fix(observability): correct audit server default TLS paths and prefix resources with d8-#2632
Merged
danilrwx merged 3 commits intoJul 10, 2026
Conversation
The mounted secret is at /etc/virtualization-audit/certificates (plural), but the flag defaults pointed at /etc/virtualization-audit/certificate, so the server failed to load TLS when started without explicit flags. Signed-off-by: Daniil Antoshin <daniil.antoshin@flant.com>
…and drop to- Rename the ClusterLoggingConfig and ClusterLogDestination objects created for audit shipping: to-virtualization-audit -> d8-virtualization-audit and virtualization-audit-* -> d8-virtualization-audit-*, aligning with the d8- naming convention for module-owned cluster-scoped resources. Signed-off-by: Daniil Antoshin <daniil.antoshin@flant.com>
universal-itengineer
approved these changes
Jul 10, 2026
deckhouse-BOaTswain
added a commit
that referenced
this pull request
Jul 10, 2026
…and prefix resources with d8- (#2637) fix(observability): correct audit server default TLS paths and prefix resources with d8- (#2632) * fix(observability): default audit TLS cert paths to certificates dir The mounted secret is at /etc/virtualization-audit/certificates (plural), but the flag defaults pointed at /etc/virtualization-audit/certificate, so the server failed to load TLS when started without explicit flags. * refactor(observability): prefix audit log-shipper resources with d8- and drop to- Rename the ClusterLoggingConfig and ClusterLogDestination objects created for audit shipping: to-virtualization-audit -> d8-virtualization-audit and virtualization-audit-* -> d8-virtualization-audit-*, aligning with the d8- naming convention for module-owned cluster-scoped resources. --------- Signed-off-by: Daniil Antoshin <daniil.antoshin@flant.com> Co-authored-by: Daniil Antoshin <daniil.antoshin@flant.com>
Contributor
|
Cherry pick PR 2637 to the branch release-1.9 successful! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Two fixes in the audit delivery path (log-shipper → virtualization-audit).
The audit server crashed on startup when launched without explicit TLS flags: its built-in default certificate paths pointed at a directory that does not exist, while the mounted secret lives under a different path. The defaults now match the real mount location, so the server loads TLS and starts even with no flags passed. In the shipped deployment the paths are passed explicitly, so this was a latent footgun (it bites debug/alternative launches).
Separately, the cluster-scoped log-shipper objects created for audit delivery are renamed to follow the module's
d8-naming convention for cluster-scoped resources (the oldto-/unprefixed names are replaced).Why do we need it, and what problem does it solve?
The default certificate paths were a latent trap — any launch without the explicit flags fails on missing TLS files, which is confusing to debug. And the audit log-shipper resource names did not follow the
d8-convention used for module-owned cluster-scoped objects, unlike the rest of the module.What is the expected result?
--tls-*flags.d8-virtualization-audit*.Checklist
Changelog entries