Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: Logging 5.7.4
Affects Version/s: Logging 5.7.4
Component/s: Log Collection
Labels:
- devel_ack+

Blocked:
False
Blocked Reason:
None
Ready:
False
Docs QE Status:
NEW
QE Status:
VERIFIED
Release Note Text:
Before this update, if add 'enabled = true' to the TLS configuration for AWS Cloudwatch logs and GCP Stackdriver after upgrading Vector to the new version. With this update, 'enabled = true' will be removed for these outputs.
Intelligence Requested:
Market:

Sprint:
Log Collection - Sprint 237, Log Collection - Sprint 238

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Description of problem:

Vector pods stuck in `Error` status and raise below error when forwarding to cloudwatch with tlsSecurityProfile configured:

2023-06-19T01:11:52.564773Z ERROR vector::cli: Configuration error. error=unknown field `enabled`, expected one of `verify_certificate`, `verify_hostname`, `alpn_protocols`, `ca_file`, `crt_file`, `key_file`, `key_pass`, `min_tls_version`, `ciphersuites`
in `sinks.cw`

vector.toml:

 [sinks.cw.tls]
 enabled = true
 min_tls_version = "VersionTLS12"
 ciphersuites = "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256"

Version-Release number of selected component (if applicable):

openshift-logging/cluster-logging-rhel9-operator/images/v5.8.0-55

openshift-logging/vector-rhel9/images/v0.28.1-1

How reproducible:

Always

Steps to Reproduce:

1. add below configurations to apiserver/cluster

  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS12
    type: Custom

2. create CLF with:

apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  annotations:
    logging.openshift.io/preview-tls-security-profile: enabled
  name: instance
  namespace: openshift-logging
spec:
  outputs:
  - cloudwatch:
      groupBy: logType
      groupPrefix: logging-47052-qitang-l5lkb
      region: us-east-2
    name: cw
    secret:
      name: cw-secret-qvxhzyad
    type: cloudwatch
  pipelines:
  - detectMultilineErrors: false
    inputRefs:
    - infrastructure
    - audit
    - application
    name: to-cloudwatch
    outputRefs:
    - cw

3. deploy vector pods:

apiVersion: logging.openshift.io/v1
kind: ClusterLogging
metadata:
  name: instance
  namespace: openshift-logging
spec:
  collection:
    type: vector
  managementState: Managed

4. check collector pods

Actual results:

Collector pods can't start.

Expected results:

Collector pods should start.

Additional info:

links to

openshift/cluster-logging-operator#2062: LOG-4242: remove 'enabled = true' from TLS config for Cloudwatch and GCL outputs

openshift/cluster-logging-operator#2110: [release-5.7] LOG-4242: remove 'enabled = true' from TLS config for Cloudwatch and GCL outputs

mentioned on

Merge request - Updated US source to: 1add407 Merge pull request #2062 from vparfonov/log4242

Merge request - Updated US source to: aef37eb Merge pull request #2073 from syedriko/syedriko-del-init-container-builder

Merge request - Updated US source to: cf84160 Merge pull request #2110 from openshift-cherrypick-robot/cherry-pick-2062-to-release-5.7

Assignee:: Vitalii Parfonov

Reporter:: Qiaoling Tang

QA Contact:: Qiaoling Tang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2023/06/19 5:33 AM

Updated:: 2023/08/02 1:49 PM

Resolved:: 2023/08/02 1:49 PM

Details

Description

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates