AP: enable FQDN as syslog destination

nginxinc · Nov 1, 2021 · 013a8bc · 013a8bc
1 parent efbd962
commit 013a8bc
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 6 deletions.
diff --git a/examples/appprotect/README.md b/examples/appprotect/README.md
@@ -41,10 +41,11 @@ $ kubectl create -f cafe.yaml
     ```
 4. Create an Ingress Resource:
 
-    Update the `appprotect.f5.com/app-protect-security-log-destination` annotation from `cafe-ingress.yaml` with the ClusterIP of the syslog service. For example, if the IP is `10.101.21.110`:
+    Update the `appprotect.f5.com/app-protect-security-log-destination` annotation from `cafe-ingress.yaml` with the FQDN of the syslog service. 
+    For example, if the service name is `syslog-svc` and it is in the `default` namespace (You can also use the service ClusterIP):
     ```yaml
     . . .
-    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.101.21.110:514"
+    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=syslog-svc.default:514"
     ```
     Create the Ingress Resource:
     ```

diff --git a/internal/k8s/appprotect/app_protect_resources.go b/internal/k8s/appprotect/app_protect_resources.go
@@ -73,13 +73,14 @@ func validateAppProtectLogConf(logConf *unstructured.Unstructured) error {
 }
 
 var (
-	logDstEx     = regexp.MustCompile(`(?:syslog:server=((?:\d{1,3}\.){3}\d{1,3}|localhost):\d{1,5})|stderr|(?:\/[\S]+)+`)
+	logDstEx     = regexp.MustCompile(`(?:syslog:server=((?:\d{1,3}\.){3}\d{1,3}|localhost|[a-zA-Z0-9._-]+):\d{1,5})|stderr|(?:\/[\S]+)+`)
 	logDstFileEx = regexp.MustCompile(`(?:\/[\S]+)+`)
+	logDstFQDNEx = regexp.MustCompile(`(?:[a-zA-Z0-9_-]+\.)+[a-zA-Z0-9_-]+`)
 )
 
 // ValidateAppProtectLogDestination validates destination for log configuration
 func ValidateAppProtectLogDestination(dstAntn string) error {
-	errormsg := "Error parsing App Protect Log config: Destination must follow format: syslog:server=<ip-address | localhost>:<port> or stderr or absolute path to file"
+	errormsg := "Error parsing App Protect Log config: Destination must follow format: syslog:server=<ip-address | localhost>:<port> or fqdn or stderr or absolute path to file"
 	if !logDstEx.MatchString(dstAntn) {
 		return fmt.Errorf("%s Log Destination did not follow format", errormsg)
 	}
@@ -105,6 +106,10 @@ func ValidateAppProtectLogDestination(dstAntn string) error {
 		return nil
 	}
 
+	if logDstFQDNEx.MatchString(ipstr) {
+		return nil
+	}
+
 	if net.ParseIP(ipstr) == nil {
 		return fmt.Errorf("Error parsing host: %v is not a valid ip address", ipstr)
 	}

diff --git a/internal/k8s/appprotect/app_protect_resources_test.go b/internal/k8s/appprotect/app_protect_resources_test.go
@@ -315,13 +315,13 @@ func TestValidateAppProtectLogConf(t *testing.T) {
 
 func TestValidateAppProtectLogDestinationAnnotation(t *testing.T) {
 	// Positive test cases
-	posDstAntns := []string{"stderr", "syslog:server=localhost:9000", "syslog:server=10.1.1.2:9000", "/var/log/ap.log"}
+	posDstAntns := []string{"stderr", "syslog:server=localhost:9000", "syslog:server=10.1.1.2:9000", "/var/log/ap.log", "syslog:server=my-syslog-server.my-namespace:515"}
 
 	// Negative test cases item, expected error message
 	negDstAntns := [][]string{
 		{"stdout", "Log Destination did not follow format"},
 		{"syslog:server=localhost:99999", "not a valid port number"},
-		{"syslog:server=999.99.99.99:5678", "is not a valid ip address"},
+		{"syslog:server=mysyslog-server:999", "not a valid ip address"},
 	}
 
 	for _, tCase := range posDstAntns {