CI/CD & Automation
Running the agent in CI/CD pipelines
For short-lived environments (ephemeral CI runners, staging environments, test clusters), the Docker image is the fastest path.
# Example: GitLab CI job that starts the agent alongside Vault
services:
  - name: vault:latest
    alias: vault
  - name: registry.gitlab.com/logystera/forwarder:latest
    alias: logystera-agent
variables:
  LOGYSTERA_ENTITY_TOKEN: $LOGYSTERA_ENTITY_TOKEN
  LOGYSTERA_ENTITY_SECRET: $LOGYSTERA_ENTITY_SECRET
  LOGYSTERA_CLIENT_ID: ci-agent
  LOGYSTERA_CLUSTER_ID: ci
  LOGYSTERA_NODE_ID: $CI_JOB_ID
  LOGYSTERA_ENVIRONMENT: ci
  LOGYSTERA_LOG_PATH: /var/log/vault/audit.log
Store LOGYSTERA_ENTITY_TOKEN and LOGYSTERA_ENTITY_SECRET as protected CI/CD variables — never hardcode them in pipeline configuration.
Kubernetes (sidecar pattern)
Deploy the agent as a sidecar container alongside Vault pods. Both containers share an emptyDir volume for the audit log.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
spec:
  template:
    spec:
      containers:
        - name: vault
          image: hashicorp/vault:latest
          volumeMounts:
            - name: audit-logs
              mountPath: /var/log/vault
        - name: logystera-agent
          image: registry.gitlab.com/logystera/forwarder:latest
          env:
            - name: LOGYSTERA_ENTITY_TOKEN
              valueFrom:
                secretKeyRef:
                  name: logystera-credentials
                  key: entity-token
            - name: LOGYSTERA_ENTITY_SECRET
              valueFrom:
                secretKeyRef:
                  name: logystera-credentials
                  key: entity-secret
            - name: LOGYSTERA_CLIENT_ID
              value: vault-k8s
            - name: LOGYSTERA_CLUSTER_ID
              value: vault-prod
            - name: LOGYSTERA_NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: LOGYSTERA_ENVIRONMENT
              value: production
            - name: LOGYSTERA_LOG_PATH
              value: /var/log/vault/audit.log
          volumeMounts:
            - name: audit-logs
              mountPath: /var/log/vault
              readOnly: true
            - name: agent-data
              mountPath: /var/log/logystera-agent
      volumes:
        - name: audit-logs
          emptyDir: {}
        - name: agent-data
          emptyDir: {}
Create the credentials secret:
kubectl create secret generic logystera-credentials \
  --from-literal=entity-token=YOUR_TOKEN \
  --from-literal=entity-secret=YOUR_SECRET
Vault Enterprise HA clusters
For Vault Enterprise with multiple nodes, each node runs its own agent instance. Use the pod name or hostname as LOGYSTERA_NODE_ID to distinguish nodes in the Logystera dashboard.
All nodes in the same cluster should share the same LOGYSTERA_CLUSTER_ID and the same entity credentials.
Automated deployment with Ansible
- name: Install Logystera agent
  hosts: vault_servers
  become: true
  vars:
    logystera_entity_token: "{{ vault_logystera_token }}"
    logystera_entity_secret: "{{ vault_logystera_secret }}"
  tasks:
    - name: Download agent package
      get_url:
        url: https://packages.logystera.com/agent/latest/logystera-agent.deb
        dest: /tmp/logystera-agent.deb
    - name: Install agent package
      apt:
        deb: /tmp/logystera-agent.deb
    - name: Write agent environment file
      template:
        src: agent.env.j2
        dest: /etc/logystera-agent/agent.env
        owner: root
        group: logystera-agent
        mode: '0640'
    - name: Enable and start agent
      systemd:
        name: logystera-agent
        enabled: true
        state: started
agent.env.j2 template:
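{# "environment" is a reserved name in Ansible (it is overwritten with the task's environment keyword), so the value is read from logystera_environment, an assumed inventory variable. #}
LOGYSTERA_GATEWAY_URL=https://gateway.logystera.com/v1/ingest
LOGYSTERA_ENTITY_TOKEN={{ logystera_entity_token }}
LOGYSTERA_ENTITY_SECRET={{ logystera_entity_secret }}
LOGYSTERA_CLIENT_ID={{ inventory_hostname }}
LOGYSTERA_CLUSTER_ID={{ vault_cluster_id }}
LOGYSTERA_NODE_ID={{ inventory_hostname }}
LOGYSTERA_ENVIRONMENT={{ logystera_environment }}
LOGYSTERA_LOG_PATH=/var/log/vault/audit.log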
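The rule above about keeping LOGYSTERA_ENTITY_TOKEN and LOGYSTERA_ENTITY_SECRET out of configuration can be checked before merge. The following Python check is an added example, not part of the Logystera documentation or agent: it scans the three formats shown on this page (GitLab CI variables, Kubernetes env entries, env-file templates) and reports any credential set to a literal. The function names, regexes and sample are this example's own assumptions.

```python
import re

# Credential variable names come from this page; everything else is this example's own.
SECRET_KEYS = ("LOGYSTERA_ENTITY_TOKEN", "LOGYSTERA_ENTITY_SECRET")
# Acceptable values are wholly a reference: $VAR, ${VAR} or a Jinja2 {{ expr }}.
REFERENCE = re.compile(r"^(\$\w+|\$\{\w+\}|\{\{.*\}\})$")
KEY_VALUE = re.compile(r"^\s*(?:-\s*)?(\w+)\s*[:=]\s*(.*)$")

# Constructed sample: a compliant GitLab CI entry and a hardcoded Kubernetes entry.
SAMPLE = """\
variables:
  LOGYSTERA_ENTITY_TOKEN: $LOGYSTERA_ENTITY_TOKEN
env:
  - name: LOGYSTERA_ENTITY_SECRET
    value: constructed-literal-secret
"""

def _clean(value):
    """Strip an inline comment and surrounding quotes from a raw value."""
    value = re.sub(r"\s+#.*$", "", value).strip()
    return value.strip("'\"").strip()

def find_hardcoded(text):
    """Return (line_number, key) for every credential set to a literal value."""
    findings = []
    pending = None  # credential whose value is expected on a later 'value:' line
    for number, line in enumerate(text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), _clean(match.group(2))
        if key in SECRET_KEYS:
            # 'KEY: value' (GitLab CI) or 'KEY=value' (env file)
            pending = key if not value else None
            if value and not REFERENCE.match(value):
                findings.append((number, key))
        elif key == "name":
            # Kubernetes env entry: '- name: KEY' followed by value/valueFrom
            pending = value if value in SECRET_KEYS else None
        elif pending and key == "value":
            if not REFERENCE.match(value):
                findings.append((number, pending))
            pending = None
        elif key == "valueFrom":
            pending = None  # value comes from a Secret or field reference
    return findings

if __name__ == "__main__":
    for number, key in find_hardcoded(SAMPLE):
        print(f"line {number}: {key} is set to a literal value")
```

The scan is line-based rather than a YAML parse, so treat a clean result as a pre-merge guard, not proof that no secret is present.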