Skip to content

Commit

Permalink
Merge branch 'main' into 797-decompose-istio-oscal-into-oscal-and-val…
Browse files Browse the repository at this point in the history
…idations
  • Loading branch information
CloudBeard authored Sep 25, 2024
2 parents 9bdebee + 1bf2958 commit 43f46c6
Show file tree
Hide file tree
Showing 41 changed files with 443 additions and 421 deletions.
4 changes: 2 additions & 2 deletions .github/filters.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,8 @@ prometheus-stack:
- "!**/*.gif"
- "!**/*.svg"

promtail:
- "src/promtail/**"
vector:
- "src/vector/**"
- "!**/*.md"
- "!**/*.jpg"
- "!**/*.png"
Expand Down
4 changes: 1 addition & 3 deletions .vscode/settings.json
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@
"https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/uds.schema.json": [
"uds-bundle.yaml"
],

// renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
"https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/tasks.schema.json": [
"tasks.yaml",
Expand All @@ -37,7 +36,6 @@
"MITM",
"neuvector",
"opensource",
"promtail",
"Quarkus",
"Quickstart",
"seccomp",
Expand All @@ -47,7 +45,7 @@
"cSpell.enabled": true,
"[typescript]": {
"editor.codeActionsOnSave": {
"source.organizeImports": "always"
"source.organizeImports": "always"
}
},
}
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -972,5 +972,5 @@ PRE RELEASE
- CONTRIBUTING.md
- DEVELOPMENT_MAINTENANCE.md
- LICENSE
- READEME.md
- README.md
- zarf.yaml
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ UDS Core establishes a secure baseline for cloud-native systems and ships with c
- [Neuvector](https://open-docs.neuvector.com/) - Container Security
- [Pepr](https://pepr.dev) - UDS policy engine & operator
- [Prometheus Stack](https://github.com/prometheus-operator/kube-prometheus) - Monitoring
- [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) - Log Aggregation
- [Vector](https://vector.dev/) - Log Aggregation
- [Velero](https://velero.io/) - Backup & Restore
- [UDS Runtime](https://github.com/defenseunicorns/uds-runtime) - Frontend Views & Insights

Expand Down
2 changes: 1 addition & 1 deletion compliance/oscal-component.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ component-definition:
- href: 'file://./../src/loki/oscal-component.yaml'
- href: 'file://./../src/neuvector/oscal-component.yaml'
- href: 'file://./../src/prometheus-stack/oscal-component.yaml'
- href: 'file://./../src/promtail/oscal-component.yaml'
- href: 'file://./../src/vector/oscal-component.yaml'
- href: 'file://./../src/velero/oscal-component.yaml'

capabilities:
Expand Down
2 changes: 1 addition & 1 deletion docs/application-baseline.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ For optimal deployment and operational efficiency, it is important to deliver a
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Service Mesh** | **[Istio](https://istio.io/):** A powerful service mesh that provides traffic management, load balancing, security, and observability features. |
| **Monitoring** | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters. Metrics server is an optional (non-default) component since most Kubernetes distros provide it by default.<br><br>**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.<br><br> **[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. |
| **Logging** | **[Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/):** A companion agent that efficiently gathers and sends container logs to Loki, simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.<br><br> **[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. |
| **Logging** | **[Vector](https://vector.dev/):** A companion agent that efficiently gathers and sends container logs to Loki and other storage locations (S3, SIEM tools, etc), simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.<br><br> **[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. |
| **Security and Compliance** | **[NeuVector](https://open-docs.neuvector.com/):** Offers container-native security, protecting applications against threats and vulnerabilities.<br><br> **[Pepr](https://pepr.dev/):** UDS policy engine and operator for enhanced security and compliance.|
| **Identity and Access Management** | **[Keycloak](https://www.keycloak.org/):** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources.|
| **Backup and Restore** | **[Velero](https://velero.io/):** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery.|
Expand Down
14 changes: 12 additions & 2 deletions docs/configuration/resource-configuration-and-ha.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,19 @@ To scale Grafana for high availability, its database must be externalized (see [

