Implement OTEL audit logging in Admin API

- Add audit logging middleware to Admin API, capturing WHO/WHAT/WHEN for every request via `go-otel-audit`
- Refactor shared `CreateOtelAuditMsg` to accept caller-specific operation description, access level, and identities (previously hardcoded to Frontend values)
- Share response writer to capture status codes with frontend
- Add `audit.connectSocket` config for mdsd socket connection

[ARO-24628](https://issues.redhat.com/browse/ARO-24628)

Signed-off-by: Gerd Oberlechner <goberlec@redhat.com>

Author: geoberle

.yamllint.yml

@@ -5,6 +5,7 @@ yaml-files:
 ignore:
 - 'acrpull/deploy/templates/deployment.yaml'
 - 'admin/deploy/templates/ext-authz.authorizationpolicy.yaml'
+- 'admin/deploy/templates/admin.deployment.yaml'
 - 'frontend/deploy/templates/ext-authz.authorizationpolicy.yaml'
 - 'frontend/deploy/templates/allow-ingress.authorizationpolicy.yaml'
 - 'frontend/deploy/templates/frontend.deployment.yaml'

admin/deploy/templates/admin.deployment.yaml

@@ -58,6 +58,8 @@ spec:
           value: "/secrets/fpa-cert/bundle"
         - name: FPA_CLIENT_ID
           value: "{{ .Values.fpa.clientId }}"
+        - name: AUDIT_CONNECT_SOCKET
+          value: "{{ .Values.audit.connectSocket }}"
         ports:
         - containerPort: 8443
           name: http
@@ -97,10 +99,20 @@ spec:
         - name: fpa-cert
           mountPath: /secrets/fpa-cert
           readOnly: true
+        {{- if .Values.audit.connectSocket }}
+        - name: mdsd-asa-run-vol
+          mountPath: /var/run/mdsd
+        {{- end }}
       volumes:
       - name: fpa-cert
         csi:
           driver: secrets-store.csi.k8s.io
           readOnly: true
           volumeAttributes:
             secretProviderClass: fpa-cert
+      {{- if .Values.audit.connectSocket }}
+      - name: mdsd-asa-run-vol
+        hostPath:
+          path: /var/run/mdsd
+          type: Directory
+      {{- end }}

admin/server/cmd/server/options.go

@@ -17,10 +17,13 @@ package server
 import (
 	"context"
 	"fmt"
+	"log/slog"
 	"net"
 	"os"
 	"time"
 
+	"github.com/go-logr/logr"
+	"github.com/microsoft/go-otel-audit/audit/base"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spf13/cobra"
 
@@ -31,6 +34,7 @@ import (
 	sdk "github.com/openshift-online/ocm-sdk-go"
 
 	"github.com/Azure/ARO-HCP/admin/server/server"
+	"github.com/Azure/ARO-HCP/internal/audit"
 	"github.com/Azure/ARO-HCP/internal/database"
 	"github.com/Azure/ARO-HCP/internal/fpa"
 	"github.com/Azure/ARO-HCP/internal/ocm"
@@ -39,8 +43,9 @@ import (
 
 func DefaultOptions() *RawOptions {
 	return &RawOptions{
-		Port:        8443,
-		MetricsPort: 8444,
+		Port:              8443,
+		MetricsPort:       8444,
+		AuditLogQueueSize: 2048,
 	}
 }
 
@@ -56,6 +61,8 @@ type RawOptions struct {
 	KustoEndpoint      string
 	FpaCertBundlePath  string
 	FpaClientID        string
+	AuditLogQueueSize  int
+	AuditConnectSocket bool
 }
 
