template/stacks/monitoring/alloy/values.yaml

@@ -1,8 +1,21 @@
+controller:
+  volumes:
+    extra:
+    - name: host-log-storage
+      hostPath:
+        path: /var/log
+        type: Directory
 alloy:
   create: false
   name: alloy-config
   key: config.alloy
 
+  mounts:
+    extra:
+    - mountPath: /openbao/logs
+      name: host-log-storage
+      readOnly: true
+
   uiPathPrefix: "/alloy"
 
   configMap:
@@ -72,6 +85,16 @@ alloy:
 
       }
 
+      local.file_match "file_logs" {
+          path_targets = [{"__path__" = "/openbao/logs/openbao/*"}]
+          sync_period = "5s"
+      }
+
+      loki.source.file "local_files" {
+          targets    = local.file_match.file_logs.targets
+          forward_to = [loki.write.local_loki.receiver]
+      }
+
       loki.source.kubernetes "all_pod_logs" {
         targets    = discovery.relabel.pod_logs.output
         forward_to = [loki.write.local_loki.receiver]

template/stacks/ref-implementation/openbao-logging.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao-logging-setup
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/ref-implementation/openbao-logging"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: openbao
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s

template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openbao-logging-dir
+  namespace: openbao
+spec:
+  selector:
+    matchLabels:
+      app: openbao-logging-dir
+  template:
+    metadata:
+      labels:
+        app: openbao-logging-dir
+    spec:
+      initContainers:
+      - name: creator
+        image: busybox
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          set -e
+          mkdir -p /var/log/openbao
+          chown 100:100 /var/log/openbao
+        securityContext:
+          runAsUser: 0 
+        volumeMounts:
+        - name: host-log
+          mountPath: /var/log
+      containers:
+      - name: running-container
+        image: busybox
+        command: ["sleep", "infinity"]
+        securityContext:
+          runAsUser: 0
+      volumes:
+      - name: host-log
+        hostPath:
+          path: /var/log
+          type: Directory

template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: logrotate-config
+data:
+  logrotate.conf: |
+    /openbao/logs/openbao/*.log {
+      size 50M
+      rotate 7
+      missingok
+      notifempty
+      postrotate
+        echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030
+      endscript
+    }

template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml

@@ -0,0 +1,45 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: logrotate-cronjob
+  namespace: openbao
+spec:
+  schedule: "0 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: logrotate
+            image: skymatic/logrotate:latest
+            securityContext:
+              runAsUser: 100
+            command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
+            volumeMounts:
+              - name: host-log-storage
+                mountPath: /openbao/logs
+              - name: logrotate-config-volume
+                mountPath: /etc/logrotate.conf
+                subPath: logrotate.conf
+                readOnly: true
+              - name: passwd-volume
+                mountPath: /etc/passwd
+                subPath: passwd
+              - name: status
+                mountPath: /var/lib
+          restartPolicy: OnFailure
+          volumes:
+          - name: host-log-storage
+            hostPath:
+              path: /var/log
+              type: Directory
+          - name: logrotate-config-volume  
+            configMap:         
+              name: logrotate-config
+          - name: passwd-volume  
+            configMap:         
+              name: passwd-user-configmap
+          - name: status  
+            emptyDir: {}

template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: passwd-user-configmap
+data:
+  passwd: |
+    root:x:0:0:root:/root:/bin/sh
+    openbao:x:100:1000::/home/openbao:/sbin/nologin

template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: signal-sidecar-script
+  namespace: openbao
+data:
+  sidecar.sh: |
+    #!/bin/sh
+    echo "Sending SIGHUP to OpenBAO..."
+    kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found"
+
+  start.sh: |
+    #!/bin/sh
+
+    echo "Starting mini HTTP server on port 3030..."
+
+    while true; do
+      echo "Waiting for HTTP POST..."
+      REQUEST=$(nc -l -p 3030)
+
+      echo "$REQUEST" | grep -q "POST /" && {
+        echo "Received POST request, sending SIGHUP..."
+        /tmp/sidecar.sh
+        RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"
+      } || {
+        RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
+      }
+
+      echo -e "$RESPONSE" | nc -N localhost 3031
+    done

template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sidecar-script-service
+  namespace: openbao
+spec:
+  selector:
+    app.kubernetes.io/instance: openbao
+    component: server
+  ports:
+    - protocol: TCP
+      port: 3030
+      targetPort: 3030

template/stacks/ref-implementation/openbao/values.yaml

@@ -1,9 +1,46 @@
 server:
+  shareProcessNamespace: true
+  extraContainers:
+    - name: sidecar
+      image: alpine:latest
+      command: ["/bin/sh", "/tmp/start.sh"]
+      ports:
+        - containerPort: 3030
+      volumeMounts:
+        - name: sidecar-script
+          mountPath: /tmp/start.sh
+          subPath: start.sh
+        - name: sidecar-script
+          mountPath: /tmp/sidecar.sh
+          subPath: sidecar.sh
+          mode: 0755
+        - name: passwd-volume
+          mountPath: /etc/passwd
+          subPath: passwd
+  volumes:    
+  - name: passwd-volume  
+    configMap:         
+      name: passwd-user-configmap
+  - name: host-log-storage
+    hostPath:
+      path: /var/log
+      type: Directory
+  - name: sidecar-script
+    configMap:
+      name: signal-sidecar-script
+      defaultMode: 0755
+
+  volumeMounts:
+  - mountPath: /openbao/logs
+    name: host-log-storage
+    readOnly: false
+
   postStart:
     - sh
     - -c
     - |
       sleep 10
+      rm -rf /openbao/data/*
       bao operator init >> /tmp/init.txt
       cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {}
       echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt
@@ -12,6 +49,8 @@ server:
       echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt
       echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt
       echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt
+      bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')
       rm /tmp/init.txt
+      bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log
 ui:
   enabled: true