Merge pull request 'IPCEICIS-2952' (#31 ) from IPCEICIS-2952 into development

Reviewed-on: #31 Reviewed-by: Daniel.Sy <Daniel.Sy@telekom.de>
Merge branch 'development' into IPCEICIS-2952
2025-05-28 10:30:55 +00:00 · 2025-05-28 09:18:47 +00:00 · 2025-04-24 11:09:29 +02:00 · 2025-04-24 10:51:32 +02:00 · 2025-04-24 10:24:34 +02:00 · 2025-04-24 10:17:25 +02:00
9 changed files with 241 additions and 0 deletions
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@ -1,8 +1,21 @@
+controller:
+  volumes:
+    extra:
+    - name: host-log-storage
+      hostPath:
+        path: /var/log
+        type: Directory
 alloy:
  create: false
  name: alloy-config
  key: config.alloy

+  mounts:
+    extra:
+    - mountPath: /openbao/logs
+      name: host-log-storage
+      readOnly: true
+
  uiPathPrefix: "/alloy"

  configMap:
@ -72,6 +85,16 @@ alloy:

      }

+      local.file_match "file_logs" {
+          path_targets = [{"__path__" = "/openbao/logs/openbao/*"}]
+          sync_period = "5s"
+      }
+
+      loki.source.file "local_files" {
+          targets    = local.file_match.file_logs.targets
+          forward_to = [loki.write.local_loki.receiver]
+      }
+
      loki.source.kubernetes "all_pod_logs" {
        targets    = discovery.relabel.pod_logs.output
        forward_to = [loki.write.local_loki.receiver]
--- a/template/stacks/ref-implementation/openbao-logging.yaml
+++ b/template/stacks/ref-implementation/openbao-logging.yaml
@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao-logging-setup
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/ref-implementation/openbao-logging"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: openbao
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
--- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openbao-logging-dir
+  namespace: openbao
+spec:
+  selector:
+    matchLabels:
+      app: openbao-logging-dir
+  template:
+    metadata:
+      labels:
+        app: openbao-logging-dir
+    spec:
+      initContainers:
+      - name: creator
+        image: busybox
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          set -e
+          mkdir -p /var/log/openbao
+          chown 100:100 /var/log/openbao
+        securityContext:
+          runAsUser: 0 
+        volumeMounts:
+        - name: host-log
+          mountPath: /var/log
+      containers:
+      - name: running-container
+        image: busybox
+        command: ["sleep", "infinity"]
+        securityContext:
+          runAsUser: 0
+      volumes:
+      - name: host-log
+        hostPath:
+          path: /var/log
+          type: Directory
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: logrotate-config
+data:
+  logrotate.conf: |
+    /openbao/logs/openbao/*.log {
+      size 50M
+      rotate 7
+      missingok
+      notifempty
+      postrotate
+        echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
+      endscript
+    }
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@ -0,0 +1,45 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: logrotate-cronjob
+  namespace: openbao
+spec:
+  schedule: "0 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: logrotate
+            image: skymatic/logrotate:latest
+            securityContext:
+              runAsUser: 100
+            command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
+            volumeMounts:
+              - name: host-log-storage
+                mountPath: /openbao/logs
+              - name: logrotate-config-volume
+                mountPath: /etc/logrotate.conf
+                subPath: logrotate.conf
+                readOnly: true
+              - name: passwd-volume
+                mountPath: /etc/passwd
+                subPath: passwd
+              - name: status
+                mountPath: /var/lib
+          restartPolicy: OnFailure
+          volumes:
+          - name: host-log-storage
+            hostPath:
+              path: /var/log
+              type: Directory
+          - name: logrotate-config-volume  
+            configMap:         
+              name: logrotate-config
+          - name: passwd-volume  
+            configMap:         
+              name: passwd-user-configmap
+          - name: status  
+            emptyDir: {}
--- a/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: passwd-user-configmap
+data:
+  passwd: |
+    root:x:0:0:root:/root:/bin/sh
+    openbao:x:100:1000::/home/openbao:/sbin/nologin
--- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml
@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: signal-sidecar-script
+  namespace: openbao
+data:
+  sidecar.sh: |
+    #!/bin/sh
+    echo "Sending SIGHUP to OpenBAO..."
