Bug 1688642 - Metrics Installation adds wrong and not complete list of secrets to serviceaccount [3.9.z]
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Hawkular
Version: 3.9.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 3.9.z
Assignee: Jan Martiska
QA Contact: Junqi Zhao
Depends On:
Blocks: 1689113 1689114
Reported: 2019-03-14 07:07 UTC by Simon Reber
Modified: 2019-04-16 04:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1689113 1689114 (view as bug list)
Last Closed:
Target Upstream Version:


Description Simon Reber 2019-03-14 07:07:45 UTC
Description of problem:

When installing OpenShift Container Platform - Metrics, running playbooks/openshift-metrics/config.yml will trigger role `openshift_metrics`.

In there, `serviceaccounts` are being created and respective secrets added:

The list of secrets though is not complete and also incorrect, causing issues when secret whitelisting is being used for serviceaccounts (as they need to be added manually after the installation).

So when checking the `openshift_metrics` role we can see the following `secret` being added:

> hawkular:
> - hawkular-hawkular-metrics-secrets-secrets
> cassandra:
> - hawkular-hawkular-cassandra-secrets-secrets
> heapster:
> - heapster-secrets
> - hawkular-metrics-certs 
> - hawkular-metrics-account

Checking the final installation, we can see the following `secrets` being used/added by `serviceaccount`.

> cassandra:
> - hawkular-cassandra-certs
> hawkular:
> - hawkular-metrics-certs
> - hawkular-metrics-account
> heapster:
> - heapster-secrets
> - heapster-certs
> - hawkular-metrics-certs
> - hawkular-metrics-account

Version-Release number of selected component (if applicable):

> oc v3.9.68
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:

 - Always

Steps to Reproduce:
1. Install OpenShift Container Platform - Metrics, following
2. Check secrets added to service account and actually used by the components 

Actual results:

$ oc describe sa cassandra
Name:                cassandra
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         <none>
Image pull secrets:  cassandra-dockercfg-dv8ld
Mountable secrets:   hawkular-hawkular-cassandra-secrets-secrets (not found)
Tokens:              cassandra-token-nfrzn
Events:              <none>

$ oc describe sa hawkular
Name:                hawkular
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         <none>
Image pull secrets:  hawkular-dockercfg-8chvq
Mountable secrets:   hawkular-hawkular-metrics-secrets-secrets (not found)
Tokens:              hawkular-token-kcq4v
Events:              <none>

$ oc describe sa heapster
Name:                heapster
Namespace:           openshift-infra
Labels:              metrics-infra=support
Image pull secrets:  heapster-dockercfg-dtv6z
Mountable secrets:   heapster-secrets
Tokens:              heapster-token-dwgcg
Events:              <none>

Expected results:

Correct secrets being added to respective service accounts to make it work as expected/intended

Additional info:

 - The same issue also exists in OpenShift Container Platform 3.10 and 3.11
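
Added example (not part of the original report or of the `openshift_metrics` role): a small check that parses `oc describe sa` output and reports, per service account, secrets that are listed but do not exist and secrets that are in use but not listed. The sample input is trimmed from the output above, the in-use list is the one given in the report, and the handling of indented continuation lines for accounts with several mountable secrets is an assumption about the `oc describe` layout.

```python
import re

# Trimmed from the `oc describe sa` output in the report above.
DESCRIBE = """\
Name:                cassandra
Mountable secrets:   hawkular-hawkular-cassandra-secrets-secrets (not found)
Tokens:              cassandra-token-nfrzn

Name:                hawkular
Mountable secrets:   hawkular-hawkular-metrics-secrets-secrets (not found)

Name:                heapster
Mountable secrets:   heapster-secrets
"""
# Secrets each component uses, copied from the report's second list.
IN_USE = {
    "cassandra": {"hawkular-cassandra-certs"},
    "hawkular": {"hawkular-metrics-certs", "hawkular-metrics-account"},
    "heapster": {"heapster-secrets", "heapster-certs",
                 "hawkular-metrics-certs", "hawkular-metrics-account"},
}
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")

def parse_mountable(text):
    """Map each service account to {secret: exists} from `oc describe sa` text."""
    accounts, current, in_mountable = {}, None, False
    for line in text.splitlines():
        field = FIELD.match(line)
        if field:
            key, value = field.groups()
            in_mountable = key == "Mountable secrets"
            if key == "Name":
                current = accounts.setdefault(value.strip(), {})
        elif in_mountable and line[:1].isspace():
            value = line  # continuation line: another secret in the same field
        else:
            in_mountable = False
        if in_mountable and current is not None:
            name = value.replace("(not found)", "").strip()
            if name and name != "<none>":
                current[name] = "(not found)" not in value
    return accounts

def audit(describe_text, in_use):
    """Per account: listed-but-absent ('dangling') and used-but-unlisted ('missing')."""
    listed = parse_mountable(describe_text)
    return {sa: {"dangling": sorted(s for s, ok in listed.get(sa, {}).items() if not ok),
                 "missing": sorted(in_use.get(sa, set()) - set(listed.get(sa, {})))}
            for sa in sorted(set(listed) | set(in_use))}

if __name__ == "__main__":
    for sa, result in audit(DESCRIBE, IN_USE).items():
        print(sa, result)
```

With secret whitelisting enabled, every entry under "missing" is a secret the component needs but its service account is not permitted to mount, which is why the entries have to be added manually after installation.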

Comment 1 Jan Martiska 2019-03-14 11:30:22 UTC
3.9 PR:
