Making auth access logs optional (#10380)

Co-authored-by: Marcelo Cyreno <812725+marcelocyreno@users.noreply.github.com>
2023-09-07 14:53:40 -07:00 · 2023-09-07 14:53:40 -07:00 · a281bf0bf3
commit a281bf0bf3
parent fb80e6d53f
2 changed files with 7 additions and 0 deletions
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -120,6 +120,10 @@ type Configuration struct {
 	// By default this is disabled
 	EnableAccessLogForDefaultBackend bool `json:"enable-access-log-for-default-backend"`

+	// EnableAuthAccessLog enable auth access log
+	// By default this is disabled
+	EnableAuthAccessLog bool `json:"enable-auth-access-log"`
+
 	// AccessLogPath sets the path of the access logs for both http and stream contexts if enabled
 	// http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
 	// http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log
@ -858,6 +862,7 @@ func NewDefault() Configuration {
 		AccessLogPath:                    "/var/log/nginx/access.log",
 		AccessLogParams:                  "",
 		EnableAccessLogForDefaultBackend: false,
+		EnableAuthAccessLog:              false,
 		WorkerCPUAffinity:                "",
 		ErrorLogPath:                     "/var/log/nginx/error.log",
 		BlockCIDRs:                       defBlockEntity,
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -1103,7 +1103,9 @@ stream {
            opentelemetry_propagate;
            {{ end }}

+            {{ if not $all.Cfg.EnableAuthAccessLog }}
            access_log off;
+            {{ end }}

            # Ensure that modsecurity will not run on an internal location as this is not accessible from outside
            {{ if $all.Cfg.EnableModsecurity }}