feat: manage openbao audit devices

- manage openbao audit devices in the configuration file
- enable audit and audit_raw logs

hieradata/roles/infra/logs/vlinsert.yaml

@@ -14,6 +14,8 @@ victorialogs::node::options:
   envflag.enable: 'true'
   select.disable: 'undef'
   storageNode.tls: 'undef'
+  syslog.listenAddr.tcp: ':21514'
+  syslog.timezone: 'Australia/Sydney'
   storageNode:
     - ausyd1nxvm2108.main.unkin.net:9428
     - ausyd1nxvm2109.main.unkin.net:9428
@@ -45,7 +47,20 @@ consul::services:
         tls_skip_verify: true
         interval: '10s'
         timeout: '1s'
+  syslog:
+    service_name: 'syslog'
+    address: "%{facts.networking.ip}"
+    port: 21514
+    checks:
+      - id: 'vlinsert_syslog_tcp_check'
+        name: 'VictoriaLogs Syslog TCP Check'
+        tcp: "%{facts.networking.fqdn}:21514"
+        interval: '30s'
+        timeout: '5s'
 profiles::consul::client::node_rules:
   - resource: service
     segment: vlinsert
     disposition: write
+  - resource: service
+    segment: syslog
+    disposition: write

hieradata/roles/infra/metrics/vmagent.yaml

@@ -3,6 +3,16 @@ hiera_include:
   - vmcluster::vmagent
 
 vmcluster::vmagent::enable: true
+vmcluster::vmagent::static_targets:
+  vyos_node:
+    targets:
+      - '198.18.21.160:9100'
+    scrape_interval: '15s'
+    metrics_path: '/metrics'
+    scheme: 'http'
+    labels:
+      instance: 'syrtvm0001.main.unkin.net'
+      job: 'vyos_node'
 vmcluster::vmagent::options:
   tls: 'true'
   tlsCertFile: '/etc/pki/tls/vault/certificate.crt'

hieradata/roles/infra/storage/vault.yaml

@@ -4,6 +4,17 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
+profiles::vault::server::audit_devices:
+  - file:
+      audit-file:
+        options:
+          file_path: /data/vault/audit_raw.log
+          log_raw: true
+  - file:
+      audit-file:
+        options:
+          file_path: /data/vault/audit.log
+          log_raw: false
 vault::package_name: openbao
 vault::package_ensure: latest
 

modules/vmcluster/manifests/vmagent.pp

@@ -10,6 +10,7 @@ class vmcluster::vmagent (
   Stdlib::Absolutepath $vars_file = '/etc/default/vmagent',
   String  $consul_node_token      = $facts['consul_node_token'],
   Hash[String, Variant[String, Array[String]]] $options = {},
+  Hash[String, Hash] $static_targets = {},
 ) {
 
   # if enabled, manage this service

modules/vmcluster/templates/vmagent.scrape.yaml.erb

@@ -35,3 +35,28 @@ scrape_configs:
       - source_labels: [__meta_consul_tag_metrics_job]
         target_label: job
         action: replace
+
+<% if @static_targets -%>
+<% @static_targets.each do |job_name, config| -%>
+  - job_name: '<%= job_name %>'
+    static_configs:
+<% config['targets'].each do |target| -%>
+      - targets: ['<%= target %>']
+<% if config['labels'] -%>
+        labels:
+<% config['labels'].each do |label_name, label_value| -%>
+          <%= label_name %>: '<%= label_value %>'
+<% end -%>
+<% end -%>
+<% end -%>
+<% if config['scrape_interval'] -%>
+    scrape_interval: <%= config['scrape_interval'] %>
+<% end -%>
+<% if config['metrics_path'] -%>
+    metrics_path: <%= config['metrics_path'] %>
+<% end -%>
+<% if config['scheme'] -%>
+    scheme: <%= config['scheme'] %>
+<% end -%>
+<% end -%>
+<% end -%>

site/profiles/manifests/vault/server.pp

@@ -15,7 +15,7 @@ class profiles::vault::server (
   Stdlib::Absolutepath $ssl_crt     = '/etc/pki/tls/vault/certificate.crt',
   Stdlib::Absolutepath $ssl_key     = '/etc/pki/tls/vault/private.key',
   Stdlib::Absolutepath $ssl_ca      = '/etc/pki/tls/certs/ca-bundle.crt',
-  Stdlib::Absolutepath $audit_log   = '/var/log/vault_audit.log',
+  Optional[Array[Hash]] $audit_devices = undef,
 ){
 
   # set a datacentre/cluster name
@@ -66,6 +66,7 @@ class profiles::vault::server (
       extra_config       => {
         cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
       },
+      audit              => $audit_devices,
       listener           => [
         {
           tcp => {
@@ -86,13 +87,6 @@ class profiles::vault::server (
       ]
     }
 
-    # ensure the vault audit log exists
-    file { $audit_log:
-      ensure => 'file',
-      owner  => 'vault',
-      group  => 'vault',
-      mode   => '0600',
-    }
 
     service { 'vault':
       ensure    => true,