AWS Dev SIEM Runtime Dependencies

OP-059 wires the AWS dev Helm release so the already-implemented OP-012 SIEM runtime can run in EKS with the same core dependencies (NATS and ClickHouse) it uses locally.

What Changed

  • Verified that NATS is already running in live AWS dev as the oneprotect-nats StatefulSet and Service, with JetStream enabled.
  • Added Helm-managed ClickHouse for AWS dev as an in-cluster StatefulSet and Service.
  • Mounted the minimal normalized_log_events ClickHouse schema into /docker-entrypoint-initdb.d so the ClickHouse image applies it on first initialization of the data directory.
  • Added CLICKHOUSE_URL to the OneProtect ConfigMap.
  • Added log.event.received to the AWS dev worker event subscription list so the worker can normalize accepted log batches.

Boundaries

  • This is Helm-only AWS dev wiring.
  • No Terraform resources, managed ClickHouse service, AWS IAM change, ALB change, or production analytics-store decision is included.
  • NATS was not reworked; it is already present in AWS dev.
  • No SIEM runtime, rule-engine, receiver, or query-language behavior was changed.

Validation

  • helm template oneprotect deploy/helm/oneprotect -n oneprotect-dev -f deploy/helm/oneprotect/values-aws-dev.yaml
  • make aws-helm-template
  • make validate-contracts
  • make docs-build

Operational Note

ClickHouse is enabled only in the AWS dev values (values-aws-dev.yaml). The in-cluster StatefulSet gives the shared development environment parity with local OP-012 normalized log search; the analytics store for staging and production still requires a separate, explicit decision.

GitLab deploys read the protected AWS_DEV_HELM_VALUES_FILE, not the checked-in values file, so the two can drift. Before approving an AWS dev Helm deploy, update the protected file with clickhouse.enabled=true, config.clickhouseUrl pointing at http://oneprotect-clickhouse:8123/default, and log.event.received in the worker event subscription list. The chart now fails closed if ClickHouse is enabled without the matching URL and worker subscription: the deploy is rejected at template time rather than shipping a runtime with no ClickHouse URL or a worker that never consumes accepted log batches.
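A pre-approval check for the protected values file, as an added example that is not part of the OP-059 change or the OneProtect repository. It assumes the protected file is block-style YAML with one level of nesting under clickhouse.enabled and config.clickhouseUrl, and that the worker subscription list lives under worker.eventSubscriptions; that list key is an assumed name, the chart's real key may differ. The two sample values files are constructed here for the demonstration.

```shell
#!/bin/sh
# Pre-approval check for the protected AWS dev Helm values file.
# Added example, not code from OP-059 or the OneProtect repository. Assumes
# block-style YAML with one nesting level under these keys:
#   clickhouse.enabled, config.clickhouseUrl, worker.eventSubscriptions[]
# "worker.eventSubscriptions" is an assumed key name; the chart's may differ.

CLICKHOUSE_URL_EXPECTED="http://oneprotect-clickhouse:8123/default"
WORKER_EVENT="log.event.received"

# yaml_leaf FILE SECTION KEY -> prints the scalar at SECTION.KEY (one nesting level)
yaml_leaf() {
    awk -v sec="$2" -v key="$3" '
        /^[A-Za-z0-9_-]+:/ { cur = $1; sub(/:$/, "", cur); next }
        cur == sec && $1 == (key ":") { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# yaml_list_has FILE SECTION KEY ITEM -> exit 0 if ITEM is an entry of the SECTION.KEY block list
yaml_list_has() {
    awk -v sec="$2" -v key="$3" -v item="$4" '
        /^[A-Za-z0-9_-]+:/ { cur = $1; sub(/:$/, "", cur); inlist = 0; next }
        cur == sec && $1 == (key ":") { inlist = 1; next }
        inlist && $1 == "-" { if ($2 == item) { found = 1; exit }; next }
        inlist { inlist = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_aws_dev_values FILE -> 0 when all three ClickHouse prerequisites hold, 1 otherwise.
# Every failing prerequisite is reported on stderr so the approver sees all required changes at once.
check_aws_dev_values() {
    file="$1"; rc=0
    if [ "$(yaml_leaf "$file" clickhouse enabled)" != "true" ]; then
        echo "$file: clickhouse.enabled must be true" >&2; rc=1
    fi
    url="$(yaml_leaf "$file" config clickhouseUrl)"
    if [ "$url" != "$CLICKHOUSE_URL_EXPECTED" ]; then
        echo "$file: config.clickhouseUrl must be $CLICKHOUSE_URL_EXPECTED (got '${url:-<unset>}')" >&2; rc=1
    fi
    if ! yaml_list_has "$file" worker eventSubscriptions "$WORKER_EVENT"; then
        echo "$file: worker.eventSubscriptions is missing $WORKER_EVENT" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files (not real deploy values): one complete, one that enables
# ClickHouse but omits the worker subscription, which the chart would reject.
WORKDIR="$(mktemp -d)"
GOOD_VALUES="$WORKDIR/good.yaml"
BAD_VALUES="$WORKDIR/missing-subscription.yaml"
cat > "$GOOD_VALUES" <<'EOF'
clickhouse:
  enabled: true
config:
  clickhouseUrl: http://oneprotect-clickhouse:8123/default
worker:
  eventSubscriptions:
    - log.event.received
    - other.event.accepted
EOF
cat > "$BAD_VALUES" <<'EOF'
clickhouse:
  enabled: true
config:
  clickhouseUrl: http://oneprotect-clickhouse:8123/default
worker:
  eventSubscriptions:
    - other.event.accepted
EOF

for f in "$GOOD_VALUES" "$BAD_VALUES"; do
    if check_aws_dev_values "$f"; then
        echo "OK: $f"
    else
        echo "BLOCK DEPLOY: $f"
    fi
done
```

Run it against the exported protected file before clicking approve; a non-zero exit from check_aws_dev_values means the chart would fail closed on that deploy. The awk helpers deliberately handle only the block-style layout shown, so an inline list (eventSubscriptions: [..]) or a quoted value is reported as missing rather than silently accepted.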

Keep the no-surge rollout strategy from values-aws-dev.yaml in the protected file as well. With ClickHouse running, the single-node dev cluster has enough room at steady state but little spare pod capacity for the default Deployment rollout, which schedules an extra pod alongside the old one during an update; a surge rollout there can stall with the new pod stuck Pending.