Add splunk audit configuration for metal-api. (#514)

Gerrit91 · web-flow · commit d461a0dcbb83 · 2026-01-26T14:58:10.000+01:00
diff --git a/control-plane/roles/metal/README.md b/control-plane/roles/metal/README.md
@@ -182,25 +182,36 @@ You can look up all the default values of this role [here](defaults/main.yaml).
 
 Configuration for metal-api:
 
-| Name                                 | Mandatory | Description                                                                |
-| ------------------------------------ | --------- | -------------------------------------------------------------------------- |
-| metal_auditing_timescaledb_enabled   |           | Whether to deploy or not to configure timescaledb auditing. Default false. |
-| metal_auditing_timescaledb_host      |           | The timescaledb host                                                       |
-| metal_auditing_timescaledb_port      |           | The timescaledb port                                                       |
-| metal_auditing_timescaledb_db        |           | The timescaledb database name                                              |
-| metal_auditing_timescaledb_user      |           | The timescaledb user                                                       |
-| metal_auditing_timescaledb_password  |           | The timescaledb password                                                   |
-| metal_auditing_timescaledb_retention |           | The timescaledb retention period, only configurable at first startup       |
-| metal_auditing_search_backend        |           | Explicitly sets a configured audit backend to be used for search           |
+| Name                                 | Mandatory | Description                                                          |
+| ------------------------------------ | --------- | -------------------------------------------------------------------- |
+| metal_auditing_timescaledb_enabled   |           | Whether or not to configure timescaledb auditing. Default false.     |
+| metal_auditing_timescaledb_host      |           | The timescaledb host                                                 |
+| metal_auditing_timescaledb_port      |           | The timescaledb port                                                 |
+| metal_auditing_timescaledb_db        |           | The timescaledb database name                                        |
+| metal_auditing_timescaledb_user      |           | The timescaledb user                                                 |
+| metal_auditing_timescaledb_password  |           | The timescaledb password                                             |
+| metal_auditing_timescaledb_retention |           | The timescaledb retention period, only configurable at first startup |
+| metal_auditing_search_backend        |           | Explicitly sets a configured audit backend to be used for search     |
+
+| Name                              | Mandatory | Description                                                     |
+| --------------------------------- | --------- | --------------------------------------------------------------- |
+| metal_auditing_splunk_enabled     |           | Whetheror not to configure timescaledb auditing. Default false. |
+| metal_auditing_splunk_endpoint    |           | The splunk endpoint.                                            |
+| metal_auditing_splunk_hec_token   |           | The splunk hec token.                                           |
+| metal_auditing_splunk_source      |           | The splunk source.                                              |
+| metal_auditing_splunk_source_type |           | The splunk source type.                                         |
+| metal_auditing_splunk_index       |           | The splunk index.                                               |
+| metal_auditing_splunk_host        |           | The splunk host.                                                |
+| metal_auditing_splunk_ca          |           | The splunk CA (not encoded).                                    |
 
 Configuration for metal-apiserver:
 
-| Name                                           | Mandatory | Description                                                               |
-| ---------------------------------------------- | --------- | ------------------------------------------------------------------------- |
-| metal_apiserver_auditing_enabled               |           | Whether to deploy or not to configure timescaledb auditing. Default true. |
-| metal_apiserver_auditing_timescaledb_host      |           | The timescaledb host                                                      |
-| metal_apiserver_auditing_timescaledb_port      |           | The timescaledb port                                                      |
-| metal_apiserver_auditing_timescaledb_db        |           | The timescaledb database name                                             |
-| metal_apiserver_auditing_timescaledb_user      |           | The timescaledb user                                                      |
-| metal_apiserver_auditing_timescaledb_password  |           | The timescaledb password                                                  |
-| metal_apiserver_auditing_timescaledb_retention |           | The timescaledb retention period, only configurable at first startup      |
+| Name                                           | Mandatory | Description                                                          |
+| ---------------------------------------------- | --------- | -------------------------------------------------------------------- |
+| metal_apiserver_auditing_enabled               |           | Whether or not to configure timescaledb auditing. Default true.       |
+| metal_apiserver_auditing_timescaledb_host      |           | The timescaledb host                                                 |
+| metal_apiserver_auditing_timescaledb_port      |           | The timescaledb port                                                 |
+| metal_apiserver_auditing_timescaledb_db        |           | The timescaledb database name                                        |
+| metal_apiserver_auditing_timescaledb_user      |           | The timescaledb user                                                 |
+| metal_apiserver_auditing_timescaledb_password  |           | The timescaledb password                                             |
+| metal_apiserver_auditing_timescaledb_retention |           | The timescaledb retention period, only configurable at first startup |
diff --git a/control-plane/roles/metal/defaults/main.yaml b/control-plane/roles/metal/defaults/main.yaml
@@ -152,4 +152,13 @@ metal_auditing_timescaledb_user: "postgres"
 metal_auditing_timescaledb_password: "change-me"
 metal_auditing_timescaledb_retention: "14 days"
 
+metal_auditing_splunk_enabled: false
+metal_auditing_splunk_endpoint:
+metal_auditing_splunk_hec_token:
+metal_auditing_splunk_source:
+metal_auditing_splunk_source_type:
+metal_auditing_splunk_index:
+metal_auditing_splunk_host:
+metal_auditing_splunk_ca:
+
 metal_auditing_search_backend:
diff --git a/control-plane/roles/metal/templates/metal-values.j2 b/control-plane/roles/metal/templates/metal-values.j2
@@ -239,7 +239,7 @@ metal_apiserver:
     password: {{ metal_apiserver_redis_password }}
   admin_subjects: {{ metal_apiserver_admin_subjects | to_json }}
   auditing:
-    enabled:  {{ 'true' if metal_apiserver_auditing_enabled else 'false' }}
+    enabled: {{ 'true' if metal_apiserver_auditing_enabled else 'false' }}
     timescaledb:
       host: {{ metal_apiserver_auditing_timescaledb_host }}
       port: {{ metal_apiserver_auditing_timescaledb_port }}
@@ -264,6 +264,17 @@ auditing:
     password: "{{ metal_auditing_timescaledb_password }}"
     retention: "{{ metal_auditing_timescaledb_retention }}"
 {% endif %}
+{% if metal_auditing_splunk_enabled %}
+  splunk:
+    enabled: true
+    endpoint: "{{ metal_auditing_splunk_endpoint }}"
+    hec: "{{ metal_auditing_splunk_hec_token }}"
+    source: "{{ metal_auditing_splunk_source | default('', true) }}"
+    source_type: "{{ metal_auditing_splunk_source_type | default('', true) }}"
+    index: "{{ metal_auditing_splunk_index | default('', true) }}"
+    host: "{{ metal_auditing_splunk_host | default('', true) }}"
+    ca: "{{ (metal_auditing_splunk_ca | b64encode) | default('', true) }}"
+{% endif %}
 
 metal_registry_auth_enabled: "{{ metal_registry_auth_enabled }}"
 metal_registry_auth:
