feat: The traffic in transit between the audit webhook service in the cluster and the components that send audit events to it is encrypted using HTTPS in the kube-audit sub-module. The module will run a script to execute steps mentioned [here](https://cloud.ibm.com/docs/openshift?topic=openshift-health-audit#secure-setup) to generate a private key and approve the certificate using kubectl. To opt out of this and use HTTP instead (not recommended) you can set enable_https_traffic to false.<br>- NOTE: This will enabled by default in the Standard - Integrated setup with configurable services DA variation. Users upgrading to a previous version of the DA will see an update in place which will re-create the kube secret and restart the kube-audit pods to apply the HTTPS configuration (#914)

Author: Aashiq-J

examples/advanced/main.tf

@@ -290,5 +290,5 @@ module "logs_agents" {
     value = module.ocp_base.cluster_id
   }]
   # example of how to add only kube-audit log source path
-  logs_agent_selected_log_source_paths = ["/var/log/audit/*.log"]
+  logs_agent_system_logs = ["/var/log/audit/*.log"]
 }

ibm_catalog.json

@@ -937,6 +937,10 @@
               "key": "enable_kube_audit",
               "hidden": true
             },
+            {
+              "key": "enable_kube_audit_https_traffic",
+              "hidden": true
+            },
             {
               "key": "audit_deployment_name",
               "hidden": true

modules/kube-audit/README.md

@@ -70,6 +70,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [helm_release.kube_audit](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [null_resource.enable_https_traffic](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.set_audit_log_policy](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.set_audit_webhook](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [terraform_data.install_required_binaries](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
@@ -89,6 +90,7 @@ No modules.
 | <a name="input_cluster_config_endpoint_type"></a> [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster. | `string` | `"default"` | no |
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The ID of the cluster to deploy the log collection service in. | `string` | n/a | yes |
 | <a name="input_cluster_resource_group_id"></a> [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster. | `string` | n/a | yes |
+| <a name="input_enable_https_traffic"></a> [enable\_https\_traffic](#input\_enable\_https\_traffic) | When set to true, the traffic in transit between the audit webhook service in the cluster and the components that send audit events to it is encrypted using HTTPS. This automates the steps mentioned [here](https://cloud.ibm.com/docs/openshift?topic=openshift-health-audit#secure-setup). Certificate rotation still requires manual intervention to replace the secret and restart the deployment. | `bool` | `true` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud api key to generate an IAM token. | `string` | n/a | yes |
 | <a name="input_install_required_binaries"></a> [install\_required\_binaries](#input\_install\_required\_binaries) | When set to true, a script will run to check if `kubectl` and `jq` exist on the runtime and if not attempt to download them from the public internet and install them to /tmp. Set to false to skip running this script. | `bool` | `true` | no |
 | <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where the cluster is provisioned. | `string` | n/a | yes |

modules/kube-audit/helm-charts/kube-audit/templates/deployment.yaml

@@ -21,6 +21,7 @@ spec:
           imagePullPolicy: Always
           ports:
             - containerPort: 3000
+            - containerPort: 4443
           securityContext:
             allowPrivilegeEscalation: false
             runAsNonRoot: true
@@ -29,3 +30,12 @@ spec:
                 - ALL
             seccompProfile:
               type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /certificates
+              name: certificates
+              readOnly: true
+      volumes:
+        - name: certificates
+          secret:
+            secretName: "{{ .Values.metadata.name }}-secret"
+            optional: true

modules/kube-audit/helm-charts/kube-audit/templates/network-policy.yaml

@@ -13,6 +13,8 @@ spec:
     - ports:
         - protocol: TCP
           port: 3000
+        - protocol: TCP
+          port: 4443
       from:
         - namespaceSelector:
             matchLabels:

modules/kube-audit/helm-charts/kube-audit/templates/service.yaml

@@ -9,7 +9,12 @@ spec:
   selector:
     app: "{{ .Values.metadata.name }}"
   ports:
-    - protocol: TCP
+    - name: http
+      protocol: TCP
       port: 80
       targetPort: 3000
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: 4443
   type: ClusterIP

modules/kube-audit/main.tf

@@ -10,6 +10,7 @@ resource "terraform_data" "install_required_binaries" {
     audit_namespace                         = var.audit_namespace
     audit_webhook_listener_image            = var.audit_webhook_listener_image
     audit_webhook_listener_image_tag_digest = var.audit_webhook_listener_image_tag_digest
+    enable_https_traffic                    = var.enable_https_traffic
   }
   provisioner "local-exec" {
     command     = "${path.module}/scripts/install-binaries.sh ${local.binaries_path}"
@@ -100,14 +101,30 @@ resource "helm_release" "kube_audit" {
   }
 }
 
+resource "null_resource" "enable_https_traffic" {
+  depends_on = [terraform_data.install_required_binaries, helm_release.kube_audit]
+  count      = var.enable_https_traffic ? 1 : 0
+  triggers = {
+    enable_https_traffic = var.enable_https_traffic
+  }
+  provisioner "local-exec" {
+    command     = "${path.module}/scripts/https_audit.sh ${var.audit_namespace} ${var.audit_deployment_name} ${var.audit_deployment_name}-secret"
+    interpreter = ["/bin/bash", "-c"]
+    environment = {
+      KUBECONFIG = data.ibm_container_cluster_config.cluster_config.config_file_path
+    }
+  }
+}
+
+
 # wait for the kube-audit resources.
 resource "time_sleep" "wait_for_kube_audit" {
-  depends_on      = [helm_release.kube_audit]
+  depends_on      = [null_resource.enable_https_traffic]
   create_duration = "60s"
 }
 
 locals {
-  audit_server = "https://127.0.0.1:2040/api/v1/namespaces/${var.audit_namespace}/services/${var.audit_deployment_name}-service/proxy/post"
+  audit_server = var.enable_https_traffic ? "https://127.0.0.1:2040/api/v1/namespaces/${var.audit_namespace}/services/https:${var.audit_deployment_name}-service:https/proxy/post" : "https://127.0.0.1:2040/api/v1/namespaces/${var.audit_namespace}/services/http:${var.audit_deployment_name}-service:http/proxy/post"
 }
 
