Hello,
I am trying to configure Splunk Connect for Kubernetes to capture a k8s cluster's application logs.
I have problems when configuring the https connection to HEC.
On the Heavy Forwarder, I have configured a ServerCert, which has been signed by our Company Authority.
Then, on the Splunk Connect for Kubernetes Helm chart, if I configure https:
splunk:
  hec:
    # host is required and should be provided by user
    host: hostname.domain.com
    # token is required and should be provided by user
    token: MY-HEC-TOKEN
    # protocol has two options: "http" and "https", default is "https"
    # For self signed certificate leave this field blank
    protocol: https
When deploying, I see the following logs on the Heavy Forwarder:
01-25-2022 09:37:16.729 +0100 WARN SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'.
01-25-2022 09:37:16.729 +0100 WARN HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
I have to configure insecureSSL: true to get the connection working and see logs on the Indexer.
But if I activate the HTTPS connection, I do not want it to be insecure ^^.
I am a bit confused about Splunk Connect 4 Kubernetes configuration.
Can I use:
splunk:
  # Configurations for HEC (HTTP Event Collector)
  hec:
    # The PEM-format CA certificate file.
    # NOTE: The content of the file itself should be used here, not the file path.
    # The file will be stored as a secret in kubernetes.
    caFile:
to configure my Company CA?
Or are the keys clientCert, clientKey and caFile only used for mTLS configuration?
Thank you in advance for your answers.
Regards.
Nicolas.
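
An added example, not part of the original post: a small parser that pairs each `SSLCommon` "Received fatal SSL3 alert" line with the `HttpListener` socket error on the same thread, to list which HEC clients are aborting the handshake and why. The alert is "received", so it was sent by the client; the hint text, the `(no peer logged)` label and all function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# The two splunkd.log lines quoted in the post; the second is cut after the OpenSSL error text.
SAMPLE_LOG = """\
01-25-2022 09:37:16.729 +0100 WARN SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'.
01-25-2022 09:37:16.729 +0100 WARN HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

LINE = re.compile(r"^\S+ \S+ \S+ \w+ +(?P<comp>\w+) \[(?P<tid>\d+) \w+\] - (?P<msg>.*)$")
ALERT = re.compile(r"Received fatal SSL3 alert\..*alert_description='(?P<alert>[^']+)'")
PEER = re.compile(r"Socket error from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+")
NO_PEER = "(no peer logged)"  # label chosen for this example

# "Received" means the peer sent the alert: the HEC client aborted the handshake.
HINTS = {"unknown CA": "client does not trust the CA that issued this listener's certificate"}


def tls_alerts_by_client(log_text):
    """Return {client_ip: Counter({alert_description: count})} for received fatal alerts."""
    pending = {}  # thread id -> alert still waiting for its HttpListener socket line
    result = defaultdict(Counter)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        alert = ALERT.search(m["msg"])
        peer = PEER.search(m["msg"])
        if m["comp"] == "SSLCommon" and alert:
            if m["tid"] in pending:  # earlier alert on this thread never got a peer address
                result[NO_PEER][pending[m["tid"]]] += 1
            pending[m["tid"]] = alert["alert"]
        elif m["comp"] == "HttpListener" and peer and m["tid"] in pending:
            result[peer["ip"]][pending.pop(m["tid"])] += 1
    for name in pending.values():
        result[NO_PEER][name] += 1
    return dict(result)


def report(log_text):
    """One line per client and alert, with a hint when the alert is a known trust failure."""
    return [
        f"{ip}: {n} x '{name}' ({HINTS.get(name, 'no hint')})"
        for ip, alerts in sorted(tls_alerts_by_client(log_text).items())
        for name, n in alerts.items()
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```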