OpenShift Logging / LOG-5146

LokiStack is in degraded condition with InvalidObjectStorageSecret issue on GCP STS cluster


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Undefined
    • None
    • Logging 5.9.0
    • Log Storage

      Description:
      LokiStack status is degraded with InvalidObjectStorageSecret issue. As per the documentation on the story, LokiStack should be able to stand up with gcs bucket name and key.json.

      spec:
        managementState: Managed
        rules:
          enabled: true
          namespaceSelector:
            matchLabels:
              openshift.io/cluster-monitoring: 'true'
          selector:
            matchLabels:
              openshift.io/cluster-monitoring: 'true'
        size: 1x.demo
        storage:
          schemas:
            - effectiveDate: '2023-10-15'
              version: v13
          secret:
            name: logging-loki-gcp-cloud-credentials
            type: gcs
        storageClassName: standard-csi
        tenants:
          mode: openshift-logging
      status:
        components: {}
        conditions:
          - lastTransitionTime: '2024-02-27T15:56:19Z'
            message: 'Invalid object storage secret contents: missing secret field: audience'
            reason: InvalidObjectStorageSecret
            status: 'True'
            type: Degraded
        storage: {}
      $ oc extract secret/logging-loki-gcp-cloud-credentials -n openshift-logging
      key.json
      bucketname
      $ cat key.json 
      {
        "type": "external_account",
        "audience": "<hidden>",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
          "file": "/var/run/secrets/gcp/serviceaccount/token",
          "format": {
            "type": "text"
          }
        },
        "service_account_impersonation_url": "<hidden>"
      }

      How reproducible: Always

      Steps to reproduce:
      1) Deploy Loki Operator v5.9.
      2) Create serviceaccount under your GCP project and perform policy binding (add roles to subjects: <lokistack_name> and <lokistack_name>-ruler service accounts)
      3) Create credentials config and output it to a credentials file.
      4) Use the credentials file and bucket to create object storage secret.
      5) Provision LokiStack CR with object storage secret.

      Expected Result: LokiStack should stand up and run successfully with credential_source mounted on Loki components.

      Actual Result: LokiStack is degraded.

      Assignee: Unassigned
      Reporter: Kabir Bharti (rhn-support-kbharti)
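
A pre-flight check for the object storage secret described in this report, as an added example that is not part of the original issue or of the Loki Operator. It assumes, from the status message above, that an external_account key.json must be accompanied by a separate audience key in the secret; the function names and sample values are constructed for illustration.

```python
import base64
import json

# Assumption inferred from the status message in this report: when key.json is an
# "external_account" credential, the secret needs its own "audience" key as well.
BASE_KEYS = ("bucketname", "key.json")


def check_gcs_secret(secret):
    """Return the problems found in a secret shaped like `oc get secret -o json`."""
    data = secret.get("data") or {}
    problems = [f"missing secret field: {key}" for key in BASE_KEYS if key not in data]
    if "key.json" not in data:
        return problems
    try:
        creds = json.loads(base64.b64decode(data["key.json"]))
    except ValueError as exc:  # covers bad base64 padding and invalid JSON
        return problems + [f"key.json is not base64-encoded JSON: {exc}"]
    if not isinstance(creds, dict) or creds.get("type") != "external_account":
        return problems  # not a workload identity credential, nothing more to check
    if "audience" not in data:
        problems.append("missing secret field: audience")
    elif base64.b64decode(data["audience"]).decode().strip() != creds.get("audience"):
        # Consistency check added for this example, not taken from the report.
        problems.append("secret field audience differs from audience in key.json")
    return problems


def b64(text):
    """Encode a string the way Kubernetes stores secret values."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample shaped like the secret in this report; all values are placeholders.
PLACEHOLDER_AUDIENCE = "//iam.googleapis.com/EXAMPLE-POOL-PLACEHOLDER"
KEY_JSON = json.dumps({
    "type": "external_account",
    "audience": PLACEHOLDER_AUDIENCE,
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
})
AS_REPORTED = {"data": {"bucketname": b64("example-bucket"), "key.json": b64(KEY_JSON)}}
WITH_AUDIENCE = {"data": dict(AS_REPORTED["data"], audience=b64(PLACEHOLDER_AUDIENCE))}

if __name__ == "__main__":
    for name, secret in (("as reported", AS_REPORTED), ("with audience", WITH_AUDIENCE)):
        print(name, "->", check_gcs_secret(secret) or "ok")
```

Running it against a real secret means passing the parsed output of `oc get secret <name> -o json` to `check_gcs_secret`, which keeps the credential contents out of the working directory.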