Bug
Resolution: Done
Normal
rhos-17.1.4
openstack-tripleo-heat-templates-14.3.1-17.1.20250516123839.e7c7ce3.el8ost
openstack-tripleo-heat-templates-14.3.1-17.1.20250512221013.e7c7ce3.el9ost
Moderate
Description of problem:
In a TLS-e RHOSP 17.1 environment, the deployment creates empty RsyslogElasticsearch TLS certs and keys when customers do not define them in the templates because they don't need an encrypted connection between the overcloud nodes and Elasticsearch, causing rsyslog to fail to connect to the collector [1].
Version-Release number of selected component (if applicable):
RHOSP 17.1
How reproducible:
always
Steps to Reproduce:
1. deploy using tls-e
2. enable log collection to elasticsearch as described in our docs [2] without defining any additional RsyslogElasticsearchTls* parameters
Actual results:
empty certs/key files are created and rsyslog fails to connect to elasticsearch due to this
Expected results:
certs/key files not getting created by deployment when not defined in the templates.
Additional info:
- trying to use "tripleo::profile::base::logging::rsyslog::enable_internal_tls: false" [3] did not help
- removing line #108 from deployment/logging/rsyslog-container-puppet.yaml [4] fixed the issue
[0]
8<--------8<-------8<-------8<--------
tls.cacert="/etc/rsyslog.d/es-ca-cert.crt"
tls.mycert="/etc/rsyslog.d/es-client-cert.pem"
tls.myprivkey="/etc/rsyslog.d/es-client-key.pem"
8<--------8<-------8<-------8<--------
[1]
8<--------8<-------8<-------8<--------
2024-11-06T09:58:11.571530728+01:00 stderr F rsyslogd: omelasticsearch: we are suspending ourselfs due to server failure 58: could not load PEM client certificate, OpenSSL error error:0480006C:PEM routines::no start line, (no key found, wrong pass phrase, or wrong file format?) [v8.2102.0-113.el9_2.1 try https://www.rsyslog.com/e/2007 ]
8<--------8<-------8<-------8<--------
[2]
8<--------8<-------8<-------8<--------
parameter_defaults:
  RsyslogElasticsearchSetting:
    uid: "elastic"
    pwd: "yourownpassword"
    skipverifyhost: "on"
    allowunsignedcerts: "on"
    server: "https://openstack-log-storage.elasticsearch.tld"
    serverport: 443
8<--------8<-------8<-------8<--------
[3]
8<--------8<-------8<-------8<--------
parameter_defaults:
  ControllerExtraConfig:
    tripleo::profile::base::logging::rsyslog::enable_internal_tls: false
  ComputeExtraConfig:
    tripleo::profile::base::logging::rsyslog::enable_internal_tls: false
8<--------8<-------8<-------8<--------
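A check for the condition described in this report, given as an added example that is not part of the original report or the project's code: it reads the tls.* settings shown in [0] and reports any referenced file that is missing, zero-length, or has no PEM header (the "no start line" error in [1]). The function name, the optional root-prefix argument and the demo fixture are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): flag TLS files that an rsyslog
# config references but that are missing, empty, or carry no PEM header.

# check_rsyslog_tls_files CONF [ROOT]
# Prints "STATUS param path" for each tls.cacert/tls.mycert/tls.myprivkey
# setting in CONF. ROOT is an assumed optional prefix, e.g. a container
# root or test fixture. Returns 1 if any referenced file is not usable.
check_rsyslog_tls_files() {
    _conf=$1
    _root=${2:-}
    _out=$(grep -oE 'tls\.(cacert|mycert|myprivkey)="[^"]*"' "$_conf" |
        tr -d '"' |
        while IFS='=' read -r _param _path; do
            _f="$_root$_path"
            if [ ! -e "$_f" ]; then _st=MISSING
            elif [ ! -s "$_f" ]; then _st=EMPTY      # the case in this report
            elif ! grep -q -e '-----BEGIN ' "$_f"; then _st=NOT_PEM
            else _st=OK
            fi
            printf '%s %s %s\n' "$_st" "$_param" "$_path"
        done)
    [ -n "$_out" ] && printf '%s\n' "$_out"
    # Succeed only when every reported line is OK (or nothing was referenced).
    ! printf '%s\n' "$_out" | grep -qvE '^OK |^$'
}

# Constructed fixture: the settings from [0] pointing at zero-byte files.
demo() {
    _d=$(mktemp -d)
    mkdir -p "$_d/etc/rsyslog.d"
    cat > "$_d/es.conf" <<'EOF'
tls.cacert="/etc/rsyslog.d/es-ca-cert.crt"
tls.mycert="/etc/rsyslog.d/es-client-cert.pem"
tls.myprivkey="/etc/rsyslog.d/es-client-key.pem"
EOF
    for _n in es-ca-cert.crt es-client-cert.pem es-client-key.pem; do
        : > "$_d/etc/rsyslog.d/$_n"
    done
    _rc=0
    check_rsyslog_tls_files "$_d/es.conf" "$_d" || _rc=$?
    rm -rf "$_d"
    return "$_rc"
}

demo || :
```

On a deployed node the function would be pointed at the generated rsyslog configuration file; a non-zero exit with `EMPTY` lines matches the failure reported here.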
- account is impacted by: OSPRH-12495 BZ#2329120 RsyslogElasticsearch tls certs and keys are always created even when an encrypted connection is not required (Closed)