---
#
# Secrets in "/{{ site_name }}":
#
# * fluent_es_host (optional): enable elasticsearch output
# * fluent_es_index: Index option (when used, 'node-' or 'kube-' prefix is added)
# * fluent_es_*: elasticsearch output additional options (tls, http_user, ...)
#
# * fluent_gelf_host (optional): enable graylog output
# * fluent_gelf_mode (optional, "tls", "tcp", or "udp")
# * fluent_gelf_*: graylog output additional options
#
# Secrets in "/{{ site_name }}" related to TLS:
#
# * fluent_secrets_ca (optional): propagated to /secrets/fluent.ca
# * fluent_secrets_crt (optional): propagated to /secrets/fluent.crt
# * fluent_secrets_key (optional): propagated to /secrets/fluent.key
# * fluent_*_tls (optional): "On"
# * fluent_*_tls.ca_file (optional): "/secrets/fluent.ca"
# * fluent_*_tls.crt_file (optional): "/secrets/fluent.crt"
# * fluent_*_tls.key_file (optional): "/secrets/fluent.key"
# * fluent_*_tls.key_password (optional)
# * fluent_*_tls.verify (optional)
# * fluent_*_tls.verify_hostname (optional): "On"
# * fluent_*_tls.vhost (optional)
#
# Self-signed certificate HOWTO (for TLS clients): [1]
#
# openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout self_signed.key -out self_signed.crt -subj "/CN=test.host.net"
#
# [1] https://docs.fluentbit.io/manual/administration/transport-security#tips-and-tricks
#
# For GELF: add self_signed.crt to the authorized client certificates directory.
#
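- name: Fluent Bit Configuration
  hosts: master[0]
  become: true
  vars:
    namespace: fluent-bit
    # Chart version; passed to helm install/upgrade so deployments are pinned
    # instead of floating to whatever the repo currently serves as latest.
    version: "0.47.10" # app 3.1.9
    # One environment for every kubectl/helm task so they all address the same
    # cluster (previously only the apply and helm tasks set it).
    kube_env:
      KUBECONFIG: /etc/kubernetes/admin.conf
      PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
    # Rendered manifests; they may contain key material and output credentials,
    # so they are removed again in the `always` section at the end of the play.
    fluent_secrets_file: /tmp/fluent-bit-secrets.yaml
    fluent_values_file: /tmp/fluent-bit.yaml
  tasks:
    - name: Configure helm repo
      shell: |-
        helm repo add fluent https://fluent.github.io/helm-charts
        helm repo update
      changed_when: true
      when: "'fluent' not in ansible_local.helm_repos | map(attribute='name') | list"

    # The fact holds every secret of the site (TLS key, key password, ES/GELF
    # credentials); no_log keeps a verbose run from printing them.
    - name: Get Secrets from Vault
      set_fact:
        secrets: "{{ lookup('community.hashi_vault.hashi_vault', (vault_mount_point, 'site-' + site_name) | join('/'),
          token_validate=false) }}"
      no_log: true

    # Print key names only. loop_control.label is set explicitly because the
    # default label is the whole item, which would echo the value regardless
    # of what msg prints.
    - name: Debug Secrets
      debug:
        msg: "{{ item.key }}"
      loop: "{{ secrets | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    - name: Set Fluent TLS Fact From Secrets
      set_fact:
        fluent_has_tls: "{{ 'fluent_secrets_ca' in secrets or 'fluent_secrets_crt' in secrets or 'fluent_secrets_key' in secrets }}"

    # failed_when: false instead of ignore_errors so a missing namespace is a
    # normal (not red) outcome; the rc is what the next task inspects.
    - name: Check fluent-bit namespace
      command:
        cmd: kubectl get namespace {{ namespace }}
      environment: "{{ kube_env }}"
      changed_when: false
      failed_when: false
      register: fluent_ns

    - name: Create fluent-bit namespace
      command:
        cmd: kubectl create namespace {{ namespace }}
      environment: "{{ kube_env }}"
      changed_when: true
      when: fluent_ns.rc == 1

    - name: Render, apply and clean up Fluent Bit manifests
      block:
        # Quoted mode: an unquoted 0600 is parsed as an integer by the YAML
        # loader; a string lets Ansible do the octal conversion itself.
        # no_log: the rendered file is the TLS key material, and --diff would
        # otherwise show it.
        - name: Create Fluent TLS Secrets File
          template:
            src: templates/fluent-bit-secrets.yaml.j2
            dest: "{{ fluent_secrets_file }}"
            mode: "0600"
          no_log: true
          when: fluent_has_tls

        - name: Create Fluent TLS Secrets Object
          command:
            cmd: kubectl apply -f {{ fluent_secrets_file }}
          environment: "{{ kube_env }}"
          changed_when: true
          when: fluent_has_tls

        # diff: false because fluent_es_*/fluent_gelf_* options rendered into
        # the values file may include output credentials (http_user, ...).
        - name: Fluent Bit Configuration
          template:
            src: templates/fluent-bit.yaml.j2
            dest: "{{ fluent_values_file }}"
            mode: "0600"
          diff: false

        # `helm status` decides between install and upgrade; both paths pin the
        # chart with --version so the two are guaranteed to deploy the same
        # release content.
        - name: Deploy/upgrade Fluent Bit
          shell: |-
            if helm status --namespace {{ namespace }} fluent-bit >/dev/null 2>&1; then
                helm upgrade --namespace {{ namespace }} \
                    --version {{ version }} \
                    -f {{ fluent_values_file }} \
                    fluent-bit fluent/fluent-bit
            else
                helm install --create-namespace --namespace {{ namespace }} \
                    --version {{ version }} \
                    -f {{ fluent_values_file }} \
                    fluent-bit fluent/fluent-bit
            fi
          environment: "{{ kube_env }}"
          changed_when: true
      always:
        # Runs even when apply/helm fail so rendered secrets never outlive the
        # play on the shared /tmp filesystem.
        - name: Remove rendered Fluent Bit manifests
          file:
            path: "{{ item }}"
            state: absent
          loop:
            - "{{ fluent_secrets_file }}"
            - "{{ fluent_values_file }}"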