Skip to content

Commit 6268a69

Browse files
committed
[MOSIP-42871]updated persistant volume
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
1 parent df77ba7 commit 6268a69

8 files changed

Lines changed: 310 additions & 21 deletions

File tree

deploy/README.md

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,11 +3,45 @@
33
## Overview
44
Refer [Commons](https://docs.mosip.io/1.2.0/modules/commons).
55

6+
## Features
7+
- **Persistent Storage**: Optional persistent storage for audit logs including WAL (Write-Ahead Log) files
8+
- **Dynamic User Configuration**: Configurable container user with automatic path adjustment
9+
- **Volume Permissions**: Optional init container for proper file permissions
10+
- **SSL Configuration**: Support for both secure and insecure SSL modes
11+
- **Interactive & Non-Interactive**: Support for both interactive prompts and environment variables
12+
613
## Install
14+
15+
### Interactive Mode
16+
```bash
17+
./install.sh
718
```
19+
The script will prompt you for various configuration options.
20+
21+
### Non-Interactive Mode
22+
```bash
23+
# Example with persistent storage
24+
export ENABLE_PERSISTENT_STORAGE=true
25+
export STORAGE_SIZE=2Gi
26+
export ENABLE_VOLUME_PERMISSIONS=true
827
./install.sh
928
```
29+
30+
See [INSTALLATION_EXAMPLES.md](INSTALLATION_EXAMPLES.md) for more examples.
31+
32+
## SSL Configuration
1033
* During the execution of the `install.sh` script, a prompt appears requesting information regarding the presence of a public domain and a valid SSL certificate on the server.
1134
* If the server lacks a public domain and a valid SSL certificate, it is advisable to select the `n` option. Opting it will enable the `init-container` with an `emptyDir` volume and include it in the deployment process.
1235
* The init-container will proceed to download the server's self-signed SSL certificate and mount it to the specified location within the container's Java keystore (i.e., `cacerts`) file.
1336
* This particular functionality caters to scenarios where the script needs to be employed on a server utilizing self-signed SSL certificates.
37+
38+
## Persistent Storage
39+
When enabled, the audit manager will store WAL files persistently at:
40+
```
41+
/var/log/{container_user}/audit/audit-wal-{POD_NAME}.log
42+
```
43+
44+
This integrates with the config server property:
45+
```properties
46+
mosip.kernel.auditmanager.wal-file-path=/var/log/mosip/audit/audit-wal-${POD_NAME}.log
47+
```

deploy/install.sh

Lines changed: 90 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
#!/bin/bash
2-
# Installs all auditmanager helm charts
2+
# Installs all auditmanager helm charts
33
## Usage: ./install.sh [kubeconfig]
44

55
if [ $# -ge 1 ] ; then
@@ -21,26 +21,101 @@ function installing_auditmanager() {
2121
sed -i 's/\r$//' copy_cm.sh
2222
./copy_cm.sh
2323

24-
echo "Do you have public domain & valid SSL? (Y/n) "
25-
echo "Y: if you have public domain & valid ssl certificate"
26-
echo "n: If you don't have a public domain and a valid SSL certificate. Note: It is recommended to use this option only in development environments."
27-
read -p "" flag
24+
ENABLE_INSECURE=''
25+
if [ ! -z "${ENABLE_SSL_INSECURE:-}" ]; then
26+
if [ "$ENABLE_SSL_INSECURE" = "true" ]; then
27+
ENABLE_INSECURE='--set enable_insecure=true'
28+
fi
29+
else
30+
# Interactive mode
31+
echo "Do you have public domain & valid SSL? (Y/n) "
32+
echo "Y: if you have public domain & valid ssl certificate"
33+
echo "n: If you don't have a public domain and a valid SSL certificate. Note: It is recommended to use this option only in development environments."
34+
read -p "" flag
2835

29-
if [ -z "$flag" ]; then
30-
echo "'flag' was provided; EXITING;"
31-
exit 1;
36+
if [ -z "$flag" ]; then
37+
echo "'flag' was NOT provided; EXITING;"
38+
exit 1;
39+
fi
40+
41+
if [ "$flag" = "n" ]; then
42+
ENABLE_INSECURE='--set enable_insecure=true';
43+
fi
3244
fi
33-
ENABLE_INSECURE=''
34-
if [ "$flag" = "n" ]; then
35-
ENABLE_INSECURE='--set enable_insecure=true';
45+
46+
PERSISTENT_STORAGE=''
47+
VOLUME_PERMISSIONS=''
48+
49+
if [ ! -z "${ENABLE_PERSISTENT_STORAGE:-}" ]; then
50+
if [ "$ENABLE_PERSISTENT_STORAGE" = "true" ]; then
51+
PERSISTENT_STORAGE='--set auditLogsPersistence.enabled=true'
52+
53+
if [ ! -z "${STORAGE_SIZE:-}" ]; then
54+
PERSISTENT_STORAGE="$PERSISTENT_STORAGE --set auditLogsPersistence.size=$STORAGE_SIZE"
55+
fi
56+
57+
if [ ! -z "${STORAGE_CLASS:-}" ]; then
58+
PERSISTENT_STORAGE="$PERSISTENT_STORAGE --set auditLogsPersistence.storageClass=$STORAGE_CLASS"
59+
fi
60+
61+
if [ "${ENABLE_VOLUME_PERMISSIONS:-}" = "true" ]; then
62+
VOLUME_PERMISSIONS='--set volumePermissions.enabled=true'
63+
fi
64+
fi
65+
else
66+
echo ""
67+
echo "=== Audit Logs Persistent Storage Configuration ==="
68+
echo "Do you want to enable persistent storage for audit logs (including WAL files)? (Y/n)"
69+
echo "Y: Enable persistent storage"
70+
echo "n: Use ephemeral storage "
71+
read -p "" persistent_flag
72+
73+
if [ "$persistent_flag" != "n" ]; then
74+
echo ""
75+
echo "Enabling persistent storage for audit logs..."
76+
PERSISTENT_STORAGE='--set auditLogsPersistence.enabled=true'
77+
78+
echo ""
79+
echo "Enter storage size for audit logs (default: 1Gi): "
80+
read -p "" storage_size
81+
if [ ! -z "$storage_size" ]; then
82+
PERSISTENT_STORAGE="$PERSISTENT_STORAGE --set auditLogsPersistence.size=$storage_size"
83+
fi
84+
85+
echo ""
86+
echo "Enter storage class name (leave empty for default): "
87+
read -p "" storage_class
88+
if [ ! -z "$storage_class" ]; then
89+
PERSISTENT_STORAGE="$PERSISTENT_STORAGE --set auditLogsPersistence.storageClass=$storage_class"
90+
fi
91+
92+
echo ""
93+
echo "Do you want to enable volume permissions init container? (Y/n)"
94+
echo "Y: Enable init container to set proper permissions"
95+
echo "n: Skip permissions init container"
96+
read -p "" permissions_flag
97+
98+
if [ "$permissions_flag" != "n" ]; then
99+
VOLUME_PERMISSIONS='--set volumePermissions.enabled=true'
100+
fi
101+
fi
36102
fi
37103

38-
echo Installing auditmanager
39-
helm -n $NS install auditmanager mosip/auditmanager --version $CHART_VERSION $ENABLE_INSECURE
104+
echo ""
105+
echo "Installing auditmanager with the following configuration:"
106+
echo "- SSL Configuration: $ENABLE_INSECURE"
107+
echo "- Persistent Storage: $PERSISTENT_STORAGE"
108+
echo "- Volume Permissions: $VOLUME_PERMISSIONS"
109+
echo ""
40110

41-
kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status
111+
# Install auditmanager using helm
112+
helm -n $NS install auditmanager mosip/auditmanager --version $CHART_VERSION \
113+
$ENABLE_INSECURE \
114+
$PERSISTENT_STORAGE \
115+
$VOLUME_PERMISSIONS
42116

43-
echo Installed auditmanager services
117+
kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status
118+
echo "Auditmanager successfully installed"
44119
return 0
45120
}
46121

