  1. OpenShift Logging
  2. LOG-3180

fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs

    • Log Collection - Sprint 226, Log Collection - Sprint 227, Log Collection - Sprint 228

      Description of problem:

      Add fluentd plugin for kafka support for passing a CA cert chain (i.e. root+intermediate certs)

      Version-Release number of selected component (if applicable):

      CLO 5.4, 5.5 (and possibly other older 5.x releases not tested)

      Additional info:

      We are seeing this message:

      2022-09-14 16:24:48 +0000 [warn]: [kafka_legacy_oasis_tls] Send exception occurred: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error) 
      

      It apparently can't support two CAs in the ca-bundle.crt to use for verification. The issue we have is almost exactly the same as this one: https://github.com/fluent/fluent-plugin-kafka/issues/252

      KCS (https://access.redhat.com/solutions/5676121) related to 4.6 states a workaround is possible, and BZ https://bugzilla.redhat.com/show_bug.cgi?id=1904380 states that a fix was released for 4.6.

      But having checked the latest code, it seems the ssl_ca_cert attribute included in the fluentd configmap doesn't support an array of certs; I also checked the code and ssl_ca_cert seems to be of type string.
      Is there anything being done to address this? My customer is blocked atm and waiting on this.

      #forum-logging slack thread:
      https://coreos.slack.com/archives/CB3HXM2QK/p1663175510316379

              syedriko_sub@redhat.com Sergey Yedrikov
              rhn-support-ddelcian Daniel Del Ciancio
              Anping Li Anping Li
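
An illustration of why a single-string CA setting can fail with a root+intermediate bundle, added here as an example and not taken from the plugin or the operator: in Ruby, `OpenSSL::X509::Certificate.new` parses only the first PEM block of a string. The PKI, the names and the helper functions are constructed for the example, and it assumes the broker presents only its leaf certificate.

```ruby
require "openssl"

# Constructed test PKI helper: builds a certificate signed by `issuer` (self-signed if nil).
def make_cert(cn, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Single-string handling: the whole bundle is parsed as one certificate,
# so only the first PEM block ends up in the trust store.
def store_from_string(bundle_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(bundle_pem))
  store
end

# Bundle-aware handling: each PEM block is parsed and added separately.
def store_from_bundle(bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(PEM_BLOCK).each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store
end

# Constructed chain: root CA -> intermediate CA -> broker (leaf) certificate.
root, root_key = make_cert("constructed-root", ca: true, serial: 1)
inter, inter_key = make_cert("constructed-intermediate", issuer: root, issuer_key: root_key, ca: true, serial: 2)
leaf, = make_cert("constructed-broker", issuer: inter, issuer_key: inter_key, serial: 3)
BUNDLE = root.to_pem + inter.to_pem # stands in for a two-CA ca-bundle.crt
LEAF = leaf

# Returns true when the store can build a trusted chain for the broker certificate.
def trusts_broker?(store)
  store.verify(LEAF)
end

puts "single string: #{trusts_broker?(store_from_string(BUNDLE))}, split bundle: #{trusts_broker?(store_from_bundle(BUNDLE))}"
```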