Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2778

[Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.

    XMLWordPrintable

Details

    Description

      Version of components:

      clusterlogging.v5.5.0

      elasticsearch-operator.v5.5.0

      loki-operator.v5.5.0

      Kustomize Version: v4.5.4

      Server Version: 4.11.0-0.nightly-2022-06-25-132614

      Kubernetes Version: v1.24.0+9ddc8b1

      Description of the problem:

      In OCP 4.11 SA account do not have a token assciated with it due to which fetching of token for the SA does not work when forwarding logs to Lokistack using Vector as collector and CLF created without creds secret for Lokistack.

      https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets

      Steps to reproduce the issue:

      1 Deploy ClusterLogging, Lokistack and Elasticsearch 5.5 operators on OCP 4.11.

      2 Create a LokiStack instance.

      3 Create a ClusterLogging instance.

      4 Create a CLF instance to forward logs to Lokistack instance without pipeline secret.

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
         - name: loki-app
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/
         - name: loki-infra
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/
         - name: loki-audit
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/
        pipelines:
         - name: send-app-logs
           inputRefs:
           - application
           outputRefs:
           - loki-app
         - name: send-infra-logs
           inputRefs:
           - infrastructure
           outputRefs:
           - loki-infra
         - name: send-audit-logs
           inputRefs:
           - audit
           outputRefs:
           - loki-audit 

      5 Extract and check the vector config. No auth.token is added to the config.

      6 Check that there is no token associated with SA.

      oc get sa logcollector -o yaml
      apiVersion: v1
      imagePullSecrets:
      - name: logcollector-dockercfg-8bzvq
      kind: ServiceAccount
      metadata:
        creationTimestamp: "2022-06-28T14:25:15Z"
        finalizers:
        - foregroundDeletion
        name: logcollector
        namespace: openshift-logging
        ownerReferences:
        - apiVersion: logging.openshift.io/v1
          controller: true
          kind: ClusterLogging
          name: instance
          uid: 7d65d6e7-71c1-4515-b70b-08f2402d8356
        resourceVersion: "48876"
        uid: 64f503eb-79b6-4bc2-b8e2-a644daa3aae6
      secrets:
      - name: logcollector-dockercfg-8bzvq 

      Additional notes:

      User defined token and ca bundle is working fine with latest bug fixes in ClusterLogging 5.5.

      Attachments

        Activity

          People

            rojacob@redhat.com Robert Jacob
            rhn-support-ikanse Ishwar Kanse
            Ishwar Kanse Ishwar Kanse
            Ishwar Kanse Ishwar Kanse
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: