ROSA-12691 New Feature: Log Forwarder

_topic_maps/_topic_map_rosa_hcp.yml

@@ -481,6 +481,8 @@ Distros: openshift-rosa-hcp
 Topics:
 - Name: Adding additional constraints for IP-based AWS role assumption
   File: rosa-adding-additional-constraints-for-ip-based-aws-role-assumption
+- Name: Forwarding control plane logs
+  File: rosa-forwarding-control-plane-logs
 ---
 Name: Authentication and authorization
 Dir: authentication

modules/rosa-create-an-iam-role-policy.adoc

@@ -0,0 +1,50 @@
+// Module included in the following assemblies:
+//
+// * security/rosa-forwarding-control-plane-logs.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-create-an-iam-role-policy_{context}"]
+= Creating an IAM role and policy
+
+[role="_abstract"]
+When you forward your logs to an Amazon CloudWatch group or S3 bucket, those locations exist outside your control plane. You must create an IAM role and policy so that your log forwarder has the right permissions and capabilities to send these logs to your chosen destination, CloudWatch or S3.
+
+[NOTE]
+====
+To use a CloudWatch group, you must create an IAM role and policy. To use an S3 bucket, you do not need an IAM role and policy. However, if you do not have an IAM role and policy created for the S3 bucket to use, then the encryption for the S3 bucket is limited to Amazon S3 managed keys, `SSE-S3`.
+====
+
+.Procedure
+
+. To enable the log forwarder delivery capability, prepare the IAM policy by creating an `assume-role-policy.json` file. Apply the following IAM policy sample: 
++
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::859037107838:role/ROSA-CentralLogDistributionRole-241c1a86"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
+----
++
+. To enable the log forwarder distribution capability, create an IAM role that must include the `CustomerLogDistribution` name by running the following command: 
++
+[source,terminal] 
+----
+$ aws iam create-role \
+    --role-name CustomerLogDistribution-RH \
+    --assume-role-policy-document file://assume-role-policy.json
+----
+
+.Next steps
+
+After you create an IAM role and policy, you must decide to send your control plane logs to either a CloudWatch log group, an S3 bucket, or both. See the following summary about CloudWatch and S3 to help you decide what you want to do: 
+
+* CloudWatch can help you when you have logs requiring immediate action or organization.  
+* S3 can help you when you have logs needing long-term storage or large-scale data analysis. 

modules/rosa-determine-log-groups.adoc

@@ -0,0 +1,79 @@
+// Module included in the following assemblies:
+//
+// * security/rosa-configuring-the-log-forwarder.adoc
+:_mod-docs-content-type: REFERENCE
+[id="rosa-determine-log-groups_{context}"]
+= Determining what log groups to use 
+
+[role="_abstract"]
+When you forward control plane logs to Amazon CloudWatch or S3, you must decide on what log groups you want to use. Because of the existing AWS pricing for the respective services, you can expect additional costs associated with forwarding and storing your logs in S3 and CloudWatch. When you determine what log group to use, consider these additional costs along with other factors, such as your log retention requirements.
+
+For each log group, you have access to different applications, and these applications can change depending on what you choose to enable and disable with your logs. 
+
+See the following table to help you decide what log groups you need before you begin to forward your control plane logs: 
+
+|====
+| Log group name| Benefit of that log group| Example applications available for that log group  
+
+| API  
+| Records every request made to the cluster. Helps security by detecting unauthorized access attempts.
+a| 
+* `audit-webhook`
+* `kube-apiserver`
+* `oauth-openshift`
+* `openshift-apiserver`
+* `openshift-oauth-apiserver`
+* `packageserver`
+* `validation-webhook`  
+
+| Authentication  
+| Tracks login attempts and requests for tokens. Helps security by recording authenticated user information.
+a| 
+* `ignition-server`
+* `konnectivity-agent`
+
+| Controller manager  
+| Monitors the controllers that manages the state of your clusters. Helps explain the difference among the different cluster states, for example, the `Current`, `Desired`, `Health`, and `Feature` state.
+a| 
+* `aws-ebs-csi-driver-controller`
+* `capi-provider-controller-manager`
+* `catalog-operator`
+* `cloud-controller-manager`
+* `cloud-credential-operator`
+* `cloud-network-config-controller`
+* `cluster-network-operator`
+* `cluster-node-tuning-operator`
+* `cluster-policy-controller`
+* `cluster-version-operator`
+* `control-plane-operator`
+* `control-plane-pki-operator`
+* `csi-snapshot-controller-operator`
+* `csi-snapshot-controller`
+* `dns-operator`
+* `hosted-cluster-config-operator`
+* `ingress-operator`
+* `kube-controller-manager`
+* `machine-approver`
+* `multus-admission-controller`
+* `network-node-identity`
+* `olm-operator`
+* `openshift-controller-manager`
+* `openshift-route-controller-manager`
+* `ovnkube-control-plane`   
+
+| Scheduler    
+| Records the placement of each pod on every node. Helps you understand why pods are in a `Running` or `Pending` state.
+a| 
+* `kube-scheduler`
+
+| Other  
+| Any log group different from `API`, `Authentication`, `Controller manager`, or `Scheduler`. Some other log groups include, `Application`, `Infrastructure`, `Audit`, `Kubernetes API server`, `OpenShift API server`, `OAuth API server`, and `Node`. 
+a| 
+* `certified-operators-catalog`
+* `cluster-api`
+* `community-operators-catalog`
+* `etcd`
+* `private-router`
+* `redhat-marketplace-catalog`
+* `redhat-operators-catalog`    
+|====

modules/rosa-manage-control-plane-log-forwarding.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * security/rosa-configuring-the-log-forwarder.adoc
+:_mod-docs-content-type: REFERENCE
+[id="rosa-manage-control-plane-log-forwarding_{context}"]
+= Managing control plane log forwarding 
+
+[role="_abstract"]
+After you configure the {product-title} clusters to use your selected log forwarder for control plane logs, see the following commands to run based on your specific needs. For all of these commands, you must provide the `clusterid` or cluster name in the `--cluster` flag:
+
+`rosa create log-forwarder -c <cluster_name|cluster_id>`:: Configures your {product-title} cluster to use the log forwarder. 
+`rosa list log-forwarder -c <cluster_name|cluster_id>`:: Displays all of the log forwarder configurations for a {product-title} cluster.
+`rosa describe log-forwarder -c <cluster_name|cluster_id> <log-fwd-id>`::  Provides more than the basic details for that specific log forwarder. 
+`rosa edit log-forwarder -c <cluster_name|cluster_id> <log-fwd-id>`:: Enables you to make changes to the log forwarder. With the edit functionality, you can make changes to the following log forwarder fields: groups, applications, and S3 and CloudWatch configurations, depending on type of configuration.  
+`rosa delete log-forwarder -c <cluster_name|cluster_id> <log-fwd-id>`:: Deletes the log forwarder configuration which stops your logs from being forwarded to your chosen destinations. Your logs are not automatically deleted. If you no longer want to store your logs in the S3 bucket or CloudWatch group, you can delete those specific logs. To make changes to the following log forwarder fields, use the delete functionality, then recreate these log forwarder fields, implementing your changes: ID, cluster ID, and the type for S3 and CloudWatch.  

modules/rosa-set-up-cloudwatch-log-group.adoc

@@ -0,0 +1,91 @@
+// Module included in the following assemblies:
+//
+// * security/rosa-forwarding-control-plane-logs.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-set-up-cloudwatch-log-group_{context}"]
+= Setting up the CloudWatch log group
+
+[role="_abstract"]
+If you have logs requiring immediate action or organization, set up an Amazon CloudWatch log group. 
+
+.Prerequisites
+
+* You have created an IAM role and policy. 
+
+.Procedure
+
+. Create the CloudWatch log group by running the following command: 
++
+[source,terminal]
+----
+$ aws logs create-log-group –log-group-name <your_log_group_name>
+----
++
+. In your {product-title} cluster, configure the log forwarder to use the CloudWatch log group by applying the following JSON sample:  
++
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CreatePutLogs",
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "<your_log_group_arn>:*"
+        },
+        {
+            "Sid": "DescribeLogs",
+            "Effect": "Allow",
+            "Action": [
+                "logs:DescribeLogGroups",
+                "logs:DescribeLogStreams"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
++
+. Attach the policy to the CloudWatch role by running the following command: 
++
+[source,terminal]
+----
+$ aws iam put-role-policy \
+    --role-name CustomerLogDistribution-RH \
+    --policy-name Allow-CloudWatch-Writes \
+    --policy-document file://cloudwatch-policy.json
+----
++
+. Configure your {product-title} cluster to forward logs to the CloudWatch log group by applying the following sample YAML list:  
++
+[source,yaml]
+----
+cloudwatch:
+  cloudwatch_log_role_arn: "arn:aws:iam::123456789012:role/RosaCloudWatch"
+  cloudwatch_log_group_name: "rosa-logs"
+  applications: 
+    - "<example_app1>"
+  groups: 
+    - "<example_group1>"
+----
+<example_app1>:: Add one or more applications. For a list of applications, see the table in "Determining what log groups to use".
+<example_group1>:: Add one or more of the following groups: `API`, `Authentication`, `Controller Manager`, `Scheduler`, and `Other`.
+. Enable the log forwarder to send logs to your {product-title} cluster. 
+.. To enable control plane log forwarding on a new cluster, include the log forwarding configuration by running the following command:  
++
+[source,terminal]
+----
+$ rosa create cluster --log-fwd-config="<path_to_file>.yaml"
+----
++
+.. To enable control plane log forwarding on an existing cluster, include the log forwarding configuration by running the following command:    
++
+[source,terminal]
+----
+$ rosa create log-forwarder -c <cluster> --log-fwd-config="<path_to_file>.yaml"
+----
+

