Clean-up of samples/generic-base user.env files (#701)

CHANGELOG.md

@@ -1,6 +1,9 @@
 # SAS Viya Monitoring for Kubernetes
 
 ## Unreleased
+* **Overall**
+  * [CHANGE] Comments added to user.env files within samples/generic-base to clarify security best-practices; other
+cleanup.
 * **Logging**
   * [SECURITY] Set `seccompProfile` to `RuntimeDefault` for OpenSearch, OpenSearch Dashboards and Fluent Bit pods in
 non-OpenShift environments.

logging/user.env

@@ -9,25 +9,25 @@
 # The following flags control whether specific components 
 # of the log monitoring solution are deployed
 
-# Event Router (generates log messages from K8s events)?
-# See https://github.com/heptiolabs/eventrouter for details
-# EVENTROUTER_ENABLE=true
-
-# Elasticsearch
+# OpenSearch
 # ELASTICSEARCH_ENABLE=true
 
-# Elasticsearch Content (ingest pipelines, index mgmt policies, etc.)
+# OpenSearch Content (ingest pipelines, index mgmt policies, etc.)
 # ES_CONTENT_DEPLOY=true
 
 # Elasticsearch Prometheus Exporter
 # ELASTICSEARCH_EXPORTER_ENABLED=true
 
-# Kibana Content (visualizations, dashboards, etc.)
+# OpenSearch Dashboards Content (visualizations, dashboards, etc.)
 # KIBANA_CONTENT_DEPLOY
 
-# Fluent Bit (log collector)
+# Fluent Bit (for collecting pod logs)
 # FLUENT_BIT_ENABLED=true
 
+# Fluent Bit (for collecting Kubernetes Events)
+# FLUENT_BIT_EVENTS_ENABLED=true
+
+
 # OpenShift-specific Settings
 # --------------------------------------------------------------
 # The following set of environment variables are
@@ -40,10 +40,10 @@
 # Create OpenShift Route objects
 # OPENSHIFT_ROUTES_ENABLE=true
 #
-# Create route for the Elasticsearch API endpoint
+# Create route for the OpenSearch API endpoint
 # OPENSHIFT_ES_ROUTE_ENABLE=false
 #
-# Make Kibana accessible via NodePort (port 31033)
+# Make OpenSearch Dashboards accessible via NodePort (port 31033)
 # KB_KNOWN_NODEPORT_ENABLE=false
 #
 # Remove OpenShift artifacts (e.g. custom SCCs)
@@ -64,34 +64,20 @@
 #    containerd  cri           criwithlog
 #    cri-o       cri           criwithlog
 #
-# NOTE: The docker container runtime is deprecated in Kubernetes 1.20
-#       and suport for it is expected to be removed in Kubernetes 1.22.
+# NOTE: The docker container runtime was deprecated in Kubernetes 1.20
+#       and support for it was removed in Kubernetes 1.24.
 #
 # The deployment scripts will automatically determine the 
 # container runtime and set the appropriate log parser.  However,
 # if necessary, you can manually identify the appropriate parser
 # by setting the KUBERNETES_RUNTIME_LOGFMT environment variable.
-# KUBERNETES_RUNTIME_LOGFMT=docker
+# KUBERNETES_RUNTIME_LOGFMT=containerd
 
-# Enables TLS in-cluster for Kibana  (***DEPRECATED 14FEB22**)
-# ------------------------------
-# ***** USE OF THIS ENV VAR HAS BEEN DEPRECATED AND SUPPORT    *****
-# ***** FOR IT WILL BE REMOVED ENTIRELY IN AN UPCOMING RELEASE *****
-# This only affects the communication in-bound to Kibana.  If this is
-# set to true and a TLS cert is not found saved as the expected 
-# Kubernetes secret (logging/kibana-tls-secret), the deployment script 
-# will attempt to use cert-manager to generate one on-the-fly.
-# Note that these on-the-fly certs will likely lead to browser alerts
-# warning of possible security risks when accessing Kibana.
-# LOG_KB_TLS_ENABLE=$TLS_ENABLE
 
