DevFW-CICD/stacks
14
0
Fork 2
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions

IPCEICIS-2952 #20

Closed
Michal.Wrobel wants to merge 107 commits from IPCEI-2952 into development
pull from: IPCEI-2952
merge into: DevFW-CICD:development
Conversation 1 Commits 107 Files changed 8 +216
8 changed files with 216 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
template/stacks/ref-implementation/openbao-logging.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: openbao-logging-setup
namespace: argocd
labels:
env: dev
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
targetRevision: HEAD
path: "stacks/ref-implementation/openbao-logging"
destination:
server: "https://kubernetes.default.svc"
namespace: openbao
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
retry:
limit: -1
backoff:
duration: 15s
factor: 1
maxDuration: 15s

39
template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml Normal file
View file

@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: openbao-logging-dir
namespace: openbao
spec:
selector:
matchLabels:
app: openbao-logging-dir
template:
metadata:
labels:
app: openbao-logging-dir
spec:
initContainers:
- name: creator
image: busybox
command: ["/bin/sh", "-c"]
args:
- |
set -e
mkdir -p /var/log/openbao
chown 100:100 /var/log/openbao
securityContext:
runAsUser: 0
volumeMounts:
- name: host-log
mountPath: /var/log
containers:
- name: running-container
image: busybox
command: ["sleep", "2"]
securityContext:
runAsUser: 0
volumes:
- name: host-log
hostPath:
path: /var/log
type: Directory

15
template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: logrotate-config
data:
logrotate.conf: |
/openbao/logs/openbao/*.log {
size 1M
rotate 7
missingok
notifempty
postrotate
echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
endscript
}

43
template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml Normal file
View file

@ -0,0 +1,43 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: logrotate-cronjob
namespace: openbao
spec:
schedule: "*/2 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: logrotate
image: skymatic/logrotate:latest
securityContext:
runAsUser: 100
command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
volumeMounts:
- name: host-log-storage
mountPath: /openbao/logs
- name: logrotate-config-volume
mountPath: /etc/logrotate.conf
subPath: logrotate.conf
readOnly: true
- name: passwd-volume
mountPath: /etc/passwd
subPath: passwd
- name: status
mountPath: /var/lib
restartPolicy: OnFailure
volumes:
- name: host-log-storage
hostPath:
path: /var/log
type: Directory
- name: logrotate-config-volume
configMap:
name: logrotate-config
- name: passwd-volume
configMap:
name: passwd-user-configmap
- name: status
emptyDir: {}

8
template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml Normal file
View file

@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: passwd-user-configmap
data:
passwd: |
root:x:0:0:root:/root:/bin/sh
openbao:x:100:1000::/home/openbao:/sbin/nologin

30
template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: signal-sidecar-script
namespace: openbao
data:
sidecar.sh: |
#!/bin/sh
echo "Sending SIGHUP to OpenBAO..."
kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
start.sh: |
#!/bin/sh
echo "Starting mini HTTP server on port 3030..."
while true; do
echo "Waiting for HTTP POST..."
REQUEST=$(nc -l -p 3030)
echo "$REQUEST" | grep -q "POST /" && {
echo "Received POST request, sending SIGHUP..."
/tmp/sidecar.sh
RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
} || {
RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
}
echo -e "$RESPONSE" | nc -N localhost 3031
done

13
template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: sidecar-script-service
namespace: openbao
spec:
selector:
app.kubernetes.io/instance: openbao
component: server
ports:
- protocol: TCP
port: 3030
targetPort: 3030

39
template/stacks/ref-implementation/openbao/values.yaml
View file

@ -1,9 +1,46 @@
server: server:
shareProcessNamespace: true
extraContainers:
- name: sidecar
image: alpine:latest
command: ["/bin/sh", "/tmp/start.sh"]
ports:
- containerPort: 3030
volumeMounts:
- name: sidecar-script
mountPath: /tmp/start.sh
subPath: start.sh
- name: sidecar-script
mountPath: /tmp/sidecar.sh
subPath: sidecar.sh
mode: 0755
- name: passwd-volume
mountPath: /etc/passwd
subPath: passwd
volumes:
- name: passwd-volume
configMap:
name: passwd-user-configmap
- name: host-log-storage
hostPath:
path: /var/log
type: Directory
- name: sidecar-script
configMap:
name: signal-sidecar-script
defaultMode: 0755
volumeMounts:
- mountPath: /openbao/logs
name: host-log-storage
readOnly: false
postStart: postStart:
- sh - sh
- -c - -c
- | - |
sleep 10 sleep 10
rm -rf /openbao/data/*
bao operator init >> /tmp/init.txt bao operator init >> /tmp/init.txt
cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {} cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@ -12,6 +49,8 @@ server:
echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
rm /tmp/init.txt rm /tmp/init.txt
bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
ui: ui:
enabled: true enabled: true