Environment Changes

Steps to configure changes in the environment for deploying the tools

Step-1: Update the domain name

Step-2: Modify the role attribute path for Grafana access

Step-3: Modify the retention, storage size, cluster name and targets based on the specific requirements

Step-4: Adjust the volume size and update the retention period accordingly

Optional: S3 bucket configuraation(Recommended for prod)

Caution: Use the sub claim instead of aud when setting up Web Identity (OIDC) IAM roles to ensure correct identity matching.

Step-4a: Create an AWS Web Identity (OIDC) IAM role with the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToLokiBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<s3-bucket>",
                "arn:aws:s3:::<s3-bucket>/*"
            ]
        }
    ]
}

Step-4b: Update S3 details & role ARN in the below config.

# deploy-as-code/helm/environments/egov-demo.yaml
loki:
  persistence:
    enabled: true
    accessModes:
      - ReadWriteOnce
    size: 10Gi
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: <s3-role-arn>    ## AWS arn for s3 role 
  additionalConfigs:
    schema_config:
      configs:
        - from: 2020-10-24
          store: boltdb-shipper
          object_store: s3                         ## AWS s3 as storage
          schema: v11
          index:
            prefix: index_
            period: 24h
    storage_config:
      boltdb_shipper:
        active_index_directory: /data/loki/index
        cache_location: /data/loki/index_cache
        shared_store: s3                           ## AWS s3 as storage
        cache_ttl: 24h
      aws:
        s3: s3://<region>/<s3-bucket>              ## s3 region & bucket
    compactor:
      working_directory: /data/loki/boltdb-shipper-compactor
      shared_store: s3                             ## AWS s3 as storage
      retention_enabled: true
      compaction_interval: 168h                    ## compaction in hours
    table_manager:
      retention_deletes_enabled: true
      retention_period: 168h                       ## retention in hours

Note: Refer to the official docs for detailed configuration.

Step-5: Make the required changes in the env-secrets file

Changes to the Alertmanager configuration in the env-secrets.yaml file.