 # Use port-forwarding during deployment
 # -------------------------------------
-# If Kibana is not reachable via the end-user URL from the machine on which the deployment
+# If OpenSearch Dashboards is not reachable via the end-user URL from the machine on which the deployment
 # is running, Kubernetes port-forwarding may allow the deployment to overcome this.
-# See 'Issue: Deployment does not complete if Kibana is not reachable from the deployment machine'
-# in the Logging Troubleshooting Guide (Troubleshooting.md in the logging sub-directory of the repo)
-# for more information.
 # LOG_ALWAYS_PORT_FORWARD=true
 
 # Retention Period Settings
@@ -102,21 +88,30 @@
 # Number of Days to retain internal (log monitoring) log messages
 # OPS_LOG_RETENTION_PERIOD=1
 
-# ES Admin Password
+
+# OpenSearch 'logadm' User Settings
+# -----------------------------
+# The OpenSearch 'logadm' user is granted access to *all* log messages in all namespaces and tenant
+# Create the 'logadm' user within the OpenSearch internal usere database?
+# LOG_CREATE_LOGADM_USER=true
+
+# IMPORTANT: SETTING PASSWORDS SECURELY
+# ------------------------------------------
+# Security best-practices discourage storing passwords in files.
+# We have included setting passwords in this sample file
+# only to illustrate the referenced environment variable.  
+# You should set these environment variable via another, 
+# more secure, mechanism.
+
+# OpenSearch Admin Password
 # -----------------
-# Password for the Elasticsearch/Kibana 'admin' user
+# Password for the OpenSearch/OpenSearch Dashboards 'admin' user
 # If not provided, a random password will be generated for this account
 # ES_ADMIN_PASSWD=yourPasswordHere
 
 
-
-# Kibana 'logadm' User Settings
+# OpenSearch 'logadm' User Password
 # -----------------------------
-# The Kibana 'logadm' user is granted access to *all* log messages in all namespaces and tenant
-# Create the 'logadm' user within the Kibana internal usere database?
-# LOG_CREATE_LOGADM_USER=true
-
-# KB 'logadm' User Password
-# Password for the Kibana 'logadm' user
+# Password for the OpenSearch/OpenSearch Dashboards 'logadm' user
 # If not provided, a random password will be generated for this account
 # LOG_LOGADM_PASSWD=yourPasswordHere

monitoring/user.env

@@ -9,26 +9,27 @@
 # LOG_LEVEL_ENABLE=true
 # LOG_COLOR_ENABLE=true
 
-# Deploy components with TLS enabled
-# TLS_ENABLE=false
-
 # deploy_monitoring_cluster.sh options
 # ------------------------------------
 # Cluster monitoring namespace for the Prometheus Operator,
 # Grafana, dashboards, and cluster ServiceMonitors
 # MON_NS=monitoring
 
 # Deploys monitoring components with TLS enabled
-# This setting overrides TLS_ENABLE only for monitoring
-# MON_TLS_ENABLE=false
+# This setting effectively sets TLS_ENABLE only for monitoring
+# MON_TLS_ENABLE=true
+
+# Set this value to 'true' if using path-based ingress and
+# TLS_ENABLE=true or MON_TLS_ENABLE=true
+# MON_TLS_PATH_INGRESS=true
 
 # Enables tolerations and pod affinity to enable the monitoring
 # components to participate in the SAS Viya workload node
 # placement strategy
 # MON_NODE_PLACEMENT_ENABLE=false
 
 # Set to true to force an update of the Prometheus Operator CRDs
-# PROM_OPERATOR_CRD_UPDATE=false
+# PROM_OPERATOR_CRD_UPDATE=true
 
 # The release of the Prometheus Operator CRDs to deploy
 # if PROM_OPERATOR_CRD_UPDATE is true. This version should
@@ -40,23 +41,53 @@
 # Version of the kube-prometheus-stack helm chart to use
 # KUBE_PROM_STACK_CHART_VERSION=45.28.0
 
-# Initial password of the Grafana admin user
-# GRAFANA_ADMIN_PASSWORD=yourPasswordHere
-
 # Additional Grafana datasources
 # LOGGING_DATASOURCE=false
 
