Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-4881

Vector collector Pods no longer picks up the log collector SAs Secret as a fallback

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • NEW
    • Hide
      Before this update, forwarding with a legacy forwarder to an internal Lokistack would produce SSL certificate errors. With this update, the logcollector service account is used as the default service account for authentication, using it's associated token and ca.crt.
      Show
      Before this update, forwarding with a legacy forwarder to an internal Lokistack would produce SSL certificate errors. With this update, the logcollector service account is used as the default service account for authentication, using it's associated token and ca.crt.
    • Release Note Not Required
    • Log Collection - Sprint 246
    • ?

      Jira made to track fix into 5.9

      Description of problem:

      Using legacy method, Vector can forward to Lokistack instance deployed by loki-opreator on the same cluster.   But this legacy method doesn't works on 5.8.0.

      Vector pods raise error below

      2023-12-04T14:57:00.319654Z  WARN sink{component_kind="sink" component_id=loki_infra component_type=loki component_name=loki_infra}: vector::sinks::util::retries: Retrying after error. error=Failed to make HTTP(S) request: Failed to make HTTP(S) request: error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:: self-signed certificate in certificate chain internal_log_rate_limit=true  

      Compared 5.7,   ca_cert  is not set in vector.toml 

          ca_cert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
      

       

      The new generated config no longer contains the required ca_cert.

      Version-Release number of selected component (if applicable):

      5.8.0

      How reproducible:

      1. Forward logs to  lokistack, but not use as  default output,

      #!/usr/bin/env bash
      lokistack_name="${1:-lokistack-sample}"
      lokistack_namespace="${2:-openshift-logging}"
      if [[ $1 == "" ]] ; then
         echo Warn: no \$1, use default name lokistack-sample
      fi
      if ! oc get lokistack $lokistack_name -o name -n $lokistack_namespace >/dev/null ; then
         echo Error: Can not find lokistack $lokistack_name
         exit 1
      fi
      cat <<EOF |oc create -f -
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: ${lokistack_name}-collectors
      rules:
      - apiGroups:
        - 'loki.grafana.com'
        resources:
        - application
        - infrastructure
        - audit
        resourceNames:
        - logs
        verbs:
        - 'create'
        - 'get'
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: ${lokistack_name}-collectors
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: ${lokistack_name}-collectors
      subjects:
      - kind: ServiceAccount
        name: logcollector
        namespace: openshift-logging
      EOF
      gataway_svc_name="${lokistack_name}-gateway-http.${lokistack_namespace}.svc:8080"
      cat <<EOF |oc apply -f -
      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
         - name: loki-app
           type: loki
           url: https://${gataway_svc_name}/api/logs/v1/application
         - name: loki-infra
           type: loki
           url: https://${gataway_svc_name}/api/logs/v1/infrastructure
         - name: loki-audit
           type: loki
           url: https://${gataway_svc_name}/api/logs/v1/audit
        pipelines:
        - name: infro-to-loki
          inputRefs:
          - infrastructure
          outputRefs:
          - loki-infra
        - name: app-to-loki
          inputRefs:
          - application
          outputRefs:
          - loki-app
        - name: audit-to-loki
          inputRefs:
          - audit
          outputRefs:
          - loki-audit
      EOF
      
      cat <<EOF | oc create -f -
      apiVersion: "logging.openshift.io/v1"
      kind: "ClusterLogging"
      metadata:
        name: "instance"
        namespace: openshift-logging
      spec:
        managementState: "Managed"
        collection:
          type: "vector"
      EOF

      2. Check the collector logs

       

      Actual results:

      Logs can not be forward to default lokistack.

      Expected results:

      Additional info:

              rh-ee-calee Calvin Lee
              pgough@redhat.com Philip Gough
              Anping Li Anping Li
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: