Feat/vault audit otlp #24

Merged
merged 7 commits into from
May 10, 2024
14 changes: 12 additions & 2 deletions Provisioning/Vault/audit.tf
@@ -1,7 +1,17 @@
resource "vault_audit" "file" {
resource "vault_audit" "stdout" {
type = "file"

options = {
file_path = "stdout"
}
}
}

resource "vault_audit" "otel" {
type = "socket"
path = "otel_socket"

options = {
address = "opentelemetry-collector.otlp.svc.cluster.local:54525"
socket_type = "tcp"
}
}
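Review bot: the new `otel` socket device sets no `write_timeout` and sends audit records over cleartext TCP to `opentelemetry-collector.otlp.svc.cluster.local:54525`, so while the collector is unreachable every Vault request waits on the socket device's default timeout and only completes because the `stdout` device still succeeds; please set `write_timeout` explicitly and add a comment that `stdout` is the required fallback device, not an optional extra. Separately, renaming `vault_audit.file` to `vault_audit.stdout` without a `moved` block makes Terraform destroy and recreate the audit device on the next apply; a `moved { from = vault_audit.file to = vault_audit.stdout }` block (on two lines) keeps the existing device in state.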
19 changes: 10 additions & 9 deletions USAGE.md
@@ -20,11 +20,9 @@ export VAULT_K8S_NAMESPACE=<your namespace>
### 4.1. Minikube
Run the following commands to enable ingress:
```bash

minikube addons enable ingress

kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
```

### 4.2. Kind
[Deploy Metallb](https://kind.sigs.k8s.io/docs/user/loadbalancer) to use an IP in the Docker network (below assumes range `172.19.255.200 - 172.19.255.250`) for load balancing purposes:

@@ -44,28 +42,31 @@ kubectl patch svc -n ingress-nginx ingress-nginx-controller --type='json' -p='[{

# remove --publish-status-address=localhost, don't set loadbalancer status to localhost (will use IP of ingress)
kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/args/9"}]'
```

## 5. Enable SSL passthrough
```bash
# enable ssl passthrough
kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
```

## 5. Deploy Vault
## 6. Deploy Vault
Run the following commands to deploy Vault:
```bash
cd Vault-Deployment
terraform init
terraform apply
```

## 6. Unseal Vault
## 7. Unseal Vault
Run the following commands to unseal Vault:
```bash
kubectl exec -n vault vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > ./cluster-keys.json
kubectl exec -n vault vault-0 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec -n vault vault-1 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec -n vault vault-2 -- vault operator unseal $(cat ./cluster-keys.json | jq -r ".unseal_keys_b64[]")
```
## 7. Login to Vault
## 8. Login to Vault
Run the following commands to login to Vault:
```bash
./add-to-hosts.sh
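Review bot: the renumbered step "7. Unseal Vault" still initialises with `-key-shares=1 -key-threshold=1` and redirects the output, which contains both the single unseal key and the initial root token, into `./cluster-keys.json` in plaintext; since this PR adds audit logging for the same cluster, the usage doc should state that this is a lab-only setting and that the file must be protected or removed after the unseal and login steps. In the same hunk, the 4.2 command removes `--publish-status-address=localhost` by positional index (`/spec/template/spec/containers/0/args/9`), which silently removes the wrong argument if the chart's argument order changes; a sentence telling the reader to confirm the index with `kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml` first would help.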
@@ -79,7 +80,7 @@ export VAULT_SKIP_VERIFY=true
vault login $VAULT_TOKEN
```

## 8. Create token for Prometheus
## 9. Create token for Prometheus

The Vault /sys/metrics endpoint is authenticated. Prometheus requires a Vault token with sufficient capabilities to successfully consume metrics from the endpoint.

@@ -117,11 +118,11 @@ Now restart the Prometheus pod to pick up the new token.
kubectl delete pod prometheus-kube-stack-prometheus-kube-prometheus-0
```

## 9. Access Playground
## 10. Access Playground

Go to http://explore.playground.lab/ to get an overview over all applications.

## 10. Provisioning Vault
## 11. Provisioning Vault

Export the Vault token to the environment variable `TF_VAR_VAULT_TOKEN`:
```bash
40 changes: 40 additions & 0 deletions Vault-Deployment/helm-install.tf
@@ -68,6 +68,7 @@ resource "helm_release" "prometheus-grafana" {
chart = "kube-prometheus-stack"
namespace = var.namespace
version = "44.2.1"
wait = false

values = [
file("./values/kube-prometheus-stack-values.yaml")
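Review bot: `wait = false` on the `prometheus-grafana` release means `terraform apply` returns before the chart's resources are ready, so a failed rollout no longer fails the apply, and the USAGE step that deletes `prometheus-kube-stack-prometheus-kube-prometheus-0` to pick up the new token can run before that pod exists; add a comment explaining why waiting is disabled here (e.g. to avoid apply timeouts on slow clusters) or keep `wait = true` and raise `timeout` instead.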
@@ -86,6 +87,45 @@ resource "helm_release" "prometheus-grafana" {

}

resource "helm_release" "loki" {
name = "loki"
repository = "https://grafana.github.io/helm-charts"
chart = "loki"
version = "5.39.0"
create_namespace = true
namespace = "loki"
wait = false
values = [
file("./values/loki.yaml")
]
}

resource "helm_release" "promtail" {
name = "promtail"
repository = "https://grafana.github.io/helm-charts"
chart = "promtail"
version = "6.15.3"
create_namespace = true
namespace = "promtail"
wait = false
values = [
file("./values/promtail.yaml")
]
}

resource "helm_release" "opentelemetry-collector" {
name = "opentelemetry-collector"
repository = "https://open-telemetry.github.io/opentelemetry-helm-charts"
chart = "opentelemetry-collector"
version = "0.76.0"
create_namespace = true
namespace = "otlp"
wait = false
values = [
file("./values/otlp.yaml")
]
}


resource "helm_release" "open-ldap" {
name = "openldap-stack-ha"
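Review bot: the three new releases all use `wait = false` and declare no `depends_on`, yet they form a chain: the collector's exporter targets `loki.loki.svc.cluster.local:3100`, and the `vault_audit.otel` device in Provisioning/Vault targets the collector, so on a fresh apply the collector can start exporting into a Loki that does not exist yet and Vault can enable its socket device before the collector listens. Add `depends_on = [helm_release.loki]` on `opentelemetry-collector` (or document the required ordering in USAGE.md), and drop one of the two blank lines before `resource "helm_release" "open-ldap"` to match the rest of the file.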
24 changes: 23 additions & 1 deletion Vault-Deployment/values/kube-prometheus-stack-values.yaml
@@ -867,7 +867,7 @@ grafana:

## Configure additional grafana datasources (passed through tpl)
## ref: http://docs.grafana.org/administration/provisioning/#datasources
additionalDataSources: []
additionalDataSources:
# - name: prometheus-sample
# access: proxy
# basicAuth: true
@@ -881,6 +881,28 @@ grafana:
# url: https://{{ printf "%s-prometheus.svc" .Release.Name }}:9090
# version: 1

# https://grafana.com/docs/grafana/latest/datasources/loki
- name: Promtail
type: loki
access: proxy
url: http://loki.loki.svc.cluster.local:3100
orgId: 1
jsonData:
maxLines: 1000
httpHeaderName1: "X-Scope-OrgID"
secureJsonData:
httpHeaderValue1: "promtail"
- name: Vault Audit Log
type: loki
access: proxy
url: http://loki.loki.svc.cluster.local:3100
orgId: 1
jsonData:
maxLines: 1000
httpHeaderName1: "X-Scope-OrgID"
secureJsonData:
httpHeaderValue1: "vault-audit"

## Passed to grafana subchart and used by servicemonitor below
##
service:
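Review bot: the two datasources differ only in the `X-Scope-OrgID` value they send, and Loki treats that header as a tenant label rather than as authentication, so anyone who can reach `http://loki.loki.svc.cluster.local:3100` can read the `vault-audit` tenant simply by supplying the header; a comment here should say that the separation is enforced only by Grafana datasource permissions and by in-cluster network reachability, and a NetworkPolicy on the `loki` namespace restricting ingress to Grafana and the collector would make that boundary real. Minor: the datasource named `Promtail` is the Loki tenant for general pod logs, so a name such as "Kubernetes logs" would describe what users will see better than the shipper's name.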
16 changes: 16 additions & 0 deletions Vault-Deployment/values/loki.yaml
@@ -0,0 +1,16 @@
---
# https://grafana.com/docs/loki/latest/setup/install/helm/install-monolithic
loki:
commonConfig:
replication_factor: 1
storage:
type: 'filesystem'
analytics:
reporting_enabled: false
# https://grafana.com/docs/loki/latest/operations/multi-tenancy
# Loki defaults to running in multi-tenant mode. Multi-tenant mode
# is set in the configuration with auth_enabled: true.
auth_enabled: true

singleBinary:
replicas: 1
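Review bot: the comment above `auth_enabled: true` should make clear that this setting only requires callers to send an `X-Scope-OrgID` header and does not authenticate them (Loki expects authentication to be handled by a reverse proxy in front of it), otherwise a reader may assume the `vault-audit` tenant is access-controlled. Also, with `storage.type: 'filesystem'`, `replication_factor: 1` and a single replica, the entire audit history sits on one pod's filesystem; please confirm that this chart version enables `singleBinary` persistence, and consider stating a retention period explicitly so that how long audit records are kept is a deliberate choice rather than a default.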
25 changes: 25 additions & 0 deletions Vault-Deployment/values/otlp.yaml
@@ -0,0 +1,25 @@
---
mode: "deployment"
replicaCount: 1
config:
receivers:
tcplog:
listen_address: "0.0.0.0:54525"
exporters:
loki:
endpoint: "http://loki.loki.svc.cluster.local:3100/loki/api/v1/push"
headers:
# Send everything to the vault-audit tenant_id
# https://grafana.com/docs/loki/latest/operations/multi-tenancy
"X-Scope-OrgID": vault-audit
service:
pipelines:
logs:
receivers: [tcplog]
exporters: [loki]
ports:
tcplog:
enabled: true
containerPort: 54525
servicePort: 54525
protocol: TCP
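Review bot: the `tcplog` receiver on `0.0.0.0:54525` is published through the Service with neither TLS nor any client authentication, so any workload able to reach `opentelemetry-collector.otlp.svc.cluster.local:54525` can write lines that land in the `vault-audit` tenant indistinguishable from genuine Vault audit records, which weakens the integrity of the very log this PR introduces; at minimum add a NetworkPolicy in the `otlp` namespace that limits ingress on 54525 to the Vault pods, and consider the receiver's `tls` settings with Vault's socket device pointed at a TLS listener. Additionally, the receiver forwards each audit entry as an unparsed body; adding a `json_parser` operator under `receivers.tcplog.operators` would expose fields such as `type` and `request.path` as attributes and make the Loki queries far more useful.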
6 changes: 6 additions & 0 deletions Vault-Deployment/values/promtail.yaml
@@ -0,0 +1,6 @@
config:
clients:
- url: http://loki.loki.svc.cluster.local:3100/loki/api/v1/push
# Send everything to the promtail tenant_id
# https://grafana.com/docs/loki/latest/operations/multi-tenancy
tenant_id: promtail
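Review bot: `tenant_id: promtail` combined with the chart's default pod scrape configuration means promtail also ships the Vault container's stdout, which now carries the full audit log through the `stdout` audit device in Provisioning/Vault/audit.tf; the same audit records therefore appear in the `promtail` tenant as well, and the tenant split between the two Grafana datasources is not a boundary for audit data. Either document this in USAGE.md or narrow promtail's `config.snippets` scrape config to exclude the `vault` namespace so that audit records reach Loki only via the collector path.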