ecip-observability-stack 1.0.0

package/helm/templates/elasticsearch.yaml

@@ -0,0 +1,68 @@
+{{- /*
+ECIP M08 — Elasticsearch Security Event Index Setup
+Provisions the index template and ILM policy for security events.
+*/ -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: elasticsearch-security-config
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    app: ecip
+    component: elasticsearch
+data:
+  index-template.json: |-
+    {{ .Files.Get "elasticsearch/index-template.json" | nindent 4 }}
+  ilm-policy.json: |-
+    {{ .Files.Get "elasticsearch/ilm-policy.json" | nindent 4 }}
+---
+{{- /* Job to apply index template and ILM policy on install/upgrade */ -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: elasticsearch-setup-{{ .Release.Revision }}
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    app: ecip
+    component: elasticsearch-setup
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "10"
+    helm.sh/hook-delete-policy: before-hook-creation
+spec:
+  backoffLimit: 3
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: elasticsearch-setup
+          image: curlimages/curl:8.5.0
+          command:
+            - /bin/sh
+            - -c
+            - |
+              ES_URL="{{ .Values.elasticsearch.protocol | default "http" }}://{{ .Values.elasticsearch.host | default "elasticsearch.monitoring" }}:{{ .Values.elasticsearch.port | default 9200 }}"
+
+              echo "Applying ILM policy..."
+              curl -s -X PUT "$ES_URL/_ilm/policy/ecip-security-events-ilm" \
+                -H "Content-Type: application/json" \
+                -d @/config/ilm-policy.json
+
+              echo "Applying index template..."
+              curl -s -X PUT "$ES_URL/_index_template/ecip-security-events" \
+                -H "Content-Type: application/json" \
+                -d @/config/index-template.json
+
+              echo "Creating initial index..."
+              curl -s -X PUT "$ES_URL/ecip-security-events-000001" \
+                -H "Content-Type: application/json" \
+                -d '{"aliases":{"ecip-security-events":{"is_write_index":true}}}'
+
+              echo "Setup complete."
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      volumes:
+        - name: config
+          configMap:
+            name: elasticsearch-security-config

package/helm/templates/grafana-secret.yaml

@@ -0,0 +1,22 @@
+{{- /*
+ECIP M08 — Grafana Admin Secret
+Creates the admin credentials secret if not using ExternalSecrets.
+For production, replace with ExternalSecret pointing to AWS Secrets Manager / Vault.
+*/ -}}
+{{- if not (lookup "v1" "Secret" (.Values.namespace | default "monitoring") (index .Values "kube-prometheus-stack" "grafana" "admin" "existingSecret")) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index .Values "kube-prometheus-stack" "grafana" "admin" "existingSecret" }}
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    app: ecip
+    component: grafana
+type: Opaque
+data:
+  # Base64-encoded. Override in your environment — NEVER commit real credentials.
+  # echo -n 'admin' | base64
+  admin-user: YWRtaW4=
+  # Generate a real password: openssl rand -base64 32 | base64
+  admin-password: CHANGEME_GENERATE_REAL_PASSWORD
+{{- end }}

package/helm/templates/grafana.yaml

@@ -0,0 +1,19 @@
+{{- /*
+ECIP M08 — Grafana Dashboard Provisioning
+Deploys dashboards as ConfigMaps with the grafana_dashboard label
+so the Grafana sidecar picks them up automatically.
+*/ -}}
+{{- range $path, $_ := .Files.Glob "dashboards/*.json" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ecip-dashboard-{{ base $path | trimSuffix ".json" | lower }}
+  namespace: {{ $.Values.namespace | default "monitoring" }}
+  labels:
+    grafana_dashboard: "1"
+    app: ecip
+data:
+  {{ base $path }}: |-
+    {{ $.Files.Get $path | nindent 4 }}
+---
+{{- end }}

