Bug 1890072 - Log forwarding API with multiple outputs same secret cause issues
Summary: Log forwarding API with multiple outputs same secret cause issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.5
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Alan Conway
QA Contact: Qiaoling Tang
Rolfe Dlugy-Hegwer
URL:
Whiteboard: logging-core
Depends On:
Blocks: 1929419
Reported: 2020-10-21 10:15 UTC by Ahmed Anwar
Modified: 2021-03-30 01:45 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, the fluentd collector pod went into a crash loop when the ClusterLogForwarder had multiple outputs using the same secret. The current release fixes this issue. Now, multiple outputs can share a secret. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1890072[*1890072*])
Clone Of:
: 1929419
Environment:
Last Closed: 2021-02-24 11:21:19 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift cluster-logging-operator pull 823 | 0 | None | closed | Bug 1888943: ClusterLogForwarder with Output.Secret causes fluentd crash loop | 2021-02-16 13:12:04 UTC
Red Hat Product Errata RHBA-2021:0652 | 0 | None | None | None | 2021-02-24 11:22:12 UTC

Description Ahmed Anwar 2020-10-21 10:15:59 UTC
Description of problem:

When configuring a log forwarding instance with multiple outputs which use the same secret, the CLO fails to update the ds/fluentd.


Version-Release number of selected component (if applicable):

$ oc get clusterversions.config.openshift.io 
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.13    True        False         14d     Cluster version is 4.5.13

$ oc get csv
NAME                                           DISPLAY                          VERSION                 REPLACES                                       PHASE
clusterlogging.4.5.0-202010090328.p0           Cluster Logging                  4.5.0-202010090328.p0   clusterlogging.4.5.0-202009240830.p0           Succeeded
elasticsearch-operator.4.5.0-202010081312.p0   Elasticsearch Operator           4.5.0-202010081312.p0   elasticsearch-operator.4.5.0-202009260615.p0   Succeeded


Steps to Reproduce:
1. Create the secret for TLS communication with an external fluentd

oc create secret generic external-fluentd --from-file=tls.crt=fluentd.crt --from-file=tls.key=fluentd.key --from-file=ca-bundle.crt=ROOT+CA.crt --from-literal=shared_key=blaa

2. Create a log forwarding instance with the below resource

apiVersion: logging.openshift.io/v1alpha1
kind: LogForwarding
metadata:
  name: instance
  namespace: openshift-logging
spec:
  disableDefaultForwarding: true
  outputs:
    - name: external-fluentd-1
      type: forward
      endpoint: 'fluentd-01.luji.io:24224'
      secret:
        name: external-fluentd
    - name: external-fluentd-2
      type: forward
      endpoint: 'fluentd-02.luji.io:24224'
      secret:
        name: external-fluentd
  pipelines:
    - name: app-pipeline
      inputType: logs.app
      outputRefs:
        - external-fluentd-1
        - external-fluentd-2
    - name: infra-pipeline
      inputType: logs.infra
      outputRefs:
        - external-fluentd-1
        - external-fluentd-2
    - name: clo-default-audit-pipeline
      inputType: logs.audit
      outputRefs:
        - external-fluentd-1
        - external-fluentd-2


Actual results:

The CLO cannot update ds/fluentd with the secret, and starts throwing the error below:

{"level":"error","ts":1603274734.4781244,"logger":"kubebuilder.controller","msg":"Reconciler error","controller":"logforwarding-controller","request":"openshift-logging/instance","error":"Unable to reconcile collection for \"instance\": Failure creating Fluentd Daemonset DaemonSet.apps \"fluentd\" is invalid: spec.template.spec.containers[0].volumeMounts[16].mountPath: Invalid value: \"/var/run/ocp-collector/secrets/external-fluentd\": must be unique","stacktrace":"github.com/openshift/cluster-logging-operator/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217\ngithub.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}                                                           
{"level":"error","ts":1603274734.785573,"logger":"kubebuilder.controller","msg":"Reconciler error","controller":"trustedcabundle-controller","request":"openshift-logging/fluentd-trusted-ca-bundle","error":"Failure creating Fluentd Daemonset DaemonSet.apps \"fluentd\" is invalid: spec.template.spec.containers[0].volumeMounts[16].mountPath: Invalid value: \"/var/run/ocp-collector/secrets/external-fluentd\": must be unique","stacktrace":"github.com/openshift/cluster-logging-operator/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:217\ngithub.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:158\ngithub.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\ngithub.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134\ngithub.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/openshift/cluster-logging-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}                                                                                          


Expected results:

The CLO must update the ds/fluentd correctly and new pods must roll out using the same secret.


Additional info:

The issue occurred with a customer while configuring log forwarding using the API to send the logs to five external fluentd instances, all using the same credentials/certificate. As a workaround we created five secrets, each one corresponding to an output.

The solution isn't practical because when the certificates need rotation, the same action must be applied on 5 identical resources.

//edited
Just putting the configuration which worked:

Create the secret

oc create secret generic external-fluentd-01 --from-file=tls.crt=fluentd.crt --from-file=fluentd.key=mail.key --from-file=ca-bundle.crt=ROOT+CA.crt --from-literal=shared_key=blaa
oc create secret generic external-fluentd-02 --from-file=tls.crt=fluentd.crt --from-file=fluentd.key=mail.key --from-file=ca-bundle.crt=ROOT+CA.crt --from-literal=shared_key=blaa

Create the logforwarding instance

apiVersion: logging.openshift.io/v1alpha1
kind: LogForwarding
metadata:
  name: instance
  namespace: openshift-logging
spec:
  disableDefaultForwarding: true
  outputs:
    - name: external-fluentd-1
      type: forward
      endpoint: 'fluentd-01.luji.io:24224'
      secret:
        name: external-fluentd-01
    - name: external-fluentd-2
      type: forward
      endpoint: 'fluentd-02.luji.io:24224'
      secret:
        name: external-fluentd-02
  pipelines:
    - name: app-pipeline
      inputType: logs.app
      outputRefs:
        - external-fluentd-1
        - external-fluentd-2
    - name: infra-pipeline
      inputType: logs.infra
      outputRefs:
        - external-fluentd-1
        - external-fluentd-2
    - name: clo-default-audit-pipeline
      inputType: logs.audit
      outputRefs:
        - external-fluentd-1
        - external-fluentd-2

Which results in:

$ oc describe ds fluentd
Name:           fluentd                                
Selector:       component=fluentd,logging-infra=fluentd,provider=openshift
Node-Selector:  kubernetes.io/os=linux
... output truncated ...
    Mounts:
      /etc/docker from dockerdaemoncfg (ro)
      /etc/fluent/configs.d/secure-forward from secureforwardconfig (ro)
... output truncated ...
      /var/log from varlog (rw)                         
      /var/run/ocp-collector/secrets/external-fluentd-01 from external-fluentd-1 (rw)
      /var/run/ocp-collector/secrets/external-fluentd-02 from external-fluentd-2 (rw)
  Volumes:   
   runlogjournal:                                       
    Type:          HostPath (bare host directory volume)
    Path:          /run/log/journal
... output truncated ...
   external-fluentd-1:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  external-fluentd-01
    Optional:    false
   external-fluentd-2:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  external-fluentd-02
    Optional:    false
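
As an added illustration, not the operator's own code (the real fix is in the linked PR 823), a minimal Go model of the two mount-generation strategies behind the "must be unique" error above: a per-output mount whose path is derived from the secret name, which collides as soon as two outputs share a secret, beside a per-secret mount that deduplicates, together with the uniqueness check the DaemonSet update failed on. The Output type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"path"
)

// Output is the subset of a ClusterLogForwarder output that matters here
// (constructed for this example; not the operator's real type).
type Output struct{ Name, Secret string } // Secret is spec.outputs[].secret.name ("" if none)

const secretMountRoot = "/var/run/ocp-collector/secrets"

// buggyMountPaths reproduces the defect: one mount per output, with the path
// derived from the secret name, so outputs sharing a secret repeat a mountPath.
func buggyMountPaths(outputs []Output) []string {
	var paths []string
	for _, o := range outputs {
		if o.Secret != "" {
			paths = append(paths, path.Join(secretMountRoot, o.Secret))
		}
	}
	return paths
}

// fixedMountPaths mounts each distinct secret once; outputs that share a
// secret share the mount, which is the behaviour the errata describes.
func fixedMountPaths(outputs []Output) []string {
	seen := map[string]bool{}
	var paths []string
	for _, o := range outputs {
		if o.Secret != "" && !seen[o.Secret] {
			seen[o.Secret] = true
			paths = append(paths, path.Join(secretMountRoot, o.Secret))
		}
	}
	return paths
}

// validateMountPaths applies the uniqueness rule the DaemonSet update failed on.
func validateMountPaths(paths []string) error {
	seen := map[string]bool{}
	for i, p := range paths {
		if seen[p] {
			return fmt.Errorf("volumeMounts[%d].mountPath: Invalid value: %q: must be unique", i, p)
		}
		seen[p] = true
	}
	return nil
}
```

Run against the two-output spec from the description, the buggy generator fails validation with the same message shape as the reconciler error, while the fixed generator yields a single shared mount.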

Comment 1 Alan Conway 2020-12-22 15:33:19 UTC
Fixed by PR https://github.com/openshift/cluster-logging-operator/pull/823 awaiting merge.

Comment 3 Qiaoling Tang 2021-02-03 01:25:11 UTC
Verified with cluster-logging.5.0.0-34. Fluentd can forward logs to different receivers with same secret.

Comment 6 errata-xmlrpc 2021-02-24 11:21:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Errata Advisory for Openshift Logging 5.0.0), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0652

