DevFW-CICD/stacks
DevFW-CICD/stacks
14
0
Fork 2
Code Issues 1 Pull requests 3 Projects Releases Packages Wiki Activity Actions

IPCEICIS-2952 #31

Merged
Michal.Wrobel merged 113 commits from IPCEICIS-2952 into development 2025-05-28 10:30:56 +00:00
Conversation 2 Commits 113 Files changed 9 +241
Michal.Wrobel commented 2025-04-23 13:24:45 +00:00
Owner
Copy link

See https://jira.telekom-mms.com/browse/IPCEICIS-2289.

There are multiple components needed for the logging of OpenBao audits:

  • openbao-logging.yaml - References the openbao-logging directory.

  • openbao-logging/create-logging-directory.yaml - DaemonSet that creates a directory on the node's hostPath. Since this task has to be done by a priviledged user and we have a non-root policy for pods which doesn't apply to DeamonSets this appears to be the only possible solution.

  • openbao-logging/logrotate-configmap.yaml - Consists of the logrotate.conf file which speciefies how the logrotation should happen. It's mounted to the CronJob.

  • openbao-logging/logrotate-cronjob.yaml - The definition of the CronJob which runs every hour.

  • openbao-logging/passwd-user-configmap.yaml - Needed for identifying as the user openbao:100 which is required to …

  • openbao-logging/sidecar-script-configmap.yaml - Responsible for setting up two scripts: start.sh - for starting a server listening on the port 3030 for the signal from the CronJob; sidecar.sh - for sending the SIGHUP to openbao.

  • openbao-logging/sidecar-script-service.yaml - The service for the sidecar container inside the openbao-0 pod

  • openbao/values.yaml - Sets up a sidecar container called "sidecar" which is allowed to access the bao process and enables a File Audit Device one the node's hostPath.

See https://jira.telekom-mms.com/browse/IPCEICIS-2289. There are multiple components needed for the logging of OpenBao audits: - **openbao-logging.yaml** - References the openbao-logging directory. - **openbao-logging/create-logging-directory.yaml** - DaemonSet that creates a directory on the node's hostPath. Since this task has to be done by a priviledged user and we have a non-root policy for pods which doesn't apply to DeamonSets this appears to be the only possible solution. - **openbao-logging/logrotate-configmap.yaml** - Consists of the logrotate.conf file which speciefies how the logrotation should happen. It's mounted to the CronJob. - **openbao-logging/logrotate-cronjob.yaml** - The definition of the CronJob which runs every hour. - **openbao-logging/passwd-user-configmap.yaml** - Needed for identifying as the user openbao:100 which is required to … - **openbao-logging/sidecar-script-configmap.yaml** - Responsible for setting up two scripts: start.sh - for starting a server listening on the port 3030 for the signal from the CronJob; sidecar.sh - for sending the SIGHUP to openbao. - **openbao-logging/sidecar-script-service.yaml** - The service for the sidecar container inside the openbao-0 pod - **openbao/values.yaml** - Sets up a sidecar container called "sidecar" which is allowed to access the bao process and enables a File Audit Device one the node's hostPath.
Michal.Wrobel added 107 commits 2025-04-23 13:24:45 +00:00 
- mountPath: /var/log
    name: log-storage
    readOnly: false
image: alpine:latest
      command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"]
      securityContext:
        runAsUser: 100
      volumeMounts:
        - name: host-log-storage
          mountPath: /openbao/logs
        - name: logrotate-config
          mountPath: /etc/logrotate.conf
          subPath: logrotate.conf
#   mountPath: /etc/logrotate.conf
        #   subPath: logrotate.conf
kind: DaemonSet
metadata:
  name: openbao-logging-dir
  namespace: openbao
spec:
  selector:
    matchLabels:
      app: openbao-logging-dir
  template:
    metadata:
      labels:
        app: openbao-logging-dir
    spec:
      initContainers:
      - name: creator
        image: busybox
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -e
          mkdir -p /var/log/openbao
          chown 100:100 /var/log/openbao
        securityContext:
          runAsUser: 0
        volumeMounts:
        - name: host-log
          mountPath: /var/log
      containers:
      - name: running-container
        image: busybox
        command: ["sleep", "infinity"]
      volumes:
      - name: host-log
        hostPath:
          path: /var/log
          type: Directory
image: imroc/logrotate:latest
      env:
        - name: LOGROTATE_FILE_PATTERN
          value: "/var/log/nginx/nginx_*.log"
        - name: LOGROTATE_FILESIZE
          value: "20M"
        - name: LOGROTATE_FILENUM
          value: "10"
        - name: CRON_EXPR
          value: "*/1 * * * *"
        - name: CROND_LOGLEVEL
          value: "7"
mountPath: /etc/logrotate.conf
          subPath: logrotate.conf
          readOnly: true
set -e
          useradd -u 100 logrotate
          chown logrotate:logrotate /var/lib
          tail -f /dev/null
chown 100:100 /var/lib
          tail -f /dev/null
echo "logrotate100:" >> /etc/group
mkdir -p /var/log/openbao
          chown 100:100 /var/log/openbao
          echo "logrotate100💯:/home/logrotate:/bin/sh" >> /etc/passwd
          echo "logrotate100:" >> /etc/group
          chown logrotate:logrotate /var/lib
runAsUser: 0
mkdir -p /var/log/openbao
          chown 100:100 /var/log/openbao
          echo "logrotate100💯:/home/logrotate:/bin/sh" >> /etc/passwd
          echo "logrotate100:" >> /etc/group
          mkdir -p /home/logrotate
          # chown 100:100 /var/lib
mountPath: /var/lib/
image: alpine:latest
chmod o+rwx /etc/group
- chmod o+rwx /etc/passwd
    - chmod o+rwx /etc/group
- |
      chmod o+rwx /etc/passwd
      chmod o+rwx /etc/group
mountPath: /etc/passwd
          subPath: passwd
- name: CRON_SCHEDULE
            value: "0 * * * *"
          - name: TINI_SUBREAPER
            value:
#   mountPath: /var/lib
- name: host-log-storage
          mountPath: /openbao/logs
mountPath: /var/lib
mkdir pupa
image: nginx:latest
      ports:
        - containerPort: 8080
      volumeMounts:
        - name: idecar-script
          mountPath: /etc/nginx
          subPath: nginx.conf
          subPathExpr: 'nginx.conf'
        - name: idecar-script
          mountPath: /tmp/sidecar.sh
          subPath: sidecar.sh
          mode: 0755
        - name: passwd-volume
          mountPath: /etc/passwd
          subPath: passwd
mountPath: /etc/passwd
                subPath: passwd
Michal.Wrobel added 1 commit 2025-04-23 13:29:27 +00:00
requested review from Daniel.Sy 2025-04-23 13:52:43 +00:00
Michal.Wrobel commented 2025-04-23 13:53:18 +00:00
Author
Owner
Copy link