package/helm/templates/loki.yaml

@@ -0,0 +1,33 @@
+{{- /*
+ECIP M08 — Loki Datasource Provisioning (OD-01 Resolution)
+Provisions Loki as a Grafana datasource for general application logs.
+*/ -}}
+{{- if .Values.loki.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-datasource-loki
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    grafana_datasource: "1"
+    app: ecip
+    component: loki
+data:
+  loki-datasource.yaml: |-
+    apiVersion: 1
+    datasources:
+      - name: Loki
+        type: loki
+        access: proxy
+        url: http://loki-gateway.{{ .Values.namespace | default "monitoring" }}:3100
+        uid: loki
+        isDefault: false
+        editable: true
+        jsonData:
+          maxLines: 1000
+          derivedFields:
+            - name: TraceID
+              matcherRegex: '"trace_id":"(\w+)"'
+              url: "$${__value.raw}"
+              datasourceUid: tempo
+{{- end }}

package/helm/templates/otel-collector.yaml

@@ -0,0 +1,119 @@
+{{- /*
+ECIP M08 — OTel Collector Helm Template
+Deploys the OTel Collector as a DaemonSet with OTLP receivers.
+*/ -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: otel-collector
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    app.kubernetes.io/name: otel-collector
+    app.kubernetes.io/component: observability
+    app.kubernetes.io/part-of: ecip
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: otel-collector
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: otel-collector
+        ecip.module: M08
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmaps.yaml") . | sha256sum }}
+    spec:
+      serviceAccountName: otel-collector
+      containers:
+        - name: otel-collector
+          image: "{{ .Values.otelCollector.image.repository }}:{{ .Values.otelCollector.image.tag }}"
+          args:
+            - --config=/etc/otel/otel-collector-config.yaml
+          ports:
+            - name: otlp-grpc
+              containerPort: {{ .Values.otelCollector.ports.otlpGrpc }}
+              hostPort: {{ .Values.otelCollector.ports.otlpGrpc }}
+            - name: otlp-http
+              containerPort: {{ .Values.otelCollector.ports.otlpHttp }}
+              hostPort: {{ .Values.otelCollector.ports.otlpHttp }}
+            - name: health
+              containerPort: {{ .Values.otelCollector.healthCheck.port }}
+            - name: metrics
+              containerPort: {{ .Values.otelCollector.ports.metrics }}
+          resources:
+            {{- toYaml .Values.otelCollector.resources | nindent 12 }}
+          volumeMounts:
+            - name: collector-config
+              mountPath: /etc/otel
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.otelCollector.healthCheck.port }}
+            initialDelaySeconds: 10
+            periodSeconds: 15
+          readinessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.otelCollector.healthCheck.port }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      volumes:
+        - name: collector-config
+          configMap:
+            name: otel-collector-config
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: otel-collector
+  namespace: {{ .Values.namespace | default "monitoring" }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: otlp-grpc
+      port: {{ .Values.otelCollector.ports.otlpGrpc }}
+      targetPort: {{ .Values.otelCollector.ports.otlpGrpc }}
+    - name: otlp-http
+      port: {{ .Values.otelCollector.ports.otlpHttp }}
+      targetPort: {{ .Values.otelCollector.ports.otlpHttp }}
+    - name: metrics
+      port: {{ .Values.otelCollector.ports.metrics }}
+      targetPort: {{ .Values.otelCollector.ports.metrics }}
+  selector:
+    app.kubernetes.io/name: otel-collector
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: otel-collector
+  namespace: {{ .Values.namespace | default "monitoring" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: otel-collector
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "namespaces", "nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: otel-collector
+subjects:
+  - kind: ServiceAccount
+    name: otel-collector
+    namespace: {{ .Values.namespace | default "monitoring" }}
+roleRef:
+  kind: ClusterRole
+  name: otel-collector
+  apiGroup: rbac.authorization.k8s.io

package/helm/templates/prometheus.yaml

@@ -0,0 +1,43 @@
+{{- /*
+ECIP M08 — Prometheus Helm Template
+References the kube-prometheus-stack subchart values.
+This template adds ECIP-specific alert rule ConfigMaps.
+*/ -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.alertRules.configMapName | default "ecip-alert-rules" }}
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    role: alert-rules
+    app: ecip
+    grafana_alert: "1"
+data:
+  {{- range $path, $_ := .Files.Glob "alerts/*.yaml" }}
+  {{ base $path }}: |-
+    {{ $.Files.Get $path | nindent 4 }}
+  {{- end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ecip-recording-rules
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    role: recording-rules
+    app: ecip
+data:
+  recording-rules.yaml: |-
+    {{ .Files.Get "prometheus/recording-rules.yaml" | nindent 4 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ecip-scrape-configs
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    app: ecip
+type: Opaque
+stringData:
+  scrape-configs.yaml: |-
+    {{ .Files.Get "prometheus/scrape-configs.yaml" | nindent 4 }}

