Make access log pattern configurable for Jira and Confluence when running as non root (#961)

Co-authored-by: Yevhen Ivantsov <[email protected]>

Author: bianchi2

docs/docs/containers/CONFLUENCE.md

@@ -191,6 +191,7 @@ see <https://tomcat.apache.org/tomcat-7.0-doc/config/index.html>.
 You can set the maximum number of days for access logs to be retained before being deleted. The default value of -1 means never delete old files.
 
 * `ATL_TOMCAT_ACCESS_LOGS_MAXDAYS` (default: -1)
+* `ATL_TOMCAT_ACCESS_LOG_PATTERN` (default: `%h %{X-AUSERNAME}o %t &quot;%r&quot; %s %b %D %U %I &quot;%{User-Agent}i&quot;`)
 
 ### JVM configuration
 

docs/docs/containers/JIRA.md

@@ -183,6 +183,7 @@ see https://tomcat.apache.org/tomcat-7.0-doc/config/index.html.
 You can set the maximum number of days for access logs to be retained before being deleted. The default value of -1 means never delete old files.
 
 * `ATL_TOMCAT_ACCESS_LOGS_MAXDAYS` (default: -1)
+* `ATL_TOMCAT_ACCESS_LOG_PATTERN` (default: `%a %{jira.request.id}r %{jira.request.username}r %t "%m %U%q %H" %s %b %D "%{Referer}i" "%{User-Agent}i" "%{jira.request.assession.id}r"`)
 
 ### JVM configuration
 

src/main/charts/confluence/README.md

@@ -104,7 +104,7 @@ Kubernetes: `>=1.21.x-0`
 | confluence.startupProbe.failureThreshold | int | `120` | The number of consecutive failures of the Confluence container startup probe before the pod fails startup checks.  |
 | confluence.startupProbe.initialDelaySeconds | int | `60` | Time to wait before starting the first probe  |
 | confluence.startupProbe.periodSeconds | int | `5` | How often (in seconds) the Confluence container startup probe will run  |
-| confluence.tomcatConfig | object | `{"acceptCount":"100","accessLogMaxDays":"-1","connectionTimeout":"20000","customServerXml":"","debug":"0","enableLookups":"false","generateByHelm":false,"maxHttpHeaderSize":"8192","maxThreads":"100","mgmtPort":"8000","minSpareThreads":"10","port":"8090","protocol":"org.apache.coyote.http11.Http11NioProtocol","proxyInternalIps":null,"proxyName":null,"proxyPort":null,"redirectPort":"8443","requestAttributesEnabled":"false","scheme":null,"secure":null,"stuckThreadDetectionValveThreshold":"60","trustedProxies":null,"uriEncoding":"UTF-8"}` | By default Tomcat's server.xml is generated in the container entrypoint from a template shipped with an official Confluence image. However, server.xml generation may fail if container is not run as root, which is a common case if Confluence is deployed to OpenShift.  |
+| confluence.tomcatConfig | object | `{"acceptCount":"100","accessLogMaxDays":"-1","accessLogPattern":"%h %{X-AUSERNAME}o %t "%r" %s %b %D %U %I "%{User-Agent}i"","connectionTimeout":"20000","customServerXml":"","debug":"0","enableLookups":"false","generateByHelm":false,"maxHttpHeaderSize":"8192","maxThreads":"100","mgmtPort":"8000","minSpareThreads":"10","port":"8090","protocol":"org.apache.coyote.http11.Http11NioProtocol","proxyInternalIps":null,"proxyName":null,"proxyPort":null,"redirectPort":"8443","requestAttributesEnabled":"false","scheme":null,"secure":null,"stuckThreadDetectionValveThreshold":"60","trustedProxies":null,"uriEncoding":"UTF-8"}` | By default Tomcat's server.xml is generated in the container entrypoint from a template shipped with an official Confluence image. However, server.xml generation may fail if container is not run as root, which is a common case if Confluence is deployed to OpenShift.  |
 | confluence.tomcatConfig.customServerXml | string | `""` | Custom server.xml to be mounted into /opt/atlassian/confluence/conf  |
 | confluence.tomcatConfig.generateByHelm | bool | `false` | Mount server.xml as a ConfigMap. Override configuration elements if necessary  |
 | confluence.topologySpreadConstraints | list | `[]` | Defines topology spread constraints for Confluence pods. See details: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/  |

