OBSDOCS-802 (Observability Documentation)

TLS section and command for creating the secret are incomplete

      URL

      About forwarding logs to third-party systems
      Creating a secret

      Description

      This issue has two parts related to the same.

      ISSUE 1

      In the section Transport Layer Security (TLS), it's said:

          Using a TLS URL (http://... or ssl://...) without a secret enables basic TLS server-side authentication. Additional TLS features are enabled by including a secret and setting the following optional fields:
              passphrase: (string) Passphrase to decode an encoded TLS private key. Requires tls.key.
              ca-bundle.crt: (string) File name of a customer CA for server authentication.
      

      This is partially wrong. If mTLS is used, the `tls.crt` is also needed, as explained in some examples of the documentation in this same section, where it says:

      If using a tls prefix, you must specify the name of the secret required by the endpoint for TLS communication. The secret must exist in the openshift-logging project and have tls.crt, tls.key, and ca-bundle.crt keys that each point to the certificates they represent.
      

       
      The explanation of tls.crt and tls.key should therefore also be added to the sentence about the passphrase and ca-bundle.crt.

      Also, the verification could be skipped, as indicated in the documentation bug OBSDOCS-773.

      ISSUE 2

      Taking the previous into consideration, the Creating a Secret section also does not document how to create the `tls.key` and `tls.crt` and, at the same time, the `passphrase`. The example could look like:

      oc create secret generic -n openshift-logging <secret_name> \
        --from-file=ca-bundle.crt=<your_bundle_file> \
        --from-file=tls.key=<your_tls_key_file> \
        --from-file=tls.crt=<your_tls_crt_file> \
        --from-literal=passphrase=<your_passphrase> \
        --from-literal=username=<your_username> \
        --from-literal=password=<your_password>
      
      ISSUE 3

      Taking the previous into consideration, in the Creating a Secret section, the text before the example says:

      You can create a secret in the directory that contains your certificate and key files by using the following command:
      

      Really, this text does not reflect what can be done. The secret can also contain the username and password and the CA and, importantly, it needs to be highlighted that not all the fields are needed; the fields that are not needed should be removed from the command for creating the secret.

              Unassigned Unassigned
              rhn-support-ocasalsa Oscar Casal Sanchez
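
An added example, not taken from the documentation or from the issue: a shell function that prints the `oc create secret generic` command with only the fields that were supplied, and rejects the combination the TLS section rules out (`passphrase` without `tls.key`). The function name and the environment variable names are assumptions of this example.

```sh
#!/bin/sh
# Added example: nothing here is run against a cluster, the command is only printed.
# Assumed inputs (environment variables, names chosen for this example):
#   CA_BUNDLE, TLS_CRT, TLS_KEY     file paths
#   PASSPHRASE, USERNAME, PASSWORD  literal values

build_secret_cmd() {
  local name ns flags nl
  name=$1
  ns=${2:-openshift-logging}
  flags=
  nl='
'
  # Mutual TLS: the client certificate and its private key go together.
  if [ -n "${TLS_CRT:-}${TLS_KEY:-}" ] && { [ -z "${TLS_CRT:-}" ] || [ -z "${TLS_KEY:-}" ]; }; then
    echo "error: tls.crt and tls.key must be supplied together" >&2
    return 1
  fi
  # The TLS section states that passphrase requires tls.key.
  if [ -n "${PASSPHRASE:-}" ] && [ -z "${TLS_KEY:-}" ]; then
    echo "error: passphrase requires tls.key" >&2
    return 1
  fi

  # Emit a flag only for the fields that were provided.
  if [ -n "${CA_BUNDLE:-}" ];  then flags="$flags \\$nl  --from-file=ca-bundle.crt=$CA_BUNDLE"; fi
  if [ -n "${TLS_CRT:-}" ];    then flags="$flags \\$nl  --from-file=tls.crt=$TLS_CRT"; fi
  if [ -n "${TLS_KEY:-}" ];    then flags="$flags \\$nl  --from-file=tls.key=$TLS_KEY"; fi
  if [ -n "${PASSPHRASE:-}" ]; then flags="$flags \\$nl  --from-literal=passphrase=$PASSPHRASE"; fi
  if [ -n "${USERNAME:-}" ];   then flags="$flags \\$nl  --from-literal=username=$USERNAME"; fi
  if [ -n "${PASSWORD:-}" ];   then flags="$flags \\$nl  --from-literal=password=$PASSWORD"; fi

  # With no fields there is nothing to store: a TLS URL without a secret
  # already gives basic server-side authentication.
  if [ -z "$flags" ]; then
    echo "error: no fields given, no secret is needed" >&2
    return 1
  fi
  printf '%s\n' "oc create secret generic -n $ns $name$flags"
}
```

Values passed with `--from-literal` are recorded in shell history and are visible in the process list while the command runs.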