[Audit log forwarding] - update audit-tls secret to IM deployments for audit forwarding support

api/operator/v1alpha1/authentication_types.go

@@ -139,6 +139,8 @@ type ConfigSpec struct {
 	ICPPort                     int32          `json:"icpPort"`
 	FIPSEnabled                 bool           `json:"fipsEnabled"`
 	ROKSEnabled                 bool           `json:"roksEnabled"`
+	AuditUrl                    *string        `json:"auditUrl,omitempty"`
+	AuditSecret                 *string        `json:"auditSecret,omitempty"`
 	IBMCloudSaas                bool           `json:"ibmCloudSaas,omitempty"`
 	OnPremMultipleDeploy        bool           `json:"onPremMultipleDeploy,omitempty"`
 	SaasClientRedirectUrl       string         `json:"saasClientRedirectUrl,omitempty"`

bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml

@@ -79,6 +79,8 @@ metadata:
               "openshiftPort": 443,
               "preferredLogin": "",
               "providerIssuerURL": "",
+              "auditUrl": "",
+              "auditSecret": "",
               "roksEnabled": true,
               "roksURL": "https://roks.domain.name:443",
               "roksUserPrefix": "changeme",

bundle/manifests/operator.ibm.com_authentications.yaml

@@ -228,6 +228,10 @@ spec:
                     type: string
                   providerIssuerURL:
                     type: string
+                  auditUrl:
+                    type: string
+                  auditSecret:
+                    type: string
                   roksEnabled:
                     type: boolean
                   roksURL:

config/crd/bases/operator.ibm.com_authentications.yaml

@@ -219,7 +219,11 @@ spec:
                   preferredLogin:
                     type: string
                   defaultLogin:
-                    type: string 
+                    type: string
+                  auditUrl:
+                    type: string
+                  auditSecret:
+                    type: string
                   providerIssuerURL:
                     type: string
                   roksEnabled:

config/samples/bases/operator_v1alpha1_authentication.yaml

@@ -61,6 +61,8 @@ spec:
     preferredLogin: ''
     defaultLogin: ''
     bootstrapUserId: kubeadmin
+    auditUrl: ''
+    auditSecret: ''
     providerIssuerURL: ''
     claimsSupported: name,family_name,display_name,given_name,preferred_username
     claimsMap: name="givenName" family_name="givenName" given_name="givenName" preferred_username="displayName"

internal/controller/operator/authentication_controller.go

@@ -443,6 +443,7 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 			}
 		}), builder.WithPredicates(predicate.Or(globalCMPred, productCMPred)),
 	)
+
 	bootstrappedPred := predicate.NewPredicateFuncs(func(o client.Object) bool {
 		return o.GetLabels()[ctrlcommon.ManagerVersionLabel] == version.Version
 	})

internal/controller/operator/configmap.go

@@ -345,6 +345,10 @@ func updatePlatformAuthIDP(_ common.SecondaryReconciler, _ context.Context, obse
 			"LDAP_CTX_POOL_PREFERREDSIZE"),
 		updatesValuesWhen(not(observedKeySet[*corev1.ConfigMap]("MASTER_PATH")),
 			"MASTER_PATH"),
+		updatesValuesWhen(not(observedKeySet[*corev1.ConfigMap]("AUDIT_URL")),
+			"AUDIT_URL"),
+		updatesValuesWhen(not(observedKeySet[*corev1.ConfigMap]("AUDIT_SECRET")),
+			"AUDIT_SECRET"),
 	}
 
 	if v, ok := generated.Data["IS_OPENSHIFT_ENV"]; ok {
@@ -437,6 +441,9 @@ func (r *AuthenticationReconciler) generateAuthIdpConfigMap(clusterInfo *corev1.
 			}
 		}
 
+		// Found AUDIT variables
+		reqLogger.Info("Found audit variables", "AuditUrl", authCR.Spec.Config.AuditUrl, "AuditSecret", authCR.Spec.Config.AuditSecret)
+
 		// Set the path for SAML connections
 		var masterPath string
 		if masterPath, err = r.getMasterPath(ctx, ctrl.Request{NamespacedName: common.GetObjectKey(s.GetPrimary())}); err != nil {
@@ -466,6 +473,8 @@ func (r *AuthenticationReconciler) generateAuthIdpConfigMap(clusterInfo *corev1.
 				"AUDIT_ENABLED_IDPROVIDER":           "false",
 				"AUDIT_ENABLED_IDMGMT":               "false",
 				"AUDIT_DETAIL":                       "false",
+				"AUDIT_URL":                          *authCR.Spec.Config.AuditUrl,
+				"AUDIT_SECRET":                       *authCR.Spec.Config.AuditSecret,
 				"LOG_LEVEL_IDPROVIDER":               "info",
 				"LOG_LEVEL_AUTHSVC":                  "info",
 				"LOG_LEVEL_IDMGMT":                   "info",

internal/controller/operator/containers.go

@@ -632,7 +632,7 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i
 		"LDAP_SEARCH_CACHE_SIZE", "LDAP_SEARCH_CACHE_TIMEOUT", "LDAP_CTX_POOL_INITSIZE", "LDAP_CTX_POOL_MAXSIZE",
 		"LDAP_CTX_POOL_TIMEOUT", "LDAP_CTX_POOL_WAITTIME", "LDAP_CTX_POOL_PREFERREDSIZE", "LDAP_SEARCH_CACHE_ENABLED",
 		"LDAP_SEARCH_CACHE_SIZELIMIT", "LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS", "LDAP_SEARCH_SIZE_LIMIT",
-		"LDAP_SEARCH_TIME_LIMIT", "LDAP_SEARCH_CN_ATTR_ONLY", "LDAP_SEARCH_ID_ATTR_ONLY",
+		"LDAP_SEARCH_TIME_LIMIT", "LDAP_SEARCH_CN_ATTR_ONLY", "LDAP_SEARCH_ID_ATTR_ONLY", "AUDIT_URL",
 		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "SEQL_LOGGING"}
 	idpEnvVars := buildIdpEnvVars(idpEnvVarList)
 
@@ -700,29 +700,8 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i
 				Drop: []corev1.Capability{"ALL"},
 			},
 		},
-		Resources: *resources,
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				Name:      "auth-key",
-				MountPath: "/opt/ibm/identity-provider/server/boot/auth-key",
-			},
-			{
-				Name:      "identity-provider-cert",
-				MountPath: "/opt/ibm/identity-provider/certs",
-			},
-			{
-				Name:      "saml-cert",
-				MountPath: "/certs/saml-certs",
-			},
-			{
-				Name:      "pgsql-certs",
-				MountPath: "/certs/pgsql",
-			},
-			{
-				Name:      "pgsql-client-cred",
-				MountPath: "/pgsql/clientinfo",
-			},
-		},
+		Resources:    *resources,
+		VolumeMounts: buildIdentityProviderVolumeMounts(instance.Spec.Config.AuditSecret),
 		ReadinessProbe: &corev1.Probe{
 			ProbeHandler: corev1.ProbeHandler{
 				Exec: &corev1.ExecAction{
@@ -994,7 +973,7 @@ func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, id
 		"ROKS_ENABLED", "ROKS_USER_PREFIX", "IDENTITY_AUTH_DIRECTORY_URL", "OIDC_ISSUER_URL", "BOOTSTRAP_USERID", "CLUSTER_NAME", "HTTP_ONLY", "LDAP_SEARCH_SIZE_LIMIT", "LDAP_SEARCH_TIME_LIMIT",
 		"LDAP_SEARCH_CN_ATTR_ONLY", "LDAP_SEARCH_ID_ATTR_ONLY", "LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS", "IGNORE_LDAP_FILTERS_VALIDATION", "AUTH_SVC_LDAP_CONFIG_TIMEOUT",
 		"SCIM_LDAP_SEARCH_SIZE_LIMIT", "SCIM_LDAP_SEARCH_TIME_LIMIT", "SCIM_ASYNC_PARALLEL_LIMIT", "SCIM_GET_DISPLAY_FOR_GROUP_USERS", "ATTR_MAPPING_FROM_CONFIG", "SCIM_AUTH_CACHE_MAX_SIZE", "SCIM_AUTH_CACHE_TTL_VALUE",
-		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "SEQL_LOGGING"}
+		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "SEQL_LOGGING", "AUDIT_URL"}
 
