feat: add vector for FortiGate syslog TLS

kube/clusters/biohazard/flux/kustomization.yaml

@@ -54,6 +54,7 @@ resources:
   - ../../../deploy/core/monitoring/alertmanager/
   - ../../../deploy/core/monitoring/karma/
   - ../../../deploy/core/monitoring/fluentbit/
+  - ../../../deploy/core/monitoring/vector/
   - ../../../deploy/core/monitoring/node-exporter/
   - ../../../deploy/core/monitoring/smartctl-exporter/
   - ../../../deploy/core/monitoring/intel-gpu-exporter/

kube/deploy/core/monitoring/vector/app/config/fortigate.yaml

@@ -0,0 +1,37 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/vector.json
+timezone: Asia/Singapore
+data_dir: /data
+sources:
+  fortigate:
+    type: syslog
+    address: "[::]:51401"
+    mode: tcp
+    permit_origin: ["${IP_ROUTER_VLAN_K8S}/32"]
+    max_length: 2048000
+    tls:
+      enabled: true
+      crt_file: /tls/tls.crt
+      key_file: /tls/tls.key
+transforms:
+  fortigate-parse-message:
+    type: remap
+    inputs: [fortigate]
+    source: |
+      . = parse_key_value!(.message)
+sinks:
+  vlogs:
+    inputs: [fortigate-parse-message]
+    type: http
+    uri: http://victoria-logs-victoria-logs-single-server.monitoring.svc.cluster.local:9428/insert/jsonline?_stream_fields=host,type,subtype,vd&_msg_field=message&_time_field=date
+    request:
+      headers:
+        AccountID: "51401"
+        ProjectID: "0"
+    compression: gzip
+    encoding:
+      codec: json
+    framing:
+      method: newline_delimited
+    healthcheck:
+      enabled: false

kube/deploy/core/monitoring/vector/app/config/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+configMapGenerator:
+  - name: vector-config
+    namespace: vector
+    files:
+      - fortigate.yaml
+generatorOptions:
+  disableNameSuffixHash: true

kube/deploy/core/monitoring/vector/app/hr.yaml

@@ -0,0 +1,103 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-4.2.0/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app vector
+  namespace: *app
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 4.2.0
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controllers:
+      fortigate:
+        type: deployment
+        replicas: 2
+        containers:
+          app:
+            image: &img
+              repository: ghcr.io/vectordotdev/vector
+              tag: 0.50.0-distroless-libc@sha256:2f0769913c408e6a21dfd7cad18aa9ca590e77809a2f9c8acb03b295231c2f10
+              args: ["--config", "/config/fortigate.yaml"]
+            env: &env
+              TZ: "${CONFIG_TZ}"
+              KUBE_NODE_NAME:
+                valueFrom:
+                  fieldRef:
+                    fieldPath: spec.nodeName
+              KUBE_NODE_IP:
+                valueFrom:
+                  fieldRef:
+                    fieldPath: status.hostIP
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+            resources:
+              requests:
+                cpu: "10m"
+              limits:
+                cpu: "1"
+                memory: "512Mi"
+    service:
+      fortigate:
+        controller: fortigate
+        annotations:
+          coredns.io/hostname: "${APP_DNS_VECTOR_FORTIGATE:=vector}"
+          lbipam.cilium.io/ips: "${APP_IP_VECTOR_FORTIGATE:=127.0.0.1}"
+        ports:
+          fortigate-syslog:
+            port: 6514
+            targetPort: 51401
+            protocol: TCP
+    persistence:
+      config:
+        type: configMap
+        name: vector-config
+      data:
+        type: emptyDir
+        medium: Memory
+        sizeLimit: 16Mi
+      tls:
+        type: secret
+        name: short-domain-tls
+        defaultMode: 0400
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      hostAliases:
+        - ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
+          hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      hostUsers: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid 1000
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: Always
+        seccompProfile: { type: "RuntimeDefault" }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "fuckoff.home.arpa/{{ .Release.Name }}"
+                    operator: DoesNotExist
+    networkpolicies:
+      fortigate:
+        controller: fortigate
+        policyTypes: [Ingress, Egress]
+        rules:
+          ingress: [from: [{ipBlock: {cidr: "${IP_ROUTER_VLAN_K8S}/32"}}]]

kube/deploy/core/monitoring/vector/ks.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: vector-app
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/name: "vector"
+spec:
+  targetNamespace: "vector"
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/core/monitoring/vector/app
+  components:
+    - ../../../../core/flux-system/alerts/template/
+  dependsOn:
+    - name: crds
+      namespace: flux-system

kube/deploy/core/monitoring/vector/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ns.yaml
+  - ks.yaml

kube/deploy/core/monitoring/vector/ns.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vector
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: &ps restricted
+    pod-security.kubernetes.io/audit: *ps
+    pod-security.kubernetes.io/warn: *ps