Bug
Resolution: Done
Critical
Logging 5.5.5, Logging 5.6.0, Logging 5.7.0
False
None
False
NEW
NEW
Bug Fix
Critical
Customer Escalated
Description of problem:
When tls.insecureSkipVerify=true is configured in ClusterLogForwarder, the cluster-logging-operator should set tls.verify_hostname=false and tls.verify_certificate=false.
And it seems the "Bearer Auth Config" section is added uselessly.
How reproducible:
Always
Steps to Reproduce:
- Deploy a Loki service and expose it via an edge route. (By the way, the certificate used by the edge route is signed by kube-root-ca.)
```bash
git clone https://gitlab.cee.redhat.com/aosqe/aosqe-tools.git
sh aosqe-tools/logging/log_template/loki/01_deploy-loki.sh
```
- Forward logs to Loki using insecure HTTPS.
```bash
#!/usr/bin/env bash
namespace=${1:-loki-aosqe}
route_name=${2:-loki-server}
# Look up the hostname of the edge route that exposes Loki
loki_route=$(oc get route "${route_name}" -n "${namespace}" -o json | jq '.spec.host' -r)
cat <<EOF | oc create -f -
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
  - name: loki-route
    type: loki
    url: https://${loki_route}
    tls:
      insecureSkipVerify: true
  pipelines:
  - name: app-to-loki
    inputRefs:
    - application
    - infrastructure
    - audit
    outputRefs:
    - loki-route
EOF
```
- Check the vector.toml...
Actual results:
```toml
[sinks.loki_route]
......
......
[sinks.loki_route.tls]
enabled = true
ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"

# Bearer Auth Config
[sinks.loki_route.auth]
strategy = "bearer"
token = "xxxxx"
```
Expected results:
1) verify_certificate = false and verify_hostname = false
2) Drop the Bearer Auth Config section.
```toml
[sinks.loki_route.tls]
enabled = true
ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
verify_certificate = false
verify_hostname = false

# Bearer Auth Config
#[sinks.loki_route.auth]
#strategy = "bearer"
#token = "xxxxx"
```
Additional info:
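An added example, not part of the original report or the operator's code: a check that a generated vector.toml matches the outputs that set tls.insecureSkipVerify=true, and that also flags sinks where verification is disabled without having been requested (a generalization beyond the reported case). The function name `check_sinks`, the finding strings, and the output-name to sink-id mapping (`-` replaced by `_`, as seen in this report) are assumptions; the sample configs are constructed from the actual and expected results above.

```python
try:
    import tomllib                  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib         # backport with the same API on older Pythons

# Constructed from the "Actual results" and "Expected results" in this report.
BASE = '''
[sinks.loki_route]

[sinks.loki_route.tls]
enabled = true
ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
'''
ACTUAL = BASE + '''
# Bearer Auth Config
[sinks.loki_route.auth]
strategy = "bearer"
token = "xxxxx"
'''
EXPECTED = BASE + "verify_certificate = false\nverify_hostname = false\n"


def check_sinks(vector_toml, insecure_outputs):
    """Return {sink_id: [findings]} for sinks whose TLS/auth settings do not
    match the set of outputs configured with tls.insecureSkipVerify=true."""
    sinks = tomllib.loads(vector_toml).get("sinks", {})
    # Assumption: the sink id is the output name with '-' replaced by '_'.
    wanted = {name.replace("-", "_") for name in insecure_outputs}
    problems = {}
    for sink_id in sorted(wanted | set(sinks)):
        sink = sinks.get(sink_id)
        if sink is None:
            problems[sink_id] = ["sink not generated"]
            continue
        tls, auth, found = sink.get("tls", {}), sink.get("auth", {}), []
        for key in ("verify_certificate", "verify_hostname"):
            disabled = tls.get(key, True) is False   # Vector verifies by default
            if sink_id in wanted and not disabled:
                found.append(f"tls.{key} is not false")
            elif sink_id not in wanted and disabled:
                found.append(f"tls.{key} disabled without insecureSkipVerify")
        if sink_id in wanted and auth.get("strategy") == "bearer":
            found.append("auth.strategy = bearer present")
        if found:
            problems[sink_id] = found
    return problems


if __name__ == "__main__":
    print(check_sinks(ACTUAL, {"loki-route"}))
```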