Production: Audit logs

[blackandred]

The idea: I think that on production it would be nice to have audit logs of all operations performed in RKD (when eg. RKD_AUDIT_LOG=true).

Why?

• Increase transparency of administrators operations (knowledge who to ask for help, when his/her changes broken something)
• In emergency cases the administrator can lookup what happened really
• In automated deployment with Ansible in Harbor it can be possible to see what failed during Ansible run

Proposed solution: When RKD_AUDIT_LOG=true in .env is present, then log every command to a log file eg. .rkd/audit-log-2020-05-01.log in a format, example:

[Y-m-d H:i:s] [commit] [SUDO_USER if any else current user] command
[2020-05-01 08:41:31] [9f990a2] [tech.admin] rkd :harbor:service:up --name iwa_ait_api --strategy rolling
[2020-05-01 08:45:00] [9f990a2] [tech.admin] rkd :harbor:gateway:reload :harbor:ssl:reload

Potential issues: Passwords leaking - user must be aware of the risk, documentation should inform about this

[blackandred]

In next stages audit log can also catch events of started/stopped/killed/failed containers (can be handled by Harbor - not as part of RKD of course)

[blackandred]

Idea: An output of each task could be always logged in to files (file per task per execution time for example) when audit log is enabled

[blackandred]

Partially implemented for RKD 1.0, moving to RKD 1.1, cannot afford for so many tasks to release.