Please squash the commits!

**Please squash the commits!**
Michal.Wrobel added 1 commit 2025-04-24 08:17:27 +00:00
Michal.Wrobel added 1 commit 2025-04-24 08:24:37 +00:00
Michal.Wrobel added 1 commit 2025-04-24 08:51:34 +00:00
Michal.Wrobel added 1 commit 2025-04-24 09:09:32 +00:00
Daniel.Sy approved these changes 2025-04-28 09:11:52 +00:00
Daniel.Sy left a comment
Owner
Copy link

log says:
core: vault is unsealed

log says: core: vault is unsealed
template/stacks/monitoring/alloy/values.yaml
@ -1,0 +2,4 @@
volumes:
extra:
- name: host-log-storage
hostPath:
Daniel.Sy commented 2025-04-25 06:47:24 +00:00
Owner
Copy link

is it necessary to use hostPath? it's bad in many ways and might break if the pod gets moved to another node

is it necessary to use hostPath? it's bad in many ways and might break if the pod gets moved to another node
Michal.Wrobel commented 2025-04-28 09:15:13 +00:00
Author
Owner
Copy link

As denoted in the pinned comments of each of the 4 subtasks here there doesn't seem to be another option.

As denoted in the **pinned comments of each of the 4 subtasks** [here](https://jira.telekom-mms.com/browse/IPCEICIS-2949) there doesn't seem to be another option.
template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
@ -0,0 +3,4 @@
metadata:
name: logrotate-config
data:
logrotate.conf: |
Daniel.Sy commented 2025-04-25 06:51:56 +00:00
Owner
Copy link

might be nice to make it configurable via helm

might be nice to make it configurable via helm
Michal.Wrobel commented 2025-04-28 09:30:06 +00:00
Author
Owner
Copy link

I think this might be a good idea. My only concern is that all of the other ConfigMap definitions in our product are hardcoded and this would make it not consistent.

I think this might be a good idea. My only concern is that all of the other ConfigMap definitions in our product are hardcoded and this would make it not consistent.
Michal.Wrobel added 1 commit 2025-05-28 09:18:48 +00:00
Michal.Wrobel merged commit 66e846b44a into development 2025-05-28 10:30:56 +00:00
Michal.Wrobel deleted branch IPCEICIS-2952 2025-05-28 10:51:33 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Daniel.Sy
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: DevFW-CICD/stacks#31
No description provided.
Delete branch "IPCEICIS-2952"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?