configuration added

2025-03-26 14:44:35 +01:00 · 2025-03-26 14:44:35 +01:00 · d057e9dae1
commit d057e9dae1
parent 7179d2568c
3 changed files with 78 additions and 0 deletions
--- a/template/stacks/ref-implementation/openbao-alloy-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-alloy-configmap.yaml
@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao-logging-setup
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/ref-implementation/openbao-logging"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: openbao
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
--- a/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml
@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sidecar-container-alloy-config
+data:
+  config.alloy: |
+    logging {
+      level  = "info"
+      format = "logfmt"
+    }
+     loki.write "local_loki" {
+      endpoint {
+          url = "http://loki-loki-distributed-gateway.monitoring.svc.cluster.local/loki/api/v1/push"
+      }
+    }
+
+    local.file_match "applogs" {
+      path_targets = [{"__path__" = "/openbao/logs/*"}]
+      sync_period = "5s"
+    }
+
+    loki.source.file "openbao_logs" {
+      targets    = local.file_match.applogs.targets
+      forward_to = [loki.write.local_loki.receiver]
+    }
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@ -1,9 +1,32 @@
 server:
+  extraContainers:    
+    - name: grafana-alloy      
+      image: grafana/alloy:latest      
+      ports:        
+        - containerPort: 12345      
+      securityContext:        
+        runAsUser: 100      
+      volumeMounts:            
+        - name: log-storage              
+          mountPath: /openbao/logs            
+        - name: alloy-data              
+          mountPath: /var/lib/alloy            
+        - name: config-volume              
+          mountPath: /etc/alloy
+  volumes:    
+  - name: log-storage
+    emptyDir: {}    
+  - name: alloy-data    
+    emptyDir: {}    
+  - name: config-volume  
+    configMap:         
+      name: sidecar-container-alloy-config 
  postStart:
    - sh
    - -c
    - |
      sleep 10
+      rm -rf /openbao/data/* # UN-initialises the openbao server (necessary for the new instance to spin up if the pod or container crashes)
      bao operator init >> /tmp/init.txt
      cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
      echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@ -13,5 +36,6 @@ server:
      echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
      echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
      rm /tmp/init.txt
+      bao audit enable file file_path=/var/log/openbao.log # enables the audit
 ui:
  enabled: true