Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: Logging 5.6.4
Affects Version/s: Logging 5.5.8
Component/s: Log Collection
Labels:
- devel_ack+

Blocked:
False
Blocked Reason:
None
Ready:
False
Docs QE Status:
NEW
QE Status:
NEW
Release Note Text:

Hide
Before this update, Cluster Logging Operator would generate incorrect configuration when tls.insecureSkipVerify was set to true, as result fails to send to an elasticsearch when trying to skip the certificates validation

After this update, Cluster Logging Operator now generates the correct TLS configuration even when tls.insecureSkipVerify is enabled, as result data sent succesfully to an elasticsearch when trying to skip the certificates validation.

Show
Before this update, Cluster Logging Operator would generate incorrect configuration when tls.insecureSkipVerify was set to true, as result fails to send to an elasticsearch when trying to skip the certificates validation After this update, Cluster Logging Operator now generates the correct TLS configuration even when tls.insecureSkipVerify is enabled, as result data sent succesfully to an elasticsearch when trying to skip the certificates validation.
Intelligence Requested:
Market:

Severity:
Important

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Description of problem:

When defined in the clusterLogForwarder the `tls.insecureSkipVerify: true` in conjunction with `type: elasticsearch`, the configuration generated is not skipping the validation of the certificates

This bug is similar to the same described between vector when configured to send to Loki: https://issues.redhat.com/browse/LOG-3445

Version-Release number of selected component (if applicable):

$ oc get csv
NAME                           DISPLAY                            VERSION   REPLACES   PHASE
cluster-logging.5.5.8          Red Hat OpenShift Logging          5.5.8                Succeeded
elasticsearch-operator.5.5.8   OpenShift Elasticsearch Operator   5.5.8                Succeeded

How reproducible:

Always

Steps to Reproduce:

Create clusterLogging instance using fluentd collector:

spec:
  collection:
    logs:
      fluentd:
        resources: {}
      type: fluentd
...

Create a clusterlogforwarder configuration where the output.type is elasticsearch and used tls.insecureSkipVerify: true

spec:
  outputs:
  - name: elasticsearch
    tls:
      insecureSkipVerify: true
    type: elasticsearch
    url: https://localhost:9200
  pipelines:
  - inputRefs:
    - application
    - infrastructure
    name: container-logs
    outputRefs:
    - elasticsearch

Review the configuration generated where it's not skipped the certificates verification:

oc get cm collector -o json |jq '.data."fluent.conf"' -r|
...
  <match **>
    @type elasticsearch
    @id elasticsearch
    host localhost
    port 9200
    verify_es_version_at_startup false
    scheme https
    ssl_version TLSv1_2
    target_index_key viaq_index_name
    id_key viaq_msg_id
    remove_keys viaq_index_name
    type_name _doc
    retry_tag retry_elasticsearch
    http_backend typhoeus
    write_operation create
    # https://github.com/uken/fluent-plugin-elasticsearch#suppress_type_name
    suppress_type_name 'true'
    reload_connections 'true'
    # https://github.com/uken/fluent-plugin-elasticsearch#reload-after
    reload_after '200'
    # https://github.com/uken/fluent-plugin-elasticsearch#sniffer-class-name
    sniffer_class_name 'Fluent::Plugin::ElasticsearchSimpleSniffer'
    reload_on_failure false
    # 2 ^ 31
    request_timeout 2147483648
...