 func (opts *RawOptions) BindOptions(cmd *cobra.Command) error {
@@ -68,6 +75,8 @@ func (opts *RawOptions) BindOptions(cmd *cobra.Command) error {
 	cmd.Flags().StringVar(&opts.KustoEndpoint, "kusto-endpoint", getEnv("KUSTO_ENDPOINT", opts.KustoEndpoint), "Endpoint of the Kusto cluster.")
 	cmd.Flags().StringVar(&opts.FpaClientID, "fpa-client-id", getEnv("FPA_CLIENT_ID", opts.FpaClientID), "Client ID of the FPA application.")
 	cmd.Flags().StringVar(&opts.FpaCertBundlePath, "fpa-cert-bundle-path", getEnv("FPA_CERT_BUNDLE_PATH", opts.FpaCertBundlePath), "Path to the FPA certificate bundle.")
+	cmd.Flags().IntVar(&opts.AuditLogQueueSize, "audit-log-queue-size", opts.AuditLogQueueSize, "Log queue size for audit logging client.")
+	cmd.Flags().BoolVar(&opts.AuditConnectSocket, "audit-connect-socket", os.Getenv("AUDIT_CONNECT_SOCKET") == "true", "Connect to mdsd audit socket.")
 	return nil
 }
 
@@ -97,6 +106,7 @@ type completedOptions struct {
 	ClusterServiceClient   ocm.ClusterServiceClientSpec
 	KustoClient            *kusto.Client
 	FpaCredentialRetriever fpa.FirstPartyApplicationTokenCredentialRetriever
+	AuditClient            audit.Client
 }
 
 type Options struct {
@@ -176,6 +186,19 @@ func (o *ValidatedOptions) Complete(ctx context.Context) (*Options, error) {
 		return nil, fmt.Errorf("failed to create the FPA token credentials: %w", err)
 	}
 
+	// Create audit client
+	logger := utils.LoggerFromContext(ctx)
+	slogLogger := slog.New(logr.ToSlogHandler(logger))
+	auditClient, err := audit.NewOtelAuditClient(
+		audit.CreateConn(o.AuditConnectSocket),
+		base.WithLogger(slogLogger),
+		base.WithSettings(base.Settings{
+			QueueSize: o.AuditLogQueueSize,
+		}))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create audit client: %w", err)
+	}
+
 	return &Options{
 		completedOptions: &completedOptions{
 			Port:                   o.Port,
@@ -185,6 +208,7 @@ func (o *ValidatedOptions) Complete(ctx context.Context) (*Options, error) {
 			ClusterServiceClient:   csClient,
 			KustoClient:            kustoClient,
 			FpaCredentialRetriever: fpaCredentialRetriever,
+			AuditClient:            auditClient,
 		},
 	}, nil
 }
@@ -213,6 +237,7 @@ func (opts *Options) Run(ctx context.Context) error {
 		opts.ClusterServiceClient,
 		opts.KustoClient,
 		opts.FpaCredentialRetriever,
+		opts.AuditClient,
 	)
 
 	runErrCh := make(chan error)

admin/server/go.mod

@@ -8,9 +8,11 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.2.0
 	github.com/go-logr/logr v1.4.3
+	github.com/microsoft/go-otel-audit v0.2.2
 	github.com/openshift-online/ocm-sdk-go v0.1.494
 	github.com/prometheus/client_golang v1.23.2
 	github.com/spf13/cobra v1.10.2
+	github.com/stretchr/testify v1.11.1
 )
 
 require (
@@ -19,6 +21,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos v1.4.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/retry v0.0.0-20250221010952-92c9290cea0f // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -29,19 +32,23 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250517221953-25912455fbc8 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/golang/glog v1.2.5 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.6.7 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
@@ -53,11 +60,14 @@ require (
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/samber/lo v1.52.0 // indirect
+	github.com/sanity-io/litter v1.5.8 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
-	github.com/stretchr/testify v1.11.1 // indirect
+	github.com/vmihailenco/msgpack/v4 v4.3.13 // indirect
+	github.com/vmihailenco/tagparser v0.1.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/bridges/prometheus v0.62.0 // indirect
@@ -85,10 +95,12 @@ require (
 	go.uber.org/mock v0.6.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
 	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
 	google.golang.org/grpc v1.76.0 // indirect