gerrit-monitoring/documentation/config-management.md

# Config Management

The configuration in the `config.yaml` contains secrets and should not be openly
accessible. To secure the data contained within it, the values can be encrypted
using a tool called [`sops`](https://github.com/mozilla/sops). This tool will use
a GPG-key to encrypt the values of the yaml file. Having the PGP-key also allows
to decrypt the values and work with the file. As long as the key is not compromised,
the encrypted file can be shared securly between collaborators.

The process of using `sops` is described below.

## Install `sops`

On OSX, `sops` can be installed using brew:

```sh
brew install sops
```

Install `gpg`:

```sh
brew install gpg
```

You might need to add this to your `.bashrc` or `.zshrc` to enable `sops` to work
correctly with `gpg` [1]:

```sh
GPG_TTY=$(tty)
export GPG_TTY
```

## Create GPG-key (first time only)

Create a key by running the following command and following the instructions on
the screen:

```sh
gpg --gen-key
```

## Encrypt the config-file

Run the following command to encode the file:

```sh
sops \
  --encrypt \
  --in-place \
  --encrypted-regex '(password|htpasswd|cert|key|apiUrl|caCert|secret|accessToken)$' \
  --pgp \
    `gpg --fingerprint "$EMAIL" | \
     grep pub -A 1 | \
     grep -v pub | \
     sed s/\ //g` \
  $FILE_TO_ENCODE
```

`$EMAIL` refers to the email used during the creation of the GPG key.

Alternatively, the `gerrit-monitoring.py encrypt`-script can be used to encrypt
the file:

```sh
pipenv run python ./gerrit-monitoring.py \
  --config config.yaml \
  encrypt \
  --pgp "abcde1234"
```

The gpg-key used to encrypt the file can be selected by giving the fingerprint,
key ID or part of the unique ID to the `--pgp`-argument. This identifier has to
be unique among the keys in the GPG keystore.

## Decrypt file

To decrypt the file, run:

```sh
sops --in-place -d $FILE_TO_DECODE
```

## Export GPG-key

For other developers or build servers to be able to decrypt the configuration,
the key has to be exported:

```sh
gpg --export -a "$EMAIL" > public.key
gpg --export-secret-key -a "$EMAIL" > private.key
```

On the receiving computer the key has to be imported by running:

```sh
gpg --import public.key
gpg --allow-secret-key-import --import private.key
```

## Links

[1] https://github.com/mozilla/sops/issues/304
Move internal project to open source This change adds the current status of a project that aims to create a simple monitoring setup to monitor Gerrit servers, which was developed internally at SAP. The project provides an opinionated and basic configuration for helm charts that can be used to install Loki, Prometheus and Grafana on a Kubernetes cluster. Scripts to easily apply the configuration and install the whole setup are provided as well. The contributions so far were done by (with number of commits) 80 Thomas Draebing 11 Matthias Sohn 2 Saša Živkov Change-Id: I8045780446edfb3c0dc8287b8f494505e338e066 2020-03-11 12:46:52 +00:00			`# Config Management`

			The configuration in the `config.yaml` contains secrets and should not be openly
			`accessible. To secure the data contained within it, the values can be encrypted`
			using a tool called [`sops`](https://github.com/mozilla/sops). This tool will use
			`a GPG-key to encrypt the values of the yaml file. Having the PGP-key also allows`
			`to decrypt the values and work with the file. As long as the key is not compromised,`
			`the encrypted file can be shared securly between collaborators.`

			The process of using `sops` is described below.

			## Install `sops`

			On OSX, `sops` can be installed using brew:

			```sh
			`brew install sops`
			```

			Install `gpg`:

			```sh
			`brew install gpg`
			```

			You might need to add this to your `.bashrc` or `.zshrc` to enable `sops` to work
			correctly with `gpg` [1]:

			```sh
			`GPG_TTY=$(tty)`
			`export GPG_TTY`
			```

			`## Create GPG-key (first time only)`

			`Create a key by running the following command and following the instructions on`
			`the screen:`

			```sh
			`gpg --gen-key`
			```

			`## Encrypt the config-file`

			`Run the following command to encode the file:`

			```sh
			`sops \`
			`--encrypt \`
			`--in-place \`
Use object store to store chunks created by Loki The chunks created by Loki were stored in a persistent volume. This does not scale well, since volumes cannot easily be resized in Kubernetes. Also, at least the ext4-filesystem had issues, when large numbers of logs were saved. These issues are due to the dir_index as discussed in [1]. An object store provides a more scalable and cheaper solution. Loki supports S3 as an object storage and also other object stores that understand the S3 API like Ceph or OpenStack Swift. [1] https://github.com/grafana/loki/issues/1502 Change-Id: Id55095c3b6659f40708712c1a494753dbcab7686 2020-03-19 08:55:18 +00:00			`--encrypted-regex '(password\|htpasswd\|cert\|key\|apiUrl\|caCert\|secret\|accessToken)$' \`
Move internal project to open source This change adds the current status of a project that aims to create a simple monitoring setup to monitor Gerrit servers, which was developed internally at SAP. The project provides an opinionated and basic configuration for helm charts that can be used to install Loki, Prometheus and Grafana on a Kubernetes cluster. Scripts to easily apply the configuration and install the whole setup are provided as well. The contributions so far were done by (with number of commits) 80 Thomas Draebing 11 Matthias Sohn 2 Saša Živkov Change-Id: I8045780446edfb3c0dc8287b8f494505e338e066 2020-03-11 12:46:52 +00:00			`--pgp \`
			`gpg --fingerprint "$EMAIL" \| \
			`grep pub -A 1 \| \`
			`grep -v pub \| \`
			sed s/\ //g` \
			`$FILE_TO_ENCODE`
			```

			`$EMAIL` refers to the email used during the creation of the GPG key.

Rewrite the scripts in python The scripts were written in bash. Using bash became quite unwieldy. Python by nature can deal well with yaml and is thus better suited in dealing with the yaml-based configuration files. This change rewrites the original scripts staying as close as possible to the original ones. Right now, the python scripts call subprocesses a lot to work with the tools, which were already used before. At least for yaml- templating there may be better tools that have a python integration, which could be used in the future. Change-Id: Ida16318445a05dcfdada9c7a56a391e4827f02e7 2020-03-13 08:39:41 +00:00			Alternatively, the `gerrit-monitoring.py encrypt`-script can be used to encrypt
			`the file:`
Move internal project to open source This change adds the current status of a project that aims to create a simple monitoring setup to monitor Gerrit servers, which was developed internally at SAP. The project provides an opinionated and basic configuration for helm charts that can be used to install Loki, Prometheus and Grafana on a Kubernetes cluster. Scripts to easily apply the configuration and install the whole setup are provided as well. The contributions so far were done by (with number of commits) 80 Thomas Draebing 11 Matthias Sohn 2 Saša Živkov Change-Id: I8045780446edfb3c0dc8287b8f494505e338e066 2020-03-11 12:46:52 +00:00
			```sh
Rewrite the scripts in python The scripts were written in bash. Using bash became quite unwieldy. Python by nature can deal well with yaml and is thus better suited in dealing with the yaml-based configuration files. This change rewrites the original scripts staying as close as possible to the original ones. Right now, the python scripts call subprocesses a lot to work with the tools, which were already used before. At least for yaml- templating there may be better tools that have a python integration, which could be used in the future. Change-Id: Ida16318445a05dcfdada9c7a56a391e4827f02e7 2020-03-13 08:39:41 +00:00			`pipenv run python ./gerrit-monitoring.py \`
			`--config config.yaml \`
			`encrypt \`
			`--pgp "abcde1234"`
Move internal project to open source This change adds the current status of a project that aims to create a simple monitoring setup to monitor Gerrit servers, which was developed internally at SAP. The project provides an opinionated and basic configuration for helm charts that can be used to install Loki, Prometheus and Grafana on a Kubernetes cluster. Scripts to easily apply the configuration and install the whole setup are provided as well. The contributions so far were done by (with number of commits) 80 Thomas Draebing 11 Matthias Sohn 2 Saša Živkov Change-Id: I8045780446edfb3c0dc8287b8f494505e338e066 2020-03-11 12:46:52 +00:00			```

Rewrite the scripts in python The scripts were written in bash. Using bash became quite unwieldy. Python by nature can deal well with yaml and is thus better suited in dealing with the yaml-based configuration files. This change rewrites the original scripts staying as close as possible to the original ones. Right now, the python scripts call subprocesses a lot to work with the tools, which were already used before. At least for yaml- templating there may be better tools that have a python integration, which could be used in the future. Change-Id: Ida16318445a05dcfdada9c7a56a391e4827f02e7 2020-03-13 08:39:41 +00:00			`The gpg-key used to encrypt the file can be selected by giving the fingerprint,`
			key ID or part of the unique ID to the `--pgp`-argument. This identifier has to
			`be unique among the keys in the GPG keystore.`
Move internal project to open source This change adds the current status of a project that aims to create a simple monitoring setup to monitor Gerrit servers, which was developed internally at SAP. The project provides an opinionated and basic configuration for helm charts that can be used to install Loki, Prometheus and Grafana on a Kubernetes cluster. Scripts to easily apply the configuration and install the whole setup are provided as well. The contributions so far were done by (with number of commits) 80 Thomas Draebing 11 Matthias Sohn 2 Saša Živkov Change-Id: I8045780446edfb3c0dc8287b8f494505e338e066 2020-03-11 12:46:52 +00:00
			`## Decrypt file`

			`To decrypt the file, run:`

			```sh
			`sops --in-place -d $FILE_TO_DECODE`
			```

			`## Export GPG-key`

			`For other developers or build servers to be able to decrypt the configuration,`
			`the key has to be exported:`

			```sh
			`gpg --export -a "$EMAIL" > public.key`
			`gpg --export-secret-key -a "$EMAIL" > private.key`
			```

			`On the receiving computer the key has to be imported by running:`

			```sh
			`gpg --import public.key`
			`gpg --allow-secret-key-import --import private.key`
			```

			`## Links`

			`[1] https://github.com/mozilla/sops/issues/304`