src/main/charts/confluence/templates/configmap-server-config.yaml

@@ -70,7 +70,7 @@ data:
                      suffix=".log"
                      rotatable="true"
                      maxDays="{{ .Values.confluence.tomcatConfig.accessLogMaxDays | default "-1" }}"
-                     pattern="%h %{X-AUSERNAME}o %t "%r" %s %b %D %U %I "%{User-Agent}i"" />
+                     pattern="{{ .Values.confluence.tomcatConfig.accessLogPattern }}" />
               <Valve className="org.apache.catalina.valves.RemoteIpValve"
                      proxiesHeader="x-forwarded-by"
                      {{- if .Values.confluence.tomcatConfig.proxyInternalIps }}

src/main/charts/confluence/values.yaml

@@ -961,6 +961,7 @@ confluence:
     trustedProxies:
     stuckThreadDetectionValveThreshold: "60"
     accessLogMaxDays: "-1"
+    accessLogPattern: "%h %{X-AUSERNAME}o %t "%r" %s %b %D %U %I "%{User-Agent}i""
     requestAttributesEnabled: "false"
 
     # -- Custom server.xml to be mounted into /opt/atlassian/confluence/conf

src/main/charts/jira/README.md

@@ -137,7 +137,7 @@ Kubernetes: `>=1.21.x-0`
 | jira.startupProbe.failureThreshold | int | `120` | The number of consecutive failures of the Jira container startup probe before the pod fails startup checks.  |
 | jira.startupProbe.initialDelaySeconds | int | `60` | Time to wait before starting the first probe  |
 | jira.startupProbe.periodSeconds | int | `5` | How often (in seconds) the Jira container startup probe will run  |
-| jira.tomcatConfig | object | `{"acceptCount":"100","accessLogMaxDays":"-1","connectionTimeout":"20000","customServerXml":"","enableLookups":"false","generateByHelm":false,"maxHttpHeaderSize":"8192","maxThreads":"100","mgmtPort":"8005","minSpareThreads":"10","port":"8080","protocol":"HTTP/1.1","proxyName":null,"proxyPort":null,"redirectPort":"8443","requestAttributesEnabled":"false","scheme":null,"secure":null,"stuckThreadDetectionValveThreshold":"120"}` | By default Tomcat's server.xml is generated in the container entrypoint from a template shipped with an official Jira image. However, server.xml generation may fail if container is not run as root, which is a common case if Jira is deployed to OpenShift.  |
+| jira.tomcatConfig | object | `{"acceptCount":"100","accessLogMaxDays":"-1","accessLogPattern":"%a %{jira.request.id}r %{jira.request.username}r %t "%m %U%q %H" %s %b %D "%{Referer}i" "%{User-Agent}i" "%{jira.request.assession.id}r"","connectionTimeout":"20000","customServerXml":"","enableLookups":"false","generateByHelm":false,"maxHttpHeaderSize":"8192","maxThreads":"100","mgmtPort":"8005","minSpareThreads":"10","port":"8080","protocol":"HTTP/1.1","proxyName":null,"proxyPort":null,"redirectPort":"8443","requestAttributesEnabled":"false","scheme":null,"secure":null,"stuckThreadDetectionValveThreshold":"120"}` | By default Tomcat's server.xml is generated in the container entrypoint from a template shipped with an official Jira image. However, server.xml generation may fail if container is not run as root, which is a common case if Jira is deployed to OpenShift.  |
 | jira.tomcatConfig.customServerXml | string | `""` | Custom server.xml to be mounted into /opt/atlassian/jira/conf  |
 | jira.tomcatConfig.generateByHelm | bool | `false` | Mount server.xml as a ConfigMap. Override configuration elements if necessary  |
 | jira.topologySpreadConstraints | list | `[]` | Defines topology spread constraints for Jira pods. See details: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/  |

src/main/charts/jira/templates/configmap-server-config.yaml

@@ -86,7 +86,7 @@ data:
           <Valve className="org.apache.catalina.valves.AccessLogValve"
                  maxDays="{{ .Values.jira.tomcatConfig.accessLogMaxDays | default "-1" }}"
                  requestAttributesEnabled="{{ .Values.jira.tomcatConfig.requestAttributesEnabled | default "false" }}"
-                 pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
+                 pattern="{{ .Values.jira.tomcatConfig.accessLogPattern }}"/>
         </Engine>
 
