[Draft]: CSPL-2600: Integrate HashiCorp Vault Support in Splunk Operator #1388
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
October 15, 2024 09:22
Signed-off-by: Vivek Reddy <[email protected]>
vivekr-splunk
changed the title
Signed-off-by: Vivek Reddy <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
[CSPL-3298] Remove change splunk operator name step in integration test workflow
feat: [CSPL-3253]: Change default storageClassName value in PVC
Signed-off-by: Vivek Reddy <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
* Change error log to info for clarification * update log statement * change log back to error, keep new contents * lowercase error message
CSPL-3256 - Support to configure deployer spec in SHC CRD
…thin Kubernetes Pods (#1407) * adding kubectl splunk plugin Signed-off-by: Vivek Reddy <[email protected]> * Fix code scanning alert no. 32: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * added auto credentials Signed-off-by: Vivek Reddy <[email protected]> * Fix code scanning alert no. 34: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * modularized code with test Signed-off-by: Vivek Reddy <[email protected]> * adding workflow for this Signed-off-by: Vivek Reddy <[email protected]> * adding workflow for this Signed-off-by: Vivek Reddy <[email protected]> * adding name to workflow Signed-off-by: Vivek Reddy <[email protected]> * adding name to workflow Signed-off-by: Vivek Reddy <[email protected]> * adding name to workflow Signed-off-by: Vivek Reddy <[email protected]> * adding branch for test Signed-off-by: Vivek Reddy <[email protected]> --------- Signed-off-by: Vivek Reddy <[email protected]> Co-authored-by: Vivek Reddy <[email protected]> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Arjun Kondur <[email protected]>
…lunk Operator (#1395) * adding cr specific configmap Signed-off-by: Vivek Reddy <[email protected]> * formatting changes * fallback * adding logic for manual update Signed-off-by: Vivek Reddy <[email protected]> * working logic * commenting unit test for now * comment unit test for now * comment unit test in makefile * fixed field manualUpdate in per Cr config Signed-off-by: Vivek Reddy <[email protected]> * add ownership to config * order changed for config creation * fix manualUpdate per CR * unit test cases fixed * CSPL-2983: doc changes Signed-off-by: Vivek Reddy <[email protected]> * fixed unit test cases Signed-off-by: Vivek Reddy <[email protected]> * uncomment unit test Signed-off-by: Vivek Reddy <[email protected]> * adding go mod changes Signed-off-by: Vivek Reddy <[email protected]> * some more changes to go sum * fixed mc list test case * fixed searchhead for dev merge Signed-off-by: Vivek Reddy <[email protected]> * adding per cr changes Signed-off-by: Vivek Reddy <[email protected]> * replaced test label Signed-off-by: Vivek Reddy <[email protected]> * added few doc and code changes Signed-off-by: Vivek Reddy <[email protected]> --------- Signed-off-by: Vivek Reddy <[email protected]> Signed-off-by: Vivek Reddy <[email protected]> Co-authored-by: Vivek Reddy <[email protected]>
…or Kubernetes (#1421) * adding support for distoless Signed-off-by: Vivek Reddy <[email protected]> * adding document changes for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * Add workflow to push distroless image. * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Remove stuttering from name * Use correct distroless image name * Use correct distroless image name * Comment out vurneability-scan * Comment out vurneability-scan * Use correct naming convention in merge develop to main * Use sidecar in distroless int workflow. * Update manifest path * Update sidecar manifest * Add kustomize patch to deploy sidecar-debug * Fix kustomize * Fix command * Fix sidecar name * supporting debug pod in pipeline Signed-off-by: Vivek Reddy <[email protected]> * renamed sidecar name * Fix distroless-build-test-push-workflow.yml to not build for amd * Fix distroless build test push workflow * fix * comment vurn scan out * Update build push distro workflow * Update distorless-int-test-worfklow * Review suggestions * Remove empty lines from install.md * Remove running on CSPL-3064 --------- Signed-off-by: Vivek Reddy <[email protected]> Co-authored-by: Vivek Reddy <[email protected]> Co-authored-by: igor.grzankowski <[email protected]> Co-authored-by: Igor Grzankowski <[email protected]>
* [create-pull-request] automated change * additional changes * use consistent formatting in ChangeLog.md * bundle clusterserviceversion updates --------- Co-authored-by: rlieberman-splunk <[email protected]> Co-authored-by: rlieberman-splunk <[email protected]>
* update distroless docker image tag * publish distroless image on releas
