Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: Logging 5.7.0
Affects Version/s: Logging 5.7.0
Component/s: Log Collection
Labels:
- devel_ack+
- no-rn

Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Log Collection OCP TLS Security Profile
Docs QE Status:
NEW
Feature Link:
OBSDA-160 - Comply with OCP cluster-wide cryptographic policies
QE Status:
NEW

Sprint:
Log Collection - Sprint 233, Log Collection - Sprint 234

SFDC Cases Links:
SFDC Cases Counter:

Description

Description of problem:

When forwarding logs to an external Loki instance without any client TLS certs, the tlsSecurityProfile configuration is not added to Loki sink in the generated Vector config.

Version-Release number of selected component (if applicable):

Cluster-logging.v5.7.0

Loki-operator.v5.7.0

Server Version: 4.13.0-0.nightly-2023-03-19-052243

How reproducible:

Always

Steps to Reproduce:

*Add a tlsSecurityProfile in the global apiserver/cluster config. If no config is set, intermediate profile will be used.

oc edit apiserver/cluster
 
spec:
  audit:
    profile: Default
  tlsSecurityProfile:
    intermediate: {}
    type: Intermediate

*Create secret in openshift-logging namespace for forwarding logs to an externally hosted HTTPS Loki instance.

oc create secret generic loki-client -n openshift-logging --from-literal=username=<Loki Grafana username> --from-literal=password=<loki Grafana API token>

*Create a CLF to forward to the external Loki instance with the tlsSecurityProfile feature gate enabled.

apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
  annotations:
    logging.openshift.io/preview-tls-security-profile: enabled
spec:
  outputs:
  - name: loki-server
    type: loki
    url: https://logs-prod3.grafana.net
    secret:
       name: loki-client
  pipelines:
    - name: to-loki
      inputRefs:
      - application
      outputRefs:
      - loki-server

*Create a ClusterLogging instance.

apiVersion: "logging.openshift.io/v1"
kind: "ClusterLogging"
metadata:
  name: "instance" 
  namespace: "openshift-logging"
spec:
  managementState: "Managed"  
  collection:
    type: vector

*Extract and check the Vector config.

[sinks.loki_server]
type = "loki"
inputs = ["loki_server_remap"]
endpoint = "https://logs-prod3.grafana.net"
out_of_order_action = "accept"
healthcheck.enabled = false
 
[sinks.loki_server.encoding]
codec = "json"
 
[sinks.loki_server.labels]
kubernetes_container_name = "{{kubernetes.container_name}}"
kubernetes_host = "${VECTOR_SELF_NODE_NAME}"
kubernetes_namespace_name = "{{kubernetes.namespace_name}}"
kubernetes_pod_name = "{{kubernetes.pod_name}}"
log_type = "{{log_type}}"
 
# Basic Auth Config
[sinks.loki_server.auth]
strategy = "basic"
user = "REDACTED"
password = "REDACTED"
[transforms.add_nodename_to_metric]
type = "remap"
inputs = ["internal_metrics"]
source = '''
.tags.hostname = get_env_var!("VECTOR_SELF_NODE_NAME")
'''

Additional info:

*However if we add tls certs for the Loki output secret and create a CLF to forward logs to an external Lokistack instance, the tlsSecurityProfile ciphers and min TLS version is added to the generated Vector config.

oc -n openshift-logging create secret generic lokistack-gateway-bearer-token --from-literal=token=$TOKEN  --from-literal=ca-bundle.crt="$(oc -n openshift-logging get cm lokistack-instance-ca-bundle -o json | jq -r '.data."service-ca.crt"')"

apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
  annotations:
    logging.openshift.io/preview-tls-security-profile: enabled
spec:
  outputs:
   - name: loki-app
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/
     secret:
       name: lokistack-gateway-bearer-token
   - name: loki-infra
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/
     secret:
       name: lokistack-gateway-bearer-token
   - name: loki-audit
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/
     secret:
       name: lokistack-gateway-bearer-token
  pipelines:
   - name: send-app-logs
     inputRefs:
     - application
     outputRefs:
     - loki-app
   - name: send-infra-logs
     inputRefs:
     - infrastructure
     outputRefs:
     - loki-infra
   - name: send-audit-logs
     inputRefs:
     - audit
     outputRefs:
     - loki-audit

Example sink config generated for app logs.

[sinks.loki_app.tls]
enabled = true
min_tls_version = "VersionTLS12"
ciphersuites = "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384"
ca_file = "/var/run/ocp-collector/secrets/lokistack-gateway-bearer-token/ca-bundle.crt"

Attachments

Issue Links

links to

openshift/cluster-logging-operator#1933: LOG-3824: fix loki tls security profile

mentioned on

Merge request - Updated US source to: 718a8c8 Merge pull request #1933 from jcantrill/log3824

Activity

People

Assignee:: Jeffrey Cantrill

Reporter:: Ishwar Kanse

QA Contact:: Ishwar Kanse

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2023/03/21 11:30 AM

Updated:: 2023/05/06 1:43 AM

Resolved:: 2023/05/06 1:43 AM