Bug
Resolution: Done
Minor
Logging 5.6.0
NEW
Impediment
VERIFIED
Log Collection - Sprint 226, Log Collection - Sprint 227, Log Collection - Sprint 228
Description of problem:
Add fluentd plugin for kafka support for passing a CA cert chain (i.e. root+intermediate certs)
Version-Release number of selected component (if applicable):
CLO 5.4, 5.5 (and possibly other older 5.x releases not tested)
Additional info:
We are seeing this message:
2022-09-14 16:24:48 +0000 [warn]: [kafka_legacy_oasis_tls] Send exception occurred: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)
It apparently can't support two CAs in the ca-bundle.crt to use for verification. The issue we have is almost exactly following this: https://github.com/fluent/fluent-plugin-kafka/issues/252
KCS (https://access.redhat.com/solutions/5676121) related to 4.6 states a workaround is possible, and BZ https://bugzilla.redhat.com/show_bug.cgi?id=1904380 states that a fix was released for 4.6.
But having checked the latest code, it seems the ssl_ca_cert attribute included in the fluentd configmap doesn't support an array of certs; I also checked the code and ssl_ca_cert seems to be of type string.
Is there anything being done to address this, as my customer is blocked atm and waiting on this?
#forum-logging slack thread:
https://coreos.slack.com/archives/CB3HXM2QK/p1663175510316379
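The failure mode reported above can be reproduced with Ruby's OpenSSL bindings alone. The following is an added example, not code from fluent-plugin-kafka or the Cluster Logging Operator; it assumes a client that hands the whole ca-bundle string to a single certificate parse, and all certificate names and helper functions are constructed for the demonstration.

```ruby
require "openssl"

# Constructed test PKI: root CA -> intermediate CA -> leaf (all names hypothetical).
def make_cert(cn, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Assumed weak handling: the bundle is treated as one certificate string.
# Certificate.new parses only the first PEM block and ignores the rest.
def store_from_single_parse(bundle_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(bundle_pem))
  store
end

# Corrected handling: split the bundle and trust every certificate in it.
PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
def store_from_bundle(bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(PEM_BLOCK).each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store
end

# The leaf is verified with no extra chain, modelling a broker that presents
# only its own certificate and relies on the client bundle for the intermediate.
def demo
  root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert("Example Root CA", root_key, nil, nil, ca: true)
  inter = make_cert("Example Intermediate CA", int_key, root, root_key, ca: true)
  leaf  = make_cert("kafka.example.test", leaf_key, inter, int_key, ca: false)
  bundle = root.to_pem + inter.to_pem # ca-bundle.crt with root + intermediate
  { single_parse: store_from_single_parse(bundle).verify(leaf),
    full_bundle: store_from_bundle(bundle).verify(leaf) }
end

p demo if $PROGRAM_NAME == __FILE__
```

With the single parse the intermediate never reaches the trust store, so verification of the leaf fails; loading every PEM block from the same bundle makes it succeed.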
is cloned by: LOG-3222 [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs (Closed)