LOG-4852: Vector collector Pods no longer picks up the log collector …

…SAs Secret as a fallback
openshift · Dec 8, 2023 · 66d75b4 · 66d75b4
1 parent fc43817
commit 66d75b4
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/internal/generator/vector/output/loki/loki.go b/internal/generator/vector/output/loki/loki.go
@@ -2,9 +2,10 @@ package loki
 
 import (
 	"fmt"
-	"github.com/openshift/cluster-logging-operator/internal/generator/vector/output"
 	"strings"
 
+	"github.com/openshift/cluster-logging-operator/internal/generator/vector/output"
+
 	"github.com/openshift/cluster-logging-operator/internal/generator/vector/helpers"
 	"github.com/openshift/cluster-logging-operator/internal/generator/vector/normalize"
 
@@ -206,26 +207,33 @@ func Tenant(l *logging.Loki) Element {
 }
 
 func TLSConf(o logging.OutputSpec, secret *corev1.Secret, op Options) []Element {
+	conf := []Element{}
 	if isDefaultOutput(o.Name) {
 		// Set CA from logcollector ServiceAccount for internal Loki
 		tlsConf := security.TLSConf{
 			ComponentID: strings.ToLower(vectorhelpers.Replacer.Replace(o.Name)),
 			CAFilePath:  `"/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"`,
 		}
 		tlsConf.SetTLSProfileFromOptions(op)
-		return []Element{
-			tlsConf,
-		}
+		return append(conf, tlsConf)
 	}
+
 	if o.Secret != nil || (o.TLS != nil && o.TLS.InsecureSkipVerify) {
 
 		if tlsConf := security.GenerateTLSConf(o, secret, op, false); tlsConf != nil {
 			tlsConf.NeedsEnabled = false
-			return []Element{tlsConf}
+			conf = append(conf, tlsConf)
+		}
+	} else if secret != nil {
+		// Use secret of logcollector service account as backup
+		tlsConf := security.TLSConf{
+			ComponentID: strings.ToLower(vectorhelpers.Replacer.Replace(o.Name)),
+			CAFilePath:  `"/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"`,
 		}
+		conf = append(conf, tlsConf)
 	}
 
-	return []Element{}
+	return conf
 }
 
 func isDefaultOutput(name string) bool {