Using the CloudWatch Logging add-on with ROSA STS Clusters
Environment
- Red Hat OpenShift Service on AWS (ROSA)
  - 4
- Red Hat OpenShift Dedicated (OSD)
  - 4
- AWS Security Token Service (STS)
- Logging add-on for Amazon CloudWatch
- Red Hat OpenShift Logging (RHOL)
  - 5
Issue
- ROSA clusters installed using the Security Token Service (STS) workflow do not have the ability to create the long-lived IAM credentials necessary for the Logging add-on to properly authenticate with AWS CloudWatch.
- The following message is shown in the clusterlogforwarder resource when installing the Logging add-on in a ROSA cluster with STS:
  invalid: unrecognized outputs: [cloudwatch], no valid outputs
Resolution
The Logging add-on operator in ROSA/OSD is now deprecated, and the recommendation is to install Red Hat OpenShift Logging in OSD and ROSA.
Starting with RHOL 5.5, it's now possible to configure the required permissions with a CredentialsRequest resource. Refer to Forwarding logs to Amazon CloudWatch from STS enabled clusters (for OSD clusters, change rosa to dedicated in the URL).
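A sketch of the CredentialsRequest approach mentioned above, added here as an example and not taken from this article or the linked documentation. The resource names, secret name, service account, region, log group prefix and IAM action list are assumptions to adapt to your cluster.

```yaml
# Assumed names throughout: cw-logging-credrequest, cw-secret, logcollector.
# The CredentialsRequest describes the IAM permissions the log collector's
# service account needs; on STS clusters it is backed by an IAM role
# assumed through the cluster's OIDC provider instead of a long-lived key.
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cw-logging-credrequest          # assumed name
  namespace: openshift-logging
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
      - effect: Allow
        action:                          # assumed minimal set for log delivery
          - logs:CreateLogGroup
          - logs:CreateLogStream
          - logs:DescribeLogGroups
          - logs:DescribeLogStreams
          - logs:PutLogEvents
          - logs:PutRetentionPolicy
        # Broad scope; narrow to your region, account and log group prefix
        # where possible to keep the role least-privileged.
        resource: arn:aws:logs:*:*:*
  secretRef:
    name: cw-secret                      # assumed secret name
    namespace: openshift-logging
  serviceAccountNames:
    - logcollector                       # assumed collector service account
---
# ClusterLogForwarder output that uses the secret above.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    - name: cw
      type: cloudwatch
      cloudwatch:
        groupBy: logType
        groupPrefix: my-cluster          # assumed prefix
        region: us-east-2                # assumed region
      secret:
        name: cw-secret
  pipelines:
    - name: to-cloudwatch
      inputRefs: [application, infrastructure, audit]
      outputRefs: [cw]
```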
Note: If the logging add-on is already installed in the cluster, it must be removed before installing the logging operator. To uninstall it, refer to Deleting an add-on service using Red Hat OpenShift Cluster Manager. If the uninstallation does not finish after some time, refer to Failed to delete Add-on Cluster-Logging-Operator in OSD or ROSA.
Root Cause
The Logging add-on operator in ROSA/OSD is now deprecated, and the recommendation is to install Red Hat OpenShift Logging in OSD and ROSA.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.