From c858bf93b396c622da3b47b2537691998a98f1c1 Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Fri, 17 Nov 2023 14:25:17 +0100
Subject: [PATCH] Tweak Statefulset. (#6)
---
 pkg/apis/audit/types.go | 12 +-
 pkg/apis/audit/v1alpha1/defaults.go | 48 ++++++++
 pkg/apis/audit/v1alpha1/types.go | 21 +++-
 .../audit/v1alpha1/zz_generated.conversion.go | 23 ++--
 .../audit/v1alpha1/zz_generated.deepcopy.go | 27 +++--
 .../audit/v1alpha1/zz_generated.defaults.go | 6 +
 pkg/apis/audit/zz_generated.deepcopy.go | 27 +++--
 pkg/controller/actuator.go | 113 +++++++++++++-----
 8 files changed, 212 insertions(+), 65 deletions(-)
diff --git a/pkg/apis/audit/types.go b/pkg/apis/audit/types.go
index 29a585f..af49b3c 100644
--- a/pkg/apis/audit/types.go
+++ b/pkg/apis/audit/types.go
@@ -1,6 +1,7 @@
 package audit
 import (
+ "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -22,7 +23,10 @@ type AuditConfig struct {
 // Persistence contains options about the persistent volume used for buffering the audit data
 // on the filesystem.
- Persistence *AuditPersistence
+ Persistence AuditPersistence
+
+ // Replicas are the amount of replicas used for the buffering audit pods.
+ Replicas *int32
 // WebhookMode allows to select which auditing mode - batching or blocking - should be used.
 WebhookMode AuditWebhookMode
@@ -33,7 +37,7 @@ type AuditConfig struct {
 type AuditPersistence struct {
 // Size is the size of the PVC to be used for each replica of the statefulset.
- Size *string
+ Size *resource.Quantity
 // StorageClassName is the name of the storage class to be used for the PVC. If empty, the default
 // storage class is used.
@@ -62,7 +66,7 @@ type AuditBackendClusterForwarding struct {
 Enabled bool
 // FilesystemBufferSize is the maximum disk space for the fluent-bit file sytem buffer.
- FilesystemBufferSize string
+ FilesystemBufferSize *string
 }
 type AuditBackendSplunk struct {
@@ -70,7 +74,7 @@ type AuditBackendSplunk struct {
 Enabled bool
 // FilesystemBufferSize is the maximum disk space for the fluent-bit file sytem buffer.
- FilesystemBufferSize string
+ FilesystemBufferSize *string
 // Index is the splunk index that should be used.
 Index string
diff --git a/pkg/apis/audit/v1alpha1/defaults.go b/pkg/apis/audit/v1alpha1/defaults.go
index 6b9575c..f35050b 100644
--- a/pkg/apis/audit/v1alpha1/defaults.go
+++ b/pkg/apis/audit/v1alpha1/defaults.go
@@ -1,9 +1,57 @@
 package v1alpha1
 import (
+ "github.com/metal-stack/metal-lib/pkg/pointer"
+ "k8s.io/apimachinery/pkg/api/resource"
 "k8s.io/apimachinery/pkg/runtime"
 )
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
 return RegisterDefaults(scheme)
 }
+
+// SetDefaults_AuditPersistence sets the defaults for the AuditPersistence configuration
+func SetDefaults_AuditPersistence(persistence *AuditPersistence) {
+ if persistence.Size == nil {
+ defaultCacheSize := resource.MustParse("1Gi")
+ persistence.Size = &defaultCacheSize
+ }
+}
+
+// SetDefaults_AuditConfig sets the defaults for the AuditConfig configuration
+func SetDefaults_AuditConfig(a *AuditConfig) {
+ if a.Replicas == nil {
+ a.Replicas = pointer.Pointer(int32(2))
+ }
+
+ defaultBackends(a.Backends)
+}
+
+func defaultBackends(backends *AuditBackends) {
+ if backends == nil {
+ return
+ }
+
+ defaultBackendClusterForwarding(backends.ClusterForwarding)
+ defaultBackendSplunk(backends.Splunk)
+}
+
+func defaultBackendClusterForwarding(backend *AuditBackendClusterForwarding) {
+ if backend == nil {
+ return
+ }
+
+ if backend.FilesystemBufferSize == nil {
+ backend.FilesystemBufferSize = pointer.Pointer("900M")
+ }
+}
+
+func defaultBackendSplunk(backend *AuditBackendSplunk) {
+ if backend == nil {
+ return
+ }
+
+ if backend.FilesystemBufferSize == nil {
+ backend.FilesystemBufferSize = pointer.Pointer("900M")
+ }
+}
diff --git a/pkg/apis/audit/v1alpha1/types.go b/pkg/apis/audit/v1alpha1/types.go
index ebd4fa1..7857cbf 100644
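Review bot: defaultBackendClusterForwarding and defaultBackendSplunk each default FilesystemBufferSize to `"900M"` independently, while SetDefaults_AuditPersistence sizes the volume those buffers live on at `1Gi`; with both backends enabled the two fluent-bit `storage.total_limit_size` limits add up to 1.8G on a 1Gi PVC, so the disk can fill before either per-output limit is reached and buffered audit chunks can be lost. Either state the relationship on SetDefaults_AuditPersistence (`// Size must cover the sum of all enabled backends' FilesystemBufferSize; the defaults assume a single backend.`) or derive the per-backend default from the number of enabled backends, and reject an over-committed configuration in validation if the API package has one (not visible in this diff). The two identical literals should also share one constant, e.g. `defaultFilesystemBufferSize = "900M"`, so they cannot drift apart.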
--- a/pkg/apis/audit/v1alpha1/types.go
+++ b/pkg/apis/audit/v1alpha1/types.go
@@ -1,6 +1,7 @@
 package v1alpha1
 import (
+ "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -30,33 +31,43 @@ type AuditConfig struct {
 // Persistence contains options about the persistent volume used for buffering the audit data
 // on the filesystem.
- Persistence *AuditPersistence `json:"persistence,omitempty"`
+ Persistence AuditPersistence `json:"persistence"`
+
+ // Replicas are the amount of replicas used for the buffering audit pods.
+ // +optional
+ Replicas *int32 `json:"replicas,omitempty"`
 // WebhookMode allows to select which auditing mode - batching or blocking - should be used.
- WebhookMode AuditWebhookMode `json:"webhookMode,omitempty"`
+ WebhookMode AuditWebhookMode `json:"webhookMode"`
 // Backends contains the settings for the various backends.
+ // +optional
 Backends *AuditBackends `json:"backends,omitempty"`
 }
 type AuditPersistence struct {
 // Size is the size of the PVC to be used for each replica of the statefulset.
- Size *string `json:"size,omitempty"`
+ // +optional
+ Size *resource.Quantity `json:"size,omitempty"`
 // StorageClassName is the name of the storage class to be used for the PVC. If empty, the default
 // storage class is used.
+ // +optional
 StorageClassName *string `json:"storageClassName,omitempty"`
 }
 type AuditBackends struct {
 // Log outputs the log data on stdout of the webhook pod. It is mainly intended for debugging / testing purposes.
+ // +optional
 Log *AuditBackendLog `json:"log,omitempty"`
 // ClusterForwarding will forward the audit data to a pod in the shoot where they are printed to stdout and can be
 // picked up by the log collecting solution of the cluster operator's choice.
+ // +optional
 ClusterForwarding *AuditBackendClusterForwarding `json:"clusterForwarding,omitempty"`
 // Splunk will forward the audit data to a splunk HEC endpoint.
+ // +optional
 Splunk *AuditBackendSplunk `json:"splunk,omitempty"`
 // Possible backends that would be helpful as well:
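Review bot: `Replicas *int32` accepts any value, including 0 and negatives, and getReplicas in actuator.go hands it to the StatefulSet unchanged unless the cluster is hibernated, so a user-supplied 0 silently stops audit buffering for a running cluster. State the accepted range in the field comment, `// Replicas is the number of replicas of the buffering audit pods. Must be at least 1.`, and reject values below 1 in the API package's validation function if it has one; none is visible in this diff. The same "amount of replicas" wording appears in pkg/apis/audit/types.go and should read "number of replicas" there too.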
@@ -77,14 +88,14 @@ type AuditBackendClusterForwarding struct { Enabled bool `json:"enabled"` // FilesystemBufferSize is the maximum disk space for the fluent-bit file sytem buffer. - FilesystemBufferSize string `json:"bufferSize,omitempty"` + FilesystemBufferSize *string `json:"bufferSize,omitempty"` } type AuditBackendSplunk struct { // Enabled allows to turn this backend on. Enabled bool `json:"enabled"` // FilesystemBufferSize is the maximum disk space for the fluent-bit file sytem buffer. - FilesystemBufferSize string `json:"bufferSize,omitempty"` + FilesystemBufferSize *string `json:"bufferSize,omitempty"` // Index is the splunk index that should be used. Index string `json:"index"` diff --git a/pkg/apis/audit/v1alpha1/zz_generated.conversion.go b/pkg/apis/audit/v1alpha1/zz_generated.conversion.go index 070e405..95143d2 100644 --- a/pkg/apis/audit/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/audit/v1alpha1/zz_generated.conversion.go @@ -13,6 +13,7 @@ import ( unsafe "unsafe" audit "github.com/metal-stack/gardener-extension-audit/pkg/apis/audit" + resource "k8s.io/apimachinery/pkg/api/resource" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -89,7 +90,7 @@ func RegisterConversions(s *runtime.Scheme) error { func autoConvert_v1alpha1_AuditBackendClusterForwarding_To_audit_AuditBackendClusterForwarding(in *AuditBackendClusterForwarding, out *audit.AuditBackendClusterForwarding, s conversion.Scope) error { out.Enabled = in.Enabled - out.FilesystemBufferSize = in.FilesystemBufferSize + out.FilesystemBufferSize = (*string)(unsafe.Pointer(in.FilesystemBufferSize)) return nil } 
@@ -100,7 +101,7 @@ func Convert_v1alpha1_AuditBackendClusterForwarding_To_audit_AuditBackendCluster func autoConvert_audit_AuditBackendClusterForwarding_To_v1alpha1_AuditBackendClusterForwarding(in *audit.AuditBackendClusterForwarding, out *AuditBackendClusterForwarding, s conversion.Scope) error { out.Enabled = in.Enabled - out.FilesystemBufferSize = in.FilesystemBufferSize + out.FilesystemBufferSize = (*string)(unsafe.Pointer(in.FilesystemBufferSize)) return nil } @@ -131,7 +132,7 @@ func Convert_audit_AuditBackendLog_To_v1alpha1_AuditBackendLog(in *audit.AuditBa func autoConvert_v1alpha1_AuditBackendSplunk_To_audit_AuditBackendSplunk(in *AuditBackendSplunk, out *audit.AuditBackendSplunk, s conversion.Scope) error { out.Enabled = in.Enabled - out.FilesystemBufferSize = in.FilesystemBufferSize + out.FilesystemBufferSize = (*string)(unsafe.Pointer(in.FilesystemBufferSize)) out.Index = in.Index out.Host = in.Host out.Port = in.Port @@ -147,7 +148,7 @@ func Convert_v1alpha1_AuditBackendSplunk_To_audit_AuditBackendSplunk(in *AuditBa func autoConvert_audit_AuditBackendSplunk_To_v1alpha1_AuditBackendSplunk(in *audit.AuditBackendSplunk, out *AuditBackendSplunk, s conversion.Scope) error { out.Enabled = in.Enabled - out.FilesystemBufferSize = in.FilesystemBufferSize + out.FilesystemBufferSize = (*string)(unsafe.Pointer(in.FilesystemBufferSize)) out.Index = in.Index out.Host = in.Host out.Port = in.Port 
@@ -186,7 +187,10 @@ func Convert_audit_AuditBackends_To_v1alpha1_AuditBackends(in *audit.AuditBacken } func autoConvert_v1alpha1_AuditConfig_To_audit_AuditConfig(in *AuditConfig, out *audit.AuditConfig, s conversion.Scope) error { - out.Persistence = (*audit.AuditPersistence)(unsafe.Pointer(in.Persistence)) + if err := Convert_v1alpha1_AuditPersistence_To_audit_AuditPersistence(&in.Persistence, &out.Persistence, s); err != nil { + return err + } + out.Replicas = (*int32)(unsafe.Pointer(in.Replicas)) out.WebhookMode = audit.AuditWebhookMode(in.WebhookMode) out.Backends = (*audit.AuditBackends)(unsafe.Pointer(in.Backends)) return nil @@ -198,7 +202,10 @@ func Convert_v1alpha1_AuditConfig_To_audit_AuditConfig(in *AuditConfig, out *aud } func autoConvert_audit_AuditConfig_To_v1alpha1_AuditConfig(in *audit.AuditConfig, out *AuditConfig, s conversion.Scope) error { - out.Persistence = (*AuditPersistence)(unsafe.Pointer(in.Persistence)) + if err := Convert_audit_AuditPersistence_To_v1alpha1_AuditPersistence(&in.Persistence, &out.Persistence, s); err != nil { + return err + } + out.Replicas = (*int32)(unsafe.Pointer(in.Replicas)) out.WebhookMode = AuditWebhookMode(in.WebhookMode) out.Backends = (*AuditBackends)(unsafe.Pointer(in.Backends)) return nil @@ -210,7 +217,7 @@ func Convert_audit_AuditConfig_To_v1alpha1_AuditConfig(in *audit.AuditConfig, ou } func autoConvert_v1alpha1_AuditPersistence_To_audit_AuditPersistence(in *AuditPersistence, out *audit.AuditPersistence, s conversion.Scope) error { - out.Size = (*string)(unsafe.Pointer(in.Size)) + out.Size = (*resource.Quantity)(unsafe.Pointer(in.Size)) out.StorageClassName = (*string)(unsafe.Pointer(in.StorageClassName)) return nil } 
@@ -221,7 +228,7 @@ func Convert_v1alpha1_AuditPersistence_To_audit_AuditPersistence(in *AuditPersis } func autoConvert_audit_AuditPersistence_To_v1alpha1_AuditPersistence(in *audit.AuditPersistence, out *AuditPersistence, s conversion.Scope) error { - out.Size = (*string)(unsafe.Pointer(in.Size)) + out.Size = (*resource.Quantity)(unsafe.Pointer(in.Size)) out.StorageClassName = (*string)(unsafe.Pointer(in.StorageClassName)) return nil } diff --git a/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go index bd9be55..81ddae6 100644 --- a/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/audit/v1alpha1/zz_generated.deepcopy.go @@ -16,6 +16,11 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuditBackendClusterForwarding) DeepCopyInto(out *AuditBackendClusterForwarding) { *out = *in + if in.FilesystemBufferSize != nil { + in, out := &in.FilesystemBufferSize, &out.FilesystemBufferSize + *out = new(string) + **out = **in + } return } @@ -48,6 +53,11 @@ func (in *AuditBackendLog) DeepCopy() *AuditBackendLog { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuditBackendSplunk) DeepCopyInto(out *AuditBackendSplunk) { *out = *in + if in.FilesystemBufferSize != nil { + in, out := &in.FilesystemBufferSize, &out.FilesystemBufferSize + *out = new(string) + **out = **in + } return } @@ -72,12 +82,12 @@ func (in *AuditBackends) DeepCopyInto(out *AuditBackends) { if in.ClusterForwarding != nil { in, out := &in.ClusterForwarding, &out.ClusterForwarding *out = new(AuditBackendClusterForwarding) - **out = **in + (*in).DeepCopyInto(*out) } if in.Splunk != nil { in, out := &in.Splunk, &out.Splunk *out = new(AuditBackendSplunk) - **out = **in + (*in).DeepCopyInto(*out) } return } 
@@ -96,10 +106,11 @@ func (in *AuditBackends) DeepCopy() *AuditBackends { func (in *AuditConfig) DeepCopyInto(out *AuditConfig) { *out = *in out.TypeMeta = in.TypeMeta - if in.Persistence != nil { - in, out := &in.Persistence, &out.Persistence - *out = new(AuditPersistence) - (*in).DeepCopyInto(*out) + in.Persistence.DeepCopyInto(&out.Persistence) + if in.Replicas != nil { + in, out := &in.Replicas, &out.Replicas + *out = new(int32) + **out = **in } if in.Backends != nil { in, out := &in.Backends, &out.Backends @@ -132,8 +143,8 @@ func (in *AuditPersistence) DeepCopyInto(out *AuditPersistence) { *out = *in if in.Size != nil { in, out := &in.Size, &out.Size - *out = new(string) - **out = **in + x := (*in).DeepCopy() + *out = &x } if in.StorageClassName != nil { in, out := &in.StorageClassName, &out.StorageClassName diff --git a/pkg/apis/audit/v1alpha1/zz_generated.defaults.go b/pkg/apis/audit/v1alpha1/zz_generated.defaults.go index 2458c9f..ccce6b2 100644 --- a/pkg/apis/audit/v1alpha1/zz_generated.defaults.go +++ b/pkg/apis/audit/v1alpha1/zz_generated.defaults.go @@ -17,5 +17,11 @@ import ( // Public to allow building arbitrary schemes. // All generated defaulters are covering - they call all nested defaulters. func RegisterDefaults(scheme *runtime.Scheme) error { + scheme.AddTypeDefaultingFunc(&AuditConfig{}, func(obj interface{}) { SetObjectDefaults_AuditConfig(obj.(*AuditConfig)) }) return nil } + +func SetObjectDefaults_AuditConfig(in *AuditConfig) { + SetDefaults_AuditConfig(in) + SetDefaults_AuditPersistence(&in.Persistence) +} diff --git a/pkg/apis/audit/zz_generated.deepcopy.go b/pkg/apis/audit/zz_generated.deepcopy.go index b0a8848..979304c 100644 --- a/pkg/apis/audit/zz_generated.deepcopy.go +++ b/pkg/apis/audit/zz_generated.deepcopy.go 
@@ -16,6 +16,11 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuditBackendClusterForwarding) DeepCopyInto(out *AuditBackendClusterForwarding) { *out = *in + if in.FilesystemBufferSize != nil { + in, out := &in.FilesystemBufferSize, &out.FilesystemBufferSize + *out = new(string) + **out = **in + } return } @@ -48,6 +53,11 @@ func (in *AuditBackendLog) DeepCopy() *AuditBackendLog { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuditBackendSplunk) DeepCopyInto(out *AuditBackendSplunk) { *out = *in + if in.FilesystemBufferSize != nil { + in, out := &in.FilesystemBufferSize, &out.FilesystemBufferSize + *out = new(string) + **out = **in + } return } @@ -72,12 +82,12 @@ func (in *AuditBackends) DeepCopyInto(out *AuditBackends) { if in.ClusterForwarding != nil { in, out := &in.ClusterForwarding, &out.ClusterForwarding *out = new(AuditBackendClusterForwarding) - **out = **in + (*in).DeepCopyInto(*out) } if in.Splunk != nil { in, out := &in.Splunk, &out.Splunk *out = new(AuditBackendSplunk) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -96,10 +106,11 @@ func (in *AuditBackends) DeepCopy() *AuditBackends { func (in *AuditConfig) DeepCopyInto(out *AuditConfig) { *out = *in out.TypeMeta = in.TypeMeta - if in.Persistence != nil { - in, out := &in.Persistence, &out.Persistence - *out = new(AuditPersistence) - (*in).DeepCopyInto(*out) + in.Persistence.DeepCopyInto(&out.Persistence) + if in.Replicas != nil { + in, out := &in.Replicas, &out.Replicas + *out = new(int32) + **out = **in } if in.Backends != nil { in, out := &in.Backends, &out.Backends 
@@ -132,8 +143,8 @@ func (in *AuditPersistence) DeepCopyInto(out *AuditPersistence) { *out = *in if in.Size != nil { in, out := &in.Size, &out.Size - *out = new(string) - **out = **in + x := (*in).DeepCopy() + *out = &x } if in.StorageClassName != nil { in, out := &in.StorageClassName, &out.StorageClassName diff --git a/pkg/controller/actuator.go b/pkg/controller/actuator.go index ae4614d..94471e6 100644 --- a/pkg/controller/actuator.go +++ b/pkg/controller/actuator.go @@ -38,16 +38,11 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + policyv1 "k8s.io/api/policy/v1" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -const ( - defaultPersistenceSize = "1Gi" - defaultForwardingBufferSize = "900M" - defaultSplunkBufferSize = "900M" -) - // NewActuator returns an actuator responsible for Extension resources. func NewActuator(config config.ControllerConfiguration) extension.Actuator { return &actuator{ @@ -82,14 +77,6 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, ex *extension } } - if auditConfig.Persistence == nil { - auditConfig.Persistence = &v1alpha1.AuditPersistence{} - } - - if auditConfig.Persistence.Size == nil { - auditConfig.Persistence.Size = pointer.Pointer(defaultPersistenceSize) - } - if auditConfig.Backends == nil { auditConfig.Backends = &v1alpha1.AuditBackends{ Log: &v1alpha1.AuditBackendLog{ @@ -278,11 +265,6 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S return nil, fmt.Errorf("unable to generate webhook kubeconfig: %w", err) } - size, err := resource.ParseQuantity(pointer.SafeDeref(auditConfig.Persistence.Size)) - if err != nil { - return nil, fmt.Errorf("unable to parse persistence size as kubernetes quantity: %w", err) - } - var ( fluentbitConfigMap = &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ 
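Review bot: The Reconcile hunk drops the in-actuator defaulting of Persistence.Size, and seedObjects now dereferences it unconditionally (`corev1.ResourceStorage: *auditConfig.Persistence.Size`) and writes `pointer.SafeDeref(...FilesystemBufferSize)` straight into fluent-bit's `storage.total_limit_size` for both the forwarding and the splunk output; all three sites now depend on SetDefaults_AuditConfig and SetDefaults_AuditPersistence having run on the decoded providerConfig. Whether they run depends on the decoder used where auditConfig is decoded, which is outside these hunks — a decoder that does not apply scheme defaults would panic on the nil Quantity and emit an empty buffer limit. Guard at the top of seedObjects instead of relying on it, `if auditConfig.Persistence.Size == nil { return nil, fmt.Errorf("persistence size must be set") }`, and return an error likewise for a nil or empty FilesystemBufferSize of each enabled backend. Both Reconcile and seedObjects continue outside the hunk.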
@@ -298,6 +280,9 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 "storage.checksum": "off",
 "storage.max_chunks_up": "128",
 "storage.backlog.mem_limit": "5M",
+ "http_server": "on",
+ "http_listen": "0.0.0.0",
+ "http_port": "2020",
 },
 Input: []fluentbitconfig.Input{
 map[string]string{
@@ -330,7 +315,7 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 Labels: map[string]string{},
 },
 Spec: appsv1.StatefulSetSpec{
- Replicas: pointer.Pointer(int32(2)),
+ Replicas: getReplicas(cluster, auditConfig.Replicas),
 ServiceName: "audit-webhook-backend",
 Selector: &metav1.LabelSelector{
 MatchLabels: map[string]string{
@@ -349,6 +334,9 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 },
 Annotations: map[string]string{
 "scheduler.alpha.kubernetes.io/critical-pod": "",
+ "prometheus.io/scrape": "true",
+ "prometheus.io/port": "2020",
+ "prometheus.io/path": "/api/v1/metrics/prometheus",
 },
 },
 Spec: corev1.PodSpec{
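Review bot: `"http_listen": "0.0.0.0"` turns on fluent-bit's built-in HTTP server for anything that can reach the pod IP in the seed, not only the metrics scraper, and the diff adds no NetworkPolicy or Service that restricts port 2020. Gardener seeds usually isolate control-plane pods with network policies, but I cannot see this extension's from here; confirm the audit-webhook-backend pod is covered by one that admits only the monitoring scraper on 2020, or add one next to the StatefulSet. A comment on the entry would help the next reader, e.g. `// exposes fluent-bit's HTTP API (metrics on /api/v1/metrics/prometheus) on the pod IP; reachability is limited by network policy, not by fluent-bit`. seedObjects continues outside the hunk.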
@@ -360,6 +348,37 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 "--storage_path=/data",
 "--config=/config/fluent-bit.conf",
 },
+ Ports: []corev1.ContainerPort{
+ {
+ ContainerPort: 2020,
+ },
+ },
+ ReadinessProbe: &corev1.Probe{
+ ProbeHandler: corev1.ProbeHandler{
+ HTTPGet: &corev1.HTTPGetAction{
+ Path: "/api/v1/metrics/prometheus",
+ Port: intstr.FromInt(2020),
+ },
+ },
+ },
+ LivenessProbe: &corev1.Probe{
+ ProbeHandler: corev1.ProbeHandler{
+ HTTPGet: &corev1.HTTPGetAction{
+ Path: "/",
+ Port: intstr.FromInt(2020),
+ },
+ },
+ },
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("200m"),
+ corev1.ResourceMemory: resource.MustParse("512Mi"),
+ },
+ Limits: corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("1"),
+ corev1.ResourceMemory: resource.MustParse("1Gi"), // should never be reached because max_chunks_up and chunk_size is smaller than 1Gi
+ },
+ },
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "config",
@@ -372,6 +391,23 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 },
 },
 },
+ Affinity: &corev1.Affinity{
+ PodAntiAffinity: &corev1.PodAntiAffinity{
+ PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{
+ {
+ Weight: 100,
+ PodAffinityTerm: corev1.PodAffinityTerm{
+ LabelSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app": "audit-webhook-backend",
+ },
+ },
+ TopologyKey: "kubernetes.io/hostname",
+ },
+ },
+ },
+ },
+ },
 Volumes: []corev1.Volume{
 {
 Name: "config",
@@ -398,7 +434,7 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 StorageClassName: auditConfig.Persistence.StorageClassName,
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
- corev1.ResourceStorage: size,
+ corev1.ResourceStorage: *auditConfig.Persistence.Size,
 },
 },
 },
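Review bot: Both probes leave timeout, period and failure threshold at the kubelet defaults, and the liveness probe targets a fluent-bit that the surrounding config expects to hold up to `storage.max_chunks_up` (128) chunks and replay a filesystem backlog from `/data` on start; a slow HTTP response during that replay would get the pod killed and restarted repeatedly, which is exactly when buffered audit data is most at risk. Set the thresholds explicitly, e.g. on the liveness probe `TimeoutSeconds: 5, PeriodSeconds: 10, FailureThreshold: 6,`, and consider a cheaper readiness target than the full Prometheus metrics dump. The comment on the memory limit asserts that `max_chunks_up and chunk_size is smaller than 1Gi`, but no chunk size is configured in the visible fluent-bit config, so it should name where that size comes from or be dropped. seedObjects continues outside the hunk.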
@@ -430,6 +466,19 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 },
 },
 },
+ &policyv1.PodDisruptionBudget{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "audit-webhook-backend",
+ Namespace: namespace,
+ Labels: map[string]string{
+ "app": "audit-webhook-backend",
+ },
+ },
+ Spec: policyv1.PodDisruptionBudgetSpec{
+ MinAvailable: utils.IntStrPtrFromInt(1),
+ Selector: auditwebhookStatefulSet.Spec.Selector,
+ },
+ },
 }
 if pointer.SafeDeref(auditConfig.Backends.Log).Enabled {
@@ -453,7 +502,7 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 forwardingConfig := map[string]string{
 "match": "audit",
 "name": "forward",
- "storage.total_limit_size": defaultForwardingBufferSize,
+ "storage.total_limit_size": pointer.SafeDeref(auditConfig.Backends.ClusterForwarding.FilesystemBufferSize),
 "host": "audit-cluster-forwarding-vpn-gateway",
 "port": "9876",
 "require_ack_response": "True",
@@ -467,10 +516,6 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 "tls.vhost": "audittailer",
 }
- if auditConfig.Backends.ClusterForwarding.FilesystemBufferSize != "" {
- forwardingConfig["storage.total_limit_size"] = auditConfig.Backends.ClusterForwarding.FilesystemBufferSize
- }
-
 fluentbitConfigMap.Data["clusterforwarding.backend.conf"] = fluentbitconfig.Config{
 Output: []fluentbitconfig.Output{forwardingConfig},
 }.Generate()
@@ -502,7 +547,7 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 Namespace: namespace,
 },
 Spec: appsv1.DeploymentSpec{
- Replicas: pointer.Pointer(int32(1)),
+ Replicas: getReplicas(cluster, pointer.Pointer(int32(1))),
 Selector: &metav1.LabelSelector{
 MatchLabels: map[string]string{
 "app": "audit-cluster-forwarding-vpn-gateway",
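Review bot: The new PodDisruptionBudget pins `MinAvailable: 1` while the StatefulSet's replica count now comes from `getReplicas(cluster, auditConfig.Replicas)`, so a user who configures a single replica gets a budget that permits zero disruptions and blocks every voluntary eviction of that pod (node drains, upgrades) indefinitely; the hibernated case is harmless since there is nothing to evict. Either express the budget as `MaxUnavailable: utils.IntStrPtrFromInt(1)`, which protects the two-replica default equally well, or only append the PodDisruptionBudget when the resolved replica count is greater than one. A short comment stating the intent, `// keep at least one buffering pod during voluntary disruptions`, would also help. seedObjects continues outside the hunk.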
@@ -632,7 +677,7 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 splunkConfig := map[string]string{
 "match": "audit",
 "name": "splunk",
- "storage.total_limit_size": defaultSplunkBufferSize,
+ "storage.total_limit_size": pointer.SafeDeref(auditConfig.Backends.Splunk.FilesystemBufferSize),
 "host": auditConfig.Backends.Splunk.Host,
 "port": auditConfig.Backends.Splunk.Port,
 "splunk_token": "${SPLUNK_HEC_TOKEN}",
@@ -644,10 +689,6 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
 "event_host": cluster.ObjectMeta.Name,
 }
- if auditConfig.Backends.Splunk.FilesystemBufferSize != "" {
- splunkConfig["storage.total_limit_size"] = auditConfig.Backends.Splunk.FilesystemBufferSize
- }
-
 if auditConfig.Backends.Splunk.TlsEnabled {
 splunkConfig["tls"] = "on"
 splunkConfig["tls.verify"] = "on"
@@ -992,3 +1033,11 @@ func shootObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.
 },
 },
 }, nil
 }
+
+func getReplicas(cluster *extensions.Cluster, wokenUp *int32) *int32 {
+ if controller.IsHibernated(cluster) {
+ return pointer.Pointer(int32(0))
+ }
+
+ return wokenUp
+}
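Review bot: getReplicas has no doc comment and the parameter name `wokenUp` obscures its role — it is the replica count to use whenever the cluster is not hibernated. Suggest `// getReplicas returns 0 while the shoot is hibernated and the given count otherwise.` and renaming the parameter to `desired`. Because the StatefulSet call site passes `auditConfig.Replicas` through unchanged, a nil value (defaults not applied) becomes a nil `Replicas` in the StatefulSet spec, which the API server defaults to 1 — a quiet drop from the previous hard-coded 2 that the function comment should mention, or the function should fall back explicitly with `if desired == nil { return pointer.Pointer(int32(2)) }`.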