package/helm/templates/tempo.yaml

@@ -0,0 +1,16 @@
+{{- /*
+ECIP M08 — Grafana Tempo Configuration
+References the tempo-distributed subchart. This template adds
+the Tempo datasource provisioning for Grafana.
+*/ -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-datasource-tempo
+  namespace: {{ .Values.namespace | default "monitoring" }}
+  labels:
+    grafana_datasource: "1"
+    app: ecip
+data:
+  tempo-datasource.yaml: |-
+    {{ .Files.Get "tempo/tempo-datasource.yaml" | nindent 4 }}

package/helm/values.prod.yaml

@@ -0,0 +1,159 @@
+# =============================================================================
+# ECIP M08 — Helm Values (Production Overrides)
+# =============================================================================
+# Overrides for production deployment. Applied on top of values.yaml.
+# Usage: helm upgrade --install ecip-obs ./helm -f helm/values.yaml -f helm/values.prod.yaml
+# =============================================================================
+
+# --- OTel Collector ---
+otelCollector:
+  resources:
+    requests:
+      cpu: 500m
+      memory: 512Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+# --- Prometheus ---
+kube-prometheus-stack:
+  prometheus:
+    prometheusSpec:
+      retention: 30d
+      retentionSize: 50GB
+      resources:
+        requests:
+          cpu: 500m
+          memory: 2Gi
+        limits:
+          cpu: 2000m
+          memory: 8Gi
+      storageSpec:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: gp3
+            accessModes: ["ReadWriteOnce"]
+            resources:
+              requests:
+                storage: 100Gi
+  alertmanager:
+    alertmanagerSpec:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 256Mi
+        limits:
+          cpu: 500m
+          memory: 512Mi
+  grafana:
+    # Production: admin credentials from ExternalSecret (AWS Secrets Manager)
+    admin:
+      existingSecret: ecip-grafana-admin-prod
+      userKey: admin-user
+      passwordKey: admin-password
+    persistence:
+      enabled: true
+      size: 20Gi
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+
+# --- Tempo ---
+tempo-distributed:
+  storage:
+    trace:
+      backend: s3
+      s3:
+        bucket: ecip-tempo-traces-prod
+        endpoint: s3.amazonaws.com
+        region: us-east-1
+  retention:
+    compacted_block_retention: 336h  # 14 days
+  ingester:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1Gi
+      limits:
+        cpu: 1000m
+        memory: 2Gi
+  distributor:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 500m
+        memory: 512Mi
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+  compactor:
+    replicas: 2
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1Gi
+      limits:
+        cpu: 1000m
+        memory: 2Gi
+
+# --- Elasticsearch ---
+elasticsearch:
+  replicas: 3
+  minimumMasterNodes: 2
+  resources:
+    requests:
+      cpu: 1000m
+      memory: 4Gi
+    limits:
+      cpu: 2000m
+      memory: 8Gi
+  volumeClaimTemplate:
+    resources:
+      requests:
+        storage: 100Gi
+    storageClassName: gp3
+
+# --- Loki (production) ---
+loki:
+  loki:
+    storage:
+      type: s3
+      s3:
+        s3: s3://ecip-loki-logs-prod
+        region: us-east-1
+    commonConfig:
+      replication_factor: 3
+  write:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1Gi
+      limits:
+        cpu: 1000m
+        memory: 2Gi
+  read:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1Gi
+      limits:
+        cpu: 1000m
+        memory: 2Gi
+  backend:
+    replicas: 2
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        cpu: 500m
+        memory: 1Gi
+  gateway:
+    replicas: 2