 # see [issue](https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6107)
@@ -118,7 +135,8 @@ locals {
 resource "null_resource" "set_audit_webhook" {
   depends_on = [terraform_data.install_required_binaries, time_sleep.wait_for_kube_audit]
   triggers = {
-    audit_log_policy = var.audit_log_policy
+    audit_log_policy     = var.audit_log_policy
+    enable_https_traffic = var.enable_https_traffic
   }
   provisioner "local-exec" {
     command     = "${path.module}/scripts/set_webhook.sh ${var.region} ${var.use_private_endpoint} ${var.cluster_config_endpoint_type} ${var.cluster_id} ${var.cluster_resource_group_id} ${var.audit_log_policy != "default" ? "verbose" : "default"} ${local.binaries_path}"

modules/kube-audit/scripts/https_audit.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+NAMESPACE=$1
+DEPLOYMENT=$2
+SERVICE="${DEPLOYMENT}-service"
+CSR_NAME="${SERVICE}.${NAMESPACE}"
+SECRET_NAME=${3:-"audit-webhook"}
+# The binaries downloaded by the install-binaries script are located in the /tmp directory.
+export PATH=$PATH:${4:-"/tmp"}
+
+function check_kubectl_cli() {
+    if ! command -v kubectl &>/dev/null; then
+        echo "Error: kubectl is not installed. Exiting."
+        exit 1
+    fi
+}
+
+check_kubectl_cli
+
+echo "Waiting for Service ClusterIP..."
+cluster_ip=$(
+    kubectl wait \
+        --for jsonpath='{.spec.clusterIP}' \
+        --namespace "${NAMESPACE}" \
+        --output jsonpath='{.spec.clusterIP}' \
+        --timeout 5m \
+        svc/"${SERVICE}"
+)
+
+echo "Cluster IP detected: ${cluster_ip}"
+
+function sign_certificate() {
+    echo "Generating private key..."
+    SERVER_KEY="$(openssl genrsa 4096)"
+
+    echo "Generating CSR..."
+    SERVER_CSR="$(
+        openssl req -new \
+            -key <(printf '%s\n' "${SERVER_KEY}") \
+            -config <(
+                cat <<EOF
+[ req ]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+CN = system:node:${SERVICE}.${NAMESPACE}.svc
+O = system:nodes
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
+DNS.2 = ${SERVICE}.${NAMESPACE}.svc
+IP.1 = ${cluster_ip}
+EOF
+            )
+    )"
+
+    echo "Submitting Kubernetes CSR..."
+    kubectl apply -f - <<EOF
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: ${CSR_NAME}
+spec:
+  request: $(printf '%s' "${SERVER_CSR}" | base64 | tr -d '\n')
+  signerName: kubernetes.io/kubelet-serving
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
+EOF
+
+    echo "Approving CSR..."
+    kubectl certificate approve "${CSR_NAME}"
+
+    echo "Waiting for signed certificate..."
+    kubectl wait \
+        --for jsonpath='{.status.certificate}' \
+        --timeout 5m \
+        csr/"${CSR_NAME}"
+
+    SERVER_CERT="$(
+        kubectl get csr/"${CSR_NAME}" \
+            -o jsonpath='{.status.certificate}' | base64 --decode
+    )"
+}
+
+sign_certificate
+
+echo "Creating or replacing TLS secret..."
+kubectl delete secret "${SECRET_NAME}" \
+    --namespace "${NAMESPACE}" \
+    --ignore-not-found
+
+kubectl create secret tls "${SECRET_NAME}" \
+    --namespace "${NAMESPACE}" \
+    --cert <(printf '%s\n' "${SERVER_CERT}") \
+    --key <(printf '%s\n' "${SERVER_KEY}")
+
+echo "Restarting deployment..."
+kubectl rollout restart \
+    --namespace "${NAMESPACE}" \
+    deploy/"${DEPLOYMENT}"
+
+echo "Waiting for rollout to complete..."
+kubectl rollout status \
+    --timeout 1m \
+    --namespace "${NAMESPACE}" \
+    deploy/"${DEPLOYMENT}"

modules/kube-audit/variables.tf

@@ -109,3 +109,10 @@ variable "install_required_binaries" {
   description = "When set to true, a script will run to check if `kubectl` and `jq` exist on the runtime and if not attempt to download them from the public internet and install them to /tmp. Set to false to skip running this script."
   nullable    = false
 }
+
+variable "enable_https_traffic" {
+  type        = bool
+  default     = true
+  description = "When set to true, the traffic in transit between the audit webhook service in the cluster and the components that send audit events to it is encrypted using HTTPS. This automates the steps mentioned [here](https://cloud.ibm.com/docs/openshift?topic=openshift-health-audit#secure-setup). Certificate rotation still requires manual intervention to replace the secret and restart the deployment."
+  nullable    = false
+}

solutions/fully-configurable/main.tf

@@ -310,4 +310,5 @@ module "kube_audit" {
   audit_deployment_name                   = var.audit_deployment_name
   audit_webhook_listener_image            = var.audit_webhook_listener_image
   audit_webhook_listener_image_tag_digest = var.audit_webhook_listener_image_tag_digest
+  enable_https_traffic                    = var.enable_kube_audit_https_traffic
 }