OpenShift Logging / LOG-3314

[fluentd] The passphrase can not be enabled when forwarding logs to Kafka


      Before this update, users encountered a limitation where they couldn't enable the passphrase for log forwarding to Kafka. This posed a security risk as sensitive information could be exposed.
      With this update, we have resolved the issue and now users can easily enable the passphrase for log forwarding to Kafka. This enhancement ensures secure transmission of log data, protecting it from unauthorized access.

    • Bug Fix
    • Log Collection - Sprint 235, Log Collection - Sprint 236, Log Collection - Sprint 237

      Description of problem:

      The passphrase is not enabled in fluentd.conf when a passphrase is present in the forwarder secret.

      By the way, there is already a known upstream issue: https://github.com/fluent/fluent-plugin-kafka/issues/382

      Version-Release number of selected component (if applicable):

      Logging 5.x

      How reproducible:

      always

      Steps to Reproduce:

      1. deploy kafka with ssl.client.auth=required
        git clone git@gitlab.cee.redhat.com:anli/aosqe-tools.git
        cd logging/log_template/kafka/kafka-2.4.1/
        sh 01_create-pki-cluster-client_passphase.sh
        sh 10_deploy-kafka-plaintext-sasl_ssl.sh
      2. use a certificate with a passphrase to forward logs to kafka
        sh 20_create-clf-kafka-mutual_sasl_ssl_passphase.sh
        #oc create secret generic kafka-fluentd --from-file=ca-bundle.crt=ca/ca_bundle.crt --from-file=tls.crt=client/client.crt --from-file=tls.key=client/client.key --from-literal=username=${kafka_user_name} --from-literal=password=${kafka_user_password} --from-literal=sasl_over_ssl=true --from-literal=sasl.enable=true --from-literal=sasl.mechanisms=PLAIN --from-literal=passphrase=aosqe2021 -n openshift-logging

      Actual results:

      #fluent.conf
      <label @KAFKA_APP>
        <match **>
          @type kafka2
          @id kafka_app
          brokers kafka.openshift-logging.svc.cluster.local:9093
          default_topic clo-topic
          use_event_time true
          username "#{File.exists?('/var/run/ocp-collector/secrets/kafka-fluentd/username') ? open('/var/run/ocp-collector/secrets/kafka-fluentd/username','r') do |f|f.read end : ''}"
          password "#{File.exists?('/var/run/ocp-collector/secrets/kafka-fluentd/password') ? open('/var/run/ocp-collector/secrets/kafka-fluentd/password','r') do |f|f.read end : ''}"
          ssl_client_cert_key '/var/run/ocp-collector/secrets/kafka-fluentd/tls.key'
          ssl_client_cert '/var/run/ocp-collector/secrets/kafka-fluentd/tls.crt'
          ssl_ca_cert '/var/run/ocp-collector/secrets/kafka-fluentd/ca-bundle.crt'
          sasl_over_ssl true
          <format>
            @type json
           .....
      </label>
      

      Expected results:

      #fluent.conf
      <label @KAFKA_APP>
        <match **>
          @type kafka2
         .....
          ssl_client_cert_key '/var/run/ocp-collector/secrets/kafka-fluentd/tls.key'
          # the line below is the one missing from the generated config today
          ssl_client_cert_key_password "#{File.exists?('/var/run/ocp-collector/secrets/kafka-fluentd/passphrase') ? open('/var/run/ocp-collector/secrets/kafka-fluentd/passphrase','r') do |f|f.read end : ''}"
             .....
      </label>
      
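The expected config above makes fluentd read the key passphrase from the mounted secret at load time, and that only helps if the passphrase in the secret actually unlocks tls.key. The Ruby below is an added example, not code from this issue, from fluent-plugin-kafka or from the cluster-logging-operator: it renders the TLS lines of the kafka2 block from the keys present in the secret (emitting ssl_client_cert_key_password only when a passphrase key exists) and runs a preflight check that the client key opens with that passphrase, which is the check a defender wants before rolling a passphrase-protected key into the forwarder. The helper names, the temporary replica of the secret mount and the generated RSA key are constructed for the example; the mount path and the passphrase value are taken from the issue.

```ruby
require 'openssl'
require 'tmpdir'

# Mount point of the forwarder secret inside the collector pod (path from the issue).
SECRET_DIR = '/var/run/ocp-collector/secrets/kafka-fluentd'.freeze

# Render the TLS lines of the kafka2 <match> block as the expected fluent.conf shows
# them. The ssl_client_cert_key_password line is emitted only when the secret
# carries a "passphrase" key; the other keys are always referenced by path.
# (Hypothetical helper; the operator's own template is not reproduced here.)
def render_kafka_tls_section(secret_dir, secret_keys)
  lines = [
    "ssl_client_cert_key '#{secret_dir}/tls.key'",
    "ssl_client_cert '#{secret_dir}/tls.crt'",
    "ssl_ca_cert '#{secret_dir}/ca-bundle.crt'"
  ]
  if secret_keys.include?('passphrase')
    pf = "#{secret_dir}/passphrase"
    # \#{ keeps the Ruby embedding literal so fluentd evaluates it when it loads the config.
    lines << %(ssl_client_cert_key_password "\#{File.exists?('#{pf}') ? open('#{pf}','r') do |f|f.read end : ''}")
  end
  lines
end

# Preflight check: can the client key in the secret be opened with the passphrase
# stored next to it? Distinguishes the ways this goes wrong before a rollout:
# an encrypted key with no passphrase key, a wrong passphrase, or a key that was
# never encrypted (so the passphrase is dead weight).
def check_client_key(secret_dir)
  pem = File.read(File.join(secret_dir, 'tls.key'))
  pass_file = File.join(secret_dir, 'passphrase')
  passphrase = File.exist?(pass_file) ? File.read(pass_file).strip : ''
  begin
    # An explicit (possibly empty) string avoids the interactive prompt that a nil
    # passphrase would trigger when stdin is a terminal.
    OpenSSL::PKey.read(pem, passphrase)
  rescue OpenSSL::OpenSSLError, ArgumentError
    return passphrase.empty? ? :passphrase_missing : :wrong_passphrase
  end
  passphrase.empty? ? :unencrypted_key : :ok
end

# Build a throw-away replica of the mounted secret with constructed sample data:
# a fresh RSA key, encrypted with the reproduction step's passphrase when asked.
def build_secret_dir(encrypt:, passphrase: 'aosqe2021', write_passphrase: encrypt)
  dir = Dir.mktmpdir('kafka-fluentd-')
  key = OpenSSL::PKey::RSA.generate(2048)
  pem = encrypt ? key.export(OpenSSL::Cipher.new('aes-256-cbc'), passphrase) : key.to_pem
  File.write(File.join(dir, 'tls.key'), pem)
  File.write(File.join(dir, 'passphrase'), passphrase) if write_passphrase
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = build_secret_dir(encrypt: true)
  puts render_kafka_tls_section(SECRET_DIR, Dir.children(dir))
  puts "preflight: #{check_client_key(dir)}"
end
```

Run it against a directory populated from the real secret (for example one produced by `oc extract`) instead of the constructed replica to validate a forwarder secret before the collector picks it up; a result other than :ok means the kafka2 output will fail TLS client authentication regardless of whether ssl_client_cert_key_password is rendered.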

      Additional info:

            vparfono Vitalii Parfonov
            rhn-support-anli Anping Li
            Anping Li Anping Li
