-
Bug
-
Resolution: Done
-
Major
-
Logging 5.9.0
-
False
-
None
-
False
-
NEW
-
NEW
-
-
Release Note Not Required
-
-
-
Log Collection - Sprint 246
-
?
Jira made to track fix into 5.9
Description of problem:
Using legacy method, Vector can forward to Lokistack instance deployed by loki-opreator on the same cluster. But this legacy method doesn't works on 5.8.0.
Vector pods raise error below
2023-12-04T14:57:00.319654Z WARN sink{component_kind="sink" component_id=loki_infra component_type=loki component_name=loki_infra}: vector::sinks::util::retries: Retrying after error. error=Failed to make HTTP(S) request: Failed to make HTTP(S) request: error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:: self-signed certificate in certificate chain internal_log_rate_limit=true
Compared 5.7, ca_cert is not set in vector.toml
ca_cert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
The new generated config no longer contains the required ca_cert.
Version-Release number of selected component (if applicable):
5.8.0
How reproducible:
1. Forward logs to lokistack, but not use as default output,
#!/usr/bin/env bash lokistack_name="${1:-lokistack-sample}" lokistack_namespace="${2:-openshift-logging}" if [[ $1 == "" ]] ; then echo Warn: no \$1, use default name lokistack-sample fi if ! oc get lokistack $lokistack_name -o name -n $lokistack_namespace >/dev/null ; then echo Error: Can not find lokistack $lokistack_name exit 1 fi cat <<EOF |oc create -f - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ${lokistack_name}-collectors rules: - apiGroups: - 'loki.grafana.com' resources: - application - infrastructure - audit resourceNames: - logs verbs: - 'create' - 'get' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: ${lokistack_name}-collectors roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: ${lokistack_name}-collectors subjects: - kind: ServiceAccount name: logcollector namespace: openshift-logging EOF gataway_svc_name="${lokistack_name}-gateway-http.${lokistack_namespace}.svc:8080" cat <<EOF |oc apply -f - apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: outputs: - name: loki-app type: loki url: https://${gataway_svc_name}/api/logs/v1/application - name: loki-infra type: loki url: https://${gataway_svc_name}/api/logs/v1/infrastructure - name: loki-audit type: loki url: https://${gataway_svc_name}/api/logs/v1/audit pipelines: - name: infro-to-loki inputRefs: - infrastructure outputRefs: - loki-infra - name: app-to-loki inputRefs: - application outputRefs: - loki-app - name: audit-to-loki inputRefs: - audit outputRefs: - loki-audit EOF
cat <<EOF | oc create -f - apiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" namespace: openshift-logging spec: managementState: "Managed" collection: type: "vector" EOF
2. Check the collector logs
Actual results:
Logs can not be forward to default lokistack.
Expected results:
Additional info:
- clones
-
LOG-4852 Vector collector Pods no longer picks up the log collector SAs Secret as a fallback
- Closed
- links to
- mentioned on