
Allow backend to send to private networks and fix splunk certificate verification #21

merged 5 commits into from
Mar 25, 2024
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -71,7 +71,7 @@ check-generate:

.PHONY: generate
generate: $(HELM)
@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate.sh ./charts/... ./cmd/... ./pkg/...
@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate-sequential.sh ./charts/... ./cmd/... ./pkg/...

What does this change do?


.PHONY: generate-in-docker
generate-in-docker: revendor $(HELM) $(YQ)
17 changes: 7 additions & 10 deletions example/shoot.yaml
Expand Up @@ -28,10 +28,11 @@ spec:
# splunk:
# enabled: true
# index: <splunk index>
# host: splunk-endpoint.example.com
# host: <splunk hec host>
# port: "443"
# secretResourceName: splunk-secret
# tls: true
# tlshost: <hostname for splunk host if needed for tls sni|certificate verification>
# resources:
# - name: splunk-secret
# resourceRef:
Expand All @@ -40,9 +41,6 @@ spec:
# name: splunk-secret
networking:
type: calico
providerConfig:
apiVersion: calico.networking.extensions.gardener.cloud/v1alpha1
kind: NetworkConfig
provider:
type: local
workers:
Expand All @@ -56,16 +54,15 @@ spec:
maxSurge: 1
maxUnavailable: 0
kubernetes:
version: 1.26.0
kubelet:
seccompDefault: true
serializeImagePulls: false
registryPullQPS: 10
registryBurst: 20
protectKernelDefaults: true
streamingConnectionIdleTimeout: 5m
# kubeAPIServer:
# auditConfig:
# auditPolicy:
# configMapRef:
# name: custom-audit-policy
kubeAPIServer:
auditConfig:
auditPolicy:
configMapRef:
name: custom-audit-policy
5 changes: 4 additions & 1 deletion pkg/apis/audit/types.go
Expand Up @@ -79,7 +79,7 @@ type AuditBackendSplunk struct {
// Index is the splunk index that should be used.
Index string

// Host ist the hostname of the splunk HEC endpoint.
// Host is the hostname or IP of the splunk HEC endpoint.
Host string

// Port ist the port on which the HEC endpoint is listening.
Expand All @@ -95,4 +95,7 @@ type AuditBackendSplunk struct {

// TlsEnabled determines whether TLS should be used to communicate to the HEC endpoint.
TlsEnabled bool

// TlsHost is the hostname that fluent-bit should request through SNI when connecting to a site that serves different hostnames under one IP.
TlsHost string
}
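Review bot: The comment on the new TlsHost field describes the value only as the SNI name, while the example in shoot.yaml advertises it as `<hostname for splunk host if needed for tls sni|certificate verification>` and the actuator writes it into fluent-bit's `tls.vhost` alongside `tls.verify = on`; a reader of the API type should be told that, if fluent-bit checks the certificate against the vhost as the example implies, this is also the name the server certificate is expected to carry. Suggested wording: `// TlsHost is the hostname fluent-bit presents via SNI (and, with TLS verification on, expects the server certificate to match) when the HEC endpoint is reached by IP or under a name different from Host. Expected to be a bare hostname without scheme or port.` The identical comment on the v1alpha1 field in pkg/apis/audit/v1alpha1/types.go should be updated the same way. Whether a hostname-shape check exists in the validation package is not visible from this diff.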
5 changes: 4 additions & 1 deletion pkg/apis/audit/v1alpha1/types.go
Expand Up @@ -100,7 +100,7 @@ type AuditBackendSplunk struct {
// Index is the splunk index that should be used.
Index string `json:"index"`

// Host ist the hostname of the splunk HEC endpoint.
// Host is the hostname or IP of the splunk HEC endpoint.
Host string `json:"host"`

// Port ist the port on which the HEC endpoint is listening.
Expand All @@ -116,4 +116,7 @@ type AuditBackendSplunk struct {

// TlsEnabled determines whether TLS should be used to communicate to the HEC endpoint.
TlsEnabled bool `json:"tls"`

// TlsHost is the hostname that fluent-bit should request through SNI when connecting to a site that serves different hostnames under one IP.
TlsHost string `json:"tlshost,omitempty"`
}
2 changes: 2 additions & 0 deletions pkg/apis/audit/v1alpha1/zz_generated.conversion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 9 additions & 5 deletions pkg/controller/audit/actuator.go
Expand Up @@ -391,6 +391,7 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
"app": "audit-webhook-backend",
"networking.gardener.cloud/from-prometheus": "allowed",
"networking.gardener.cloud/to-dns": "allowed",
"networking.gardener.cloud/to-private-networks": "allowed",
"networking.gardener.cloud/to-public-networks": "allowed",
"networking.gardener.cloud/from-shoot-apiserver": "allowed",
"networking.resources.gardener.cloud/to-audit-cluster-forwarding-vpn-gateway-tcp-9876": "allowed",
Expand Down Expand Up @@ -767,12 +768,11 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
if auditConfig.Backends.Splunk.TlsEnabled {
splunkConfig["tls"] = "on"
splunkConfig["tls.verify"] = "on"
if auditConfig.Backends.Splunk.TlsHost != "" {
splunkConfig["tls.vhost"] = auditConfig.Backends.Splunk.TlsHost
}
}

fluentbitConfigMap.Data["splunk.backend.conf"] = fluentbitconfig.Config{
Output: []fluentbitconfig.Output{splunkConfig},
}.Generate()

splunkSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "audit-splunk-secret",
Expand All @@ -797,7 +797,7 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S

caFile := splunkSecretFromResources.Data[v1alpha1.SplunkSecretCaFileKey]
if len(caFile) > 0 {
splunkConfig["tls.ca_file "] = "/backends/splunk/certs/ca.crt"
splunkConfig["tls.ca_file"] = "/backends/splunk/certs/ca.crt"

splunkSecret.Data["ca.crt"] = caFile

Expand All @@ -824,6 +824,10 @@ func seedObjects(auditConfig *v1alpha1.AuditConfig, secrets map[string]*corev1.S
auditwebhookStatefulSet.Spec.Template.ObjectMeta.Annotations["checksum/splunk-secret"] = utils.ComputeSecretChecksum(splunkSecret.Data)

objects = append(objects, splunkSecret)

fluentbitConfigMap.Data["splunk.backend.conf"] = fluentbitconfig.Config{
Output: []fluentbitconfig.Output{splunkConfig},
}.Generate()
}

auditwebhookStatefulSet.Spec.Template.ObjectMeta.Annotations["checksum/secret-"+auditWebhookConfigSecret.Name] = utils.ComputeSecretChecksum(auditWebhookConfigSecret.Data)
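Review bot: The relocated `fluentbitConfigMap.Data["splunk.backend.conf"] = fluentbitconfig.Config{...}.Generate()` in the last hunk sits immediately before a closing brace, and the rendered diff does not show whether that brace closes the `if len(caFile) > 0 {` opened in the previous hunk or the enclosing splunk backend block; if it is the former, shoots that supply no CA file would no longer get a splunk.backend.conf entry at all, which the removed earlier placement did produce. Please confirm the brace belongs to the outer block, or place the Generate() call explicitly after the caFile block so the intent is visible. Separately, TlsHost is copied verbatim into `splunkConfig["tls.vhost"]`; unless the API validation (not part of this diff) already restricts it to a hostname, a check that the value parses as a host (for example rejecting anything `net.ParseIP` or a hostname-label check does not accept) before it lands in the generated output section would keep a malformed value from producing a broken fluent-bit config. seedObjects begins and ends outside these hunks.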