 	idpEnvVars := buildIdpEnvVars(idpEnvVarList)
 
@@ -1068,29 +1047,8 @@ func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, id
 				Drop: []corev1.Capability{"ALL"},
 			},
 		},
-		Resources: *resources,
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				Name:      "cluster-ca",
-				MountPath: "/opt/ibm/identity-mgmt/certs",
-			},
-			{
-				Name:      "platform-identity-management",
-				MountPath: "/opt/ibm/identity-mgmt/server/certs",
-			},
-			{
-				Name:      "scim-ldap-attributes-mapping",
-				MountPath: "/opt/ibm/identity-mgmt/config/scim-config",
-			},
-			{
-				Name:      "pgsql-certs",
-				MountPath: "/certs/pgsql",
-			},
-			{
-				Name:      "pgsql-client-cred",
-				MountPath: "/pgsql/clientinfo",
-			},
-		},
+		Resources:    *resources,
+		VolumeMounts: buildIdentityManagerVolumeMounts(instance.Spec.Config.AuditSecret),
 		ReadinessProbe: &corev1.Probe{
 			ProbeHandler: corev1.ProbeHandler{
 				Exec: &corev1.ExecAction{
@@ -1184,3 +1142,70 @@ func buildInitContainerEnvVars(envVarList []string, configmapName string) []core
 	}
 	return envVars
 }
+
+func buildIdentityManagerVolumeMounts(auditSecretName *string) []corev1.VolumeMount {
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      "cluster-ca",
+			MountPath: "/opt/ibm/identity-mgmt/certs",
+		},
+		{
+			Name:      "platform-identity-management",
+			MountPath: "/opt/ibm/identity-mgmt/server/certs",
+		},
+		{
+			Name:      "scim-ldap-attributes-mapping",
+			MountPath: "/opt/ibm/identity-mgmt/config/scim-config",
+		},
+		{
+			Name:      "pgsql-certs",
+			MountPath: "/certs/pgsql",
+		},
+		{
+			Name:      "pgsql-client-cred",
+			MountPath: "/pgsql/clientinfo",
+		},
+	}
+	if auditSecretName != nil {
+		newVolMount := corev1.VolumeMount{
+			Name:      IMAuditTLSVolume,
+			MountPath: "/certs/audit-tls",
+		}
+		volumeMounts = append(volumeMounts, newVolMount)
+	}
+
+	return volumeMounts
+}
+
+func buildIdentityProviderVolumeMounts(auditSecretName *string) []corev1.VolumeMount {
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      "auth-key",
+			MountPath: "/opt/ibm/identity-provider/server/boot/auth-key",
+		},
+		{
+			Name:      "identity-provider-cert",
+			MountPath: "/opt/ibm/identity-provider/certs",
+		},
+		{
+			Name:      "saml-cert",
+			MountPath: "/certs/saml-certs",
+		},
+		{
+			Name:      "pgsql-certs",
+			MountPath: "/certs/pgsql",
+		},
+		{
+			Name:      "pgsql-client-cred",
+			MountPath: "/pgsql/clientinfo",
+		},
+	}
+	if auditSecretName != nil && *auditSecretName != "" {
+		newVolMount := corev1.VolumeMount{
+			Name:      IMAuditTLSVolume,
+			MountPath: "/certs/audit-tls",
+		}
+		volumeMounts = append(volumeMounts, newVolMount)
+	}
+	return volumeMounts
+}