diff --git a/template/stacks/ref-implementation/openbao-logging.yaml b/template/stacks/ref-implementation/openbao-logging.yaml
new file mode 100644
index 0000000..5c26dc7
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao-logging.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: openbao-logging-setup
+ namespace: argocd
+ labels:
+ env: dev
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+ targetRevision: HEAD
+ path: "stacks/ref-implementation/openbao-logging"
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: openbao
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ selfHeal: true
+ retry:
+ limit: -1
+ backoff:
+ duration: 15s
+ factor: 1
+ maxDuration: 15s
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
new file mode 100644
index 0000000..20192e3
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: openbao-logging-dir
+ namespace: openbao
+spec:
+ selector:
+ matchLabels:
+ app: openbao-logging-dir
+ template:
+ metadata:
+ labels:
+ app: openbao-logging-dir
+ spec:
+ initContainers:
+ - name: creator
+ image: busybox
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -e
+ mkdir -p /var/log/openbao
+ chown 100:100 /var/log/openbao
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: host-log
+ mountPath: /var/log
+ containers:
+ - name: running-container
+ image: busybox
+ command: ["sleep", "2"]
+ securityContext:
+ runAsUser: 0
+ volumes:
+ - name: host-log
+ hostPath:
+ path: /var/log
+ type: Directory
\ No newline at end of file
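Review bot: `command: ["sleep", "2"]` on running-container means the DaemonSet's only long-running container exits after two seconds, so the kubelet restarts the pod indefinitely with a growing backoff; give it something that stays up, e.g. `command: ["sleep", "infinity"]`, and drop its `runAsUser: 0`, since that container does nothing privileged. The host mount is also wider than the job needs: the init container only touches /var/log/openbao, so `path: /var/log/openbao` with `type: DirectoryOrCreate`, mounted at `/var/log/openbao`, keeps the rest of the node's /var/log out of a root container. `chown 100:100` sets group 100, while passwd-user-configmap.yaml in this same change defines openbao as uid 100 gid 1000 — confirm which gid the server process and the logrotate job actually run with so the directory ownership matches. Pinning `image: busybox` to a tag or digest would keep the init step reproducible.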
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
new file mode 100644
index 0000000..807387b
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: logrotate-config
+data:
+ logrotate.conf: |
+ /openbao/logs/openbao/*.log {
+ size 1M
+ rotate 7
+ missingok
+ notifempty
+ postrotate
+ echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
+ endscript
+ }
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
new file mode 100644
index 0000000..755d6b9
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -0,0 +1,43 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: logrotate-cronjob
+ namespace: openbao
+spec:
+ schedule: "*/2 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: logrotate
+ image: skymatic/logrotate:latest
+ securityContext:
+ runAsUser: 100
+ command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
+ volumeMounts:
+ - name: host-log-storage
+ mountPath: /openbao/logs
+ - name: logrotate-config-volume
+ mountPath: /etc/logrotate.conf
+ subPath: logrotate.conf
+ readOnly: true
+ - name: passwd-volume
+ mountPath: /etc/passwd
+ subPath: passwd
+ - name: status
+ mountPath: /var/lib
+ restartPolicy: OnFailure
+ volumes:
+ - name: host-log-storage
+ hostPath:
+ path: /var/log
+ type: Directory
+ - name: logrotate-config-volume
+ configMap:
+ name: logrotate-config
+ - name: passwd-volume
+ configMap:
+ name: passwd-user-configmap
+ - name: status
+ emptyDir: {}
\ No newline at end of file
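Review bot: The postrotate block relies on `echo -e` to expand the `\r\n` sequences; on a /bin/sh whose echo does not take `-e` (dash-style), the literal `-e` and backslashes are sent and the request is malformed. `printf 'POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n' | nc sidecar-script-service.openbao.svc.cluster.local 3030` is portable. This ConfigMap also omits `namespace: openbao` while the CronJob that mounts it sets it, so it only lands in the right namespace through the Application's destination; passwd-user-configmap.yaml has the same omission. Whether the `nc` in the logrotate image exits once it has sent the request or waits for the peer to close is image-dependent and worth checking, since the sidecar's `nc -l` only returns once the client closes.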
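Review bot: `hostPath: path: /var/log` mounts the node's whole /var/log read-write into the job, while logrotate.conf only globs /openbao/logs/openbao/*.log; narrowing it to `path: /var/log/openbao` mounted at `mountPath: /openbao/logs/openbao` limits what a misconfigured logrotate run can touch on the host. `image: skymatic/logrotate:latest` is an unpinned third-party tag — pin a specific tag or digest so the job does not change underneath you. The passwd-volume mount lacks `readOnly: true`, unlike the logrotate config mount beside it. `concurrencyPolicy: Forbid` would stop overlapping runs if a job ever outlives the two-minute schedule, though with `sleep 10` that is unlikely.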
diff --git a/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml
new file mode 100644
index 0000000..d410b83
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: passwd-user-configmap
+data:
+ passwd: |
+ root:x:0:0:root:/root:/bin/sh
+ openbao:x:100:1000::/home/openbao:/sbin/nologin
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml
new file mode 100644
index 0000000..c215cd4
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: signal-sidecar-script
+ namespace: openbao
+data:
+ sidecar.sh: |
+ #!/bin/sh
+ echo "Sending SIGHUP to OpenBAO..."
+ kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
+
+ start.sh: |
+ #!/bin/sh
+
+ echo "Starting mini HTTP server on port 3030..."
+
+ while true; do
+ echo "Waiting for HTTP POST..."
+ REQUEST=$(nc -l -p 3030)
+
+ echo "$REQUEST" | grep -q "POST /" && {
+ echo "Received POST request, sending SIGHUP..."
+ /tmp/sidecar.sh
+ RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
+ } || {
+ RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
+ }
+
+ echo -e "$RESPONSE" | nc -N localhost 3031
+ done
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml
new file mode 100644
index 0000000..817ed6c
--- /dev/null
+++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml
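Review bot: In start.sh the reply is written with `nc -N localhost 3031`, a port nothing listens on, so the logrotate client never receives the HTTP response; and because `REQUEST=$(nc -l -p 3030)` only returns once the client closes its side, a client nc that itself waits for the server to close first would leave the two hanging on each other (this depends on which nc the client image ships). The response needs to travel back over the accepted connection, e.g. by feeding the stdin of `nc -l -p 3030` from a fifo that the handler writes the response into, rather than dialing a second socket. The 200 response declares `Content-Length: 26` for a 22-byte body (`SIGHUP sent to OpenBAO`); `Content-Length: 22` matches. Anything that can reach port 3030 — exposed cluster-wide by the Service in sidecar-script-service.yaml — can make OpenBao reload with a bare POST, since nothing beyond `grep -q "POST /"` is checked; a NetworkPolicy limiting ingress on 3030 to the logrotate job's pods would keep the reload trigger to its one intended caller.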
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: sidecar-script-service
+ namespace: openbao
+spec:
+ selector:
+ app.kubernetes.io/instance: openbao
+ component: server
+ ports:
+ - protocol: TCP
+ port: 3030
+ targetPort: 3030
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml
index 0ff72cf..ffbfa43 100644
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@@ -1,9 +1,46 @@
 server:
+ shareProcessNamespace: true
+ extraContainers:
+ - name: sidecar
+ image: alpine:latest
+ command: ["/bin/sh", "/tmp/start.sh"]
+ ports:
+ - containerPort: 3030
+ volumeMounts:
+ - name: sidecar-script
+ mountPath: /tmp/start.sh
+ subPath: start.sh
+ - name: sidecar-script
+ mountPath: /tmp/sidecar.sh
+ subPath: sidecar.sh
+ mode: 0755
+ - name: passwd-volume
+ mountPath: /etc/passwd
+ subPath: passwd
+ volumes:
+ - name: passwd-volume
+ configMap:
+ name: passwd-user-configmap
+ - name: host-log-storage
+ hostPath:
+ path: /var/log
+ type: Directory
+ - name: sidecar-script
+ configMap:
+ name: signal-sidecar-script
+ defaultMode: 0755
+
+ volumeMounts:
+ - mountPath: /openbao/logs
+ name: host-log-storage
+ readOnly: false
+
 postStart:
 - sh
 - -c
 - |
 sleep 10
+ rm -rf /openbao/data/*
 bao operator init >> /tmp/init.txt
 cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
 echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
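Review bot: The added `rm -rf /openbao/data/*` in postStart wipes the server's storage before `bao operator init` on every container start, so any restart discards whatever secrets were stored; if re-initialising on each boot is intended for this dev reference, a comment on that line saying so would stop someone "fixing" it, and if not, the init needs to be skipped when the backend is already initialised. `mode: 0755` under the sidecar.sh volumeMount is not a VolumeMount field — `defaultMode: 0755` on the sidecar-script volume already covers it, so drop that line before the API server rejects or strips it. The host-log-storage hostPath hands the server pod the node's entire /var/log read-write (`readOnly: false`) when it only writes /openbao/logs/openbao; `path: /var/log/openbao` is enough. `image: alpine:latest` is unpinned, and with `shareProcessNamespace: true` the sidecar sits in the bao process's PID namespace, so pin it and give it a `securityContext` that runs it non-root. The postStart script continues past the end of this hunk.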
@@ -12,6 +49,8 @@ server:
 echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
 echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
 echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
+ bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
 rm /tmp/init.txt
+ bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
 ui:
 enabled: true
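Review bot: `bao login $(grep "Initial Root Token:" ...)` persists the root token in the CLI's token helper file inside the container (`~/.bao-token` by default — confirm for this image), and nothing removes it after `bao audit enable`, so the root credential stays usable from any shell in the pod for its whole lifetime, in addition to the copy already kept in /openbao/data/initial_token.txt. Supplying the token only for the one command — via the CLI's token environment variable on the `bao audit enable` line, or deleting the helper file right after it — keeps the ambient login from outliving its purpose. `file_path=/openbao/logs/openbao/openbao.log` also assumes the DaemonSet in create-logging-directory.yaml has already created /var/log/openbao with the right owner on this node; if that ordering is not guaranteed, enabling the audit device fails and the failure is easy to miss, so a check or retry on that line is worth adding. The postStart script starts before this hunk.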