Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2778

[Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.

XMLWordPrintable

      Version of components:

      clusterlogging.v5.5.0

      elasticsearch-operator.v5.5.0

      loki-operator.v5.5.0

      Kustomize Version: v4.5.4

      Server Version: 4.11.0-0.nightly-2022-06-25-132614

      Kubernetes Version: v1.24.0+9ddc8b1

      Description of the problem:

      In OCP 4.11 SA account do not have a token assciated with it due to which fetching of token for the SA does not work when forwarding logs to Lokistack using Vector as collector and CLF created without creds secret for Lokistack.

      https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets

      Steps to reproduce the issue:

      1 Deploy ClusterLogging, Lokistack and Elasticsearch 5.5 operators on OCP 4.11.

      2 Create a LokiStack instance.

      3 Create a ClusterLogging instance.

      4 Create a CLF instance to forward logs to Lokistack instance without pipeline secret.

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
         - name: loki-app
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/
         - name: loki-infra
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/
         - name: loki-audit
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/
        pipelines:
         - name: send-app-logs
           inputRefs:
           - application
           outputRefs:
           - loki-app
         - name: send-infra-logs
           inputRefs:
           - infrastructure
           outputRefs:
           - loki-infra
         - name: send-audit-logs
           inputRefs:
           - audit
           outputRefs:
           - loki-audit 

      5 Extract and check the vector config. No auth.token is added to the config.

      6 Check that there is no token associated with SA.

      oc get sa logcollector -o yaml
      apiVersion: v1
      imagePullSecrets:
      - name: logcollector-dockercfg-8bzvq
      kind: ServiceAccount
      metadata:
        creationTimestamp: "2022-06-28T14:25:15Z"
        finalizers:
        - foregroundDeletion
        name: logcollector
        namespace: openshift-logging
        ownerReferences:
        - apiVersion: logging.openshift.io/v1
          controller: true
          kind: ClusterLogging
          name: instance
          uid: 7d65d6e7-71c1-4515-b70b-08f2402d8356
        resourceVersion: "48876"
        uid: 64f503eb-79b6-4bc2-b8e2-a644daa3aae6
      secrets:
      - name: logcollector-dockercfg-8bzvq 

      Additional notes:

      User defined token and ca bundle is working fine with latest bug fixes in ClusterLogging 5.5.

              rojacob@redhat.com Robert Jacob
              rhn-support-ikanse Ishwar Kanse
              Ishwar Kanse Ishwar Kanse
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: