Bug
Resolution: Done
Major
Logging 5.6.0
Description of problem:
LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config. For example, if we set a custom tlsSecurityProfile and create a LokiStack instance, LokiStack uses the custom profile. When we then update the tlsSecurityProfile to use another profile (e.g. old), LokiStack continues to use the custom profile.
Version-Release number of selected component (if applicable):
cluster-logging.v5.6.0
loki-operator.v5.6.0
Server Version: 4.11.0-0.nightly-2022-11-10-202051
How reproducible:
Always
Steps to Reproduce:
* Install the ClusterLogging and LokiStack 5.6.0 operators.
* Set a custom tlsSecurityProfile.
$ oc patch apiserver/cluster -p '{"spec":{"tlsSecurityProfile":{"custom":{"ciphers":["ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS12"},"type":"Custom"}}}' --type=merge
apiserver.config.openshift.io/cluster patched
* Create a LokiStack instance.
* Check the LokiStack components to see if the custom profile is used.
$ oc describe pod lokistack-instance-gateway-f9f4f5966-hfr6z | grep -iE "tls.cipher|tls.min-version|opa:|gateway:"
gateway:
--tls.min-version=VersionTLS12
--tls.min-version=VersionTLS12
--tls.cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
opa:
--tls.min-version=VersionTLS12
--tls.cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Check that other, non-logging services comply with the tlsSecurityProfile.
$ oc describe etcd cluster
Spec:
  Log Level:         Normal
  Management State:  Managed
  Observed Config:
    Control Plane:
      Replicas:  3
    Serving Info:
      Cipher Suites:
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      Min TLS Version:  VersionTLS12
  Operator Log Level:  Normal
* Change the tlsSecurityProfile to old.
$ oc get apiserver/cluster -o yaml
spec:
  audit:
    profile: Default
  tlsSecurityProfile:
    old: {}
    type: Old
* Wait for some time and check the LokiStack components again.
$ oc describe pod lokistack-instance-gateway-f9f4f5966-hfr6z | grep -iE "tls.cipher|tls.min-version|opa:|gateway:"
gateway:
--tls.min-version=VersionTLS12
--tls.min-version=VersionTLS12
--tls.cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
opa:
--tls.min-version=VersionTLS12
--tls.cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Check non-logging services.
$ oc describe etcd
Spec:
  Log Level:         Normal
  Management State:  Managed
  Observed Config:
    Control Plane:
      Replicas:  3
    Serving Info:
      Cipher Suites:
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_256_GCM_SHA384
        TLS_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
      Min TLS Version:  VersionTLS10
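The reproduction steps above boil down to one comparison: the TLS flags a LokiStack container runs with versus what the cluster tlsSecurityProfile currently says. The following shell functions, added here as an example and not part of this report or of loki-operator, automate that comparison offline on captured `oc describe pod` text. The profile-to-minimum-version mapping (Old = VersionTLS10, Intermediate = VersionTLS12, Modern = VersionTLS13) follows the OpenShift documentation; the function names and the sample input are assumptions constructed from the output quoted in this report.

```shell
# Added example; not part of the bug report or the loki-operator code base.
# Offline drift check: does the TLS min-version / cipher list a LokiStack container
# runs with still match the cluster tlsSecurityProfile? Input is `oc describe pod`
# text on stdin; the sample at the bottom is constructed from the output quoted above.

# Minimum TLS version implied by each predefined profile type (OpenShift docs).
# For "Custom" the caller passes spec.tlsSecurityProfile.custom.minTLSVersion as $2.
expected_min_tls() {
  case "$1" in
    Old)          echo VersionTLS10 ;;
    Intermediate) echo VersionTLS12 ;;
    Modern)       echo VersionTLS13 ;;
    Custom)       echo "${2:-unknown}" ;;
    *)            echo unknown ;;
  esac
}

# Print the value of flag --$2 for container $1, reading describe output on stdin.
# Container sections start with a "name:" line (as in the grep output in this report);
# the first matching flag inside that section wins.
pod_flag() {
  awk -v want="$1:" -v flag="--$2=" '
    { line = $0; sub(/^[ \t]+/, "", line) }      # tolerate oc describe indentation
    line == want { inside = 1; next }             # e.g. "gateway:" or "opa:"
    line ~ /^[A-Za-z0-9-]+:$/ { inside = 0 }      # any other "name:" header ends it
    inside && index(line, flag) == 1 { print substr(line, length(flag) + 1); exit }
  '
}

# $1 = profile type, $2 = custom minTLSVersion (or ""), $3 = container; stdin = describe
# output. Prints OK or DRIFT and returns 1 on drift so it can gate a compliance job.
check_min_tls() {
  want=$(expected_min_tls "$1" "$2")
  have=$(pod_flag "$3" tls.min-version)
  if [ "$want" = "$have" ]; then
    echo "OK: $3 --tls.min-version=$have matches profile $1"
    return 0
  fi
  echo "DRIFT: $3 runs --tls.min-version=${have:-<none>} but profile $1 expects $want"
  return 1
}

# Print every cipher in container $1's --tls.cipher-suites that is NOT in the
# comma-separated list $2 (e.g. the Cipher Suites etcd reports for the active profile).
ciphers_outside_profile() {
  expected=",$2,"
  pod_flag "$1" tls.cipher-suites | tr ',' '\n' | while read -r c; do
    case "$expected" in *",$c,"*) ;; *) echo "$c" ;; esac
  done
}

# Constructed sample: gateway pod flags after the profile was switched to Old
# (LokiStack still pins VersionTLS12 and the four custom ciphers).
SAMPLE_AFTER_OLD='gateway:
--tls.min-version=VersionTLS12
--tls.cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
opa:
--tls.min-version=VersionTLS12'

# Stand-alone run: the Custom profile still "matches", the Old profile reports drift.
printf '%s\n' "$SAMPLE_AFTER_OLD" | check_min_tls Custom VersionTLS12 gateway
printf '%s\n' "$SAMPLE_AFTER_OLD" | check_min_tls Old "" gateway || true
```

Against a live cluster, feed `oc describe pod <lokistack-gateway-pod>` into `check_min_tls` and take the profile type from `oc get apiserver/cluster -o jsonpath='{.spec.tlsSecurityProfile.type}'`; a non-zero exit is the signal that the operator has not reconciled the profile change, which is exactly the situation this report describes.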
Expected results:
LokiStack should reconcile to use the changed tlsSecurityProfile defined in the global apiserver/cluster config.