Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: Log Collection
Labels:
- devel_ack+

Blocked:
False
Blocked Reason:
None
Ready:
False
Docs QE Status:
NEW
QE Status:
NEW
Release Note Type:
Bug Fix
Intelligence Requested:
Market:

Severity:
Important
Customer Impact:

Customer Escalated

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Description of problem:

When log forwarding to cloudWatch using different AWS Role, all logs arrives to the first AWS role defined as it's taking the value from ENV variable and it only exists one.

ClusterLogForwarder definition:

 spec:
  inputs:
  - application:
      namespaces:
      - logforwarder1
    name: namespace1
  - application:
      namespaces:
      - logforwarder2
    name: namespace2
  outputs:
  - cloudwatch:
      groupPrefix: /path/logforwarder1
      region: us-east-1
    name: cloudwatch-namespace1
    secret:
      name: cw-sts-credentials1
    type: cloudwatch
  - cloudwatch:
      groupPrefix: /path/logforwarder2
      region: us-east-1
    name: cloudwatch-namespace2
    secret:
      name: cw-sts-credentials2
    type: cloudwatch
  pipelines:
  - inputRefs:
    - namespace1
    name: namespace1-logs-to-cloudwatch
    outputRefs:
    - cloudwatch-namespace1
    parse: json
  - inputRefs:
    - namespace2
    name: namespace2-logs-to-cloudwatch
    outputRefs:
    - cloudwatch-namespace2
    parse: json

Environment variable in the collector pods is only one, the one matching the first secret. And this variable is used for both outputs defined. Then, all the logs are sent to the same AWS Role

$ oc rsh <vector pod>
$ env |grep -i AWS
AWS_REGION=xxxxx
AWS_ROLE_ARN=xxxxx
AWS_ROLE_SESSION_NAME=xxxxx

Version-Release number of selected component (if applicable):

Logging 5.8 and 5.9 latest versions

How reproducible:

Always

Steps to Reproduce:

Create a clusterlogforwarder as visible in the "Description of Problem" where the AWS role in `cw-sts-credentials1` is different to the set in `cw-sts-credentials2`

Actual results:

Logs from the namespace1 and namespace2 are all of them set to the AWS role defined in the first secret as the variable used by Vector is taken from Environment pod variables:

$ oc rsh <vector pod> 
$ env |grep -i AWS
AWS_REGION=xxxxx
AWS_ROLE_ARN=xxxxx
AWS_ROLE_SESSION_NAME=xxxxx

Expected results:

Expected to log forwarder the logs from:

- namespace1 to the output `cloudwatch-namespace1` using the AWS role set in `cw-sts-credentials1`

- namespace2 to the output `cloudwatch-namespace2` using the AWS role set in `cw-sts-credentials2`

Additional info:

relates to

OBSDOCS-1141 Can't use multiple AWS "role" secrets in a single CLF when authenticating to cloudWatch via STS

LOG-3650 HyperShift for ROSA - Support STS CW Forwarding to Multiple Outputs

To Do

LOG-4029 Support STS Cloudwatch authentication for logging in Managed Clusters

Closed

LOG-5640 Add validation to reject when CW outputs spec different web identities and roleARN

Closed

links to

[KCS] Vector log forwards all the logs at the same AWS Role in RHOCP 4

Assignee:: Unassigned

Reporter:: Oscar Casal Sanchez

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/05/15 4:19 PM

Updated:: 2024/07/22 1:54 PM

Resolved:: 2024/07/22 1:54 PM

Details

Description

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Attachments

Issue Links

Activity

People

Dates