ROX-16735: Add vector.dev Helm chart

dp-terraform/helm/rhacs-terraform/.gitignore

@@ -0,0 +1,2 @@
+# Ignore downloaded external Helm bundles, built with `helm dependencies build`.
+*.tgz

dp-terraform/helm/rhacs-terraform/Chart.lock

@@ -0,0 +1,15 @@
+dependencies:
+- name: cloudwatch
+  repository: ""
+  version: 0.1.0
+- name: observability
+  repository: ""
+  version: 0.1.0
+- name: logging
+  repository: ""
+  version: 0.1.0
+- name: vector
+  repository: https://helm.vector.dev
+  version: 0.21.1
+digest: sha256:b7a38cdf9e620cb5a3d1b8df74108a395061aaae1c34ec910047a9d3eaeca718
+generated: "2023-05-16T10:17:55.96889856+02:00"

dp-terraform/helm/rhacs-terraform/Chart.yaml

@@ -26,8 +26,15 @@ appVersion: "0.4.0"
 # List of sub-charts and other dependencies
 dependencies:
   - name: cloudwatch
+    version: "0.1.0"
     condition: cloudwatch.enabled
   - name: observability
+    version: "0.1.0"
     condition: observability.enabled
   - name: logging
+    version: "0.1.0"
     condition: logging.enabled
+  - name: vector
+    version: "0.21.1"
+    repository: "https://helm.vector.dev"
+    condition: vector.enabled

dp-terraform/helm/rhacs-terraform/terraform_cluster.sh

@@ -112,6 +112,8 @@ if [[ "${OPERATOR_USE_UPSTREAM}" == "true" ]]; then
     OPERATOR_SOURCE="rhacs-operators"
 fi
 
+load_external_config "audit-logs--${CLUSTER_NAME}" VECTOR_
+
 # TODO(ROX-16771): Move this to env-specific values.yaml files
 # TODO(ROX-16645): set acsOperator.enabled to false
 invoke_helm "${SCRIPT_DIR}" rhacs-terraform \
@@ -157,7 +159,14 @@ invoke_helm "${SCRIPT_DIR}" rhacs-terraform \
   --set observability.observatorium.metricsClientId="${OBSERVABILITY_OBSERVATORIUM_METRICS_CLIENT_ID}" \
   --set observability.observatorium.metricsSecret="${OBSERVABILITY_OBSERVATORIUM_METRICS_SECRET}" \
   --set observability.pagerduty.key="${OBSERVABILITY_PAGERDUTY_ROUTING_KEY}" \
-  --set observability.deadMansSwitch.url="${OBSERVABILITY_DEAD_MANS_SWITCH_URL}"
+  --set observability.deadMansSwitch.url="${OBSERVABILITY_DEAD_MANS_SWITCH_URL}" \
+  --set vector.enabled=false \
+  --set vector.service.annotations.rhacs\\.redhat\\.com/cluster-name="${CLUSTER_NAME}" \
+  --set vector.service.annotations.rhacs\\.redhat\\.com/environment="${ENVIRONMENT}" \
+  --set vector.customConfig.sinks.aws_s3.region="${CLUSTER_REGION}" \
+  --set vector.customConfig.sinks.aws_s3.bucket="${VECTOR_BUCKET:-}" \
+  --set vector.secrets.generic.aws_access_key_id="${VECTOR_ACCESSKEY:-}" \
+  --set vector.secrets.generic.aws_secret_access_key="${VECTOR_SECRETACCESSKEY:-}"
 
 # To uninstall an existing release:
 # helm uninstall rhacs-terraform --namespace rhacs

dp-terraform/helm/rhacs-terraform/values.yaml

@@ -33,7 +33,7 @@ fleetshardSync:
     securityGroup: ""
     performanceInsights: true
   aws:
-    region: "us-east-1"  # TODO(2023-05-01): Remove the default value here as we now set it explicitly
+    region: "us-east-1" # TODO(2023-05-01): Remove the default value here as we now set it explicitly
     roleARN: ""
   telemetry:
     storage:
@@ -91,3 +91,85 @@ logging:
   aws:
     accessKeyId: ""
     secretAccessKey: ""
+
+vector:
+  role: "Aggregator"
+  service:
+    annotations:
+      rhacs.redhat.com/cluster-name: ""
+      rhacs.redhat.com/environment: ""
+      service.beta.openshift.io/serving-cert-secret-name: rhacs-vector-tls-secret
+  podLabels:
+    app: rhacs-vector
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchExpressions:
+              - key: app
+                operator: In
+                values:
+                  - rhacs-vector
+          topologyKey: "topology.kubernetes.io/zone"
+  persistence:
+    enabled: true
+    size: 300Mi
+  replicas: 3
+  extraVolumes:
+    - name: service-tls-secret
+      projected:
+        sources:
+          - secret:
+              name: rhacs-vector-tls-secret
+  extraVolumeMounts:
+    - name: service-tls-secret
+      mountPath: /etc/vector/tls
+      readOnly: true
+  customConfig:
+    sources:
+      http_server:
+        type: "http_server"
+        address: "0.0.0.0:8888"
+        decoding:
+          codec: "json"
+        tls:
+          enabled: true
+          ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+          crt_file: "/etc/vector/tls/tls.crt"
+          key_file: "/etc/vector/tls/tls.key"
+    sinks:
+      aws_s3:
+        type: "aws_s3"
+        region: ""
+        bucket: ""
+        key_prefix: '{{ "{{" }} .tenant_id {{ "}}" }}/%F/'
+        inputs: ["http_server"]
+        compression: none
+        filename_extension: "json"
+        healthcheck:
+          enabled: false
+        batch:
+          timeout_secs: 60
+          max_size: 2621440
+        buffer:
+          type: disk
+          max_size: 283115520
+          when_full: block
+        encoding:
+          codec: "json"
+  fullnameOverride: rhacs-vector
+  secrets:
+    generic:
+      aws_access_key_id: ""
+      aws_secret_access_key: ""
+  env:
+    - name: AWS_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          name: rhacs-vector
+          key: aws_access_key_id
+    - name: AWS_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          name: rhacs-vector
+          key: aws_secret_access_key

scripts/lib/helm.sh

@@ -6,6 +6,11 @@ function invoke_helm() {
     local -r release="${1}"
     shift
 
+    helm repo add vector "https://helm.vector.dev"
+
+    # Build the external dependencies like the vector helm chart bundle.
+    helm dependencies build
+
     if [[ "${ENVIRONMENT}" == "dev" ]]; then
         # Dev env is special, as there is no real dev cluster. Instead
         # we just run lint to smoke test the chart.