package/helm/values.yaml

@@ -0,0 +1,146 @@
+# =============================================================================
+# ECIP M08 — Helm Values (Dev/Staging Defaults)
+# =============================================================================
+# Production overrides: values.prod.yaml
+# =============================================================================
+
+# --- Feature toggles ---
+prometheus:
+  enabled: true
+tempo:
+  enabled: true
+elasticsearch:
+  enabled: true
+loki:
+  enabled: true
+
+# --- Namespace ---
+namespace: monitoring
+
+# --- OTel Collector ---
+otelCollector:
+  image:
+    repository: otel/opentelemetry-collector-contrib
+    tag: "0.96.0"
+  resources:
+    requests:
+      cpu: 200m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 512Mi
+  healthCheck:
+    port: 13133
+  ports:
+    otlpGrpc: 4317
+    otlpHttp: 4318
+    metrics: 8888
+    zpages: 55679
+
+# --- Prometheus ---
+kube-prometheus-stack:
+  prometheus:
+    prometheusSpec:
+      retention: 7d
+      retentionSize: 10GB
+      resources:
+        requests:
+          cpu: 250m
+          memory: 1Gi
+        limits:
+          cpu: 1000m
+          memory: 4Gi
+      storageSpec:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: standard
+            accessModes: ["ReadWriteOnce"]
+            resources:
+              requests:
+                storage: 20Gi
+  alertmanager:
+    enabled: true
+  grafana:
+    enabled: true
+    # Admin password sourced from K8s Secret — NEVER hardcode in values files
+    admin:
+      existingSecret: ecip-grafana-admin
+      userKey: admin-user
+      passwordKey: admin-password
+    sidecar:
+      dashboards:
+        enabled: true
+        label: grafana_dashboard
+
+# --- Tempo ---
+tempo-distributed:
+  storage:
+    trace:
+      backend: local
+  retention:
+    compacted_block_retention: 168h  # 7 days for dev/staging
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 1Gi
+
+# --- Elasticsearch ---
+elasticsearch:
+  replicas: 1
+  minimumMasterNodes: 1
+  host: elasticsearch.monitoring
+  port: 9200
+  protocol: http
+  resources:
+    requests:
+      cpu: 250m
+      memory: 1Gi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+  volumeClaimTemplate:
+    resources:
+      requests:
+        storage: 20Gi
+
+# --- Dashboard provisioning ---
+dashboards:
+  configMapName: ecip-grafana-dashboards
+  folder: ECIP
+
+# --- Alert rules ---
+alertRules:
+  configMapName: ecip-alert-rules
+
+# --- Loki (general application logs — OD-01 resolution) ---
+loki:
+  enabled: true
+  loki:
+    auth_enabled: false
+    storage:
+      type: filesystem
+    commonConfig:
+      replication_factor: 1
+  singleBinary:
+    replicas: 1
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+    persistence:
+      enabled: true
+      size: 20Gi
+      storageClassName: standard
+  gateway:
+    enabled: true
+  monitoring:
+    selfMonitoring:
+      enabled: false
+    lokiCanary:
+      enabled: false

package/logging-lib/nodejs/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@ecip-platform/observability",
+  "version": "1.1.0",
+  "description": "OpenTelemetry instrumentation wrapper for ECIP modules",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist/"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest watch",
+    "lint": "eslint src/ --ext .ts",
+    "prepublishOnly": "pnpm run build"
+  },
+  "keywords": [
+    "ecip",
+    "observability",
+    "opentelemetry",
+    "logging",
+    "tracing"
+  ],
+  "author": "ECIP Platform Team",
+  "license": "MIT",
+  "dependencies": {
+    "@opentelemetry/api": "^1.7.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.43.0",
+    "@opentelemetry/context-async-hooks": "^1.22.0",
+    "@opentelemetry/exporter-metrics-otlp-http": "^0.48.0",
+    "@opentelemetry/exporter-trace-otlp-grpc": "^0.48.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.48.0",
+    "@opentelemetry/instrumentation-grpc": "^0.48.0",
+    "@opentelemetry/instrumentation-http": "^0.48.0",
+    "@opentelemetry/resources": "^1.22.0",
+    "@opentelemetry/sdk-metrics": "^1.22.0",
+    "@opentelemetry/sdk-node": "^0.48.0",
+    "@opentelemetry/sdk-trace-node": "^1.22.0",
+    "@opentelemetry/semantic-conventions": "^1.22.0",
+    "pino": "^8.19.0"
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.6",
+    "@types/node": "^20.11.0",
+    "@typescript-eslint/eslint-plugin": "^6.19.0",
+    "@typescript-eslint/parser": "^6.19.0",
+    "eslint": "^8.56.0",
+    "typescript": "^5.3.0",
+    "vitest": "^1.2.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}