## Logging

### Promtail
### Vector

By default Promtail runs as a daemonset, automatically scaling across all nodes to ensure logs are captured from each host. Typically Promtail does not need any other modifications, but you can customize its resource configuration by overriding the `resources` helm value (using the component and chart name of `promtail`).
By default Vector runs as a daemonset, automatically scaling across all nodes to ensure logs are captured from each host. Typically Vector does not need any other modifications, but you can customize its resource configuration by overriding the `resources` helm value (using the component and chart name of `vector`). Vector recommends the below resourcing when running in production:

```yaml
resources:
requests:
memory: "64Mi"
cpu: "500m"
limits:
memory: "1024Mi"
cpu: "6000m"
```

### Loki

Expand Down
6 changes: 3 additions & 3 deletions packages/standard/zarf.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -76,11 +76,11 @@ components:
import:
path: ../../src/prometheus-stack

# Promtail
- name: promtail
# Vector
- name: vector
required: true
import:
path: ../../src/promtail
path: ../../src/vector

# Grafana
- name: grafana
Expand Down
6 changes: 3 additions & 3 deletions renovate.json
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,9 @@
"commitMessageTopic": "istio"
},
{
"matchFileNames": ["src/promtail/**"],
"groupName": "promtail",
"commitMessageTopic": "promtail"
"matchFileNames": ["src/vector/**"],
"groupName": "vector",
"commitMessageTopic": "vector"
},
{
"matchFileNames": ["src/velero/**"],
Expand Down
3 changes: 3 additions & 0 deletions src/grafana/values/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,9 @@ grafana.ini:
reporting_enabled: false
check_for_updates: false
check_for_plugin_updates: false
feedback_links_enabled: false
plugins:
public_key_retrieval_disabled: true
auth:
# Disable the login form to force users to use SSO
disable_login_form: true
Expand Down
6 changes: 3 additions & 3 deletions src/loki/chart/templates/uds-package.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,12 +36,12 @@ spec:
- direction: Ingress
selector:
app.kubernetes.io/name: loki
remoteNamespace: promtail
remoteNamespace: vector
remoteSelector:
app.kubernetes.io/name: promtail
app.kubernetes.io/name: vector
ports:
- 8080
description: "Promtail Log Storage"
description: "Vector Log Storage"

# Egress for S3 connections
- direction: Egress
Expand Down
38 changes: 19 additions & 19 deletions src/pepr/operator/controllers/exemptions/exemptions.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ const prometheusMatcher = {
name: "^neuvector-prometheus-exporter-pod.*",
kind: MatcherKind.Pod,
};
const promtailMatcher = { namespace: "promtail", name: "^promtail-.*", kind: MatcherKind.Pod };
const vectorMatcher = { namespace: "vector", name: "^vector-.*", kind: MatcherKind.Pod };
const exemption1UID = "exemption-1-uid";
const exemption2UID = "exemption-2-uid";
const storedEnforcerMatcher = { ...enforcerMatcher, owner: exemption1UID };
const storedControllerMatcher = { ...controllerMatcher, owner: exemption1UID };
const storedPrometheusMatcher = { ...prometheusMatcher, owner: exemption1UID };
const storedPromtailMatcher = { ...promtailMatcher, owner: exemption2UID };
const storedVectorMatcher = { ...vectorMatcher, owner: exemption2UID };
const neuvectorMockExemption = {
metadata: {
uid: exemption1UID,
Expand Down Expand Up @@ -90,7 +90,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => {
// remove RequireNonRootUser from enforcerMatcher
// remove prometheusMatcher
// add DisallowHostNamespaces to controllerMatcher
// add promtailMatcher with RequireNonRootUser
// add vectorMatcher with RequireNonRootUser
const updatedNeuvectorExemption = {
metadata: {
uid: exemption1UID,
Expand All @@ -110,7 +110,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => {
],
},
{
matcher: promtailMatcher,
matcher: vectorMatcher,
policies: [Policy.RequireNonRootUser],
},
],
Expand All @@ -120,7 +120,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => {
processExemptions(neuvectorMockExemption, WatchPhase.Added);
processExemptions(updatedNeuvectorExemption, WatchPhase.Modified);
expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([
{ ...storedPromtailMatcher, owner: exemption1UID },
{ ...storedVectorMatcher, owner: exemption1UID },
]);
expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([
storedEnforcerMatcher,
Expand Down Expand Up @@ -360,14 +360,14 @@ describe("Test processExemptions(); phase DELETED", () => {
});