Step-6: OAuth app configuration

Step-7: Authentication configuration for Grafana in env-secrets.yaml

Sample Env-Secrets File

cluster-configs:
   secrets:
       db:
           username: postgres
           password: test123
           flywayUsername: postgres
           flywayPassword: test123
       egov-filestore:
           awskey: jdfbjdfjvnbvdk
           awssecretkey: bxjcsvbvncajsb
       user:
           username: admin
           password: demo
       egov-enc-service:
           master_password: demo
           master_salt: q7.fr.cr
           master_initialvector: 9J&asfgrU-H2
       egov-notification-sms:
           username: demo
           password: demo
       egov-pg-service:
           axis_merchant_accesscode: demo
           axis_merchant_id: demo
           axis_merchant_pwd: demo
           axis_merchant_secretkey: demo
           axis_merchant_user: demo
           payu_merchant_key: demo
           payu_merchant_salt: demo
       egov-notification-mail:
           mailsenderusername: demo@demo
           mailsenderpassword: demo
       egov-location:
           gmapskey: jbsdbvxvcmbsmnx
       kafka:
           clusterID: HshRPdVrcvxWoB4kuTdEbawtq
       elasticsearch:
           password: <Password>
       oauth2:
           clientSecret: <Client Sec ID>    
           clientID: <Client ID>
       grafana:
           clientID: <OAuth-key>    ##change ID
           clientSecret: <OAuth-token> #change secrets key
       git-sync:
           ssh: |-
               -----BEGIN RSA PRIVATE KEY-----
               MIIEpAIBAAKCAQEAxMn4y2irJKb/dAQr4FZtiBbX+VfgeNWDO6Ure90CA+f5QcjL
               i0SHAbpvZ+PAPwZcYZMiOE7hdRh1xSiY7u1GQPcm1ZIboKSYahafq41XFzYGG3hk
               6GHC0RPPGhW4TQ8PWbUiReSndn2VE/VY+3DItS6kSwKazqfBWVqXZ9fkAQ0yUFT1
               M1rsdIZoeei9NH48UyDD4U2x/BEHMneElQbibwDuBrN/6DSzlIcgOMhePf272Nsf
               GOL/SA2YJx6k7gDHjEDZ/pz6MT9XjVcDjP9y8f2udObrzIopv3C0jRZp+rKM6PFU
               sLCtJSRoohmmYlexixhMFS/kAPP6Q8VyHeUcWwIDAQABAoIBAQCBZiW460yOP1l+
               mjeXvn0rnYnKpaQvEIbIs6VSP1NR6jmWrkhZfWghFMyozbPePXqFltBLomLSMpFO
               YZGemls14M6iZP7RtSmbqOC5V6lK0/VUHuiLfa0y+gmWp22XDi4T2O1+dApB+fYL
               N6uZOuJfcRoLUN0mwlx7OvyQBgAhR7r0eePcV+yvk35qSVlKw9KreAytvE9fmLcZ
               pH4jKSOFibAsDYYz9oVnwo5+aVvYl3oU2TyLwQFKmkZyKJsMOWtGw4+MVRO5/xre
               WzuR8QNY/z7/A2MNQlO4KjEqkv4m/z6lh9WaDXO+PbCRRARbFcS4ZUJgXgPhtFz3
               wiyXxExxAoGBAOP/GKktpUVMqtE3sXlJ4xS2l7e9w1t9kyceElXZl2FSJkqJe9Bt
               PJ9FdjbB4wlxF985PkOByvOQwsGMcuMOF+BlHW/KcA2LR2vsoBY6zGTJB35YqD2V
               lpdI3az0RugrYTCi3pHq/GVAc9h+V9S4+SvsuIZfrfXV+OwkeFh6gmG9AoGBANz1
               nbgdQk5ZIJJvr5Y0Hn2fTKGyvHsiu/MNL5axaYxD1BUAdPdW9x7nsI42ayIzERGr
               lLkO4YF4kC52LZj/wo3UlYq8ERMyH6tLnD4j/aFy4bqYAco89H43DBDAq59DTcM6
               2tF+VzTNaANI4bvOTnjMTmLEJ4zRDUnb9vkAX3v3AoGAQtjVUyz16waagrMQjt4x
               /S23+ABkWdvMnEh92bvtXXRnk60Rpz+P6abFDTL1rRwCgslWzxYr+hO0dmkGejn0
               mC8tXUx+ZAo1C5iaK0pcCSTD1LCLy1qjh4GutPn+HC4z1b27Ag9ipxEppg0NFWqS
               a+WBCKze5VgyHpJm0pJAzgUCgYASs6tMyRUyonKSUmevM+wcv93xlbpERdVYphYQ
               ECYZ3CfYOzirMq4p7HxSHSMGOwJH15j37N2DYtv5QsFrQMKL1KFvo6liUYzCp9yq
               mcs+3gVjELieEHi1Mh2QUW51RXIQgyvALYxeCMCz/ng0uCqGKOy9iVK7pXoVdUu7
               GZ/7UwKBgQDcgSKcRk17AZ5w6cTGV+POpTnHCwq8cC37t8YBRLBqXgbQObVGViYp
               D+t2DZeZ22VQCXbyBE8NTMi/9c+Zo+uguAe8tzroxhAP9uzsHw6qTb7QHQHZ/CPK
               wBkBi92ZelIXkby0L8ljdQKEDbhPc8MBpinoIQgJurbZvdvS9zhjuljLssw==
               -----END RSA PRIVATE KEY-----
           known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDsskzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
       alertmanager:
           config:
               global:
                   slack_api_url: https://hooks.slack.com     ##change the slack api url
                   resolve_timeout: 5m
               route:
                   group_by:
                       - alertname
                   group_wait: 30s
                   receiver: slack-notification
                   group_interval: 5m
                   repeat_interval: 10m
                   routes:
                       - receiver: slack-notification
                         match_re:
                           severity: warning|critical
                         continue: true
                       - receiver: email-notification
                         match:
                           severity: critical
               receivers:
                   - name: slack-notification
                     slack_configs:
                       - channel: '<slack-channel>'     ##change the slack channel name 
                         send_resolved: true
                         username: Alertmanager
                         title: |
                           [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .CommonLabels.alertname }}
                         text: |-
                           {{ range .Alerts -}}
                           {{- "\n" -}}
                           *Alert:* {{ .Annotations.summary }}
                           {{ if .Labels.severity }}*Severity:* `{{ .Labels.severity }}`{{ end }}
                           *Cluster:* {{ .Labels.cluster }}
                           *Details:*
                           {{ .Annotations.description }}
                           {{ end }}
                         color: |-
                           {{ if eq .Status "firing" -}}
                             {{ if eq .CommonLabels.severity "warning" -}}
                               warning
                             {{- else if eq .CommonLabels.severity "critical" -}}
                               danger
                             {{- else -}}
                               #439FE0
                             {{- end -}}
                           {{ else -}}
                             good
                           {{- end }}
                   - name: email-notification
                     email_configs:
                       - to: <Email ID>    ##change the Email ID to get the alert in the Email
                         from: <Email ID>
                         smarthost: smtp.gmail.com:587
                         auth_username: <Email ID>           # Ex: [email protected]
                         auth_password: <Password>           # Ex: mujp cgjj fhdv wieu
                         send_resolved: true
                         headers:
                           subject: |
                               [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .CommonLabels.cluster }} - {{ .CommonLabels.alertname }}
                         html: |-
                           <html>
                           <head>
                           <title>Alert!</title>
                           </head>
                           <body>
                           {{ range .Alerts }}
                           <ul>
                           <li> <b>Alert Name:</b> {{ .Labels.alertname }} </li>
                           <li> <b>Severity:</b> {{ if eq .Labels.severity "critical" }}<b style="color:red;">CRITICAL</b>{{ else if eq .Labels.severity "warning" }}<b style="color:orange;">WARNING</b>{{ else }}<b>{{ .Labels.severity | toUpper }}</b>{{ end }} </li>
                           <li> <b>Summary:-</b> {{ .Annotations.summary }} </li>
                           <li> <b>Cluster:-</b> {{ .Labels.cluster }} </li>
                           <li> <b>Details:</b>
                             <p style="margin-left: 20px; white-space: pre-wrap;"> {{ .Annotations.description }} </p>
                           </li>
                           </ul><br>
                           {{ end }}
                           </body></html>
                       

