[hermes] Add log-router for data plane audit events #11330
Adds log-router as an opt-in component (disabled by default) for routing data plane audit events from RabbitMQ to customer Ceph/S3 buckets.
- StatefulSet with WAL persistence for crash recovery
- PostgreSQL via postgresql-ng dependency for tenant configuration
- Keystone audit_admin role for config API RBAC
- Prometheus metrics scraping on port 8080
- PodDisruptionBudget and headless service for StatefulSet
- CI test values with minimal resources
New audit_admin Keystone role scoped to ccadmin/cloud_admin project
Sorry, but this makes no sense. A role is not scoped to anything - it exists by itself. It can be assigned to a user and project, and then the user can get a bearer token on the project with this role, and go to hermes with it.
What you do is probably a rule that utilizes this combination... but to that I have comments inline.
The original policy.json restricted all config operations to ccadmin/cloud_admin scope, preventing customers from managing their own data plane event routing. Add project-scoped and domain-scoped rules matching the existing hermes audit_viewer pattern so customers with audit_admin can manage their own config. Remove the cloud_admin project block and all role assignments from the seed — cloud admins get access through cluster policy rules, and the service user doesn't need audit_admin.
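The scope binding bbobrov describes and the project- and domain-scoped rules the commit message adds, as an added example that is not part of this PR or of the hermes code base: a minimal evaluator for oslo.policy-style rules showing that audit_admin alone grants nothing until the rule ties it to the token's project or domain. The rule names, the action name config:update, the mapping of "ccadmin/cloud_admin" to domain ccadmin / project cloud_admin, and all token values are assumptions.

```python
import re

# Constructed rule set modelled on the oslo.policy-style policy.json the commit
# message describes; rule and action names are assumptions, not hermes' own.
RULES = {
    "cloud_admin": "role:admin and domain_name:ccadmin and project_name:cloud_admin",
    "audit_admin_project": "role:audit_admin and project_id:%(project_id)s",
    "audit_admin_domain": "role:audit_admin and domain_id:%(domain_id)s",
    "config:update": "rule:cloud_admin or rule:audit_admin_project or rule:audit_admin_domain",
}

def _term(term, creds, target):
    """Evaluate a single 'key:value' term against the token's credentials."""
    key, _, value = term.partition(":")
    if key == "rule":
        return check(value, creds, target)
    if key == "role":
        return value in creds["roles"]
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:  # %(x)s: compare the credential attribute with the target's attribute
        return creds.get(key) is not None and creds.get(key) == target.get(m.group(1))
    return creds.get(key) == value

def check(rule, creds, target):
    """'and' binds tighter than 'or', as in oslo.policy; no parentheses needed here."""
    expr = RULES.get(rule, rule)
    return any(all(_term(t.strip(), creds, target) for t in clause.split(" and "))
               for clause in expr.split(" or "))

# Constructed tokens. Only a domain-scoped token carries domain_id; a
# project-scoped token carries project_id (plus the names the cloud_admin rule reads).
PROJECT_TOKEN = {"roles": {"audit_admin"}, "project_id": "p1", "domain_name": "acme", "project_name": "prod"}
DOMAIN_TOKEN = {"roles": {"audit_admin"}, "domain_id": "d1"}
CLOUD_ADMIN = {"roles": {"admin"}, "project_id": "p0", "domain_name": "ccadmin", "project_name": "cloud_admin"}

def decide(creds, target_project, target_domain):
    """Return whether the token may update the routing config owned by the target."""
    return check("config:update", creds, {"project_id": target_project, "domain_id": target_domain})

if __name__ == "__main__":
    print(decide(PROJECT_TOKEN, "p1", "d1"))  # own project -> True
    print(decide(PROJECT_TOKEN, "p2", "d1"))  # same role, other project -> False
    print(decide(DOMAIN_TOKEN, "p2", "d1"))   # domain-scoped token, project in d1 -> True
    print(decide(CLOUD_ADMIN, "p2", "d9"))    # cloud admin scope, any target -> True
```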
Force-pushed acf130d to 5bc3899
@bbobrov I've attempted to change this to what I've actually intended as we discussed on the call. Tomorrow if you have time, I'd appreciate your consideration on it, and again thank you for giving me a proper check.
bbobrov left a comment
from authorization pov this looks now better, thanks
Force-pushed 81c4a0f to fc5d471
Force-pushed 2d60324 to 575a584 (rebase; # Conflicts: # openstack/hermes/Chart.lock)
Force-pushed 89fedec to 3ffb488
Force-pushed ea450ab to e59eb6e (rebase; # Conflicts: # openstack/hermes/Chart.yaml)
viennaa left a comment
Thanks for providing the log-router PR. Couple of remarks before it can go live.
| log_router: {} | ||
| users: | ||
| log_router: {} |
According to postgresql-ng they shall not include _. Will fail.
| log_router: {} | |
| users: | |
| log_router: {} | |
| log-router: {} | |
| users: | |
| log-router: {} |
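Review bot: the rename to log-router in the postgresql-ng users block must be kept in step with the consumers further down, where the secret name '{{ $.Release.Name }}-pguser-log-router' and the user and database parts of LOG_ROUTER_DB_URL each hardcode the same string; a later change in any one of those places breaks the connection at runtime without any helm template error. Put the user and database name under one values.yaml key and reference it from all three places so they cannot drift apart.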
| name: '{{ $.Release.Name }}-pguser-log-router' | ||
| key: postgres-password | ||
| - name: LOG_ROUTER_DB_URL | ||
| value: "postgres://log-router:$(LOG_ROUTER_DB_PASSWORD)@{{ $.Release.Name }}-postgresql.{{ $.Release.Namespace }}.svc:5432/log-router?sslmode=disable" |
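Review bot: LOG_ROUTER_DB_URL ends in sslmode=disable, so the router talks to PostgreSQL without TLS and the pguser password travels in cleartext over the pod network; if postgresql-ng can serve TLS, prefer sslmode=require (or verify-full with the CA) and make the mode a values.yaml setting instead of a literal in the template. Separately, the password is spliced into the URL through $(LOG_ROUTER_DB_PASSWORD): a generated password containing '@', '/', ':' or '%' will be mis-parsed unless it is URL-encoded, so either encode it or hand host, user and password to the container as separate variables.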
Ideally the log-router occurrences of these strings go into values.yaml. If log-router-postgresql values change, this fails silently.
values.yaml:
logRouter:
  db:
    user: log-router
    name: log-router
| emptyDir: {} | ||
| initContainers: | ||
| - name: fix-permissions | ||
| image: {{ required ".Values.init_image is missing" .Values.logRouter.init_image }} |
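Review bot: the required message reads ".Values.init_image is missing" while the value actually looked up is .Values.logRouter.init_image, so an operator who hits the error is sent to the wrong key; make the message name the path that is read. It would also help to state in the hunk what the fix-permissions init container changes ownership of and under which securityContext, since a container that fixes volume permissions usually needs elevated privileges that the main log-router container should not inherit.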
Different values are checked here, is this on purpose?
@viennaa thanks for the review, good catch
Summary
- Adds log-router (logRouter.enabled: false by default) to the hermes chart for routing data plane audit events to customer Ceph/S3 buckets
- Reads from the dataplane.audit RabbitMQ queue (separate from the existing notifications.info control plane queue)
- Adds the audit_admin Keystone role
New Files
- templates/log-router-statefulset.yaml — StatefulSet with WAL PVC
- templates/log-router-configmap.yaml — Non-secret config + policy.json
- templates/log-router-secret.yaml — RabbitMQ, S3, Keystone credentials
- templates/log-router-service.yaml — ClusterIP + headless service
- templates/log-router-pdb.yaml — PodDisruptionBudget
- templates/_log-router-utils.tpl — Image helper + common env vars
Modified Files
- Chart.yaml — postgresql-ng dependency, version bump to 0.2.0
- values.yaml — logRouter + log-router-postgresql sections
- keystone-seed.yaml — audit_admin role (conditional on logRouter.enabled)
- ci/test-values.yaml — log-router test overrides
Test plan
- helm template renders cleanly with logRouter.enabled: false (no log-router resources)
- helm template renders cleanly with logRouter.enabled: true and test values