Feat/vault audit otlp (#24)
* doc(usage): simplify ssl passthrough instructions
* feat: add loki, promtail and otlp
* feat(vso): move files to dir
* feat: configure ingress w/ yaml
* feat: add network policies
* feat: use github svc icon
* feat: comment otlp config file
in0rdr authored May 10, 2024
1 parent f68a4b2 commit 1ff11d7
Showing 27 changed files with 320 additions and 245 deletions.
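--- a/NETWORK-POLICIES.md
+++ b/NETWORK-POLICIES.md
@@ -0,0 +1,22 @@
+# Test network policies
+Kubernetes and/or Cilium network policies can be applied by enabling the Terraform variables:
+```
+enable_kubernetes_network_policies = true
+enable_cilium_network_policies = true
+```
+
+Ensure Minikube/kind has the network plugin enabled and Cilium CNI installed.
+
+## Positive test
+Push test metrics to `vault-audit` Loki tenant from `otlp` namespace:
+```bash
+kubectl run --rm -it debug --image=curlimages/curl -n otlp -- sh
+$ curl -X POST http://loki.loki.svc.cluster.local:3100/loki/api/v1/push -H "X-Scope-OrgID: vault-audit" -H "Content-Type: application/json" --data-raw "{\"streams\": [{ \"stream\": { \"foo\": \"bar2\" }, \"values\": [ [ \"$(date +%s)000000000\", \"fizzbuzz-$(date +%s)\" ] ] }]}"
+```
+
+## Negative test
+Push test metrics to `vault-audit` Loki tenant from `default` namespace:
+```bash
+kubectl run --rm -it debug --image=curlimages/curl -n default -- sh
+$ curl -X POST http://loki.loki.svc.cluster.local:3100/loki/api/v1/push -H "X-Scope-OrgID: vault-audit" -H "Content-Type: application/json" --data-raw "{\"streams\": [{ \"stream\": { \"foo\": \"bar2\" }, \"values\": [ [ \"$(date +%s)000000000\", \"fizzbuzz-$(date +%s)\" ] ] }]}"
+```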
14 changes: 12 additions & 2 deletions Provisioning/Vault/audit.tf
@@ -1,7 +1,17 @@
resource "vault_audit" "file" {
resource "vault_audit" "stdout" {
type = "file"

options = {
file_path = "stdout"
}
}
}

resource "vault_audit" "otel" {
type = "socket"
path = "otel_socket"

options = {
address = "opentelemetry-collector.otlp.svc.cluster.local:54525"
socket_type = "tcp"
}
}
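Review bot: The new `otel` device sends the full Vault audit stream as plaintext TCP to `opentelemetry-collector.otlp.svc.cluster.local:54525`, and nothing in this hunk limits who else in the cluster can reach that port or read the stream in transit; since the commit also adds network policies, it is worth confirming the `otlp` namespace accepts this port only from the `vault` namespace. Vault also requires at least one audit device to persist each request before it completes, so a stalled collector socket can slow or block requests and the `stdout` device is what keeps Vault serving while the collector is down; that dependency should be stated above the resource, e.g. `# Secondary audit sink: plaintext TCP to the OTLP collector. The stdout device above keeps Vault serving if the collector is unreachable.`. Consider also setting the socket device's `write_timeout` option explicitly rather than relying on its default.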
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
2 changes: 1 addition & 1 deletion Provisioning/Vault/variables.tf
Expand Up @@ -5,7 +5,7 @@ variable "VAULT_TOKEN" {

variable "VAULT_ADDR"{
type = string
default = "https://vault-cli.playground.lab"
default = "https://vault.playground.lab"
description = "Vault address"
}

12 changes: 6 additions & 6 deletions Provisioning/Vault/vault-secrets-operator.tf
Expand Up @@ -49,21 +49,21 @@ resource "vault_pki_secret_backend_role" "role" {
# This is an example for a workload agnhost fetching a TLS certificate from Vault
# https://raw.githubusercontent.com/hashicorp/vault-secrets-operator/main/config/samples/secrets_v1alpha1_vaultpkisecret_tls.yaml
resource "kubernetes_manifest" "vaultpkisecret" {
manifest = yamldecode(file("./manifests/vaultpkisecret.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/vaultpkisecret.yaml"))
}
resource "kubernetes_manifest" "pod" {
manifest = yamldecode(file("./manifests/pod.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/pod.yaml"))
}
resource "kubernetes_manifest" "service" {
manifest = yamldecode(file("./manifests/service.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/service.yaml"))
}
resource "kubernetes_manifest" "ingress" {
manifest = yamldecode(file("./manifests/ingress.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/ingress.yaml"))
}
resource "kubernetes_manifest" "vaultconnection" {
manifest = yamldecode(file("./manifests/vaultconnection.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/vaultconnection.yaml"))
}
resource "kubernetes_manifest" "vaultauth" {
manifest = yamldecode(file("./manifests/vaultauth.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/vaultauth.yaml"))
}

4 changes: 3 additions & 1 deletion SETUP.md
Expand Up @@ -139,7 +139,9 @@ To install minikube, follow the [official documentation](https://minikube.sigs.k
After installing minikube, you can create a cluster with the following command:

```bash
minikube start
# start minkube with network plugin to use network policies
# https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy
minikube start --cni=cilium
```
MiniKube will automatically configure kubectl to communicate with the cluster and offers commands to manage the cluster under the context `minikube`.

23 changes: 11 additions & 12 deletions USAGE.md
Expand Up @@ -20,11 +20,9 @@ export VAULT_K8S_NAMESPACE=<your namespace>
### 4.1. Minikube
Run the following commands to enable ingress:
```bash

minikube addons enable ingress

kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
```

### 4.2. Kind
[Deploy Metallb](https://kind.sigs.k8s.io/docs/user/loadbalancer) to use an IP in the Docker network (below assumes range `172.19.255.200 - 172.19.255.250`) for load balancing purposes:

Expand All @@ -44,33 +42,34 @@ kubectl patch svc -n ingress-nginx ingress-nginx-controller --type='json' -p='[{

# remove --publish-status-address=localhost, don't set loadbalancer status to localhost (will use IP of ingress)
kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/args/9"}]'
```

## 5. Enable SSL passthrough
```bash
# enable ssl passthrough
kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
```

## 5. Deploy Vault
## 6. Deploy Vault
Run the following commands to deploy Vault:
```bash
cd Vault-Deployment
terraform init
terraform apply
```

## 6. Unseal Vault
## 7. Unseal Vault
Run the following commands to unseal Vault:
```bash
kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > ./cluster-keys.json
kubectl exec -n vault vault-0 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec -n vault vault-1 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec -n vault vault-2 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
```
## 7. Login to Vault
## 8. Login to Vault
Run the following commands to login to Vault:
```bash
./add-to-hosts.sh

export VAULT_ADDR=https://vault-cli.playground.lab
export VAULT_ADDR=https://vault.playground.lab

export VAULT_TOKEN=$(cat cluster-keys.json | jq -r .root_token)

Expand All @@ -79,7 +78,7 @@ export VAULT_SKIP_VERIFY=true
vault login $VAULT_TOKEN
```

## 8. Create token for Prometheus
## 9. Create token for Prometheus

The Vault /sys/metrics endpoint is authenticated. Prometheus requires a Vault token with sufficient capabilities to successfully consume metrics from the endpoint.

Expand Down Expand Up @@ -117,11 +116,11 @@ Now restart the Prometheus pod to pick up the new token.
kubectl delete pod prometheus-kube-stack-prometheus-kube-prometheus-0
```

## 9. Access Playground
## 10. Access Playground

Go to http://explore.playground.lab/ to get an overview over all applications.

## 10. Provisioning Vault
## 11. Provisioning Vault

Export the Vault token to the environment variable `TF_VAR_VAULT_TOKEN`:
```bash
7 changes: 3 additions & 4 deletions Vault-Deployment/add-to-hosts.sh
Expand Up @@ -22,10 +22,9 @@ echo -e "### vault playground start ###" | sudo tee -a /etc/hosts
echo -e "#the cleanup script will delete everything between this tags" | sudo tee -a /etc/hosts


add_ingress_to_hosts "vault-ui-ingress" "vault" "vault-ui.playground.lab"
add_ingress_to_hosts "vault-cli-ingress" "vault" "vault-cli.playground.lab"
add_ingress_to_hosts "prometheus-ingress" "$VAULT_K8S_NAMESPACE" "prometheus.playground.lab"
add_ingress_to_hosts "grafana-ingress" "$VAULT_K8S_NAMESPACE" "grafana.playground.lab"
add_ingress_to_hosts "vault" "vault" "vault.playground.lab"
add_ingress_to_hosts "kube-stack-prometheus-kube-prometheus" "kube-prometheus-stack" "prometheus.playground.lab"
add_ingress_to_hosts "kube-stack-prometheus-grafana" "kube-prometheus-stack" "grafana.playground.lab"
add_ingress_to_hosts "openldap-stack-ha-ltb-passwd" "$VAULT_K8S_NAMESPACE" "ssl-ldap2.playground.lab"
add_ingress_to_hosts "openldap-stack-ha-phpldapadmin" "$VAULT_K8S_NAMESPACE" "phpldapadmin.playground.lab"
add_ingress_to_hosts "homer" "$VAULT_K8S_NAMESPACE" "explore.playground.lab"
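Review bot: The ingress names and the `kube-prometheus-stack` namespace on the new `add_ingress_to_hosts` lines duplicate values that are set on the Helm releases in `Vault-Deployment/helm-install.tf`, so a later change to either release name or namespace will make these lookups miss without any error in this script. A comment tying the two together would make that coupling visible, e.g. `# ingress names and namespaces must match the helm_release resources in helm-install.tf`. What `add_ingress_to_hosts` does when the ingress is not found is defined above the hunk, so whether a miss writes an empty address into /etc/hosts is inferred and should be checked.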
51 changes: 46 additions & 5 deletions Vault-Deployment/helm-install.tf
Expand Up @@ -63,11 +63,13 @@ resource "kubernetes_secret" "prometheus-monitoring-token" {


resource "helm_release" "prometheus-grafana" {
name = "kube-stack-prometheus"
repository = "https://prometheus-community.github.io/helm-charts"
chart = "kube-prometheus-stack"
namespace = var.namespace
version = "44.2.1"
name = "kube-stack-prometheus"
repository = "https://prometheus-community.github.io/helm-charts"
chart = "kube-prometheus-stack"
create_namespace = true
namespace = "kube-prometheus-stack"
version = "55.0.0"
wait = false

values = [
file("./values/kube-prometheus-stack-values.yaml")
Expand All @@ -86,6 +88,45 @@ resource "helm_release" "prometheus-grafana" {

}

resource "helm_release" "loki" {
name = "loki"
repository = "https://grafana.github.io/helm-charts"
chart = "loki"
version = "5.39.0"
create_namespace = true
namespace = "loki"
wait = false
values = [
file("./values/loki.yaml")
]
}

resource "helm_release" "promtail" {
name = "promtail"
repository = "https://grafana.github.io/helm-charts"
chart = "promtail"
version = "6.15.3"
create_namespace = true
namespace = "promtail"
wait = false
values = [
file("./values/promtail.yaml")
]
}

resource "helm_release" "opentelemetry-collector" {
name = "opentelemetry-collector"
repository = "https://open-telemetry.github.io/opentelemetry-helm-charts"
chart = "opentelemetry-collector"
version = "0.76.0"
create_namespace = true
namespace = "otlp"
wait = false
values = [
file("./values/otlp.yaml")
]
}


resource "helm_release" "open-ldap" {
name = "openldap-stack-ha"
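Review bot: Moving the `prometheus-grafana` release from `var.namespace` to the hard-coded `kube-prometheus-stack` namespace in the first hunk appears to separate Prometheus from the `kubernetes_secret "prometheus-monitoring-token"` resource named in the hunk header, which presumably still lives in `var.namespace`; a pod cannot mount a secret from another namespace, so the Vault metrics scrape would lose its token unless that resource moved as well — worth confirming. The jump from chart `44.2.1` to `55.0.0` crosses several major versions of kube-prometheus-stack, and Helm does not upgrade CRDs in place, so the apply can succeed while the operator runs against stale CRDs; a comment such as `# major chart upgrade: apply the chart's updated CRDs before terraform apply` would record that step. The three releases in the second hunk all set `wait = false` with no ordering, and the Vault socket audit device in `Provisioning/Vault/audit.tf` targets the collector, so a comment on the `opentelemetry-collector` release noting that it must be healthy before that root is applied would help.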
141 changes: 0 additions & 141 deletions Vault-Deployment/ingress.tf

This file was deleted.

@@ -0,0 +1,4 @@
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
# TODO
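Review bot: The new CiliumNetworkPolicy manifest stops at `# TODO` with no `metadata` or `spec`, so as written it is not a valid object and cannot be applied; if this is the file that `enable_cilium_network_policies` loads, the apply will either fail or, if the file is skipped, enforce nothing while NETWORK-POLICIES.md presents the option as working. Until the policy is filled in, the comment should say so, e.g. `# TODO: stub with no spec — enabling enable_cilium_network_policies currently restricts no traffic`. The file's path header is not visible in this view, so how the manifest is consumed is inferred.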