       </Service>

src/main/charts/jira/values.yaml

@@ -825,6 +825,7 @@ jira:
     maxHttpHeaderSize: "8192"
     stuckThreadDetectionValveThreshold: "120"
     accessLogMaxDays: "-1"
+    accessLogPattern: "%a %{jira.request.id}r %{jira.request.username}r %t "%m %U%q %H" %s %b %D "%{Referer}i" "%{User-Agent}i" "%{jira.request.assession.id}r""
     requestAttributesEnabled: "false"
 
     # -- Custom server.xml to be mounted into /opt/atlassian/jira/conf

src/test/java/test/ServerConfigTest.java

@@ -263,4 +263,30 @@ void additional_connector_overrides(Product product) throws Exception {
         assertThat(serverConfigMap.getConfigMapData().path("server.xml")).hasTextContaining("secure=\"true\"");
         assertThat(serverConfigMap.getConfigMapData().path("server.xml")).hasTextContaining("URIEncoding=\"UTF-9\"");
     }
+
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"confluence", "jira"}, mode = EnumSource.Mode.INCLUDE)
+    void access_log_pattern_default(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                product.name() + ".tomcatConfig.generateByHelm", "true"
+        ));
+        String expectedPattern;
+        if (product == Product.confluence) {
+            expectedPattern = "pattern=\"%h %{X-AUSERNAME}o %t "%r" %s %b %D %U %I "%{User-Agent}i"";
+        } else expectedPattern = "pattern=\"%a %{jira.request.id}r %{jira.request.username}r %t "%m %U%q %H" %s %b %D "%{Referer}i" "%{User-Agent}i" "%{jira.request.assession.id}r"";
+
+        KubeResource serverConfigMap = resources.get(Kind.ConfigMap, product.getHelmReleaseName() + "-server-config");
+        assertThat(serverConfigMap.getConfigMapData().path("server.xml")).hasTextContaining(expectedPattern);
+    }
+
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"confluence", "jira"}, mode = EnumSource.Mode.INCLUDE)
+    void access_log_pattern_overrides(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                product.name() + ".tomcatConfig.generateByHelm", "true",
+                product.name() + ".tomcatConfig.accessLogPattern", "%%"
+        ));
+        KubeResource serverConfigMap = resources.get(Kind.ConfigMap, product.getHelmReleaseName() + "-server-config");
+        assertThat(serverConfigMap.getConfigMapData().path("server.xml")).hasTextContaining("%%");
+    }
 }

src/test/resources/expected_helm_output/bitbucket/output.yaml

@@ -165,7 +165,7 @@ data:
         image:
           pullPolicy: IfNotPresent
           repository: atlassian/bitbucket-mesh
-          tag: 3.4.0
+          tag: 3.4.1
         nodeAutoRegistration: false
         nodeSelector: {}
         podAnnotations: {}
@@ -601,7 +601,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config-jvm: e4aa354a8937cd7fc2a42a8c3d76df9db3ce13533fc820b9aadf79123d502aea
+        checksum/config-jvm: 43829441bdc498da898213f3137e92733710729b8d5c7203b3233a8b589f837d
       labels:
         app.kubernetes.io/name: bitbucket-mesh
         app.kubernetes.io/instance: unittest-bitbucket
@@ -722,7 +722,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config-jvm: b6283cca4ebdaceb0aa7da41b3d406dea0129a95c99f25448b3a41e83df4d674
+        checksum/config-jvm: 292bf7b1ecb603b29737433657afaad632a4f70a8127b8042add339194de8741
       labels:
         helm.sh/chart: bitbucket-1.22.4
         app.kubernetes.io/name: bitbucket