shouldn't add ssl_client_cert and ssl_client_cert_key if no tls.crt and tls.key in kafka secret

Description of problem:
For server-authenticated-only TLS, if the Kafka cluster is using a self-signed certificate, I create the secret using only the ca-bundle.crt:

  oc create secret generic kafka --from-file=ca-bundle.crt=ca.crt

Three ssl variables are added into fluentd.conf, and fluentd couldn't be started as there are no tls.crt and tls.key. The CLO should add ssl_ca_cert only.

  ssl_ca_cert '/var/run/ocp-collector/secrets/kafka/ca-bundle.crt'
  ssl_client_cert '/var/run/ocp-collector/secrets/kafka/tls.crt'
  ssl_client_cert_key '/var/run/ocp-collector/secrets/kafka/tls.key'

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. oc create secret generic kafka --from-file=ca-bundle.crt=ca.crt
2. Create the ClusterLogForwarder CR:

  apiVersion: logging.openshift.io/v1
  kind: ClusterLogForwarder
  metadata:
    name: instance
    namespace: openshift-logging
  spec:
    outputs:
    - name: kafka
      type: kafka
      url: tls://my-cluster-kafka-bootstrap.openshift-operators.svc.cluster.local:9093/bridge-quickstart-topic
      secret:
        name: kafka
    pipelines:
    - name: test-app
      inputRefs:
      - application
      outputRefs:
      - kafka

3. Check the fluentd.conf:

  <label @KAFKA>
    <match **>
      @type kafka2
      brokers my-cluster-kafka-bootstrap.openshift-operators.svc.cluster.local:9093
      default_topic bridge-quickstart-topic
      ssl_ca_cert '/var/run/ocp-collector/secrets/kafka/ca-bundle.crt'
      ssl_client_cert '/var/run/ocp-collector/secrets/kafka/tls.crt'
      ssl_client_cert_key '/var/run/ocp-collector/secrets/kafka/tls.key'
      <format>
        @type json
      </format>
      <buffer bridge-quickstart-topic>
        @type file
        path '/var/lib/fluentd/kafka'
        flush_interval 1s
        flush_thread_count 2
        flush_at_shutdown false
        retry_max_interval 300
        retry_forever true
        queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32' }"
        chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '8m' }"
        overflow_action "#{ENV['BUFFER_QUEUE_FULL_ACTION'] || 'block'}"
      </buffer>
    </match>
  </label>

4. Check the fluentd pod status:

  oc logs fluentd-2khbm
  2020-07-14 17:40:52 +0000 [error]: unexpected error error_class=Errno::ENOENT error="No such file or directory @ rb_sysopen - /var/run/ocp-collector/secrets/kafka/tls.crt"
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/kafka_plugin_util.rb:41:in `read'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/kafka_plugin_util.rb:41:in `read_ssl_file'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/out_kafka2.rb:108:in `refresh_client'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/out_kafka2.rb:181:in `start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:200:in `block in start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:179:in `block (2 levels) in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:121:in `block (2 levels) in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:120:in `each'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:120:in `block in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:113:in `each'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:113:in `lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:178:in `block in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:175:in `each'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:175:in `lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:199:in `start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/engine.rb:248:in `start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/engine.rb:147:in `run'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/supervisor.rb:592:in `block in run_worker'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/supervisor.rb:823:in `main_process'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/supervisor.rb:586:in `run_worker'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/command/fluentd.rb:338:in `<top (required)>'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:59:in `require'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:59:in `require'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/bin/fluentd:8:in `<top (required)>'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/bin/fluentd:23:in `load'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/bin/fluentd:23:in `<main>'
  2020-07-14 17:40:52 +0000 [error]: unexpected error error_class=Errno::ENOENT error="No such file or directory @ rb_sysopen - /var/run/ocp-collector/secrets/kafka/tls.crt"

Expected Result:
The CLO only adds ssl_ca_cert when there is only ca-bundle.crt in the kafka secret.
@Peri, this varies from TP based on the enhancement proposal [1] which states "Client-authenticated TLS is enabled if url is secure and secretRef has keys tls.crt, tls.key, ca-bundle.crt" [1] https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-log-forwarding.md#security
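The rule the report asks for and the enhancement proposal quoted above describe the same decision: look at which keys the output secret actually carries and emit only the ssl_* settings those keys can back. The Go program below is an added example written for this page, not code from the cluster-logging-operator. The function names (secretKeysFromJSON, kafkaTLSConfig), the sample Secret JSON (constructed; its data value is base64 of the placeholder string "dummy-ca", not a real certificate), and two policy choices are assumptions: ca-bundle.crt is always required for a tls:// output, and a secret that carries tls.crt without tls.key (or the reverse) is rejected up front instead of being rendered into a config that fluentd then fails to load, which is exactly the ENOENT failure mode in the report. The mount path is the one seen in the quoted fluentd.conf.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Mount directory of output secrets inside the collector pod, taken from
// the fluentd.conf quoted in the report.
const secretMountDir = "/var/run/ocp-collector/secrets"

// k8sSecret is the subset of a Kubernetes Secret object this example reads.
// Values under "data" are base64 encoded, as printed by `oc get secret kafka -o json`.
type k8sSecret struct {
	Data map[string]string `json:"data"`
}

// secretKeysFromJSON decodes the "data" map of a Secret into raw bytes.
// Hypothetical helper for this example; not CLO code.
func secretKeysFromJSON(raw []byte) (map[string][]byte, error) {
	var s k8sSecret
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("parse secret: %w", err)
	}
	out := make(map[string][]byte, len(s.Data))
	for k, v := range s.Data {
		b, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			return nil, fmt.Errorf("key %q: %w", k, err)
		}
		out[k] = b
	}
	return out, nil
}

// kafkaTLSConfig renders the ssl_* lines of a fluentd kafka2 <match> block
// from the keys present in the output secret. Hypothetical name; not CLO code.
//
//   ca-bundle.crt only                   -> server-authenticated TLS: ssl_ca_cert only
//   ca-bundle.crt + tls.crt + tls.key    -> client-authenticated TLS: all three settings
//   tls.crt without tls.key (or reverse) -> error; never emit a half pair that makes
//                                           fluentd fail at start-up with ENOENT
//
// Assumptions of this example: ca-bundle.crt is always required, and an empty
// value counts as absent.
func kafkaTLSConfig(secretName string, keys map[string][]byte) ([]string, error) {
	present := func(k string) bool {
		v, ok := keys[k]
		return ok && len(v) > 0
	}
	hasCA, hasCert, hasKey := present("ca-bundle.crt"), present("tls.crt"), present("tls.key")

	if !hasCA {
		return nil, fmt.Errorf("secret %q: ca-bundle.crt is required for a tls:// output", secretName)
	}
	if hasCert != hasKey {
		return nil, fmt.Errorf("secret %q: tls.crt and tls.key must be provided together", secretName)
	}
	path := func(file string) string {
		return secretMountDir + "/" + secretName + "/" + file
	}

	lines := []string{fmt.Sprintf("ssl_ca_cert '%s'", path("ca-bundle.crt"))}
	if hasCert {
		lines = append(lines,
			fmt.Sprintf("ssl_client_cert '%s'", path("tls.crt")),
			fmt.Sprintf("ssl_client_cert_key '%s'", path("tls.key")),
		)
	}
	return lines, nil
}

// sampleSecretJSON is a constructed stand-in for `oc get secret kafka -o json`
// after `oc create secret generic kafka --from-file=ca-bundle.crt=ca.crt`.
// The data value is base64 of the placeholder "dummy-ca", not a real certificate.
const sampleSecretJSON = `{"kind":"Secret","metadata":{"name":"kafka"},"data":{"ca-bundle.crt":"ZHVtbXktY2E="}}`

func main() {
	keys, err := secretKeysFromJSON([]byte(sampleSecretJSON))
	if err != nil {
		panic(err)
	}
	lines, err := kafkaTLSConfig("kafka", keys)
	if err != nil {
		panic(err)
	}
	// For the report's secret this prints only the ssl_ca_cert line.
	fmt.Println(strings.Join(lines, "\n"))
}
```

Rejecting a half pair at reconciliation time rather than rendering it is the practical point: a config error surfaced by the operator is visible in the CR status, whereas the rendered-but-unloadable config in the report only shows up as a crash-looping collector pod.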
Verified on the PR. The fix hasn't been merged into downstream.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196