  1. OpenShift Logging
  2. LOG-4242

Vector pods raise `Configuration error` when forwarding to cloudwatch/googlecloudlogging with tlsSecurityProfile configured.

Details

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Before this update, 'enabled = true' was added to the TLS configuration for AWS CloudWatch logs and GCP Stackdriver after upgrading Vector to the new version. With this update, 'enabled = true' will be removed for these outputs.
    • Log Collection - Sprint 237, Log Collection - Sprint 238

    Description

      Description of problem:

      Vector pods are stuck in `Error` status and raise the error below when forwarding to cloudwatch with tlsSecurityProfile configured:

      2023-06-19T01:11:52.564773Z ERROR vector::cli: Configuration error. error=unknown field `enabled`, expected one of `verify_certificate`, `verify_hostname`, `alpn_protocols`, `ca_file`, `crt_file`, `key_file`, `key_pass`, `min_tls_version`, `ciphersuites`
      in `sinks.cw` 

      vector.toml:

       [sinks.cw.tls]
       enabled = true
       min_tls_version = "VersionTLS12"
       ciphersuites = "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256" 

      Version-Release number of selected component (if applicable):

      openshift-logging/cluster-logging-rhel9-operator/images/v5.8.0-55

      openshift-logging/vector-rhel9/images/v0.28.1-1

      How reproducible:

      Always

      Steps to Reproduce:

      1. Add the configuration below to apiserver/cluster:

        tlsSecurityProfile:
          custom:
            ciphers:
            - ECDHE-ECDSA-CHACHA20-POLY1305
            - ECDHE-RSA-CHACHA20-POLY1305
            - ECDHE-RSA-AES128-GCM-SHA256
            - ECDHE-ECDSA-AES128-GCM-SHA256
            minTLSVersion: VersionTLS12
          type: Custom 

      2. Create a CLF with:

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        annotations:
          logging.openshift.io/preview-tls-security-profile: enabled
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
        - cloudwatch:
            groupBy: logType
            groupPrefix: logging-47052-qitang-l5lkb
            region: us-east-2
          name: cw
          secret:
            name: cw-secret-qvxhzyad
          type: cloudwatch
        pipelines:
        - detectMultilineErrors: false
          inputRefs:
          - infrastructure
          - audit
          - application
          name: to-cloudwatch
          outputRefs:
          - cw 

      3. Deploy Vector pods:

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogging
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        collection:
          type: vector
        managementState: Managed 

      4. Check the collector pods

      Actual results:

      Collector pods can't start.

      Expected results:

      Collector pods should start.

      Additional info:

          People

            vparfono Vitalii Parfonov
            qitang@redhat.com Qiaoling Tang
            Qiaoling Tang Qiaoling Tang
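Added example, not part of the original report or the operator's code: a pre-rollout check that scans a generated vector.toml for TLS keys that the CloudWatch and Stackdriver sinks reject, using the accepted-field list from the error message in the description. The function name, the Vector sink type strings (`aws_cloudwatch_logs`, `gcp_stackdriver_logs`, `elasticsearch`) and the sample config are assumptions made for illustration.

```python
import re

# Fields the Vector error quoted in the report lists as accepted in the sink's tls table.
ACCEPTED_TLS_FIELDS = {
    "verify_certificate", "verify_hostname", "alpn_protocols", "ca_file",
    "crt_file", "key_file", "key_pass", "min_tls_version", "ciphersuites",
}
# Assumed Vector sink types for the two outputs the report names.
AFFECTED_SINK_TYPES = {"aws_cloudwatch_logs", "gcp_stackdriver_logs"}
TABLE_RE = re.compile(r"^\[sinks\.([A-Za-z0-9_-]+)(\.tls)?\]\s*(#.*)?$")
KEY_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.*)$")

def unknown_tls_fields(toml_text):
    """Return sorted (sink, field) pairs that the affected sinks would reject."""
    # Assumes generated-style TOML: one key per line, unquoted sink names.
    sink_types, tls_keys = {}, {}
    sink, in_tls = None, False
    for raw in toml_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # any table header ends the current table
            m = TABLE_RE.match(line)
            sink, in_tls = (m.group(1), bool(m.group(2))) if m else (None, False)
            continue
        m = KEY_RE.match(line)
        if not m or sink is None:
            continue
        key, value = m.groups()
        if in_tls:
            tls_keys.setdefault(sink, []).append(key)
        elif key == "type":
            sink_types[sink] = value.strip().strip('"')
    return sorted((name, key) for name, keys in tls_keys.items()
                  if sink_types.get(name) in AFFECTED_SINK_TYPES
                  for key in keys if key not in ACCEPTED_TLS_FIELDS)

# Constructed sample: the report's [sinks.cw.tls] keys plus assumed sink headers.
SAMPLE = """
[sinks.cw]
type = "aws_cloudwatch_logs"
[sinks.cw.tls]
enabled = true
min_tls_version = "VersionTLS12"
[sinks.es]
type = "elasticsearch"
[sinks.es.tls]
enabled = true
"""
if __name__ == "__main__":
    print(unknown_tls_fields(SAMPLE))
```

A non-empty result means the collector would exit with the `Configuration error` shown in the description, so the check can gate a rollout before collector pods restart and log forwarding stops.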