Unable to fetch labels from Loki (Failed to call resource)... in Grafana when TLS is enabled in Loki
#344
Comments
We need to add one more relation in
|
@Abuelodelanada While the relation you mentioned might be needed as well, please note that it's not CA cert verification that's failing, the error is:
I checked the cert presented by the Loki endpoint visible in Grafana (well, by Traefik)
So trying to reach Loki on the Traefik IP instead of that FQDN will always fail as long as the Traefik IP is not included in SANs in that cert. Also, I tried the suggested relation and it didn't make any difference, Grafana is still failing to query Loki with the same error message. |
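Added example (not part of the thread or of the charm's code): a small checker for the mismatch described in the comment above, where the data source URL uses an IP literal but the certificate's SANs list only an FQDN. The SAN lists are constructed samples reusing the host and IP that appear in this thread; `san_covers` and `_dns_match` are hypothetical helper names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample SAN lists, in the "DNS:" / "IP Address:" form that
# `openssl x509 -text` prints. Host and IP are the ones used in this thread.
FQDN_ONLY = ["DNS:foobar.com"]
WITH_IP = ["DNS:foobar.com", "IP Address:192.168.1.251"]


def _dns_match(pattern: str, host: str) -> bool:
    """Match a dNSName SAN; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_covers(url: str, sans: list[str]) -> tuple[bool, str]:
    """Return (ok, reason): does the certificate's SAN list cover the URL host?"""
    host = urlsplit(url).hostname
    if not host:
        return False, "URL has no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # the host is a DNS name, not an IP literal
    for entry in sans:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip(), value.strip()
        if ip is not None:
            # An IP literal is only compared with iPAddress SANs, never dNSName.
            if kind in ("IP", "IP Address"):
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True, f"matched {entry}"
                except ValueError:
                    continue  # malformed SAN value, skip it
        elif kind == "DNS" and _dns_match(value, host):
            return True, f"matched {entry}"
    wanted = "iPAddress" if ip is not None else "dNSName"
    return False, f"no {wanted} SAN covers {host}"
```

Trusting the issuing CA does not change this result: name checking is a separate step from chain validation, so a trusted certificate can still be rejected for the URL's host.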
Hi @przemeklal! You are right, I was only testing with IP, not domain name. Let's try both scenarios:

Testing with Traefik using public IP

Let's deploy cos-lite this way in the model

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:cos]
╰─$ juju add-model ip
microk8s:admin/cos -> microk8s:admin/domain
╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:ip]
╰─$ juju deploy cos-lite --channel=edge --trust --overlay ./tls-overlay.yaml --overlay ./offers-overlay.yaml

Let's install

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:ip]
╰─$ juju ssh --container grafana grafana/0 "apt update && apt install -y curl"

Let's try to curl loki endpoint using traefik external IP from inside the grafana workload container:

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:ip]
╰─$ juju ssh --container grafana grafana/0 "curl https://192.168.1.251/ip-loki-0/ready"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
ERROR command terminated with exit code 60

Now, let's add the relation:

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:ip]
╰─$ juju relate grafana:receive-ca-cert external-ca

Let's try again to curl loki endpoint using traefik external IP from inside the grafana workload container:

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:ip]
╰─$ juju ssh --container grafana grafana/0 "curl https://192.168.1.251/ip-loki-0/ready"
ready

Testing with Traefik using a domain name

Let's deploy cos-lite this way in the model

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:ip]
╰─$ juju add-model domain
microk8s:admin/ip -> microk8s:admin/domain
╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:domain]
╰─$ juju deploy cos-lite --channel=edge --trust --overlay ./tls-overlay.yaml --overlay ./offers-overlay.yaml

Set external hostname for traefik:

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:domain]
╰─$ juju config traefik external_hostname=foobar.com

Let's install

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:domain]
╰─$ juju ssh --container grafana grafana/0 "apt update && apt install -y curl"

Let's add

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:domain]
╰─$ juju ssh --container grafana grafana/0 "echo 192.168.1.250 foobar.com >> /etc/hosts"

Now, let's try to curl loki endpoint using traefik external domain from inside the grafana workload container:

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:domain]
╰─$ juju ssh --container grafana grafana/0 "curl https://foobar.com/domain-loki-0/ready"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
ERROR command terminated with exit code 60

Now, let's add the relation:

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:domain]
╰─$ juju relate grafana:receive-ca-cert external-ca

Let's try again to curl loki endpoint using traefik external domain from inside the grafana workload container:

╭─ubuntu@charm-dev-juju-31 ~/repos [microk8s:domain]
╰─$ juju ssh --container grafana grafana/0 "curl https://foobar.com/domain-loki-0/ready"
ready
|
Great that it works for you but my issue is that the Traefik endpoint cert has only FQDN while in Grafana, Loki's data source URL uses an IP. This should be consistent in my opinion. Also, alertmanager and prometheus data sources don't use bare IP addresses, but
This isn't going to be persistent, is it? Also, is this |
@dstathis @simskij Issues that we discussed on the call:
tl;dr of how we got it to work in the end:
All data sources in Grafana work now, although Prometheus still uses the |
Nope, I did that just to try to reproduce your situation |
Hi @przemeklal As far as I know you could solve this in a call with Simme and Dylan. Closing. |
Bug Description
Grafana can't query Loki when TLS is enabled.
The following error is thrown on the Loki Data Source page.
In grafana.log I can see this whenever I click the "Test" button:
10.red.red.red is Traefik's IP, Loki URL appears as https://10.red.red.red/cos-loki-0 in Grafana.
Loki itself seems to be okay, the unit is active/idle, and I can run these commands just fine (please note -k parameter for curl):
I tried toggling this switch without any luck:
The same errors appear in grafana logs.
To Reproduce
Deploy COS Lite with the TLS overlay and go to Grafana. Versions are listed below.
Environment
Versions:
Relevant log output
Additional context
No response