diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile
index 31ca37f55..761ef04b9 100644
--- a/Dockerfiles/nginx.Dockerfile
+++ b/Dockerfiles/nginx.Dockerfile
@@ -169,7 +169,7 @@ RUN set -x ; \
 zlib-dev \
 ; \
 \
- mkdir -p /usr/src/nginx-auth-ldap /usr/src/ngx_http_substitutions_filter_module /www /www/logs/nginx ; \
+ mkdir -p /usr/src/nginx-auth-ldap /usr/src/ngx_http_substitutions_filter_module /www /www/logs/nginx /var/log/nginx ; \
 tar -zxC /usr/src -f /nginx.tar.gz ; \
 tar -zxC /usr/src/nginx-auth-ldap --strip=1 -f /nginx-auth-ldap.tar.gz ; \
 tar -zxC /usr/src/ngx_http_substitutions_filter_module --strip=1 -f /ngx_http_substitutions_filter_module-master.tar.gz ; \
diff --git a/kubernetes/01-volumes.yml b/kubernetes/01-volumes.yml
index 0f9ddf71d..a1256f0a8 100644
--- a/kubernetes/01-volumes.yml
+++ b/kubernetes/01-volumes.yml
@@ -170,6 +170,49 @@ spec:
 storage: 50Gi
 volumeName: config-volume
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: runtime-logs-volume
+ namespace: malcolm
+ labels:
+ namespace: malcolm
+spec:
+ capacity:
+ storage: 50Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: nfs
+ mountOptions:
+ - nfsvers=4.1
+ - soft
+ - noac
+ - timeo=600
+ - retrans=2
+ nfs:
+ path: /malcolm/runtime-logs
+ server: 10.9.0.226
+ readOnly: false
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: runtime-logs-claim
+ namespace: malcolm
+spec:
+ storageClassName: nfs
+ accessModes:
+ - ReadWriteMany
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 50Gi
+ volumeName: runtime-logs-volume
+
 ---
 apiVersion: v1
 kind: PersistentVolume
diff --git a/kubernetes/12-filebeat.yml b/kubernetes/12-filebeat.yml
index febbf27b0..31c6c9e9c 100644
--- a/kubernetes/12-filebeat.yml
+++ b/kubernetes/12-filebeat.yml
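Review bot: The new `runtime-logs-volume` PersistentVolume in kubernetes/01-volumes.yml carries no `claimRef`, so until `runtime-logs-claim` binds it, another claim asking for the `nfs` class with a compatible size and access mode could bind it first; PersistentVolumes are cluster-scoped, and the `namespace: malcolm` under `metadata` does not restrict that. Since this export will hold the nginx access and error logs, reserve it under `spec` with `claimRef: {namespace: malcolm, name: runtime-logs-claim}`. The `soft` entry in `mountOptions` also deserves a comment or a second look: on a soft NFS mount a timed-out write is returned as an error instead of being retried indefinitely, so log lines can be lost during network trouble. The `volumeName: config-volume` context line suggests the existing volumes are declared the same way, so the point may apply to them as well.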
@@ -76,7 +76,9 @@ spec:
 name: filebeat-zeek-volume
 - mountPath: "/suricata"
 name: filebeat-suricata-volume
- # TODO: live nginx-logs from nginx-proxy container
+ - name: filebeat-nginx-runtime-logs-volume
+ mountPath: /nginx
+ subPath: "nginx"
 volumes:
 - name: filebeat-var-local-catrust-volume
 configMap:
@@ -93,3 +95,7 @@ spec:
 - name: filebeat-suricata-volume
 persistentVolumeClaim:
 claimName: suricata-claim
+ - name: filebeat-nginx-runtime-logs-volume
+ persistentVolumeClaim:
+ readOnly: true
+ claimName: runtime-logs-claim
\ No newline at end of file
diff --git a/kubernetes/99-nginx-proxy.yml b/kubernetes/99-nginx-proxy.yml
index e4696de71..e193bc757 100644
--- a/kubernetes/99-nginx-proxy.yml
+++ b/kubernetes/99-nginx-proxy.yml
@@ -86,6 +86,9 @@ spec:
 subPath: "auth"
 - name: nginx-etc-auth-default-volume
 mountPath: /tmp/auth/default/configmap
+ - name: nginx-runtime-logs-volume
+ mountPath: /var/log/nginx
+ subPath: "nginx"
 volumes:
 - name: nginx-etc-nginx-volume
 configMap:
@@ -107,4 +110,7 @@ spec:
 claimName: config-claim
 - name: nginx-etc-auth-default-volume
 configMap:
- name: etc-nginx-auth
\ No newline at end of file
+ name: etc-nginx-auth
+ - name: nginx-runtime-logs-volume
+ persistentVolumeClaim:
+ claimName: runtime-logs-claim
\ No newline at end of file
diff --git a/nginx/scripts/docker_entrypoint.sh b/nginx/scripts/docker_entrypoint.sh
index 95a7dd83a..4d96735d7 100755
--- a/nginx/scripts/docker_entrypoint.sh
+++ b/nginx/scripts/docker_entrypoint.sh
@@ -244,5 +244,7 @@ if [[ ! -f /etc/nginx/auth/htpasswd ]] && [[ -f /tmp/auth/default/htpasswd ]]; t
 rm -rf /tmp/auth/* || true
 fi
+rm -rf /var/log/nginx/* || true
+
 # start supervisor (which will spawn nginx, stunnel, etc.) or whatever the default command is
 exec "$@"
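Review bot: In the first hunk of kubernetes/12-filebeat.yml the new mount entry is written `name` first with an unquoted `mountPath: /nginx`, while the neighbouring entries put a quoted path first (`- mountPath: "/suricata"` followed by `name:`); matching them keeps the list uniform. Read-only access is enforced only through `readOnly: true` on the `persistentVolumeClaim` source in the second hunk, so I would also add `readOnly: true` to the volumeMount itself, where the path is declared. A short comment such as `# nginx access/error logs written by the nginx-proxy pod (read-only here)` would usefully replace the removed TODO. The container spec starts and ends outside both hunks.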
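Review bot: The added `rm -rf /var/log/nginx/* || true` in nginx/scripts/docker_entrypoint.sh runs on every container start, and with the 99-nginx-proxy.yml hunks mounting `runtime-logs-claim` at `/var/log/nginx` it now deletes the persisted access and error logs each time the pod restarts, including lines filebeat may not have shipped yet. A crash loop or a forced restart therefore erases the proxy's audit trail, which works against putting the logs on a persistent volume. If the aim is only to clear stale files, prefer rotation or age-based cleanup, for example `find /var/log/nginx -type f -mtime +7 -delete || true` (the 7-day window is an illustrative value), and add a comment saying why the directory is cleaned. The rest of the entrypoint lies outside the hunk, so the reason for the wipe may be explained there.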