Create KMS Key & Configure SOPs

Follow the below steps to create a KMS key and configure SOPs for encryption and decryption.

1. Create IAM User & Attach Policies

  • Go to AWS Management Console.

  • Go to IAM and click Policies on the left-hand side of the toolbar.

  • Click Create Policy and then press Next. Click on JSON add the below policy and click Next.

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Sid": "AllowCreateRole",

           "Effect": "Allow",

           "Action": "iam:CreateRole",

           "Resource": "arn:aws:iam::349271159511:role/*"

       }

   ]

}
  • Give the name to the policy and Create Policy.

  • Now click on Users in the console on the left side.

  • Click Add User, provide the name of the specific user and click Next.

  • In permission options click Attach Policies directly. Select Administration Access, AWSKeyManagementServicePoweruser and also attach the policy which you have created in the previous steps and then click Next.

  • Verify the name of the user and the 3 policies attached or not and then click Create User.

2. Create KMS Key

  • Go to AWS Management Console.

  • Go to KMS and Custom Managed Keys. Click Create Key.

  • In Configure Key, use the default options and then click Next. Provide Name in alias and the give the administrator access to the IAM user created in the previous step. Select the users to give permissions to encrypt and decrypt using this key and then click Next.

  • Attach the below policy in the key policy and then click finish. Make sure to provide the IAM user you created in the below-highlighted placeholder.

{

   "Version": "2012-10-17",

   "Id": "key-consolepolicy-3",

   "Statement": [

       {

           "Sid": "Enable IAM User Permissions",

           "Effect": "Allow",

           "Principal": {

               "AWS": "arn:aws:iam::349271159511:root"

           },

           "Action": "kms:*",

           "Resource": "*"

       },

       {

           "Sid": "Allow access for Key Administrators",

           "Effect": "Allow",

           "Principal": {

               "AWS": "arn:aws:iam::349271159511:role/aws-reserved/sso.amazonaws.com/ap-south-1/AWSReservedSSO_AdministratorAccess_3b9b4bb9eebf66ac"

           },

           "Action": [

               "kms:Create*",

               "kms:Describe*",

               "kms:Enable*",

               "kms:List*",

               "kms:Put*",

               "kms:Update*",

               "kms:Revoke*",

               "kms:Disable*",

               "kms:Get*",

               "kms:Delete*",

               "kms:TagResource",

               "kms:UntagResource",

               "kms:ScheduleKeyDeletion",

               "kms:CancelKeyDeletion"

           ],

           "Resource": "*"

       },

       {

           "Sid": "Allow use of the key",

           "Effect": "Allow",

           "Principal": {

               "AWS": "arn:aws:iam::349271159511:user/<IAM USER>"

           },

           "Action": [

               "kms:Decrypt",

               "kms:DescribeKey"

           ],

           "Resource": "arn:aws:kms:ap-south-1:349271159511:key/29adbf26-7b85-4469-8c9e-f8050fd19a8e"

       },

       {

           "Sid": "Allow attachment of persistent resources",

           "Effect": "Allow",

           "Principal": {

               "AWS": "arn:aws:iam::349271159511:role/aws-reserved/sso.amazonaws.com/ap-south-1/AWSReservedSSO_AdministratorAccess_3b9b4bb9eebf66ac"

           },

           "Action": [

               "kms:CreateGrant",

               "kms:ListGrants",

               "kms:RevokeGrant"

           ],

           "Resource": "*",

           "Condition": {

               "Bool": {

                   "kms:GrantIsForAWSResource": "true"

               }

           }

       }

   ]

}
  • Copy the arn value after creating the KMS Key.

3. Placing the KMS arn value in the deployment manifest file

  • Go to the below code and add the arn key in .sops.yaml file.

DIGIT-DevOps/blob/DIGIT-2.9LTS-monitoring/deploy-as-code/charts/.sops.yaml
  • Next, cd to deploy-as-code and run the below command.

sops --encrypt --in-place charts/env-secrets.yaml
  • Now to see the encrypted secrets. We can decrypt the secrets using the below command.

sops -d environments/env-secrets.yaml

Last updated

Was this helpful?