b06c59a83062ff57a1868f69072c785 Mon Sep 17 00:00:00 2001
From: Rafal Wegrzycki
Date: Wed, 8 Sep 2021 12:35:14 +0200
Subject: [PATCH] AP: enable FQDN as syslog destination
---
 examples/appprotect/README.md | 5 +++--
 internal/k8s/appprotect/app_protect_resources.go | 9 +++++++--
 internal/k8s/appprotect/app_protect_resources_test.go | 4 ++--
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/examples/appprotect/README.md b/examples/appprotect/README.md
index 74ac0dd4e6..0242142f80 100644
--- a/examples/appprotect/README.md
+++ b/examples/appprotect/README.md
@@ -41,10 +41,11 @@ $ kubectl create -f cafe.yaml ``` 4. Create an Ingress Resource: - Update the `appprotect.f5.com/app-protect-security-log-destination` annotation from `cafe-ingress.yaml` with the ClusterIP of the syslog service. For example, if the IP is `10.101.21.110`: + Update the `appprotect.f5.com/app-protect-security-log-destination` annotation from `cafe-ingress.yaml` with the FQDN of the syslog service. + For example, if the service name is `syslog-svc` and it is in the `default` namespace (You can also use the service ClusterIP): ```yaml . . . - appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.101.21.110:514" + appprotect.f5.com/app-protect-security-log-destination: "syslog:server=syslog-svc.default:514" ``` Create the Ingress Resource: ```
diff --git a/internal/k8s/appprotect/app_protect_resources.go b/internal/k8s/appprotect/app_protect_resources.go
index 57c5d11b1e..38b845656d 100644
--- a/internal/k8s/appprotect/app_protect_resources.go
+++ b/internal/k8s/appprotect/app_protect_resources.go
@@ -73,13 +73,14 @@ func validateAppProtectLogConf(logConf *unstructured.Unstructured) error {
 }
 
 var (
-	logDstEx = regexp.MustCompile(`(?:syslog:server=((?:\d{1,3}\.){3}\d{1,3}|localhost):\d{1,5})|stderr|(?:\/[\S]+)+`)
+	logDstEx = regexp.MustCompile(`(?:syslog:server=((?:\d{1,3}\.){3}\d{1,3}|localhost|[a-zA-Z0-9._-]+):\d{1,5})|stderr|(?:\/[\S]+)+`)
 	logDstFileEx = regexp.MustCompile(`(?:\/[\S]+)+`)
+	logDstFQDNEx = regexp.MustCompile(`(?:[a-zA-Z0-9_-]+\.)+[a-zA-Z0-9_-]+`)
 )
 
 // ValidateAppProtectLogDestination validates destination for log configuration
 func ValidateAppProtectLogDestination(dstAntn string) error {
-	errormsg := "Error parsing App Protect Log config: Destination must follow format: syslog:server=: or stderr or absolute path to file"
+	errormsg := "Error parsing App Protect Log config: Destination must follow format: syslog:server=: or fqdn or stderr or absolute path to file"
 	if !logDstEx.MatchString(dstAntn) {
 		return fmt.Errorf("%s Log Destination did not follow format", errormsg)
 	}
@@ -105,6 +106,10 @@ func ValidateAppProtectLogDestination(dstAntn string) error {
 		return nil
 	}
 
+	if logDstFQDNEx.MatchString(ipstr) {
+		return nil
+	}
+
 	if net.ParseIP(ipstr) == nil {
 		return fmt.Errorf("Error parsing host: %v is not a valid ip address", ipstr)
 	}
diff --git a/internal/k8s/appprotect/app_protect_resources_test.go b/internal/k8s/appprotect/app_protect_resources_test.go
index 27ac88bf21..5aa7ba8817 100644
--- a/internal/k8s/appprotect/app_protect_resources_test.go
+++ b/internal/k8s/appprotect/app_protect_resources_test.go
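Review bot: The `logDstFQDNEx.MatchString(ipstr)` check added in the second hunk runs before `net.ParseIP` and its pattern is unanchored, so a malformed dotted-quad such as `999.99.99.99` now matches as a hostname and is accepted, which is why the negative case for it was swapped out in app_protect_resources_test.go rather than kept. The host alternative `[a-zA-Z0-9._-]+` added to `logDstEx` in the first hunk has the same unanchored shape, so the format check accepts any annotation that merely contains a matching fragment. Because this string comes from an Ingress annotation and is emitted into the generated NGINX config, anchor both expressions (for `logDstFQDNEx`, the pattern `^(?:[a-zA-Z0-9_-]+\.)+[a-zA-Z0-9_-]+$`), try `net.ParseIP` first, and treat a host made only of digits and dots as a bad IP instead of letting it fall through to the FQDN match. ValidateAppProtectLogDestination continues outside both hunks, so how `ipstr` is derived is not visible here; the sketch below keeps the `not a valid ip address` wording the existing negative tests look for and assumes `strings` is already imported by the file (a short loop over the bytes works otherwise).
```go
	if net.ParseIP(ipstr) != nil {
		return nil
	}
	// A host made only of digits and dots is a malformed IP (e.g. 999.99.99.99),
	// not an FQDN, so it must not fall through to the hostname match.
	if strings.Trim(ipstr, "0123456789.") == "" || !logDstFQDNEx.MatchString(ipstr) {
		return fmt.Errorf("Error parsing host: %v is not a valid ip address or fqdn", ipstr)
	}
	// … unchanged: remainder of the function …
```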
@@ -315,13 +315,13 @@ func TestValidateAppProtectLogConf(t *testing.T) {
 
 func TestValidateAppProtectLogDestinationAnnotation(t *testing.T) {
 	// Positive test cases
-	posDstAntns := []string{"stderr", "syslog:server=localhost:9000", "syslog:server=10.1.1.2:9000", "/var/log/ap.log"}
+	posDstAntns := []string{"stderr", "syslog:server=localhost:9000", "syslog:server=10.1.1.2:9000", "/var/log/ap.log", "syslog:server=my-syslog-server.my-namespace:515"}
 
 	// Negative test cases item, expected error message
 	negDstAntns := [][]string{
 		{"stdout", "Log Destination did not follow format"},
 		{"syslog:server=localhost:99999", "not a valid port number"},
-		{"syslog:server=999.99.99.99:5678", "is not a valid ip address"},
+		{"syslog:server=mysyslog-server:999", "not a valid ip address"},
 	}
 
 	for _, tCase := range posDstAntns {