 # Additional Grafana dashboards
 # WELCOME_DASH=true
 # KUBE_DASH=true
 # VIYA_DASH=true
-# VIYA_LOG_DASH=false
 # PGMONITOR_DASH=true
 # RABBITMQ_DASH=true
 # NGINX_DASH=true
 # LOGGING_DASH=true
 # USER_DASH=true
 
+# Experimental - Deploys logging-enabled versions of the default dashboards
+# for Java, Go, and CAS. Requires the logging datasource to be configured
+# either manually or via the LOGGING_DATASOURCE user.env setting
+# VIYA_LOGS_DASH=false
+
+# Set PROM_NODEPORT_ENABLE=true to enable nodeport access
+# to Prometheus and Alertmanager.
+# Note that neither Prometheus nor Alertmanager provide
+# authentication by default.
+# PROM_NODEPORT_ENABLE=true
+
+# deploy_monitoring_openshift.sh options
+# --------------------------------------
+# Used when OPENSHIFT_PATH_ROUTES=true
+# Fully-qualified route hostname used for Grafana
+# OPENSHIFT_ROUTE_HOST_GRAFANA=grafana.apps.my-openshift-cluster.com
+# URL path where Grafana is available (used if OPENSHIFT_PATH_ROUTES=true)
+# OPENSHIFT_ROUTE_PATH_GRAFANA=/grafana
+
 ## deploy_monitoring_viya.sh options
 # ----------------------------------
 # PUSHGATEWAY_ENABLED=true
+# PUSHGATEWAY_CHART_VERSION:-2.1.6
+# VALIDATE_MONITORS=true
+
+
+# IMPORTANT: SETTING PASSWORDS SECURELY
+# ------------------------------------------
+# Security best-practices discourage storing passwords in files.
+# We have included setting passwords in this sample file
+# only to illustrate the referenced environment variable.  
+# You should set these environment variable via another, 
+# more secure, mechanism.
+
+# Set a specific password for the Grafana admin user
+# Default is to generate a random password
+# GRAFANA_ADMIN_PASSWORD=yourPasswordHere

samples/generic-base/logging/user.env

@@ -9,25 +9,25 @@
 # The following flags control whether specific components 
 # of the log monitoring solution are deployed
 
-# Event Router (generates log messages from K8s events)?
-# See https://github.com/heptiolabs/eventrouter for details
-# EVENTROUTER_ENABLE=true
-
-# Elasticsearch
+# OpenSearch
 # ELASTICSEARCH_ENABLE=true
 
-# Elasticsearch Content (ingest pipelines, index mgmt policies, etc.)
+# OpenSearch Content (ingest pipelines, index mgmt policies, etc.)
 # ES_CONTENT_DEPLOY=true
 
 # Elasticsearch Prometheus Exporter
 # ELASTICSEARCH_EXPORTER_ENABLED=true
 
-# Kibana Content (visualizations, dashboards, etc.)
+# OpenSearch Dashboards Content (visualizations, dashboards, etc.)
 # KIBANA_CONTENT_DEPLOY
 
-# Fluent Bit (log collector)
+# Fluent Bit (for collecting pod logs)
 # FLUENT_BIT_ENABLED=true
 
+# Fluent Bit (for collecting Kubernetes Events)
+# FLUENT_BIT_EVENTS_ENABLED=true
+
+
 # OpenShift-specific Settings
 # --------------------------------------------------------------
 # The following set of environment variables are
@@ -40,10 +40,10 @@
 # Create OpenShift Route objects
 # OPENSHIFT_ROUTES_ENABLE=true
 #
-# Create route for the Elasticsearch API endpoint
+# Create route for the OpenSearch API endpoint
 # OPENSHIFT_ES_ROUTE_ENABLE=false
 #
-# Make Kibana accessible via NodePort (port 31033)
+# Make OpenSearch Dashboards accessible via NodePort (port 31033)
 # KB_KNOWN_NODEPORT_ENABLE=false
 #
 # Remove OpenShift artifacts (e.g. custom SCCs)
@@ -64,34 +64,20 @@
 #    containerd  cri           criwithlog
 #    cri-o       cri           criwithlog
 #
-# NOTE: The docker container runtime is deprecated in Kubernetes 1.20
-#       and suport for it is expected to be removed in Kubernetes 1.22.
+# NOTE: The docker container runtime was deprecated in Kubernetes 1.20
+#       and support for it was removed in Kubernetes 1.24.
 #
 # The deployment scripts will automatically determine the 
 # container runtime and set the appropriate log parser.  However,
 # if necessary, you can manually identify the appropriate parser
 # by setting the KUBERNETES_RUNTIME_LOGFMT environment variable.
-# KUBERNETES_RUNTIME_LOGFMT=docker
+# KUBERNETES_RUNTIME_LOGFMT=containerd
 