it("Does not remove exemptions set by separate CR from the one being deleted", async () => {
const promtailMockExemption = {
const vectorMockExemption = {
metadata: {
uid: exemption2UID,
},
spec: {
exemptions: [
{
matcher: promtailMatcher,
matcher: vectorMatcher,
policies: [
Policy.DisallowPrivileged,
Policy.DropAllCapabilities,
Expand All @@ -379,12 +379,12 @@ describe("Test processExemptions(); phase DELETED", () => {
} as Exemption;

processExemptions(neuvectorMockExemption, WatchPhase.Added);
processExemptions(promtailMockExemption, WatchPhase.Added);
processExemptions(vectorMockExemption, WatchPhase.Added);
processExemptions(neuvectorMockExemption, WatchPhase.Deleted);

expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedPromtailMatcher]);
expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedPromtailMatcher]);
expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([storedPromtailMatcher]);
expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedVectorMatcher]);
expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedVectorMatcher]);
expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([storedVectorMatcher]);
});

it("Does not delete duplicate exemptions if set by separate CRs", async () => {
Expand Down Expand Up @@ -448,43 +448,43 @@ describe("Test processExemptions(); phase DELETED", () => {
},
} as Exemption;

const promtailMockExemption = {
const vectorMockExemption = {
metadata: {
uid: exemption2UID,
},
spec: {
exemptions: [
{
matcher: promtailMatcher,
matcher: vectorMatcher,
policies: [Policy.DisallowPrivileged],
},
],
},
} as Exemption;

const promtailUpdatedMockExemption = {
const vectorUpdatedMockExemption = {
metadata: {
uid: exemption2UID,
},
spec: {
exemptions: [
{
matcher: promtailMatcher,
matcher: vectorMatcher,
policies: [Policy.DisallowPrivileged, Policy.RequireNonRootUser],
},
],
},
} as Exemption;

processExemptions(neuvectorMockExemption, WatchPhase.Added);
processExemptions(promtailMockExemption, WatchPhase.Added);
processExemptions(promtailUpdatedMockExemption, WatchPhase.Modified);
processExemptions(vectorMockExemption, WatchPhase.Added);
processExemptions(vectorUpdatedMockExemption, WatchPhase.Modified);

expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([
storedEnforcerMatcher,
storedPromtailMatcher,
storedVectorMatcher,
]);
expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedEnforcerMatcher]);
expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedPromtailMatcher]);
expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedVectorMatcher]);
});
});
2 changes: 1 addition & 1 deletion src/pepr/policies/exemptions/index.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ describe("test registering exemptions", () => {
const req = {
Raw: {
metadata: {
name: "promtail",
name: "vector",
namespace: "monitoring",
},
},
Expand Down
45 changes: 17 additions & 28 deletions src/pepr/zarf.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -52,31 +52,20 @@ components:
actions:
onDeploy:
before:
- cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
mute: true
- cmd: ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
mute: true
- mute: true
description: "Update helm ownership for Pepr resources if necessary during the upgrade"
cmd: |
./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
1 change: 0 additions & 1 deletion src/promtail/README.md

This file was deleted.

18 changes: 0 additions & 18 deletions src/promtail/chart/templates/service.yaml

This file was deleted.

24 changes: 0 additions & 24 deletions src/promtail/chart/templates/uds-exemption.yaml

This file was deleted.

Loading

0 comments on commit 43f46c6

Please sign in to comment.