- Bug
- Resolution: Done
- Major
- Logging 5.6.0
- False
- None
- False
- NEW
- Release Notes
- VERIFIED
- Before this update, we could not create a LokiStack instance with a Custom tlsSecurityProfile set. With this update, adding support for the Custom profile resolves the issue.
- Log Storage - Sprint 226
Description of problem:
Cannot create a LokiStack instance with a custom tlsSecurityProfile set. Following is the custom profile configuration.
$ oc get apiserver/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    oauth-apiserver.openshift.io/secure-token-storage: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-10-17T03:15:16Z"
  generation: 15
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 16a4fea1-b6cd-41c9-ad67-34d3ee0d25d1
  resourceVersion: "101533"
  uid: e4ed4f0c-63cd-4b0a-8081-67eec55f38a0
spec:
  audit:
    profile: Default
  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS11
    type: Custom
Below errors are observed in the loki-operator-controller-manager
{"_ts":"2022-10-17T05:48:14.012163507Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"error in getting tenant config map data","_error":{"cause":{"ErrStatus":{"metadata":{},"status":"Failure","message":"ConfigMap \"lokistack-instance-gateway\" not found","reason":"NotFound","details":{"name":"lokistack-instance-gateway","kind":"ConfigMap"},"code":404}},"msg":"couldn't find tenant configMap."},"event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T05:48:14.012246331Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"begin building manifests","event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T05:48:14.012364442Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"failed to conform options to tls profile settings","_error":{"msg":"unable to determine tls profile settings"},"event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T05:48:14.012410631Z","_level":"0","_component":"loki-operator","_message":"Reconciler error","_error":{"msg":"unable to determine tls profile settings"},"controller":"rulerconfig","controllerGroup":"loki.grafana.com","controllerKind":"RulerConfig","lokiStack":{"name":"lokistack-instance","namespace":"openshift-logging"},"name":"lokistack-instance","namespace":"openshift-logging","reconcileID":"3558281d-99f2-4258-8ac4-65dd44656e31"}
{"_ts":"2022-10-17T05:48:45.106862827Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"error in getting tenant config map data","_error":{"cause":{"ErrStatus":{"metadata":{},"status":"Failure","message":"ConfigMap \"lokistack-instance-gateway\" not found","reason":"NotFound","details":{"name":"lokistack-instance-gateway","kind":"ConfigMap"},"code":404}},"msg":"couldn't find tenant configMap."},"event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T05:48:45.106945689Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"begin building manifests","event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T05:48:45.10705394Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"failed to conform options to tls profile settings","_error":{"msg":"unable to determine tls profile settings"},"event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T05:48:45.107110872Z","_level":"0","_component":"loki-operator","_message":"Reconciler error","_error":{"msg":"unable to determine tls profile settings"},"controller":"rulerconfig","controllerGroup":"loki.grafana.com","controllerKind":"RulerConfig","lokiStack":{"name":"lokistack-instance","namespace":"openshift-logging"},"name":"lokistack-instance","namespace":"openshift-logging","reconcileID":"558bb4df-2330-46f5-8be3-166259ac126a"}
Version-Release number of selected component (if applicable):
Loki-operator.v5.6.0
cluster-logging.v5.6.0
Server Version: 4.11.0-0.nightly-2022-10-08-131055
How reproducible:
Always
Steps to Reproduce:
* Set a custom tlsSecurity profile in the global apiserver config.

oc get apiserver/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    oauth-apiserver.openshift.io/secure-token-storage: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-10-17T03:15:16Z"
  generation: 15
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 16a4fea1-b6cd-41c9-ad67-34d3ee0d25d1
  resourceVersion: "101533"
  uid: e4ed4f0c-63cd-4b0a-8081-67eec55f38a0
spec:
  audit:
    profile: Default
  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS11
    type: Custom

* Create a LokiStack instance.

apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: lokistack-instance
  namespace: openshift-logging
spec:
  managementState: Managed
  replicationFactor: 1
  size: 1x.extra-small
  storage:
    secret:
      name: s3-secret
      type: s3
  storageClassName: gp2
  tenants:
    mode: openshift-logging

* The LokiStack instance is not created, check the loki-operator-controller-manager pod logs in the openshift-operators-redhat namespace.
{"_ts":"2022-10-17T06:04:22.0668109Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"error in getting tenant config map data","_error":{"cause":{"ErrStatus":{"metadata":{},"status":"Failure","message":"ConfigMap \"lokistack-instance-gateway\" not found","reason":"NotFound","details":{"name":"lokistack-instance-gateway","kind":"ConfigMap"},"code":404}},"msg":"couldn't find tenant configMap."},"event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T06:04:22.066872231Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"begin building manifests","event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T06:04:22.066973169Z","_level":"0","_component":"loki-operator_controllers_LokiStack","_message":"failed to conform options to tls profile settings","_error":{"msg":"unable to determine tls profile settings"},"event":"createOrUpdate","lokistack":{"Namespace":"openshift-logging","Name":"lokistack-instance"}}
{"_ts":"2022-10-17T06:04:22.06703015Z","_level":"0","_component":"loki-operator","_message":"Reconciler error","_error":{"msg":"unable to determine tls profile settings"},"controller":"rulerconfig","controllerGroup":"loki.grafana.com","controllerKind":"RulerConfig","lokiStack":{"name":"lokistack-instance","namespace":"openshift-logging"},"name":"lokistack-instance","namespace":"openshift-logging","reconcileID":"f9727537-5cfe-4c3b-ac7d-2597a96fd5a6"}
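An added example (not the loki-operator's own code) of how a consumer of `spec.tlsSecurityProfile.custom` can translate the profile above into Go `crypto/tls` settings, failing closed on names it cannot map. It goes one step beyond the report by also computing the lowest protocol version the listed suites can actually negotiate; `ResolveCustom`, `versions` and `suites` are hypothetical names, and the cipher table covers only the four suites shown on this page.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

var versions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// OpenSSL-style names used in the profile -> Go suite IDs (only the four on this page).
var suites = map[string]uint16{
	"ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	"ECDHE-RSA-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
}

// ResolveCustom (hypothetical helper) turns spec.tlsSecurityProfile.custom into a
// tls.Config and reports the lowest version the listed suites can negotiate.
func ResolveCustom(minTLSVersion string, ciphers []string) (*tls.Config, uint16, error) {
	minVer, ok := versions[minTLSVersion]
	if !ok {
		return nil, 0, fmt.Errorf("unknown minTLSVersion %q", minTLSVersion)
	}
	cfg := &tls.Config{MinVersion: minVer}
	effective := uint16(tls.VersionTLS13) // TLS 1.3 suites are always on in Go
	for _, name := range ciphers {
		id, ok := suites[name]
		if !ok { // fail closed rather than silently dropping a requested suite
			return nil, 0, fmt.Errorf("unsupported cipher %q", name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id)
		for _, cs := range tls.CipherSuites() {
			for _, v := range cs.SupportedVersions {
				if cs.ID == id && v >= minVer && v < effective {
					effective = v
				}
			}
		}
	}
	return cfg, effective, nil
}

func main() {
	_, eff, err := ResolveCustom("VersionTLS11", []string{"ECDHE-RSA-AES128-GCM-SHA256"})
	fmt.Printf("%#x %v\n", eff, err)
}
```

For the profile in this report the declared minimum is TLS 1.1, but all four listed suites are AEAD suites that exist only in TLS 1.2, so the effective minimum is TLS 1.2.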