Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2786

[release-5.4] Token not added to Vector config when forwarding logs to Lokistack with Token+CA bundle.

    XMLWordPrintable

Details

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this update, when configuring Vector to forward logs to Loki it was not possible to either set a custom bearer token or use the default token if Loki had TLS enabled. With this update, both the custom bearer token and the CA-certificate of the default token are correctly set in the vector configuration.
      Show
      Before this update, when configuring Vector to forward logs to Loki it was not possible to either set a custom bearer token or use the default token if Loki had TLS enabled. With this update, both the custom bearer token and the CA-certificate of the default token are correctly set in the vector configuration.
    • Log Collection - Sprint 221

    Description

      Version of components:

      Server Version: 4.10.0-0.nightly-2022-06-08-150219

      Kubernetes Version: v1.23.5+3afdacb

      cluster-logging.5.4.3

      elasticsearch-operator.5.4.3

      loki-operator.5.4.3-23

      Description of the problem:

      When forwarding logs to Lokistack with Vector as collector, the Vector config is generated without the token in the Vector auth config.

      Steps to reproduce the issue:

      1 Deploy ClusterLogging, Elasticsearch and Lokistack operators.

      2 Create a Lokistack instance, ClusterRole and ClusterRole binding required for submitting logs to the Lokistack instance.

      3 Create the ClusterLogging instance.

      4 Create the secret required by CLF instance for sending logs to Lokistack using Vector as collector.

      #OCP >=4.11: 
 TOKEN=$(oc create token logcollector)

 #OCP <4.11:
 TOKEN=$(oc sa get-token logcollector)

 oc
 -n openshift-logging create secret generic 
lokistack-gateway-bearer-token --from-literal=token=$TOKEN  
--from-literal=ca-bundle.crt="$(oc -n openshift-logging get cm 
lokistack-instance-ca-bundle -o json | jq -r '.data."service-ca.crt"')"

      5 Create the CLF instance.

      apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
   - name: loki-app
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/
     secret:
       name: lokistack-gateway-bearer-token
   - name: loki-infra
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/
     secret:
       name: lokistack-gateway-bearer-token
   - name: loki-audit
     type: loki
     url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/
     secret:
       name: lokistack-gateway-bearer-token
  pipelines:
   - name: send-app-logs
     inputRefs:
     - application
     outputRefs:
     - loki-app
   - name: send-infra-logs
     inputRefs:
     - infrastructure
     outputRefs:
     - loki-infra
   - name: send-audit-logs
     inputRefs:
     - audit
     outputRefs:
     - loki-audit

      6 Check the generted vector config which shows missing token.

      oc extract secret/collector-config --confirm

      Additional Notes:

      This is already fixed in 5.5 after the HTTPS LokiStack feature was implemented.

       

       

      Attachments

        Activity

          People

            rojacob@redhat.com Robert Jacob
            rhn-support-ikanse Ishwar Kanse
            Ishwar Kanse Ishwar Kanse
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: