logging-loki-ruler pods are not injected with custom CA certificate defined in LokiStack in RHOCP 4

Solution Verified - Updated -

Issue

  • logging-loki-ruler pods are unable to evaluate the AlertingRule.
  • logging-loki-ruler pods fail to establish a connection with object storage because certificate validation fails:

    level=error ts=2023-11-20T19:04:56.601682008Z caller=compat.go:78 user=infrastructure rule_name=k8sallowedrepos rule_type=alerting query="(sum(count_over_time({kubernetes_namespace_name=\"openshift-logging\"} | json | openshift_labels_cluster_name=\"abc\" | kubernetes_event_reason=\"FailedCreate\" | message=~\".*denied.*\" | message=~\".*trusted-repos.*\"[10m])) > 5)" query_hash=834209125 msg="rule evaluation failed" err="failed to load chunk 'infrastructure/862880de39542850/18bedaadd36:18bee18f903:6b1e191c': failed to get s3 object: RequestError: send request failed\ncaused by: Get \"https://s3.storage.example.com:443/observability-observability/infrastructure/862880de39542850/18bedbadd36%3B18bee19f903%3A6b1e191c\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
    
  • The CA certificate defined in the LokiStack custom resource is not injected into the logging-loki-ruler pods.
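
To triage this symptom across many ruler log lines, the following added example (not part of the original article and not Red Hat code) parses the logfmt layout shown above and returns the tenant, rule and object storage endpoint for each rule evaluation that failed CA validation. The sample lines are constructed, modelled on the log entry above, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# One logfmt pair: key=value, value either bare or double-quoted with \ escapes.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
URL = re.compile(r'https://[^\s"\\]+')
TRUST_ERR = "x509: certificate signed by unknown authority"

# Constructed sample lines, modelled on the log entry above.
SAMPLE = [
    r'level=error ts=2023-11-20T19:04:56Z caller=compat.go:78 user=infrastructure '
    r'rule_name=k8sallowedrepos query="{kubernetes_namespace_name=\"openshift-logging\"} | json" '
    r'msg="rule evaluation failed" err="failed to get s3 object: RequestError: send request '
    r'failed\ncaused by: Get \"https://s3.storage.example.com:443/bucket/chunk\": tls: failed '
    r'to verify certificate: x509: certificate signed by unknown authority"',
    r'level=error ts=2023-11-20T19:05:56Z caller=compat.go:78 user=application '
    r'rule_name=slowrule msg="rule evaluation failed" err="context deadline exceeded"',
    r'level=info ts=2023-11-20T19:06:00Z msg="constructed non-error line"',
]

def parse_logfmt(line):
    """Split a logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', lambda m: "\n" if m.group(1) == "n" else m.group(1), raw[1:-1])
        fields[key] = raw
    return fields

def untrusted_endpoints(lines):
    """Return {(tenant, rule_name, host:port)} for rule evaluations that failed CA validation."""
    hits = set()
    for line in lines:
        f = parse_logfmt(line)
        err = f.get("err", "")
        if f.get("msg") != "rule evaluation failed" or TRUST_ERR not in err:
            continue
        m = URL.search(err)
        hits.add((f.get("user"), f.get("rule_name"), urlsplit(m.group(0)).netloc if m else "unknown"))
    return hits

if __name__ == "__main__":
    for tenant, rule, endpoint in sorted(untrusted_endpoints(SAMPLE)):
        print(f"tenant={tenant} rule={rule} untrusted endpoint={endpoint}")
```

The endpoint it reports is the host whose issuing CA the ruler pod does not trust, which is the certificate to compare against the CA referenced in the LokiStack custom resource.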

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat OpenShift Logging (RHOL)
    • 5.7
    • 5.8
    • 5.9
