Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2786

[release-5.4] Token not added to Vector config when forwarding logs to Lokistack with Token+CA bundle.

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this update, when configuring Vector to forward logs to Loki it was not possible to either set a custom bearer token or use the default token if Loki had TLS enabled. With this update, both the custom bearer token and the CA-certificate of the default token are correctly set in the vector configuration.
      Show
      Before this update, when configuring Vector to forward logs to Loki it was not possible to either set a custom bearer token or use the default token if Loki had TLS enabled. With this update, both the custom bearer token and the CA-certificate of the default token are correctly set in the vector configuration.
    • Log Collection - Sprint 221

      Version of components:

      Server Version: 4.10.0-0.nightly-2022-06-08-150219

      Kubernetes Version: v1.23.5+3afdacb

      cluster-logging.5.4.3

      elasticsearch-operator.5.4.3

      loki-operator.5.4.3-23

      Description of the problem:

      When forwarding logs to Lokistack with Vector as collector, the Vector config is generated without the token in the Vector auth config.

      Steps to reproduce the issue:

      1 Deploy ClusterLogging, Elasticsearch and Lokistack operators.

      2 Create a Lokistack instance, ClusterRole and ClusterRole binding required for submitting logs to the Lokistack instance.

      3 Create the ClusterLogging instance.

      4 Create the secret required by CLF instance for sending logs to Lokistack using Vector as collector.

      #OCP >=4.11: 
       TOKEN=$(oc create token logcollector)
      
       #OCP <4.11:
       TOKEN=$(oc sa get-token logcollector)
      
       oc
       -n openshift-logging create secret generic 
      lokistack-gateway-bearer-token --from-literal=token=$TOKEN  
      --from-literal=ca-bundle.crt="$(oc -n openshift-logging get cm 
      lokistack-instance-ca-bundle -o json | jq -r '.data."service-ca.crt"')" 

      5 Create the CLF instance.

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
         - name: loki-app
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/
           secret:
             name: lokistack-gateway-bearer-token
         - name: loki-infra
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/
           secret:
             name: lokistack-gateway-bearer-token
         - name: loki-audit
           type: loki
           url: https://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/
           secret:
             name: lokistack-gateway-bearer-token
        pipelines:
         - name: send-app-logs
           inputRefs:
           - application
           outputRefs:
           - loki-app
         - name: send-infra-logs
           inputRefs:
           - infrastructure
           outputRefs:
           - loki-infra
         - name: send-audit-logs
           inputRefs:
           - audit
           outputRefs:
           - loki-audit 

      6 Check the generted vector config which shows missing token.

      oc extract secret/collector-config --confirm

      Additional Notes:

      This is already fixed in 5.5 after the HTTPS LokiStack feature was implemented.

       

       

              rojacob@redhat.com Robert Jacob
              rhn-support-ikanse Ishwar Kanse
              Ishwar Kanse Ishwar Kanse
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: