Observability and Data Analysis Program
OBSDA-648

OpenShift Logging should trust the "service-ca" certificate to allow logforwarding to internal components of the same OpenShift cluster over HTTPS


Details

    • Type: Feature
    • Resolution: Unresolved
    • Logging 5.8
    • Components: Log Collection, PM Logging

    Description

      Proposed title of this feature request

      OpenShift Logging should trust the "service-ca" certificate to allow log forwarding to internal components of the same OpenShift cluster over HTTPS without having to create a secret containing the CA.

      What is the nature and description of the request?

      • OpenShift Logging should trust the "service-ca" certificate to allow logforwarding to internal components of the same OpenShift cluster over HTTPS.
      • OpenShift Logging should trust the service CA certificate of the cluster itself (this is expected from every OpenShift component that allows communication with internal customer components).
      • OpenShift Logging should forward its data over a verified HTTPS connection to a service running in the same cluster as the collectors.
      • As long as the destination endpoint for Logforwarding is inside the same OpenShift cluster, using the "service serving certificates" must be possible
        https://docs.openshift.com/container-platform/4.14/security/certificates/service-serving-certificate.html

      This is important because it avoids the creation of a secret with the CA. If a secret is created containing the cluster `service-ca` and that `service-ca` is later rotated, the collectors start to fail log forwarding until someone manually recreates the secret with the new CA.

      If the collectors trusted the CA bundle of the OS in `/etc/pki/ca-trust/*`, the cluster `service-ca` could be imported there using the `ca-certificates` command.
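      The following is an added example, not part of this ticket or of the Cluster Logging Operator. It shows the workaround the request wants to make unnecessary: pinning the service CA in a secret that a ClusterLogForwarder `http` output references, sourcing the CA from the `openshift-service-ca.crt` ConfigMap that the service-ca operator injects into every namespace, and a drift check that reports when the pinned CA no longer matches the one the cluster currently serves (the failure mode described above). The receiver Service `log-receiver.log-receiver.svc:8443`, the secret name `in-cluster-receiver-ca`, and the output and pipeline names are hypothetical; the ClusterLogForwarder schema assumed is `logging.openshift.io/v1` as used by Logging 5.x.

```shell
#!/usr/bin/env sh
# Added example (not from OBSDA-648 or the Cluster Logging Operator): pin the
# in-cluster service CA in a secret for a ClusterLogForwarder output, and detect
# when a service-ca rotation has left that secret stale.
# Assumptions (hypothetical): receiver Service log-receiver in namespace
# log-receiver on port 8443, secret name in-cluster-receiver-ca.
set -eu

LOGGING_NS="openshift-logging"
SECRET_NAME="in-cluster-receiver-ca"                               # hypothetical
RECEIVER_URL="https://log-receiver.log-receiver.svc:8443/logs"     # hypothetical

# Pure helper: SHA-256 over the PEM text with whitespace/CR stripped, so two
# copies of the same CA compare equal regardless of line endings or padding.
pem_digest() {
  tr -d ' \t\r' < "$1" | sed '/^$/d' | sha256sum | cut -d' ' -f1
}

# Pure helper: prints "in-sync" when the pinned CA ($1) equals the CA the
# cluster currently serves ($2), "drifted" otherwise. "drifted" means the
# collectors are validating the receiver against a CA that no longer signs it.
ca_drift_status() {
  if [ "$(pem_digest "$1")" = "$(pem_digest "$2")" ]; then
    echo "in-sync"
  else
    echo "drifted"
  fi
}

# Cluster-side: read the service CA from the injected ConfigMap and (re)create
# the secret. The key the collector expects for the CA is ca-bundle.crt.
refresh_ca_secret() {
  ca="$(oc -n "$LOGGING_NS" get configmap openshift-service-ca.crt \
          -o jsonpath='{.data.service-ca\.crt}')"
  oc -n "$LOGGING_NS" create secret generic "$SECRET_NAME" \
     --from-literal=ca-bundle.crt="$ca" \
     --dry-run=client -o yaml | oc apply -f -
}

# Cluster-side: compare the pinned CA in the secret with the current service CA.
check_cluster_drift() {
  pinned="$(mktemp)"; current="$(mktemp)"
  oc -n "$LOGGING_NS" get secret "$SECRET_NAME" \
     -o jsonpath='{.data.ca-bundle\.crt}' | base64 -d > "$pinned"
  oc -n "$LOGGING_NS" get configmap openshift-service-ca.crt \
     -o jsonpath='{.data.service-ca\.crt}' > "$current"
  ca_drift_status "$pinned" "$current"
  rm -f "$pinned" "$current"
}

# Cluster-side: point an http output at the in-cluster receiver, using the
# pinned CA secret for TLS verification.
apply_forwarder() {
  oc apply -f - <<EOF
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: ${LOGGING_NS}
spec:
  outputs:
  - name: in-cluster-receiver
    type: http
    url: ${RECEIVER_URL}
    secret:
      name: ${SECRET_NAME}
  pipelines:
  - name: app-to-receiver
    inputRefs: [application]
    outputRefs: [in-cluster-receiver]
EOF
}

case "${1:-}" in
  setup) refresh_ca_secret; apply_forwarder ;;   # create secret + forwarder
  check) check_cluster_drift ;;                  # report in-sync / drifted
  *) ;;                                          # no argument: only define functions
esac
```

      Run `sh this.sh setup` once, then `sh this.sh check` periodically (or from a CronJob); a result of `drifted` is exactly the situation the ticket describes, and the fix is to run `setup` again. Having to do this at all is the manual intervention the request asks the operator to remove.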

      Why does the customer need this? (List the business requirements)

      If the CA is provided through a secret, then every time the `service-ca` is rotated at the cluster level (which can happen automatically), the collectors will fail to deliver the logs.

      The collectors should trust the OpenShift service CA of the cluster they run in. This avoids manual secret creation and any manual intervention when the `service-ca` is rotated, so that log forwarding is not disrupted.

      List any affected packages or components.
      Cluster Logging Operator
      Collectors

      People

        jamparke@redhat.com Jamie Parker
        rhn-support-ocasalsa Oscar Casal Sanchez
        Votes: 3
        Watchers: 7