From 3714242d29848435e903da66a569bd40e7526454 Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Thu, 21 Aug 2025 18:22:29 -0400 Subject: [PATCH 01/10] Housekeeping: lint remaining scripts in logging/bin --- logging/bin/deploy_logging_azmonitor.sh | 7 ++- .../bin/deploy_servicemonitors_openshift.sh | 10 ++-- logging/bin/offboard.sh | 26 ++++---- logging/bin/onboard.sh | 37 ++++++------ logging/bin/remove_eventrouter.sh | 14 ++--- logging/bin/remove_logging_azmonitor.sh | 6 +- .../bin/remove_servicemonitors_openshift.sh | 10 ++-- logging/bin/security_create_rbac.sh | 42 ++++++------- logging/bin/security_delete_rbac.sh | 28 +++++---- logging/bin/user.sh | 60 ++++++++++--------- 10 files changed, 125 insertions(+), 115 deletions(-) diff --git a/logging/bin/deploy_logging_azmonitor.sh b/logging/bin/deploy_logging_azmonitor.sh index af5cee40..febe43bd 100755 --- a/logging/bin/deploy_logging_azmonitor.sh +++ b/logging/bin/deploy_logging_azmonitor.sh @@ -3,15 +3,16 @@ # Copyright © 2020, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit 1 source logging/bin/common.sh # temp file used to capture command output +# shellcheck disable=SC2034 tmpfile=$TMP_DIR/output.txt rm -f tmpfile -if [ "$(kubectl get ns $LOG_NS -o name 2>/dev/null)" == "" ]; then - kubectl create ns $LOG_NS +if [ "$(kubectl get ns "$LOG_NS" -o name 2>/dev/null)" == "" ]; then + kubectl create ns "$LOG_NS" fi set -e diff --git a/logging/bin/deploy_servicemonitors_openshift.sh b/logging/bin/deploy_servicemonitors_openshift.sh index c4822739..0289266d 100755 --- a/logging/bin/deploy_servicemonitors_openshift.sh +++ b/logging/bin/deploy_servicemonitors_openshift.sh 
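Review bot: In logging/bin/deploy_logging_azmonitor.sh the added `# shellcheck disable=SC2034` hides a real bug rather than a false positive. The line after the assignment runs `rm -f tmpfile`, which removes a file literally named `tmpfile` in the current directory and never touches `$TMP_DIR/output.txt`. Dropping the directive and changing the line to `rm -f -- "$tmpfile"` clears the warning and makes the cleanup act on the intended path. This hunk also uses `|| exit 1` after `cd` where the other scripts in the commit use a bare `|| exit`; one form throughout would keep the scripts consistent.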
@@ -3,10 +3,10 @@ # Copyright © 2021, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh -this_script=`basename "$0"` +this_script=$(basename "$0") log_debug "Script [$this_script] has started [$(date)]" @@ -21,19 +21,19 @@ fi EVENTROUTER_ENABLE=${EVENTROUTER_ENABLE:-true} if [ "$EVENTROUTER_ENABLE" == "true" ]; then # Eventrouter ServiceMonitor - kubectl apply -n $LOG_NS -f monitoring/monitors/kube/podMonitor-eventrouter.yaml + kubectl apply -n "$LOG_NS" -f monitoring/monitors/kube/podMonitor-eventrouter.yaml fi ELASTICSEARCH_ENABLE=${ELASTICSEARCH_ENABLE:-true} if [ "$ELASTICSEARCH_ENABLE" == "true" ]; then # Elasticsearch ServiceMonitor - kubectl apply -n $LOG_NS -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml + kubectl apply -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml fi FLUENT_BIT_ENABLED=${FLUENT_BIT_ENABLED:-true} if [ "$FLUENT_BIT_ENABLED" == "true" ]; then # Fluent Bit ServiceMonitors - kubectl apply -n $LOG_NS -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml + kubectl apply -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml fi log_info "ServiceMonitors have been deployed." diff --git a/logging/bin/offboard.sh b/logging/bin/offboard.sh index 9ade0ba9..bf7e3ac0 100755 --- a/logging/bin/offboard.sh +++ b/logging/bin/offboard.sh @@ -3,14 +3,14 @@ # Copyright © 2021, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh source logging/bin/apiaccess-include.sh source logging/bin/secrets-include.sh source logging/bin/rbac-include.sh -this_script=`basename "$0"` +this_script=$(basename "$0") function show_usage { 
@@ -40,7 +40,7 @@ POS_PARMS="" while (( "$#" )); do case "$1" in -ns|--namespace) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then namespace=$2 shift 2 else @@ -50,7 +50,7 @@ while (( "$#" )); do fi ;; -t|--tenant) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then tenant=$2 shift 2 else @@ -63,7 +63,7 @@ while (( "$#" )); do show_usage exit ;; - -*|--*=) # unsupported flags + --*=|-*) # unsupported flags log_error "Unsupported flag $1" >&2 show_usage exit 1 @@ -96,15 +96,16 @@ if [ "$namespace" == "global" ]; then exit 1 fi -validateNamespace $namespace +validateNamespace "$namespace" if [ -n "$tenant" ]; then - validateTenantID $tenant + validateTenantID "$tenant" nst="${namespace}_${tenant}" index_nst="${namespace}-__${tenant}__" else nst="$namespace" + # shellcheck disable=SC2034 index_nst="${namespace}" fi @@ -115,6 +116,7 @@ if [ -n "$tenant" ]; then tenant_description="An OpenSearch Dashboards tenant space for tenant [$tenant] within SAS Viya deployment (namespace) [$namespace]." log_notice "Offboarding tenant [$tenant] within namespace [$namespace] [$(date)]" else + # shellcheck disable=SC2034 tenant_description="An OpenSearch Dashboards tenant space for SAS Viya deployment (namespace) [$namespace]." log_notice "Offboarding namespace [$namespace] [$(date)]" fi 
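Review bot: The `# shellcheck disable=SC2034` directives added above `index_nst="${namespace}"` and, in the following hunk, above `tenant_description=…` silence the "assigned but unused" warning without saying why. If a sourced include or a child script reads these variables, a short reason on the directive keeps the suppression reviewable, e.g. `# shellcheck disable=SC2034 # read by <name of sourced include>`. If nothing reads them, deleting the assignments is the cleaner fix. The same directive on `index_nst` is added in logging/bin/onboard.sh.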
@@ -150,14 +152,14 @@ fi # Delete ES index containing tenant content kibana_index_name=".kibana_*_$(echo "$ktenant"|tr -d _)" -response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/$kibana_index_name" --user $ES_ADMIN_USER:$ES_ADMIN_PASSWD --insecure) +response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/$kibana_index_name" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) if [[ $response == 2* ]]; then log_info "Deleted index [$kibana_index_name]. [$response]" else log_warn "There was an issue deleting the index [$kibana_index_name] holding content related to OpenSearch Dashboards tenant space [$ktenant]. You may need to manually delete this index. [$response]" fi -response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/${kibana_index_name}_*" --user $ES_ADMIN_USER:$ES_ADMIN_PASSWD --insecure) +response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/${kibana_index_name}_*" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) if [[ $response == 2* ]]; then log_info "Deleted index [${kibana_index_name}_*]. [$response]" else @@ -166,13 +168,13 @@ fi # Delete access controls -./logging/bin/security_delete_rbac.sh $namespace $tenant +./logging/bin/security_delete_rbac.sh "$namespace" "$tenant" # Delete Grafana Datasource utility user (if exists) grfds_user="${nst}_grafana_ds" -if user_exists $grfds_user; then +if user_exists "$grfds_user"; then log_verbose "Removing the [$grfds_user] utility account." - delete_user $grfds_user + delete_user "$grfds_user" fi # Reminder that users are not deleted diff --git a/logging/bin/onboard.sh b/logging/bin/onboard.sh index c59cf6e4..7beab11f 100755 --- a/logging/bin/onboard.sh +++ b/logging/bin/onboard.sh 
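Review bot: Both DELETE calls in this hunk still send the OpenSearch admin credentials with `--insecure` and with the password on curl's command line; requoting to `--user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD"` changes neither. With certificate verification off, the admin password is sent to whatever endpoint answers at `$es_api_url`, and the argument list is readable by other local users through the process list while curl runs. Consider verifying against the cluster CA (`--cacert <path-to-CA-bundle>`) and supplying the credentials through a curl config read from stdin (`-K -`) rather than `--user` on argv. The same pattern is in the two curl calls in logging/bin/user.sh later in this patch. As a matter of style, one quoted word, `"$ES_ADMIN_USER:$ES_ADMIN_PASSWD"`, reads more clearly than two adjacent quoted strings.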
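Review bot: Quoting `"$tenant"` in `./logging/bin/security_delete_rbac.sh "$namespace" "$tenant"` changes what the child script receives when no tenant was given: the unquoted form passed one argument, the quoted form passes a second, empty one. Whether that matters depends on how security_delete_rbac.sh counts or tests its positional parameters, which this hunk does not show; if it checks `$#`, the no-tenant path now behaves differently. Passing the tenant only when it is set keeps the old behaviour, e.g. `./logging/bin/security_delete_rbac.sh "$namespace" ${tenant:+"$tenant"}`. The `security_create_rbac.sh "$namespace" "$tenant"` call in logging/bin/onboard.sh has the same change.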
@@ -1,16 +1,16 @@ #! /bin/bash -# Copyright © 2021, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. +# Copyright © 2021, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh source logging/bin/apiaccess-include.sh source logging/bin/secrets-include.sh source logging/bin/rbac-include.sh -this_script=`basename "$0"` +this_script=$(basename "$0") function show_usage { @@ -44,7 +44,7 @@ POS_PARMS="" while (( "$#" )); do case "$1" in -ns|--namespace) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then namespace=$2 shift 2 else @@ -54,7 +54,7 @@ while (( "$#" )); do fi ;; -t|--tenant) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then tenant=$2 shift 2 else @@ -64,7 +64,7 @@ while (( "$#" )); do fi ;; -u|--user) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then createuser=true inituser=$2 shift 2 @@ -75,7 +75,7 @@ while (( "$#" )); do fi ;; -p|--password) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then initpasswd=$2 shift 2 else @@ -124,12 +124,13 @@ fi validateNamespace "$namespace" if [ -n "$tenant" ]; then - validateTenantID $tenant + validateTenantID "$tenant" nst="${namespace}_${tenant}" index_nst="${namespace}-__${tenant}__" else nst="$namespace" + # shellcheck disable=SC2034 index_nst="${namespace}" fi 
@@ -175,29 +176,29 @@ fi get_kb_api_url # Import appropriate content into OpenSearch Dashboards tenant space -./logging/bin/import_osd_content.sh logging/osd/common $ktenant +./logging/bin/import_osd_content.sh logging/osd/common "$ktenant" if [ -z "$tenant" ]; then - ./logging/bin/import_osd_content.sh logging/osd/namespace $ktenant + ./logging/bin/import_osd_content.sh logging/osd/namespace "$ktenant" else - ./logging/bin/import_osd_content.sh logging/osd/tenant $ktenant + ./logging/bin/import_osd_content.sh logging/osd/tenant "$ktenant" fi if [ -d "$USER_DIR/logging/osd" ] && [ "$USER_DIR" != "$(pwd)" ]; then export IGNORE_NOT_FOUND="true" - ./logging/bin/import_osd_content.sh $USER_DIR/logging/osd/common $ktenant + ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/common "$ktenant" if [ -z "$tenant" ]; then - ./logging/bin/import_osd_content.sh $USER_DIR/logging/osd/namespace $ktenant + ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/namespace "$ktenant" else - ./logging/bin/import_osd_content.sh $USER_DIR/logging/osd/tenant $ktenant + ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/tenant "$ktenant" fi unset IGNORE_NOT_FOUND fi # Create access controls -./logging/bin/security_create_rbac.sh $namespace $tenant +./logging/bin/security_create_rbac.sh "$namespace" "$tenant" # Create an initial user if [ "$createuser" == "true" ]; then 
@@ -215,15 +216,15 @@ if [ "$createuser" == "true" ]; then passwdarg="" fi - if user_exists $inituser; then + if user_exists "$inituser"; then log_warn "A user with the requested user name of [$inituser] already exists; the initial user account you requested was NOT created." log_warn "This existing user may have completely different access controls than you intended for the initial user." log_warn "You can create a new user with the appropriate access controls by calling the logging/bin/user.sh script directly." else if [ -z "$tenant" ]; then - ./logging/bin/user.sh CREATE -ns $namespace -u $inituser $passwdarg + ./logging/bin/user.sh CREATE -ns "$namespace" -u "$inituser" "$passwdarg" else - ./logging/bin/user.sh CREATE -ns $namespace -t $tenant -u $inituser $passwdarg + ./logging/bin/user.sh CREATE -ns "$namespace" -t "$tenant" -u "$inituser" "$passwdarg" fi fi else diff --git a/logging/bin/remove_eventrouter.sh b/logging/bin/remove_eventrouter.sh index d89e17c2..c109d643 100755 --- a/logging/bin/remove_eventrouter.sh +++ b/logging/bin/remove_eventrouter.sh 
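Review bot: Quoting `"$passwdarg"` in both `user.sh CREATE` calls turns what appears to be a flag-plus-value string into a single argument. The context line `passwdarg=""` shows the empty case; the non-empty assignment is outside the hunk, but if it holds something like `-p <password>`, user.sh now receives one word that its `-p|--password)` case arm cannot match, and in the empty case it receives an extra empty argument. An array carries the option safely: assign `passwdarg=(-p "$initpasswd")` or `passwdarg=()` where the variable is set, and call with `"${passwdarg[@]}"`. Separately, this call puts the initial password on user.sh's command line, where it is visible in the process list for the life of the child process; handing it over through the environment or stdin would avoid that.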
@@ -3,24 +3,24 @@ # Copyright © 2020, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh -this_script=`basename "$0"` +this_script=$(basename "$0") log_debug "Script [$this_script] has started [$(date)]" # Copy template files to temp logDir=$TMP_DIR/$LOG_NS -mkdir -p $logDir -cp -R logging/eventrouter/eventrouter.yaml $logDir/eventrouter.yaml +mkdir -p "$logDir" +cp -R logging/eventrouter/eventrouter.yaml "$logDir"/eventrouter.yaml # Replace placeholders log_debug "Replacing logging namespace for files in [$logDir]" if echo "$OSTYPE" | grep 'darwin' > /dev/null 2>&1; then - sed -i '' "s/__LOG_NS__/$LOG_NS/g" $logDir/eventrouter.yaml + sed -i '' "s/__LOG_NS__/$LOG_NS/g" "$logDir"/eventrouter.yaml else - sed -i "s/__LOG_NS__/$LOG_NS/g" $logDir/eventrouter.yaml + sed -i "s/__LOG_NS__/$LOG_NS/g" "$logDir"/eventrouter.yaml fi log_info "Removing Event Router [$(date)]" @@ -30,7 +30,7 @@ if [[ $V4M_CURRENT_VERSION_FULL =~ 1.0 || $V4M_CURRENT_VERSION_FULL =~ 1.1.[0-2] log_info "Removing instance of Event Router in the kube-system namespace" kubectl delete --ignore-not-found -f logging/eventrouter/eventrouter_kubesystem.yaml else - kubectl delete --ignore-not-found -f $logDir/eventrouter.yaml + kubectl delete --ignore-not-found -f "$logDir"/eventrouter.yaml fi log_debug "Script [$this_script] has completed [$(date)]" diff --git a/logging/bin/remove_logging_azmonitor.sh b/logging/bin/remove_logging_azmonitor.sh index a543e81d..9f1df9ca 100755 --- a/logging/bin/remove_logging_azmonitor.sh +++ b/logging/bin/remove_logging_azmonitor.sh 
@@ -3,7 +3,7 @@ # Copyright © 2020, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh LOG_DELETE_NAMESPACE_ON_REMOVE=${LOG_DELETE_NAMESPACE_ON_REMOVE:-false} @@ -18,7 +18,7 @@ logging/bin/remove_eventrouter.sh if [ "$LOG_DELETE_NAMESPACE_ON_REMOVE" == "true" ]; then log_info "Deleting the [$LOG_NS] namespace..." - if kubectl delete namespace $LOG_NS --timeout $KUBE_NAMESPACE_DELETE_TIMEOUT; then + if kubectl delete namespace "$LOG_NS" --timeout "$KUBE_NAMESPACE_DELETE_TIMEOUT"; then log_info "[$LOG_NS] namespace and logging components successfully removed" exit 0 else @@ -37,7 +37,7 @@ crds=( secrets all ) empty="true" for crd in "${crds[@]}" do - out=$(kubectl get -n $LOG_NS $crd 2>&1) + out=$(kubectl get -n "$LOG_NS" "$crd" 2>&1) if [[ "$out" =~ 'No resources found' ]]; then : else diff --git a/logging/bin/remove_servicemonitors_openshift.sh b/logging/bin/remove_servicemonitors_openshift.sh index a182af0c..a9f47159 100755 --- a/logging/bin/remove_servicemonitors_openshift.sh +++ b/logging/bin/remove_servicemonitors_openshift.sh @@ -3,10 +3,10 @@ # Copyright © 2021, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh -this_script=`basename "$0"` +this_script=$(basename "$0") log_debug "Script [$this_script] has started [$(date)]" 
@@ -21,19 +21,19 @@ fi EVENTROUTER_ENABLE=${EVENTROUTER_ENABLE:-true} if [ "$EVENTROUTER_ENABLE" == "true" ]; then # Eventrouter ServiceMonitor - kubectl delete --ignore-not-found -n $LOG_NS -f monitoring/monitors/kube/podMonitor-eventrouter.yaml + kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/kube/podMonitor-eventrouter.yaml fi ELASTICSEARCH_ENABLE=${ELASTICSEARCH_ENABLE:-true} if [ "$ELASTICSEARCH_ENABLE" == "true" ]; then # Elasticsearch ServiceMonitor - kubectl delete --ignore-not-found -n $LOG_NS -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml + kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml fi FLUENT_BIT_ENABLED=${FLUENT_BIT_ENABLED:-true} if [ "$FLUENT_BIT_ENABLED" == "true" ]; then # Fluent Bit ServiceMonitors - kubectl delete --ignore-not-found -n $LOG_NS -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml + kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml fi log_info "ServiceMonitors have been removed." diff --git a/logging/bin/security_create_rbac.sh b/logging/bin/security_create_rbac.sh index 51716ba7..28cb20c5 100755 --- a/logging/bin/security_create_rbac.sh +++ b/logging/bin/security_create_rbac.sh @@ -23,9 +23,9 @@ # backend role: 'V4MCLUSTER_ADMIN_kibana_users' roles: 'tenant_cluster_admins' and 'search_index_-ALL-' # -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh -this_script=`basename "$0"` +this_script=$(basename "$0") source logging/bin/rbac-include.sh source logging/bin/apiaccess-include.sh @@ -92,7 +92,7 @@ else exit elif [ -n "$tenant" ]; then - validateTenantID $tenant + validateTenantID "$tenant" NST="${namespace}_${tenant}" INDEX_NST="${namespace}-__${tenant}__" 
@@ -119,19 +119,21 @@ else fi # Copy RBAC templates -cp logging/opensearch/rbac $TMP_DIR -r +cp logging/opensearch/rbac "$TMP_DIR" -r # Replace PLACEHOLDERS -sed -i'.bak' "s/xxIDXPREFIXxx/$INDEX_PREFIX/g" $TMP_DIR/rbac/*.json # IDXPREFIX -sed -i'.bak' "s/xxNAMESPACExx/$namespace/g" $TMP_DIR/rbac/*.json # NAMESPACE -sed -i'.bak' "s/xxTENANTxx/$tenant/g" $TMP_DIR/rbac/*.json # TENANT -sed -i'.bak' "s/xxIDXNSTxx/$INDEX_NST/g" $TMP_DIR/rbac/*.json # NAMESPACE|NAMESPACE-__TENANT__ (used in index names) -sed -i'.bak' "s/xxNSTxx/$NST/g" $TMP_DIR/rbac/*.json # NAMESPACE|NAMESPACE_TENANT (used in RBAC names) +sed -i'.bak' "s/xxIDXPREFIXxx/$INDEX_PREFIX/g" "$TMP_DIR"/rbac/*.json # IDXPREFIX +sed -i'.bak' "s/xxNAMESPACExx/$namespace/g" "$TMP_DIR"/rbac/*.json # NAMESPACE +sed -i'.bak' "s/xxTENANTxx/$tenant/g" "$TMP_DIR"/rbac/*.json # TENANT +sed -i'.bak' "s/xxIDXNSTxx/$INDEX_NST/g" "$TMP_DIR"/rbac/*.json # NAMESPACE|NAMESPACE-__TENANT__ (used in index names) +sed -i'.bak' "s/xxNSTxx/$NST/g" "$TMP_DIR"/rbac/*.json # NAMESPACE|NAMESPACE_TENANT (used in RBAC names) # get admin credentials -export ES_ADMIN_USER=$(kubectl -n $LOG_NS get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) -export ES_ADMIN_PASSWD=$(kubectl -n $LOG_NS get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) +# shellcheck disable=SC2155 +export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) +# shellcheck disable=SC2155 +export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) # Get Security API URL 
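Review bot: The two `# shellcheck disable=SC2155` directives keep `export ES_ADMIN_USER=$(kubectl … | base64 --decode)` as one statement, so a failed secret lookup stays invisible: `export` returns 0 and the script carries on with empty admin credentials. Splitting the statement fixes the warning and lets the script stop, e.g. `ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" | base64 --decode) || exit 1` followed by `export ES_ADMIN_USER`, plus a `[ -n "$ES_ADMIN_USER" ]` check, because unless common.sh enables `pipefail` the pipeline reports only base64's status. The same suppression is added in logging/bin/security_delete_rbac.sh and logging/bin/user.sh. In this hunk `cp logging/opensearch/rbac "$TMP_DIR" -r` also places the option after the operands, which GNU cp accepts but BSD/macOS cp does not; `cp -r logging/opensearch/rbac "$TMP_DIR"` is portable.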
@@ -144,26 +146,26 @@ fi #index user (controls access to indexes) -ensure_role_exists $ROLENAME $TMP_DIR/rbac/$index_role_template -add_rolemapping $ROLENAME $BE_ROLENAME +ensure_role_exists "$ROLENAME" "$TMP_DIR"/rbac/$index_role_template +add_rolemapping "$ROLENAME" "$BE_ROLENAME" #grafana_ds_user (used by Grafana datasource) -ensure_role_exists v4m_grafana_dsuser $TMP_DIR/rbac/v4m_grafana_dsuser_role.json -add_rolemapping v4m_grafana_dsuser $BE_GFDS_ROLENAME null -add_rolemapping $ROLENAME $BE_GFDS_ROLENAME +ensure_role_exists v4m_grafana_dsuser "$TMP_DIR"/rbac/v4m_grafana_dsuser_role.json +add_rolemapping v4m_grafana_dsuser "$BE_GFDS_ROLENAME" null +add_rolemapping "$ROLENAME" "$BE_GFDS_ROLENAME" #tenant role (controls access to Kibanas tenant spaces) if [ "$create_ktenant_roles" == "true" ]; then - ensure_role_exists tenant_${NST} $TMP_DIR/rbac/$kibana_tenant_role_template - add_rolemapping tenant_${NST} $BE_ROLENAME + ensure_role_exists tenant_"${NST}" "$TMP_DIR"/rbac/$kibana_tenant_role_template + add_rolemapping tenant_"${NST}" "$BE_ROLENAME" fi #kibana_user -ensure_role_exists v4m_kibana_user $TMP_DIR/rbac/v4m_kibana_user_role.json -add_rolemapping v4m_kibana_user $BE_ROLENAME null +ensure_role_exists v4m_kibana_user "$TMP_DIR"/rbac/v4m_kibana_user_role.json +add_rolemapping v4m_kibana_user "$BE_ROLENAME" null log_notice "Access controls created [$(date)]" echo "" diff --git a/logging/bin/security_delete_rbac.sh b/logging/bin/security_delete_rbac.sh index fa3ac25c..1d291569 100755 --- a/logging/bin/security_delete_rbac.sh +++ b/logging/bin/security_delete_rbac.sh @@ -22,9 +22,9 @@ # backend role: 'V4MCLUSTER_ADMIN_kibana_users' roles: 'tenant_cluster_admins' and 'search_index_-ALL-' # -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." || exit source logging/bin/common.sh -this_script=`basename "$0"` +this_script=$(basename "$0") source logging/bin/rbac-include.sh source logging/bin/apiaccess-include.sh 
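Review bot: The template arguments are only partly quoted: in `"$TMP_DIR"/rbac/$index_role_template` and `"$TMP_DIR"/rbac/$kibana_tenant_role_template` the trailing variable is still open to word splitting and globbing. Quoting the whole word is safer and easier to read, e.g. `ensure_role_exists "$ROLENAME" "$TMP_DIR/rbac/$index_role_template"`, and `"tenant_${NST}"` instead of `tenant_"${NST}"`. The same whole-word form would suit the `"$TMP_DIR"/user.json` and `"$logDir"/eventrouter.yaml` paths elsewhere in the patch.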
@@ -70,7 +70,7 @@ else validateNamespace "$namespace" if [ -n "$tenant" ]; then - validateTenantID $tenant + validateTenantID "$tenant" NST="${namespace}_${tenant}" @@ -89,8 +89,10 @@ else fi # get admin credentials -export ES_ADMIN_USER=$(kubectl -n $LOG_NS get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) -export ES_ADMIN_PASSWD=$(kubectl -n $LOG_NS get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) +# shellcheck disable=SC2155 +export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) +# shellcheck disable=SC2155 +export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) # Get Security API URL get_sec_api_url @@ -101,23 +103,23 @@ if [ -z "$sec_api_url" ]; then fi # handle $ROLENAME -if role_exists $ROLENAME; then - delete_rolemappings $ROLENAME - delete_role $ROLENAME +if role_exists "$ROLENAME"; then + delete_rolemappings "$ROLENAME" + delete_role "$ROLENAME" # handle tenant_$NST - delete_rolemappings tenant_${NST} - delete_role tenant_${NST} + delete_rolemappings tenant_"${NST}" + delete_role tenant_"${NST}" else log_verbose "The role [$ROLENAME] does not exist; nothing to delete" fi # handle KIBANA_USER -remove_rolemapping kibana_user $BACKENDROLE # Needed for RBACs created prior to MT support (should be no-op for post MT RBACs) -remove_rolemapping v4m_kibana_user $BACKENDROLE +remove_rolemapping kibana_user "$BACKENDROLE" # Needed for RBACs created prior to MT support (should be no-op for post MT RBACs) +remove_rolemapping v4m_kibana_user "$BACKENDROLE" # handle Grafana Data Source user -remove_rolemapping v4m_grafana_dsuser $GFDS_BACKENDROLE +remove_rolemapping v4m_grafana_dsuser "$GFDS_BACKENDROLE" log_notice "Access controls deleted [$(date)]" echo "" diff --git a/logging/bin/user.sh b/logging/bin/user.sh index 36988a3e..31373726 100755 --- a/logging/bin/user.sh 
+++ b/logging/bin/user.sh @@ -5,9 +5,9 @@ # SPDX-License-Identifier: Apache-2.0 -cd "$(dirname $BASH_SOURCE)/../.." +cd "$(dirname "$BASH_SOURCE")/../.." source logging/bin/common.sh -this_script=`basename "$0"` +this_script=$(basename "$0") source logging/bin/rbac-include.sh source logging/bin/apiaccess-include.sh @@ -55,7 +55,7 @@ POS_PARMS="" while (( "$#" )); do case "$1" in -ns|--namespace) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then namespace=$2 shift 2 else @@ -65,7 +65,7 @@ while (( "$#" )); do fi ;; -t|--tenant) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then tenant=$2 shift 2 else @@ -75,7 +75,7 @@ while (( "$#" )); do fi ;; -u|--user|--username) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then username=$2 shift 2 else @@ -85,7 +85,7 @@ while (( "$#" )); do fi ;; -p|--password) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then password=$2 shift 2 else @@ -122,7 +122,7 @@ if [ "$#" -lt 1 ]; then show_usage exit 1 else - action=$(echo $1|tr '[a-z]' '[A-Z]') + action=$(echo "$1"|tr '[a-z]' '[A-Z]') shift if [ "$action" != "CREATE" ] && [ "$action" != "DELETE" ] ; then @@ -135,7 +135,7 @@ fi log_debug "Action: $action" if [ "$show_usage" == "1" ]; then - show_usage $action + show_usage "$action" exit fi @@ -157,7 +157,7 @@ tenant=$(echo "$tenant"| tr '[:upper:]' '[:lower:]') if [ "$namespace" == "_all_" ] && [ "$tenant" == "_all_" ]; then if [ -z "$username" ] && [ "$grafanads_user" != "true" ]; then log_error "Required parameter USERNAME not specified" - show_usage $action + show_usage "$action" exit 4 fi cluster="true" @@ -168,7 +168,7 @@ else if [ -z "$username" ] && [ -z "$namespace" ]; then log_error "Required parameter(s) NAMESPACE and/or USERNAME not specified" - show_usage $action + show_usage "$action" exit 4 fi fi 
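Review bot: The `cd "$(dirname "$BASH_SOURCE")/../.."` line in logging/bin/user.sh is requoted but, unlike every other script touched by this commit, gets no `|| exit`. If the `cd` fails, `source logging/bin/common.sh` and the other relative `source` lines resolve against whatever directory the caller was in, so the script could load include files from an unintended location before it handles admin credentials. Suggested line: `cd "$(dirname "$BASH_SOURCE")/../.." || exit 1`.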
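Review bot: The `-p|--password)` arm takes the password as a command-line value, and its guard `[ "${2:0:1}" != "-" ]` treats any password that begins with `-` as a missing value. Command-line arguments are visible to other local users in the process list, so the secret is exposed while the script runs. Both limits deserve a comment on the arm and a line in the usage text, for example `# NOTE: value is visible in process listings; a leading '-' is reported as a missing value`. The identical arm in logging/bin/onboard.sh has the same behaviour.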
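Review bot: `action=$(echo "$1"|tr '[a-z]' '[A-Z]')` is requoted but keeps bracketed ranges, which tr treats as literal `[` and `]` characters rather than as a character class. The file already uses the class form for namespace and tenant (`tr '[:upper:]' '[:lower:]'`), so `action=$(echo "$1" | tr '[:lower:]' '[:upper:]')` would match it and behave the same in every locale.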
@@ -176,8 +176,10 @@ fi log_debug "CLUSTER: $cluster NAMESPACE: $namespace TENANT: $tenant NST: $nst USERNAME: $username" # get admin credentials -export ES_ADMIN_USER=$(kubectl -n $LOG_NS get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) -export ES_ADMIN_PASSWD=$(kubectl -n $LOG_NS get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) +# shellcheck disable=SC2155 +export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) +# shellcheck disable=SC2155 +export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) # Get Security API URL @@ -233,13 +235,13 @@ case "$action" in log_info "Attempting to create user [$username] and grant them access to log messages from $scope [$(date)]" # Check if user exists - if user_exists $username; then + if user_exists "$username"; then log_error "A user with this name [$username] already exists." exit 1 fi #Check if role exists - if ! role_exists $rolename; then + if ! role_exists "$rolename"; then log_error "The expected access control role [$rolename] does NOT exist." if [ "$cluster" != "true" ]; then log_error "You must on-oboard $scope to create required the access control role." 
@@ -265,31 +267,31 @@ case "$action" in fi exitnow="false" - weakpass="false" + weakpassword="false" loopcounter=1 until [ "$exitnow" == "true" ] do - cp logging/opensearch/rbac/user.json $TMP_DIR/user.json + cp logging/opensearch/rbac/user.json "$TMP_DIR"/user.json # Replace PLACEHOLDERS - sed -i'.bak' "s/xxBEROLExx/$berole/g" $TMP_DIR/user.json # (NAMESPACE|NAMESPACE_TENANT|'V4MCLUSTER_ADMIN') + '_kibana_users' - sed -i'.bak' "s/xxNSCONSTRAINTxx/$nsconstraint/g" $TMP_DIR/user.json # NAMESPACE|'-none-' - sed -i'.bak' "s/xxTCONSTRAINTxx/$tconstraint/g" $TMP_DIR/user.json # TENANT|'-none-' - sed -i'.bak' "s/xxPASSWORDxx/$password/g" $TMP_DIR/user.json # PASSWORD - sed -i'.bak' "s/xxCREATEDBYxx/$this_script/g" $TMP_DIR/user.json # CREATEDBY - sed -i'.bak' "s/xxPWDCHANGEXX/$pwdchangetxt/g" $TMP_DIR/user.json # PASSWORD CHANGE MECHANISM (OSD|change_internal_password.sh script) - sed -i'.bak' "s/xxDATETIMExx/$(date)/g" $TMP_DIR/user.json # DATE + sed -i'.bak' "s/xxBEROLExx/$berole/g" "$TMP_DIR"/user.json # (NAMESPACE|NAMESPACE_TENANT|'V4MCLUSTER_ADMIN') + '_kibana_users' + sed -i'.bak' "s/xxNSCONSTRAINTxx/$nsconstraint/g" "$TMP_DIR"/user.json # NAMESPACE|'-none-' + sed -i'.bak' "s/xxTCONSTRAINTxx/$tconstraint/g" "$TMP_DIR"/user.json # TENANT|'-none-' + sed -i'.bak' "s/xxPASSWORDxx/$password/g" "$TMP_DIR"/user.json # PASSWORD + sed -i'.bak' "s/xxCREATEDBYxx/$this_script/g" "$TMP_DIR"/user.json # CREATEDBY + sed -i'.bak' "s/xxPWDCHANGEXX/$pwdchangetxt/g" "$TMP_DIR"/user.json # PASSWORD CHANGE MECHANISM (OSD|change_internal_password.sh script) + sed -i'.bak' "s/xxDATETIMExx/$(date)/g" "$TMP_DIR"/user.json # DATE - log_debug "Contents of user.json template file after substitutions: \n $(cat $TMP_DIR/user.json)" + log_debug "Contents of user.json template file after substitutions: \n $(cat "$TMP_DIR"/user.json)" #remove any existing instance of this file - rm -f $TMP_DIR/user_create.txt + rm -f "$TMP_DIR"/user_create.txt # Create user - response=$(curl -s -o 
$TMP_DIR/user_create.txt -w "%{http_code}" -XPUT "$sec_api_url/internalusers/$username" -H 'Content-Type: application/json' -d @$TMP_DIR/user.json --user $ES_ADMIN_USER:$ES_ADMIN_PASSWD --insecure) + response=$(curl -s -o "$TMP_DIR"/user_create.txt -w "%{http_code}" -XPUT "$sec_api_url/internalusers/$username" -H 'Content-Type: application/json' -d @"$TMP_DIR"/user.json --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) - if grep -i 'weak password' $TMP_DIR/user_create.txt >/dev/null 2>&1; then + if grep -i 'weak password' "$TMP_DIR"/user_create.txt >/dev/null 2>&1; then log_warn "The password specified for user [$username] did not meet complexity requirements of OpenSearch." log_warn "A randomly generated password will be used instead." log_warn "Check notices below for additional details." @@ -342,7 +344,7 @@ case "$action" in log_info "Attempting to remove user [$username] from the internal user database [$(date)]" # Check if user exists - if ! user_exists $username; then + if ! user_exists "$username"; then log_error "There was an issue deleting the user [$username]; the user does NOT exists." exit 1 else @@ -350,7 +352,7 @@ case "$action" in fi # Delete user - response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "$sec_api_url/internalusers/$username" --user $ES_ADMIN_USER:$ES_ADMIN_PASSWD --insecure) + response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "$sec_api_url/internalusers/$username" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) if [[ $response != 2* ]]; then log_error "There was an issue deleting the user [$username]. [$response]" exit 1 From e298a3e6178742031ed9ed1bde7cfed26809796c Mon Sep 17 00:00:00 2001 
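Review bot: The password is spliced into a sed program by `sed -i'.bak' "s/xxPASSWORDxx/$password/g"`, so a password containing `/`, `&`, `\` or `"` either breaks the substitution or writes something other than the intended value into user.json, and the value also appears in sed's argument list. The `log_debug "Contents of user.json template file after substitutions: …"` line then writes the populated file, password included, to the debug log, and the `.bak` copy left by the later `sed -i'.bak'` calls holds it as well. Consider escaping the replacement (or producing the JSON with a JSON-aware tool), logging only that the template was filled in, e.g. `log_debug "user.json populated for user [$username]"`, and removing `"$TMP_DIR"/user.json*` once the request returns. The hunk also renames `weakpass` to `weakpassword`; the loop body continues past the hunk, so confirm that no later line still reads `weakpass`.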
From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:40:53 -0400 Subject: [PATCH 02/10] Linting: shftmt (1) --- logging/bin/deploy_logging_azmonitor.sh | 3 +- .../bin/deploy_servicemonitors_openshift.sh | 16 +- logging/bin/offboard.sh | 172 +++++++++--------- 3 files changed, 93 insertions(+), 98 deletions(-) diff --git a/logging/bin/deploy_logging_azmonitor.sh b/logging/bin/deploy_logging_azmonitor.sh index febe43bd..ce6497c5 100755 --- a/logging/bin/deploy_logging_azmonitor.sh +++ b/logging/bin/deploy_logging_azmonitor.sh @@ -12,7 +12,7 @@ tmpfile=$TMP_DIR/output.txt rm -f tmpfile if [ "$(kubectl get ns "$LOG_NS" -o name 2>/dev/null)" == "" ]; then - kubectl create ns "$LOG_NS" + kubectl create ns "$LOG_NS" fi set -e @@ -26,6 +26,5 @@ log_notice "Deploying logging components to the [$LOG_NS] namespace [$(date)]" log_info "STEP 1: Deploying Fluent Bit" logging/bin/deploy_fluentbit_azmonitor.sh - log_notice "The deployment of logging components has completed [$(date)]" echo "" diff --git a/logging/bin/deploy_servicemonitors_openshift.sh b/logging/bin/deploy_servicemonitors_openshift.sh index 0289266d..45646767 100755 --- a/logging/bin/deploy_servicemonitors_openshift.sh +++ b/logging/bin/deploy_servicemonitors_openshift.sh 
@@ -14,26 +14,26 @@ log_debug "Script [$this_script] has started [$(date)]" DEPLOY_SERVICEMONITORS=${DEPLOY_SERVICEMONITORS:-false} if [ "$DEPLOY_SERVICEMONITORS" != "true" ]; then - log_info "Environment variable [DEPLOY_SERVICEMONITORS] is not set to 'true'; exiting WITHOUT deploying ServiceMonitors" - exit + log_info "Environment variable [DEPLOY_SERVICEMONITORS] is not set to 'true'; exiting WITHOUT deploying ServiceMonitors" + exit fi EVENTROUTER_ENABLE=${EVENTROUTER_ENABLE:-true} if [ "$EVENTROUTER_ENABLE" == "true" ]; then - # Eventrouter ServiceMonitor - kubectl apply -n "$LOG_NS" -f monitoring/monitors/kube/podMonitor-eventrouter.yaml + # Eventrouter ServiceMonitor + kubectl apply -n "$LOG_NS" -f monitoring/monitors/kube/podMonitor-eventrouter.yaml fi ELASTICSEARCH_ENABLE=${ELASTICSEARCH_ENABLE:-true} if [ "$ELASTICSEARCH_ENABLE" == "true" ]; then - # Elasticsearch ServiceMonitor - kubectl apply -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml + # Elasticsearch ServiceMonitor + kubectl apply -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml fi FLUENT_BIT_ENABLED=${FLUENT_BIT_ENABLED:-true} if [ "$FLUENT_BIT_ENABLED" == "true" ]; then - # Fluent Bit ServiceMonitors - kubectl apply -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml + # Fluent Bit ServiceMonitors + kubectl apply -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml fi log_info "ServiceMonitors have been deployed." diff --git a/logging/bin/offboard.sh b/logging/bin/offboard.sh index bf7e3ac0..6d4f39ad 100755 --- a/logging/bin/offboard.sh +++ b/logging/bin/offboard.sh 
@@ -12,73 +12,69 @@ source logging/bin/rbac-include.sh this_script=$(basename "$0") - function show_usage { - log_message "Usage: $this_script --namespace NAMESPACE [--tenant TENANT] [OPTIONS]" - log_message "" - log_message "'Offboards' either the specified SAS Viya deployment (namespace) or the specified tenant within that deployment. This removes the ability to limit admins to the SAS Viya deployment (or a single tenant within a given deployment)." - log_message "The offboarding process deletes the security access controls and the associated OpenSearch Dashboards tenant space (including any saved OpenSearch Dashboards content (e.g. visualizations, dashboards, etc.)." - log_message "" - log_message " Arguments:" - log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to which access should be removed." - log_message " -t, --tenant TENANT - (Optional) The tenant within the specific SAS Viya deployment/Kubernetes Namespace to which access should be removed." - log_message "" - #log_message " Options:" - #log_message "" + log_message "Usage: $this_script --namespace NAMESPACE [--tenant TENANT] [OPTIONS]" + log_message "" + log_message "'Offboards' either the specified SAS Viya deployment (namespace) or the specified tenant within that deployment. This removes the ability to limit admins to the SAS Viya deployment (or a single tenant within a given deployment)." + log_message "The offboarding process deletes the security access controls and the associated OpenSearch Dashboards tenant space (including any saved OpenSearch Dashboards content (e.g. visualizations, dashboards, etc.)." + log_message "" + log_message " Arguments:" + log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to which access should be removed." + log_message " -t, --tenant TENANT - (Optional) The tenant within the specific SAS Viya deployment/Kubernetes Namespace to which access should be removed." 
+ log_message "" + #log_message " Options:" + #log_message "" } - # set flag indicating wrapper/driver script being run export LOGGING_DRIVER=true - # #Handle arguments and parameters # POS_PARMS="" while (( "$#" )); do - case "$1" in - -ns|--namespace) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - namespace=$2 - shift 2 - else - log_error "A value for parameter [NAMESPACE] has not been provided." >&2 - show_usage - exit 2 - fi - ;; - -t|--tenant) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - tenant=$2 - shift 2 - else - log_error "A value for parameter [TENANT] has not been provided." >&2 - show_usage - exit 2 - fi - ;; - -h|--help) - show_usage - exit - ;; - --*=|-*) # unsupported flags - log_error "Unsupported flag $1" >&2 - show_usage - exit 1 - ;; - *) # preserve positional arguments - POS_PARMS="$POS_PARMS $1" - shift - ;; - esac + case "$1" in + -ns | --namespace) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + namespace=$2 + shift 2 + else + log_error "A value for parameter [NAMESPACE] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -t | --tenant) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + tenant=$2 + shift 2 + else + log_error "A value for parameter [TENANT] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -h | --help) + show_usage + exit + ;; + --*= | -*) # unsupported flags + log_error "Unsupported flag $1" >&2 + show_usage + exit 1 + ;; + *) # preserve positional arguments + POS_PARMS="$POS_PARMS $1" + shift + ;; + esac done # set positional arguments in their proper place eval set -- "$POS_PARMS" - # No positional parameters are supported if [ "$#" -ge 1 ]; then log_error "Unexpected additional arguments were found; exiting." 
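Review bot: `eval set -- "$POS_PARMS"` in offboard.sh re-parses every leftover argument as shell code, so a non-flag argument carrying a command substitution or a `;` is executed with the caller's privileges before the "Unexpected additional arguments" check runs. POS_PARMS is only used to restore the positional parameters, so an array avoids the second parse: `POS_PARMS=()`, `POS_PARMS+=("$1")` in the `*)` arm, and `set -- "${POS_PARMS[@]}"`. The same construct appears in the offboard.sh hunk of PATCH 03 and in the onboard.sh hunk. The `if [ "$#" -ge 1 ]` block that follows continues outside this hunk.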
@@ -87,38 +83,38 @@ if [ "$#" -ge 1 ]; then fi # Convert namespace and tenant to all lower-case -namespace=$(echo "$namespace"| tr '[:upper:]' '[:lower:]') -tenant=$(echo "$tenant"| tr '[:upper:]' '[:lower:]') +namespace=$(echo "$namespace" | tr '[:upper:]' '[:lower:]') +tenant=$(echo "$tenant" | tr '[:upper:]' '[:lower:]') # validation of input args if [ "$namespace" == "global" ]; then - log_error "Invalid namespace value specified; you can NOT offboard the [global] namespace." - exit 1 + log_error "Invalid namespace value specified; you can NOT offboard the [global] namespace." + exit 1 fi validateNamespace "$namespace" if [ -n "$tenant" ]; then - validateTenantID "$tenant" + validateTenantID "$tenant" - nst="${namespace}_${tenant}" - index_nst="${namespace}-__${tenant}__" + nst="${namespace}_${tenant}" + index_nst="${namespace}-__${tenant}__" else - nst="$namespace" - # shellcheck disable=SC2034 - index_nst="${namespace}" + nst="$namespace" + # shellcheck disable=SC2034 + index_nst="${namespace}" fi # OpenSearch Dashboards tenant space ktenant=$nst if [ -n "$tenant" ]; then - tenant_description="An OpenSearch Dashboards tenant space for tenant [$tenant] within SAS Viya deployment (namespace) [$namespace]." - log_notice "Offboarding tenant [$tenant] within namespace [$namespace] [$(date)]" + tenant_description="An OpenSearch Dashboards tenant space for tenant [$tenant] within SAS Viya deployment (namespace) [$namespace]." + log_notice "Offboarding tenant [$tenant] within namespace [$namespace] [$(date)]" else - # shellcheck disable=SC2034 - tenant_description="An OpenSearch Dashboards tenant space for SAS Viya deployment (namespace) [$namespace]." - log_notice "Offboarding namespace [$namespace] [$(date)]" + # shellcheck disable=SC2034 + tenant_description="An OpenSearch Dashboards tenant space for SAS Viya deployment (namespace) [$namespace]." + log_notice "Offboarding namespace [$namespace] [$(date)]" fi # 
@@ -136,34 +132,34 @@ get_sec_api_url # Delete OpenSearch Dashboards tenant space (if it exists) if kibana_tenant_exists "$ktenant"; then - delete_kibana_tenant "$ktenant" - rc=$? - if [ "$rc" == "0" ]; then - add_notice " " - add_notice " The OpenSearch Dashboards tenant space [$ktenant] has been deleted. " - add_notice " " - else - log_error "Problems were encountered while attempting to delete tenant space [$ktenant]." - exit 1 - fi + delete_kibana_tenant "$ktenant" + rc=$? + if [ "$rc" == "0" ]; then + add_notice " " + add_notice " The OpenSearch Dashboards tenant space [$ktenant] has been deleted. " + add_notice " " + else + log_error "Problems were encountered while attempting to delete tenant space [$ktenant]." + exit 1 + fi else - log_warn "The OpenSearch Dashboards tenant space [$ktenant] does not exist and, therefore, could not be deleted." + log_warn "The OpenSearch Dashboards tenant space [$ktenant] does not exist and, therefore, could not be deleted." fi # Delete ES index containing tenant content -kibana_index_name=".kibana_*_$(echo "$ktenant"|tr -d _)" -response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/$kibana_index_name" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) +kibana_index_name=".kibana_*_$(echo "$ktenant" | tr -d _)" +response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/$kibana_index_name" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) if [[ $response == 2* ]]; then - log_info "Deleted index [$kibana_index_name]. [$response]" + log_info "Deleted index [$kibana_index_name]. [$response]" else - log_warn "There was an issue deleting the index [$kibana_index_name] holding content related to OpenSearch Dashboards tenant space [$ktenant]. You may need to manually delete this index. [$response]" + log_warn "There was an issue deleting the index [$kibana_index_name] holding content related to OpenSearch Dashboards tenant space [$ktenant]. You may need to manually delete this index. 
[$response]" fi -response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/${kibana_index_name}_*" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) +response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "${es_api_url}/${kibana_index_name}_*" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) if [[ $response == 2* ]]; then - log_info "Deleted index [${kibana_index_name}_*]. [$response]" + log_info "Deleted index [${kibana_index_name}_*]. [$response]" else - log_warn "There was an issue deleting the index [${kibana_index_name}_*] holding content related to OpenSearch Dashboards tenant space [$ktenant]. You may need to manually delete this index. [$response]" + log_warn "There was an issue deleting the index [${kibana_index_name}_*] holding content related to OpenSearch Dashboards tenant space [$ktenant]. You may need to manually delete this index. [$response]" fi @@ -173,8 +169,8 @@ fi # Delete Grafana Datasource utility user (if exists) grfds_user="${nst}_grafana_ds" if user_exists "$grfds_user"; then - log_verbose "Removing the [$grfds_user] utility account." - delete_user "$grfds_user" + log_verbose "Removing the [$grfds_user] utility account." + delete_user "$grfds_user" fi # Reminder that users are not deleted @@ -182,7 +178,7 @@ add_notice " " add_notice " The off-boarding process does NOT remove any users. If there " add_notice " are users which are no longer needed after off-boarding the " if [ -n "$tenant" ]; then - add_notice " tenant [$tenant] within the " + add_notice " tenant [$tenant] within the " fi add_notice " SAS Viya deployment/namespace of [$namespace] " add_notice " you must delete those users manually, either through the " 
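Review bot: Both index DELETE calls in offboard.sh pass the admin account as `--user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD"` on curl's command line together with `--insecure`. The password can therefore be visible to anything able to read process arguments while the request runs, and the server certificate is never checked before the credentials are sent. I would verify the endpoint with `--cacert "<CA_BUNDLE_PATH>"` (placeholder path) instead of `--insecure`, and supply the credentials on stdin through `--config -` rather than `--user`. The targets are wildcards (`.kibana_*_…` and `…_*`), so a comment stating which indices the pattern is expected to match would help anyone auditing a deletion later.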
@@ -199,7 +195,7 @@ echo "" # Exit with an overall success/failure message if [ -n "$tenant" ]; then - log_notice "Successfully offboarded tenant [$tenant] within namespace [$namespace] [$(date)]" + log_notice "Successfully offboarded tenant [$tenant] within namespace [$namespace] [$(date)]" else - log_notice "Successfully offboarded namespace [$namespace] [$(date)]" + log_notice "Successfully offboarded namespace [$namespace] [$(date)]" fi From ed6308c01bb85f4db009b687bc2c9396b347df1b Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Fri, 22 Aug 2025 16:39:30 -0400 Subject: [PATCH 03/10] Linting: shfmt (2) --- logging/bin/deploy_logging_azmonitor.sh | 2 +- logging/bin/offboard.sh | 87 ++- logging/bin/onboard.sh | 262 +++++---- logging/bin/remove_eventrouter.sh | 15 +- logging/bin/remove_logging_azmonitor.sh | 45 +- .../bin/remove_servicemonitors_openshift.sh | 16 +- logging/bin/security_create_rbac.sh | 176 +++--- logging/bin/security_delete_rbac.sh | 99 ++-- logging/bin/user.sh | 519 +++++++++--------- 9 files changed, 596 insertions(+), 625 deletions(-) diff --git a/logging/bin/deploy_logging_azmonitor.sh b/logging/bin/deploy_logging_azmonitor.sh index ce6497c5..6a6ca164 100755 --- a/logging/bin/deploy_logging_azmonitor.sh +++ b/logging/bin/deploy_logging_azmonitor.sh @@ -11,7 +11,7 @@ source logging/bin/common.sh tmpfile=$TMP_DIR/output.txt rm -f tmpfile -if [ "$(kubectl get ns "$LOG_NS" -o name 2>/dev/null)" == "" ]; then +if [ "$(kubectl get ns "$LOG_NS" -o name 2> /dev/null)" == "" ]; then kubectl create ns "$LOG_NS" fi diff --git a/logging/bin/offboard.sh b/logging/bin/offboard.sh index 6d4f39ad..dd73b60f 100755 --- a/logging/bin/offboard.sh +++ b/logging/bin/offboard.sh 
@@ -13,17 +13,17 @@ source logging/bin/rbac-include.sh this_script=$(basename "$0") function show_usage { - log_message "Usage: $this_script --namespace NAMESPACE [--tenant TENANT] [OPTIONS]" - log_message "" - log_message "'Offboards' either the specified SAS Viya deployment (namespace) or the specified tenant within that deployment. This removes the ability to limit admins to the SAS Viya deployment (or a single tenant within a given deployment)." - log_message "The offboarding process deletes the security access controls and the associated OpenSearch Dashboards tenant space (including any saved OpenSearch Dashboards content (e.g. visualizations, dashboards, etc.)." - log_message "" - log_message " Arguments:" - log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to which access should be removed." - log_message " -t, --tenant TENANT - (Optional) The tenant within the specific SAS Viya deployment/Kubernetes Namespace to which access should be removed." - log_message "" - #log_message " Options:" - #log_message "" + log_message "Usage: $this_script --namespace NAMESPACE [--tenant TENANT] [OPTIONS]" + log_message "" + log_message "'Offboards' either the specified SAS Viya deployment (namespace) or the specified tenant within that deployment. This removes the ability to limit admins to the SAS Viya deployment (or a single tenant within a given deployment)." + log_message "The offboarding process deletes the security access controls and the associated OpenSearch Dashboards tenant space (including any saved OpenSearch Dashboards content (e.g. visualizations, dashboards, etc.)." + log_message "" + log_message " Arguments:" + log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to which access should be removed." + log_message " -t, --tenant TENANT - (Optional) The tenant within the specific SAS Viya deployment/Kubernetes Namespace to which access should be removed." 
+ log_message "" + #log_message " Options:" + #log_message "" } # set flag indicating wrapper/driver script being run @@ -34,41 +34,41 @@ export LOGGING_DRIVER=true # POS_PARMS="" -while (( "$#" )); do +while (("$#")); do case "$1" in - -ns | --namespace) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - namespace=$2 - shift 2 - else - log_error "A value for parameter [NAMESPACE] has not been provided." >&2 - show_usage - exit 2 - fi - ;; - -t | --tenant) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - tenant=$2 - shift 2 - else - log_error "A value for parameter [TENANT] has not been provided." >&2 - show_usage - exit 2 - fi - ;; - -h | --help) + -ns | --namespace) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + namespace=$2 + shift 2 + else + log_error "A value for parameter [NAMESPACE] has not been provided." >&2 show_usage - exit - ;; - --*= | -*) # unsupported flags - log_error "Unsupported flag $1" >&2 + exit 2 + fi + ;; + -t | --tenant) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + tenant=$2 + shift 2 + else + log_error "A value for parameter [TENANT] has not been provided." >&2 show_usage - exit 1 - ;; - *) # preserve positional arguments - POS_PARMS="$POS_PARMS $1" - shift - ;; + exit 2 + fi + ;; + -h | --help) + show_usage + exit + ;; + --*= | -*) # unsupported flags + log_error "Unsupported flag $1" >&2 + show_usage + exit 1 + ;; + *) # preserve positional arguments + POS_PARMS="$POS_PARMS $1" + shift + ;; esac done @@ -162,7 +162,6 @@ else log_warn "There was an issue deleting the index [${kibana_index_name}_*] holding content related to OpenSearch Dashboards tenant space [$ktenant]. You may need to manually delete this index. [$response]" fi - # Delete access controls ./logging/bin/security_delete_rbac.sh "$namespace" "$tenant" diff --git a/logging/bin/onboard.sh b/logging/bin/onboard.sh index 7beab11f..014cb78a 100755 --- a/logging/bin/onboard.sh +++ b/logging/bin/onboard.sh 
@@ -12,24 +12,22 @@ source logging/bin/rbac-include.sh this_script=$(basename "$0") - function show_usage { - log_message "Usage: $this_script --namespace NAMESPACE [--tenant TENANT] [OPTIONS]" - log_message "" - log_message "'Onboards' a SAS Viya deployment (namespace) or a specific tenant within that deployment. This process allows admins responsible for a SAS Viya deployment (or a single tenant within a given deployment) to work with log messages collected from the deployment (or tenant within the deployment)." - log_message "The onboarding process creates the security access controls and, optionally, an initial user granted access. In addition, an OpenSearch Dashboards tenant space is created and populated with an initial set of OpenSearch Dashboards content (e.g. visualizations, dashboards, etc.)." - log_message "" - log_message " Arguments:" - log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to 'on-board' or the namespace in which the tenant to 'on-board' resides." - log_message " -t, --tenant TENANT - (Optional) The tenant within the specified SAS Viya deployment/Kubernetes Namespace to 'on-board'." - log_message "" - log_message " Options:" - log_message " -u, --user [USER] - Create an initial user with access to this OpenSearch Dashboards tenant space. User name is optional, by default its name will combine the OpenSearch Dashboards tenant space name with '_admin'." - log_message " -p, --password PASSWORD - Password for the initial user." - log_message "" + log_message "Usage: $this_script --namespace NAMESPACE [--tenant TENANT] [OPTIONS]" + log_message "" + log_message "'Onboards' a SAS Viya deployment (namespace) or a specific tenant within that deployment. This process allows admins responsible for a SAS Viya deployment (or a single tenant within a given deployment) to work with log messages collected from the deployment (or tenant within the deployment)." 
+ log_message "The onboarding process creates the security access controls and, optionally, an initial user granted access. In addition, an OpenSearch Dashboards tenant space is created and populated with an initial set of OpenSearch Dashboards content (e.g. visualizations, dashboards, etc.)." + log_message "" + log_message " Arguments:" + log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to 'on-board' or the namespace in which the tenant to 'on-board' resides." + log_message " -t, --tenant TENANT - (Optional) The tenant within the specified SAS Viya deployment/Kubernetes Namespace to 'on-board'." + log_message "" + log_message " Options:" + log_message " -u, --user [USER] - Create an initial user with access to this OpenSearch Dashboards tenant space. User name is optional, by default its name will combine the OpenSearch Dashboards tenant space name with '_admin'." + log_message " -p, --password PASSWORD - Password for the initial user." + log_message "" } - # set flag indicating wrapper/driver script being run export LOGGING_DRIVER=true 
@@ -41,69 +39,68 @@ createuser=false # POS_PARMS="" -while (( "$#" )); do - case "$1" in - -ns|--namespace) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - namespace=$2 - shift 2 - else - log_error "A value for parameter [NAMESPACE] has not been provided." >&2 +while (("$#")); do + case "$1" in + -ns | --namespace) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + namespace=$2 + shift 2 + else + log_error "A value for parameter [NAMESPACE] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -t | --tenant) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + tenant=$2 + shift 2 + else + log_error "A value for parameter [TENANT] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -u | --user) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + createuser=true + inituser=$2 + shift 2 + else + # no initial user name provided, assign default name + createuser=true + shift 1 + fi + ;; + -p | --password) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + initpasswd=$2 + shift 2 + else + log_error "A value for parameter [PASSWORD] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -h | --help) show_usage - exit 2 - fi - ;; - -t|--tenant) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - tenant=$2 - shift 2 - else - log_error "A value for parameter [TENANT] has not been provided." >&2 + exit + ;; + -* | --*=) # unsupported flags + log_error "Unsupported flag $1" >&2 show_usage - exit 2 - fi - ;; - -u|--user) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - createuser=true - inituser=$2 - shift 2 - else - # no initial user name provided, assign default name - createuser=true - shift 1 - fi - ;; - -p|--password) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - initpasswd=$2 - shift 2 - else - log_error "A value for parameter [PASSWORD] has not been provided." 
>&2 - show_usage - exit 2 - fi - ;; - -h|--help) - show_usage - exit - ;; - -*|--*=) # unsupported flags - log_error "Unsupported flag $1" >&2 - show_usage - exit 1 - ;; + exit 1 + ;; *) # preserve positional arguments - POS_PARMS="$POS_PARMS $1" - shift - ;; - esac + POS_PARMS="$POS_PARMS $1" + shift + ;; + esac done # set positional arguments in their proper place eval set -- "$POS_PARMS" - # No positional parameters (other than ACTION) are supported if [ "$#" -ge 1 ]; then log_error "Unexpected additional arguments were found; exiting." 
@@ -112,37 +109,37 @@ if [ "$#" -ge 1 ]; then fi # Convert namespace and tenant to all lower-case -namespace=$(echo "$namespace"| tr '[:upper:]' '[:lower:]') -tenant=$(echo "$tenant"| tr '[:upper:]' '[:lower:]') +namespace=$(echo "$namespace" | tr '[:upper:]' '[:lower:]') +tenant=$(echo "$tenant" | tr '[:upper:]' '[:lower:]') # validation of input args if [ "$namespace" == "global" ]; then - log_error "Invalid namespace value specified; you can NOT onboard the [global] namespace." - exit 1 + log_error "Invalid namespace value specified; you can NOT onboard the [global] namespace." + exit 1 fi validateNamespace "$namespace" if [ -n "$tenant" ]; then - validateTenantID "$tenant" + validateTenantID "$tenant" - nst="${namespace}_${tenant}" - index_nst="${namespace}-__${tenant}__" + nst="${namespace}_${tenant}" + index_nst="${namespace}-__${tenant}__" else - nst="$namespace" - # shellcheck disable=SC2034 - index_nst="${namespace}" + nst="$namespace" + # shellcheck disable=SC2034 + index_nst="${namespace}" fi #FUTURE: Allow user to specify OpenSearch Dashboards tenant space name? ktenant=$nst if [ -n "$tenant" ]; then - tenant_description="An OpenSearch Dashboards tenant space for tenant [$tenant] within SAS Viya deployment (namespace) [$namespace]." - log_notice "Onboarding tenant [$tenant] within namespace [$namespace] [$(date)]" + tenant_description="An OpenSearch Dashboards tenant space for tenant [$tenant] within SAS Viya deployment (namespace) [$namespace]." + log_notice "Onboarding tenant [$tenant] within namespace [$namespace] [$(date)]" else - tenant_description="An OpenSearch Dashboards tenant space for SAS Viya deployment (namespace) [$namespace]." - log_notice "Onboarding namespace [$namespace] [$(date)]" + tenant_description="An OpenSearch Dashboards tenant space for SAS Viya deployment (namespace) [$namespace]." + log_notice "Onboarding namespace [$namespace] [$(date)]" fi # 
@@ -157,19 +154,19 @@ get_sec_api_url # Create OpenSearch Dashboards tenant space (if it doesn't exist) if ! kibana_tenant_exists "$ktenant"; then - create_kibana_tenant "$ktenant" "$tenant_description" - rc=$? - if [ "$rc" == "0" ]; then - add_notice " " - add_notice " The OpenSearch Dashboards tenant space [$ktenant] was created. " - add_notice " " - else - log_error "Problems were encountered while attempting to create tenant space [$ktenant]." - exit 1 - fi + create_kibana_tenant "$ktenant" "$tenant_description" + rc=$? + if [ "$rc" == "0" ]; then + add_notice " " + add_notice " The OpenSearch Dashboards tenant space [$ktenant] was created. " + add_notice " " + else + log_error "Problems were encountered while attempting to create tenant space [$ktenant]." + exit 1 + fi else - log_error "A OpenSearch Dashboards tenant space [$ktenant] already exists." - exit 1 + log_error "A OpenSearch Dashboards tenant space [$ktenant] already exists." + exit 1 fi # get KIBANA API URL 
@@ -179,22 +176,22 @@ get_kb_api_url ./logging/bin/import_osd_content.sh logging/osd/common "$ktenant" if [ -z "$tenant" ]; then - ./logging/bin/import_osd_content.sh logging/osd/namespace "$ktenant" + ./logging/bin/import_osd_content.sh logging/osd/namespace "$ktenant" else - ./logging/bin/import_osd_content.sh logging/osd/tenant "$ktenant" + ./logging/bin/import_osd_content.sh logging/osd/tenant "$ktenant" fi if [ -d "$USER_DIR/logging/osd" ] && [ "$USER_DIR" != "$(pwd)" ]; then - export IGNORE_NOT_FOUND="true" - ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/common "$ktenant" + export IGNORE_NOT_FOUND="true" + ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/common "$ktenant" - if [ -z "$tenant" ]; then - ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/namespace "$ktenant" - else - ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/tenant "$ktenant" - fi - unset IGNORE_NOT_FOUND + if [ -z "$tenant" ]; then + ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/namespace "$ktenant" + else + ./logging/bin/import_osd_content.sh "$USER_DIR"/logging/osd/tenant "$ktenant" + fi + unset IGNORE_NOT_FOUND fi # Create access controls 
@@ -203,32 +200,31 @@ fi # Create an initial user if [ "$createuser" == "true" ]; then - if [ -z "$inituser" ]; then - inituser="${ktenant}_admin" - - else - log_debug "Initial user name [$inituser] provided." - fi - - if [ -n "$initpasswd" ]; then - passwdarg="-p $initpasswd" - else - passwdarg="" - fi - - if user_exists "$inituser"; then - log_warn "A user with the requested user name of [$inituser] already exists; the initial user account you requested was NOT created." - log_warn "This existing user may have completely different access controls than you intended for the initial user." - log_warn "You can create a new user with the appropriate access controls by calling the logging/bin/user.sh script directly." - else - if [ -z "$tenant" ]; then - ./logging/bin/user.sh CREATE -ns "$namespace" -u "$inituser" "$passwdarg" - else - ./logging/bin/user.sh CREATE -ns "$namespace" -t "$tenant" -u "$inituser" "$passwdarg" - fi - fi + if [ -z "$inituser" ]; then + inituser="${ktenant}_admin" + else + log_debug "Initial user name [$inituser] provided." + fi + + if [ -n "$initpasswd" ]; then + passwdarg="-p $initpasswd" + else + passwdarg="" + fi + + if user_exists "$inituser"; then + log_warn "A user with the requested user name of [$inituser] already exists; the initial user account you requested was NOT created." + log_warn "This existing user may have completely different access controls than you intended for the initial user." + log_warn "You can create a new user with the appropriate access controls by calling the logging/bin/user.sh script directly." + else + if [ -z "$tenant" ]; then + ./logging/bin/user.sh CREATE -ns "$namespace" -u "$inituser" "$passwdarg" + else + ./logging/bin/user.sh CREATE -ns "$namespace" -t "$tenant" -u "$inituser" "$passwdarg" + fi + fi else - log_debug "An initial user will NOT be created." + log_debug "An initial user will NOT be created." fi # Write any "notices" to console 
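Review bot: `"$passwdarg"` reaches user.sh as the single word `-p <password>`, or as an empty-string argument when no password was given, because `passwdarg="-p $initpasswd"` is expanded inside quotes in both `user.sh CREATE` calls. If user.sh parses options the way onboard.sh does (its parser is not in this hunk), the first form would fall into the unsupported-flag arm and the second would be kept as a positional argument. An array keeps both the quoting and the word boundary: `passwdarg=(-p "$initpasswd")`, `passwdarg=()` in the else branch, and `"${passwdarg[@]}"` at the call sites. Separately, the initial password travels on the child's command line; passing it through an environment variable or stdin would keep it out of process listings, if user.sh can accept it that way.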
@@ -241,7 +237,7 @@ echo "" # Exit with an overall success/failure message if [ -n "$tenant" ]; then - log_notice "Successfully onboarded tenant [$tenant] within namespace [$namespace] [$(date)]" + log_notice "Successfully onboarded tenant [$tenant] within namespace [$namespace] [$(date)]" else - log_notice "Successfully onboarded namespace [$namespace] [$(date)]" + log_notice "Successfully onboarded namespace [$namespace] [$(date)]" fi diff --git a/logging/bin/remove_eventrouter.sh b/logging/bin/remove_eventrouter.sh index c109d643..e3873462 100755 --- a/logging/bin/remove_eventrouter.sh +++ b/logging/bin/remove_eventrouter.sh @@ -17,21 +17,16 @@ cp -R logging/eventrouter/eventrouter.yaml "$logDir"/eventrouter.yaml # Replace placeholders log_debug "Replacing logging namespace for files in [$logDir]" - if echo "$OSTYPE" | grep 'darwin' > /dev/null 2>&1; then - sed -i '' "s/__LOG_NS__/$LOG_NS/g" "$logDir"/eventrouter.yaml - else - sed -i "s/__LOG_NS__/$LOG_NS/g" "$logDir"/eventrouter.yaml - fi +v4m_replace "__LOG_NS__" "$LOG_NS" "$logDir"/eventrouter.yaml log_info "Removing Event Router [$(date)]" # Remove existing instance of Event Router in the kube-system namespace (if present). if [[ $V4M_CURRENT_VERSION_FULL =~ 1.0 || $V4M_CURRENT_VERSION_FULL =~ 1.1.[0-2] ]]; then - # Remove existing instance of Event Router in the kube-system namespace (if present). - log_info "Removing instance of Event Router in the kube-system namespace" - kubectl delete --ignore-not-found -f logging/eventrouter/eventrouter_kubesystem.yaml + # Remove existing instance of Event Router in the kube-system namespace (if present). + log_info "Removing instance of Event Router in the kube-system namespace" + kubectl delete --ignore-not-found -f logging/eventrouter/eventrouter_kubesystem.yaml else - kubectl delete --ignore-not-found -f "$logDir"/eventrouter.yaml + kubectl delete --ignore-not-found -f "$logDir"/eventrouter.yaml fi log_debug "Script [$this_script] has completed [$(date)]" - 
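Review bot: In remove_eventrouter.sh the version test `=~ 1.0 || … =~ 1.1.[0-2]` is unanchored and its dots match any character, so a version string such as `2.1.0` (constructed example) also satisfies `1.0` and takes the kube-system branch. In that case the `kubectl delete --ignore-not-found -f "$logDir"/eventrouter.yaml` call is skipped without any message, and Event Router would stay deployed in the logging namespace. Assuming V4M_CURRENT_VERSION_FULL is a dotted version (its format is not shown here), anchoring and escaping pins the intent: `[[ $V4M_CURRENT_VERSION_FULL =~ ^1\.0(\.|$) || $V4M_CURRENT_VERSION_FULL =~ ^1\.1\.[0-2]($|[^0-9]) ]]`. The comment "Remove existing instance of Event Router in the kube-system namespace" appears both above and inside the `if`; the outer copy can be dropped.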
diff --git a/logging/bin/remove_logging_azmonitor.sh b/logging/bin/remove_logging_azmonitor.sh index 9f1df9ca..6dce7e06 100755 --- a/logging/bin/remove_logging_azmonitor.sh +++ b/logging/bin/remove_logging_azmonitor.sh @@ -15,16 +15,15 @@ logging/bin/remove_fluentbit_azmonitor.sh log_info "Removing eventrouter..." logging/bin/remove_eventrouter.sh - if [ "$LOG_DELETE_NAMESPACE_ON_REMOVE" == "true" ]; then - log_info "Deleting the [$LOG_NS] namespace..." - if kubectl delete namespace "$LOG_NS" --timeout "$KUBE_NAMESPACE_DELETE_TIMEOUT"; then - log_info "[$LOG_NS] namespace and logging components successfully removed" - exit 0 - else - log_error "Unable to delete the [$LOG_NS] namespace" - exit 1 - fi + log_info "Deleting the [$LOG_NS] namespace..." + if kubectl delete namespace "$LOG_NS" --timeout "$KUBE_NAMESPACE_DELETE_TIMEOUT"; then + log_info "[$LOG_NS] namespace and logging components successfully removed" + exit 0 + else + log_error "Unable to delete the [$LOG_NS] namespace" + exit 1 + fi fi log_info "Removing components from the [$LOG_NS] namespace..." 
@@ -33,23 +32,21 @@ log_info "Waiting 60 sec for resources to terminate..." sleep 60 log_info "Checking contents of the [$LOG_NS] namespace:" -crds=( secrets all ) +crds=(secrets all) empty="true" -for crd in "${crds[@]}" -do - out=$(kubectl get -n "$LOG_NS" "$crd" 2>&1) - if [[ "$out" =~ 'No resources found' ]]; then - : - else - empty="false" - log_warn "Found [$crd] resources in the [$LOG_NS] namespace:" - echo "$out" - fi +for crd in "${crds[@]}"; do + out=$(kubectl get -n "$LOG_NS" "$crd" 2>&1) + if [[ $out =~ 'No resources found' ]]; then + : + else + empty="false" + log_warn "Found [$crd] resources in the [$LOG_NS] namespace:" + echo "$out" + fi done if [ "$empty" == "true" ]; then - log_info " The [$LOG_NS] namespace is empty and should be safe to delete." + log_info " The [$LOG_NS] namespace is empty and should be safe to delete." else - log_warn " The [$LOG_NS] namespace is not empty." - log_warn " Examine the resources above before deleting the namespace." + log_warn " The [$LOG_NS] namespace is not empty." + log_warn " Examine the resources above before deleting the namespace." fi - diff --git a/logging/bin/remove_servicemonitors_openshift.sh b/logging/bin/remove_servicemonitors_openshift.sh index a9f47159..0b3f45f7 100755 --- a/logging/bin/remove_servicemonitors_openshift.sh +++ b/logging/bin/remove_servicemonitors_openshift.sh 
@@ -14,26 +14,26 @@ log_debug "Script [$this_script] has started [$(date)]" DEPLOY_SERVICEMONITORS=${DEPLOY_SERVICEMONITORS:-false} if [ "$DEPLOY_SERVICEMONITORS" != "true" ]; then - log_info "Environment variable [DEPLOY_SERVICEMONITORS] is not set to 'true'; exiting b/c ServiceMonitors were not deployed." - exit + log_info "Environment variable [DEPLOY_SERVICEMONITORS] is not set to 'true'; exiting b/c ServiceMonitors were not deployed." + exit fi EVENTROUTER_ENABLE=${EVENTROUTER_ENABLE:-true} if [ "$EVENTROUTER_ENABLE" == "true" ]; then - # Eventrouter ServiceMonitor - kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/kube/podMonitor-eventrouter.yaml + # Eventrouter ServiceMonitor + kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/kube/podMonitor-eventrouter.yaml fi ELASTICSEARCH_ENABLE=${ELASTICSEARCH_ENABLE:-true} if [ "$ELASTICSEARCH_ENABLE" == "true" ]; then - # Elasticsearch ServiceMonitor - kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml + # Elasticsearch ServiceMonitor + kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-elasticsearch.yaml fi FLUENT_BIT_ENABLED=${FLUENT_BIT_ENABLED:-true} if [ "$FLUENT_BIT_ENABLED" == "true" ]; then - # Fluent Bit ServiceMonitors - kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml + # Fluent Bit ServiceMonitors + kubectl delete --ignore-not-found -n "$LOG_NS" -f monitoring/monitors/logging/serviceMonitor-fluent-bit-v2.yaml fi log_info "ServiceMonitors have been removed." diff --git a/logging/bin/security_create_rbac.sh b/logging/bin/security_create_rbac.sh index 28cb20c5..367939d8 100755 --- a/logging/bin/security_create_rbac.sh +++ b/logging/bin/security_create_rbac.sh 
@@ -30,16 +30,15 @@ this_script=$(basename "$0") source logging/bin/rbac-include.sh source logging/bin/apiaccess-include.sh - function show_usage { - log_message "Usage: $this_script NAMESPACE [TENANT]" - log_message "" - log_message "Creates access controls (e.g. roles, role-mappings, etc.) to limit access to the specified namespace and, optionally, the specified tenant within that namespace." - log_message "" - log_message " NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace for which access controls should be created" - log_message "" - log_message " TENANT - (Optional) The tenant with the SAS Viya deployment/Kubernetes Namespace for which access controls should be created" - log_message "" + log_message "Usage: $this_script NAMESPACE [TENANT]" + log_message "" + log_message "Creates access controls (e.g. roles, role-mappings, etc.) to limit access to the specified namespace and, optionally, the specified tenant within that namespace." + log_message "" + log_message " NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace for which access controls should be created" + log_message "" + log_message " TENANT - (Optional) The tenant with the SAS Viya deployment/Kubernetes Namespace for which access controls should be created" + log_message "" } #TO DO: Move to named args 
@@ -48,73 +47,73 @@ namespace=${1} tenant=${2} # Convert namespace and tenant to all lower-case -namespace=$(echo "$namespace"| tr '[:upper:]' '[:lower:]') -tenant=$(echo "$tenant"| tr '[:upper:]' '[:lower:]') +namespace=$(echo "$namespace" | tr '[:upper:]' '[:lower:]') +tenant=$(echo "$tenant" | tr '[:upper:]' '[:lower:]') if [ "$namespace" == "_all_" ] && [ "$tenant" == "_all_" ]; then - log_debug "All cluster access RBACs requested" - cluster="true" + log_debug "All cluster access RBACs requested" + cluster="true" else - cluster="false" - log_debug "namespace: $namespace tenant: $tenant" + cluster="false" + log_debug "namespace: $namespace tenant: $tenant" fi create_ktenant_roles=${CREATE_KTENANT_ROLE:-true} if [ "$cluster" == "true" ]; then - # creating cluster-wide RBACs - INDEX_PREFIX=viya_logs - INDEX_NST="*" - ROLENAME=search_index_-ALL- - BE_ROLENAME=V4MCLUSTER_ADMIN_kibana_users - NST="cluster_admins" - BE_GFDS_ROLENAME=V4MCLUSTER_ADMIN_grafana_dsusers - index_role_template="index_role_allcluster.json" - kibana_tenant_role_template="kibana_tenant_clusteradmins_role.json" + # creating cluster-wide RBACs + INDEX_PREFIX=viya_logs + INDEX_NST="*" + ROLENAME=search_index_-ALL- + BE_ROLENAME=V4MCLUSTER_ADMIN_kibana_users + NST="cluster_admins" + BE_GFDS_ROLENAME=V4MCLUSTER_ADMIN_grafana_dsusers + index_role_template="index_role_allcluster.json" + kibana_tenant_role_template="kibana_tenant_clusteradmins_role.json" else - # creating namespace or tenant limited RBACs - if [ -z "$namespace" ]; then - log_error "Required argument NAMESPACE not specified" - echo "" - show_usage - exit 1 - elif [[ "$namespace" =~ -H|--HELP|-h|--help ]]; then - show_usage - exit - fi - - validateNamespace "$namespace" - - if [[ "$tenant" =~ -H|--HELP|-h|--help ]]; then - show_usage - exit - elif [ -n "$tenant" ]; then - - validateTenantID "$tenant" - - NST="${namespace}_${tenant}" - INDEX_NST="${namespace}-__${tenant}__" - else - NST="$namespace" - INDEX_NST="${namespace}" - fi - - if 
[ -n "$tenant" ]; then - log_notice "Creating access controls for tenant [$tenant] within namespace [$namespace] [$(date)]" - else - log_notice "Creating access controls for namespace [$namespace] [$(date)]" - fi - - INDEX_PREFIX=viya_logs - ROLENAME=search_index_$NST - BE_ROLENAME=${NST}_kibana_users - BE_GFDS_ROLENAME=${NST}_grafana_dsusers - index_role_template="index_role.json" - kibana_tenant_role_template="kibana_tenant_limited_role.json" - - log_debug "NST: $NST TENANT: $tenant NAMESPACE: $namespace ROLENAME: $ROLENAME" + # creating namespace or tenant limited RBACs + if [ -z "$namespace" ]; then + log_error "Required argument NAMESPACE not specified" + echo "" + show_usage + exit 1 + elif [[ $namespace =~ -H|--HELP|-h|--help ]]; then + show_usage + exit + fi + + validateNamespace "$namespace" + + if [[ $tenant =~ -H|--HELP|-h|--help ]]; then + show_usage + exit + elif [ -n "$tenant" ]; then + + validateTenantID "$tenant" + + NST="${namespace}_${tenant}" + INDEX_NST="${namespace}-__${tenant}__" + else + NST="$namespace" + INDEX_NST="${namespace}" + fi + + if [ -n "$tenant" ]; then + log_notice "Creating access controls for tenant [$tenant] within namespace [$namespace] [$(date)]" + else + log_notice "Creating access controls for namespace [$namespace] [$(date)]" + fi + + INDEX_PREFIX=viya_logs + ROLENAME=search_index_$NST + BE_ROLENAME=${NST}_kibana_users + BE_GFDS_ROLENAME=${NST}_grafana_dsusers + index_role_template="index_role.json" + kibana_tenant_role_template="kibana_tenant_limited_role.json" + + log_debug "NST: $NST TENANT: $tenant NAMESPACE: $namespace ROLENAME: $ROLENAME" fi 
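Review bot: The help test `[[ $namespace =~ -H|--HELP|-h|--help ]]` (and the identical test on `$tenant`) is an unanchored regex, so any value that merely contains `-h` (a constructed example is `viya-hr`) prints the usage text and exits with status 0 without creating any access controls. Both values are lower-cased earlier in this hunk, so the `-H` and `--HELP` alternatives can never match. Anchoring the pattern fixes both problems: `elif [[ $namespace =~ ^(-h|--help)$ ]]; then` and `if [[ $tenant =~ ^(-h|--help)$ ]]; then`.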
@@ -122,29 +121,26 @@ fi cp logging/opensearch/rbac "$TMP_DIR" -r # Replace PLACEHOLDERS -sed -i'.bak' "s/xxIDXPREFIXxx/$INDEX_PREFIX/g" "$TMP_DIR"/rbac/*.json # IDXPREFIX -sed -i'.bak' "s/xxNAMESPACExx/$namespace/g" "$TMP_DIR"/rbac/*.json # NAMESPACE -sed -i'.bak' "s/xxTENANTxx/$tenant/g" "$TMP_DIR"/rbac/*.json # TENANT -sed -i'.bak' "s/xxIDXNSTxx/$INDEX_NST/g" "$TMP_DIR"/rbac/*.json # NAMESPACE|NAMESPACE-__TENANT__ (used in index names) -sed -i'.bak' "s/xxNSTxx/$NST/g" "$TMP_DIR"/rbac/*.json # NAMESPACE|NAMESPACE_TENANT (used in RBAC names) - +sed -i'.bak' "s/xxIDXPREFIXxx/$INDEX_PREFIX/g" "$TMP_DIR"/rbac/*.json # IDXPREFIX +sed -i'.bak' "s/xxNAMESPACExx/$namespace/g" "$TMP_DIR"/rbac/*.json # NAMESPACE +sed -i'.bak' "s/xxTENANTxx/$tenant/g" "$TMP_DIR"/rbac/*.json # TENANT +sed -i'.bak' "s/xxIDXNSTxx/$INDEX_NST/g" "$TMP_DIR"/rbac/*.json # NAMESPACE|NAMESPACE-__TENANT__ (used in index names) +sed -i'.bak' "s/xxNSTxx/$NST/g" "$TMP_DIR"/rbac/*.json # NAMESPACE|NAMESPACE_TENANT (used in RBAC names) # get admin credentials # shellcheck disable=SC2155 -export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) +export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" | base64 --decode) # shellcheck disable=SC2155 -export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) - +export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" | base64 --decode) # Get Security API URL get_sec_api_url if [ -z "$sec_api_url" ]; then - log_error "Unable to determine URL to access security API endpoint" - exit 1 + log_error "Unable to determine URL to access security API endpoint" + exit 1 fi - #index user (controls access to indexes) ensure_role_exists "$ROLENAME" "$TMP_DIR"/rbac/$index_role_template add_rolemapping "$ROLENAME" "$BE_ROLENAME" 
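Review bot: The `export ES_ADMIN_USER=$(...)` and `export ES_ADMIN_PASSWD=$(...)` lines keep `# shellcheck disable=SC2155` rather than fixing what it warns about: `export` returns 0 even when `kubectl` or `base64` fails, so the script continues with empty admin credentials and the failure only shows up later as a rejected security-API call. Split each into a plain assignment, a check such as `[ -n "$ES_ADMIN_PASSWD" ] || { log_error "Unable to read admin credentials from [$LOG_NS]"; exit 1; }`, and a separate `export ES_ADMIN_PASSWD`. The same pattern is repeated in the security_delete_rbac.sh hunk and in the later user.sh hunk. If the helpers that consume these values are sourced rather than executed (not visible here), dropping the `export` would also keep the admin password out of the environment of every child process.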
@@ -154,12 +150,11 @@ ensure_role_exists v4m_grafana_dsuser "$TMP_DIR"/rbac/v4m_grafana_dsuser_role.js add_rolemapping v4m_grafana_dsuser "$BE_GFDS_ROLENAME" null add_rolemapping "$ROLENAME" "$BE_GFDS_ROLENAME" - #tenant role (controls access to Kibanas tenant spaces) if [ "$create_ktenant_roles" == "true" ]; then - ensure_role_exists tenant_"${NST}" "$TMP_DIR"/rbac/$kibana_tenant_role_template - add_rolemapping tenant_"${NST}" "$BE_ROLENAME" + ensure_role_exists tenant_"${NST}" "$TMP_DIR"/rbac/$kibana_tenant_role_template + add_rolemapping tenant_"${NST}" "$BE_ROLENAME" fi @@ -170,22 +165,21 @@ add_rolemapping v4m_kibana_user "$BE_ROLENAME" null log_notice "Access controls created [$(date)]" echo "" -add_notice "Assign users the back-end role of [${BE_ROLENAME}] to" -add_notice "grant them access to OpenSearch Dashboards and log messages from" +add_notice "Assign users the back-end role of [${BE_ROLENAME}] to" +add_notice "grant them access to OpenSearch Dashboards and log messages from" if [ "$cluster" == "true" ]; then - add_notice "ALL tenants and ALL namespaces" + add_notice "ALL tenants and ALL namespaces" elif [ -n "$tenant" ]; then - add_notice "ONLY the [$tenant] tenant within the [$namespace] namespace" + add_notice "ONLY the [$tenant] tenant within the [$namespace] namespace" else - add_notice "ONLY the [$namespace] namespace." + add_notice "ONLY the [$namespace] namespace." fi LOGGING_DRIVER=${LOGGING_DRIVER:-false} if [ "$LOGGING_DRIVER" != "true" ]; then - echo "" - log_notice "=================================================================================" - display_notices - log_notice "=================================================================================" - echo "" + echo "" + log_notice "=================================================================================" + display_notices + log_notice "=================================================================================" + echo "" fi - 
diff --git a/logging/bin/security_delete_rbac.sh b/logging/bin/security_delete_rbac.sh index 1d291569..f1b2c97f 100755 --- a/logging/bin/security_delete_rbac.sh +++ b/logging/bin/security_delete_rbac.sh 
@@ -33,89 +33,89 @@ namespace=${1} tenant=${2} if [ -z "$namespace" ]; then - log_error "Required argument NAMESPACE not specified" - log_message "" - log_message "Usage: $this_script NAMESPACE" - log_message "" - log_message "Deletes access control artifacts (e.g. roles, role-mappings, etc.) previously created to limit access to the specified namespace." - log_message "" - log_message " NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace for which access controls should be deleted" - log_message " TENANT - (Optional) The tenant with the SAS Viya deployment/Kubernetes Namespace for which access controls should be created" - log_message "" - - exit 1 + log_error "Required argument NAMESPACE not specified" + log_message "" + log_message "Usage: $this_script NAMESPACE" + log_message "" + log_message "Deletes access control artifacts (e.g. roles, role-mappings, etc.) previously created to limit access to the specified namespace." + log_message "" + log_message " NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace for which access controls should be deleted" + log_message " TENANT - (Optional) The tenant with the SAS Viya deployment/Kubernetes Namespace for which access controls should be created" + log_message "" + + exit 1 fi # Convert namespace and tenant to all lower-case -namespace=$(echo "$namespace"| tr '[:upper:]' '[:lower:]') -tenant=$(echo "$tenant"| tr '[:upper:]' '[:lower:]') +namespace=$(echo "$namespace" | tr '[:upper:]' '[:lower:]') +tenant=$(echo "$tenant" | tr '[:upper:]' '[:lower:]') if [ "$namespace" == "_all_" ] && [ "$tenant" == "_all_" ]; then - log_debug "Deleting of All cluster access RBACs requested" - cluster="true" + log_debug "Deleting of All cluster access RBACs requested" + cluster="true" else - cluster="false" + cluster="false" fi if [ "$cluster" == "true" ]; then - # deleting cluster-wide RBACs - ROLENAME="search_index_-ALL-" - BACKENDROLE="V4MCLUSTER_ADMIN_kibana_users" - 
GFDS_BACKENDROLE="V4MCLUSTER_ADMIN_grafana_dsusers" - NST="cluster_admins" + # deleting cluster-wide RBACs + ROLENAME="search_index_-ALL-" + BACKENDROLE="V4MCLUSTER_ADMIN_kibana_users" + GFDS_BACKENDROLE="V4MCLUSTER_ADMIN_grafana_dsusers" + NST="cluster_admins" else - # deleting namespace or tenant limited RBACs - validateNamespace "$namespace" + # deleting namespace or tenant limited RBACs + validateNamespace "$namespace" - if [ -n "$tenant" ]; then - validateTenantID "$tenant" + if [ -n "$tenant" ]; then + validateTenantID "$tenant" - NST="${namespace}_${tenant}" + NST="${namespace}_${tenant}" - log_notice "Deleting access controls for the [$tenant] tenant within the namespace [$namespace] [$(date)]" + log_notice "Deleting access controls for the [$tenant] tenant within the namespace [$namespace] [$(date)]" - else - NST="$namespace" - log_notice "Deleting access controls for namespace [$namespace] [$(date)]" - fi + else + NST="$namespace" + log_notice "Deleting access controls for namespace [$namespace] [$(date)]" + fi - ROLENAME="search_index_$NST" - BACKENDROLE="${NST}_kibana_users" - GFDS_BACKENDROLE="${NST}_grafana_dsusers" + ROLENAME="search_index_$NST" + BACKENDROLE="${NST}_kibana_users" + GFDS_BACKENDROLE="${NST}_grafana_dsusers" - log_debug "NAMESPACE: $namespace TENANT: $tenant ROLENAME: $ROLENAME BACKENDROLE: $BACKENDROLE GFDS_BACKENDROLE: $GFDS_BACKENDROLE" + log_debug "NAMESPACE: $namespace TENANT: $tenant ROLENAME: $ROLENAME BACKENDROLE: $BACKENDROLE GFDS_BACKENDROLE: $GFDS_BACKENDROLE" fi # get admin credentials # shellcheck disable=SC2155 -export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) +export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" | base64 --decode) # shellcheck disable=SC2155 -export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) +export 
ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" | base64 --decode) # Get Security API URL get_sec_api_url if [ -z "$sec_api_url" ]; then - log_error "Unable to determine URL to access security API endpoint" - exit 1 + log_error "Unable to determine URL to access security API endpoint" + exit 1 fi # handle $ROLENAME if role_exists "$ROLENAME"; then - delete_rolemappings "$ROLENAME" - delete_role "$ROLENAME" + delete_rolemappings "$ROLENAME" + delete_role "$ROLENAME" - # handle tenant_$NST - delete_rolemappings tenant_"${NST}" - delete_role tenant_"${NST}" + # handle tenant_$NST + delete_rolemappings tenant_"${NST}" + delete_role tenant_"${NST}" else - log_verbose "The role [$ROLENAME] does not exist; nothing to delete" + log_verbose "The role [$ROLENAME] does not exist; nothing to delete" fi # handle KIBANA_USER -remove_rolemapping kibana_user "$BACKENDROLE" # Needed for RBACs created prior to MT support (should be no-op for post MT RBACs) +remove_rolemapping kibana_user "$BACKENDROLE" # Needed for RBACs created prior to MT support (should be no-op for post MT RBACs) remove_rolemapping v4m_kibana_user "$BACKENDROLE" # handle Grafana Data Source user 
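Review bot: The usage text printed when NAMESPACE is missing does not match what the script accepts: `log_message "Usage: $this_script NAMESPACE"` omits the optional second argument that `tenant=${2}` reads, and the TENANT line says access controls "should be created" in a script that deletes them. Suggested wording is `log_message "Usage: $this_script NAMESPACE [TENANT]"`, with the TENANT line ending in "for which access controls should be deleted". Since the arguments decide which roles and role mappings are removed, the description line should also say that the tenant is optional and narrows the deletion to that tenant.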
@@ -124,10 +124,9 @@ remove_rolemapping v4m_grafana_dsuser "$GFDS_BACKENDROLE" log_notice "Access controls deleted [$(date)]" echo "" if [ "$cluster" == "true" ]; then - log_verbose "You may want to consider deleting users whose *only* role(s) were 'V4MCLUSTER_ADMIN_kibana_users' and/or 'search_index_-ALL-'" + log_verbose "You may want to consider deleting users whose *only* role(s) were 'V4MCLUSTER_ADMIN_kibana_users' and/or 'search_index_-ALL-'" elif [ -n "$tenant" ]; then - log_notice "You should delete any users whose only purpose was to access log messages from the [$tenant] tenant within the [$namespace] namespace " + log_notice "You should delete any users whose only purpose was to access log messages from the [$tenant] tenant within the [$namespace] namespace " else - log_notice "You should delete any users whose only purpose was to access log messages from the [$namespace] namespace " + log_notice "You should delete any users whose only purpose was to access log messages from the [$namespace] namespace " fi - diff --git a/logging/bin/user.sh b/logging/bin/user.sh index 31373726..07310da9 100755 --- a/logging/bin/user.sh +++ b/logging/bin/user.sh @@ -1,10 +1,8 @@ #!/bin/bash - # Copyright © 2020, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 - cd "$(dirname "$BASH_SOURCE")/../.." source logging/bin/common.sh this_script=$(basename "$0") 
@@ -13,105 +11,105 @@ source logging/bin/rbac-include.sh source logging/bin/apiaccess-include.sh function show_usage { - which_action=$1 - case "$which_action" in + which_action=$1 + case "$which_action" in "CREATE") - log_message "" - log_message "Usage: $this_script CREATE [REQUIRED_PARAMETERS] [OPTIONS] " - log_message "" - log_message "Creates a user in the internal user database and limits their access to only log messages from the specified namespace and, optionally, more narrowly, to the specified tenant within the specified namespace" - log_message "" - log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to which this user should be granted access" - log_message " -t, --tenant TENANT - (Optional) The tenant within the specific SAS Viya deployment/Kubernetes Namespace to which this user should be granted access." - log_message " -u, --user USERNAME - (Optional) The username to be created (default: [NAMESPACE]|[NAMESPACE_TENANT]_admin)" - log_message " -p, --password PASSWORD - (Optional) The password for the newly created account (default: [USERNAME])" - echo "" - ;; + log_message "" + log_message "Usage: $this_script CREATE [REQUIRED_PARAMETERS] [OPTIONS] " + log_message "" + log_message "Creates a user in the internal user database and limits their access to only log messages from the specified namespace and, optionally, more narrowly, to the specified tenant within the specified namespace" + log_message "" + log_message " -ns, --namespace NAMESPACE - (Required) The SAS Viya deployment/Kubernetes Namespace to which this user should be granted access" + log_message " -t, --tenant TENANT - (Optional) The tenant within the specific SAS Viya deployment/Kubernetes Namespace to which this user should be granted access." 
+ log_message " -u, --user USERNAME - (Optional) The username to be created (default: [NAMESPACE]|[NAMESPACE_TENANT]_admin)" + log_message " -p, --password PASSWORD - (Optional) The password for the newly created account (default: [USERNAME])" + echo "" + ;; "DELETE") - log_message "Usage: $this_script DELETE [REQUIRED_PARAMETERS]" - log_message "" - log_message "Removes the specified user from the internal user database" - log_message "" - log_message " -u, --user USERNAME - (Required) The username to be deleted." - ;; + log_message "Usage: $this_script DELETE [REQUIRED_PARAMETERS]" + log_message "" + log_message "Removes the specified user from the internal user database" + log_message "" + log_message " -u, --user USERNAME - (Required) The username to be deleted." + ;; *) - log_message "" - log_message "Usage: $this_script ACTION [REQUIRED_PARAMETERS] [OPTIONS] " - log_message "" - log_message "Creates or deletes a user in the internal user database. Newly created users are granted permission limiting their access to log messages for the specified namespace, and, optionally, to a specific tenant within that namespace." - log_message "" - log_message " ACTION - (Required) one of the following actions: [CREATE, DELETE]" - log_message "" - log_message " Additional help information, including details of required and optional parameters, can be displayed by submitting the command: $this_script ACTION --help" - echo "" - ;; - esac + log_message "" + log_message "Usage: $this_script ACTION [REQUIRED_PARAMETERS] [OPTIONS] " + log_message "" + log_message "Creates or deletes a user in the internal user database. Newly created users are granted permission limiting their access to log messages for the specified namespace, and, optionally, to a specific tenant within that namespace." 
+ log_message "" + log_message " ACTION - (Required) one of the following actions: [CREATE, DELETE]" + log_message "" + log_message " Additional help information, including details of required and optional parameters, can be displayed by submitting the command: $this_script ACTION --help" + echo "" + ;; + esac } set -e POS_PARMS="" -while (( "$#" )); do - case "$1" in - -ns|--namespace) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - namespace=$2 - shift 2 - else - log_error "Error: A value for parameter [Namespace] has not been provided." >&2 - show_usage - exit 2 - fi - ;; - -t|--tenant) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - tenant=$2 - shift 2 - else - log_error "Error: A value for parameter [Tenant] has not been provided." >&2 - show_usage - exit 2 - fi - ;; - -u|--user|--username) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - username=$2 - shift 2 - else - log_error "Error: A value for parameter [User] has not been provided." >&2 - show_usage - exit 2 - fi - ;; - -p|--password) - if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then - password=$2 - shift 2 - else - log_error "Error: A value for parameter [Password] has not been provided." >&2 +while (("$#")); do + case "$1" in + -ns | --namespace) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + namespace=$2 + shift 2 + else + log_error "Error: A value for parameter [Namespace] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -t | --tenant) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + tenant=$2 + shift 2 + else + log_error "Error: A value for parameter [Tenant] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -u | --user | --username) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + username=$2 + shift 2 + else + log_error "Error: A value for parameter [User] has not been provided." 
>&2 + show_usage + exit 2 + fi + ;; + -p | --password) + if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then + password=$2 + shift 2 + else + log_error "Error: A value for parameter [Password] has not been provided." >&2 + show_usage + exit 2 + fi + ;; + -g | --grafanads) + grafanads_user="true" + shift + ;; + -h | --help) + show_usage=1 + shift + ;; + -* | --*=) # unsupported flags + log_error "Error: Unsupported flag $1" >&2 show_usage exit 2 - fi - ;; - -g|--grafanads) - grafanads_user="true" - shift - ;; - -h|--help) - show_usage=1 - shift - ;; - -*|--*=) # unsupported flags - log_error "Error: Unsupported flag $1" >&2 - show_usage - exit 2 - ;; + ;; *) # preserve positional arguments - POS_PARMS="$POS_PARMS $1" - shift - ;; - esac + POS_PARMS="$POS_PARMS $1" + shift + ;; + esac done # set positional arguments in their proper place @@ -122,21 +120,21 @@ if [ "$#" -lt 1 ]; then show_usage exit 1 else - action=$(echo "$1"|tr '[a-z]' '[A-Z]') - shift - - if [ "$action" != "CREATE" ] && [ "$action" != "DELETE" ] ; then - log_error "Invalid action [$action] specified; exiting" - show_usage - exit 1 - fi + action=$(echo "$1" | tr '[a-z]' '[A-Z]') + shift + + if [ "$action" != "CREATE" ] && [ "$action" != "DELETE" ]; then + log_error "Invalid action [$action] specified; exiting" + show_usage + exit 1 + fi fi log_debug "Action: $action" if [ "$show_usage" == "1" ]; then - show_usage "$action" - exit + show_usage "$action" + exit fi # No positional parameters (other than ACTION) are supported 
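Review bot: The `-p | --password` arm takes the account password from argv, where it is readable through the process list and ends up in shell history, and the usage text in `show_usage` documents the fallback as `(default: [USERNAME])`, i.e. a password equal to the account name. Consider also accepting the value without argv, for example `read -r -s -p 'Password: ' password` when stdin is a terminal, and replacing the username default with the `randomPassword` helper that the weak-password retry path further down already uses. A short comment on the `-p` arm noting the exposure would help until then.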
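Review bot: `action=$(echo "$1" | tr '[a-z]' '[A-Z]')` still uses bracketed ranges, which `tr` reads as literal `[` and `]` plus a locale-dependent range (ShellCheck SC2018/SC2019), while the namespace and tenant conversions elsewhere in this commit use character classes. For consistency with those lines: `action=$(echo "$1" | tr '[:lower:]' '[:upper:]')`. The `if [ "$#" -lt 1 ]` block this line sits in appears to open above the hunk's first line.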
@@ -146,231 +144,224 @@ if [ "$#" -ge 1 ]; then exit 4 fi - log_debug "POS_PARMS: $POS_PARMS" # Convert namespace and tenant to all lower-case -namespace=$(echo "$namespace"| tr '[:upper:]' '[:lower:]') -tenant=$(echo "$tenant"| tr '[:upper:]' '[:lower:]') - +namespace=$(echo "$namespace" | tr '[:upper:]' '[:lower:]') +tenant=$(echo "$tenant" | tr '[:upper:]' '[:lower:]') if [ "$namespace" == "_all_" ] && [ "$tenant" == "_all_" ]; then - if [ -z "$username" ] && [ "$grafanads_user" != "true" ]; then - log_error "Required parameter USERNAME not specified" - show_usage "$action" - exit 4 - fi - cluster="true" - namespace='' - tenant='' + if [ -z "$username" ] && [ "$grafanads_user" != "true" ]; then + log_error "Required parameter USERNAME not specified" + show_usage "$action" + exit 4 + fi + cluster="true" + namespace='' + tenant='' else - cluster="false" + cluster="false" - if [ -z "$username" ] && [ -z "$namespace" ]; then - log_error "Required parameter(s) NAMESPACE and/or USERNAME not specified" - show_usage "$action" - exit 4 - fi + if [ -z "$username" ] && [ -z "$namespace" ]; then + log_error "Required parameter(s) NAMESPACE and/or USERNAME not specified" + show_usage "$action" + exit 4 + fi fi log_debug "CLUSTER: $cluster NAMESPACE: $namespace TENANT: $tenant NST: $nst USERNAME: $username" # get admin credentials # shellcheck disable=SC2155 -export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" |base64 --decode) +export ES_ADMIN_USER=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.username}" | base64 --decode) # shellcheck disable=SC2155 -export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" |base64 --decode) - +export ES_ADMIN_PASSWD=$(kubectl -n "$LOG_NS" get secret internal-user-admin -o=jsonpath="{.data.password}" | base64 --decode) # Get Security API URL get_sec_api_url if [ -z "$sec_api_url" ]; then - log_error "Unable to 
determine URL to access security API endpoint" - exit 1 + log_error "Unable to determine URL to access security API endpoint" + exit 1 fi - case "$action" in - CREATE) - if [ "$cluster" == "true" ]; then - if [ "$grafanads_user" == "true" ]; then +CREATE) + if [ "$cluster" == "true" ]; then + if [ "$grafanads_user" == "true" ]; then berole="V4MCLUSTER_ADMIN_grafana_dsusers" pwdchangetxt="Do NOT use OpenSearch Dashboards or API, MUST re-run Grafana datasource creation script" - else + else berole="V4MCLUSTER_ADMIN_kibana_users" - fi - rolename="search_index_-ALL-" - scope="ALL namespaces" - else - if [ -z "$namespace" ]; then + fi + rolename="search_index_-ALL-" + scope="ALL namespaces" + else + if [ -z "$namespace" ]; then log_error "Required argument NAMESPACE no specified" echo "" show_usage CREATE exit 1 - fi + fi - if [ -n "$tenant" ]; then + if [ -n "$tenant" ]; then nst="${namespace}_${tenant}" scope="the tenant [$tenant] within the namespace [$namespace]" - else + else nst="$namespace" scope="namespace [$namespace]" - fi + fi - rolename=search_index_$nst + rolename=search_index_$nst - if [ "$grafanads_user" == "true" ]; then + if [ "$grafanads_user" == "true" ]; then berole="${nst}_grafana_dsusers" pwdchangetxt="Do NOT use OpenSearch Dashboards or API, MUST re-run Grafana datasource creation script" - else + else berole="${nst}_kibana_users" if [ -z "$username" ]; then - username="${nst}_admin" + username="${nst}_admin" fi - fi - fi + fi + fi - log_info "Attempting to create user [$username] and grant them access to log messages from $scope [$(date)]" + log_info "Attempting to create user [$username] and grant them access to log messages from $scope [$(date)]" - # Check if user exists - if user_exists "$username"; then - log_error "A user with this name [$username] already exists." - exit 1 - fi + # Check if user exists + if user_exists "$username"; then + log_error "A user with this name [$username] already exists." 
+ exit 1 + fi - #Check if role exists - if ! role_exists "$rolename"; then - log_error "The expected access control role [$rolename] does NOT exist." - if [ "$cluster" != "true" ]; then + #Check if role exists + if ! role_exists "$rolename"; then + log_error "The expected access control role [$rolename] does NOT exist." + if [ "$cluster" != "true" ]; then log_error "You must on-oboard $scope to create required the access control role." - fi - exit 1 - fi - - password=${password:-$username} - - if [ -z "$namespace" ]; then - nsconstraint="-none-" - else - nsconstraint=$namespace - fi - if [ -z "$tenant" ]; then - tconstraint="-none-" - else - tconstraint=$tenant - fi - - if [ -z "$pwdchangetxt" ]; then - pwdchangetxt="Use OpenSearch Dashboards or API" - fi - - exitnow="false" - weakpassword="false" - loopcounter=1 - until [ "$exitnow" == "true" ] - do - - cp logging/opensearch/rbac/user.json "$TMP_DIR"/user.json - # Replace PLACEHOLDERS - sed -i'.bak' "s/xxBEROLExx/$berole/g" "$TMP_DIR"/user.json # (NAMESPACE|NAMESPACE_TENANT|'V4MCLUSTER_ADMIN') + '_kibana_users' - sed -i'.bak' "s/xxNSCONSTRAINTxx/$nsconstraint/g" "$TMP_DIR"/user.json # NAMESPACE|'-none-' - sed -i'.bak' "s/xxTCONSTRAINTxx/$tconstraint/g" "$TMP_DIR"/user.json # TENANT|'-none-' - sed -i'.bak' "s/xxPASSWORDxx/$password/g" "$TMP_DIR"/user.json # PASSWORD - sed -i'.bak' "s/xxCREATEDBYxx/$this_script/g" "$TMP_DIR"/user.json # CREATEDBY - sed -i'.bak' "s/xxPWDCHANGEXX/$pwdchangetxt/g" "$TMP_DIR"/user.json # PASSWORD CHANGE MECHANISM (OSD|change_internal_password.sh script) - sed -i'.bak' "s/xxDATETIMExx/$(date)/g" "$TMP_DIR"/user.json # DATE - - log_debug "Contents of user.json template file after substitutions: \n $(cat "$TMP_DIR"/user.json)" - - - #remove any existing instance of this file - rm -f "$TMP_DIR"/user_create.txt - - # Create user - response=$(curl -s -o "$TMP_DIR"/user_create.txt -w "%{http_code}" -XPUT "$sec_api_url/internalusers/$username" -H 'Content-Type: application/json' -d 
@"$TMP_DIR"/user.json --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) - - if grep -i 'weak password' "$TMP_DIR"/user_create.txt >/dev/null 2>&1; then + fi + exit 1 + fi + + password=${password:-$username} + + if [ -z "$namespace" ]; then + nsconstraint="-none-" + else + nsconstraint=$namespace + fi + if [ -z "$tenant" ]; then + tconstraint="-none-" + else + tconstraint=$tenant + fi + + if [ -z "$pwdchangetxt" ]; then + pwdchangetxt="Use OpenSearch Dashboards or API" + fi + + exitnow="false" + weakpassword="false" + loopcounter=1 + until [ "$exitnow" == "true" ]; do + + cp logging/opensearch/rbac/user.json "$TMP_DIR"/user.json + # Replace PLACEHOLDERS + sed -i'.bak' "s/xxBEROLExx/$berole/g" "$TMP_DIR"/user.json # (NAMESPACE|NAMESPACE_TENANT|'V4MCLUSTER_ADMIN') + '_kibana_users' + sed -i'.bak' "s/xxNSCONSTRAINTxx/$nsconstraint/g" "$TMP_DIR"/user.json # NAMESPACE|'-none-' + sed -i'.bak' "s/xxTCONSTRAINTxx/$tconstraint/g" "$TMP_DIR"/user.json # TENANT|'-none-' + sed -i'.bak' "s/xxPASSWORDxx/$password/g" "$TMP_DIR"/user.json # PASSWORD + sed -i'.bak' "s/xxCREATEDBYxx/$this_script/g" "$TMP_DIR"/user.json # CREATEDBY + sed -i'.bak' "s/xxPWDCHANGEXX/$pwdchangetxt/g" "$TMP_DIR"/user.json # PASSWORD CHANGE MECHANISM (OSD|change_internal_password.sh script) + sed -i'.bak' "s/xxDATETIMExx/$(date)/g" "$TMP_DIR"/user.json # DATE + + log_debug "Contents of user.json template file after substitutions: \n $(cat "$TMP_DIR"/user.json)" + + #remove any existing instance of this file + rm -f "$TMP_DIR"/user_create.txt + + # Create user + response=$(curl -s -o "$TMP_DIR"/user_create.txt -w "%{http_code}" -XPUT "$sec_api_url/internalusers/$username" -H 'Content-Type: application/json' -d @"$TMP_DIR"/user.json --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) + + if grep -i 'weak password' "$TMP_DIR"/user_create.txt > /dev/null 2>&1; then log_warn "The password specified for user [$username] did not meet complexity requirements of OpenSearch." 
log_warn "A randomly generated password will be used instead." log_warn "Check notices below for additional details." weakpassword="true" password="$(randomPassword)" exitnow="false" - else + else exitnow="true" - fi + fi - ((loopcounter++)) + ((loopcounter++)) - if [[ $loopcounter -gt 3 ]]; then + if [[ $loopcounter -gt 3 ]]; then exitnow='true' log_debug "Weak password check looped too many times [$loopcounter]" - else + else log_debug "Weak password check loop [$loopcounter]" - fi - done - - if [[ $response != 2* ]]; then - log_error "There was an issue creating the user [$username]. [$response]" - exit 1 - else - log_info "User [$username] created. [$response]" - fi - log_notice "User [$username] added to internal user database [$(date)]" - add_notice " " - add_notice "User [$username] added to internal user database. " - - if [ "$weakpassword" == "true" ]; then - add_notice '+------------------------------------------------------------------------------+' - add_notice '|.............IMPORTANT NOTICE: REQUESTED PASSWORD REJECTED....................|' - add_notice '+------------------------------------------------------------------------------+' - add_notice "The specified password failed the complexity requirements of OpenSearch." - add_notice "The password [$password] was generated randomly for [$username]." - add_notice "$pwdchangetxt to change the password later." - fi - add_notice " " - - ;; - DELETE) - if [ -z "$username" ]; then - log_error "Required argument USERNAME not specified" - echo "" - show_usage DELETE - exit 1 - fi - - log_info "Attempting to remove user [$username] from the internal user database [$(date)]" - - # Check if user exists - if ! user_exists "$username"; then - log_error "There was an issue deleting the user [$username]; the user does NOT exists." - exit 1 - else - log_debug "User [$username] exists." 
- fi - - # Delete user - response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "$sec_api_url/internalusers/$username" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) - if [[ $response != 2* ]]; then - log_error "There was an issue deleting the user [$username]. [$response]" - exit 1 - else - log_info "User [$username] deleted. [$response]" - log_notice "User [$username] removed from internal user database [$(date)]" - fi - ;; - *) - log_error "Invalid action specified" - exit 1 - ;; + fi + done + + if [[ $response != 2* ]]; then + log_error "There was an issue creating the user [$username]. [$response]" + exit 1 + else + log_info "User [$username] created. [$response]" + fi + log_notice "User [$username] added to internal user database [$(date)]" + add_notice " " + add_notice "User [$username] added to internal user database. " + + if [ "$weakpassword" == "true" ]; then + add_notice '+------------------------------------------------------------------------------+' + add_notice '|.............IMPORTANT NOTICE: REQUESTED PASSWORD REJECTED....................|' + add_notice '+------------------------------------------------------------------------------+' + add_notice "The specified password failed the complexity requirements of OpenSearch." + add_notice "The password [$password] was generated randomly for [$username]." + add_notice "$pwdchangetxt to change the password later." + fi + add_notice " " + + ;; +DELETE) + if [ -z "$username" ]; then + log_error "Required argument USERNAME not specified" + echo "" + show_usage DELETE + exit 1 + fi + + log_info "Attempting to remove user [$username] from the internal user database [$(date)]" + + # Check if user exists + if ! user_exists "$username"; then + log_error "There was an issue deleting the user [$username]; the user does NOT exists." + exit 1 + else + log_debug "User [$username] exists." 
+ fi + + # Delete user + response=$(curl -s -o /dev/null -w "%{http_code}" -XDELETE "$sec_api_url/internalusers/$username" --user "$ES_ADMIN_USER":"$ES_ADMIN_PASSWD" --insecure) + if [[ $response != 2* ]]; then + log_error "There was an issue deleting the user [$username]. [$response]" + exit 1 + else + log_info "User [$username] deleted. [$response]" + log_notice "User [$username] removed from internal user database [$(date)]" + fi + ;; +*) + log_error "Invalid action specified" + exit 1 + ;; esac - LOGGING_DRIVER=${LOGGING_DRIVER:-false} if [ "$LOGGING_DRIVER" != "true" ]; then - echo "" - display_notices - echo "" + echo "" + display_notices + echo "" fi From 1c4f9e65f9c2401a21a50b398642e1564695231f Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Fri, 22 Aug 2025 17:26:34 -0400 Subject: [PATCH 04/10] Linting: shfmt (3) --- logging/bin/onboard.sh | 3 +++ logging/bin/remove_eventrouter.sh | 2 +- logging/bin/user.sh | 3 ++- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/logging/bin/onboard.sh b/logging/bin/onboard.sh index 014cb78a..13985418 100755 --- a/logging/bin/onboard.sh +++ b/logging/bin/onboard.sh @@ -40,6 +40,7 @@ createuser=false POS_PARMS="" while (("$#")); do + # shellcheck disable=SC2221,SC2222 case "$1" in -ns | --namespace) if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then @@ -218,7 +219,9 @@ if [ "$createuser" == "true" ]; then log_warn "You can create a new user with the appropriate access controls by calling the logging/bin/user.sh script directly." else if [ -z "$tenant" ]; then + set -x ./logging/bin/user.sh CREATE -ns "$namespace" -u "$inituser" "$passwdarg" + set +x else ./logging/bin/user.sh CREATE -ns "$namespace" -t "$tenant" -u "$inituser" "$passwdarg" fi diff --git a/logging/bin/remove_eventrouter.sh b/logging/bin/remove_eventrouter.sh index e3873462..4fde6879 100755 --- a/logging/bin/remove_eventrouter.sh +++ b/logging/bin/remove_eventrouter.sh 
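Review bot: The `# shellcheck disable=SC2221,SC2222` added above `case "$1" in` in onboard.sh gives no reason, and in that position it silences overlapping-pattern warnings for every arm of the option parser, including arms added later. Those two checks report a pattern that can never match because an earlier one already does, so the suppression may be hiding a dead option branch; the arm that triggers it is outside this hunk, so that is unconfirmed. I would either drop the redundant alternative from the pattern or add a comment line above the directive naming the arm it is for, e.g. `# SC2221/SC2222: the catch-all option arm overlaps on purpose`. The same directive is added to logging/bin/user.sh (`@@ -51,6 +51,7 @@`) in this commit, and the same applies there.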
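Review bot: In both `./logging/bin/user.sh CREATE ...` calls the trailing `"$passwdarg"` is a single quoted word, so user.sh receives an empty-string argument when the variable is empty, and one fused word if it holds a flag plus its value. The assignment of `passwdarg` is outside this hunk, so which case applies needs checking against the code above. An array keeps the quoting the linter asks for without changing the argument count: start with `passwdarg=()`, append the flag and the value as separate elements only when a password was supplied, and call with `"${passwdarg[@]}"`. Separately, the `set -x`/`set +x` pair added around the first call prints the expanded command, password argument included, to stderr; a later patch in this series deletes it, and it should not ship in between.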
@@ -17,7 +17,7 @@ cp -R logging/eventrouter/eventrouter.yaml "$logDir"/eventrouter.yaml # Replace placeholders log_debug "Replacing logging namespace for files in [$logDir]" -v4m_replace "__LOG_NS__" "$LOG_NS" "$logDir"/eventrouter.yaml +v4m_replace "__LOG_NS__" "$LOG_NS" "$logDir"/eventrouter.yaml log_info "Removing Event Router [$(date)]" # Remove existing instance of Event Router in the kube-system namespace (if present). diff --git a/logging/bin/user.sh b/logging/bin/user.sh index 07310da9..d6a00e1e 100755 --- a/logging/bin/user.sh +++ b/logging/bin/user.sh @@ -51,6 +51,7 @@ set -e POS_PARMS="" while (("$#")); do + # shellcheck disable=SC2221,SC2222 case "$1" in -ns | --namespace) if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then @@ -120,7 +121,7 @@ if [ "$#" -lt 1 ]; then show_usage exit 1 else - action=$(echo "$1" | tr '[a-z]' '[A-Z]') + action=$(echo "$1" | tr 'a-z' 'A-Z') shift if [ "$action" != "CREATE" ] && [ "$action" != "DELETE" ]; then From d3af1305739b2c3701e34dee1988cc49d7f21663 Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Fri, 22 Aug 2025 17:33:08 -0400 Subject: [PATCH 05/10] Cleanup: remove unneeded temp file --- logging/bin/deploy_logging_azmonitor.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/logging/bin/deploy_logging_azmonitor.sh b/logging/bin/deploy_logging_azmonitor.sh index 6a6ca164..26976bf6 100755 --- a/logging/bin/deploy_logging_azmonitor.sh +++ b/logging/bin/deploy_logging_azmonitor.sh @@ -6,11 +6,6 @@ cd "$(dirname "$BASH_SOURCE")/../.." || exit 1 source logging/bin/common.sh -# temp file used to capture command output -# shellcheck disable=SC2034 -tmpfile=$TMP_DIR/output.txt -rm -f tmpfile - if [ "$(kubectl get ns "$LOG_NS" -o name 2> /dev/null)" == "" ]; then kubectl create ns "$LOG_NS" fi From ec881d4c47fe4b2a377936478376334bfcc2c083 Mon Sep 17 00:00:00 2001 
From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Fri, 22 Aug 2025 17:38:39 -0400 Subject: [PATCH 06/10] remove debugging code --- logging/bin/onboard.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/logging/bin/onboard.sh b/logging/bin/onboard.sh index 13985418..7f32163b 100755 --- a/logging/bin/onboard.sh +++ b/logging/bin/onboard.sh @@ -219,9 +219,7 @@ if [ "$createuser" == "true" ]; then log_warn "You can create a new user with the appropriate access controls by calling the logging/bin/user.sh script directly." else if [ -z "$tenant" ]; then - set -x ./logging/bin/user.sh CREATE -ns "$namespace" -u "$inituser" "$passwdarg" - set +x else ./logging/bin/user.sh CREATE -ns "$namespace" -t "$tenant" -u "$inituser" "$passwdarg" fi From c9965d0aa60a7ce52da3bedb586f1da77cb75af3 Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Fri, 22 Aug 2025 17:44:10 -0400 Subject: [PATCH 07/10] Linting: caved to the linters demands --- logging/bin/user.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logging/bin/user.sh b/logging/bin/user.sh index d6a00e1e..92790b40 100755 --- a/logging/bin/user.sh +++ b/logging/bin/user.sh @@ -121,7 +121,7 @@ if [ "$#" -lt 1 ]; then show_usage exit 1 else - action=$(echo "$1" | tr 'a-z' 'A-Z') + action=$(echo "$1" | tr "[:lower:]" "[:upper:]") shift if [ "$action" != "CREATE" ] && [ "$action" != "DELETE" ]; then From 3f2ea2fcc6eb83e4c13d4f694fb7b6ddc0e5d6ef Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Mon, 25 Aug 2025 17:47:10 -0400 Subject: [PATCH 08/10] [FIX] Correct handling of unavailable API endpoint in deploy_opensearch_content.sh --- CHANGELOG.md | 4 ++++ logging/bin/deploy_opensearch_content.sh | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 173e247c..49946375 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,8 @@ # SAS Viya Monitoring for Kubernetes +## unreleased +* **Logging** + * [FIX] Corrected handling of unavailable API endpoint in deploy_opensearch_content.sh + ## Version 1.2.41 (19AUG2025) * **Metrics** diff --git a/logging/bin/deploy_opensearch_content.sh b/logging/bin/deploy_opensearch_content.sh index 0302e6dc..6e2a2188 100755 --- a/logging/bin/deploy_opensearch_content.sh +++ b/logging/bin/deploy_opensearch_content.sh @@ -25,8 +25,6 @@ log_info "Loading Content into OpenSearch" # temp file used to capture command output tmpfile=$TMP_DIR/output.txt -set -e - # check for pre-reqs # Confirm namespace exists @@ -169,6 +167,8 @@ function add_ism_template { fi } +set -e + LOG_RETENTION_PERIOD="${LOG_RETENTION_PERIOD:-3}" set_retention_period viya_logs_idxmgmt_policy LOG_RETENTION_PERIOD add_ism_template "viya_logs_idxmgmt_policy" "viya_logs-*" 100 From e4085bda64d4551598caf5da3b8982d271efa157 Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Mon, 25 Aug 2025 18:15:49 -0400 Subject: [PATCH 09/10] linting --- logging/bin/deploy_opensearch_content.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/logging/bin/deploy_opensearch_content.sh b/logging/bin/deploy_opensearch_content.sh index 6e2a2188..9a656cc1 100755 --- a/logging/bin/deploy_opensearch_content.sh +++ b/logging/bin/deploy_opensearch_content.sh @@ -23,6 +23,7 @@ fi log_info "Loading Content into OpenSearch" # temp file used to capture command output +# shellcheck disable=SC2034 tmpfile=$TMP_DIR/output.txt # check for pre-reqs From fa6d0d095275f4a2ab542947c1b859e9f2e4984b Mon Sep 17 00:00:00 2001 From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com> Date: Tue, 26 Aug 2025 11:25:33 -0400 Subject: [PATCH 10/10] Minor tweak --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49946375..5ac817a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
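Review bot: Moving `set -e` down to just before `LOG_RETENTION_PERIOD` leaves everything above it without errexit (the pre-req checks and whatever runs between the two hunks), and nothing in the file says that is intentional. Any command in that stretch whose status is not tested explicitly will now fail silently and the script will carry on to load content; that code is outside both hunks, so each call there should be checked before merging. If the checks are in place, a comment at the new location would stop someone moving the line back to the top: `# errexit starts here; the pre-req and endpoint checks above test exit codes themselves`. The functions defined above this line still run under `set -e` when they are called from below it.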
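Review bot: The `# shellcheck disable=SC2034` on `tmpfile` hides an unused-variable warning without saying why the variable is kept. If nothing in this script or in the files it sources reads `tmpfile`, delete the assignment and its comment, as PATCH 05/10 did for the identical lines in deploy_logging_azmonitor.sh. If a sourced helper does read it, say so next to the directive, e.g. `# tmpfile is read by <sourced file>`, so the suppression is not copied around as boilerplate.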
@@ -1,5 +1,5 @@ # SAS Viya Monitoring for Kubernetes -## unreleased +## Unreleased * **Logging** * [FIX] Corrected handling of unavailable API endpoint in deploy_opensearch_content.sh