Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3445

[vector to loki] validation is not disabled when tls.insecureSkipVerify=true

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • Logging 5.7.2
    • Logging 5.5.5, Logging 5.6.0, Logging 5.7.0
    • Log Collection
    • False
    • None
    • False
    • NEW
    • NEW
    • Hide
      Before this update, CLO API require a certificate to be provided through K8s Secret if the tls.insecureSkipVerify option is set to true. With these changes, CLO API will no longer require a certificate to be provided through K8s Secret if the tls.insecureSkipVerify option is set to true. The following configuration will be added to the Vector config:
      tls.verify_certificate = false
      tls.verify_hostname = false
      Show
      Before this update, CLO API require a certificate to be provided through K8s Secret if the tls.insecureSkipVerify option is set to true. With these changes, CLO API will no longer require a certificate to be provided through K8s Secret if the tls.insecureSkipVerify option is set to true. The following configuration will be added to the Vector config: tls.verify_certificate = false tls.verify_hostname = false
    • Bug Fix
    • Critical
    • Customer Escalated

      Description of problem:

      When tls.insecureSkipVerify=true is configured in ClusterLogForwarder, the cluster-logging-operator should set tls.verify_hostname=false and tls.verify_certificate=false.

      And it seems the "Bearer Auth Config" section is added uselessly.

      How reproducible:

      Always

      Steps to Reproduce:

      1. deploy a loki service and expose via edge route( By the way: The certificate used by edge route is signed by kube-root-ca).

      git clone https://gitlab.cee.redhat.com/aosqe/aosqe-tools.git 

      sh aosqe-tools/logging/log_template/loki/01_deploy-loki.sh

      1.  

      Forward log to loki using insecure https.

       

      #!/usr/bin/env bash
      namespace=${1:-loki-aosqe}
      route_name=${2:-loki-server}
      
      
      
      loki_route=$(oc get route ${route_name} -n ${namespace} -o json |jq '.spec.host' -r)
      cat <<EOF | oc create -f -
      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
        - name: loki-route
          type: loki
          url: https://${loki_route}
          tls:
            insecureSkipVerify: true
        pipelines:
          - name: app-to-loki
            inputRefs:
            - application
            - infrastructure
            - audit
            outputRefs:
            - loki-route
      EOF
      

       

      1. check the vector.toml...

      Actual results:

       

      [sinks.loki_route]
       ......
       ......
      [sinks.loki_route.tls]
      enabled = true
      ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
      # Bearer Auth Config
      [sinks.loki_route.auth]
      strategy = "bearer"
      token = "xxxxx"
      

       

      Expected results:

      1)verify_certificate = false and verify_hostname =false

      2)drop Bearer Auth Config section.

       

       

      [sinks.loki_route.tls]
      enabled = true
      ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
      verify_certificate = false
      verify_hostname =false
       
      # Bearer Auth Config
      #[sinks.loki_route.auth]
      #strategy = "bearer"
      #token = "xxxxx
      

       

      Additional info:

       

            vparfono Vitalii Parfonov
            rhn-support-anli Anping Li
            Anping Li Anping Li
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: