Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2110

[release-5.3] EO Self-generated certificates issue with Kibana when "logging.openshift.io/elasticsearch-cert-management: true" annotation is used

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • Logging 5.3.2
    • Logging 5.3.2
    • Log Storage
    • None
    • False
    • False
    • NEW
    • NEW
    • Logging (LogExp) - Sprint 212

    Description

      Description

      KIbana can't establish connection to the Elasticsearch with error: 

      {"type":"log","@timestamp":"2021-12-21T15:24:17Z","tags":["warning","elasticsearch","admin"],"pid":116,"message":"Unable to revive connection: https://elasticsearch.openshift-logging.svc:9200/"}
{"type":"log","@timestamp":"2021-12-21T15:24:17Z","tags":["warning","elasticsearch","admin"],"pid":116,"message":"No living connections"}

      In same time in Elasticsearch/proxy container got error:

      2021/12/21 15:33:51 http: TLS handshake error from 10.131.0.119:44492: tls: failed to verify client certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Logging Signing CA")

      In Elasticsearch operator pod logs:

      {"_ts":"2021-12-21T14:24:30.262503062Z","_level":"0","_component":"elasticsearch-operator_controller_kibana-controller","_message":"Reconciler error","_error":{"msg":"did not receive hashvalue for trusted CA value"},"name":"kibana","namespace":"openshift-logging"}

      Route Kibana also unavailable.

      How to reproduce

      Deploy CLO from PR: pull/1265

      Workaround: 

      oc delete deployment/kibana secret/kibana secret/kibana-proxy -n openshift-logging

      after recreating deployment and secrets, kibana pod can connect to the Elasticsearch and router works well.

      Possible issue

      A possible problem can be in race-condition for certificate generation, looks like Kibana and Elasticsearch certificates signed by different CA (signing-elasticsearch secret updated several times).

      Attachments

        Issue Links

          blocks

          Task - Represents a small unit of work that is not end-user facing. LOG-1923 Refactor CLO to request certificates from EO instead of creating them

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          clones

          Bug - A problem that impairs or prevents the functions of the product. LOG-2093 EO Self-generated certificates issue with Kibana when "logging.openshift.io/elasticsearch-cert-management: true" annotation is used

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          GitHub openshift/elasticsearch-operator#822: LOG-2093: adding a mutex to the functions which call certificate generation

          GitHub openshift/elasticsearch-operator#823: [release-5.3] LOG-2110: add a mutex to function generating certificates

          Activity

            People

              rhn-support-anli Anping Li
              vparfono Vitalii Parfonov
              Anping Li Anping Li
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: