diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml index f2d2b6251..e85301c1b 100644 --- a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml +++ b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com @@ -43,6 +43,33 @@ spec: spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + adapters: + properties: + elasticsearch: + properties: + alertsIndex: + type: string + auth: + properties: + allowInsecureTLS: + type: boolean + caCertKey: + type: string + caCertSecretName: + type: string + passwordKey: + type: string + secretName: + type: string + usernameKey: + type: string + type: object + enabled: + type: boolean + url: + type: string + type: object + type: object alertThrottling: type: boolean defaultCapabilitiesPosture: diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml index 93bd2bc61..8d93ce1f0 100644 --- a/deployments/operator/operator.yaml +++ b/deployments/operator/operator.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com @@ -42,6 +42,33 @@ spec: spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + adapters: + properties: + elasticsearch: + properties: + alertsIndex: + type: string + auth: + properties: + allowInsecureTLS: + type: boolean + caCertKey: + type: string + caCertSecretName: + type: string + passwordKey: + type: string + secretName: + type: string + usernameKey: + type: string + type: object + enabled: + type: boolean + url: + type: string + type: object + type: object alertThrottling: type: boolean defaultCapabilitiesPosture: diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go index abe45ac35..cfdb7e37b 100644 --- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go +++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go @@ -39,6 +39,26 @@ type RecommendedPolicies struct { ExcludePolicy []string `json:"excludePolicy,omitempty"` } +type ElasticSearchAuth struct { + SecretName string `json:"secretName,omitempty"` + UserNameKey string `json:"usernameKey,omitempty"` + PasswordKey string `json:"passwordKey,omitempty"` + AllowTlsInsecure bool `json:"allowInsecureTLS,omitempty"` + CAcertSecretName string `json:"caCertSecretName,omitempty"` + CaCertKey string `json:"caCertKey,omitempty"` +} + +type ElasticSearchAdapter struct { + Enabled bool `json:"enabled,omitempty"` + Url string `json:"url,omitempty"` + AlertsIndexName string `json:"alertsIndex,omitempty"` + Auth ElasticSearchAuth `json:"auth,omitempty"` +} + +type Adapters struct { + ElasticSearch ElasticSearchAdapter `json:"elasticsearch,omitempty"` +} + // KubeArmorConfigSpec defines the desired state of KubeArmorConfig type KubeArmorConfigSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster @@ -80,6 +100,8 @@ type KubeArmorConfigSpec struct { MaxAlertPerSec int `json:"maxAlertPerSec,omitempty"` // +kubebuilder:validation:Optional ThrottleSec int `json:"throttleSec,omitempty"` + // +kubebuilder:validation:Optional + Adapters Adapters `json:"adapters,omitempty"` } // KubeArmorConfigStatus defines the observed state of KubeArmorConfig diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go index 01d594de5..c73836350 100644 --- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go +++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go @@ -12,6 +12,53 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Adapters) DeepCopyInto(out *Adapters) { + *out = *in + out.ElasticSearch = in.ElasticSearch +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Adapters. +func (in *Adapters) DeepCopy() *Adapters { + if in == nil { + return nil + } + out := new(Adapters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ElasticSearchAdapter) DeepCopyInto(out *ElasticSearchAdapter) { + *out = *in + out.Auth = in.Auth +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticSearchAdapter. +func (in *ElasticSearchAdapter) DeepCopy() *ElasticSearchAdapter { + if in == nil { + return nil + } + out := new(ElasticSearchAdapter) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ElasticSearchAuth) DeepCopyInto(out *ElasticSearchAuth) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticSearchAuth. +func (in *ElasticSearchAuth) DeepCopy() *ElasticSearchAuth { + if in == nil { + return nil + } + out := new(ElasticSearchAuth) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageSpec) DeepCopyInto(out *ImageSpec) { *out = *in @@ -96,6 +143,7 @@ func (in *KubeArmorConfigSpec) DeepCopyInto(out *KubeArmorConfigSpec) { out.KubeArmorControllerImage = in.KubeArmorControllerImage out.KubeRbacProxyImage = in.KubeRbacProxyImage in.Tls.DeepCopyInto(&out.Tls) + out.Adapters = in.Adapters } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeArmorConfigSpec. diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go index 970780653..8684a2a50 100644 --- a/pkg/KubeArmorOperator/common/defaults.go +++ b/pkg/KubeArmorOperator/common/defaults.go @@ -139,7 +139,26 @@ var ( }, }, } + + Adapter opv1.Adapters = opv1.Adapters{ + ElasticSearch: opv1.ElasticSearchAdapter{ + Enabled: false, + Url: "", + AlertsIndexName: "kubearmor-alerts", + Auth: opv1.ElasticSearchAuth{ + SecretName: "elastic-secret", + UserNameKey: "username", + PasswordKey: "password", + AllowTlsInsecure: false, + CAcertSecretName: "", + CaCertKey: "ca.crt", + }, + }, + } + + ElasticSearchAdapterCaCertPath = "/cert" ) +var Pointer2True bool = true var ConfigMapData = map[string]string{ ConfigGRPC: "32767", diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml index f2d2b6251..e85301c1b 100644 --- a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml +++ b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com @@ -43,6 +43,33 @@ spec: spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + adapters: + properties: + elasticsearch: + properties: + alertsIndex: + type: string + auth: + properties: + allowInsecureTLS: + type: boolean + caCertKey: + type: string + caCertSecretName: + type: string + passwordKey: + type: string + secretName: + type: string + usernameKey: + type: string + type: object + enabled: + type: boolean + url: + type: string + type: object + type: object alertThrottling: type: boolean defaultCapabilitiesPosture: diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go index 9725d2f9f..a4cfcff44 100644 --- a/pkg/KubeArmorOperator/internal/controller/cluster.go +++ b/pkg/KubeArmorOperator/internal/controller/cluster.go @@ -472,7 +472,81 @@ func (clusterWatcher *ClusterWatcher) UpdateKubearmorRelayEnv(cfg *opv1.KubeArmo Name: "ENABLE_STDOUT_MSGS", Value: common.KubearmorRelayEnvMap[common.EnableStdOutMsgs], }, + { + Name: "ENABLE_DASHBOARDS", + Value: strconv.FormatBool(common.Adapter.ElasticSearch.Enabled), + }, + { + Name: "ES_URL", + Value: common.Adapter.ElasticSearch.Url, + }, + { + Name: "ES_ALERTS_INDEX", + Value: common.Adapter.ElasticSearch.AlertsIndexName, + }, + { + Name: "ES_USERNAME", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: common.Adapter.ElasticSearch.Auth.SecretName, + }, + Key: common.Adapter.ElasticSearch.Auth.UserNameKey, + Optional: &common.Pointer2True, + }, + }, + }, + { + Name: "ES_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: common.Adapter.ElasticSearch.Auth.SecretName, + }, + Key: common.Adapter.ElasticSearch.Auth.PasswordKey, + Optional: &common.Pointer2True, + }, + }, + }, + } + + ElasticSearchAdapterCaVolume := []corev1.Volume{ + { + Name: "elastic-ca", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName, + }, + }, + }, + } + + ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{ + { + Name: "elastic-ca", + MountPath: common.ElasticSearchAdapterCaCertPath, + }, + } + if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" { + relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_CA_CERT_PATH", + Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey, + }) + + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.AddAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction) + } else { + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.DeleteAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction) } + + if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure { + relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_ALLOW_INSECURE_TLS", + Value: "true", + }) + } + _, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{}) if err != nil { clusterWatcher.Log.Warnf("Cannot update deployment=%s error=%s", deployments.RelayDeploymentName, err.Error()) @@ -955,6 +1029,42 @@ func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool { updated = true } } + + stringEnableElasticAdapter := strconv.FormatBool(config.Adapters.ElasticSearch.Enabled) + if stringEnableElasticAdapter != "" { + if common.Adapter.ElasticSearch.Enabled != config.Adapters.ElasticSearch.Enabled { + updated = true + common.Adapter.ElasticSearch.Enabled = config.Adapters.ElasticSearch.Enabled + } + if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure != config.Adapters.ElasticSearch.Auth.AllowTlsInsecure { + updated = true + common.Adapter.ElasticSearch.Auth.AllowTlsInsecure = config.Adapters.ElasticSearch.Auth.AllowTlsInsecure + } + if common.Adapter.ElasticSearch.AlertsIndexName != config.Adapters.ElasticSearch.AlertsIndexName { + updated = true + common.Adapter.ElasticSearch.AlertsIndexName = config.Adapters.ElasticSearch.AlertsIndexName + } + if common.Adapter.ElasticSearch.Url != config.Adapters.ElasticSearch.Url { + updated = true + common.Adapter.ElasticSearch.Url = config.Adapters.ElasticSearch.Url + } + if config.Adapters.ElasticSearch.Auth.SecretName != "" && common.Adapter.ElasticSearch.Auth.SecretName != config.Adapters.ElasticSearch.Auth.SecretName { + updated = true + common.Adapter.ElasticSearch.Auth.SecretName = config.Adapters.ElasticSearch.Auth.SecretName + } + if config.Adapters.ElasticSearch.Auth.UserNameKey != "" && common.Adapter.ElasticSearch.Auth.UserNameKey != config.Adapters.ElasticSearch.Auth.UserNameKey { + updated = true + common.Adapter.ElasticSearch.Auth.UserNameKey = config.Adapters.ElasticSearch.Auth.UserNameKey + } + if config.Adapters.ElasticSearch.Auth.PasswordKey != "" && common.Adapter.ElasticSearch.Auth.PasswordKey != config.Adapters.ElasticSearch.Auth.PasswordKey { + updated = true + common.Adapter.ElasticSearch.Auth.PasswordKey = config.Adapters.ElasticSearch.Auth.PasswordKey + } + if config.Adapters.ElasticSearch.Auth.CAcertSecretName != "" && common.Adapter.ElasticSearch.Auth.CAcertSecretName != config.Adapters.ElasticSearch.Auth.CAcertSecretName { + updated = true + common.Adapter.ElasticSearch.Auth.CAcertSecretName = config.Adapters.ElasticSearch.Auth.CAcertSecretName + } + } return updated } diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go index b4b8f2208..4fda5c5e9 100644 --- a/pkg/KubeArmorOperator/internal/controller/resources.go +++ b/pkg/KubeArmorOperator/internal/controller/resources.go @@ -7,6 +7,7 @@ import ( "bytes" "context" "fmt" + "strconv" "strings" "time" @@ -533,7 +534,6 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() { // kubearmor-controller and relay-server deployments controller := deployments.GetKubeArmorControllerDeployment(common.Namespace) relayServer := deployments.GetRelayDeployment(common.Namespace) - // update relay env vars relayServer.Spec.Template.Spec.Containers[0].Env = []corev1.EnvVar{ { @@ -548,8 +548,81 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() { Name: "ENABLE_STDOUT_MSGS", Value: common.KubearmorRelayEnvMap[common.EnableStdOutMsgs], }, + { + Name: "ENABLE_DASHBOARDS", + Value: strconv.FormatBool(common.Adapter.ElasticSearch.Enabled), + }, + { + Name: "ES_URL", + Value: common.Adapter.ElasticSearch.Url, + }, + { + Name: "ES_ALERTS_INDEX", + Value: common.Adapter.ElasticSearch.AlertsIndexName, + }, + { + Name: "ES_USERNAME", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: common.Adapter.ElasticSearch.Auth.SecretName, + }, + Key: common.Adapter.ElasticSearch.Auth.UserNameKey, + Optional: &common.Pointer2True, + }, + }, + }, + { + Name: "ES_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: common.Adapter.ElasticSearch.Auth.SecretName, + }, + Key: common.Adapter.ElasticSearch.Auth.PasswordKey, + Optional: &common.Pointer2True, + }, + }, + }, + } + + ElasticSearchAdapterCaVolume := []corev1.Volume{ + { + Name: "elastic-ca", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName, + }, + }, + }, + } + + ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{ + { + Name: "elastic-ca", + MountPath: common.ElasticSearchAdapterCaCertPath, + }, + } + + if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" { + relayServer.Spec.Template.Spec.Containers[0].Env = append(relayServer.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_CA_CERT_PATH", + Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey, + }) + + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relayServer.Spec.Template.Spec.Volumes, common.AddAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction) + } else { + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relayServer.Spec.Template.Spec.Volumes, common.DeleteAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction) } + if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure { + relayServer.Spec.Template.Spec.Containers[0].Env = append(relayServer.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_ALLOW_INSECURE_TLS", + Value: "true", + }) + } if common.EnableTls { relayServer.Spec.Template.Spec.Containers[0].VolumeMounts = append(relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.KubeArmorRelayTlsVolumeMount...)