From 2c5e5187305695c5dad30a3a16abebd30979e8ae Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Sun, 15 Sep 2024 21:26:15 -0700 Subject: [PATCH 01/10] accept certs from dir instead of .arg Signed-off-by: Nianyu Shen --- .arg.template | 1 - Dockerfile | 17 ++++++++++++----- Earthfile | 20 +++----------------- README.md | 3 +-- earthly.sh | 4 ++-- test/test-two-node.sh | 1 - 6 files changed, 18 insertions(+), 28 deletions(-) diff --git a/.arg.template b/.arg.template index da6e377..cd2770e 100644 --- a/.arg.template +++ b/.arg.template @@ -8,7 +8,6 @@ ISO_NAME=palette-edge-installer ARCH=amd64 HTTPS_PROXY= HTTP_PROXY= -PROXY_CERT_PATH= UPDATE_KERNEL=false CLUSTERCONFIG=spc.tgz CIS_HARDENING=false diff --git a/Dockerfile b/Dockerfile index db0dbf3..738030c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,16 +7,23 @@ ARG HTTP_PROXY ARG HTTPS_PROXY ARG NO_PROXY -COPY sc.cr[t] /tmp/sc.crt -RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \ - cp /tmp/sc.crt /etc/ssl/certs && \ +WORKDIR /certs +COPY certs/ /certs/ +RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \ + cp -f /certs/ /usr/local/share/ca-certificates/ && \ update-ca-certificates; \ fi -RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \ - cp /tmp/sc.crt /usr/share/pki/trust/anchors && \ +RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \ + cp -f /certs/ /tmp//usr/share/pki/trust/anchors/ && \ update-ca-certificates; \ fi +RUN if [ "${OS_DISTRIBUTION}" = "rhel" ]; then \ + cp -f /certs/ /etc/pki/ca-trust/source/anchors/ && \ + update-ca-trust; \ + fi +RUN rm -rf /certs + ########################### Add any other image customizations here ####################### #### Examples #### diff --git a/Earthfile b/Earthfile index 675f633..4d35027 100644 --- a/Earthfile +++ b/Earthfile 
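Review bot: `WORKDIR /certs` at the top of the Dockerfile hunk is paired with `RUN rm -rf /certs` at its end, so every later `RUN` in this Dockerfile and the image's default working directory point at a path that no longer exists; `COPY certs/ /certs/` already uses an absolute destination, so the `WORKDIR` line can simply be dropped. The openSUSE branch copies into `/tmp//usr/share/pki/trust/anchors/`, which looks like a stray `/tmp/` prefix: the anchors never reach the trust store the removed line used and `update-ca-certificates` will not see them, so after the `fix cp` commit (PATCH 02/10, where the same path survives) the line should read `cp -f /certs/* /usr/share/pki/trust/anchors/ && \`. `COPY certs/ /certs/` is also unconditional, unlike the removed `COPY sc.cr[t]` glob, so a build context without a `certs/` directory now fails at this step; the same idiom, `COPY cert[s] /certs/`, should keep the directory optional. Finally, `rm -rf /certs` in its own layer only hides the files — the `COPY` layer still holds them — which is fine for public CA certificates but must not be relied on to scrub anything else placed in `certs/`.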
@@ -48,7 +48,6 @@ ARG NO_PROXY ARG http_proxy=${HTTP_PROXY} ARG https_proxy=${HTTPS_PROXY} ARG no_proxy=${NO_PROXY} -ARG PROXY_CERT_PATH ARG UPDATE_KERNEL=false ARG ETCD_VERSION="v3.5.13" @@ -173,10 +172,8 @@ build-provider-images-fips: BASE_ALPINE: COMMAND - IF [ ! -z $PROXY_CERT_PATH ] - COPY sc.crt /etc/ssl/certs - RUN update-ca-certificates - END + COPY --if-exists certs/ /etc/ssl/certs/ + RUN update-ca-certificates RUN apk add curl iso-image-rootfs: @@ -592,7 +589,7 @@ kairos-provider-image: # base build image used to create the base image for all other image types base-image: - FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE --build-arg PROXY_CERT_PATH=$PROXY_CERT_PATH \ + FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE \ --build-arg OS_DISTRIBUTION=$OS_DISTRIBUTION --build-arg OS_VERSION=$OS_VERSION \ --build-arg HTTP_PROXY=$HTTP_PROXY --build-arg HTTPS_PROXY=$HTTPS_PROXY \ --build-arg NO_PROXY=$NO_PROXY . @@ -633,12 +630,6 @@ base-image: pro attach $UBUNTU_PRO_KEY END - # Add proxy certificate if present - IF [ ! -z $PROXY_CERT_PATH ] - COPY sc.crt /etc/ssl/certs - RUN update-ca-certificates - END - RUN apt-get update && \ apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y @@ -677,11 +668,6 @@ base-image: # OS == Opensuse ELSE IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] && [ "$ARCH" = "amd64" ] - # Add proxy certificate if present - IF [ ! -z $PROXY_CERT_PATH ] - COPY sc.crt /usr/share/pki/trust/anchors - RUN update-ca-certificates - END # Enable or Disable Kernel Updates IF [ "$UPDATE_KERNEL" = "false" ] RUN zypper al kernel-de* diff --git a/README.md b/README.md index 4664dbc..a5d3bae 100644 --- a/README.md +++ b/README.md 
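Review bot: In the `BASE_ALPINE` hunk, `COPY --if-exists certs/ /etc/ssl/certs/` places the files in the directory that `update-ca-certificates` writes its bundle to rather than the one it reads anchors from; on Alpine, as on the Ubuntu path this series mounts in `earthly.sh`, local anchors are presumably expected in `/usr/local/share/ca-certificates/`, and a file dropped directly into `/etc/ssl/certs` is not merged into `ca-certificates.crt`, so `apk`/`curl` in later steps may still fail TLS through the proxy. The removed `COPY sc.crt /etc/ssl/certs` had the same destination, so this is inherited rather than introduced, but this rewrite is the moment to correct it: `COPY --if-exists certs/ /usr/local/share/ca-certificates/`. The `BASE_ALPINE` command's definition starts above the hunk.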
@@ -129,8 +129,7 @@ cp .arg.template .arg
 | FIPS_ENABLED | to generate FIPS compliant binaries. `true` or `false` | string | `false` |
 | HTTP_PROXY | URL of the HTTP Proxy server to be used if needed (Optional) | string | |
 | HTTPS_PROXY | URL of the HTTPS Proxy server to be used if needed (Optional) | string | |
-| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | |
-| PROXY_CERT_PATH | Absolute path of the SSL Proxy certificate in PEM format if needed (Optional) | string | |
+| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | |
 | UPDATE_KERNEL | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider | boolean | `false` |
 | DISABLE_SELINUX | Disable selinux in the operating system. Some applications (like Kubevirt) do not like selinux | boolean | `true` |
 | CLUSTERCONFIG | Path of the cluster config | string | |
diff --git a/earthly.sh b/earthly.sh
index a9ff8a2..fd8bb37 100755
--- a/earthly.sh
+++ b/earthly.sh
@@ -11,12 +11,12 @@ function build_with_proxy() { docker stop earthly-buildkitd fi # start earthly buildkitd - docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION + docker run -d --privileged --name earthly-buildkitd -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm -t -e GLOBAL_CONFIG="$global_config" -e BUILDKIT_TCP_TRANSPORT_ENABLED=true -e http_proxy=$HTTP_PROXY -e https_proxy=$HTTPS_PROXY -e HTTPS_PROXY=$HTTPS_PROXY -e HTTP_PROXY=$HTTP_PROXY -e NO_PROXY=$NO_PROXY -e no_proxy=$no_proxy -e EARTHLY_GIT_CONFIG=$gitconfig -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" -v earthly-tmp:/tmp/earthly:rw -p 8372:8372 $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION # Update the CA certificates in the container docker exec -it earthly-buildkitd update-ca-certificates # Run Earthly in Docker to create artifacts Variables are passed from the .arg file - docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" + docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t 
-e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" } function build_without_proxy() { diff --git a/test/test-two-node.sh b/test/test-two-node.sh index c84607e..dd0c259 100755 --- a/test/test-two-node.sh +++ b/test/test-two-node.sh @@ -65,7 +65,6 @@ ISO_NAME=palette-edge-installer ARCH=amd64 HTTPS_PROXY= HTTP_PROXY= -PROXY_CERT_PATH= UPDATE_KERNEL=false EOF } From 869791fc9301b0e0931191f4765e373e5e7caaf0 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Sun, 15 Sep 2024 21:27:42 -0700 Subject: [PATCH 02/10] fix cp Signed-off-by: Nianyu Shen --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 738030c..d45a4b9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,16 +10,16 @@ ARG NO_PROXY WORKDIR /certs COPY certs/ /certs/ RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \ - cp -f /certs/ /usr/local/share/ca-certificates/ && \ + cp -f /certs/* /usr/local/share/ca-certificates/ && \ update-ca-certificates; \ fi RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \ - cp -f /certs/ /tmp//usr/share/pki/trust/anchors/ && \ + cp -f /certs/* /tmp//usr/share/pki/trust/anchors/ && \ update-ca-certificates; \ fi RUN if [ "${OS_DISTRIBUTION}" = "rhel" ]; then \ - cp -f /certs/ /etc/pki/ca-trust/source/anchors/ && \ + cp -f /certs/* /etc/pki/ca-trust/source/anchors/ && \ update-ca-trust; \ fi RUN rm -rf /certs From 5b4f596ea5ec0ae9ebc74a8933f01832bd5b4883 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Sun, 15 Sep 2024 21:37:44 -0700 Subject: [PATCH 03/10] add precommit Signed-off-by: Nianyu Shen --- .pre-commit-config.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..c3b658a --- /dev/null 
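Review bot: The new `-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro"` on the buildkitd `docker run` does not fail when there is no `certs/` in the working directory: Docker creates a missing bind source on the host as an empty, root-owned directory, so a proxy build without certificates silently leaves a `certs/` behind and the Dockerfile's `COPY certs/` then copies nothing. Check for the directory before starting the container, e.g. `[[ -d certs ]] || { echo "certs/ not found; create it (it may be empty) before building with a proxy" >&2; exit 1; }`, or use `--mount type=bind,src="$(pwd)/certs",dst=/usr/local/share/ca-certificates,readonly`, which refuses to start when the source does not exist. The removed `PROXY_CERT_PATH` mount at least surfaced an unset path as a docker error; the directory form needs an equally explicit check. `build_with_proxy` starts above the hunk.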
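Review bot: `cp -f /certs/*` in each of the three branches fails when `certs/` is empty, because an unmatched glob stays literal in `sh` and `cp` reports `cannot stat '/certs/*'`, so with the `&&` chain the build now aborts for a distribution that needs no extra CA — the removed `PROXY_CERT_PATH` check used to skip the copy in that case. Copying the directory contents instead, e.g. `cp -rf /certs/. /usr/local/share/ca-certificates/ && \` (and likewise for the other two branches), keeps the step a no-op for an empty directory while still failing on a real error. Separately, Debian's `update-ca-certificates` only picks up `*.crt` files from `/usr/local/share/ca-certificates`, so a `.pem` dropped into `certs/` is silently ignored on the Ubuntu path; a comment above the `COPY`, such as `# certs/: extra CA certificates, PEM encoded, named *.crt (other names are ignored on Ubuntu)`, would save users a confusing debugging session.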
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,24 @@
+# install pre-commit on your system and then
+# run pre-commit install in this repository.
+# You can by pass commit hooks with:
+# git commit -n
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: check-yaml
+ stages: [commit]
+ - id: check-json
+ stages: [commit]
+ - id: check-toml
+ stages: [commit]
+ - id: check-merge-conflict
+ stages: [commit]
+ - id: check-case-conflict
+ stages: [commit]
+ - id: detect-private-key
+ stages: [commit]
+ - repo: https://github.com/crate-ci/typos
+ rev: v1.24.5
+ hooks:
+ - id: typos
From 4e9baadf02e34c4b871a4d7df3f81b41e7488077 Mon Sep 17 00:00:00 2001
From: Nianyu Shen
Date: Sun, 15 Sep 2024 21:40:59 -0700
Subject: [PATCH 04/10] fix typo
---
 .arg.template | 2 +-
 README.md | 6 +++---
 cis-harden/harden.sh | 4 ++--
 earthly.sh | 4 ++--
 overlay/files/etc/rsyslog.d/49-stylus.conf | 2 +-
 rhel-core-images/README.md | 2 +-
 test/templates/two-node-cluster-profile.json.tmpl | 2 +-
 test/templates/two-node-master-master.json.tmpl | 2 +-
 test/test-two-node.sh | 4 ++--
 ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch | 2 +-
 10 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/.arg.template b/.arg.template
index cd2770e..79b5fba 100644
--- a/.arg.template
+++ b/.arg.template
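Review bot: `stages: [commit]` on every hook uses the legacy stage name; pre-commit 3.2 and later renamed it to `pre-commit` (the old spelling still runs but is deprecated and warns), so `stages: [pre-commit]` is the form to use with the hook versions pinned here. The `rev:` values are tags, which are mutable references; pinning each repo to the tag's commit SHA (`rev` accepts a full SHA) and letting `pre-commit autoupdate` move them gives a reproducible hook set for a tool that inspects every file in the repository. `detect-private-key` is a welcome addition next to a new `certs/` input directory.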
@@ -19,6 +19,6 @@ EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml
 # For enabling Secure Boot with Full Disk Encryption
 # IS_UKI=true
 # MY_ORG="ACME Corporation"
-# UKI_BRING_YOUR_OWN_KEYS=false # See sb-private-ca/howto.md for instructions on bringing your own certiticates
+# UKI_BRING_YOUR_OWN_KEYS=false # See sb-private-ca/howto.md for instructions on bringing your own certificates
 # INCLUDE_MS_SECUREBOOT_KEYS=true # Adds Microsoft Secure Boot certificates; if you export existing keys from a device, you typically won't need this
 # AUTO_ENROLL_SECUREBOOT_KEYS=false # Set to true to automatically enroll certificates on devices in Setup Mode, useful for flashing devices without user interaction
diff --git a/README.md b/README.md
index a5d3bae..c392ab8 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ From the Base Image, the provider image is used to package in the Kubernetes dis ### Installer Image -From the base image, this image is used to provide the initial flashing of a device (bare-metal or virtual machine). This image contains the user-data configuration that has been provided in `user-data`. It will also contain the contents of any content bundle for pre-staged builds. Pre-staged builds can be used to embed all of the artifacts that are required to build a cluster. These artifacts include Helm charts, manifests, and container images. These images are loaded into containerd when the cluster is initialized elminating the need for the initial download. For more information on how to build pre-loaded content checkout the Palette Docs at [Build your Own Content](https://docs.spectrocloud.com/clusters/edge/edgeforge-workflow/build-content-bundle). +From the base image, this image is used to provide the initial flashing of a device (bare-metal or virtual machine). This image contains the user-data configuration that has been provided in `user-data`. It will also contain the contents of any content bundle for pre-staged builds. Pre-staged builds can be used to embed all of the artifacts that are required to build a cluster. These artifacts include Helm charts, manifests, and container images. These images are loaded into containerd when the cluster is initialized eliminating the need for the initial download. For more information on how to build pre-loaded content checkout the Palette Docs at [Build your Own Content](https://docs.spectrocloud.com/clusters/edge/edgeforge-workflow/build-content-bundle). ### Custom Configuration 
@@ -219,7 +219,7 @@ docker push ttl.sh/ubuntu:k3s-1.25.2-v4.2.3-demo 12. Create a cluster profile using the command output. Use the [Model Edge Cluster Profile](https://docs.spectrocloud.com/clusters/edge/site-deployment/model-profile) to help you complete this step. -13. Flash VM or Baremetal device with the generated ISO. Refer to the [Prepare Edge Host for Installation](https://docs.spectrocloud.com/clusters/edge/site-deployment/stage) guide for additonal guidance. +13. Flash VM or Baremetal device with the generated ISO. Refer to the [Prepare Edge Host for Installation](https://docs.spectrocloud.com/clusters/edge/site-deployment/stage) guide for additional guidance. 14. Register the Edge host with Palette. Checkout the [Register Edge Host](https://docs.spectrocloud.com/clusters/edge/site-deployment/site-installation/edge-host-registration) guide. @@ -394,7 +394,7 @@ To display user audit entries on the Local UI dashboard, audit entries must be l Example syslog entry ``` -<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi nd":"user"} +<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi and":"user"} ``` Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI. \ No newline at end of file diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh index bb04965..52d575f 100755 --- a/cis-harden/harden.sh +++ b/cis-harden/harden.sh 
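Review bot: `"resourceKi and":"user"` in the new line of the second hunk (`@@ -394`) is the typo tool mis-correcting a fragment of `resourceKind`: the sample syslog entry was already hard-wrapped inside two tokens (`fb6 73bbfb2a2` and `resourceKi nd`), and replacing `nd` with `and` turns the JSON key into a different string, so the example no longer shows the key the surrounding text says Local UI requires. Restore the key by joining the fragment, `"resourceKind":"user"}`, and apparently the host id too (`edge-ce0a38422e4662887313fb673bbfb2a2`, as in the same line's first field), rather than accepting the automatic rewrite; if `typos` keeps flagging the example, exempt it instead.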
@@ -517,7 +517,7 @@ harden_system() { echo "Error out if there are users with empty password" cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}' if [[ $? -ne 0 ]]; then - echo "Users present with empty password. Remove the user or set pasword for the users" + echo "Users present with empty password. Remove the user or set password for the users" exit 1 fi @@ -540,7 +540,7 @@ harden_system() { fi done - echo "Remove cron and at deny files anf have allow files in place" + echo "Remove cron and at deny files and have allow files in place" rm -f /etc/cron.deny rm -f /etc/at.deny touch /etc/cron.allow diff --git a/earthly.sh b/earthly.sh index fd8bb37..9865b03 100755 --- a/earthly.sh +++ b/earthly.sh @@ -62,7 +62,7 @@ SPECTRO_PUB_REPO=gcr.io/spectro-images-public EARTHLY_VERSION=v0.8.5 source .arg ALPINE_IMG=$SPECTRO_PUB_REPO/canvos/alpine:3.20 -### Verify Depencies +### Verify Dependencies # Check if Docker is installed if command -v docker >/dev/null 2>&1; then echo "version: $(docker -v)" @@ -97,7 +97,7 @@ if [[ "$1" == "+uki-genkey" ]]; then ./keys.sh secure-boot/ fi -# if $1 is in oen of the following values, print the output for use in Palette Profile. +# if $1 is in one of the following values, print the output for use in Palette Profile. targets=("+build-provider-images" "+build-provider-images-fips" "+build-all-images") for arg in "${targets[@]}"; do if [[ "$1" == "$arg" ]]; then diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf index fc71256..a3fe62e 100644 --- a/overlay/files/etc/rsyslog.d/49-stylus.conf +++ b/overlay/files/etc/rsyslog.d/49-stylus.conf 
@@ -4,7 +4,7 @@ $PrivDropToGroup root # default config has $Umask 0022 set. That breaks any config related to masks and modes. $Umask 0000 -# Mesage format as per rfc5424. +# Message format as per rfc5424. $template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" # route messages with facility local7 and severity notice to /var/log/stylus-audit.log diff --git a/rhel-core-images/README.md b/rhel-core-images/README.md index cfe5a1c..3ad1d88 100644 --- a/rhel-core-images/README.md +++ b/rhel-core-images/README.md @@ -28,7 +28,7 @@ This scenario is for the environment where Red Hat Satellite must be used and ac 2. Mirror Kairos framework image (`quay.io/kairos/framework:v2.7.41`) to the internal Container registry. Provide image path for the build process by using argument `KAIROS_FRAMEWORK_IMAGE`. -3. Have the following repostiories synced and available on Red Hat Satellite: +3. Have the following repositories synced and available on Red Hat Satellite: For RHEL9: * rhel-9-for-x86_64-appstream-rpms diff --git a/test/templates/two-node-cluster-profile.json.tmpl b/test/templates/two-node-cluster-profile.json.tmpl index 5f68898..3c71a4e 100644 --- a/test/templates/two-node-cluster-profile.json.tmpl +++ b/test/templates/two-node-cluster-profile.json.tmpl 
@@ -32,7 +32,7 @@ "layer": "k8s", "version": "_____place_holder_____", "tag": "_____place_holder_____", - "values": "cluster:\n config: |\n flannel-backend: host-gw\n disable-network-policy: true\n disable:\n - traefik\n - local-storage\n - servicelb\n - metrics-server\n\n # configure the pod cidr range\n cluster-cidr: \"192.170.0.0/16\"\n\n # configure service cidr range\n service-cidr: \"192.169.0.0/16\"\n\n # etcd snapshot frequency and number of snapshot retained\n etcd-snapshot-schedule-cron: 0 */1 * * *\n etcd-snapshot-retention: 12\n\n # kubeconfig must be in run for the stylus operator to manage the cluster\n write-kubeconfig: /run/kubeconfig\n write-kubeconfig-mode: 600\n\n # additional component settings to harden installation\n kube-apiserver-arg:\n - anonymous-auth=true\n - profiling=false\n - disable-admission-plugins=AlwaysAdmit\n - default-not-ready-toleration-seconds=20\n - default-unreachable-toleration-seconds=20\n - enable-admission-plugins=AlwaysPullImages,NamespaceLifecycle,ServiceAccount,NodeRestriction,DefaultTolerationSeconds\n - audit-log-path=/var/log/apiserver/audit.log\n - audit-policy-file=/etc/kubernetes/audit-policy.yaml\n - audit-log-maxage=30\n - audit-log-maxbackup=10\n - audit-log-maxsize=100\n - authorization-mode=RBAC,Node\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n kube-controller-manager-arg:\n - profiling=false\n - terminated-pod-gc-threshold=25\n - use-service-account-credentials=true\n - feature-gates=RotateKubeletServerCertificate=true\n - node-monitor-period=5s\n - node-monitor-grace-period=20s\n kube-scheduler-arg:\n - profiling=false\n kubelet-arg:\n - read-only-port=0\n - event-qps=0\n - feature-gates=RotateKubeletServerCertificate=true\n - 
protect-kernel-defaults=true\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n - rotate-server-certificates=true\nstages:\n initramfs:\n - sysctl:\n vm.overcommit_memory: 1\n kernel.panic: 10\n kernel.panic_on_oops: 1\n kernel.printk: \"0 4 0 7\"\n - directories:\n - path: \"/var/log/apiserver\"\n permissions: 0644\n files:\n - path: /etc/hosts\n permission: \"0644\"\n content: |\n 127.0.0.1 localhost\n - path: \"/etc/kubernetes/audit-policy.yaml\"\n owner_string: \"root\"\n permission: 0600\n content: |\n apiVersion: audit.k8s.io/v1\n kind: Policy\n rules:\n - level: None\n users: [\"system:kube-proxy\"]\n verbs: [\"watch\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\", \"services\", \"services/status\"]\n - level: None\n users: [\"system:unsecured\"]\n namespaces: [\"kube-system\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\"]\n - level: None\n users: [\"kubelet\"] # legacy kubelet identity\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n userGroups: [\"system:nodes\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n users:\n - system:kube-controller-manager\n - system:kube-scheduler\n - system:serviceaccount:kube-system:endpoint-controller\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\"]\n - level: None\n users: [\"system:apiserver\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\n - level: None\n users: [\"cluster-autoscaler\"]\n verbs: 
[\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\", \"endpoints\"]\n # Don't log HPA fetching metrics.\n - level: None\n users:\n - system:kube-controller-manager\n verbs: [\"get\", \"list\"]\n resources:\n - group: \"metrics.k8s.io\"\n # Don't log these read-only URLs.\n - level: None\n nonResourceURLs:\n - /healthz*\n - /version\n - /swagger*\n # Don't log events requests.\n - level: None\n resources:\n - group: \"\" # core\n resources: [\"events\"]\n # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\n - level: Request\n users: [\"kubelet\", \"system:node-problem-detector\", \"system:serviceaccount:kube-system:node-problem-detector\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n - level: Request\n userGroups: [\"system:nodes\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n # deletecollection calls can be large, don't log responses for expected namespace deletions\n - level: Request\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\n verbs: [\"deletecollection\"]\n omitStages:\n - \"RequestReceived\"\n # Secrets, ConfigMaps, and TokenReviews can contain sensitive \u0026 binary data,\n # so only log at the Metadata level.\n - level: Metadata\n resources:\n - group: \"\" # core\n resources: [\"secrets\", \"configmaps\"]\n - group: authentication.k8s.io\n resources: [\"tokenreviews\"]\n omitStages:\n - \"RequestReceived\"\n # Get repsonses can be large; skip them.\n - level: Request\n verbs: [\"get\", \"list\", \"watch\"]\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: 
\"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for known APIs\n - level: RequestResponse\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for all other requests.\n - level: Metadata\n omitStages:\n - \"RequestReceived\"\npack:\n palette:\n config:\n oidc:\n identityProvider: noauth", + "values": "cluster:\n config: |\n flannel-backend: host-gw\n disable-network-policy: true\n disable:\n - traefik\n - local-storage\n - servicelb\n - metrics-server\n\n # configure the pod cidr range\n cluster-cidr: \"192.170.0.0/16\"\n\n # configure service cidr range\n service-cidr: \"192.169.0.0/16\"\n\n # etcd snapshot frequency and number of snapshot retained\n etcd-snapshot-schedule-cron: 0 */1 * * *\n etcd-snapshot-retention: 12\n\n # kubeconfig must be in run for the stylus operator to manage the cluster\n write-kubeconfig: /run/kubeconfig\n write-kubeconfig-mode: 600\n\n # additional component settings to harden installation\n kube-apiserver-arg:\n - anonymous-auth=true\n - profiling=false\n - disable-admission-plugins=AlwaysAdmit\n - 
default-not-ready-toleration-seconds=20\n - default-unreachable-toleration-seconds=20\n - enable-admission-plugins=AlwaysPullImages,NamespaceLifecycle,ServiceAccount,NodeRestriction,DefaultTolerationSeconds\n - audit-log-path=/var/log/apiserver/audit.log\n - audit-policy-file=/etc/kubernetes/audit-policy.yaml\n - audit-log-maxage=30\n - audit-log-maxbackup=10\n - audit-log-maxsize=100\n - authorization-mode=RBAC,Node\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n kube-controller-manager-arg:\n - profiling=false\n - terminated-pod-gc-threshold=25\n - use-service-account-credentials=true\n - feature-gates=RotateKubeletServerCertificate=true\n - node-monitor-period=5s\n - node-monitor-grace-period=20s\n kube-scheduler-arg:\n - profiling=false\n kubelet-arg:\n - read-only-port=0\n - event-qps=0\n - feature-gates=RotateKubeletServerCertificate=true\n - protect-kernel-defaults=true\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n - rotate-server-certificates=true\nstages:\n initramfs:\n - sysctl:\n vm.overcommit_memory: 1\n kernel.panic: 10\n kernel.panic_on_oops: 1\n kernel.printk: \"0 4 0 7\"\n - directories:\n - path: \"/var/log/apiserver\"\n permissions: 0644\n files:\n - path: /etc/hosts\n permission: \"0644\"\n content: |\n 127.0.0.1 localhost\n - path: \"/etc/kubernetes/audit-policy.yaml\"\n owner_string: \"root\"\n permission: 0600\n content: |\n apiVersion: audit.k8s.io/v1\n kind: Policy\n rules:\n - level: None\n users: 
[\"system:kube-proxy\"]\n verbs: [\"watch\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\", \"services\", \"services/status\"]\n - level: None\n users: [\"system:unsecured\"]\n namespaces: [\"kube-system\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\"]\n - level: None\n users: [\"kubelet\"] # legacy kubelet identity\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n userGroups: [\"system:nodes\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n users:\n - system:kube-controller-manager\n - system:kube-scheduler\n - system:serviceaccount:kube-system:endpoint-controller\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\"]\n - level: None\n users: [\"system:apiserver\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\n - level: None\n users: [\"cluster-autoscaler\"]\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\", \"endpoints\"]\n # Don't log HPA fetching metrics.\n - level: None\n users:\n - system:kube-controller-manager\n verbs: [\"get\", \"list\"]\n resources:\n - group: \"metrics.k8s.io\"\n # Don't log these read-only URLs.\n - level: None\n nonResourceURLs:\n - /healthz*\n - /version\n - /swagger*\n # Don't log events requests.\n - level: None\n resources:\n - group: \"\" # core\n resources: [\"events\"]\n # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\n - level: Request\n users: [\"kubelet\", \"system:node-problem-detector\", \"system:serviceaccount:kube-system:node-problem-detector\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n 
resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n - level: Request\n userGroups: [\"system:nodes\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n # deletecollection calls can be large, don't log responses for expected namespace deletions\n - level: Request\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\n verbs: [\"deletecollection\"]\n omitStages:\n - \"RequestReceived\"\n # Secrets, ConfigMaps, and TokenReviews can contain sensitive \u0026 binary data,\n # so only log at the Metadata level.\n - level: Metadata\n resources:\n - group: \"\" # core\n resources: [\"secrets\", \"configmaps\"]\n - group: authentication.k8s.io\n resources: [\"tokenreviews\"]\n omitStages:\n - \"RequestReceived\"\n # Get responses can be large; skip them.\n - level: Request\n verbs: [\"get\", \"list\", \"watch\"]\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for known APIs\n - level: RequestResponse\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: 
\"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for all other requests.\n - level: Metadata\n omitStages:\n - \"RequestReceived\"\npack:\n palette:\n config:\n oidc:\n identityProvider: noauth", "registry": { "metadata": { "uid": "_____place_holder_____", diff --git a/test/templates/two-node-master-master.json.tmpl b/test/templates/two-node-master-master.json.tmpl index 1dcd625..557da4b 100644 --- a/test/templates/two-node-master-master.json.tmpl +++ b/test/templates/two-node-master-master.json.tmpl 
@@ -74,7 +74,7 @@ "tag": "_____place_holder_____", "name": "edge-k3s", "type": "spectro", - "values": "cluster:\n config: |\n flannel-backend: host-gw\n disable-network-policy: true\n disable:\n - traefik\n - local-storage\n - servicelb\n - metrics-server\n\n # configure the pod cidr range\n cluster-cidr: \"192.170.0.0/16\"\n\n # configure service cidr range\n service-cidr: \"192.169.0.0/16\"\n\n # etcd snapshot frequency and number of snapshot retained\n etcd-snapshot-schedule-cron: 0 */1 * * *\n etcd-snapshot-retention: 12\n\n # kubeconfig must be in run for the stylus operator to manage the cluster\n write-kubeconfig: /run/kubeconfig\n write-kubeconfig-mode: 600\n\n # additional component settings to harden installation\n kube-apiserver-arg:\n - anonymous-auth=true\n - profiling=false\n - disable-admission-plugins=AlwaysAdmit\n - default-not-ready-toleration-seconds=20\n - default-unreachable-toleration-seconds=20\n - enable-admission-plugins=AlwaysPullImages,NamespaceLifecycle,ServiceAccount,NodeRestriction,DefaultTolerationSeconds\n - audit-log-path=/var/log/apiserver/audit.log\n - audit-policy-file=/etc/kubernetes/audit-policy.yaml\n - audit-log-maxage=30\n - audit-log-maxbackup=10\n - audit-log-maxsize=100\n - authorization-mode=RBAC,Node\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n kube-controller-manager-arg:\n - profiling=false\n - terminated-pod-gc-threshold=25\n - use-service-account-credentials=true\n - feature-gates=RotateKubeletServerCertificate=true\n - node-monitor-period=5s\n - node-monitor-grace-period=20s\n kube-scheduler-arg:\n - profiling=false\n kubelet-arg:\n - read-only-port=0\n - event-qps=0\n - feature-gates=RotateKubeletServerCertificate=true\n - 
protect-kernel-defaults=true\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n - rotate-server-certificates=true\nstages:\n initramfs:\n - sysctl:\n vm.overcommit_memory: 1\n kernel.panic: 10\n kernel.panic_on_oops: 1\n kernel.printk: \"0 4 0 7\"\n - directories:\n - path: \"/var/log/apiserver\"\n permissions: 0644\n files:\n - path: /etc/hosts\n permission: \"0644\"\n content: |\n 127.0.0.1 localhost\n - path: \"/etc/kubernetes/audit-policy.yaml\"\n owner_string: \"root\"\n permission: 0600\n content: |\n apiVersion: audit.k8s.io/v1\n kind: Policy\n rules:\n - level: None\n users: [\"system:kube-proxy\"]\n verbs: [\"watch\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\", \"services\", \"services/status\"]\n - level: None\n users: [\"system:unsecured\"]\n namespaces: [\"kube-system\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\"]\n - level: None\n users: [\"kubelet\"] # legacy kubelet identity\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n userGroups: [\"system:nodes\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n users:\n - system:kube-controller-manager\n - system:kube-scheduler\n - system:serviceaccount:kube-system:endpoint-controller\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\"]\n - level: None\n users: [\"system:apiserver\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\n - level: None\n users: [\"cluster-autoscaler\"]\n verbs: 
[\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\", \"endpoints\"]\n # Don't log HPA fetching metrics.\n - level: None\n users:\n - system:kube-controller-manager\n verbs: [\"get\", \"list\"]\n resources:\n - group: \"metrics.k8s.io\"\n # Don't log these read-only URLs.\n - level: None\n nonResourceURLs:\n - /healthz*\n - /version\n - /swagger*\n # Don't log events requests.\n - level: None\n resources:\n - group: \"\" # core\n resources: [\"events\"]\n # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\n - level: Request\n users: [\"kubelet\", \"system:node-problem-detector\", \"system:serviceaccount:kube-system:node-problem-detector\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n - level: Request\n userGroups: [\"system:nodes\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n # deletecollection calls can be large, don't log responses for expected namespace deletions\n - level: Request\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\n verbs: [\"deletecollection\"]\n omitStages:\n - \"RequestReceived\"\n # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,\n # so only log at the Metadata level.\n - level: Metadata\n resources:\n - group: \"\" # core\n resources: [\"secrets\", \"configmaps\"]\n - group: authentication.k8s.io\n resources: [\"tokenreviews\"]\n omitStages:\n - \"RequestReceived\"\n # Get repsonses can be large; skip them.\n - level: Request\n verbs: [\"get\", \"list\", \"watch\"]\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: 
\"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for known APIs\n - level: RequestResponse\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for all other requests.\n - level: Metadata\n omitStages:\n - \"RequestReceived\"\npack:\n palette:\n config:\n oidc:\n identityProvider: noauth", + "values": "cluster:\n config: |\n flannel-backend: host-gw\n disable-network-policy: true\n disable:\n - traefik\n - local-storage\n - servicelb\n - metrics-server\n\n # configure the pod cidr range\n cluster-cidr: \"192.170.0.0/16\"\n\n # configure service cidr range\n service-cidr: \"192.169.0.0/16\"\n\n # etcd snapshot frequency and number of snapshot retained\n etcd-snapshot-schedule-cron: 0 */1 * * *\n etcd-snapshot-retention: 12\n\n # kubeconfig must be in run for the stylus operator to manage the cluster\n write-kubeconfig: /run/kubeconfig\n write-kubeconfig-mode: 600\n\n # additional component settings to harden installation\n kube-apiserver-arg:\n - anonymous-auth=true\n - profiling=false\n - disable-admission-plugins=AlwaysAdmit\n - 
default-not-ready-toleration-seconds=20\n - default-unreachable-toleration-seconds=20\n - enable-admission-plugins=AlwaysPullImages,NamespaceLifecycle,ServiceAccount,NodeRestriction,DefaultTolerationSeconds\n - audit-log-path=/var/log/apiserver/audit.log\n - audit-policy-file=/etc/kubernetes/audit-policy.yaml\n - audit-log-maxage=30\n - audit-log-maxbackup=10\n - audit-log-maxsize=100\n - authorization-mode=RBAC,Node\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n kube-controller-manager-arg:\n - profiling=false\n - terminated-pod-gc-threshold=25\n - use-service-account-credentials=true\n - feature-gates=RotateKubeletServerCertificate=true\n - node-monitor-period=5s\n - node-monitor-grace-period=20s\n kube-scheduler-arg:\n - profiling=false\n kubelet-arg:\n - read-only-port=0\n - event-qps=0\n - feature-gates=RotateKubeletServerCertificate=true\n - protect-kernel-defaults=true\n - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n - rotate-server-certificates=true\nstages:\n initramfs:\n - sysctl:\n vm.overcommit_memory: 1\n kernel.panic: 10\n kernel.panic_on_oops: 1\n kernel.printk: \"0 4 0 7\"\n - directories:\n - path: \"/var/log/apiserver\"\n permissions: 0644\n files:\n - path: /etc/hosts\n permission: \"0644\"\n content: |\n 127.0.0.1 localhost\n - path: \"/etc/kubernetes/audit-policy.yaml\"\n owner_string: \"root\"\n permission: 0600\n content: |\n apiVersion: audit.k8s.io/v1\n kind: Policy\n rules:\n - level: None\n users: 
[\"system:kube-proxy\"]\n verbs: [\"watch\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\", \"services\", \"services/status\"]\n - level: None\n users: [\"system:unsecured\"]\n namespaces: [\"kube-system\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\"]\n - level: None\n users: [\"kubelet\"] # legacy kubelet identity\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n userGroups: [\"system:nodes\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes\", \"nodes/status\"]\n - level: None\n users:\n - system:kube-controller-manager\n - system:kube-scheduler\n - system:serviceaccount:kube-system:endpoint-controller\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"endpoints\"]\n - level: None\n users: [\"system:apiserver\"]\n verbs: [\"get\"]\n resources:\n - group: \"\" # core\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\n - level: None\n users: [\"cluster-autoscaler\"]\n verbs: [\"get\", \"update\"]\n namespaces: [\"kube-system\"]\n resources:\n - group: \"\" # core\n resources: [\"configmaps\", \"endpoints\"]\n # Don't log HPA fetching metrics.\n - level: None\n users:\n - system:kube-controller-manager\n verbs: [\"get\", \"list\"]\n resources:\n - group: \"metrics.k8s.io\"\n # Don't log these read-only URLs.\n - level: None\n nonResourceURLs:\n - /healthz*\n - /version\n - /swagger*\n # Don't log events requests.\n - level: None\n resources:\n - group: \"\" # core\n resources: [\"events\"]\n # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\n - level: Request\n users: [\"kubelet\", \"system:node-problem-detector\", \"system:serviceaccount:kube-system:node-problem-detector\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n 
resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n - level: Request\n userGroups: [\"system:nodes\"]\n verbs: [\"update\",\"patch\"]\n resources:\n - group: \"\" # core\n resources: [\"nodes/status\", \"pods/status\"]\n omitStages:\n - \"RequestReceived\"\n # deletecollection calls can be large, don't log responses for expected namespace deletions\n - level: Request\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\n verbs: [\"deletecollection\"]\n omitStages:\n - \"RequestReceived\"\n # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,\n # so only log at the Metadata level.\n - level: Metadata\n resources:\n - group: \"\" # core\n resources: [\"secrets\", \"configmaps\"]\n - group: authentication.k8s.io\n resources: [\"tokenreviews\"]\n omitStages:\n - \"RequestReceived\"\n # Get responses can be large; skip them.\n - level: Request\n verbs: [\"get\", \"list\", \"watch\"]\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for known APIs\n - level: RequestResponse\n resources:\n - group: \"\" # core\n - group: \"admissionregistration.k8s.io\"\n - group: \"apiextensions.k8s.io\"\n - group: \"apiregistration.k8s.io\"\n - group: \"apps\"\n - group: \"authentication.k8s.io\"\n - group: \"authorization.k8s.io\"\n - group: \"autoscaling\"\n - group: \"batch\"\n - group: \"certificates.k8s.io\"\n - group: \"extensions\"\n - group: \"metrics.k8s.io\"\n - 
group: \"networking.k8s.io\"\n - group: \"policy\"\n - group: \"rbac.authorization.k8s.io\"\n - group: \"settings.k8s.io\"\n - group: \"storage.k8s.io\"\n omitStages:\n - \"RequestReceived\"\n # Default level for all other requests.\n - level: Metadata\n omitStages:\n - \"RequestReceived\"\npack:\n palette:\n config:\n oidc:\n identityProvider: noauth", "manifests": [] }, { diff --git a/test/test-two-node.sh b/test/test-two-node.sh index dd0c259..cfc6823 100755 --- a/test/test-two-node.sh +++ b/test/test-two-node.sh @@ -207,7 +207,7 @@ function get_ready_edge_hosts() { ' { "filter": { - "conjuction": "and", + "conjunction": "and", "filterGroups": [ { "conjunction": "and", @@ -273,7 +273,7 @@ function destroy_edge_hosts() { ' { "filter": { - "conjuction": "and", + "conjunction": "and", "filterGroups": [ { "conjunction": "and", diff --git a/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch b/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch index 7fba713..6f7be89 100644 --- a/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch +++ b/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch @@ -7,7 +7,7 @@ index 59ea5e089..fe40547d1 100755 echo "Before=dracut-initqueue.service" ) > "${initdir}/$systemdsystemunitdir/iscsid.service.d/dracut.conf" + -+ # The iscsi deamon does not need to wait for any storage inside initrd ++ # The iscsi daemon does not need to wait for any storage inside initrd + mkdir -p "${initdir}/$systemdsystemunitdir/iscsid.socket.d" + ( + echo "[Unit]" From b480139bbdbfe31b7ead4da49cce3b5e2e7cdd30 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Sun, 15 Sep 2024 21:54:20 -0700 Subject: [PATCH 05/10] add .gitkeep to certs --- certs/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 certs/.gitkeep diff --git a/certs/.gitkeep b/certs/.gitkeep new file mode 100644 index 0000000..e69de29 From ab1e69d960886bb6a007d061bffdc5b9390b0738 Mon Sep 17 00:00:00 2001 
From: Nianyu Shen Date: Mon, 23 Sep 2024 15:50:59 -0700 Subject: [PATCH 06/10] force update certs before running earthly cmds Signed-off-by: Nianyu Shen --- earthly-cert.sh | 6 ++++++ earthly.sh | 5 +++-- 2 files changed, 9 insertions(+), 2 deletions(-) create mode 100755 earthly-cert.sh diff --git a/earthly-cert.sh b/earthly-cert.sh new file mode 100755 index 0000000..b3b7ebc --- /dev/null +++ b/earthly-cert.sh @@ -0,0 +1,6 @@ +#!/bin/sh +# uncomment the line below to enable debug mode +set -x + +update-ca-certificates +earthly $@ \ No newline at end of file diff --git a/earthly.sh b/earthly.sh index 9865b03..0596889 100755 --- a/earthly.sh +++ b/earthly.sh @@ -16,7 +16,7 @@ function build_with_proxy() { docker exec -it earthly-buildkitd update-ca-certificates # Run Earthly in Docker to create artifacts Variables are passed from the .arg file - docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" + docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 -e BUILDKIT_TLS_ENABLED=false -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" -v "$(pwd)":/workspace --entrypoint /workspace/earthly-cert.sh $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@" } function build_without_proxy() { @@ -75,7 +75,8 @@ if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container exit 1 fi if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY"]; then - build_without_proxy "$@" + # build_without_proxy "$@" + build_with_proxy "$@" else build_with_proxy "$@" fi 
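Review bot: `earthly $@` on the new script's last line is unquoted, so any argument containing spaces or glob characters (a `--build-arg` value with a space, for instance) is re-split before earthly sees it; write it as `exec earthly "$@"` so arguments pass through intact and earthly replaces the wrapper process, which also lets signals from `docker run` reach it. The `set -x` two lines above is active although the comment says it is opt-in, and it traces every command line — including any credential passed as an argument — into the build output. I would replace it with `set -e`, which additionally makes a failing `update-ca-certificates` abort the run instead of silently continuing with the unmodified trust store. The file is also missing its trailing newline.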
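Review bot: With this mount every file a user leaves in `certs/` becomes a trust anchor for the build container, yet nothing checks the directory before `docker run`: `update-ca-certificates` imports only files named `*.crt` (certain on Debian/Ubuntu; I believe the Alpine implementation behaves the same), so a `.pem` bundle is silently skipped and the build later fails with an opaque TLS error, while the `.gitkeep` placeholder is harmless only because it is a dotfile. A one-line pre-flight would make the contract visible: `ls certs/*.crt >/dev/null 2>&1 || echo "warning: no *.crt files in certs/, proxy CA will not be trusted" >&2`. Since the same directory is copied into the shipped image's trust store by the Dockerfile changes later in this series, a comment above the mount stating that `certs/` is a root of trust and must contain only vetted CA certificates is worth adding. The body of build_with_proxy begins outside the hunk.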
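Review bot: The condition that selects between these two calls, `[ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY"]` on the context line above, lacks the space before its closing bracket, so with HTTPS_PROXY set the shell reports `[: missing ']'` (non-zero, falling into `build_with_proxy`) and with it empty the test degenerates to `[ -z ]`, which is true only because `-z` is itself a non-empty string; the right branch is reached by accident, not by the value. It should read `[ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY" ]`. Commenting out `build_without_proxy` here looks like a debug leftover, as the following patch restores it.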
From 315b75618e2efa8ee726d4ca5bcafd04442df5a3 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Mon, 23 Sep 2024 15:52:10 -0700 Subject: [PATCH 07/10] remove debug lines Signed-off-by: Nianyu Shen --- earthly.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/earthly.sh b/earthly.sh index 0596889..0565dbd 100755 --- a/earthly.sh +++ b/earthly.sh @@ -75,8 +75,7 @@ if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container exit 1 fi if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY"]; then - # build_without_proxy "$@" - build_with_proxy "$@" + build_without_proxy "$@" else build_with_proxy "$@" fi From e626bb186b5e72f9bdce461250ca00881112a9fc Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Wed, 23 Oct 2024 13:40:00 -0700 Subject: [PATCH 08/10] update Signed-off-by: Nianyu Shen --- earthly-entrypoint.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/earthly-entrypoint.sh b/earthly-entrypoint.sh index 96412c2..8f949b4 100755 --- a/earthly-entrypoint.sh +++ b/earthly-entrypoint.sh @@ -1,7 +1,6 @@ #!/bin/sh # uncomment the line below to enable debug mode set -ex -cp /workspace/sc.crt /usr/local/share/ca-certificates/sc.crt update-ca-certificates # reference: https://github.com/earthly/earthly/blob/main/earthly-entrypoint.sh From 708e2591ceff0bb126f3b070ef76bc08b2ac7056 Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Sun, 10 Nov 2024 20:43:59 -0800 Subject: [PATCH 09/10] fix: typo Signed-off-by: Nianyu Shen --- Dockerfile | 2 +- README.md | 66 +++++++++++++++++++++++++++++------------------------- 2 files changed, 37 insertions(+), 31 deletions(-) diff --git a/Dockerfile b/Dockerfile index d45a4b9..4f8efb0 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -14,7 +14,7 @@ RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \ update-ca-certificates; \ fi RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \ - cp -f /certs/* /tmp//usr/share/pki/trust/anchors/ && \ + cp -f /certs/* /usr/share/pki/trust/anchors/ && \ update-ca-certificates; \ fi diff --git a/README.md b/README.md index 3a1ce79..332dc76 100644 --- a/README.md +++ b/README.md 
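Review bot: `cp -f /certs/*` in the opensuse-leap branch copies every non-dot file in `certs/` into the image's trust-anchor directory, so a stray private key or README dropped beside the CA certificate is shipped inside the OS image; and when the directory holds only `.gitkeep`, `*` matches no dotfile and stays literal, so `cp` fails and the `RUN` aborts for anyone building without a proxy CA (unless an earlier patch in the series, not shown here, guards this). Restricting the copy to certificate files and tolerating an empty directory fixes both: `find /certs -maxdepth 1 -type f \( -name '*.crt' -o -name '*.pem' \) -exec cp -f {} /usr/share/pki/trust/anchors/ \; && \`. The ubuntu `RUN` at the top of the hunk starts outside it and presumably carries the same `cp -f /certs/*` pattern, which would need the same treatment.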
@@ -115,29 +115,29 @@ cp .arg.template .arg 7. Modify the `.arg` file as needed. Primarily, you must define the tag you want to use for your images. For example, if the operating system is `ubuntu` and the tag is `demo`, the image artefact will name as `ttl.sh/ubuntu:k3s-1.25.2-v3.4.3-demo`. The **.arg** file defines the following variables: -| Parameter | Description | Type | Default Value | -| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ------------------------ | -| CUSTOM_TAG | Environment name for provider image tagging. The default value is `demo`. | String | `demo` | -| IMAGE_REGISTRY | Image registry name that will store the image artifacts. The default value points to the _ttl.sh_ image registry, an anonymous and ephemeral Docker image registry where images live for a maximum of 24 hours by default. If you wish to make the images exist longer than 24 hours, you can use any other image registry to suit your needs. | String | `ttl.sh` | -| OS_DISTRIBUTION | OS distribution of your choice. For example, it can be `ubuntu`, `opensuse-leap`, `rhel` or `sles` | String | `ubuntu` | -| IMAGE_REPO | Image repository name in your chosen registry. | String | `$OS_DISTRIBUTION` | -| OS_VERSION | OS version. For Ubuntu, the possible values are `20`, and `22`. Whereas for openSUSE Leap, the possible value is `15.6`. For sles, possible values are `5.4`. This example uses `22` for Ubuntu. | String | `22` | -| K8S_DISTRIBUTION | Kubernetes distribution name. It can be one of these: `k3s`, `rke2`, `kubeadm`, or `kubeadm-fips`. | String | `k3s` | -| ISO_NAME | Name of the Edge installer ISO image. 
In this example, the name is _palette-edge-installer_. | String | `palette-edge-installer` | -| ARCH | Type of platform to use for the build. Used for Cross Platform Build (arm64 to amd64 as example). | string | `amd64` | -| BASE_IMAGE | Base image to be used for building installer and provider images. | String | | -| FIPS_ENABLED | to generate FIPS compliant binaries. `true` or `false` | string | `false` | -| HTTP_PROXY | URL of the HTTP Proxy server to be used if needed (Optional) | string | | -| HTTPS_PROXY | URL of the HTTPS Proxy server to be used if needed (Optional) | string | | -| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | | -| UPDATE_KERNEL | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider | boolean | `false` | -| DISABLE_SELINUX | Disable selinux in the operating system. Some applications (like Kubevirt) do not like selinux | boolean | `true` | -| CLUSTERCONFIG | Path of the cluster config | string | | -| IS_UKI | Build UKI(Trusted boot) images | boolean | `false` | -| UKI_BRING_YOUR_OWN_KEYS | Bring your own public/private key pairs if this is set to true. Otherwise, CanvOS will generate the key pair. 
| boolean | `false` | -| INCLUDE_MS_SECUREBOOT_KEYS | Include Microsoft 3rd Party UEFI CA certificate in generated keys | boolean | `true` | -| AUTO_ENROLL_SECUREBOOT_KEYS | Auto enroll SecureBoot keys when device boots up and is in setup mode of secure boot | boolean | `true` | -| EDGE_CUSTOM_CONFIG | Path to edge custom configuration file | string | `.edge-custom-config.yaml` | +| Parameter | Description | Type | Default Value | +| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------------------------- | +| CUSTOM_TAG | Environment name for provider image tagging. The default value is `demo`. | String | `demo` | +| IMAGE_REGISTRY | Image registry name that will store the image artifacts. The default value points to the _ttl.sh_ image registry, an anonymous and ephemeral Docker image registry where images live for a maximum of 24 hours by default. If you wish to make the images exist longer than 24 hours, you can use any other image registry to suit your needs. | String | `ttl.sh` | +| OS_DISTRIBUTION | OS distribution of your choice. For example, it can be `ubuntu`, `opensuse-leap`, `rhel` or `sles` | String | `ubuntu` | +| IMAGE_REPO | Image repository name in your chosen registry. | String | `$OS_DISTRIBUTION` | +| OS_VERSION | OS version. For Ubuntu, the possible values are `20`, and `22`. Whereas for openSUSE Leap, the possible value is `15.6`. For sles, possible values are `5.4`. This example uses `22` for Ubuntu. | String | `22` | +| K8S_DISTRIBUTION | Kubernetes distribution name. It can be one of these: `k3s`, `rke2`, `kubeadm`, or `kubeadm-fips`. | String | `k3s` | +| ISO_NAME | Name of the Edge installer ISO image. 
In this example, the name is _palette-edge-installer_. | String | `palette-edge-installer` | +| ARCH | Type of platform to use for the build. Used for Cross Platform Build (arm64 to amd64 as example). | string | `amd64` | +| BASE_IMAGE | Base image to be used for building installer and provider images. | String | | +| FIPS_ENABLED | to generate FIPS compliant binaries. `true` or `false` | string | `false` | +| HTTP_PROXY | URL of the HTTP Proxy server to be used if needed (Optional) | string | | +| HTTPS_PROXY | URL of the HTTPS Proxy server to be used if needed (Optional) | string | | +| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | | +| UPDATE_KERNEL | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider | boolean | `false` | +| DISABLE_SELINUX | Disable selinux in the operating system. Some applications (like Kubevirt) do not like selinux | boolean | `true` | +| CLUSTERCONFIG | Path of the cluster config | string | | +| IS_UKI | Build UKI(Trusted boot) images | boolean | `false` | +| UKI_BRING_YOUR_OWN_KEYS | Bring your own public/private key pairs if this is set to true. Otherwise, CanvOS will generate the key pair. | boolean | `false` | +| INCLUDE_MS_SECUREBOOT_KEYS | Include Microsoft 3rd Party UEFI CA certificate in generated keys | boolean | `true` | +| AUTO_ENROLL_SECUREBOOT_KEYS | Auto enroll SecureBoot keys when device boots up and is in setup mode of secure boot | boolean | `true` | +| EDGE_CUSTOM_CONFIG | Path to edge custom configuration file | string | `.edge-custom-config.yaml` | 1. (Optional) If you are building the images behind a proxy server, you may need to modify your docker daemon settings to let it use your proxy server. You can refer this [tutorial](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy). 
@@ -325,7 +325,7 @@ earthly --push +build-all-images ### Building Installer Image with public key for verifying signed content -1. Copy the .edge.custom-config.yaml.template file to .edge.custom-config.yaml +1. Copy the .edge.custom-config.yaml.template file to .edge.custom-config.yaml ```shell cp .edge.custom-config.yaml.template .edge.custom-config.yaml @@ -334,6 +334,7 @@ cp .edge.custom-config.yaml.template .edge.custom-config.yaml 2. Edit the property signing.publicKey in `.edge.custom-config.yaml` 3. Include the following property in `.arg` file + ``` ... 
@@ -346,34 +347,38 @@ EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml earthly --push +build-all-images ``` - ### Audit Logs User Customisation #### Configuration + rsyslog config file: `overlay/files/etc/rsyslog.d/49-stylus.conf` copied to `/etc/rsyslog.d/49-stylus.conf` logrotate config file: `overlay/files/etc/logrotate.d/stylus.conf` copied to `/etc/logrotate.d/stylus.conf` #### Send stylus audit events to user file + Users can log stylus audit events to additional files, in addition to `/var/log/stylus-audit.log`. To log stylus audit events to custom files, create a configuration file in the `overlay/files/etc/rsyslog.d` directory named `.conf` (must be before `49-stylus.conf` lexicographically). Example: `48-audit.conf` Users can use the following configuration as a base for their filtering logic. replace `` with the desired file name + ``` $PrivDropToUser root $PrivDropToGroup root if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then { action( - type="omfile" - file="" + type="omfile" + file="" ) } ``` #### Send user application audit events to stylus audit file + To include user application audit events in the `/var/log/stylus-audit.log` file, add the following to the same configuration file (e.g. `48-audit.conf`) or create a new config file before `49-stylus.conf`: `` : user application name or tag + ``` $PrivDropToUser root $PrivDropToGroup root @@ -381,8 +386,8 @@ $Umask 0000 $template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n" if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains '') then { action( - type="omfile" - file="/var/log/stylus-audit.log" + type="omfile" + file="/var/log/stylus-audit.log" FileCreateMode="0600" fileowner="root" template="ForwardFormat" 
@@ -393,8 +398,9 @@ if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $s To display user audit entries on the Local UI dashboard, audit entries must be logged in RFC 5424 format with the message (`msg`) part in JSON format. This JSON message must include the following keys: `edgeHostId`, `contentMsg`, `action`, `actor`, `actorType`, `resourceId`, `resourceName`, `resourceKind` Example syslog entry + ``` -<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi and":"user"} +<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKind":"user"} ``` Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI. From 3209636b293e2ff3700b9548e3544ffe6e8c1f4a Mon Sep 17 00:00:00 2001 From: Nianyu Shen Date: Mon, 11 Nov 2024 02:47:18 -0800 Subject: [PATCH 10/10] fix: workaround to support deprecated field PROXY_CERT_PATH Signed-off-by: Nianyu Shen --- earthly.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/earthly.sh b/earthly.sh index 92042b0..d28c922 100755 --- a/earthly.sh +++ b/earthly.sh 
@@ -94,6 +94,14 @@ PE_VERSION=$(git describe --abbrev=0 --tags)
 SPECTRO_PUB_REPO=us-docker.pkg.dev/palette-images
 EARTHLY_VERSION=v0.8.15
 source .arg
+
+# Workaround to support deprecated field PROXY_CERT_PATH
+if [ -n "$PROXY_CERT_PATH" ]; then
+ echo "PROXY_CERT_PATH is deprecated. Please place your certificates in the certs directory."
+ echo "Copying the certificates from $PROXY_CERT_PATH to certs/"
+ cp $PROXY_CERT_PATH certs/
+fi
+
 ALPINE_IMG=$SPECTRO_PUB_REPO/edge/canvos/alpine:3.20
 ### Verify Dependencies
 # Check if Docker is installed
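Review bot: `cp $PROXY_CERT_PATH certs/` is unquoted and unchecked: a path with spaces is word-split, a value beginning with `-` is parsed as a `cp` option, and a missing file only prints an error while the script carries on to a build that fails much later on a TLS error. The copy also keeps its original name, but `update-ca-certificates` imports only `*.crt` files from that directory (certain for the Ubuntu image; I believe Alpine's implementation matches), so a deprecated `PROXY_CERT_PATH` pointing at a `.pem` file is silently not trusted. Validate the path, quote it, and normalise the suffix; the deprecation notices also belong on stderr. The surrounding script is a flat top-level run that continues past the hunk.

```shell
# Workaround to support deprecated field PROXY_CERT_PATH
if [ -n "$PROXY_CERT_PATH" ]; then
  echo "PROXY_CERT_PATH is deprecated. Please place your certificates in the certs directory." >&2
  if [ ! -r "$PROXY_CERT_PATH" ]; then
    echo "PROXY_CERT_PATH=$PROXY_CERT_PATH is not a readable file" >&2
    exit 1
  fi
  # update-ca-certificates only imports *.crt, so give the copy that suffix
  cert_name=$(basename -- "$PROXY_CERT_PATH")
  echo "Copying the certificate from $PROXY_CERT_PATH to certs/${cert_name%.*}.crt" >&2
  cp -- "$PROXY_CERT_PATH" "certs/${cert_name%.*}.crt" || exit 1
fi
```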