+    kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
+
+  start.sh: |
+    #!/bin/sh
+
+    echo "Starting mini HTTP server on port 3030..."
+
+    while true; do
+      echo "Waiting for HTTP POST..."
+      REQUEST=$(nc -l -p 3030)
+
+      echo "$REQUEST" | grep -q "POST /" && {
+        echo "Received POST request, sending SIGHUP..."
+        /tmp/sidecar.sh
+        RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
+      } || {
+        RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
+      }
+
+      echo -e "$RESPONSE" | nc -N localhost 3031
+    done
--- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sidecar-script-service
+  namespace: openbao
+spec:
+  selector:
+    app.kubernetes.io/instance: openbao
+    component: server
+  ports:
+    - protocol: TCP
+      port: 3030
+      targetPort: 3030
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@ -1,9 +1,46 @@
 server:
+  shareProcessNamespace: true
+  extraContainers:
+    - name: sidecar
+      image: alpine:latest
+      command: ["/bin/sh", "/tmp/start.sh"]
+      ports:
+        - containerPort: 3030
+      volumeMounts:
+        - name: sidecar-script
+          mountPath: /tmp/start.sh
+          subPath: start.sh
+        - name: sidecar-script
+          mountPath: /tmp/sidecar.sh
+          subPath: sidecar.sh
+          mode: 0755
+        - name: passwd-volume
+          mountPath: /etc/passwd
+          subPath: passwd
+  volumes:    
+  - name: passwd-volume  
+    configMap:         
+      name: passwd-user-configmap
+  - name: host-log-storage
+    hostPath:
+      path: /var/log
+      type: Directory
+  - name: sidecar-script
+    configMap:
+      name: signal-sidecar-script
+      defaultMode: 0755
+
+  volumeMounts:
+  - mountPath: /openbao/logs
+    name: host-log-storage
+    readOnly: false
+
  postStart:
    - sh
    - -c
    - |
      sleep 10
+      rm -rf /openbao/data/*
      bao operator init >> /tmp/init.txt
      cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
      echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@ -12,6 +49,8 @@ server:
      echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
      echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
      echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
+      bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
      rm /tmp/init.txt
+      bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
 ui:
  enabled: true
Author	SHA1	Message	Date
Michal.Wrobel	66e846b44a	Merge pull request 'IPCEICIS-2952' (#31 ) from IPCEICIS-2952 into development Reviewed-on: #31 Reviewed-by: Daniel.Sy <Daniel.Sy@telekom.de>	2025-05-28 10:30:55 +00:00
Michal.Wrobel	5e7fddef33	Merge branch 'development' into IPCEICIS-2952	2025-05-28 09:18:47 +00:00
miwr	934d182042	done	2025-04-24 11:09:29 +02:00
miwr	b0834b73cc	/2 * * *	2025-04-24 10:51:32 +02:00
miwr	ed0d1debf4	extra	2025-04-24 10:24:34 +02:00
miwr	b89cfa49fd	alloy config added	2025-04-24 10:17:25 +02:00
Michal.Wrobel	0771b1deb9	Merge branch 'development' into IPCEICIS-2952	2025-04-23 13:29:25 +00:00
