From c256969bc3dc8af91d6d85ebfc0d614698af51da Mon Sep 17 00:00:00 2001
From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com>
Date: Thu, 5 Dec 2024 18:00:21 -0500
Subject: [PATCH 1/3] Clean-up of samples/generic-base user.env files
---
 CHANGELOG.md | 3 +
 logging/user.env | 71 +++++++++++-------------
 monitoring/user.env | 61 +++++++++++-------
 samples/generic-base/logging/user.env | 71 +++++++++++-------------
 samples/generic-base/monitoring/user.env | 17 ++++--
 5 files changed, 123 insertions(+), 100 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b8daf90..a584f1fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,9 @@
 # SAS Viya Monitoring for Kubernetes
 ## Unreleased
+* **Overall**
+ * [CHANGE] Comments added to user.env files within samples/generic-base to clarify security best-practices; other
+cleanup.
 * **Logging**
 * [SECURITY] Set `seccompProfile` to `RuntimeDefault` for OpenSearch, OpenSearch Dashboards and Fluent Bit pods in non-OpenShift environments.
diff --git a/logging/user.env b/logging/user.env
index fc546b8f..182d1602 100644
--- a/logging/user.env
+++ b/logging/user.env
@@ -9,25 +9,25 @@
 # The following flags control whether specific components
 # of the log monitoring solution are deployed
-# Event Router (generates log messages from K8s events)?
-# See https://github.com/heptiolabs/eventrouter for details
-# EVENTROUTER_ENABLE=true
-
-# Elasticsearch
+# OpenSearch
 # ELASTICSEARCH_ENABLE=true
-# Elasticsearch Content (ingest pipelines, index mgmt policies, etc.)
+# OpenSearch Content (ingest pipelines, index mgmt policies, etc.)
 # ES_CONTENT_DEPLOY=true
 # Elasticsearch Prometheus Exporter
 # ELASTICSEARCH_EXPORTER_ENABLED=true
-# Kibana Content (visualizations, dashboards, etc.)
+# OpenSearch Dashboards Content (visualizations, dashboards, etc.)
 # KIBANA_CONTENT_DEPLOY
-# Fluent Bit (log collector)
+# Fluent Bit (for collecting pod logs)
 # FLUENT_BIT_ENABLED=true
+# Fluent Bit (for collecting Kubernetes Events)
+# FLUENT_BIT_EVENTS_ENABLED=true
+
+
 # OpenShift-specific Settings
 # --------------------------------------------------------------
 # The following set of environment variables are
@@ -40,10 +40,10 @@
 # Create OpenShift Route objects
 # OPENSHIFT_ROUTES_ENABLE=true
 #
-# Create route for the Elasticsearch API endpoint
+# Create route for the OpenSearch API endpoint
 # OPENSHIFT_ES_ROUTE_ENABLE=false
 #
-# Make Kibana accessible via NodePort (port 31033)
+# Make OpenSearch Dashboards accessible via NodePort (port 31033)
 # KB_KNOWN_NODEPORT_ENABLE=false
 #
 # Remove OpenShift artifacts (e.g. custom SCCs)
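Review bot: `# KIBANA_CONTENT_DEPLOY` is the one component flag in this hunk shown without a value while every neighbour shows `=true`; if its default is also true, `# KIBANA_CONTENT_DEPLOY=true` keeps the sample copy-and-uncomment safe — worth confirming against the deployment script. The headings were renamed to OpenSearch but the variables keep their Elasticsearch/Kibana names (`ELASTICSEARCH_ENABLE`, `KIBANA_CONTENT_DEPLOY`), so a one-line comment such as `# Variable names keep their Elasticsearch/Kibana spelling for backward compatibility` would save readers from hunting for an OPENSEARCH_* equivalent. In the second hunk, `OPENSHIFT_ES_ROUTE_ENABLE` creates an external route to the OpenSearch API; since the sample keeps it at `false`, a short note that enabling it exposes the API outside the cluster would match the security intent of this series.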
@@ -64,34 +64,20 @@
 # containerd cri criwithlog
 # cri-o cri criwithlog
 #
-# NOTE: The docker container runtime is deprecated in Kubernetes 1.20
-# and suport for it is expected to be removed in Kubernetes 1.22.
+# NOTE: The docker container runtime was deprecated in Kubernetes 1.20
+# and support for it was removed in Kubernetes 1.24.
 #
 # The deployment scripts will automatically determine the
 # container runtime and set the appropriate log parser. However,
 # if necessary, you can manually identify the appropriate parser
 # by setting the KUBERNETES_RUNTIME_LOGFMT environment variable.
-# KUBERNETES_RUNTIME_LOGFMT=docker
+# KUBERNETES_RUNTIME_LOGFMT=containerd
-# Enables TLS in-cluster for Kibana (***DEPRECATED 14FEB22**)
-# ------------------------------
-# ***** USE OF THIS ENV VAR HAS BEEN DEPRECATED AND SUPPORT *****
-# ***** FOR IT WILL BE REMOVED ENTIRELY IN AN UPCOMING RELEASE *****
-# This only affects the communication in-bound to Kibana. If this is
-# set to true and a TLS cert is not found saved as the expected
-# Kubernetes secret (logging/kibana-tls-secret), the deployment script
-# will attempt to use cert-manager to generate one on-the-fly.
-# Note that these on-the-fly certs will likely lead to browser alerts
-# warning of possible security risks when accessing Kibana.
-# LOG_KB_TLS_ENABLE=$TLS_ENABLE
 # Use port-forwarding during deployment
 # -------------------------------------
-# If Kibana is not reachable via the end-user URL from the machine on which the deployment
+# If OpenSearch Dashboards is not reachable via the end-user URL from the machine on which the deployment
 # is running, Kubernetes port-forwarding may allow the deployment to overcome this.
-# See 'Issue: Deployment does not complete if Kibana is not reachable from the deployment machine'
-# in the Logging Troubleshooting Guide (Troubleshooting.md in the logging sub-directory of the repo)
-# for more information.
 # LOG_ALWAYS_PORT_FORWARD=true
 # Retention Period Settings
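Review bot: deleting the deprecated `LOG_KB_TLS_ENABLE` block leaves no pointer to what replaces it; if the scripts still read the variable (not visible here), a user carrying it over from an older user.env gets no hint that it is ignored. A single retained line, e.g. `# LOG_KB_TLS_ENABLE is no longer supported; in-cluster TLS is controlled by TLS_ENABLE`, would cover that — confirm TLS_ENABLE is the actual replacement before wording it. The removed warning that cert-manager-generated certificates trigger browser alerts is useful operational context; if that behaviour still applies under TLS_ENABLE it belongs next to that variable rather than being dropped. The `KUBERNETES_RUNTIME_LOGFMT=containerd` example now matches the runtime table above it, which is an improvement over the stale `docker` value.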
@@ -102,21 +88,30 @@
 # Number of Days to retain internal (log monitoring) log messages
 # OPS_LOG_RETENTION_PERIOD=1
-# ES Admin Password
+
+# OpenSearch 'logadm' User Settings
+# -----------------------------
+# The OpenSearch 'logadm' user is granted access to *all* log messages in all namespaces and tenant
+# Create the 'logadm' user within the OpenSearch internal usere database?
+# LOG_CREATE_LOGADM_USER=true
+
+# IMPORTANT: SETTING PASSWORDS SECURELY
+# ------------------------------------------
+# Security best-practices discourage storing passwords in files.
+# We have included setting passwords in this sample file
+# only to illustrate the referenced environment variable.
+# You should set these environment variable via another,
+# more secure, mechanism.
+
+# OpenSearch Admin Password
 # -----------------
-# Password for the Elasticsearch/Kibana 'admin' user
+# Password for the OpenSearch/OpenSearch Dashboards 'admin' user
 # If not provided, a random password will be generated for this account
 # ES_ADMIN_PASSWD=yourPasswordHere
-
-# Kibana 'logadm' User Settings
+# OpenSearch 'logadm' User Password
 # -----------------------------
-# The Kibana 'logadm' user is granted access to *all* log messages in all namespaces and tenant
-# Create the 'logadm' user within the Kibana internal usere database?
-# LOG_CREATE_LOGADM_USER=true
-
-# KB 'logadm' User Password
-# Password for the Kibana 'logadm' user
+# Password for the OpenSearch/OpenSearch Dashboards 'logadm' user
 # If not provided, a random password will be generated for this account
 # LOG_LOGADM_PASSWD=yourPasswordHere
diff --git a/monitoring/user.env b/monitoring/user.env
index 224c6fc6..1dfb7dc1 100644
--- a/monitoring/user.env
+++ b/monitoring/user.env
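Review bot: the new `IMPORTANT: SETTING PASSWORDS SECURELY` block tells readers to use `another, more secure, mechanism` without naming one, so it does not change what anyone actually does. Since these are read as environment variables, the note could say so concretely, e.g. `# Prefer exporting ES_ADMIN_PASSWD / LOG_LOGADM_PASSWD in the shell that runs the deployment script (or injecting them from a secrets manager),` followed by `# and keep any user.env that does hold a real password out of version control and readable only by the deployer.` — adjust if the scripts only honour values from user.env itself. The relocated 'logadm' block still carries `usere database` and `namespaces and tenant` (should be `user database`, `tenants`), and the note itself has `these environment variable` for `variables`. It would also help to state where the generated password can be retrieved when none is supplied, assuming the script stores it somewhere the operator can read.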
@@ -1,26 +1,17 @@
 # Configurable options for the monitoring scripts
 # Use ENV_VAR=value or ENV_VAR="value"
-# Global options
-# --------------
-# TMP_DIR=/tmp
-# HELM_DEBUG=false
-# LOG_DEBUG_ENABLE=false
-# LOG_LEVEL_ENABLE=true
-# LOG_COLOR_ENABLE=true
-
-# Deploy components with TLS enabled
-# TLS_ENABLE=false
-
-# deploy_monitoring_cluster.sh options
-# ------------------------------------
 # Cluster monitoring namespace for the Prometheus Operator,
 # Grafana, dashboards, and cluster ServiceMonitors
 # MON_NS=monitoring
 # Deploys monitoring components with TLS enabled
-# This setting overrides TLS_ENABLE only for monitoring
-# MON_TLS_ENABLE=false
+# This setting effectively sets TLS_ENABLE only for monitoring
+# MON_TLS_ENABLE=true
+
+# Set this value to 'true' if using path-based ingress and
+# TLS_ENABLE=true or MON_TLS_ENABLE=true
+# MON_TLS_PATH_INGRESS=true
 # Enables tolerations and pod affinity to enable the monitoring
 # components to participate in the SAS Viya workload node
@@ -28,7 +19,7 @@
 # MON_NODE_PLACEMENT_ENABLE=false
 # Set to true to force an update of the Prometheus Operator CRDs
-# PROM_OPERATOR_CRD_UPDATE=false
+# PROM_OPERATOR_CRD_UPDATE=true
 # The release of the Prometheus Operator CRDs to deploy
 # if PROM_OPERATOR_CRD_UPDATE is true. This version should
@@ -40,9 +31,6 @@
 # Version of the kube-prometheus-stack helm chart to use
 # KUBE_PROM_STACK_CHART_VERSION=45.28.0
-# Initial password of the Grafana admin user
-# GRAFANA_ADMIN_PASSWORD=yourPasswordHere
-
 # Additional Grafana datasources
 # LOGGING_DATASOURCE=false
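Review bot: the `MON_TLS_ENABLE` comment now reads `This setting effectively sets TLS_ENABLE only for monitoring`, which is vaguer than the replaced `overrides TLS_ENABLE`; say what happens when both are set, e.g. `# When set, this value takes precedence over TLS_ENABLE for the monitoring components` — assuming that is still the script's behaviour. The same hunk deletes the `# Deploy components with TLS enabled` / `# TLS_ENABLE=false` lines from Global options, yet the new `MON_TLS_PATH_INGRESS` comment still points users at `TLS_ENABLE=true`, and PATCH 3 restores the Global options block without them, so `TLS_ENABLE` ends up referenced but undocumented in this file. Flipping the illustrative value to `MON_TLS_ENABLE=true` is the right direction, but the comment should also state the effective default when the line stays commented out.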
@@ -50,13 +38,46 @@
 # WELCOME_DASH=true
 # KUBE_DASH=true
 # VIYA_DASH=true
-# VIYA_LOG_DASH=false
 # PGMONITOR_DASH=true
 # RABBITMQ_DASH=true
 # NGINX_DASH=true
 # LOGGING_DASH=true
 # USER_DASH=true
+# Experimental - Deploys logging-enabled versions of the default dashboards
+# for Java, Go, and CAS. Requires the logging datasource to be configured
+# either manually or via the LOGGING_DATASOURCE user.env setting
+# VIYA_LOGS_DASH=false
+
+# Set PROM_NODEPORT_ENABLE=true to enable nodeport access
+# to Prometheus and Alertmanager.
+# Note that neither Prometheus nor Alertmanager provide
+# authentication by default.
+# PROM_NODEPORT_ENABLE=true
+
+# deploy_monitoring_openshift.sh options
+# --------------------------------------
+# Used when OPENSHIFT_PATH_ROUTES=true
+# Fully-qualified route hostname used for Grafana
+# OPENSHIFT_ROUTE_HOST_GRAFANA=grafana.apps.my-openshift-cluster.com
+# URL path where Grafana is available (used if OPENSHIFT_PATH_ROUTES=true)
+# OPENSHIFT_ROUTE_PATH_GRAFANA=/grafana
+
 ## deploy_monitoring_viya.sh options
 # ----------------------------------
 # PUSHGATEWAY_ENABLED=true
+# PUSHGATEWAY_CHART_VERSION:-2.1.6
+# VALIDATE_MONITORS=true
+
+
+# IMPORTANT: SETTING PASSWORDS SECURELY
+# ------------------------------------------
+# Security best-practices discourage storing passwords in files.
+# We have included setting passwords in this sample file
+# only to illustrate the referenced environment variable.
+# You should set these environment variable via another,
+# more secure, mechanism.
+
+# Set a specific password for the Grafana admin user
+# Default is to generate a random password
+# GRAFANA_ADMIN_PASSWORD=yourPasswordHere
diff --git a/samples/generic-base/logging/user.env b/samples/generic-base/logging/user.env
index fc546b8f..182d1602 100644
--- a/samples/generic-base/logging/user.env
+++ b/samples/generic-base/logging/user.env
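Review bot: the sample line `# PROM_NODEPORT_ENABLE=true` illustrates the unsafe value directly under the comment that neither Prometheus nor Alertmanager authenticates; showing `false` and spelling out the exposure would match the security intent of this series, e.g. `# A NodePort listens on every node's IP; without authentication anyone who can reach a node can read all metrics and, via the Alertmanager API, create or expire silences.` The added `# PUSHGATEWAY_CHART_VERSION:-2.1.6` looks like a `${VAR:-default}` fragment pasted from a script rather than the `ENV_VAR=value` form this file documents at its top; it should read `# PUSHGATEWAY_CHART_VERSION=2.1.6`. The new `IMPORTANT` password note names no concrete alternative to the file; one sentence such as `# e.g. export GRAFANA_ADMIN_PASSWORD in the deploying shell or inject it from a secrets manager` would make it actionable, and `these environment variable` should be plural.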
@@ -9,25 +9,25 @@
 # The following flags control whether specific components
 # of the log monitoring solution are deployed
-# Event Router (generates log messages from K8s events)?
-# See https://github.com/heptiolabs/eventrouter for details
-# EVENTROUTER_ENABLE=true
-
-# Elasticsearch
+# OpenSearch
 # ELASTICSEARCH_ENABLE=true
-# Elasticsearch Content (ingest pipelines, index mgmt policies, etc.)
+# OpenSearch Content (ingest pipelines, index mgmt policies, etc.)
 # ES_CONTENT_DEPLOY=true
 # Elasticsearch Prometheus Exporter
 # ELASTICSEARCH_EXPORTER_ENABLED=true
-# Kibana Content (visualizations, dashboards, etc.)
+# OpenSearch Dashboards Content (visualizations, dashboards, etc.)
 # KIBANA_CONTENT_DEPLOY
-# Fluent Bit (log collector)
+# Fluent Bit (for collecting pod logs)
 # FLUENT_BIT_ENABLED=true
+# Fluent Bit (for collecting Kubernetes Events)
+# FLUENT_BIT_EVENTS_ENABLED=true
+
+
 # OpenShift-specific Settings
 # --------------------------------------------------------------
 # The following set of environment variables are
@@ -40,10 +40,10 @@
 # Create OpenShift Route objects
 # OPENSHIFT_ROUTES_ENABLE=true
 #
-# Create route for the Elasticsearch API endpoint
+# Create route for the OpenSearch API endpoint
 # OPENSHIFT_ES_ROUTE_ENABLE=false
 #
-# Make Kibana accessible via NodePort (port 31033)
+# Make OpenSearch Dashboards accessible via NodePort (port 31033)
 # KB_KNOWN_NODEPORT_ENABLE=false
 #
 # Remove OpenShift artifacts (e.g. custom SCCs)
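Review bot: as in the matching logging/user.env hunk, `# KIBANA_CONTENT_DEPLOY` is the only flag shown without a value; `# KIBANA_CONTENT_DEPLOY=true` (if that is its default) keeps the sample uniform and safe to uncomment. This sample is byte-identical to logging/user.env before and after the patch (both go fc546b8f..182d1602), so whichever convention keeps samples/generic-base in sync should carry any follow-up fix to both copies.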
@@ -64,34 +64,20 @@
 # containerd cri criwithlog
 # cri-o cri criwithlog
 #
-# NOTE: The docker container runtime is deprecated in Kubernetes 1.20
-# and suport for it is expected to be removed in Kubernetes 1.22.
+# NOTE: The docker container runtime was deprecated in Kubernetes 1.20
+# and support for it was removed in Kubernetes 1.24.
 #
 # The deployment scripts will automatically determine the
 # container runtime and set the appropriate log parser. However,
 # if necessary, you can manually identify the appropriate parser
 # by setting the KUBERNETES_RUNTIME_LOGFMT environment variable.
-# KUBERNETES_RUNTIME_LOGFMT=docker
+# KUBERNETES_RUNTIME_LOGFMT=containerd
-# Enables TLS in-cluster for Kibana (***DEPRECATED 14FEB22**)
-# ------------------------------
-# ***** USE OF THIS ENV VAR HAS BEEN DEPRECATED AND SUPPORT *****
-# ***** FOR IT WILL BE REMOVED ENTIRELY IN AN UPCOMING RELEASE *****
-# This only affects the communication in-bound to Kibana. If this is
-# set to true and a TLS cert is not found saved as the expected
-# Kubernetes secret (logging/kibana-tls-secret), the deployment script
-# will attempt to use cert-manager to generate one on-the-fly.
-# Note that these on-the-fly certs will likely lead to browser alerts
-# warning of possible security risks when accessing Kibana.
-# LOG_KB_TLS_ENABLE=$TLS_ENABLE
 # Use port-forwarding during deployment
 # -------------------------------------
-# If Kibana is not reachable via the end-user URL from the machine on which the deployment
+# If OpenSearch Dashboards is not reachable via the end-user URL from the machine on which the deployment
 # is running, Kubernetes port-forwarding may allow the deployment to overcome this.
-# See 'Issue: Deployment does not complete if Kibana is not reachable from the deployment machine'
-# in the Logging Troubleshooting Guide (Troubleshooting.md in the logging sub-directory of the repo)
-# for more information.
 # LOG_ALWAYS_PORT_FORWARD=true
 # Retention Period Settings
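Review bot: this mirrors the logging/user.env hunk and has the same gap — the deprecated `LOG_KB_TLS_ENABLE` section is removed without a line saying what supersedes it. Keeping `# LOG_KB_TLS_ENABLE is no longer supported; in-cluster TLS is controlled by TLS_ENABLE` (after confirming that is the replacement) prevents silent misconfiguration for users who migrate an older sample. If the cert-manager on-the-fly certificate behaviour described in the removed text still applies, its browser-warning caveat should be re-homed next to the variable that now controls TLS rather than dropped.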
@@ -102,21 +88,30 @@
 # Number of Days to retain internal (log monitoring) log messages
 # OPS_LOG_RETENTION_PERIOD=1
-# ES Admin Password
+
+# OpenSearch 'logadm' User Settings
+# -----------------------------
+# The OpenSearch 'logadm' user is granted access to *all* log messages in all namespaces and tenant
+# Create the 'logadm' user within the OpenSearch internal usere database?
+# LOG_CREATE_LOGADM_USER=true
+
+# IMPORTANT: SETTING PASSWORDS SECURELY
+# ------------------------------------------
+# Security best-practices discourage storing passwords in files.
+# We have included setting passwords in this sample file
+# only to illustrate the referenced environment variable.
+# You should set these environment variable via another,
+# more secure, mechanism.
+
+# OpenSearch Admin Password
 # -----------------
-# Password for the Elasticsearch/Kibana 'admin' user
+# Password for the OpenSearch/OpenSearch Dashboards 'admin' user
 # If not provided, a random password will be generated for this account
 # ES_ADMIN_PASSWD=yourPasswordHere
-
-# Kibana 'logadm' User Settings
+# OpenSearch 'logadm' User Password
 # -----------------------------
-# The Kibana 'logadm' user is granted access to *all* log messages in all namespaces and tenant
-# Create the 'logadm' user within the Kibana internal usere database?
-# LOG_CREATE_LOGADM_USER=true
-
-# KB 'logadm' User Password
-# Password for the Kibana 'logadm' user
+# Password for the OpenSearch/OpenSearch Dashboards 'logadm' user
 # If not provided, a random password will be generated for this account
 # LOG_LOGADM_PASSWD=yourPasswordHere
diff --git a/samples/generic-base/monitoring/user.env b/samples/generic-base/monitoring/user.env
index cfbc44ab..1dfb7dc1 100644
--- a/samples/generic-base/monitoring/user.env
+++ b/samples/generic-base/monitoring/user.env
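Review bot: the security note advises `another, more secure, mechanism` but names none; a concrete line such as `# e.g. export ES_ADMIN_PASSWD / LOG_LOGADM_PASSWD in the shell that runs the deployment script, and never commit a user.env that contains a real password` would make it actionable (assuming the scripts honour exported variables, which the note implies). `usere database`, `namespaces and tenant` and `these environment variable` are typos carried into the new lines. This sample and logging/user.env are identical after PATCH 1 (both end at blob 182d1602), but PATCH 2 in this series touches only the sample copy, so the two files drift by the end of the series; the same tweaks should land in logging/user.env.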
@@ -31,10 +31,6 @@
 # Version of the kube-prometheus-stack helm chart to use
 # KUBE_PROM_STACK_CHART_VERSION=45.28.0
-# Set a specific password for the Grafana admin user
-# Default is to generate a random password
-# GRAFANA_ADMIN_PASSWORD=yourPasswordHere
-
 # Additional Grafana datasources
 # LOGGING_DATASOURCE=false
@@ -72,3 +68,16 @@
 # PUSHGATEWAY_ENABLED=true
 # PUSHGATEWAY_CHART_VERSION:-2.1.6
 # VALIDATE_MONITORS=true
+
+
+# IMPORTANT: SETTING PASSWORDS SECURELY
+# ------------------------------------------
+# Security best-practices discourage storing passwords in files.
+# We have included setting passwords in this sample file
+# only to illustrate the referenced environment variable.
+# You should set these environment variable via another,
+# more secure, mechanism.
+
+# Set a specific password for the Grafana admin user
+# Default is to generate a random password
+# GRAFANA_ADMIN_PASSWORD=yourPasswordHere
From 5dfdc16125a7001c7ff1eb05b585b020aac3b736 Mon Sep 17 00:00:00 2001
From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com>
Date: Thu, 5 Dec 2024 18:03:42 -0500
Subject: [PATCH 2/3] tweaks
---
 samples/generic-base/logging/user.env | 8 ++++----
 samples/generic-base/monitoring/user.env | 10 ++++++++++
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/samples/generic-base/logging/user.env b/samples/generic-base/logging/user.env
index 182d1602..9378e56f 100644
--- a/samples/generic-base/logging/user.env
+++ b/samples/generic-base/logging/user.env
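Review bot: the new `IMPORTANT` block tells readers not to keep the Grafana password in this file but offers no alternative, so the practical outcome for someone copying the sample is unchanged. A concrete sentence, e.g. `# Export GRAFANA_ADMIN_PASSWORD in the shell that runs deploy_monitoring_cluster.sh instead of uncommenting it here, and keep any user.env holding a real password out of version control`, would be actionable — confirm the script honours an exported variable first. `these environment variable` should be `variables`. The context line `# PUSHGATEWAY_CHART_VERSION:-2.1.6` is in `${VAR:-default}` form rather than the `ENV_VAR=value` form the file documents; since this block is being reorganised anyway, correcting it to `# PUSHGATEWAY_CHART_VERSION=2.1.6` is a cheap fix.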
@@ -90,13 +90,14 @@
 # OpenSearch 'logadm' User Settings
-# -----------------------------
+# ---------------------------------
 # The OpenSearch 'logadm' user is granted access to *all* log messages in all namespaces and tenant
 # Create the 'logadm' user within the OpenSearch internal usere database?
 # LOG_CREATE_LOGADM_USER=true
+
 # IMPORTANT: SETTING PASSWORDS SECURELY
-# ------------------------------------------
+# -------------------------------------
 # Security best-practices discourage storing passwords in files.
 # We have included setting passwords in this sample file
 # only to illustrate the referenced environment variable.
@@ -104,12 +105,11 @@
 # more secure, mechanism.
 # OpenSearch Admin Password
-# -----------------
+# -------------------------
 # Password for the OpenSearch/OpenSearch Dashboards 'admin' user
 # If not provided, a random password will be generated for this account
 # ES_ADMIN_PASSWD=yourPasswordHere
-
 # OpenSearch 'logadm' User Password
 # -----------------------------
 # Password for the OpenSearch/OpenSearch Dashboards 'logadm' user
diff --git a/samples/generic-base/monitoring/user.env b/samples/generic-base/monitoring/user.env
index 1dfb7dc1..57fec8fb 100644
--- a/samples/generic-base/monitoring/user.env
+++ b/samples/generic-base/monitoring/user.env
@@ -1,6 +1,16 @@
 # Configurable options for the monitoring scripts
 # Use ENV_VAR=value or ENV_VAR="value"
+# Global options
+# --------------
+# TMP_DIR=/tmp
+# HELM_DEBUG=false
+# LOG_DEBUG_ENABLE=false
+# LOG_LEVEL_ENABLE=true
+# LOG_COLOR_ENABLE=true
+
+# deploy_monitoring_cluster.sh options
+# ------------------------------------
 # Cluster monitoring namespace for the Prometheus Operator,
 # Grafana, dashboards, and cluster ServiceMonitors
 # MON_NS=monitoring
From f62f6e26c0cba4a7bbaf3ab5c65350e49f33cd8d Mon Sep 17 00:00:00 2001
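Review bot: logging/user.env does not receive this underline fix — PATCH 1 left it byte-identical to this sample (blob 182d1602) and PATCH 3 touches only monitoring/user.env, so the two copies diverge at the end of the series. If the sample is meant to track the top-level file, the same edit should land in both. The `# OpenSearch 'logadm' User Password` underline in the second hunk is still shorter than its heading, which is the same cosmetic issue this commit fixes for the other headings; the typos `usere database` and `namespaces and tenant` in the context lines could be corrected in the same pass.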
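Review bot: the restored Global options block in samples/generic-base/monitoring/user.env omits the `# Deploy components with TLS enabled` / `# TLS_ENABLE=false` pair that PATCH 1 removed from the identical monitoring/user.env, yet the `MON_TLS_PATH_INGRESS` comment added in that same patch still tells readers to check `TLS_ENABLE=true`. Adding the two lines back here (or wherever TLS_ENABLE is now documented) keeps that reference resolvable; this sample shares blob 1dfb7dc1 with monitoring/user.env before the change, so both copies need it. The deploy_monitoring_cluster.sh section this hunk opens continues past the hunk.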
From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com>
Date: Thu, 5 Dec 2024 18:14:35 -0500
Subject: [PATCH 3/3] More tweaks
---
 monitoring/user.env | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/monitoring/user.env b/monitoring/user.env
index 1dfb7dc1..57fec8fb 100644
--- a/monitoring/user.env
+++ b/monitoring/user.env
@@ -1,6 +1,16 @@
 # Configurable options for the monitoring scripts
 # Use ENV_VAR=value or ENV_VAR="value"
+# Global options
+# --------------
+# TMP_DIR=/tmp
+# HELM_DEBUG=false
+# LOG_DEBUG_ENABLE=false
+# LOG_LEVEL_ENABLE=true
+# LOG_COLOR_ENABLE=true
+
+# deploy_monitoring_cluster.sh options
+# ------------------------------------
 # Cluster monitoring namespace for the Prometheus Operator,
 # Grafana, dashboards, and cluster ServiceMonitors
 # MON_NS=monitoring
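Review bot: the Global options block is restored without the `TLS_ENABLE` lines that PATCH 1 deleted from this file (`# Deploy components with TLS enabled` / `# TLS_ENABLE=false`), while the `MON_TLS_PATH_INGRESS` comment added in PATCH 1 still instructs readers to check `TLS_ENABLE=true`; after this series the variable is referenced but never documented in monitoring/user.env. Reinstating the two lines in this block — ideally with a note on how `MON_TLS_ENABLE` relates to it — closes that gap. This hunk is the file's final state in the series, so it is the natural place for the fix; the sample copy ends at the same blob (57fec8fb) and needs the same change.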