
feat: [CCEE] Configure auditlog for all new regions

Open tobiscr opened this issue 1 year ago • 14 comments

Description

We are extending Kyma in CCEE and will also support 5 more regions:

  • na-us-1
  • eu-de-2
  • na-us-2
  • ap-jp-1
  • ap-ae-1

The configuration of the provisioner has to be adjusted to support all these regions properly.

EPIC is #backlog/5701

AC:

  • [ ] Get credentials for new auditlog server instance for
    • [x] na-us-1
    • [ ] eu-de-2
    • [ ] na-us-2
    • [ ] ap-jp-1
    • [ ] ap-ae-1
  • [ ] Provisioner supports the new CCEE regions and configures the corresponding Auditlog server correctly in Gardener:
    • [x] na-us-1
    • [ ] eu-de-2
    • [ ] na-us-2
    • [ ] ap-jp-1
    • [ ] ap-ae-1

tobiscr avatar Jul 03 '24 10:07 tobiscr

ALS instance config to use for na-us-1 on stage:

tenantID: 8409f001-7b01-42d9-ae30-ad378a224f80
serviceURL: https://api.auditlog.cf.us10.hana.ondemand.com:8081
secretName: ccee-audit-stage-na-us-1

ebensom avatar Jul 18 '24 14:07 ebensom

@ebensom

ALS instance config to use for na-us-1 on stage:

tenantID: 8409f001-7b01-42d9-ae30-ad378a224f80
serviceURL: https://api.auditlog.cf.us10.hana.ondemand.com:8081
secretName: ccee-audit-stage-na-us-1

Do we have/need a Prod configuration for this region?

mvshao avatar Jul 25 '24 08:07 mvshao

Audit Logs are working in na-us-1 region on Stage


mvshao avatar Jul 30 '24 10:07 mvshao

Yes, I will create prod ALS instance for this region today/tomorrow, and let you know the details.

ebensom avatar Aug 05 '24 10:08 ebensom

ALS instance config to use for na-us-1 on prod:

tenantID: 7115079e-4f2e-4b65-aaac-834b4ccc202a
serviceURL: https://api.auditlog.cf.us10.hana.ondemand.com:8081
secretName: ccee-audit-prod-na-us-1

ebensom avatar Aug 05 '24 15:08 ebensom

@ebensom : could we maybe also setup auditlog for all other regions? We would then directly configure them all together so that we are done from our side.

tobiscr avatar Aug 20 '24 10:08 tobiscr

Sure, setting them up this week.

ebensom avatar Aug 21 '24 08:08 ebensom

For eu-de-2, please configure the same instance used for eu-de-1 both on stage and prod.

ebensom avatar Aug 21 '24 08:08 ebensom

ALS instance config to use for na-us-2 on stage:

tenantID: 74f8d2c2-4121-4ec9-ba36-e98e9a1269f2
serviceURL: https://api.auditlog.cf.us20.hana.ondemand.com:8081
secretName: ccee-audit-stage-na-us-2

ebensom avatar Aug 21 '24 10:08 ebensom

ALS instance config to use for na-us-2 on prod:

tenantID: 777fd979-d836-4d59-aae1-3f8f149438f7
serviceURL: https://api.auditlog.cf.us20.hana.ondemand.com:8081
secretName: ccee-audit-prod-na-us-2

ebensom avatar Aug 21 '24 11:08 ebensom

For ap-jp-1, please reuse the existing instances created for Azure japaneast region.

ebensom avatar Aug 21 '24 11:08 ebensom

ALS instance config to use for ap-ae-1 and GCP me-central2 on stage (seems it was missed in https://github.com/kyma-project/kyma-environment-broker/issues/556):

tenantID: f4d9ffa0-5866-4417-b90b-42a65dc1dfa1
serviceURL: https://api.auditlog.cf.sa30.hana.ondemand.com:8081
secretName: gcp-audit-stage-me-central2

ebensom avatar Aug 21 '24 11:08 ebensom

ALS instance config to use for ap-ae-1 and GCP me-central2 on prod (seems it was missed in https://github.com/kyma-project/kyma-environment-broker/issues/556):

tenantID: 8ffe0862-1c78-4212-b6cc-7b247f2ee16d
serviceURL: https://api.auditlog.cf.sa30.hana.ondemand.com:8081
secretName: gcp-audit-prod-me-central2

ebensom avatar Aug 21 '24 12:08 ebensom

Stage configured in internal pr no. 5672

Disper avatar Sep 26 '24 12:09 Disper

Successfully verified that audit logs are working on:

  • stage/eu-de-2
  • stage/ap-jp-1
  • stage/ap-ae-1

Disper avatar Sep 30 '24 08:09 Disper

As for stage/na-us-2 I'm retrieving only empty files. I believe that https://github.tools.sap/kyma/management-plane-config/pull/5697/files should fix it.

Disper avatar Sep 30 '24 08:09 Disper

audit logs are now working also on stage/na-us-2 region.

Disper avatar Sep 30 '24 13:09 Disper

Prod configured for regions:

eu-de-2
na-us-2
ap-jp-1
ap-ae-1

I need to check that everything is working properly

mvshao avatar Nov 08 '24 11:11 mvshao

eu-de-2 is working on PROD.

mvshao avatar Nov 12 '24 14:11 mvshao

ap-jp-1 is working on PROD.

mvshao avatar Nov 13 '24 09:11 mvshao

na-us-2 is working on PROD.

mvshao avatar Nov 14 '24 10:11 mvshao

ap-ae-1 is working on PROD. Logs from Audit Log CLI:

{
  "uuid": "0c6c82cd-1f1d-492c-b8cb-0035642fb6ca",
  "user": "{\"username\":\"[email protected]\",\"groups\":[\"gardener.cloud:system:viewers\",\"system:authenticated\"]}",
  "time": "2024-11-15T09:26:21.557843Z",
  "id": "cc8260e6-8f26-4855-a572-ffe8bfcc6841",
  "object": {
    "type": "create",
    "id": {
      "requestURI": "/api/v1/namespaces?fieldManager=kubectl-create&fieldValidation=Strict",
      "stage": "ResponseComplete",
      "level": "Request",
      "objectRef": "{\"Resource\":\"namespaces\",\"Namespace\":\"\",\"Name\":\"audit-test-ap-ae-1\",\"UID\":\"\",\"APIGroup\":\"\",\"APIVersion\":\"v1\",\"ResourceVersion\":\"\",\"Subresource\":\"\"}",
      "userAgent": "kubectl/v1.30.3 (darwin/arm64) kubernetes/6fc0a69",
      "responseStatus": "201",
      "requestReceivedTimestamp": "2024-11-15 09:26:21.541477 +0000 UTC",
      "requestObject": "{\"kind\":\"Namespace\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"audit-test-ap-ae-1\",\"creationTimestamp\":null,\"labels\":{\"kubernetes.io/metadata.name\":\"audit-test-ap-ae-1\"}},\"spec\":{},\"status\":{\"phase\":\"Active\"}}",
      "shootUID": "b8ba342b-8dbc-4ec7-97cc-126b95cfe471",
      "shootName": "al4-openstack",
      "projectName": "kyma",
      "annotations": "{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"administrator0\\\" of ClusterRole \\\"cluster-admin\\\" to User \\\"[email protected]\\\"\"}"
    }
  },
  "attributes": [
    {
      "name": "",
      "old": "",
      "new": ""
    }
  ],
  "category": "audit.configuration",
  "tenant": "some-tenant",
  "customDetails": {}
}

mvshao avatar Nov 15 '24 10:11 mvshao
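The verification done throughout this thread is the same each time: create a namespace named audit-test-<region> on a shoot in that region, then confirm the Audit Log Service (ALS) record for that create request arrives, and treat an empty export (the stage/na-us-2 symptom above) as a failure. The script below automates that check over an ALS export. It is an added example, not Kyma, Gardener or ALS project code. It follows the record layout of the JSON posted above, in which the user, objectRef and annotations fields are JSON encoded a second time as strings, and it assumes (an assumption, not documented here) that the export is either a JSON array of records or one record per line. All records it runs on are constructed inline.

```python
"""Check ALS exports for the audit-test-<region> namespace creations used
to verify a region, and list writes that were authorized via cluster-admin.

Added example, not project code. Record shape follows the ALS record
posted in the thread; the export format (array or one object per line)
is an assumption.
"""
import json
import re

WRITE_VERBS = {"create", "update", "patch", "delete"}
ROLE_RE = re.compile(r'of ClusterRole "([^"]+)"')


def load_records(raw: str) -> list[dict]:
    """Parse an export. An empty file yields [] rather than an exception,
    so a region with no records shows up as unverified instead of crashing."""
    raw = raw.strip()
    if not raw:
        return []
    if raw.startswith("["):
        return json.loads(raw)
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def decode_record(rec: dict) -> dict:
    """Flatten one ALS record. The nested fields are strings holding JSON,
    so they are decoded again; missing fields become empty values."""
    obj = rec.get("object", {})
    ident = obj.get("id", {})
    user = json.loads(rec.get("user") or "{}")
    ref = json.loads(ident.get("objectRef") or "{}")
    ann = json.loads(ident.get("annotations") or "{}")
    reason = ann.get("authorization.k8s.io/reason", "")
    role = ROLE_RE.search(reason)
    return {
        "user": user.get("username", ""),
        "groups": user.get("groups", []),
        "verb": obj.get("type", ""),
        "resource": ref.get("Resource", ""),
        "name": ref.get("Name", ""),
        "status": str(ident.get("responseStatus", "")),
        "shoot": ident.get("shootName", ""),
        "decision": ann.get("authorization.k8s.io/decision", ""),
        # Parsed from the RBAC reason text, not a dedicated field.
        "cluster_role": role.group(1) if role else "",
    }


def verify_regions(records: list[dict], regions: list[str]) -> dict[str, bool]:
    """Region -> True only when a successful (201) create of namespace
    audit-test-<region> is present; a get or a failed create does not count."""
    seen = {r: False for r in regions}
    for d in map(decode_record, records):
        if d["verb"] != "create" or d["resource"] != "namespaces" or d["status"] != "201":
            continue
        for r in regions:
            if d["name"] == f"audit-test-{r}":
                seen[r] = True
    return seen


def cluster_admin_writes(records: list[dict]) -> list[tuple[str, str, str]]:
    """(user, verb, object) for every allowed write that RBAC attributed to
    the cluster-admin ClusterRole; the kind of entry worth reviewing first."""
    hits = set()
    for d in map(decode_record, records):
        if d["verb"] in WRITE_VERBS and d["decision"] == "allow" and d["cluster_role"] == "cluster-admin":
            hits.add((d["user"], d["verb"], f'{d["resource"]}/{d["name"]}'))
    return sorted(hits)


def _rec(verb: str, name: str, status: str, role: str, groups: list[str]) -> dict:
    """Constructed record in the shape of the posted ALS output (user redacted)."""
    reason = f'RBAC: allowed by ClusterRoleBinding "binding0" of ClusterRole "{role}" to User "[email protected]"'
    return {
        "user": json.dumps({"username": "[email protected]", "groups": groups}),
        "object": {
            "type": verb,
            "id": {
                "objectRef": json.dumps({"Resource": "namespaces", "Namespace": "", "Name": name}),
                "responseStatus": status,
                "shootName": "al4-openstack",
                "projectName": "kyma",
                "annotations": json.dumps({"authorization.k8s.io/decision": "allow",
                                           "authorization.k8s.io/reason": reason}),
            },
        },
        "category": "audit.configuration",
    }


# Constructed export: two verification creates (ap-ae-1, na-us-2) plus a
# read of the eu-de-2 test namespace, which must not verify eu-de-2.
SAMPLE_EXPORT = json.dumps([
    _rec("create", "audit-test-ap-ae-1", "201", "cluster-admin", ["system:authenticated"]),
    _rec("create", "audit-test-na-us-2", "201", "cluster-admin", ["system:authenticated"]),
    _rec("get", "audit-test-eu-de-2", "200", "view", ["gardener.cloud:system:viewers"]),
])

if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    print(verify_regions(recs, ["ap-ae-1", "na-us-2", "eu-de-2"]))
    print(cluster_admin_writes(recs))
```

Run it against the real export instead of SAMPLE_EXPORT to get a per-region pass/fail; an export that parses to an empty list is the "empty files" case and should be treated as a failed check for that region rather than as "no activity".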

Successfully verified that audit logs are working on:

  • prod/na-us-1
  • prod/eu-de-2
  • prod/na-us-2
  • prod/ap-jp-1
  • prod/ap-ae-1

mvshao avatar Nov 15 '24 10:11 mvshao

Closing the issue as all the work was done.

arturskorupa avatar Nov 15 '24 11:11 arturskorupa