miwr	f71729c074	finals touches	2025-04-23 15:22:38 +02:00
miwr	07ff00fce1	almost done	2025-04-23 14:46:27 +02:00
miwr	32f084fcb6	ds renewed	2025-04-23 14:40:14 +02:00
miwr	cee7ba8ff3	- name: passwd-volume mountPath: /etc/passwd subPath: passwd	2025-04-23 14:27:15 +02:00
miwr	feae2ff010	another mistake	2025-04-23 14:19:48 +02:00
miwr	86fb4eefa3	mistake	2025-04-23 14:17:05 +02:00
miwr	596a234192	test	2025-04-23 14:15:44 +02:00
miwr	7e2243d52d	test to ds	2025-04-23 13:59:30 +02:00
miwr	9c8cdbf7a4	no logrotate sidecar container	2025-04-23 13:54:07 +02:00
miwr	01a9c0e0e6	deleted unneccessary container	2025-04-23 13:28:18 +02:00
miwr	58fd63da54	0 * * * *	2025-04-23 13:11:58 +02:00
miwr	d1355e47c8	don't compress	2025-04-23 12:56:56 +02:00
miwr	20a6113403	new changes	2025-04-23 12:01:20 +02:00
miwr	1abbd9b646	&& sleep 10	2025-04-23 11:56:08 +02:00
miwr	7dfefa8ac9	2M	2025-04-23 11:45:26 +02:00
miwr	135844644d	command: ["/bin/sh", "-c", "sleep 10"]	2025-04-23 11:45:10 +02:00
miwr	4d20aeeaac	5 minutes	2025-04-23 11:34:01 +02:00
miwr	84d4f0af07	don't sleep	2025-04-23 11:26:02 +02:00
miwr	700c242cdd	final touches	2025-04-23 11:24:03 +02:00
miwr	e1da09b2cc	push	2025-04-23 10:51:42 +02:00
miwr	d45c89c0b8	3030	2025-04-23 10:32:16 +02:00
miwr	3f6ec41ece	service corrected	2025-04-22 15:52:16 +02:00
miwr	40d1d025a6	new script	2025-04-22 15:13:56 +02:00
miwr	1268e3ea24	unique	2025-04-22 14:50:50 +02:00
miwr	d17861bc87	another try	2025-04-22 14:46:41 +02:00
miwr	87ce37972d	new service	2025-04-22 14:42:37 +02:00
miwr	350e3a804c	nginx.conf	2025-04-22 14:25:44 +02:00
miwr	a9ae743de9	subpath	2025-04-22 14:13:15 +02:00
miwr	529182ee3d	logrotate-cronjob	2025-04-02 15:31:38 +02:00
miwr	dd9ddc8fdb	sidecar-script	2025-04-02 15:26:04 +02:00
miwr	6811280b92	- name: sidecar-nginx image: nginx:latest ports: - containerPort: 8080 volumeMounts: - name: idecar-script mountPath: /etc/nginx subPath: nginx.conf subPathExpr: 'nginx.conf' - name: idecar-script mountPath: /tmp/sidecar.sh subPath: sidecar.sh mode: 0755 - name: passwd-volume mountPath: /etc/passwd subPath: passwd	2025-04-02 15:20:11 +02:00
miwr	949cf77c4e	sighup	2025-04-02 14:53:08 +02:00
miwr	a11947c5e7	kill -SIGHUP $(pidof bao) \|\| echo "OpenBAO process not found"	2025-04-02 14:40:13 +02:00
miwr	853ce17354	app: openbao-0	2025-04-02 14:39:56 +02:00
miwr	8b6b29cb9f	sleep infinity	2025-04-02 14:21:28 +02:00
miwr	4553289695	tmp	2025-04-02 13:59:01 +02:00
miwr	0f229f7adb	sleep infinity	2025-04-02 13:51:28 +02:00
miwr	cfb473659d	command: ["/bin/sh", "-c", "sleep 1000000000000000000000"]	2025-04-02 13:46:04 +02:00
miwr	795d575d5e	kill -SIGHUP $(pidof bao) \|\| echo "OpenBAO process not found" mkdir pupa	2025-04-02 13:38:34 +02:00
miwr	c754dc80bc	signal-sidecar-script	2025-04-02 13:32:15 +02:00
miwr	1a85de6cda	5k	2025-04-02 11:03:54 +02:00
miwr	5db72e2dc0	cronjob	2025-04-02 10:43:10 +02:00
miwr	ca9fd7ba39	- name: status mountPath: /var/lib	2025-04-02 10:08:07 +02:00
miwr	48fb2c1481	size 1M	2025-04-02 09:53:08 +02:00
miwr	a2d2bd9b87	volumeMounts: - name: host-log-storage mountPath: /openbao/logs	2025-04-02 08:59:29 +02:00
