Skip to content

fix(observability): correct audit server default TLS paths and prefix resources with d8-#2632

Merged
danilrwx merged 3 commits into
mainfrom
fix/observability/audit-cert-paths-and-resource-names
Jul 10, 2026
Merged

fix(observability): correct audit server default TLS paths and prefix resources with d8-#2632
danilrwx merged 3 commits into
mainfrom
fix/observability/audit-cert-paths-and-resource-names

Conversation

@danilrwx

Copy link
Copy Markdown
Contributor

Description

Two fixes in the audit delivery path (log-shipper → virtualization-audit).

The audit server crashed on startup when launched without explicit TLS flags: its built-in default certificate paths pointed at a directory that does not exist, while the mounted secret lives under a different path. The defaults now match the real mount location, so the server loads TLS and starts even with no flags passed. In the shipped deployment the paths are passed explicitly, so this was a latent footgun (it bites debug/alternative launches).

Separately, the cluster-scoped log-shipper objects created for audit delivery are renamed to follow the module's d8- naming convention for cluster-scoped resources (the old to-/unprefixed names are replaced).

Why do we need it, and what problem does it solve?

The default certificate paths were a latent trap — any launch without the explicit flags fails on missing TLS files, which is confusing to debug. And the audit log-shipper resource names did not follow the d8- convention used for module-owned cluster-scoped objects, unlike the rest of the module.

What is the expected result?

  • The audit server starts and loads its certificate, key and CA from the mounted certificates directory even without explicit --tls-* flags.
  • The audit log-shipper resources are named d8-virtualization-audit*.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: observability
type: fix
summary: "The audit server no longer fails to start when TLS certificate paths are not passed explicitly."
---
section: observability
type: chore
summary: "Audit log-shipper resources are renamed to the d8- prefixed naming convention."
impact_level: low

danilrwx added 2 commits July 10, 2026 14:45
The mounted secret is at /etc/virtualization-audit/certificates (plural),
but the flag defaults pointed at /etc/virtualization-audit/certificate,
so the server failed to load TLS when started without explicit flags.

Signed-off-by: Daniil Antoshin <daniil.antoshin@flant.com>
…and drop to-

Rename the ClusterLoggingConfig and ClusterLogDestination objects created for
audit shipping: to-virtualization-audit -> d8-virtualization-audit and
virtualization-audit-* -> d8-virtualization-audit-*, aligning with the d8-
naming convention for module-owned cluster-scoped resources.

Signed-off-by: Daniil Antoshin <daniil.antoshin@flant.com>
@danilrwx danilrwx enabled auto-merge (squash) July 10, 2026 15:02
@danilrwx danilrwx merged commit 4ebef2f into main Jul 10, 2026
19 of 26 checks passed
@danilrwx danilrwx deleted the fix/observability/audit-cert-paths-and-resource-names branch July 10, 2026 15:02
deckhouse-BOaTswain added a commit that referenced this pull request Jul 10, 2026
…and prefix resources with d8- (#2637)

fix(observability): correct audit server default TLS paths and prefix resources with d8- (#2632)

* fix(observability): default audit TLS cert paths to certificates dir

The mounted secret is at /etc/virtualization-audit/certificates (plural),
but the flag defaults pointed at /etc/virtualization-audit/certificate,
so the server failed to load TLS when started without explicit flags.



* refactor(observability): prefix audit log-shipper resources with d8- and drop to-

Rename the ClusterLoggingConfig and ClusterLogDestination objects created for
audit shipping: to-virtualization-audit -> d8-virtualization-audit and
virtualization-audit-* -> d8-virtualization-audit-*, aligning with the d8-
naming convention for module-owned cluster-scoped resources.



---------

Signed-off-by: Daniil Antoshin <daniil.antoshin@flant.com>
Co-authored-by: Daniil Antoshin <daniil.antoshin@flant.com>
@deckhouse-BOaTswain

Copy link
Copy Markdown
Contributor

Cherry pick PR 2637 to the branch release-1.9 successful!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants