Enable audit pipeline for neutron

This change adds the keystonemiddleware audit paste filter[0]
and enables it for the neutron-server service.
This provides the ability to audit API requests for neutron.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: I86b4df1436ae59bc9a151c28337af7c06c83e45f

neutron/templates/configmap-etc.yaml

@@ -181,6 +181,7 @@ data:
   policy.json: {{ toJson $envAll.Values.conf.policy | b64enc }}
   neutron.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.neutron | b64enc }}
   logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+  api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
   dhcp_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.dhcp_agent | b64enc }}
   l3_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.l3_agent | b64enc }}
   metadata_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metadata_agent | b64enc }}

neutron/templates/deployment-server.yaml

@@ -98,6 +98,10 @@ spec:
               mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
               subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
               readOnly: true
+            - name: neutron-etc
+              mountPath: /etc/neutron/api_audit_map.conf
+              subPath: api_audit_map.conf
+              readOnly: true
             - name: neutron-etc
               mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
               subPath: ml2_conf.ini

neutron/values.yaml

@@ -785,7 +785,7 @@ conf:
     composite:neutronapi_v2_0:
       use: call:neutron.auth:pipeline_factory
       noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-      keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+      keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
     composite:neutronversions_composite:
       use: call:neutron.auth:pipeline_factory
       noauth: cors http_proxy_to_wsgi neutronversions
@@ -803,6 +803,9 @@ conf:
       paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
     filter:authtoken:
       paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+    filter:audit:
+      paste.filter_factory: keystonemiddleware.audit:filter_factory
+      audit_map_file: /etc/neutron/api_audit_map.conf
     filter:extensions:
       paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
     app:neutronversions:
@@ -1001,6 +1004,31 @@ conf:
     get_subports: ''
     add_subports: rule:admin_or_owner
     remove_subports: rule:admin_or_owner
+  api_audit_map:
+    DEFAULT:
+      target_endpoint_type: None
+    custom_actions:
+      add_router_interface: update/add
+      remove_router_interface: update/remove
+    path_keywords:
+      floatingips: ip
+      healthmonitors: healthmonitor
+      health_monitors: health_monitor
+      lb: None
+      members: member
+      metering-labels: label
+      metering-label-rules: rule
+      networks: network
+      pools: pool
+      ports: port
+      routers: router
+      quotas: quota
+      security-groups: security-group
+      security-group-rules: rule
+      subnets: subnet
+      vips: vip
+    service_endpoints:
+      network: service/network
   neutron_sudoers: |
     # This sudoers file supports rootwrap for both Kolla and LOCI Images.
     Defaults !requiretty