LOG-2843

tls.cert, tls.key and passphrase are not passed to the fluentd configuration when forwarding logs using syslog over TLS

      In previous releases of OpenShift Logging, when forwarding logs using syslog over TLS, the configuration for the fluentd log forwarder only contained the 'ca-bundle.crt' entry, but not the 'tls.crt', 'tls.key' or 'passphrase' entries, even when they were specified in the corresponding ClusterLogForwarder output. This issue has now been addressed, and ca-bundle.crt, tls.crt, tls.key and passphrase are all passed to the configuration of the fluentd log forwarder.

      Deploy RHOL

      $ oc get csv -n openshift-logging
      NAME                           DISPLAY                            VERSION   REPLACES   PHASE
      cluster-logging.5.4.3          Red Hat OpenShift Logging          5.4.3                Succeeded
      elasticsearch-operator.5.4.3   OpenShift Elasticsearch Operator   5.4.3                Succeeded
       

      Create a secret containing `ca-bundle.crt`, `tls.crt` and `tls.key`, to be referenced later by the ClusterLogForwarder output that sends to syslog:

      $ oc get secret syslog -o yaml 
      apiVersion: v1
      data:
        ca-bundle.crt: xxxxx
        tls.crt: xxxxx
        tls.key: xxxxx
      kind: Secret
      metadata:
        creationTimestamp: "2022-07-20T15:01:27Z"
        name: syslog
        namespace: openshift-logging
        resourceVersion: "7350054"
        uid: 5a4f01b3-e6f8-4f55-a284-9976217810a6
      type: Opaque

      Configure the ClusterLogForwarder to send logs to rsyslog over TLS:

      $ cat clusterlogforwarder.yaml
      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        labels:
          app.kubernetes.io/instance: logging
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
          - name: syslog
            secret:
              name: syslog
            syslog:
              addLogSource: true
              facility: syslog
              rfc: RFC3164
              severity: informational
            type: syslog
            url: 'tls://localhost:514'
        pipelines:
          - inputRefs:
              - application
            name: application-logs
            outputRefs:
              - syslog
      $ oc create -f clusterlogforwarder.yaml

      Check the generated fluentd configuration: it contains only the `ca-bundle.crt`, and neither the `tls.key` nor the `tls.crt`:

      $ oc get cm collector -o json |jq '.data."fluent.conf"' -r
      ...
        <match journal.** system.var.log**>
          @type remote_syslog
          @id syslog_journal
          host localhost
          port 514
          rfc rfc3164
          facility syslog
          severity informational
          program ${$.systemd.u.SYSLOG_IDENTIFIER}
          protocol tcp
          packet_size 4096
          hostname "#{ENV['NODE_NAME']}"
          tls true
          ca_file '/var/run/ocp-collector/secrets/syslog/ca-bundle.crt'
          timeout 60
          timeout_exception true
          keep_alive true
          keep_alive_idle 75
          keep_alive_cnt 9
          keep_alive_intvl 7200
          <format>
            @type json
          </format>
          <buffer $.systemd.u.SYSLOG_IDENTIFIER>
            @type file
            path '/var/lib/fluentd/syslog_journal'
            flush_mode interval
            flush_interval 1s
            flush_thread_count 2
            retry_type exponential_backoff
            retry_wait 1s
            retry_max_interval 60s
            retry_timeout 60m
            queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32'}"
            total_limit_size "#{ENV['TOTAL_LIMIT_SIZE_PER_BUFFER'] || '8589934592'}"
            chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '8m'}"
            overflow_action block
            disable_chunk_backup true
          </buffer>
        </match>
        <match **>
          @type remote_syslog
          @id syslog
          host localhost
          port 514
          rfc rfc3164
          facility syslog
          severity informational
          protocol tcp
          packet_size 4096
          hostname "#{ENV['NODE_NAME']}"
          tls true
          ca_file '/var/run/ocp-collector/secrets/syslog/ca-bundle.crt'
          timeout 60
          timeout_exception true
          keep_alive true
          keep_alive_idle 75
          keep_alive_cnt 9
          keep_alive_intvl 7200
          <format>
            @type json
          </format>
          <buffer>
            @type file
            path '/var/lib/fluentd/syslog'
            flush_mode interval
            flush_interval 1s
            flush_thread_count 2
            retry_type exponential_backoff
            retry_wait 1s
            retry_max_interval 60s
            retry_timeout 60m
            queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32'}"
            total_limit_size "#{ENV['TOTAL_LIMIT_SIZE_PER_BUFFER'] || '8589934592'}"
            chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '8m'}"
            overflow_action block
            disable_chunk_backup true
          </buffer>
        </match>
      </label>
      ....
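The reproduction above ends with a manual read of `fluent.conf`. As an added check (example code, not part of the issue or of the OpenShift Logging operator), the script below parses a generated `fluent.conf`, selects a `<match>` block by its `@id`, and, given the keys present in the output's secret, reports which TLS directives are missing. Directive names (`tls`, `ca_file`, `client_cert`, `client_cert_key`, `client_cert_key_password`) and secret keys are the ones shown in this issue's output; the sample configs and the secret JSON are constructed to mirror that output. The point it makes visible: with only `ca_file` emitted, the collector still connects with `tls true` but presents no client certificate, so an rsyslog endpoint that does not enforce mutual TLS accepts the connection and the missing client authentication goes unnoticed unless the rendered config is inspected.

```python
"""Check that a generated fluentd remote_syslog block carries the TLS material
present in a ClusterLogForwarder output secret.

Added example, not code from the OpenShift Logging operator or from the issue.
Directive names and secret keys are those shown in the issue's output; the
sample configs and secret JSON below are constructed, trimmed to the relevant
lines.
"""
import json
import re

# Secret key -> remote_syslog directive the operator must emit for it.
KEY_TO_DIRECTIVE = {
    "ca-bundle.crt": "ca_file",
    "tls.crt": "client_cert",
    "tls.key": "client_cert_key",
    "passphrase": "client_cert_key_password",
}

MATCH_BLOCK = re.compile(r"<match\b[^>]*>(.*?)</match>", re.DOTALL)
# A directive is the first word on a line; @-parameters and <tags> are skipped.
DIRECTIVE = re.compile(r"^[ \t]*([A-Za-z_]\w*)[ \t]", re.MULTILINE)


def match_blocks(conf):
    """Map each <match> block's @id to the text of its body."""
    blocks = {}
    for body in MATCH_BLOCK.findall(conf):
        m = re.search(r"^[ \t]*@id[ \t]+(\S+)", body, re.MULTILINE)
        if m:
            blocks[m.group(1)] = body
    return blocks


def secret_keys_from_json(secret_json):
    """Keys under .data of a Secret as printed by `oc get secret <name> -o json`."""
    return sorted(json.loads(secret_json).get("data", {}))


def missing_tls_directives(conf, match_id, secret_keys):
    """Return the TLS directives the named block should carry but does not.

    A tls:// output must at least switch TLS on; every key in the secret must
    additionally surface as its directive. With ca_file alone the collector
    negotiates TLS but presents no client certificate.
    """
    body = match_blocks(conf)[match_id]
    present = set(DIRECTIVE.findall(body))
    required = ["tls"] + [KEY_TO_DIRECTIVE[k] for k in secret_keys if k in KEY_TO_DIRECTIVE]
    return [d for d in required if d not in present]


def report(conf, match_id, secret_json):
    """One-line verdict for a given output."""
    missing = missing_tls_directives(conf, match_id, secret_keys_from_json(secret_json))
    return f"{match_id}: MISSING {', '.join(missing)}" if missing else f"{match_id}: OK"


# Constructed secret (placeholder base64 of 'xxxxx') with the keys used in the issue.
SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "syslog", "namespace": "openshift-logging"},
    "data": {"ca-bundle.crt": "eHh4eHg=", "tls.crt": "eHh4eHg=", "tls.key": "eHh4eHg="},
})

# Constructed sample of the pre-fix output: only ca_file is emitted for TLS.
BEFORE_CONF = """
  <match journal.** system.var.log**>
    @type remote_syslog
    @id syslog_journal
    host localhost
    port 514
    protocol tcp
    tls true
    ca_file '/var/run/ocp-collector/secrets/syslog/ca-bundle.crt'
  </match>
  <match **>
    @type remote_syslog
    @id syslog
    host localhost
    port 514
    protocol tcp
    tls true
    ca_file '/var/run/ocp-collector/secrets/syslog/ca-bundle.crt'
  </match>
"""

# Constructed sample of the fixed output, including the passphrase directive.
AFTER_CONF = """
  <match **>
    @type remote_syslog
    @id syslog
    host localhost
    port 514
    protocol tcp
    tls true
    client_cert_key '/var/run/ocp-collector/secrets/rsyslog/tls.key'
    client_cert '/var/run/ocp-collector/secrets/rsyslog/tls.crt'
    ca_file '/var/run/ocp-collector/secrets/rsyslog/ca-bundle.crt'
    client_cert_key_password "#{File.exists?('/var/run/ocp-collector/secrets/rsyslog/passphrase') ? open('/var/run/ocp-collector/secrets/rsyslog/passphrase', 'r') do |f|f.read end : ''}"
    timeout 60
  </match>
"""

if __name__ == "__main__":
    print(report(BEFORE_CONF, "syslog", SECRET_JSON))  # syslog: MISSING client_cert, client_cert_key
    print(report(AFTER_CONF, "syslog", SECRET_JSON))   # syslog: OK
```

On a live cluster, feed it `oc get cm collector -o json | jq -r '.data."fluent.conf"'` and `oc get secret <name> -o json`; the `@id` to pass is the one in the rendered block (`syslog` and `syslog_journal` in the output above). Selecting by `@id` matters because a directive present in one `<match>` block would otherwise mask its absence in another.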
    • Log Collection - Sprint 224, Log Collection - Sprint 225, Log Collection - Sprint 226

      When the ClusterLogForwarder is configured to forward logs using the syslog protocol over TLS and the secret contains `ca-bundle.crt`, `tls.key` and `tls.crt`, the configuration actually generated for fluentd defines only `ca-bundle.crt`, omitting `tls.key` and `tls.crt`.


            GitLab CEE Bot added a comment - CPaaS Service Account mentioned this issue in merge request !728 of openshift-logging / Log Collection Midstream on branch openshift-logging-5.5-rhel-8_upstream_382d8900e3c32fe8434190b9d9cb1343:

            Updated US source to: 1c84d31 Merge pull request #1839 from syedriko/syedriko-log2843-take-2-release-5.5-cherrypick

            GitLab CEE Bot added a comment - CPaaS Service Account mentioned this issue in merge request !701 of openshift-logging / Log Collection Midstream on branch openshift-logging-5.5-rhel-8_upstream_942709b698c7a35b98c3d504ecc75746:

            Updated US source to: 817f413 Merge pull request #1835 from openshift-cherrypick-robot/cherry-pick-1643-to-release-5.5

            Sergey Yedrikov added a comment - rhn-support-ocasalsa I've cloned this JIRA for 5.5 - https://issues.redhat.com/browse/LOG-3533 and started cherry-picking. Do we need to go as far back as 5.4?

            Qiaoling Tang added a comment - Test passed using cluster-logging-rhel8-operator/images/v5.6.0-16.

                 tls true
                 client_cert_key '/var/run/ocp-collector/secrets/rsyslog/tls.key'
                 client_cert '/var/run/ocp-collector/secrets/rsyslog/tls.crt'
                 ca_file '/var/run/ocp-collector/secrets/rsyslog/ca-bundle.crt'
                 client_cert_key_password "#{File.exists?('/var/run/ocp-collector/secrets/rsyslog/passphrase') ? open('/var/run/ocp-collector/secrets/rsyslog/passphrase', 'r') do |f|f.read end : ''}"

            GitLab CEE Bot added a comment - CPaaS Service Account mentioned this issue in merge request !195 of openshift-logging / Log Collection Midstream on branch openshift-logging-5.6-rhel-8_ upstream _1caae4555e1335676a8e91aa825c9a14 : Updated 2 upstream sources

            GitLab CEE Bot added a comment - CPaaS Service Account mentioned this issue in merge request !192 of openshift-logging / Log Collection Midstream on branch openshift-logging-5.6-rhel-8_ upstream _eb8fc3a95e5914f9e191c6540bd06be1 : Updated 2 upstream sources

            Sergey Yedrikov added a comment - qitang@redhat.com The PR that added support for passphrase has merged in the upstream, look for it on your end!

            Sergey Yedrikov added a comment - qitang@redhat.com Thanks for catching, I'll add passphrase.

            Qiaoling Tang added a comment - syedriko_sub@redhat.com I tested using the latest cluster-logging.v5.6.0; I can see `client_cert_key` and `client_cert` are added into fluent.conf when there are `tls.key` and `tls.crt` in the secret. However, when I add `passphrase` into the secret, I don't see the passphrase in fluent.conf.

            $ oc get secret rsyslog -oyaml
            apiVersion: v1
            data:
              ca-bundle.crt: LS0tLS1CRUdJTiS0tCg==
              passphrase: dGVzdHJlZGFodA==
              tls.crt: LS0tLS1CRUdJTitLQo=
              tls.key: LS0tLS1CRUBLRVktLS0tLQo=

            $ cat fluent.conf
                tls true
                client_cert_key '/var/run/ocp-collector/secrets/rsyslog/tls.key'
                client_cert '/var/run/ocp-collector/secrets/rsyslog/tls.crt'
                ca_file '/var/run/ocp-collector/secrets/rsyslog/ca-bundle.crt'
                timeout 60

            GitLab CEE Bot added a comment - CPaaS Service Account mentioned this issue in merge request !116 of openshift-logging / Log Collection Midstream on branch openshift-logging-5.6-rhel-8_ upstream _cc5ac5e5bfea83f255c33d63fbec3183 : Updated 3 upstream sources

              syedriko_sub@redhat.com Sergey Yedrikov
              rhn-support-ocasalsa Oscar Casal Sanchez
              Qiaoling Tang Qiaoling Tang