* Use docker-buildx and make smoke tests run * Add a '.' * Test again * Change env variable value * Trigger int testing * Minimize changes only to smoke tests to start with * Initial changes for graviton smoke tests * Try this * Add the argument again * Try passing build arguments * Add a default value * Hardcode * Change tag * Pull locally * Don't push for graviton * Display operator image * Change eks instance type * Dump version * Describe * Don't need to tag for graviton * Re-run change kust * Avoid describe * Enable everything and try again * Remove push-latest, re-run pipelines * Re-run tests * Enable int tests * Update error logs * Further enhance * Don't use platform in FROM in dockerfile, remove TARGETOSIMAGE, ignore int tests for now * Trigger int and smoke as well * Pull image fix - int tests * Set graviton to true int tests * Re-trigger * Trigger * Re-trigger * Disable int tests for now. * Avoid vul testing for graviton for now * Add support for Ubuntu * Pass as build arg * Echo BASE_OS * Address review comments * Fix docker builds * Change logic for Ubuntu * Test package version * Run without package versions * Fix unattended-upgrades * Build for amd64 as well for pipelines * Remove space * Change to AS * Trigger for 9.2.4 AL2023 ARM * Try installing certificates on SOK container * Trigger both arm and ubuntu. Add cert for ubuntu * Trigger workflows for 9.2.4 AL2023 ARM64 * trigger AL2023 build for splunk 9.2.4 * trigger AL2023 build for splunk 9.3.2 * trigger Ubuntu build for splunk 9.2.4 * trigger Ubuntu build for splunk 9.3.2 * trigger AL2023 build for splunk 9.2.4 * use new label to test app framework tests that hang during teardown * use shorter label for testing tag * trigger integration test for PR * trigger rebuild of sok images for arm64 architectures * trigger rebuild for sok container on linux arm64 * remove build and test workflow for now * trigger rebuild for sok container on ubuntu arm64 * separate suite tag for failing test * get correct standalone for readiness checks * get correct standalone for readiness checks * add sleep for managermc1 failing test case * dump splunk version during consistently check for search head cluster * clean up new workflows * merge commit for pulling splunk enterprise image * re-enable test case, correct merge conflict * feat: [CSPL-3253]: Change default storageClassName value in PVC * add back feature branch for integration test workflow trigger * Initial changes to support deployer spec in SHC CRD * Integration testing enabled * Remove SHC updating phase check * Remove change splunk operator name step in integration test workflow * Trigger int testing again * Fix int test bug * remove specific branch to run integration tests * Add a comment, rename TC. * Add UT and return error if not deployer sts * Add node affinity as well. * [CSPL-3269] Change error log for clarification (#1422) * Change error log to info for clarification * update log statement * change log back to error, keep new contents * lowercase error message * Restore int-test workflow * CSPL-3156: Add kubectl-splunk Plugin for Executing Splunk Commands within Kubernetes Pods (#1407) * adding kubectl splunk plugin Signed-off-by: Vivek Reddy <[email protected]> * Fix code scanning alert no. 32: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * added auto credentials Signed-off-by: Vivek Reddy <[email protected]> * Fix code scanning alert no. 34: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * modularized code with test Signed-off-by: Vivek Reddy <[email protected]> * adding workflow for this Signed-off-by: Vivek Reddy <[email protected]> * adding workflow for this Signed-off-by: Vivek Reddy <[email protected]> * adding name to workflow Signed-off-by: Vivek Reddy <[email protected]> * adding name to workflow Signed-off-by: Vivek Reddy <[email protected]> * adding name to workflow Signed-off-by: Vivek Reddy <[email protected]> * adding branch for test Signed-off-by: Vivek Reddy <[email protected]> --------- Signed-off-by: Vivek Reddy <[email protected]> Co-authored-by: Vivek Reddy <[email protected]> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Arjun Kondur <[email protected]> * CSPL-2966: Feature: Manual App Updates per Custom Resource (CR) in Splunk Operator (#1395) * adding cr specific configmap Signed-off-by: Vivek Reddy <[email protected]> * formatting changes * fallback * adding logic for manual update Signed-off-by: Vivek Reddy <[email protected]> * working logic * commenting unit test for now * comment unit test for now * comment unit test in makefile * fixed field manualUpdate in per Cr config Signed-off-by: Vivek Reddy <[email protected]> * add ownership to config * order changed for config creation * fix manualUpdate per CR * unit test cases fixed * CSPL-2983: doc changes Signed-off-by: Vivek Reddy <[email protected]> * fixed unit test cases Signed-off-by: Vivek Reddy <[email protected]> * uncomment unit test Signed-off-by: Vivek Reddy <[email protected]> * adding go mod changes Signed-off-by: Vivek Reddy <[email protected]> * some more changes to go sum * fixed mc list test case * fixed searchhead for dev merge Signed-off-by: Vivek Reddy <[email protected]> * adding per cr changes Signed-off-by: Vivek Reddy <[email protected]> * replaced test label Signed-off-by: Vivek Reddy <[email protected]> * added few doc and code changes Signed-off-by: Vivek Reddy <[email protected]> --------- Signed-off-by: Vivek Reddy <[email protected]> Signed-off-by: Vivek Reddy <[email protected]> Co-authored-by: Vivek Reddy <[email protected]> * CSPL-3064: Support for Distroless Image Creation in Splunk Operator for Kubernetes (#1421) * adding support for distoless Signed-off-by: Vivek Reddy <[email protected]> * adding document changes for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * adding github workflow for distroless Signed-off-by: Vivek Reddy <[email protected]> * Add workflow to push distroless image. * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Remove stuttering from name * Use correct distroless image name * Use correct distroless image name * Comment out vurneability-scan * Comment out vurneability-scan * Use correct naming convention in merge develop to main * Use sidecar in distroless int workflow. * Update manifest path * Update sidecar manifest * Add kustomize patch to deploy sidecar-debug * Fix kustomize * Fix command * Fix sidecar name * supporting debug pod in pipeline Signed-off-by: Vivek Reddy <[email protected]> * renamed sidecar name * Fix distroless-build-test-push-workflow.yml to not build for amd * Fix distroless build test push workflow * fix * comment vurn scan out * Update build push distro workflow * Update distorless-int-test-worfklow * Review suggestions * Remove empty lines from install.md * Remove running on CSPL-3064 --------- Signed-off-by: Vivek Reddy <[email protected]> Co-authored-by: Vivek Reddy <[email protected]> Co-authored-by: igor.grzankowski <[email protected]> Co-authored-by: Igor Grzankowski <[email protected]> * Splunk Operator 2.7.1 release (#1426) * [create-pull-request] automated change * additional changes * use consistent formatting in ChangeLog.md * bundle clusterserviceversion updates --------- Co-authored-by: rlieberman-splunk <[email protected]> Co-authored-by: rlieberman-splunk <[email protected]> * Update distroless RC and release tags (#1433) * update distroless docker image tag * publish distroless image on releas --------- Signed-off-by: Vivek Reddy <[email protected]> Signed-off-by: Vivek Reddy <[email protected]> Co-authored-by: Arjun Kondur <[email protected]> Co-authored-by: Arjun Kondur <[email protected]> Co-authored-by: rlieberman-splunk <[email protected]> Co-authored-by: Patryk Wasielewski <[email protected]> Co-authored-by: patrykw-splunk <[email protected]> Co-authored-by: vivekr-splunk <[email protected]> Co-authored-by: Vivek Reddy <[email protected]> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: igor.grzankowski <[email protected]> Co-authored-by: Igor Grzankowski <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: rlieberman-splunk <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
vivekr-splunk
requested review from
rlieberman-splunk,
patrykw-splunk and
Igor-splunk
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This PR introduces the integration of HashiCorp Vault into the Splunk Operator, providing enhanced security and flexibility in managing secrets. Users can now choose between Kubernetes Secrets or HashiCorp Vault for storing and injecting Splunk secrets. Key changes and features include:
Key Features:
Vault Integration in Custom Resource:
VaultIntegrationstruct in the Splunk CRD, allowing users to enable Vault integration and specify the Vault role and secret path.enabled,role, andsecretPathto configure Vault usage.Vault Injection Annotations for StatefulSets:
InjectVaultSecretfunction to add Vault Agent injector annotations to StatefulSets managed by the Splunk Operator./mnt/splunk-secrets, consistent with the current Kubernetes Secrets path.Vault Client Integration:
getVaultSecretVersion) to retrieve the current version of secrets from Vault, ensuring updated secrets are injected.Support for Both Kubernetes Secrets and Vault:
Predefined Vault Keys:
hec_token,idxc_secret,pass4SymmKey,password, andshc_secret.How to Test the Changes:
Install and Configure Vault on Kubernetes:
splunk-service-account).Deploy Splunk Custom Resource:
Test Secret Rotation:
Switch Between Kubernetes Secrets and Vault:
Summary:
This PR significantly enhances the security of Splunk deployments by integrating HashiCorp Vault into the Splunk Operator, allowing users to seamlessly manage secrets using Vault or Kubernetes Secrets. This flexibility provides improved compliance, security, and operational ease.
Verification:
Documentation:
Testing:
Let me know if there are any questions or if further changes are needed!