Details
-
Bug
-
Resolution: Done
-
Major
-
netobserv-ocp4.12
-
False
-
None
-
False
-
NetObserv - Sprint 232, NetObserv - Sprint 233, NetObserv - Sprint 234
-
Moderate
Description
The statusUrl can be configured when creating the FlowCollector resource. When the FlowCollector has problems getting flow data, it icalls the statusUrl appended with /ready to see if Loki is able to respond to requests. This does not work when using Loki Operator 5.6.
The /ready URL is not accessible through LokiStack gateway. You must access the Loki component, in this case, https://lokistack-query-frontend-http:3100/ready, assuming the LokiStack's name is "lokistack". Accessing the Loki component presents two problems.
1. The Loki components require a client cert to prevent any arbitrary client from making changes. The client cert is in a secrets file named lokistack-gateway-client-http. However, the FlowCollector resource doesn't mount this so it is unable to access the tls.crt and tls.key files.
2. The Loki components use a different server cert than the LokiStack gateway. This means the CA cert must be different if you are validating the server cert. The CA cert for the Loki components is a configmap named lokistack-ca-bundle in the file server-ca.crt. The FlowCollector resource also does not mount this, nor is there any way to configure this in FlowCollector.
The same issues apply to querierUrl in FlowCollector, but when using Loki Operator 5.6, you would use url instead of querierUrl.
-----------------------------------------------------
To fix this issue, a new field `statusTls` has been added to the CRD as:
statusTls:
enable: true
caCert:
certFile: service-ca.crt
name: loki-ca-bundle
type: configmap
userCert:
certFile: tls.crt
certKey: tls.key
name: loki-query-frontend-http
type: secret
You need to specify both caCert and userCert for mTLS
Attachments
Issue Links
- links to
- mentioned on