helm/auditmanager/README.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,26 @@ To install the chart with the release name `auditmanager`.
2828
helm install my-release mosip/auditmanager
2929
```
3030

31+
### Custom Container User
32+
33+
The chart supports dynamic container user configuration. By default, it uses `mosip` as the container user, but you can customize it:
34+
35+
```console
36+
helm install my-release mosip/auditmanager \
37+
--set containerSecurityContext.runAsUser=myuser \
38+
--set auditLogsPersistence.enabled=true
39+
```
40+
41+
This will:
42+
- Create audit logs directory at `/var/log/myuser/audit` inside the container
43+
- Set the WAL file path to `/var/log/myuser/audit/audit-wal-{POD_NAME}.log`
44+
- Configure persistent storage for audit logs
45+
46+
**Note**: When using a custom container user, ensure your Docker image is built with the same user:
47+
```bash
48+
docker build --build-arg container_user=myuser -t your-image .
49+
```
50+
3151
> **Tip**: List all releases using `helm list`
3252
3353
## Uninstalling the Chart

helm/auditmanager/templates/_helpers.tpl

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,4 +57,15 @@ Return podAnnotations
5757
{{- end }}
5858
{{- end -}}
5959

60+
{{/*
61+
Return the PVC name for audit logs
62+
*/}}
63+
{{- define "auditmanager.auditLogsPvcName" -}}
64+
{{- if .Values.auditLogsPersistence.existingClaim -}}
65+
{{- printf "%s" (tpl .Values.auditLogsPersistence.existingClaim $) -}}
66+
{{- else -}}
67+
{{- printf "%s-audit-logs" (include "common.names.fullname" .) -}}
68+
{{- end -}}
69+
{{- end -}}
70+
6071

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
{{- if .Values.auditLogsPersistence.enabled -}}
2+
{{- if not .Values.auditLogsPersistence.existingClaim -}}
3+
kind: PersistentVolumeClaim
4+
apiVersion: v1
5+
metadata:
6+
name: {{ include "auditmanager.auditLogsPvcName" . }}
7+
labels: {{- include "common.labels.standard" . | nindent 4 }}
8+
{{- if .Values.commonLabels }}
9+
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
10+
{{- end }}
11+
annotations:
12+
{{- if .Values.commonAnnotations }}
13+
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
14+
{{- end }}
15+
spec:
16+
accessModes:
17+
{{- range .Values.auditLogsPersistence.accessModes }}
18+
- {{ . | quote }}
19+
{{- end }}
20+
resources:
21+
requests:
22+
storage: {{ .Values.auditLogsPersistence.size | quote }}
23+
{{- if .Values.auditLogsPersistence.storageClass }}
24+
{{- if (eq "-" .Values.auditLogsPersistence.storageClass) }}
25+
storageClassName: ""
26+
{{- else }}
27+
storageClassName: "{{ .Values.auditLogsPersistence.storageClass }}"
28+
{{- end }}
29+
{{- end }}
30+
{{- end -}}
31+
{{- end -}}

helm/auditmanager/templates/deployment.yaml

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,26 @@ spec:
7070
- name: foo
7171
mountPath: bar
7272
{{- end }}
73+
{{- if and .Values.volumePermissions.enabled .Values.auditLogsPersistence.enabled }}
74+
- name: audit-logs-permissions
75+
image: {{ include "auditmanager.volumePermissions.image" . }}
76+
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
77+
command:
78+
- sh
79+
- -c
80+
- |
81+
mkdir -p "/var/log/{{ .Values.containerSecurityContext.runAsUser }}/audit"
82+
chown -R 1001:1001 "/var/log/{{ .Values.containerSecurityContext.runAsUser }}/audit"
83+
chmod -R 755 "/var/log/{{ .Values.containerSecurityContext.runAsUser }}/audit"
84+
securityContext:
85+
runAsUser: 0
86+
{{- if .Values.volumePermissions.resources }}
87+
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
88+
{{- end }}
89+
volumeMounts:
90+
- name: audit-logs
91+
mountPath: "/var/log/{{ .Values.containerSecurityContext.runAsUser }}/audit"
92+
{{- end }}
7393
{{- if .Values.enable_insecure }}
7494
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
7595
{{- end }}
@@ -136,6 +156,13 @@ spec:
136156
name: cacerts
137157
subPath: cacerts
138158
{{- end }}
159+
{{- if .Values.auditLogsPersistence.enabled }}
160+
- name: audit-logs
161+
mountPath: "/var/log/{{ .Values.containerSecurityContext.runAsUser }}/audit"
162+
{{- end }}
163+
{{- if .Values.extraVolumeMounts }}
164+
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
165+
{{- end }}
139166
{{- if .Values.sidecars }}
140167
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
141168
{{- end }}
@@ -144,3 +171,11 @@ spec:
144171
- name: cacerts
145172
emptyDir: {}
146173
{{- end }}
174+
{{- if .Values.auditLogsPersistence.enabled }}
175+
- name: audit-logs
176+
persistentVolumeClaim:
177+
claimName: {{ include "auditmanager.auditLogsPvcName" . }}
178+
{{- end }}
179+
{{- if .Values.extraVolumes }}
180+
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 6 }}
181+
{{- end }}

0 commit comments

Comments
 (0)