-# Enables TLS in-cluster for Kibana  (***DEPRECATED 14FEB22**)
-# ------------------------------
-# ***** USE OF THIS ENV VAR HAS BEEN DEPRECATED AND SUPPORT    *****
-# ***** FOR IT WILL BE REMOVED ENTIRELY IN AN UPCOMING RELEASE *****
-# This only affects the communication in-bound to Kibana.  If this is
-# set to true and a TLS cert is not found saved as the expected 
-# Kubernetes secret (logging/kibana-tls-secret), the deployment script 
-# will attempt to use cert-manager to generate one on-the-fly.
-# Note that these on-the-fly certs will likely lead to browser alerts
-# warning of possible security risks when accessing Kibana.
-# LOG_KB_TLS_ENABLE=$TLS_ENABLE
 
 # Use port-forwarding during deployment
 # -------------------------------------
-# If Kibana is not reachable via the end-user URL from the machine on which the deployment
+# If OpenSearch Dashboards is not reachable via the end-user URL from the machine on which the deployment
 # is running, Kubernetes port-forwarding may allow the deployment to overcome this.
-# See 'Issue: Deployment does not complete if Kibana is not reachable from the deployment machine'
-# in the Logging Troubleshooting Guide (Troubleshooting.md in the logging sub-directory of the repo)
-# for more information.
 # LOG_ALWAYS_PORT_FORWARD=true
 
 # Retention Period Settings
@@ -102,21 +88,30 @@
 # Number of Days to retain internal (log monitoring) log messages
 # OPS_LOG_RETENTION_PERIOD=1
 
-# ES Admin Password
-# -----------------
-# Password for the Elasticsearch/Kibana 'admin' user
-# If not provided, a random password will be generated for this account
-# ES_ADMIN_PASSWD=yourPasswordHere
 
+# OpenSearch 'logadm' User Settings
+# ---------------------------------
+# The OpenSearch 'logadm' user is granted access to *all* log messages in all namespaces and tenant
+# Create the 'logadm' user within the OpenSearch internal usere database?
+# LOG_CREATE_LOGADM_USER=true
 
 
-# Kibana 'logadm' User Settings
-# -----------------------------
-# The Kibana 'logadm' user is granted access to *all* log messages in all namespaces and tenant
-# Create the 'logadm' user within the Kibana internal usere database?
-# LOG_CREATE_LOGADM_USER=true
+# IMPORTANT: SETTING PASSWORDS SECURELY
+# -------------------------------------
+# Security best-practices discourage storing passwords in files.
+# We have included setting passwords in this sample file
+# only to illustrate the referenced environment variable.  
+# You should set these environment variable via another, 
+# more secure, mechanism.
 
-# KB 'logadm' User Password
-# Password for the Kibana 'logadm' user
+# OpenSearch Admin Password
+# -------------------------
+# Password for the OpenSearch/OpenSearch Dashboards 'admin' user
+# If not provided, a random password will be generated for this account
+# ES_ADMIN_PASSWD=yourPasswordHere
+
+# OpenSearch 'logadm' User Password
+# -----------------------------
+# Password for the OpenSearch/OpenSearch Dashboards 'logadm' user
 # If not provided, a random password will be generated for this account
 # LOG_LOGADM_PASSWD=yourPasswordHere