VAULT-8732: Add log-file to Vault Agent

.gitignore

@@ -119,3 +119,4 @@ website/components/node_modules
 
 .buildcache/
 .releaser/
+*.log

changelog/17841.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+logging: Vault Agent supports logging to a specified file path via environment variable, CLI or config
+```

command/agent.go

@@ -41,11 +41,11 @@ import (
 	"github.com/hashicorp/vault/command/agent/sink/inmem"
 	"github.com/hashicorp/vault/command/agent/template"
 	"github.com/hashicorp/vault/command/agent/winsvc"
+	"github.com/hashicorp/vault/helper/logging"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/internalshared/configutil"
 	"github.com/hashicorp/vault/internalshared/listenerutil"
 	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/helper/useragent"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/version"
@@ -61,6 +61,12 @@ var (
 	_ cli.CommandAutocomplete = (*AgentCommand)(nil)
 )
 
+const (
+	// flagNameAgentExitAfterAuth is used as an Agent specific flag to indicate
+	// that agent should exit after a single successful auth
+	flagNameAgentExitAfterAuth = "exit-after-auth"
+)
+
 type AgentCommand struct {
 	*BaseCommand
 
@@ -80,6 +86,7 @@ type AgentCommand struct {
 
 	flagConfigs       []string
 	flagLogLevel      string
+	flagLogFile       string
 	flagExitAfterAuth bool
 
 	flagTestVerifyOnly bool
@@ -124,17 +131,24 @@ func (c *AgentCommand) Flags() *FlagSets {
 	})
 
 	f.StringVar(&StringVar{
-		Name:       "log-level",
+		Name:       flagNameLogLevel,
 		Target:     &c.flagLogLevel,
 		Default:    "info",
-		EnvVar:     "VAULT_LOG_LEVEL",
+		EnvVar:     EnvVaultLogLevel,
 		Completion: complete.PredictSet("trace", "debug", "info", "warn", "error"),
 		Usage: "Log verbosity level. Supported values (in order of detail) are " +
 			"\"trace\", \"debug\", \"info\", \"warn\", and \"error\".",
 	})
 
+	f.StringVar(&StringVar{
+		Name:   flagNameLogFile,
+		Target: &c.flagLogFile,
+		EnvVar: EnvVaultLogFile,
+		Usage:  "Path to the log file that Vault should use for logging",
+	})
+
 	f.BoolVar(&BoolVar{
-		Name:    "exit-after-auth",
+		Name:    flagNameAgentExitAfterAuth,
 		Target:  &c.flagExitAfterAuth,
 		Default: false,
 		Usage: "If set to true, the agent will exit with code 0 after a single " +
@@ -193,35 +207,14 @@ func (c *AgentCommand) Run(args []string) int {
 	if c.flagCombineLogs {
 		c.logWriter = os.Stdout
 	}
-	var level log.Level
-	c.flagLogLevel = strings.ToLower(strings.TrimSpace(c.flagLogLevel))
-	switch c.flagLogLevel {
-	case "trace":
-		level = log.Trace
-	case "debug":
-		level = log.Debug
-	case "notice", "info", "":
-		level = log.Info
-	case "warn", "warning":
-		level = log.Warn
-	case "err", "error":
-		level = log.Error
-	default:
-		c.UI.Error(fmt.Sprintf("Unknown log level: %s", c.flagLogLevel))
-		return 1
-	}
-
-	if c.logger == nil {
-		c.logger = logging.NewVaultLoggerWithWriter(c.logWriter, level)
-	}
 
 	// Validation
 	if len(c.flagConfigs) != 1 {
 		c.UI.Error("Must specify exactly one config path using -config")
 		return 1
 	}
 
-	// Load the configuration
+	// Load the configuration file
 	config, err := agentConfig.LoadConfig(c.flagConfigs[0])
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error loading configuration from %s: %s", c.flagConfigs[0], err))
@@ -235,6 +228,7 @@ func (c *AgentCommand) Run(args []string) int {
 				"-config flag."))
 		return 1
 	}
+
 	if config.AutoAuth == nil && config.Cache == nil {
 		c.UI.Error("No auto_auth or cache block found in config file")
 		return 1
@@ -243,62 +237,29 @@ func (c *AgentCommand) Run(args []string) int {
 		c.UI.Info("No auto_auth block found in config file, not starting automatic authentication feature")
 	}
 
