- Bug
- Resolution: Not a Bug
- Minor
- None
- Logging 5.9.z
- False
- None
- False
- NEW
- NEW
- Bug Fix
Description of problem:
Unable to set up LokiStack on a ROSA HCP cluster. After creating the LokiStack CR, the secret "logging-loki-managed-credentials" is not getting created automatically:
```yaml
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  creationTimestamp: "2024-07-06T14:25:13Z"
  generation: 1
  name: logging-loki
  namespace: openshift-logging
  resourceVersion: "37886"
  uid: 8ef2d38b-12f4-45f2-ab42-27ae6bc560c8
spec:
  managementState: Managed
  size: 1x.demo
  storage:
    schemas:
    - effectiveDate: "2024-04-02"
      version: v13
    secret:
      credentialMode: token-cco  # <<<=== Used token-cco mode (default)
      name: logging-loki-s3
      type: s3
  storageClassName: gp3-csi
  tenants:
    mode: openshift-logging
status:
  components: {}
  conditions:
  - lastTransitionTime: "2024-07-06T14:36:13Z"
    message: Missing OpenShift cloud credentials secret
    reason: MissingTokenCCOAuthenticationSecret  # <<<<==== Issue here
    status: "True"
    type: Degraded
  storage: {}
```
The CredentialsRequest resource is getting created, but the creation of the secret logging-loki-managed-credentials was not triggered. Interestingly, there is no status section available in this newly created CredentialsRequest. See below:
```yaml
kind: CredentialsRequest
metadata:
  creationTimestamp: "2024-07-06T14:25:17Z"
  generation: 1
  name: logging-loki
  namespace: openshift-logging
  ownerReferences:
  - apiVersion: loki.grafana.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: LokiStack
    name: logging-loki
    uid: 8ef2d38b-12f4-45f2-ab42-27ae6bc560c8
  resourceVersion: "35169"
  uid: 8529660f-323d-4dcf-b4b6-64fb4db43257
spec:
  cloudTokenPath: /var/run/secrets/storage/serviceaccount/token
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - s3:ListBucket
      - s3:PutObject
      - s3:GetObject
      - s3:DeleteObject
      effect: Allow
      resource: arn:aws:s3:*:*:*
    stsIAMRoleARN: <obfuscated>
  secretRef:
    name: logging-loki-managed-credentials
    namespace: openshift-logging
  serviceAccountNames:
  - logging-loki
  - logging-loki-ruler
# ---- No Status Section Available ----
```
Version-Release number of selected component (if applicable):
Loki Operator 5.9.z
How reproducible:
100%
Steps to Reproduce:
- Deploy Loki Operator and Red Hat OpenShift Logging Operator 5.9.z
- Navigate to the openshift-logging project and create a secret which contains the details of the S3 bucket and its region.
- Create LokiStack CR and check status of LokiStack CR.
```yaml
status:
  components: {}
  conditions:
  - lastTransitionTime: "2024-07-06T14:36:13Z"
    message: Missing OpenShift cloud credentials secret
    reason: MissingTokenCCOAuthenticationSecret
    status: "True"
    type: Degraded
```
Actual results:
- Secret logging-loki-managed-credentials is not created.
- Loki pods are not getting created because the secret is unavailable for mounting.
- CredentialsRequest CR got created.
- CredentialsRequest doesn't contain any status section in this situation.
- Loki Operator pod doesn't stream any logs related to secret logging-loki-managed-credentials not getting created.
Expected results:
The secret logging-loki-managed-credentials should get created in openshift-logging on a ROSA HCP cluster and should then get mounted in the Loki pods.
Additional info:
- The same config works fine on a ROSA Classic cluster.