Bug
Resolution: Unresolved
Major
Logging 6.4.z
Incidents & Support
NEW
Bug Fix
Moderate
Description of problem:
When log forwarding is configured to the *lokiStack* or *loki* sink with ".spec.outputs[lokistack].tls.ca.configMapName" and ".spec.outputs[lokistack].tls.ca.key" set, and the certificate in ".spec.outputs[lokistack].tls.ca.key" changes, the Logging Operator does not restart the collector pods so that they use the new certificate.
*Note*: only verified for LokiStack and loki outputs, not yet tested for the rest of the output types.
Version-Release number of selected component (if applicable):
Logging 6.4.1
How reproducible:
Not able to reproduce when using the "openshift-service-ca.crt" configmap, as the validity period is long and the certificate does not expire in a lab.
// certificate validity
Not Before: Dec 11 22:44:45 2025 GMT
Not After : Feb 9 22:44:46 2028 GMT
To reproduce it, the LokiStack was configured to use a manually created configmap.
Steps to Reproduce:
- Create the "ca-test.crt" configmap that will contain the CA used to connect to the LokiStack [0]
- Create a "clusterLogForwarder" using the clusterLogForwarder CR from [1], which uses the "ca-test.crt" configmap to connect to the LokiStack
- Verify that all the collectors are started
- Create a YAML file with the content from [2] and replace the configmap content [3]
Actual results:
Collector pods are not restarted by the Logging operator
Expected results:
The Logging Operator watches the resources used by the collector to connect to the LokiStack and restarts the collector pods if these resources change.
Additional info:
[0]
apiVersion: v1
data:
  service-ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDUTCCAjmgAwIBAgIIVvQZypbfpPEwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
    Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc0MjM5NTE5MzAe
    Fw0yNTAzMTkxNDM5NTJaFw0yNzA1MTgxNDM5NTNaMDYxNDAyBgNVBAMMK29wZW5z
    aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NDIzOTUxOTMwggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvDxrUULYtKsS9jGpfgQ+noIHoOsb9bWty
    jGqNLL7DBSD4ME1q/92N9t8HqaI34g/s05lQ23Ns5ffL9XvY1Z4Q1XXmtzWAjiOT
    IExNi8q0P7yAW5w8a8jKoJc+s6IsMnCY4bcQ6ElvuHUL1py7f6EPSn+O6jdyDuN3
    wPHntHau9kEl7a7HRMxL7JdrsCYhojgRGoFCxYGkpRGNPaPJ64RCXGuI0aVG0vnk
    akca+a5e14QOpvBa/DJWWghmteos/yHisiYy1rcVm6y7LwPd3850RQnJYnumQVxA
    W8G5FpXKBfKT0cH5S3pt7FDXP8gCBDV1b2y30lvqscOnHwshE6wvAgMBAAGjYzBh
    MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRUe2b7
    mN5h3kL2r1kLMN4w2rtkITAfBgNVHSMEGDAWgBRUe2b7mN5h3kL2r1kLMN4w2rtk
    ITANBgkqhkiG9w0BAQsFAAOCAQEAovsJyunXncybI9NxYcJ0+TLPYJ/HifwjFGaq
    osN9Gn+GarCtBgGkPLz6M4xGnEjDDbr9uucLGH1goJMDlYQEPEtv4LAzOLt4L6sq
    W3VjdzwxfFMMzhKLh0vvgk1bszTADYXmKxo6odOOn4gJNsnSRUioNfZ6DzcZA76z
    VBIJA6Lk1c4fo8m9KCe8MCu/HZk10s2A+KR3nIhGI5bmNLGUhdxMm90Z4Fy+e8OG
    dzxPtXYo4IjAjPZTKsguM0T8msMULfarXHogVILKj/3XVuVnj8SNHTSerIP1yB9g
    ndE2dAbtnM1W8QSZdMN0JAc8ZDPkzyq4o7DFP2Z+hjeZjjGP6g==
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  name: ca-test.crt
  namespace: openshift-logging
[1]
apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: collector
  namespace: openshift-logging
spec:
  managementState: Managed
  outputs:
  - lokiStack:
      authentication:
        token:
          from: serviceAccount
      target:
        name: logging-loki
        namespace: openshift-logging
    name: ocp-lokistack
    tls:
      ca:
        configMapName: ca-test.crt
        key: service-ca.crt
    type: lokiStack
  pipelines:
  - inputRefs:
    - application
    - infrastructure
    name: default
    outputRefs:
    - ocp-lokistack
  serviceAccount:
    name: collector
[2]
apiVersion: v1
data:
  service-ca.crt: |
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  name: ca-test.crt
  namespace: openshift-logging
[3]
$ diff ca-test.crt ca-test-mod.crt
5,22c5,22
< MIIDUTCCAjmgAwIBAgIIVvQZypbfpPEwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
[...]
---
> MIIDUTCCAjmgAwIBAgIIfuUsWnFIVccwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
[...]
/// Replace the configmap with the modified content
$ oc replace -f ca-test-mod.crt
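
One way to check a cluster for the condition described in this report, as an added example (not part of the original report and not the Logging Operator's code): it fingerprints the old and new CA bundles and lists the pods that started before the configmap was last written. It assumes its inputs are the JSON from `oc get configmap ca-test.crt -n openshift-logging -o json` and from `oc get pods -n openshift-logging -o json`; the function names, pod names, timestamps and certificate bytes below are constructed for illustration.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def ca_fingerprints(pem_bundle):
    """SHA-256 fingerprint of the DER bytes of every certificate in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_bundle)}

def parse_ts(value):
    # Kubernetes serialises these timestamps as UTC, e.g. 2026-01-12T15:30:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def last_written(configmap):
    """Latest managedFields time: a heuristic for when the ConfigMap last changed."""
    return max(parse_ts(m["time"]) for m in configmap["metadata"]["managedFields"])

def stale_collectors(configmap, pods):
    """Names of pods that started before the last ConfigMap write (unstarted pods skipped)."""
    changed = last_written(configmap)
    return sorted(p["metadata"]["name"] for p in pods["items"]
                  if p["status"].get("startTime")
                  and parse_ts(p["status"]["startTime"]) < changed)

# Constructed sample data: placeholder bytes, not real certificates or cluster output.
def make_pem(raw):
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

OLD_CA, NEW_CA = make_pem(b"constructed-ca-v1"), make_pem(b"constructed-ca-v2")
CONFIGMAP = {
    "metadata": {"name": "ca-test.crt", "managedFields": [
        {"time": "2026-01-10T09:00:00Z"}, {"time": "2026-01-12T15:30:00Z"}]},
    "data": {"service-ca.crt": NEW_CA},
}
PODS = {"items": [
    {"metadata": {"name": "collector-aaaaa"}, "status": {"startTime": "2026-01-10T09:05:00Z"}},
    {"metadata": {"name": "collector-bbbbb"}, "status": {"startTime": "2026-01-12T16:00:00Z"}},
    {"metadata": {"name": "collector-ccccc"}, "status": {}},
]}

if __name__ == "__main__":
    if ca_fingerprints(OLD_CA) != ca_fingerprints(CONFIGMAP["data"]["service-ca.crt"]):
        print("CA changed; started before the change:", stale_collectors(CONFIGMAP, PODS))
```

The managedFields time also moves on writes that leave the CA data untouched, so the fingerprint comparison is what confirms the certificate itself changed.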