modules/rosa-set-up-s3-bucket.adoc

@@ -0,0 +1,88 @@
+// Module included in the following assemblies:
+//
+// * security/rosa-forwarding-control-plane-logs.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-set-up-s3-bucket_{context}"]
+= Setting up the S3 bucket
+
+[role="_abstract"]
+If you have logs that need long-term storage or large-scale data analysis, set up an Amazon S3 bucket.
+
+.Prerequisites
+
+* If you want to prevent limitations for the managed keys for your S3 bucket, you must have created an IAM role and policy. 
+
+.Procedure
+
+. Create the S3 bucket by running the following command: 
++
+[source,terminal]
+----
+$ aws s3api create-bucket \
+    --bucket <your_s3_bucket_name> \
+    --region <your_aws_region> \
+    --create-bucket-configuration LocationConstraint=<cluster_aws_region>
+----
++
+. Configure the policy for the S3 bucket by applying the following S3 bucket policy sample:  
++
+[source,json]
+----
+ "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowCentralLogDistributionWrite",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::859037107838:role/ROSA-CentralLogDistributionRole-241c1a86"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::<your_s3_bucket_name>/*",
+            "Condition": {
+                "StringEquals": {
+                    "s3:x-amz-acl": "bucket-owner-full-control"
+                }
+            }
+        }
+    ]
+}
+----
++
+. Attach the policy to the S3 role by running the following command: 
++
+[source,terminal]
+----
+$ aws s3api put-bucket-policy \
+    --bucket <your_s3_bucket_name> \
+    --policy file://s3-bucket-policy.json
+----
++
+. Configure your {product-title} cluster to forward logs to the S3 bucket by applying the following sample YAML list:  
++
+[source,yaml]
+----
+s3:
+  s3_config_bucket_name: "my-log-bucket"
+  s3_config_bucket_prefix: "my-bucket-prefix"
+  applications: 
+    - "<example_app1>"
+  groups: 
+    - "<example_group1>"
+----
+<example_app1>:: Add one or more applications. For a list of applications, see the table in "Determining what log groups to use".
+<example_group1>:: Add one or more of the following groups: `API`, `Authentication`, `Controller Manager`, `Scheduler`, and `Other`.
+. Enable the log forwarder to send logs to your {product-title} cluster. 
+.. To enable control plane log forwarding on a new cluster, include the log forwarding configuration by running the following command:   
++
+[source,terminal]
+----
+$ rosa create cluster --log-fwd-config="<path_to_file>.yaml"
+----
++
+.. To enable control plane log forwarding on an existing cluster, include the log forwarding configuration by running the following command:    
++
+[source,terminal]
+----
+$ rosa create log-forwarder -c <cluster> --log-fwd-config="<path_to_file>.yaml"
+----
+

security/rosa-forwarding-control-plane-logs.adoc

@@ -0,0 +1,31 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-forwarding-control-plane-logs"]
+= Forwarding control plane logs
+
+include::_attributes/attributes-openshift-dedicated.adoc[]
+include::_attributes/common-attributes.adoc[]
+:context: rosa-configuring-the-log-forwarder
+
+toc::[]
+
+[role="_abstract"]
+With {product-title} you have a control plane log forwarder that is a separate system outside your cluster. You can use the control plane log forwarder to send your logs to either an Amazon CloudWatch group or Amazon S3 bucket, depending on your preference. 
+
+Since the {product-title} control plane log forwarder is a managed system, it does not contend for resources against your workloads on your worker nodes. 
+
+[id="prerequisites_{context}"]
+== Prerequisites
+
+* You have installed and configured the latest {rosa-cli} on your installation host.
+* You have installed and configured the latest {aws-first} command-line interface (CLI) on your installation host. 
+
+include::modules/rosa-determine-log-groups.adoc[leveloffset=+1]
+
+include::modules/rosa-create-an-iam-role-policy.adoc[leveloffset=+1]
+
+include::modules/rosa-set-up-cloudwatch-log-group.adoc[leveloffset=+1]
+
+include::modules/rosa-set-up-s3-bucket.adoc[leveloffset=+1]
+
+include::modules/rosa-manage-control-plane-log-forwarding.adoc[leveloffset=+1]
+