miwr	49fdf90dd8	- name: logrotate2	2025-04-01 14:49:40 +02:00
miwr	b5a515c6f9	imroc/logrotate:latest	2025-04-01 14:44:46 +02:00
miwr	485e772016	# - name: status # mountPath: /var/lib	2025-04-01 14:11:35 +02:00
miwr	71a45cc0b8	value: "* * * * *"	2025-04-01 14:04:13 +02:00
miwr	5200aa748c	5k	2025-04-01 13:53:08 +02:00
miwr	29ec426778	delaycompress rmoved	2025-04-01 13:36:33 +02:00
miwr	7b8ea2de6b	status	2025-04-01 13:28:10 +02:00
miwr	ee630c88b9	env: - name: CRON_SCHEDULE value: "0 * * * *" - name: TINI_SUBREAPER value:	2025-04-01 13:18:44 +02:00
miwr	fc6ee8bcae	1M	2025-04-01 12:53:31 +02:00
miwr	c9d72e9f90	should be done	2025-04-01 11:57:46 +02:00
miwr	7cc75f0095	test	2025-04-01 11:44:52 +02:00
miwr	37a9a73664	- name: passwd-volume mountPath: /etc/passwd subPath: passwd	2025-04-01 11:44:19 +02:00
miwr	ad76195004	passwd-user-configmap	2025-04-01 11:35:26 +02:00
miwr	d3b60c036a	extraArgs: "chmod o+rwx /etc/passwd"	2025-04-01 11:20:56 +02:00
miwr	de3194062d	extraArgs: - \| chmod o+rwx /etc/passwd chmod o+rwx /etc/group	2025-04-01 11:16:07 +02:00
miwr	cda3fc8179	extraArgs: - chmod o+rwx /etc/passwd - chmod o+rwx /etc/group	2025-04-01 11:15:20 +02:00
miwr	2dc751b5e3	chmod o+rwx /etc/passwd chmod o+rwx /etc/group	2025-04-01 10:59:09 +02:00
miwr	12a4ed37f7	/etc/group	2025-04-01 10:51:43 +02:00
miwr	77b571b768	chown 100:100 /etc/passwd	2025-04-01 10:50:59 +02:00
miwr	6df0858cdf	- name: init image: alpine:latest	2025-04-01 10:45:20 +02:00
miwr	06fb6d223f	runAsUser: 100	2025-04-01 10:21:07 +02:00
miwr	4f8eb0bc8b	chmod o+rwx /var/log/openbao	2025-04-01 10:05:55 +02:00
miwr	1164768b9f	runAsUser: 1	2025-03-31 15:53:54 +02:00
miwr	f66f437cdf	runAsUser: 100	2025-03-31 15:48:42 +02:00
miwr	ce5bdf0226	runAsUser: 1	2025-03-31 15:35:06 +02:00
miwr	56c5cc2620	- name: alloy-data mountPath: /var/lib/	2025-03-31 15:24:21 +02:00
miwr	458414e779	set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao echo "logrotate❌100💯:/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate❌100:" >> /etc/group mkdir -p /home/logrotate # chown 100:100 /var/lib	2025-03-31 15:09:30 +02:00
miwr	8eae08aaa9	securityContext: runAsUser: 0	2025-03-31 15:04:11 +02:00
miwr	ba9452e03c	chown 100:100 /var/lib	2025-03-31 14:55:39 +02:00
miwr	888d32c403	set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao echo "logrotate❌100💯:/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate❌100:" >> /etc/group chown logrotate:logrotate /var/lib	2025-03-31 14:49:48 +02:00
miwr	6f3effeaf5	# bao audit enable file file_path=stdout	2025-03-31 14:49:09 +02:00
miwr	fd02d55dda	bao audit enable file file_path=stdout	2025-03-31 14:26:58 +02:00
miwr	63b17c9e32	echo "logrotate❌100💯:/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate❌100:" >> /etc/group	2025-03-31 14:10:34 +02:00
miwr	f13bf825ff	set -e chown 100:100 /var/lib tail -f /dev/null	2025-03-31 14:03:43 +02:00
miwr	abd7da5cd3	image: alpine:latest	2025-03-31 13:58:12 +02:00
miwr	a42df6275c	restart policy removed	2025-03-31 13:50:24 +02:00
