Feat/vault audit otlp #24

Merged
merged 7 commits into from
May 10, 2024
22 changes: 22 additions & 0 deletions NETWORK-POLICIES.md
@@ -0,0 +1,22 @@
# Test network policies
Kubernetes and/or Cilium network policies can be applied by enabling the Terraform variables:
```
enable_kubernetes_network_policies = true
enable_cilium_network_policies = true
```

Ensure Minikube/kind has the network plugin enabled and Cilium CNI installed.

## Positive test
Push test metrics to `vault-audit` Loki tenant from `otlp` namespace:
```bash
kubectl run --rm -it debug --image=curlimages/curl -n otlp -- sh
$ curl -X POST http://loki.loki.svc.cluster.local:3100/loki/api/v1/push -H "X-Scope-OrgID: vault-audit" -H "Content-Type: application/json" --data-raw "{\"streams\": [{ \"stream\": { \"foo\": \"bar2\" }, \"values\": [ [ \"$(date +%s)000000000\", \"fizzbuzz-$(date +%s)\" ] ] }]}"
```

## Negative test
Push test metrics to `vault-audit` Loki tenant from `default` namespace:
```bash
kubectl run --rm -it debug --image=curlimages/curl -n default -- sh
$ curl -X POST http://loki.loki.svc.cluster.local:3100/loki/api/v1/push -H "X-Scope-OrgID: vault-audit" -H "Content-Type: application/json" --data-raw "{\"streams\": [{ \"stream\": { \"foo\": \"bar2\" }, \"values\": [ [ \"$(date +%s)000000000\", \"fizzbuzz-$(date +%s)\" ] ] }]}"
```
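Review bot: neither test states its expected outcome, so a reader cannot tell whether the policy is working; the positive test should say that the push from `otlp` is answered by Loki with an empty HTTP 204, and the negative test should say that the same `curl` from `default` must fail to connect (a successful push there means the policy is not being enforced). Two smaller points in the same file: `/loki/api/v1/push` ingests log streams, not metrics, so "Push test metrics" should read "Push test log lines"; and the `$ curl ...` line is typed inside the pod shell opened by the preceding `kubectl run`, which only the `$` prompt hints at, so a comment such as `# inside the debug pod:` would make the two-step flow explicit.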
14 changes: 12 additions & 2 deletions Provisioning/Vault/audit.tf
@@ -1,7 +1,17 @@
resource "vault_audit" "file" {
resource "vault_audit" "stdout" {
type = "file"

options = {
file_path = "stdout"
}
}
}

resource "vault_audit" "otel" {
type = "socket"
path = "otel_socket"

options = {
address = "opentelemetry-collector.otlp.svc.cluster.local:54525"
socket_type = "tcp"
}
}
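Review bot: renaming `resource "vault_audit" "file"` to `"stdout"` changes the Terraform resource address, so without a `moved { from = vault_audit.file  to = vault_audit.stdout }` block the plan will disable and re-enable the audit device, leaving a gap in audit coverage during apply. The new `vault_audit.otel` device sends audit records over plain TCP (`socket_type = "tcp"`; Vault's socket device has no TLS option) to `opentelemetry-collector.otlp.svc.cluster.local:54525`, so the network policies from NETWORK-POLICIES.md are the only control on who can read or inject into that stream; a comment on the resource saying so, plus a sentence on what Vault does when the collector is unreachable at enable time and mid-run, would help, since Vault only refuses requests when no enabled audit device can log and `stdout` is now the fallback that keeps it serving.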
2 changes: 1 addition & 1 deletion Provisioning/Vault/variables.tf
Expand Up @@ -5,7 +5,7 @@ variable "VAULT_TOKEN" {

variable "VAULT_ADDR"{
type = string
default = "https://vault-cli.playground.lab"
default = "https://vault.playground.lab"
description = "Vault address"
}

12 changes: 6 additions & 6 deletions Provisioning/Vault/vault-secrets-operator.tf
Expand Up @@ -49,21 +49,21 @@ resource "vault_pki_secret_backend_role" "role" {
# This is an example for a workload agnhost fetching a TLS certificate from Vault
# https://raw.githubusercontent.com/hashicorp/vault-secrets-operator/main/config/samples/secrets_v1alpha1_vaultpkisecret_tls.yaml
resource "kubernetes_manifest" "vaultpkisecret" {
manifest = yamldecode(file("./manifests/vaultpkisecret.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/vaultpkisecret.yaml"))
}
resource "kubernetes_manifest" "pod" {
manifest = yamldecode(file("./manifests/pod.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/pod.yaml"))
}
resource "kubernetes_manifest" "service" {
manifest = yamldecode(file("./manifests/service.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/service.yaml"))
}
resource "kubernetes_manifest" "ingress" {
manifest = yamldecode(file("./manifests/ingress.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/ingress.yaml"))
}
resource "kubernetes_manifest" "vaultconnection" {
manifest = yamldecode(file("./manifests/vaultconnection.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/vaultconnection.yaml"))
}
resource "kubernetes_manifest" "vaultauth" {
manifest = yamldecode(file("./manifests/vaultauth.yaml"))
manifest = yamldecode(file("./manifests/vault-secrets-operator/vaultauth.yaml"))
}
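Review bot: the `./manifests/vault-secrets-operator/*.yaml` files referenced by the new `file()` paths do not appear in this diff, so confirm the manifests were moved in the same commit; otherwise `file()` fails at plan time. The six blocks now differ only by filename and could collapse into one `kubernetes_manifest` with `for_each = fileset("./manifests/vault-secrets-operator", "*.yaml")`, but that changes resource addresses and needs `moved` blocks, so it is fine as a follow-up.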

4 changes: 3 additions & 1 deletion SETUP.md
Expand Up @@ -139,7 +139,9 @@ To install minikube, follow the [official documentation](https://minikube.sigs.k
After installing minikube, you can create a cluster with the following command:

```bash
minikube start
# start minkube with network plugin to use network policies
# https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy
minikube start --cni=cilium
```
MiniKube will automatically configure kubectl to communicate with the cluster and offers commands to manage the cluster under the context `minikube`.
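Review bot: `--cni=cilium` only takes effect when the cluster is created, so anyone who already ran the old `minikube start` needs a note that the profile must be deleted (`minikube delete`) and re-created before the network policies in NETWORK-POLICIES.md can be enforced; also fix the typo `minkube` in the comment.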

23 changes: 11 additions & 12 deletions USAGE.md
Expand Up @@ -20,11 +20,9 @@ export VAULT_K8S_NAMESPACE=<your namespace>
### 4.1. Minikube
Run the following commands to enable ingress:
```bash

minikube addons enable ingress

kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
```

### 4.2. Kind
[Deploy Metallb](https://kind.sigs.k8s.io/docs/user/loadbalancer) to use an IP in the Docker network (below assumes range `172.19.255.200 - 172.19.255.250`) for load balancing purposes:

Expand All @@ -44,33 +42,34 @@ kubectl patch svc -n ingress-nginx ingress-nginx-controller --type='json' -p='[{

# remove --publish-status-address=localhost, don't set loadbalancer status to localhost (will use IP of ingress)
kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/args/9"}]'
```

## 5. Enable SSL passthrough
```bash
# enable ssl passthrough
kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
```

## 5. Deploy Vault
## 6. Deploy Vault
Run the following commands to deploy Vault:
```bash
cd Vault-Deployment
terraform init
terraform apply
```

## 6. Unseal Vault
## 7. Unseal Vault
Run the following commands to unseal Vault:
```bash
kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > ./cluster-keys.json
kubectl exec -n vault vault-0 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec -n vault vault-1 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec -n vault vault-2 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
```
## 7. Login to Vault
## 8. Login to Vault
Run the following commands to login to Vault:
```bash
./add-to-hosts.sh

export VAULT_ADDR=https://vault-cli.playground.lab
export VAULT_ADDR=https://vault.playground.lab

export VAULT_TOKEN=$(cat cluster-keys.json | jq -r .root_token)
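Review bot: in the kind section, `'{"op": "remove", "path": "/spec/template/spec/containers/0/args/9"}'` deletes the controller argument by index, which silently removes the wrong flag if the argument order in the ingress-nginx deployment changes; suggest telling the reader to check `kubectl get deployment -n ingress-nginx ingress-nginx-controller -o jsonpath='{.spec.template.spec.containers[0].args}'` first and confirm that index 9 is `--publish-status-address=localhost`, which is what the comment above says the patch intends to remove. Moving the `--enable-ssl-passthrough` patch into its own section 5 shared by Minikube and kind is the right call; one sentence explaining that passthrough makes the ingress forward the TLS stream to Vault unterminated, so Vault presents its own certificate and the ingress never sees the plaintext, would say why it is required.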

Expand All @@ -79,7 +78,7 @@ export VAULT_SKIP_VERIFY=true
vault login $VAULT_TOKEN
```

## 8. Create token for Prometheus
## 9. Create token for Prometheus

The Vault /sys/metrics endpoint is authenticated. Prometheus requires a Vault token with sufficient capabilities to successfully consume metrics from the endpoint.
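Review bot: the context line `export VAULT_SKIP_VERIFY=true` above `vault login` disables certificate verification for every CLI call against the new `https://vault.playground.lab` address; since SSL passthrough now lets Vault present its own certificate end to end, consider pointing `VAULT_CACERT` at the lab CA and dropping `VAULT_SKIP_VERIFY`, or at least stating in the text that skipping verification is a lab-only shortcut.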

Expand Down Expand Up @@ -117,11 +116,11 @@ Now restart the Prometheus pod to pick up the new token.
kubectl delete pod prometheus-kube-stack-prometheus-kube-prometheus-0
```

## 9. Access Playground
## 10. Access Playground

Go to http://explore.playground.lab/ to get an overview over all applications.

## 10. Provisioning Vault
## 11. Provisioning Vault

Export the Vault token to the environment variable `TF_VAR_VAULT_TOKEN`:
```bash
7 changes: 3 additions & 4 deletions Vault-Deployment/add-to-hosts.sh
Expand Up @@ -22,10 +22,9 @@ echo -e "### vault playground start ###" | sudo tee -a /etc/hosts
echo -e "#the cleanup script will delete everything between this tags" | sudo tee -a /etc/hosts


add_ingress_to_hosts "vault-ui-ingress" "vault" "vault-ui.playground.lab"
add_ingress_to_hosts "vault-cli-ingress" "vault" "vault-cli.playground.lab"
add_ingress_to_hosts "prometheus-ingress" "$VAULT_K8S_NAMESPACE" "prometheus.playground.lab"
add_ingress_to_hosts "grafana-ingress" "$VAULT_K8S_NAMESPACE" "grafana.playground.lab"
add_ingress_to_hosts "vault" "vault" "vault.playground.lab"
add_ingress_to_hosts "kube-stack-prometheus-kube-prometheus" "kube-prometheus-stack" "prometheus.playground.lab"
add_ingress_to_hosts "kube-stack-prometheus-grafana" "kube-prometheus-stack" "grafana.playground.lab"
add_ingress_to_hosts "openldap-stack-ha-ltb-passwd" "$VAULT_K8S_NAMESPACE" "ssl-ldap2.playground.lab"
add_ingress_to_hosts "openldap-stack-ha-phpldapadmin" "$VAULT_K8S_NAMESPACE" "phpldapadmin.playground.lab"
add_ingress_to_hosts "homer" "$VAULT_K8S_NAMESPACE" "explore.playground.lab"
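Review bot: the `vault-ui-ingress` and `vault-cli-ingress` entries are replaced by a single ingress named `vault` in namespace `vault`, but `Vault-Deployment/ingress.tf` (141 lines) is deleted in this PR and nothing visible here creates that ingress, so please point to where it now lives (a Helm values file?) and confirm `add_ingress_to_hosts` can resolve it; the Prometheus and Grafana entries switch to the chart-generated ingress names in the new `kube-prometheus-stack` namespace, which matches the `helm_release` change.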
51 changes: 46 additions & 5 deletions Vault-Deployment/helm-install.tf
Expand Up @@ -63,11 +63,13 @@ resource "kubernetes_secret" "prometheus-monitoring-token" {


resource "helm_release" "prometheus-grafana" {
name = "kube-stack-prometheus"
repository = "https://prometheus-community.github.io/helm-charts"
chart = "kube-prometheus-stack"
namespace = var.namespace
version = "44.2.1"
name = "kube-stack-prometheus"
repository = "https://prometheus-community.github.io/helm-charts"
chart = "kube-prometheus-stack"
create_namespace = true
namespace = "kube-prometheus-stack"
version = "55.0.0"
wait = false

values = [
file("./values/kube-prometheus-stack-values.yaml")
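Review bot: changing `namespace` from `var.namespace` to the literal `kube-prometheus-stack` forces the `helm_release` to be replaced (namespace is a force-new attribute in the Helm provider), and the jump from chart `44.2.1` to `55.0.0` crosses major versions whose CRD changes Helm does not apply on upgrade, so the plan should be checked for a destroy/create and the kube-prometheus-stack CRDs updated by hand per the chart's upgrade notes. With `wait = false` a failed rollout no longer fails `terraform apply`, so a broken release only surfaces later when Prometheus is used; consider keeping `wait` enabled for this release or documenting how to verify it.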
Expand All @@ -86,6 +88,45 @@ resource "helm_release" "prometheus-grafana" {

}

resource "helm_release" "loki" {
name = "loki"
repository = "https://grafana.github.io/helm-charts"
chart = "loki"
version = "5.39.0"
create_namespace = true
namespace = "loki"
wait = false
values = [
file("./values/loki.yaml")
]
}

resource "helm_release" "promtail" {
name = "promtail"
repository = "https://grafana.github.io/helm-charts"
chart = "promtail"
version = "6.15.3"
create_namespace = true
namespace = "promtail"
wait = false
values = [
file("./values/promtail.yaml")
]
}

resource "helm_release" "opentelemetry-collector" {
name = "opentelemetry-collector"
repository = "https://open-telemetry.github.io/opentelemetry-helm-charts"
chart = "opentelemetry-collector"
version = "0.76.0"
create_namespace = true
namespace = "otlp"
wait = false
values = [
file("./values/otlp.yaml")
]
}


resource "helm_release" "open-ldap" {
name = "openldap-stack-ha"
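Review bot: the `loki`, `promtail` and `opentelemetry-collector` releases reference values files (`./values/loki.yaml`, `./values/promtail.yaml`, `./values/otlp.yaml`) that are not in this diff, yet the rest of the PR depends on their contents: `vault_audit.otel` expects the collector service to listen on `opentelemetry-collector.otlp.svc.cluster.local:54525`, and NETWORK-POLICIES.md pushes with `X-Scope-OrgID: vault-audit`, which Loki only treats as a tenant boundary when `auth_enabled: true` in its config (in single-tenant mode the header is ignored and everything lands in one tenant). Please include the values files in the review or state those two settings in comments on the resources. All three releases also set `wait = false`, with the same "failures surface later" caveat as for kube-prometheus-stack, and there is a stray double blank line before `open-ldap`.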
141 changes: 0 additions & 141 deletions Vault-Deployment/ingress.tf

This file was deleted.

@@ -0,0 +1,4 @@
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
# TODO
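Review bot: this CiliumNetworkPolicy is a stub with only `apiVersion`, `kind` and a `# TODO`; without `metadata.name` and a `spec` the API server rejects it on apply, and the negative test in NETWORK-POLICIES.md relies on a real policy being present. Either finish it (to match the tests it needs to allow ingress to Loki from the `otlp` namespace and deny it from `default`) or keep the file out of this PR until it does.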