OpenShift Logging: LOG-2569

[openshift-logging] Expose only a HTTPS gateway route re-encrypting traffic to service


Details

    • Task
    • Resolution: Done
    • Log Storage, Loki
    • OBSDA-7 - Adopting Loki as an alternative to Elasticsearch to support more lightweight, easier to manage/operate storage scenarios
    • Logging (LogExp) - Sprint 219, Logging (LogExp) - Sprint 220, Log Storage - Sprint 221, Log Storage - Sprint 222

    Description

      As an Administrator, I want all public traffic to the LokiStack gateway to use the HTTPS protocol exclusively, and traffic to the gateway Kubernetes service to be re-encrypted using a reencrypt termination policy.

      Acceptance criteria

      • The Loki-Operator reconciles only an HTTPS route for the LokiStack gateway
      • The HTTPS route uses the reencrypt termination policy.

      Developer Notes

      • Adapt the current route spec to use the TLS termination policy `reencrypt`. This means TLS is terminated by the router and HTTPS is used to communicate with the backend.
      • Expose a new lokistack gateway server for the `tls.server` listener that is annotated with a cert-signing annotation, e.g.
        service.beta.openshift.io/serving-cert-secret-name: lokistack-dev-gateway-http
      • Ensure the observatorium-api exposes the API only via HTTPS on port 8080, e.g.:
        -tls.server.cert-file
        -tls.server.key-file 
      • Ensure the observatorium-api allows healthchecks on port 8080 via HTTPS, e.g.:
        -tls.healthchecks.server-ca-file
        -tls.healthchecks.server-name
        
      • Ensure all CA references use the auto-mounted service CA provided by the ServiceCAOperator (see the docs for details):
         /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
        
      • Ensure TLS for the server listener on port 8080 can be enabled/disabled via a feature flag, as is done for the metrics listener.
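      The objects the notes above describe, as an added example that is not code from the Loki Operator or this issue: resource names, namespace, labels and mount paths are assumptions, while the annotation, the flags and the service-ca path are taken from the notes.

```yaml
# Added example, not Loki Operator code: names, namespace, labels and mount paths are
# assumptions; the annotation, flags and service-ca path come from the issue notes.
apiVersion: v1
kind: Service
metadata:
  name: lokistack-dev-gateway-http
  namespace: openshift-logging
  annotations:
    # service-ca operator writes a serving cert/key for this Service into the named Secret
    service.beta.openshift.io/serving-cert-secret-name: lokistack-dev-gateway-http
spec:
  selector:
    app.kubernetes.io/name: lokistack-gateway
  ports:
    - name: public
      port: 8080
      targetPort: 8080
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: lokistack-dev-gateway
  namespace: openshift-logging
spec:
  to:
    kind: Service
    name: lokistack-dev-gateway-http
  port:
    targetPort: public
  tls:
    termination: reencrypt                  # router terminates TLS and re-encrypts to the pod
    insecureEdgeTerminationPolicy: Redirect # plain HTTP requests are redirected, never served
    # destinationCACertificate is omitted: the router trusts backends signed by the service CA
---
# Container fragment of the gateway Deployment (only the TLS-relevant parts)
containers:
  - name: gateway
    args:
      - -tls.server.cert-file=/var/run/tls/http/tls.crt   # from the serving-cert Secret
      - -tls.server.key-file=/var/run/tls/http/tls.key
      - -tls.healthchecks.server-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
      - -tls.healthchecks.server-name=lokistack-dev-gateway-http.openshift-logging.svc
    volumeMounts:
      - name: serving-cert
        mountPath: /var/run/tls/http
        readOnly: true
volumes:
  - name: serving-cert
    secret:
      secretName: lokistack-dev-gateway-http
```

      A quick check that only the reencrypt route exists is `oc get route -n openshift-logging -o custom-columns=NAME:.metadata.name,TLS:.spec.tls.termination`, which should list no route without `reencrypt`.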

            People

              rh-ee-mbouqsim Mohamed-Amine Bouqsimi (Inactive)
              ptsiraki@redhat.com Periklis Tsirakidis
