Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: Logging 5.5.0
Affects Version/s: Logging 5.5.0
Component/s: Log Collection
Labels:
- devel_ack+

Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Deploy Vector Collector as a GA offering (Phase 1)
Docs QE Status:
NEW
Feature Link:
OBSDA-108 - Distribute an alternate Vector Log Collector
QE Status:
VERIFIED

SFDC Cases Links:
SFDC Cases Counter:

Description

Version of components:

clusterlogging.v5.5.0

elasticsearch-operator.v5.5.0

loki-operator.v5.5.0

Kustomize Version: v4.5.4

Server Version: 4.11.0-0.nightly-2022-06-25-132614

Kubernetes Version: v1.24.0+9ddc8b1

Description of the problem:

In OCP 4.11 SA account do not have a token assciated with it due to which fetching of token for the SA does not work when forwarding logs to Lokistack using Vector as collector and CLF created without creds secret for Lokistack.

https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets

Steps to reproduce the issue:

1 Deploy ClusterLogging, Lokistack and Elasticsearch 5.5 operators on OCP 4.11.

2 Create a LokiStack instance.

3 Create a ClusterLogging instance.

4 Create a CLF instance to forward logs to Lokistack instance without pipeline secret.

apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
   - name: loki-app
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/
   - name: loki-infra
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/
   - name: loki-audit
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/
  pipelines:
   - name: send-app-logs
     inputRefs:
     - application
     outputRefs:
     - loki-app
   - name: send-infra-logs
     inputRefs:
     - infrastructure
     outputRefs:
     - loki-infra
   - name: send-audit-logs
     inputRefs:
     - audit
     outputRefs:
     - loki-audit

5 Extract and check the vector config. No auth.token is added to the config.

6 Check that there is no token associated with SA.

oc get sa logcollector -o yaml
apiVersion: v1
imagePullSecrets:
- name: logcollector-dockercfg-8bzvq
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-28T14:25:15Z"
  finalizers:
  - foregroundDeletion
  name: logcollector
  namespace: openshift-logging
  ownerReferences:
  - apiVersion: logging.openshift.io/v1
    controller: true
    kind: ClusterLogging
    name: instance
    uid: 7d65d6e7-71c1-4515-b70b-08f2402d8356
  resourceVersion: "48876"
  uid: 64f503eb-79b6-4bc2-b8e2-a644daa3aae6
secrets:
- name: logcollector-dockercfg-8bzvq

Additional notes:

User defined token and ca bundle is working fine with latest bug fixes in ClusterLogging 5.5.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

vector.toml
10 kB
2022/06/28 2:16 PM

Issue Links

is cloned by

LOG-2840 [release-5.4] [OCP 4.11] CLO depends on automatically created SA token

Closed

links to

openshift/cluster-logging-operator#1561: LOG-2778: Create secret for logcollector serviceaccount manually

mentioned on

Merge request - Updated US source to: e22e183 Merge pull request #1561 from xperimental/manual-token-secret

Activity

People

Assignee:: Robert Jacob

Reporter:: Ishwar Kanse

QA Contact:: Ishwar Kanse

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022/06/28 2:17 PM

Updated:: 2022/08/03 6:16 PM

Resolved:: 2022/07/22 6:48 AM