feat!: switch from promtail to vector (#724)

## Description

BREAKING CHANGE: Noting this as a breaking change as Promtail is removed
and replaced by Vector. If using overrides to setup additional log
targets/endpoints this configuration will need to be updated to Vector's
chart/config formats.

Primary docs on rationale, decision, and impact of this switch are
[here](https://github.com/defenseunicorns/uds-core/blob/vector-add/src/vector/README.md).

## Related Issue

Fixes #377

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

.github/filters.yaml

@@ -73,8 +73,8 @@ prometheus-stack:
   - "!**/*.gif"
   - "!**/*.svg"
 
-promtail:
-  - "src/promtail/**"
+vector:
+  - "src/vector/**"
   - "!**/*.md"
   - "!**/*.jpg"
   - "!**/*.png"

.vscode/settings.json

@@ -12,7 +12,6 @@
     "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/uds.schema.json": [
       "uds-bundle.yaml"
     ],
-
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
     "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/tasks.schema.json": [
       "tasks.yaml",
@@ -37,7 +36,6 @@
     "MITM",
     "neuvector",
     "opensource",
-    "promtail",
     "Quarkus",
     "Quickstart",
     "seccomp",
@@ -47,7 +45,7 @@
   "cSpell.enabled": true,
   "[typescript]": {
     "editor.codeActionsOnSave": {
-        "source.organizeImports": "always"
+      "source.organizeImports": "always"
     }
   },
 }

CHANGELOG.md

@@ -972,5 +972,5 @@ PRE RELEASE
 - CONTRIBUTING.md
 - DEVELOPMENT_MAINTENANCE.md
 - LICENSE
-- READEME.md
+- README.md
 - zarf.yaml

README.md

@@ -17,7 +17,7 @@ UDS Core establishes a secure baseline for cloud-native systems and ships with c
 - [Neuvector](https://open-docs.neuvector.com/) - Container Security
 - [Pepr](https://pepr.dev) - UDS policy engine & operator
 - [Prometheus Stack](https://github.com/prometheus-operator/kube-prometheus) - Monitoring
-- [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) - Log Aggregation
+- [Vector](https://vector.dev/) - Log Aggregation
 - [Velero](https://velero.io/) - Backup & Restore
 - [UDS Runtime](https://github.com/defenseunicorns/uds-runtime) - Frontend Views & Insights
 

compliance/oscal-component.yaml

@@ -19,7 +19,7 @@ component-definition:
     - href: 'file://./../src/loki/oscal-component.yaml'
     - href: 'file://./../src/neuvector/oscal-component.yaml'
     - href: 'file://./../src/prometheus-stack/oscal-component.yaml'
-    - href: 'file://./../src/promtail/oscal-component.yaml'
+    - href: 'file://./../src/vector/oscal-component.yaml'
     - href: 'file://./../src/velero/oscal-component.yaml'
 
   capabilities:

docs/application-baseline.md

@@ -18,7 +18,7 @@ For optimal deployment and operational efficiency, it is important to deliver a
 | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | **Service Mesh**                   | **[Istio](https://istio.io/):** A powerful service mesh that provides traffic management, load balancing, security, and observability features.                                                                                                                                                                                                                       |
 | **Monitoring**                     | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters. Metrics server is an optional (non-default) component since most Kubernetes distros provide it by default.<br><br>**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.<br><br> **[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. |
-| **Logging**                        | **[Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/):** A companion agent that efficiently gathers and sends container logs to Loki, simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.<br><br> **[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. |
+| **Logging**                        | **[Vector](https://vector.dev/):** A companion agent that efficiently gathers and sends container logs to Loki and other storage locations (S3, SIEM tools, etc), simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.<br><br> **[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. |
 | **Security and Compliance**        | **[NeuVector](https://open-docs.neuvector.com/):** Offers container-native security, protecting applications against threats and vulnerabilities.<br><br> **[Pepr](https://pepr.dev/):** UDS policy engine and operator for enhanced security and compliance.|
 | **Identity and Access Management** | **[Keycloak](https://www.keycloak.org/):** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources.|
 | **Backup and Restore**             | **[Velero](https://velero.io/):** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery.|

docs/configuration/resource-configuration-and-ha.md

@@ -72,9 +72,19 @@ packages:
 
 ## Logging
 
-### Promtail
+### Vector
 
-By default Promtail runs as a daemonset, automatically scaling across all nodes to ensure logs are captured from each host. Typically Promtail does not need any other modifications, but you can customize its resource configuration by overriding the `resources` helm value (using the component and chart name of `promtail`).
+By default Vector runs as a daemonset, automatically scaling across all nodes to ensure logs are captured from each host. Typically Vector does not need any other modifications, but you can customize its resource configuration by overriding the `resources` helm value (using the component and chart name of `vector`). Vector recommends the below resourcing when running in production:
+
+```yaml
+resources:
+  requests:
+    memory: "64Mi"
+    cpu: "500m"
+  limits:
+    memory: "1024Mi"
+    cpu: "6000m"
+```
 
 ### Loki
 

packages/standard/zarf.yaml

@@ -76,11 +76,11 @@ components:
     import:
       path: ../../src/prometheus-stack
 
-  # Promtail
-  - name: promtail
+  # Vector
+  - name: vector
     required: true
     import:
-      path: ../../src/promtail
+      path: ../../src/vector
 
   # Grafana
   - name: grafana

renovate.json

@@ -23,9 +23,9 @@
       "commitMessageTopic": "istio"
     },
     {
-      "matchFileNames": ["src/promtail/**"],
-      "groupName": "promtail",
-      "commitMessageTopic": "promtail"
+      "matchFileNames": ["src/vector/**"],
+      "groupName": "vector",
+      "commitMessageTopic": "vector"
     },
     {
       "matchFileNames": ["src/velero/**"],

src/grafana/values/values.yaml

@@ -22,6 +22,9 @@ grafana.ini:
     reporting_enabled: false
     check_for_updates: false
     check_for_plugin_updates: false
+    feedback_links_enabled: false
+  plugins:
+    public_key_retrieval_disabled: true
   auth:
     # Disable the login form to force users to use SSO
     disable_login_form: true

src/istio/oscal-component.yaml

@@ -539,7 +539,7 @@ component-definition:
                 # Expected values
                 expected_istiod_port := 15012
                 expected_istiod_protocol := "TCP"
-                required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"}
+                required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero"}
 
                 # Validate NetworkPolicy for Istiod in required namespaces
                 validate {

src/loki/chart/templates/uds-package.yaml

@@ -36,12 +36,12 @@ spec:
       - direction: Ingress
         selector:
           app.kubernetes.io/name: loki
-        remoteNamespace: promtail
+        remoteNamespace: vector
         remoteSelector:
-          app.kubernetes.io/name: promtail
+          app.kubernetes.io/name: vector
         ports:
           - 8080
-        description: "Promtail Log Storage"
+        description: "Vector Log Storage"
 
       # Egress for S3 connections
       - direction: Egress

src/pepr/operator/controllers/exemptions/exemptions.spec.ts

@@ -20,13 +20,13 @@ const prometheusMatcher = {
   name: "^neuvector-prometheus-exporter-pod.*",
   kind: MatcherKind.Pod,
 };
-const promtailMatcher = { namespace: "promtail", name: "^promtail-.*", kind: MatcherKind.Pod };
+const vectorMatcher = { namespace: "vector", name: "^vector-.*", kind: MatcherKind.Pod };
 const exemption1UID = "exemption-1-uid";
 const exemption2UID = "exemption-2-uid";
 const storedEnforcerMatcher = { ...enforcerMatcher, owner: exemption1UID };
 const storedControllerMatcher = { ...controllerMatcher, owner: exemption1UID };
 const storedPrometheusMatcher = { ...prometheusMatcher, owner: exemption1UID };
-const storedPromtailMatcher = { ...promtailMatcher, owner: exemption2UID };
+const storedVectorMatcher = { ...vectorMatcher, owner: exemption2UID };
 const neuvectorMockExemption = {
   metadata: {
     uid: exemption1UID,
@@ -90,7 +90,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => {
     // remove RequireNonRootUser from enforcerMatcher
     // remove prometheusMatcher
     // add DisallowHostNamespaces to controllerMatcher
-    // add promtailMatcher with RequireNonRootUser
+    // add vectorMatcher with RequireNonRootUser
     const updatedNeuvectorExemption = {
       metadata: {
         uid: exemption1UID,
@@ -110,7 +110,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => {
             ],
           },
           {
-            matcher: promtailMatcher,
+            matcher: vectorMatcher,
             policies: [Policy.RequireNonRootUser],
           },
         ],
@@ -120,7 +120,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => {
     processExemptions(neuvectorMockExemption, WatchPhase.Added);
     processExemptions(updatedNeuvectorExemption, WatchPhase.Modified);
     expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([
-      { ...storedPromtailMatcher, owner: exemption1UID },
+      { ...storedVectorMatcher, owner: exemption1UID },
     ]);
     expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([
       storedEnforcerMatcher,
@@ -360,14 +360,14 @@ describe("Test processExemptions(); phase DELETED", () => {
   });
 
   it("Does not remove exemptions set by separate CR from the one being deleted", async () => {
-    const promtailMockExemption = {
+    const vectorMockExemption = {
       metadata: {
         uid: exemption2UID,
       },
       spec: {
         exemptions: [
           {
-            matcher: promtailMatcher,
+            matcher: vectorMatcher,
             policies: [
               Policy.DisallowPrivileged,
               Policy.DropAllCapabilities,
@@ -379,12 +379,12 @@ describe("Test processExemptions(); phase DELETED", () => {
     } as Exemption;
 
     processExemptions(neuvectorMockExemption, WatchPhase.Added);
-    processExemptions(promtailMockExemption, WatchPhase.Added);
+    processExemptions(vectorMockExemption, WatchPhase.Added);
     processExemptions(neuvectorMockExemption, WatchPhase.Deleted);
 
-    expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedPromtailMatcher]);
-    expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedPromtailMatcher]);
-    expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([storedPromtailMatcher]);
+    expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedVectorMatcher]);
+    expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedVectorMatcher]);
+    expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([storedVectorMatcher]);
   });
 
   it("Does not delete duplicate exemptions if set by separate CRs", async () => {
@@ -448,43 +448,43 @@ describe("Test processExemptions(); phase DELETED", () => {
       },
     } as Exemption;
 
-    const promtailMockExemption = {
+    const vectorMockExemption = {
       metadata: {
         uid: exemption2UID,
       },
       spec: {
         exemptions: [
           {
-            matcher: promtailMatcher,
+            matcher: vectorMatcher,
             policies: [Policy.DisallowPrivileged],
           },
         ],
       },
     } as Exemption;
 
-    const promtailUpdatedMockExemption = {
+    const vectorUpdatedMockExemption = {
       metadata: {
         uid: exemption2UID,
       },
       spec: {
         exemptions: [
           {
-            matcher: promtailMatcher,
+            matcher: vectorMatcher,
             policies: [Policy.DisallowPrivileged, Policy.RequireNonRootUser],
           },
         ],
       },
     } as Exemption;
 
     processExemptions(neuvectorMockExemption, WatchPhase.Added);
-    processExemptions(promtailMockExemption, WatchPhase.Added);
-    processExemptions(promtailUpdatedMockExemption, WatchPhase.Modified);
+    processExemptions(vectorMockExemption, WatchPhase.Added);
+    processExemptions(vectorUpdatedMockExemption, WatchPhase.Modified);
 
     expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([
       storedEnforcerMatcher,
-      storedPromtailMatcher,
+      storedVectorMatcher,
     ]);
     expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedEnforcerMatcher]);
-    expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedPromtailMatcher]);
+    expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedVectorMatcher]);
   });
 });

src/pepr/policies/exemptions/index.spec.ts

@@ -34,7 +34,7 @@ describe("test registering exemptions", () => {
     const req = {
       Raw: {
         metadata: {
-          name: "promtail",
+          name: "vector",
           namespace: "monitoring",
         },
       },

src/pepr/zarf.yaml

@@ -52,31 +52,20 @@ components:
     actions:
       onDeploy:
         before:
-          - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
-            mute: true
-          - cmd: ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
-            mute: true
+          - mute: true
+            description: "Update helm ownership for Pepr resources if necessary during the upgrade"
+            cmd: |
+              ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+              ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true