Splunk Operator: permit disabling splunkd TLS #1310

Open
paheath opened this issue Mar 26, 2024 · 3 comments
Labels
enhancement New feature or request spike-2.8
@paheath

paheath commented Mar 26, 2024

Please select the type of request

Bug

Tell us more

Describe the request
It appears that the operator does not function properly when TLS on the Splunk API (8089) is disabled. The operator does not appear to throw obvious errors, but the cluster manager fails to install and come ready. The indexer cluster is stuck waiting, and never appears to instantiate its stateful set. I suspect this is because the operator cannot perform the API calls required to complete the cluster manager installation/configuration. The operator should function in an environment with TLS on splunkd disabled.

Expected behavior
The operator should identify when it's running in an environment with TLS disabled. It should modify the protocol it uses to make Splunk API calls accordingly. It should also pass the URL of the cluster manager and license manager to connect the cluster with the correct protocol.

Splunk setup on K8S
cluster manager, indexer cluster, search head, standalone heavy forwarder, license manager, monitoring console. Using the App Framework and Smartstore.

Reproduction/Testing steps
Set splunk.ssl.enable to false in the defaults.yml file on every Splunk CR per the using default settings documentation. Watch for successful cluster manager and indexer cluster pod creation.

K8s environment
On-prem cluster running Istio service mesh.

Additional context(optional)
The intent here is to disable TLS at the application level so Istio can perform in-cluster mTLS encryption that is invisible to Splunk.

@k4r1

k4r1 commented Apr 3, 2024

I also came across this, exactly the same behaviour with no stateful set for the indexer cluster.

I found that I could at least get the startupProbe / readinessProbe for the cluster manager to pass by adding an env var to the CR:

  extraEnv:
  - name: SPLUNKD_SSL_ENABLE
    value: "false"

However, the operator logs still complain about not being able to reach the various components. I assume it's using https with no way to change it, so this will probably need a code change.

@vivekr-splunk
Collaborator

Hello @paheath, we will test this scenario and get back to you.

@paheath
Author

paheath commented Jun 13, 2024

Thank you! I've done a fair amount of testing for this, and have gotten Splunk to function normally with strict pod-to-pod mTLS enabled by deploying docker-splunk directly without the operator. It's possible that the only thing required to get this to work is:

  • remove the istio annotations applied by the operator that force istio to ignore all Splunk ports
  • create a flag that forces the operator to disable TLS for all splunk api calls made by the operator
  • create a flag that forces the operator to deploy the workload pods with SPLUNKD_SSL_ENABLE = false

One other quirk I noticed: the CLI command (and I assume the equivalent API call) that connects indexer peers to the cluster manager does not accept a manager URI with plain http. The command usage is documented here, but I don't see a mention of this behavior: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/ConfigurepeerswithCLI. I was able to work around this in my istio mTLS testing by configuring the indexer -> manager connection directly with config files applied through the default.yaml mechanism supported by splunk-ansible.

Let me know if I can provide any more information that might be helpful for your testing.
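Added example, not part of the thread and not the operator's code: a pre-deployment check that a pod running with SPLUNKD_SSL_ENABLE=false really has its 8089 traffic carried by the Istio sidecar under STRICT mTLS, which is the condition the comment above depends on. The pod and PeerAuthentication objects are constructed samples in the shape of `kubectl get -o json` output, the annotation values are illustrative, and only namespace-wide policies are considered (an assumption).

```python
# Added example: audit for plaintext splunkd traffic when application TLS is off.
SPLUNKD_PORT = 8089  # splunkd management/API port named in the issue
ISTIO = "traffic.sidecar.istio.io/"

def ports(value):
    """Parse a comma-separated Istio port annotation into a set of ints."""
    return {int(p) for p in value.split(",") if p.strip().isdigit()}

def plaintext_exposure(pod, peer_auths):
    """Return reasons why splunkd traffic on 8089 could cross the network unencrypted."""
    meta = pod["metadata"]
    env = {e["name"]: e.get("value", "") for c in pod["spec"]["containers"]
           for e in c.get("env", [])}
    if env.get("SPLUNKD_SSL_ENABLE", "true").lower() != "false":
        return []  # splunkd still terminates TLS itself
    ann = meta.get("annotations", {})
    reasons = []
    include = ann.get(ISTIO + "includeInboundPorts", "*")
    if include != "*" and SPLUNKD_PORT not in ports(include):
        reasons.append("inbound 8089 is not captured by the sidecar")
    if SPLUNKD_PORT in ports(ann.get(ISTIO + "excludeInboundPorts", "")):
        reasons.append("inbound 8089 is excluded from the sidecar")
    if SPLUNKD_PORT in ports(ann.get(ISTIO + "excludeOutboundPorts", "")):
        reasons.append("outbound 8089 bypasses the sidecar")
    # Assumption: only namespace-wide policies (no selector) are considered.
    strict = any(pa["metadata"]["namespace"] == meta["namespace"]
                 and not pa["spec"].get("selector")
                 and pa["spec"].get("mtls", {}).get("mode") == "STRICT"
                 for pa in peer_auths)
    if not strict:
        reasons.append("no namespace-wide STRICT PeerAuthentication")
    return reasons

def make_pod(name, annotations):  # constructed sample object, trimmed to used fields
    return {"metadata": {"name": name, "namespace": "splunk", "annotations": annotations},
            "spec": {"containers": [{"name": "splunk", "env": [
                {"name": "SPLUNKD_SSL_ENABLE", "value": "false"}]}]}}

STRICT_POLICY = [{"metadata": {"name": "default", "namespace": "splunk"},
                  "spec": {"mtls": {"mode": "STRICT"}}}]
BYPASSED = make_pod("idx-0", {ISTIO + "excludeOutboundPorts": "8089,9997",
                              ISTIO + "includeInboundPorts": "8000,8088"})
MESHED = make_pod("idx-1", {})

if __name__ == "__main__":
    for pod in (BYPASSED, MESHED):
        print(pod["metadata"]["name"], plaintext_exposure(pod, STRICT_POLICY) or "ok")
```

A non-empty result means splunkd credentials and cluster traffic on 8089 would travel unencrypted for that pod, so application TLS should stay on until the annotations and policy are corrected.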

@vivekr-splunk vivekr-splunk added enhancement New feature or request spike-2.8 and removed Q3 2024 labels Oct 22, 2024