This operator manages Splunk Universal Forwarder. It deploys a daemonset which deploys a pod on each node including the masters. It expects the service account for the namespace can deploy privileged pods. It also needs a secret that holds the forwarder auth.

If you are using Splunk Cloud, credentials can be obtained by downloading a credentials package from the specific Splunk application being used, such as the Universal Forwarder app. The credentials package is a tarball, so first extract the contents with tar xvf splunkclouduf.spl, then add the following fields in outputs.conf

sslCertPath = $SPLUNK_HOME/etc/apps/splunkauth/default/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkauth/default/cacert.pem
sslPassword = <Your SSL Password>

Then create a secret named "splunk-auth" using the extracted spl files and modified outputs.conf:

oc create secret generic splunk-auth --dry-run=client -o yaml \
  --from-file=cacert.pem=/path/to/spl/cacert.pem \
  --from-file=limits.conf=/path/to/spl/limits.conf \
  --from-file=outputs.conf=/path/to/spl/outputs.conf \
  --from-file=server.pem=/path/to/spl/server.pem

The SplunkForwarder CRD explicitly points to the files you want to monitor (currently only supports monitor://).

apiVersion: splunkforwarder.managed.openshift.io/v1alpha1
kind: SplunkForwarder
metadata:
  name: example-splunkforwarder
spec:
  image: dockerimageurl
  imageDigest: sha256:420e5f23b40e8f832cb0a8fdf305e1958c762b301a53ffa96a71a01134e3cff0
  splunkLicenseAccepted: true
  clusterID: optional-cluster-name
  splunkInputs:
  - path: /host/var/log/openshift-apiserver/audit.log
    index: openshift_managed_audit
    whitelist: \.log$
    sourcetype: _json
  - path: /host/var/log/containers/ip-*-*-*-*ec2internal-debug*.log
    index: openshift_managed_debug_node
    whitelist: \.log$
    sourcetype: linux_audit

The image and imageDigest are for the splunk-forwarder image. If useHeavyForwarder is true, heavyForwarderImage and heavyForwarderDigest are used for the splunk-heavyforwarder image. (The CRD supports imageTag for both, but this is deprecated in favor of imageDigest.)

To use the current version, 9.0.4-de405f4a7979-59d2ced, specify the following:

• For splunk-forwarder:

  image: quay.io/app-sre/splunk-forwarder
  imageDigest: sha256:420e5f23b40e8f832cb0a8fdf305e1958c762b301a53ffa96a71a01134e3cff0

• For splunk-heavyforwarder:

  heavyForwarderImage: quay.io/app-sre/splunk-heavyforwarder
  heavyForwarderDigest: sha256:238d2e33c4e1064cd7a5c366b93a2d36285f2397ce79eee7a4a9819e45eaf84f

Run make image-update to update to the current master branch commit of splunk-forwarder-images.

This process will update the Makefile with a new value for FORWARDER_IMAGE_TAG (from the forwarder version, forwarder hash and commit hash) and populate the OLM template with the by-digest URIs for that version.

To use a specific version, use make SFI_UPDATE=<commit/branch/etc> image-update or edit the Makefile by hand and run make image-digests to update the OLM template.

Commit and propose the changes as usual.

This repository is configured to support the testing strategy documented here.

Note that, in addition to creating personal repositories for the operator and OLM registry, you must also create them for splunk-forwarder and splunk-heavyforwarder.

A recent Go distribution (>=1.17) with enabled Go modules.

$ go version
go version go1.17.11 linux/amd64

The Operator is developed using the Operator SDK. Ensure this is installed and available in your $PATH.

v1.21.0 is the minimum-verified version required for splunk-forwarder-operator development.

OperatorSDK releases are avaiable here.

$ operator-sdk version
operator-sdk version: "v1.21.0", commit: "89d21a133750aee994476736fa9523656c793588", kubernetes version: "1.23", go version: "go1.17.10", GOOS: "linux", GOARCH: "amd64"

To run the operator in a local environment (not via a pod running on-cluster), ensure that the following environment variables are set:

export OPERATOR_NAMESPACE=openshift-splunk-forwarder-operator
export WATCH_NAMESPACE=""
export OSDK_FORCE_RUN_MODE="local"