-	exitAfterAuth := config.ExitAfterAuth
-	f.Visit(func(fl *flag.Flag) {
-		if fl.Name == "exit-after-auth" {
-			exitAfterAuth = c.flagExitAfterAuth
-		}
-	})
+	config = c.aggregateConfig(f, config)
 
-	c.setStringFlag(f, config.Vault.Address, &StringVar{
-		Name:    flagNameAddress,
-		Target:  &c.flagAddress,
-		Default: "https://127.0.0.1:8200",
-		EnvVar:  api.EnvVaultAddress,
-	})
-	config.Vault.Address = c.flagAddress
-	c.setStringFlag(f, config.Vault.CACert, &StringVar{
-		Name:    flagNameCACert,
-		Target:  &c.flagCACert,
-		Default: "",
-		EnvVar:  api.EnvVaultCACert,
-	})
-	config.Vault.CACert = c.flagCACert
-	c.setStringFlag(f, config.Vault.CAPath, &StringVar{
-		Name:    flagNameCAPath,
-		Target:  &c.flagCAPath,
-		Default: "",
-		EnvVar:  api.EnvVaultCAPath,
-	})
-	config.Vault.CAPath = c.flagCAPath
-	c.setStringFlag(f, config.Vault.ClientCert, &StringVar{
-		Name:    flagNameClientCert,
-		Target:  &c.flagClientCert,
-		Default: "",
-		EnvVar:  api.EnvVaultClientCert,
-	})
-	config.Vault.ClientCert = c.flagClientCert
-	c.setStringFlag(f, config.Vault.ClientKey, &StringVar{
-		Name:    flagNameClientKey,
-		Target:  &c.flagClientKey,
-		Default: "",
-		EnvVar:  api.EnvVaultClientKey,
-	})
-	config.Vault.ClientKey = c.flagClientKey
-	c.setBoolFlag(f, config.Vault.TLSSkipVerify, &BoolVar{
-		Name:    flagNameTLSSkipVerify,
-		Target:  &c.flagTLSSkipVerify,
-		Default: false,
-		EnvVar:  api.EnvVaultSkipVerify,
-	})
-	config.Vault.TLSSkipVerify = c.flagTLSSkipVerify
-	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
-		Name:    flagTLSServerName,
-		Target:  &c.flagTLSServerName,
-		Default: "",
-		EnvVar:  api.EnvVaultTLSServerName,
-	})
-	config.Vault.TLSServerName = c.flagTLSServerName
+	// Build the logger using level, format and path
+	logLevel, err := logging.ParseLogLevel(config.LogLevel)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	logFormat, err := logging.ParseLogFormat(config.LogFormat)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	logCfg := logging.NewLogConfig("agent", logLevel, logFormat, config.LogFile)
+	l, err := logging.Setup(logCfg, c.logWriter)
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	c.logger = l
 
 	infoKeys := make([]string, 0, 10)
 	info := make(map[string]string)
@@ -855,16 +816,16 @@ func (c *AgentCommand) Run(args []string) int {
 		ss := sink.NewSinkServer(&sink.SinkServerConfig{
 			Logger:        c.logger.Named("sink.server"),
 			Client:        ahClient,
-			ExitAfterAuth: exitAfterAuth,
+			ExitAfterAuth: config.ExitAfterAuth,
 		})
 
 		ts := template.NewServer(&template.ServerConfig{
 			Logger:        c.logger.Named("template.server"),
-			LogLevel:      level,
+			LogLevel:      logLevel,
 			LogWriter:     c.logWriter,
 			AgentConfig:   config,
 			Namespace:     templateNamespace,
-			ExitAfterAuth: exitAfterAuth,
+			ExitAfterAuth: config.ExitAfterAuth,
 		})
 
 		g.Add(func() error {
@@ -963,6 +924,84 @@ func (c *AgentCommand) Run(args []string) int {
 	return 0
 }
 
