NETOBSERV-844: Unable to have a working statusUrl in FlowCollector with Loki Operator 5.6

    • NetObserv - Sprint 232, NetObserv - Sprint 233, NetObserv - Sprint 234
    • Moderate

      The statusUrl can be configured when creating the FlowCollector resource. When the FlowCollector has problems getting flow data, it calls the statusUrl with /ready appended to check whether Loki is able to respond to requests. This does not work when using Loki Operator 5.6.

      The /ready URL is not accessible through LokiStack gateway. You must access the Loki component, in this case, https://lokistack-query-frontend-http:3100/ready, assuming the LokiStack's name is "lokistack". Accessing the Loki component presents two problems.

      1. The Loki components require a client cert to prevent any arbitrary client from making changes. The client cert is in a secrets file named lokistack-gateway-client-http. However, the FlowCollector resource doesn't mount this so it is unable to access the tls.crt and tls.key files.

      2. The Loki components use a different server cert than the LokiStack gateway. This means the CA cert must be different if you are validating the server cert. The CA cert for the Loki components is a configmap named lokistack-ca-bundle in the file server-ca.crt. The FlowCollector resource also does not mount this, nor is there any way to configure this in FlowCollector.

      The same issues apply to querierUrl in FlowCollector, but when using Loki Operator 5.6, you would use url instead of querierUrl.

      -----------------------------------------------------

      To fix this issue, a new field `statusTls` has been added to the CRD as:

          statusTls:
            enable: true
            caCert:
              certFile: service-ca.crt
              name: loki-ca-bundle
              type: configmap
            userCert:
              certFile: tls.crt
              certKey: tls.key
              name: loki-query-frontend-http
              type: secret

      You need to specify both caCert and userCert for mTLS.
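      As an added illustration (not the operator's own code), this Go snippet shows what the statusTls fields amount to on the client side: trust the Loki component's CA, present the client cert and key from the secret, and probe statusUrl + /ready. It assumes enable is true and that the caller has already read the three files out of the configmap and secret; the type and function names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"strings"
)

// StatusTLSFiles holds the PEM contents named by the statusTls block (assumed shape).
type StatusTLSFiles struct {
	CAPEM   []byte // caCert.certFile: service-ca.crt from the loki-ca-bundle configmap
	CertPEM []byte // userCert.certFile: tls.crt from the loki-query-frontend-http secret
	KeyPEM  []byte // userCert.certKey: tls.key from the same secret
}

// ReadyURL appends the /ready path that is probed, tolerating a trailing slash.
func ReadyURL(statusURL string) string {
	return strings.TrimRight(statusURL, "/") + "/ready"
}

// NewTLSConfig builds the client TLS config. The Loki component uses its own
// server cert (so its CA must be trusted) and demands a client cert, so both
// caCert and userCert are required; a missing or unparsable file is an error.
func NewTLSConfig(f StatusTLSFiles) (*tls.Config, error) {
	if len(f.CAPEM) == 0 || len(f.CertPEM) == 0 || len(f.KeyPEM) == 0 {
		return nil, errors.New("statusTls: caCert and userCert are both required for mTLS")
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(f.CAPEM) {
		return nil, errors.New("statusTls: caCert contains no valid PEM certificate")
	}
	cert, err := tls.X509KeyPair(f.CertPEM, f.KeyPEM)
	if err != nil {
		return nil, err
	}
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

// CheckReady reports whether the Loki component answered /ready with HTTP 200.
func CheckReady(client *http.Client, statusURL string) (bool, error) {
	resp, err := client.Get(ReadyURL(statusURL))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}
```

      To use it against a real LokiStack, wrap the returned config in an http.Transport and pass that client to CheckReady with the statusUrl from the FlowCollector.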

            jpinsonn@redhat.com Julien Pinsonneau
            stlee@redhat.com Steven Lee
            Amogh Rameshappa Devapura