Details
-
Bug
-
Resolution: Done
-
Critical
-
Logging 5.5.5, Logging 5.6.0, Logging 5.7.0
-
False
-
None
-
False
-
NEW
-
NEW
-
-
Bug Fix
-
Critical
-
Customer Escalated
Description
Description of problem:
When tls.insecureSkipVerify=true is configured in ClusterLogForwarder, the cluster-logging-operator should set tls.verify_hostname=false and tls.verify_certificate=false.
And it seems the "Bearer Auth Config" section is added uselessly.
How reproducible:
Always
Steps to Reproduce:
- deploy a loki service and expose via edge route( By the way: The certificate used by edge route is signed by kube-root-ca).
git clone https://gitlab.cee.redhat.com/aosqe/aosqe-tools.git
sh aosqe-tools/logging/log_template/loki/01_deploy-loki.sh
Forward log to loki using insecure https.
#!/usr/bin/env bash
namespace=${1:-loki-aosqe}
route_name=${2:-loki-server}
loki_route=$(oc get route ${route_name} -n ${namespace} -o json |jq '.spec.host' -r)
cat <<EOF | oc create -f -
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
name: instance
namespace: openshift-logging
spec:
outputs:
- name: loki-route
type: loki
url: https://${loki_route}
tls:
insecureSkipVerify: true
pipelines:
- name: app-to-loki
inputRefs:
- application
- infrastructure
- audit
outputRefs:
- loki-route
EOF
- check the vector.toml...
Actual results:
[sinks.loki_route] ...... ...... [sinks.loki_route.tls] enabled = true ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" # Bearer Auth Config [sinks.loki_route.auth] strategy = "bearer" token = "xxxxx"
Expected results:
1)verify_certificate = false and verify_hostname =false
2)drop Bearer Auth Config section.
[sinks.loki_route.tls] enabled = true ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" verify_certificate = false verify_hostname =false # Bearer Auth Config #[sinks.loki_route.auth] #strategy = "bearer" #token = "xxxxx
Additional info:
