Bug 1904380 - Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)

[syedriko]

Description

Bug 1904380 - Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)

• Upgraded Kafka to 2.7.0
• Switched the kafka logforwarding test to run over TLS
• The Kafka broker certificate chain is Server - Intermediate CA - Root CA
• Added Java Key Store generation functions

/cc @alanconway
/assign @jcantrill

Links

• Depending on PR(s): Bug 1904380: Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate) origin-aggregated-logging#2068
• Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1904380

[syedriko]

/test e2e-operator

[syedriko]

@jcantrill Could you bless this

[jcantrill]

/approve

[jcantrill]

Why are we using a specific sha in stead of a more digestible version number that is easier to document?

[syedriko]

There's no tag for 2.7.0, it's just "latest". Between latest and sha I picked sha.

[syedriko]

I'm not actually sure it's a good idea to rely on images from Docker Hub now that they introduced rate limiting. We could start with copying these to quay. Or better yet switch to Strimzi.

[jcantrill]

if you have concerns, feel free to push to quay.io/openshift-logging. Seems reasonable for us to have a controlled copy of the image against which we test.

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[syedriko]

/test e2e-operator

[openshift-ci-robot]

@syedriko: This pull request references Bugzilla bug 1904380, which is invalid:

• expected the bug to target the "4.8.0" release, but it targets "4.6.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1904380: Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@syedriko: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

Bug 1904380 - Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[syedriko]

/test e2e-operator

[syedriko]

@jcantrill yea? nay?

[alanconway]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alanconway, syedriko

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [alanconway]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[syedriko]

/cherrypick release-5.0

[openshift-cherrypick-robot]

@syedriko: #936 failed to apply on top of branch "release-5.0":

Applying: Bug 1904380 - Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate) - Upgraded Kafka to 2.7.0 and pushed images to quay.io - Switched the kafka logforwarding test to run over TLS - The Kafka broker certificate chain is Server - Intermediate CA - Root CA - Added Java Key Store generation functions - Removed Kafka consumer output to stdio to avoid recursive logs
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
CONFLICT (content): Merge conflict in vendor/modules.txt
Auto-merging go.sum
Auto-merging go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Bug 1904380 - Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate) - Upgraded Kafka to 2.7.0 and pushed images to quay.io - Switched the kafka logforwarding test to run over TLS - The Kafka broker certificate chain is Server - Intermediate CA - Root CA - Added Java Key Store generation functions - Removed Kafka consumer output to stdio to avoid recursive logs
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherrypick release-5.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.