miwr	5a802be864	- \| set -e useradd -u 100 logrotate chown logrotate:logrotate /var/lib tail -f /dev/null	2025-03-31 13:45:05 +02:00
miwr	bc6ed363e2	logrotate-priviledges	2025-03-31 13:38:33 +02:00
miwr	631be775f5	chown logrotate:logrotate /var/lib/logrotate.status	2025-03-31 13:28:37 +02:00
miwr	0107666fe2	logrotate-config-volume	2025-03-31 12:31:38 +02:00
miwr	e5ccae1aab	- name: logrotate-config mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: true	2025-03-31 12:22:35 +02:00
miwr	f6d1842876	image: skymatic/logrotate:latest	2025-03-31 12:14:19 +02:00
miwr	508ecd3f12	imagePullPolicy: IfNotPresent	2025-03-31 12:07:24 +02:00
miwr	5e47caaee1	- name: logrotate image: imroc/logrotate:latest env: - name: LOGROTATE_FILE_PATTERN value: "/var/log/nginx/nginx_.log" - name: LOGROTATE_FILESIZE value: "20M" - name: LOGROTATE_FILENUM value: "10" - name: CRON_EXPR value: "/1 * * * *" - name: CROND_LOGLEVEL value: "7"	2025-03-31 11:54:31 +02:00
miwr	0485a8fb76	image: skymatic/logrotate:latest	2025-03-31 11:42:14 +02:00
miwr	17f578dde2	blacklabelops/logrotate	2025-03-31 11:20:56 +02:00
miwr	a35aefc376	image: debian:stable-slim	2025-03-31 11:07:40 +02:00
miwr	398c94fbc8	alpine:latest	2025-03-31 11:02:11 +02:00
miwr	30f0c6f218	debian:stable-slim	2025-03-31 10:54:23 +02:00
miwr	06303ef355	bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log	2025-03-31 10:30:15 +02:00
miwr	08471dee47	bao audit enable -path="file" file file_path=/var/log/openbao/openbao.log	2025-03-31 10:25:48 +02:00
miwr	881b65fcec	apiVersion: apps/v1 kind: DaemonSet metadata: name: openbao-logging-dir namespace: openbao spec: selector: matchLabels: app: openbao-logging-dir template: metadata: labels: app: openbao-logging-dir spec: initContainers: - name: creator image: busybox command: ["/bin/sh", "-c"] args: - \| set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao securityContext: runAsUser: 0 volumeMounts: - name: host-log mountPath: /var/log containers: - name: running-container image: busybox command: ["sleep", "infinity"] volumes: - name: host-log hostPath: path: /var/log type: Directory	2025-03-31 10:19:39 +02:00
miwr	3853370a8c	# - name: logrotate-config # mountPath: /etc/logrotate.conf # subPath: logrotate.conf	2025-03-31 10:10:59 +02:00
miwr	6acd284b83	- name: logrotate image: alpine:latest command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 volumeMounts: - name: host-log-storage mountPath: /openbao/logs - name: logrotate-config mountPath: /etc/logrotate.conf subPath: logrotate.conf	2025-03-31 10:03:59 +02:00
miwr	c79114f463	# bao audit enable file file_path=stdout	2025-03-27 13:43:26 +01:00
miwr	6a5be1257c	bao audit enable file file_path=stdout	2025-03-27 13:19:45 +01:00
miwr	1cb714aabb	volumeMounts: - mountPath: /var/log name: log-storage readOnly: false	2025-03-26 15:51:24 +01:00
miwr	450b5ff1a8	# removed	2025-03-26 15:42:15 +01:00
miwr	aaaf905edc	# rm -rf /openbao/data/*	2025-03-26 15:40:05 +01:00
miwr	bd89c91d52	forgot to add login	2025-03-26 15:31:49 +01:00
miwr	a9ad7c1c5c	comments deleted	2025-03-26 15:24:19 +01:00
miwr	d057e9dae1	configuration added	2025-03-26 14:44:35 +01:00