Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2283

Add a setting to disable verification of TLS certificates

    XMLWordPrintable

Details

    • Insecure Dev Certificates
    • 1
    • True
    • Hide
      This epic was automatically marked as blocked because the resolution for a subtask has been set to Won't Do (or Won't Fix), indicating a functional team cannot support this epic. If you believe this occurred in error, please reach out to the functional team for help in getting this work into their queue.
      Show
      This epic was automatically marked as blocked because the resolution for a subtask has been set to Won't Do (or Won't Fix), indicating a functional team cannot support this epic. If you believe this occurred in error, please reach out to the functional team for help in getting this work into their queue.
    • False
    • Not Selected
    • NEW
    • In Progress
    • Impediment
    • VERIFIED
    • 0
    • 0% 0%
    • Logging (Core) - Sprint 215

    Description

      Use case

      I want to test TLS connections but I don't have valid certificates.

      Development and testing environments often do not have valid certificates signed by a well-known internet CA. Typically development certs

      • are self-signed or have a self-signed CA in their trust chain.
      • do not have a CN that matches the hostname they are installed on.

      Solution

      Add a TLS section to the OutputSpec output configuration for the cluster-logging-operator containing an option to disable verification (InsecureSkipVerify):

      // If InsecureSkipVerify is true, then the TLS client will be configured to ignore errors with certificates.
//
// This option is *not* recommended for production configurations.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`

      The setting should be documented as only for testing/debugging purpose, not to be used in production environments.

      Example usage:

      spec:
  outputs:
  - name: example-output
    type: elasticsearch
    url: https://es-with-custom-certificate:9200/
    tls:
      insecureSkipVerify: true

      Attachments

        Issue Links

          is related to

          Task - Represents a small unit of work that is not end-user facing. LOG-2284 Implement tls.insecure for kafka output only

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. LOG-2285 [vector] Implement tls.insecure for all output types

          • Undefined - Priority not specified.
          • Closed
          1.
          		 PX Tracker Sub-task Closed Undefined Unassigned
          2.
          		 Docs Tracker Sub-task Closed Undefined Unassigned
          3.
          		 QE Tracker Sub-task Closed Undefined Qiaoling Tang
          4.
          		 TE Tracker Sub-task Closed Undefined Unassigned

          Activity

            People

              rojacob@redhat.com Robert Jacob
              rhn-engineering-aconway Alan Conway
              Qiaoling Tang Qiaoling Tang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: