Bug 1856940 - Should support ca only kafka secret
Summary: Should support ca only kafka secret
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.6.0
Assignee: Periklis Tsirakidis
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-14 17:56 UTC by Anping Li
Modified: 2020-10-27 16:14 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:14:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-logging-operator pull 602 0 None closed Bug 1856940: Add kafka mTLS conditional support 2020-09-30 18:51:52 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:14:52 UTC

Description Anping Li 2020-07-14 17:56:05 UTC 
shouldn't add ssl_client_cert and ssl_client_cert_key if no tls.crt and tls.key in kafka secret

Description of problem:
For Server-authenticated only TLS, if the Kakfa cluster is using self-assigned certificate.  I create the secret using only the ca-bundle.crt 'oc create secret generic kafka --from-file=ca-bundle.crt=ca.crt'.  

Three ssl variables into fluentd.conf, the fluentd couldn't be started as no tls.crt and tls.key.   The CLO should add ssl_ca_cert only.
 ssl_ca_cert '/var/run/ocp-collector/secrets/kafka/ca-bundle.crt'
 ssl_client_cert '/var/run/ocp-collector/secrets/kafka/tls.crt'
 ssl_client_cert_key '/var/run/ocp-collector/secrets/kafka/tls.key'


Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
Always

1.oc create secret generic kafka --from-file=ca-bundle.crt=ca.crt 
2.oc create ClusterLogForwarder CR
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    - name: kafka
      type: kafka
      url: tls://my-cluster-kafka-bootstrap.openshift-operators.svc.cluster.local:9093/bridge-quickstart-topic
      secret: 
        name: kafka
  pipelines:
    - name: test-app
      inputRefs:
      - application
      outputRefs:
      - kafka

3. Check the fluentd.conf
 <label @KAFKA>
      <match **>
        @type kafka2
        brokers my-cluster-kafka-bootstrap.openshift-operators.svc.cluster.local:9093
        default_topic bridge-quickstart-topic
        ssl_ca_cert '/var/run/ocp-collector/secrets/kafka/ca-bundle.crt'
        ssl_client_cert '/var/run/ocp-collector/secrets/kafka/tls.crt'
        ssl_client_cert_key '/var/run/ocp-collector/secrets/kafka/tls.key'
        <format>
          @type json
        </format>
        <buffer bridge-quickstart-topic>
          @type file
          path '/var/lib/fluentd/kafka'
          flush_interval 1s
          flush_thread_count 2
          flush_at_shutdown false
          retry_max_interval 300
          retry_forever true
          queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32' }"
          chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '8m' }"
          overflow_action "#{ENV['BUFFER_QUEUE_FULL_ACTION'] || 'block'}"
        </buffer>
      </match>
    </label>
4. Check the fluentd pod status
 oc logs fluentd-2khbm
2020-07-14 17:40:52 +0000 [error]: unexpected error error_class=Errno::ENOENT error="No such file or directory @ rb_sysopen - /var/run/ocp-collector/secrets/kafka/tls.crt"
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/kafka_plugin_util.rb:41:in `read'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/kafka_plugin_util.rb:41:in `read_ssl_file'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/out_kafka2.rb:108:in `refresh_client'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluent-plugin-kafka-0.13.0/lib/fluent/plugin/out_kafka2.rb:181:in `start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:200:in `block in start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:179:in `block (2 levels) in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:121:in `block (2 levels) in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:120:in `each'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:120:in `block in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:113:in `each'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/agent.rb:113:in `lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:178:in `block in lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:175:in `each'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:175:in `lifecycle'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/root_agent.rb:199:in `start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/engine.rb:248:in `start'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/engine.rb:147:in `run'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/supervisor.rb:592:in `block in run_worker'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/supervisor.rb:823:in `main_process'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/supervisor.rb:586:in `run_worker'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/lib/fluent/command/fluentd.rb:338:in `<top (required)>'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:59:in `require'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:59:in `require'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/share/gems/gems/fluentd-1.9.2/bin/fluentd:8:in `<top (required)>'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/bin/fluentd:23:in `load'
  2020-07-14 17:40:52 +0000 [error]: /opt/rh/rh-ruby25/root/usr/local/bin/fluentd:23:in `<main>'
2020-07-14 17:40:52 +0000 [error]: unexpected error error_class=Errno::ENOENT error="No such file or directory @ rb_sysopen - /var/run/ocp-collector/secrets/kafka/tls.crt"


Expected Result:
The CLO only add ssl_ca_cert when there is only ca-bundle.crt in kafka secret
Comment 1 Jeff Cantrill 2020-07-14 22:01:57 UTC 
@Peri, this varies from TP based on the enhancement proposal [1] which states "Client-authenticated TLS is enabled if url is secure and secretRef has keys tls.crt, tls.key, ca-bundle.crt"

[1] https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-log-forwarding.md#security
Comment 4 Anping Li 2020-07-23 17:18:56 UTC 
Verified on the PR. the fix hasn't  been merged into downstream.
Comment 6 errata-xmlrpc 2020-10-27 16:14:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
Note You need to log in before you can comment on or make changes to this bug.