DevFW-CICD/stacks
DevFW-CICD/stacks
Archived
16
0
Fork 2
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Compare commits

base: DevFW-CICD:66e846b44a7f2f878a39001c4b3258450ab28c89
Branches Tags
DevFW-CICD:main
DevFW-CICD:development
DevFW-CICD:local_edpbuilder
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:sso_jobs_push_to_cefor
DevFW-CICD:IPCEICIS-3796
DevFW-CICD:michals-silly-game
DevFW-CICD:django-backstage-template
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:root_path_argocd_test
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0
..
compare: DevFW-CICD:4888c9db935d3e3ddd9155856119920a67d6b952
Branches Tags
DevFW-CICD:main
DevFW-CICD:development
DevFW-CICD:local_edpbuilder
DevFW-CICD:IPCEICIS-2951
DevFW-CICD:sso_jobs_push_to_cefor
DevFW-CICD:IPCEICIS-3796
DevFW-CICD:michals-silly-game
DevFW-CICD:django-backstage-template
DevFW-CICD:kindserver_development
DevFW-CICD:update_provider_argocd
DevFW-CICD:IPCEICIS-3110
DevFW-CICD:IPCEICIS-3111
DevFW-CICD:shipping_openbao_logs
DevFW-CICD:root_path_argocd_test
DevFW-CICD:forgego_10_update
DevFW-CICD:IPCEICIS-2435_change_argocd_path_routing_to_domain
DevFW-CICD:IPCEICIS-2643_install_keycloak_and_eso_first
DevFW-CICD:forgejo_runner_configuration_test
DevFW-CICD:helm_hydrate
DevFW-CICD:feature/externaldns_certmanager_test
DevFW-CICD:1.2.0
DevFW-CICD:1.1.1
DevFW-CICD:1.1.0
DevFW-CICD:1.0.0

No commits in common. "66e846b44a7f2f878a39001c4b3258450ab28c89" and "4888c9db935d3e3ddd9155856119920a67d6b952" have entirely different histories.
66e846b44a ... 4888c9db93

9 changed files with 0 additions and 241 deletions
Show stats Expand all files Collapse all files

23
template/stacks/monitoring/alloy/values.yaml
View file

@ -1,21 +1,8 @@
controller:
volumes:
extra:
- name: host-log-storage
hostPath:
path: /var/log
type: Directory
alloy: alloy:
create: false create: false
name: alloy-config name: alloy-config
key: config.alloy key: config.alloy
mounts:
extra:
- mountPath: /openbao/logs
name: host-log-storage
readOnly: true
uiPathPrefix: "/alloy" uiPathPrefix: "/alloy"
configMap: configMap:
@ -85,16 +72,6 @@ alloy:
} }
local.file_match "file_logs" {
path_targets = [{"__path__" = "/openbao/logs/openbao/*"}]
sync_period = "5s"
}
loki.source.file "local_files" {
targets = local.file_match.file_logs.targets
forward_to = [loki.write.local_loki.receiver]
}
loki.source.kubernetes "all_pod_logs" { loki.source.kubernetes "all_pod_logs" {
targets = discovery.relabel.pod_logs.output targets = discovery.relabel.pod_logs.output
forward_to = [loki.write.local_loki.receiver] forward_to = [loki.write.local_loki.receiver]

29
template/stacks/ref-implementation/openbao-logging.yaml
View file

@ -1,29 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: openbao-logging-setup
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/openbao-logging"
destination:
server: "https://kubernetes.default.svc"
namespace: openbao
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

39
template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
View file

@ -1,39 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: openbao-logging-dir
namespace: openbao
spec:
selector:
matchLabels:
app: openbao-logging-dir
template:
metadata:
labels:
app: openbao-logging-dir
spec:
initContainers:
- name: creator
image: busybox
command: ["/bin/sh", "-c"]
args:
- |
set -e
mkdir -p /var/log/openbao
chown 100:100 /var/log/openbao
securityContext:
runAsUser: 0
volumeMounts:
- name: host-log
mountPath: /var/log
containers:
- name: running-container
image: busybox
command: ["sleep", "infinity"]
securityContext:
runAsUser: 0
volumes:
- name: host-log
hostPath:
path: /var/log
type: Directory

15
template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
View file

@ -1,15 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: logrotate-config
data:
logrotate.conf: |
/openbao/logs/openbao/*.log {
size 50M
rotate 7
missingok
notifempty
postrotate
echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
endscript
}

45
template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
View file

@ -1,45 +0,0 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: logrotate-cronjob
namespace: openbao
spec:
schedule: "0 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
containers:
- name: logrotate
image: skymatic/logrotate:latest
securityContext:
runAsUser: 100
command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
volumeMounts:
- name: host-log-storage
mountPath: /openbao/logs
- name: logrotate-config-volume
mountPath: /etc/logrotate.conf
subPath: logrotate.conf
readOnly: true
- name: passwd-volume
mountPath: /etc/passwd
subPath: passwd
- name: status
mountPath: /var/lib
restartPolicy: OnFailure
volumes:
- name: host-log-storage
hostPath:
path: /var/log
type: Directory
- name: logrotate-config-volume
configMap:
name: logrotate-config
- name: passwd-volume
configMap:
name: passwd-user-configmap
- name: status
emptyDir: {}

8
template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml
View file

@ -1,8 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: passwd-user-configmap
data:
passwd: |
root:x:0:0:root:/root:/bin/sh
openbao:x:100:1000::/home/openbao:/sbin/nologin

30
template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml
View file

@ -1,30 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: signal-sidecar-script
namespace: openbao
data:
sidecar.sh: |
#!/bin/sh
echo "Sending SIGHUP to OpenBAO..."
kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
start.sh: |
#!/bin/sh
echo "Starting mini HTTP server on port 3030..."
while true; do
echo "Waiting for HTTP POST..."
REQUEST=$(nc -l -p 3030)
echo "$REQUEST" | grep -q "POST /" && {
echo "Received POST request, sending SIGHUP..."
/tmp/sidecar.sh
RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
} || {
RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
}
echo -e "$RESPONSE" | nc -N localhost 3031
done

13
template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml
View file

@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: sidecar-script-service
namespace: openbao
spec:
selector:
app.kubernetes.io/instance: openbao
component: server
ports:
- protocol: TCP
port: 3030
targetPort: 3030

39
template/stacks/ref-implementation/openbao/values.yaml
View file

@ -1,46 +1,9 @@
server: server:
shareProcessNamespace: true
extraContainers:
- name: sidecar
image: alpine:latest
command: ["/bin/sh", "/tmp/start.sh"]
ports:
- containerPort: 3030
volumeMounts:
- name: sidecar-script
mountPath: /tmp/start.sh
subPath: start.sh
- name: sidecar-script
mountPath: /tmp/sidecar.sh
subPath: sidecar.sh
mode: 0755
- name: passwd-volume
mountPath: /etc/passwd
subPath: passwd
volumes:
- name: passwd-volume
configMap:
name: passwd-user-configmap
- name: host-log-storage
hostPath:
path: /var/log
type: Directory
- name: sidecar-script
configMap:
name: signal-sidecar-script
defaultMode: 0755
volumeMounts:
- mountPath: /openbao/logs
name: host-log-storage
readOnly: false
postStart: postStart:
- sh - sh
- -c - -c
- | - |
sleep 10 sleep 10
rm -rf /openbao/data/*
bao operator init >> /tmp/init.txt bao operator init >> /tmp/init.txt
cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {} cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@ -49,8 +12,6 @@ server:
echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
rm /tmp/init.txt rm /tmp/init.txt
bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
ui: ui:
enabled: true enabled: true