+// aggregateConfig ensures that the config object accurately reflects the desired
+// settings as configured by the user. It applies the relevant config setting based
+// on the precedence (env var overrides file config, cli overrides env var).
+// It mutates the config object supplied and returns the updated object.
+func (c *AgentCommand) aggregateConfig(f *FlagSets, config *agentConfig.Config) *agentConfig.Config {
+	f.Visit(func(fl *flag.Flag) {
+		if fl.Name == flagNameAgentExitAfterAuth {
+			config.ExitAfterAuth = c.flagExitAfterAuth
+		}
+	})
+
+	c.setStringFlag(f, config.LogFile, &StringVar{
+		Name:   flagNameLogFile,
+		EnvVar: EnvVaultLogFile,
+		Target: &c.flagLogFile,
+	})
+	config.LogFile = c.flagLogFile
+
+	c.setStringFlag(f, config.LogLevel, &StringVar{
+		Name:   flagNameLogLevel,
+		EnvVar: EnvVaultLogLevel,
+		Target: &c.flagLogLevel,
+	})
+	config.LogLevel = c.flagLogLevel
+
+	c.setStringFlag(f, config.Vault.Address, &StringVar{
+		Name:    flagNameAddress,
+		Target:  &c.flagAddress,
+		Default: "https://127.0.0.1:8200",
+		EnvVar:  api.EnvVaultAddress,
+	})
+	config.Vault.Address = c.flagAddress
+	c.setStringFlag(f, config.Vault.CACert, &StringVar{
+		Name:    flagNameCACert,
+		Target:  &c.flagCACert,
+		Default: "",
+		EnvVar:  api.EnvVaultCACert,
+	})
+	config.Vault.CACert = c.flagCACert
+	c.setStringFlag(f, config.Vault.CAPath, &StringVar{
+		Name:    flagNameCAPath,
+		Target:  &c.flagCAPath,
+		Default: "",
+		EnvVar:  api.EnvVaultCAPath,
+	})
+	config.Vault.CAPath = c.flagCAPath
+	c.setStringFlag(f, config.Vault.ClientCert, &StringVar{
+		Name:    flagNameClientCert,
+		Target:  &c.flagClientCert,
+		Default: "",
+		EnvVar:  api.EnvVaultClientCert,
+	})
+	config.Vault.ClientCert = c.flagClientCert
+	c.setStringFlag(f, config.Vault.ClientKey, &StringVar{
+		Name:    flagNameClientKey,
+		Target:  &c.flagClientKey,
+		Default: "",
+		EnvVar:  api.EnvVaultClientKey,
+	})
+	config.Vault.ClientKey = c.flagClientKey
+	c.setBoolFlag(f, config.Vault.TLSSkipVerify, &BoolVar{
+		Name:    flagNameTLSSkipVerify,
+		Target:  &c.flagTLSSkipVerify,
+		Default: false,
+		EnvVar:  api.EnvVaultSkipVerify,
+	})
+	config.Vault.TLSSkipVerify = c.flagTLSSkipVerify
+	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
+		Name:    flagTLSServerName,
+		Target:  &c.flagTLSServerName,
+		Default: "",
+		EnvVar:  api.EnvVaultTLSServerName,
+	})
+	config.Vault.TLSServerName = c.flagTLSServerName
+
+	return config
+}
+
 // verifyRequestHeader wraps an http.Handler inside a Handler that checks for
 // the request header that is used for SSRF protection.
 func verifyRequestHeader(handler http.Handler) http.Handler {

command/agent/config/config.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
 	"strings"
@@ -38,6 +37,7 @@ type Config struct {
 	DisableKeepAlivesCaching    bool                       `hcl:"-"`
 	DisableKeepAlivesTemplating bool                       `hcl:"-"`
 	DisableKeepAlivesAutoAuth   bool                       `hcl:"-"`
+	LogFile                     string                     `hcl:"log_file"`
 }
 
 const (
@@ -173,7 +173,7 @@ func LoadConfig(path string) (*Config, error) {
 	}
 
 	// Read the file
-	d, err := ioutil.ReadFile(path)
+	d, err := os.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}

command/agent/config/config_test.go

@@ -230,6 +230,7 @@ func TestLoadConfigFile(t *testing.T) {
 				NumRetries: 12,
 			},
 		},
+		LogFile: "/var/log/vault/vault-agent.log",
 	}
 
 	config.Prune()

command/agent/config/test-fixtures/config-embedded-type.hcl

@@ -1,4 +1,5 @@
 pid_file = "./pidfile"
+log_file = "/var/log/vault/vault-agent.log"
 
 auto_auth {
 	method "aws" {

command/agent/config/test-fixtures/config.hcl

@@ -1,4 +1,5 @@
 pid_file = "./pidfile"
+log_file = "/var/log/vault/vault-agent.log"
 
 auto_auth {
 	method {