How to check Logging EFK stack certificates in OpenShift Container Platform 4

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.8

Issue

  • What is the default validity of the certificates used by the EFK stack?
  • Is it possible to rotate the logging certificates manually?
  • How to get the CA that signs the server and client certificates for the EFK components?
  • How to get the certificate information of the logging components?

Resolution

  • The certificate-key pairs used by the EFK stack components are provided through different secrets that reside in the namespace openshift-logging:
$ oc get secrets -n openshift-logging | egrep "tls|Opaque"

1. Root CA:

  • The root CA that signs all the certificates for the EFK components (Fluentd, Elasticsearch, Kibana, Curator) is openshift-cluster-logging-signer.

  • The logging CA has a validity of 5 years; its rotation is handled by the Logging Operator itself. The CA can be checked as follows:

$ oc project openshift-logging
$ oc get secret master-certs -ojsonpath="{.data.ca\.crt}" | base64 -d | openssl x509 -noout -dates -issuer -subject
  • The master-certs secret can be considered the master secret for the EFK stack: it holds the certificates, private keys and CSRs for each of the logging components, and also includes the ca.db.

All other server-client certificates for the EFK components have a validity of 2 years and can be inspected as follows:

2. Kibana:

  • Kibana uses two secrets, kibana and kibana-proxy, which contain the respective cert-key pairs.
$ oc get secret kibana -o=custom-columns=":.data.cert" | tail -1 | base64 -d | openssl x509 -noout -text
$ oc get secret kibana-proxy -o=custom-columns=":.data.server-cert" | tail -1 | base64 -d | openssl x509 -noout -text

3. Fluentd:

$ oc get secret fluentd -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -text
$ oc get secret fluentd-metrics  -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -text

4. Elasticsearch:

  • Elasticsearch also has two secrets. The main one, elasticsearch, contains the following cert-key pairs:
    a. elasticsearch.crt
    b. elasticsearch.key
    c. admin-ca
    d. admin-cert
    e. admin-key
    f. logging-es.crt
    g. logging-es.key

  • The secret elasticsearch-metrics is a service serving certificate secret (issued by the service-ca operator, not by the logging CA) for the Elasticsearch metrics endpoint.

$ oc get secret elasticsearch -o=custom-columns=":.data.elasticsearch\.crt" | tail -1 | base64 -d | openssl x509 -noout -text
$ oc get secret elasticsearch-metrics -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -text

5. Curator:

  • The secret curator contains the cert-key pair for Curator.
$ oc get secret curator -o=custom-columns=":.data.cert" | tail -1 | base64 -d | openssl x509 -noout -text
  • All of the above-mentioned certificates are system managed and rotated automatically.
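The individual oc commands above inspect one certificate at a time. The script below is an added example, not part of the Red Hat article and not shipped by the Logging Operator: it walks the secret/key pairs listed in this article, flags any certificate that expires within a chosen number of days (openssl x509 -checkend), and verifies with openssl verify that the certificates the article attributes to the logging CA really chain to the ca.crt held in master-certs. The function names, the NS variable, the 90-day default warning window, the use of go-template output (which avoids escaping the dots in key names such as tls.crt) and the assumption that fluentd-metrics, like elasticsearch-metrics, is a service-serving certificate rather than a logging-CA certificate are all the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat article): report expiry of every EFK
# certificate and check the logging-CA-issued ones chain to master-certs/ca.crt.
set -euo pipefail

NS=openshift-logging   # assumption: default logging namespace from the article

# secret/key/issuer triples. Secret and key names are the ones the article
# lists. The "service" tag marks service-serving certificates (stated for
# elasticsearch-metrics, assumed for fluentd-metrics); those are issued by the
# service-ca operator, so they are not verified against the logging CA.
LOGGING_CERTS=(
  "kibana/cert/logging"
  "kibana-proxy/server-cert/logging"
  "fluentd/tls.crt/logging"
  "fluentd-metrics/tls.crt/service"
  "elasticsearch/elasticsearch.crt/logging"
  "elasticsearch/admin-cert/logging"
  "elasticsearch/logging-es.crt/logging"
  "elasticsearch-metrics/tls.crt/service"
  "curator/cert/logging"
)

# Fetch <secret>/<key> from the logging namespace and decode it to PEM.
# go-template lets us index keys containing dots without jsonpath escaping.
get_secret_cert() {
  local secret=$1 key=$2
  oc get secret "$secret" -n "$NS" -o go-template="{{index .data \"$key\"}}" | base64 -d
}

# True (exit 0) if the PEM certificate on stdin expires within $1 days.
# openssl -checkend exits non-zero when the cert expires inside the window,
# so the sense is inverted with "!".
cert_expires_within() {
  local days=$1
  ! openssl x509 -noout -checkend $(( days * 86400 )) >/dev/null
}

# One-line subject / issuer / notAfter summary of the PEM certificate on stdin.
cert_summary() {
  openssl x509 -noout -subject -issuer -enddate | tr '\n' ' '
}

# True if certificate file $2 chains to the CA certificate file $1.
cert_signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk every entry, print OK / EXPIRING / MISSING plus chain problems.
scan_logging_certs() {
  local warn_days=${1:-90} tmp entry secret key issuer status
  tmp=$(mktemp -d)
  get_secret_cert master-certs ca.crt > "$tmp/ca.pem"
  echo "logging CA: $(cert_summary < "$tmp/ca.pem")"
  for entry in "${LOGGING_CERTS[@]}"; do
    IFS=/ read -r secret key issuer <<< "$entry"
    if ! get_secret_cert "$secret" "$key" > "$tmp/cert.pem" 2>/dev/null || ! [ -s "$tmp/cert.pem" ]; then
      echo "MISSING  $secret/$key"
      continue
    fi
    status=OK
    if cert_expires_within "$warn_days" < "$tmp/cert.pem"; then status=EXPIRING; fi
    if [ "$issuer" = logging ] && ! cert_signed_by "$tmp/ca.pem" "$tmp/cert.pem"; then
      status="$status,NOT-SIGNED-BY-LOGGING-CA"
    fi
    printf '%-28s %s/%s: %s\n' "$status" "$secret" "$key" "$(cert_summary < "$tmp/cert.pem")"
  done
  rm -rf "$tmp"
}

# The scan runs only when asked for, so the helpers can be sourced on their own:
#   ./efk-certs.sh --scan 90
if [ "${1:-}" = "--scan" ]; then
  scan_logging_certs "${2:-90}"
fi
```

Run it while logged in as a user who can read secrets in openshift-logging (cluster-admin in practice). A NOT-SIGNED-BY-LOGGING-CA result for a "logging" entry means the secret was regenerated against a different signer, which is exactly the situation to look at before the components stop trusting each other; a MISSING result usually just means the key name differs in your release, so compare it with oc get secret <name> -o yaml.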

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.