diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b8daf90..a584f1fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # SAS Viya Monitoring for Kubernetes ## Unreleased +* **Overall** + * [CHANGE] Comments added to user.env files within samples/generic-base to clarify security best-practices; other +cleanup. * **Logging** * [SECURITY] Set `seccompProfile` to `RuntimeDefault` for OpenSearch, OpenSearch Dashboards and Fluent Bit pods in non-OpenShift environments. diff --git a/logging/user.env b/logging/user.env index fc546b8f..182d1602 100644 --- a/logging/user.env +++ b/logging/user.env @@ -9,25 +9,25 @@ # The following flags control whether specific components # of the log monitoring solution are deployed -# Event Router (generates log messages from K8s events)? -# See https://github.com/heptiolabs/eventrouter for details -# EVENTROUTER_ENABLE=true - -# Elasticsearch +# OpenSearch # ELASTICSEARCH_ENABLE=true -# Elasticsearch Content (ingest pipelines, index mgmt policies, etc.) +# OpenSearch Content (ingest pipelines, index mgmt policies, etc.) # ES_CONTENT_DEPLOY=true # Elasticsearch Prometheus Exporter # ELASTICSEARCH_EXPORTER_ENABLED=true -# Kibana Content (visualizations, dashboards, etc.) +# OpenSearch Dashboards Content (visualizations, dashboards, etc.) # KIBANA_CONTENT_DEPLOY -# Fluent Bit (log collector) +# Fluent Bit (for collecting pod logs) # FLUENT_BIT_ENABLED=true +# Fluent Bit (for collecting Kubernetes Events) +# FLUENT_BIT_EVENTS_ENABLED=true + + # OpenShift-specific Settings # -------------------------------------------------------------- # The following set of environment variables are 
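Review bot: The deletion of the EVENTROUTER_ENABLE lines leaves no hint for anyone whose existing user.env still sets that variable, while the new FLUENT_BIT_EVENTS_ENABLED lines read as an unrelated addition; a one-line pointer under the new option would make the migration explicit, e.g. `# (replaces the former Event Router option EVENTROUTER_ENABLE)`. Whether the deployment scripts now ignore or reject a leftover EVENTROUTER_ENABLE is not visible here, so word the pointer accordingly. The identical hunk is applied to samples/generic-base/logging/user.env, so the pointer belongs in both copies.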
@@ -40,10 +40,10 @@ # Create OpenShift Route objects # OPENSHIFT_ROUTES_ENABLE=true # -# Create route for the Elasticsearch API endpoint +# Create route for the OpenSearch API endpoint # OPENSHIFT_ES_ROUTE_ENABLE=false # -# Make Kibana accessible via NodePort (port 31033) +# Make OpenSearch Dashboards accessible via NodePort (port 31033) # KB_KNOWN_NODEPORT_ENABLE=false # # Remove OpenShift artifacts (e.g. custom SCCs) 
@@ -64,34 +64,20 @@ # containerd cri criwithlog # cri-o cri criwithlog # -# NOTE: The docker container runtime is deprecated in Kubernetes 1.20 -# and suport for it is expected to be removed in Kubernetes 1.22. +# NOTE: The docker container runtime was deprecated in Kubernetes 1.20 +# and support for it was removed in Kubernetes 1.24. # # The deployment scripts will automatically determine the # container runtime and set the appropriate log parser. However, # if necessary, you can manually identify the appropriate parser # by setting the KUBERNETES_RUNTIME_LOGFMT environment variable. -# KUBERNETES_RUNTIME_LOGFMT=docker +# KUBERNETES_RUNTIME_LOGFMT=containerd -# Enables TLS in-cluster for Kibana (***DEPRECATED 14FEB22**) -# ------------------------------ -# ***** USE OF THIS ENV VAR HAS BEEN DEPRECATED AND SUPPORT ***** -# ***** FOR IT WILL BE REMOVED ENTIRELY IN AN UPCOMING RELEASE ***** -# This only affects the communication in-bound to Kibana. If this is -# set to true and a TLS cert is not found saved as the expected -# Kubernetes secret (logging/kibana-tls-secret), the deployment script -# will attempt to use cert-manager to generate one on-the-fly. -# Note that these on-the-fly certs will likely lead to browser alerts -# warning of possible security risks when accessing Kibana. -# LOG_KB_TLS_ENABLE=$TLS_ENABLE # Use port-forwarding during deployment # ------------------------------------- -# If Kibana is not reachable via the end-user URL from the machine on which the deployment +# If OpenSearch Dashboards is not reachable via the end-user URL from the machine on which the deployment # is running, Kubernetes port-forwarding may allow the deployment to overcome this. -# See 'Issue: Deployment does not complete if Kibana is not reachable from the deployment machine' -# in the Logging Troubleshooting Guide (Troubleshooting.md in the logging sub-directory of the repo) -# for more information. # LOG_ALWAYS_PORT_FORWARD=true # Retention Period Settings 
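Review bot: The three removed lines pointing at the 'Deployment does not complete if Kibana is not reachable' troubleshooting entry were the only explanation of when LOG_ALWAYS_PORT_FORWARD is actually needed, and nothing replaces them; if that section of Troubleshooting.md still exists under an OpenSearch Dashboards title, keep a one-line pointer such as `# See the Logging Troubleshooting Guide (logging/Troubleshooting.md) for when this is needed.`. The sample value change `# KUBERNETES_RUNTIME_LOGFMT=containerd` also deserves a check against the table a few lines above, which appears to list `cri` as the format for the containerd runtime — I cannot tell from the hunk whether the variable takes a runtime name or a format name, and the old sample `docker` was ambiguous on exactly that point. The same hunk appears in samples/generic-base/logging/user.env.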
@@ -102,21 +88,30 @@ # Number of Days to retain internal (log monitoring) log messages # OPS_LOG_RETENTION_PERIOD=1 -# ES Admin Password + +# OpenSearch 'logadm' User Settings +# ----------------------------- +# The OpenSearch 'logadm' user is granted access to *all* log messages in all namespaces and tenant +# Create the 'logadm' user within the OpenSearch internal usere database? +# LOG_CREATE_LOGADM_USER=true + +# IMPORTANT: SETTING PASSWORDS SECURELY +# ------------------------------------------ +# Security best-practices discourage storing passwords in files. +# We have included setting passwords in this sample file +# only to illustrate the referenced environment variable. +# You should set these environment variable via another, +# more secure, mechanism. + +# OpenSearch Admin Password # ----------------- -# Password for the Elasticsearch/Kibana 'admin' user +# Password for the OpenSearch/OpenSearch Dashboards 'admin' user # If not provided, a random password will be generated for this account # ES_ADMIN_PASSWD=yourPasswordHere - -# Kibana 'logadm' User Settings +# OpenSearch 'logadm' User Password # ----------------------------- -# The Kibana 'logadm' user is granted access to *all* log messages in all namespaces and tenant -# Create the 'logadm' user within the Kibana internal usere database? -# LOG_CREATE_LOGADM_USER=true - -# KB 'logadm' User Password -# Password for the Kibana 'logadm' user +# Password for the OpenSearch/OpenSearch Dashboards 'logadm' user # If not provided, a random password will be generated for this account # LOG_LOGADM_PASSWD=yourPasswordHere diff --git a/monitoring/user.env b/monitoring/user.env index 224c6fc6..57fec8fb 100644 --- a/monitoring/user.env +++ b/monitoring/user.env 
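Review bot: The new IMPORTANT note has a number-agreement slip, and the carried-over logadm lines keep two older typos; suggest `# You should set these environment variables via another, more secure, mechanism.`, `# Create the 'logadm' user within the OpenSearch internal user database?` and `...in all namespaces and tenants`. The same note text lands in monitoring/user.env, samples/generic-base/logging/user.env and samples/generic-base/monitoring/user.env, so the wording fix applies to all four, and the CHANGELOG entry names only samples/generic-base although this file and monitoring/user.env receive it too. Separately, this file and its samples/generic-base copy start from the same blob (fc546b8f) but end up different (182d1602 versus 9378e56f): the sample copy fixes the underline lengths beneath the 'logadm' User Settings and Admin Password headings while this one keeps `# -----------------------------` and `# -----------------`, so the two will keep drifting unless they are made byte-identical again. The note would also be stronger if it pointed out what the surrounding lines already state — that a random password is generated when the variable is unset — so readers treat the commented-out sample as the secure default rather than a value to fill in.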
@@ -9,9 +9,6 @@ # LOG_LEVEL_ENABLE=true # LOG_COLOR_ENABLE=true -# Deploy components with TLS enabled -# TLS_ENABLE=false - # deploy_monitoring_cluster.sh options # ------------------------------------ # Cluster monitoring namespace for the Prometheus Operator, @@ -19,8 +16,12 @@ # MON_NS=monitoring # Deploys monitoring components with TLS enabled -# This setting overrides TLS_ENABLE only for monitoring -# MON_TLS_ENABLE=false +# This setting effectively sets TLS_ENABLE only for monitoring +# MON_TLS_ENABLE=true + +# Set this value to 'true' if using path-based ingress and +# TLS_ENABLE=true or MON_TLS_ENABLE=true +# MON_TLS_PATH_INGRESS=true # Enables tolerations and pod affinity to enable the monitoring # components to participate in the SAS Viya workload node @@ -28,7 +29,7 @@ # MON_NODE_PLACEMENT_ENABLE=false # Set to true to force an update of the Prometheus Operator CRDs -# PROM_OPERATOR_CRD_UPDATE=false +# PROM_OPERATOR_CRD_UPDATE=true # The release of the Prometheus Operator CRDs to deploy # if PROM_OPERATOR_CRD_UPDATE is true. This version should @@ -40,9 +41,6 @@ # Version of the kube-prometheus-stack helm chart to use # KUBE_PROM_STACK_CHART_VERSION=45.28.0 -# Initial password of the Grafana admin user -# GRAFANA_ADMIN_PASSWORD=yourPasswordHere - # Additional Grafana datasources # LOGGING_DATASOURCE=false 
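Review bot: The new MON_TLS_PATH_INGRESS comment in the second hunk still tells readers to check `TLS_ENABLE=true`, but the first hunk deletes the only lines that documented TLS_ENABLE in this file, so the variable is now referenced without ever being introduced. If the scripts still honour TLS_ENABLE as a global default, restore a one-line mention next to the global options (`# TLS_ENABLE=false  # global default, overridden by MON_TLS_ENABLE`); if it was retired, drop it from the MON_TLS_PATH_INGRESS comment — the changelog does not say which, so I cannot tell what is intended. The rewording 'effectively sets TLS_ENABLE only for monitoring' also loses the earlier statement that MON_TLS_ENABLE overrides the global value; saying explicitly which setting wins when both are present would avoid a reader assuming the global one.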
@@ -50,13 +48,46 @@ # WELCOME_DASH=true # KUBE_DASH=true # VIYA_DASH=true -# VIYA_LOG_DASH=false # PGMONITOR_DASH=true # RABBITMQ_DASH=true # NGINX_DASH=true # LOGGING_DASH=true # USER_DASH=true +# Experimental - Deploys logging-enabled versions of the default dashboards +# for Java, Go, and CAS. Requires the logging datasource to be configured +# either manually or via the LOGGING_DATASOURCE user.env setting +# VIYA_LOGS_DASH=false + +# Set PROM_NODEPORT_ENABLE=true to enable nodeport access +# to Prometheus and Alertmanager. +# Note that neither Prometheus nor Alertmanager provide +# authentication by default. +# PROM_NODEPORT_ENABLE=true + +# deploy_monitoring_openshift.sh options +# -------------------------------------- +# Used when OPENSHIFT_PATH_ROUTES=true +# Fully-qualified route hostname used for Grafana +# OPENSHIFT_ROUTE_HOST_GRAFANA=grafana.apps.my-openshift-cluster.com +# URL path where Grafana is available (used if OPENSHIFT_PATH_ROUTES=true) +# OPENSHIFT_ROUTE_PATH_GRAFANA=/grafana + ## deploy_monitoring_viya.sh options # ---------------------------------- # PUSHGATEWAY_ENABLED=true +# PUSHGATEWAY_CHART_VERSION:-2.1.6 +# VALIDATE_MONITORS=true + + +# IMPORTANT: SETTING PASSWORDS SECURELY +# ------------------------------------------ +# Security best-practices discourage storing passwords in files. +# We have included setting passwords in this sample file +# only to illustrate the referenced environment variable. +# You should set these environment variable via another, +# more secure, mechanism. + +# Set a specific password for the Grafana admin user +# Default is to generate a random password +# GRAFANA_ADMIN_PASSWORD=yourPasswordHere diff --git a/samples/generic-base/logging/user.env b/samples/generic-base/logging/user.env index fc546b8f..9378e56f 100644 --- a/samples/generic-base/logging/user.env +++ b/samples/generic-base/logging/user.env 
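Review bot: The added line `# PUSHGATEWAY_CHART_VERSION:-2.1.6` is a shell default-expansion fragment rather than an assignment; the file header's convention is `ENV_VAR=value`, so it should read `# PUSHGATEWAY_CHART_VERSION=2.1.6`, and as written it would fail if anyone uncommented it. The same line already sits as unchanged context in samples/generic-base/monitoring/user.env, so both copies need the correction. The PROM_NODEPORT_ENABLE sample also shows `true` directly beneath the note that neither Prometheus nor Alertmanager provide authentication by default; showing `false` as the sample value, or stating what the scripts' actual default is, would stop a straight copy-paste from exposing both services unauthenticated on a NodePort.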
@@ -9,25 +9,25 @@ # The following flags control whether specific components # of the log monitoring solution are deployed -# Event Router (generates log messages from K8s events)? -# See https://github.com/heptiolabs/eventrouter for details -# EVENTROUTER_ENABLE=true - -# Elasticsearch +# OpenSearch # ELASTICSEARCH_ENABLE=true -# Elasticsearch Content (ingest pipelines, index mgmt policies, etc.) +# OpenSearch Content (ingest pipelines, index mgmt policies, etc.) # ES_CONTENT_DEPLOY=true # Elasticsearch Prometheus Exporter # ELASTICSEARCH_EXPORTER_ENABLED=true -# Kibana Content (visualizations, dashboards, etc.) +# OpenSearch Dashboards Content (visualizations, dashboards, etc.) # KIBANA_CONTENT_DEPLOY -# Fluent Bit (log collector) +# Fluent Bit (for collecting pod logs) # FLUENT_BIT_ENABLED=true +# Fluent Bit (for collecting Kubernetes Events) +# FLUENT_BIT_EVENTS_ENABLED=true + + # OpenShift-specific Settings # -------------------------------------------------------------- # The following set of environment variables are @@ -40,10 +40,10 @@ # Create OpenShift Route objects # OPENSHIFT_ROUTES_ENABLE=true # -# Create route for the Elasticsearch API endpoint +# Create route for the OpenSearch API endpoint # OPENSHIFT_ES_ROUTE_ENABLE=false # -# Make Kibana accessible via NodePort (port 31033) +# Make OpenSearch Dashboards accessible via NodePort (port 31033) # KB_KNOWN_NODEPORT_ENABLE=false # # Remove OpenShift artifacts (e.g. custom SCCs) 
@@ -64,34 +64,20 @@ # containerd cri criwithlog # cri-o cri criwithlog # -# NOTE: The docker container runtime is deprecated in Kubernetes 1.20 -# and suport for it is expected to be removed in Kubernetes 1.22. +# NOTE: The docker container runtime was deprecated in Kubernetes 1.20 +# and support for it was removed in Kubernetes 1.24. # # The deployment scripts will automatically determine the # container runtime and set the appropriate log parser. However, # if necessary, you can manually identify the appropriate parser # by setting the KUBERNETES_RUNTIME_LOGFMT environment variable. -# KUBERNETES_RUNTIME_LOGFMT=docker +# KUBERNETES_RUNTIME_LOGFMT=containerd -# Enables TLS in-cluster for Kibana (***DEPRECATED 14FEB22**) -# ------------------------------ -# ***** USE OF THIS ENV VAR HAS BEEN DEPRECATED AND SUPPORT ***** -# ***** FOR IT WILL BE REMOVED ENTIRELY IN AN UPCOMING RELEASE ***** -# This only affects the communication in-bound to Kibana. If this is -# set to true and a TLS cert is not found saved as the expected -# Kubernetes secret (logging/kibana-tls-secret), the deployment script -# will attempt to use cert-manager to generate one on-the-fly. -# Note that these on-the-fly certs will likely lead to browser alerts -# warning of possible security risks when accessing Kibana. -# LOG_KB_TLS_ENABLE=$TLS_ENABLE # Use port-forwarding during deployment # ------------------------------------- -# If Kibana is not reachable via the end-user URL from the machine on which the deployment +# If OpenSearch Dashboards is not reachable via the end-user URL from the machine on which the deployment # is running, Kubernetes port-forwarding may allow the deployment to overcome this. -# See 'Issue: Deployment does not complete if Kibana is not reachable from the deployment machine' -# in the Logging Troubleshooting Guide (Troubleshooting.md in the logging sub-directory of the repo) -# for more information. # LOG_ALWAYS_PORT_FORWARD=true # Retention Period Settings 
@@ -102,21 +88,30 @@ # Number of Days to retain internal (log monitoring) log messages # OPS_LOG_RETENTION_PERIOD=1 -# ES Admin Password -# ----------------- -# Password for the Elasticsearch/Kibana 'admin' user -# If not provided, a random password will be generated for this account -# ES_ADMIN_PASSWD=yourPasswordHere +# OpenSearch 'logadm' User Settings +# --------------------------------- +# The OpenSearch 'logadm' user is granted access to *all* log messages in all namespaces and tenant +# Create the 'logadm' user within the OpenSearch internal usere database? +# LOG_CREATE_LOGADM_USER=true -# Kibana 'logadm' User Settings -# ----------------------------- -# The Kibana 'logadm' user is granted access to *all* log messages in all namespaces and tenant -# Create the 'logadm' user within the Kibana internal usere database? -# LOG_CREATE_LOGADM_USER=true +# IMPORTANT: SETTING PASSWORDS SECURELY +# ------------------------------------- +# Security best-practices discourage storing passwords in files. +# We have included setting passwords in this sample file +# only to illustrate the referenced environment variable. +# You should set these environment variable via another, +# more secure, mechanism. -# KB 'logadm' User Password -# Password for the Kibana 'logadm' user +# OpenSearch Admin Password +# ------------------------- +# Password for the OpenSearch/OpenSearch Dashboards 'admin' user +# If not provided, a random password will be generated for this account +# ES_ADMIN_PASSWD=yourPasswordHere + +# OpenSearch 'logadm' User Password +# ----------------------------- +# Password for the OpenSearch/OpenSearch Dashboards 'logadm' user # If not provided, a random password will be generated for this account # LOG_LOGADM_PASSWD=yourPasswordHere diff --git a/samples/generic-base/monitoring/user.env b/samples/generic-base/monitoring/user.env index cfbc44ab..57fec8fb 100644 --- a/samples/generic-base/monitoring/user.env +++ b/samples/generic-base/monitoring/user.env 
@@ -1,6 +1,16 @@ # Configurable options for the monitoring scripts # Use ENV_VAR=value or ENV_VAR="value" +# Global options +# -------------- +# TMP_DIR=/tmp +# HELM_DEBUG=false +# LOG_DEBUG_ENABLE=false +# LOG_LEVEL_ENABLE=true +# LOG_COLOR_ENABLE=true + +# deploy_monitoring_cluster.sh options +# ------------------------------------ # Cluster monitoring namespace for the Prometheus Operator, # Grafana, dashboards, and cluster ServiceMonitors # MON_NS=monitoring @@ -31,10 +41,6 @@ # Version of the kube-prometheus-stack helm chart to use # KUBE_PROM_STACK_CHART_VERSION=45.28.0 -# Set a specific password for the Grafana admin user -# Default is to generate a random password -# GRAFANA_ADMIN_PASSWORD=yourPasswordHere - # Additional Grafana datasources # LOGGING_DATASOURCE=false @@ -72,3 +78,16 @@ # PUSHGATEWAY_ENABLED=true # PUSHGATEWAY_CHART_VERSION:-2.1.6 # VALIDATE_MONITORS=true + + +# IMPORTANT: SETTING PASSWORDS SECURELY +# ------------------------------------------ +# Security best-practices discourage storing passwords in files. +# We have included setting passwords in this sample file +# only to illustrate the referenced environment variable. +# You should set these environment variable via another, +# more secure, mechanism. + +# Set a specific password for the Grafana admin user +# Default is to generate a random password +# GRAFANA_ADMIN_PASSWORD=yourPasswordHere