Bug 1688642 - Metrics Installation adds wrong and not complete list of secrets to serviceaccount [3.9.z]
Keywords:
Status: MODIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Hawkular
Version: 3.9.0
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
Target Release: 3.9.z
Assignee: Jan Martiska
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks: 1689113 1689114
Reported: 2019-03-14 07:07 UTC by Simon Reber
Modified: 2019-04-16 04:58 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1689113 1689114
Environment:
Last Closed:
Target Upstream Version:



Description Simon Reber 2019-03-14 07:07:45 UTC
Description of problem:

When installing OpenShift Container Platform - Metrics, running playbooks/openshift-metrics/config.yml will trigger role `openshift_metrics`.

In there, `serviceaccounts` are being created and respective secrets added:

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml#L9

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_metrics/tasks/install_heapster.yaml#L25

The list of secrets though is not complete and also incorrect, causing issues when secret whitelisting is being used for serviceaccounts (as they need to be added manually after the installation).

So when checking the `openshift_metrics` role we can see the following `secrets` being added:

> hawkular:
> - hawkular-hawkular-metrics-secrets-secrets
> cassandra:
> - hawkular-hawkular-cassandra-secrets-secrets
> heapster:
> - heapster-secrets
> - hawkular-metrics-certs 
> - hawkular-metrics-account

Checking the final installation, we can see the following `secrets` being used/added by `serviceaccount`.

> cassandra:
> - hawkular-cassandra-certs
> hawkular:
> - hawkular-metrics-certs
> - hawkular-metrics-account
> heapster:
> - heapster-secrets
> - heapster-certs
> - hawkular-metrics-certs
> - hawkular-metrics-account

Version-Release number of selected component (if applicable):

> oc v3.9.68
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:

 - Always

Steps to Reproduce:
1. Install OpenShift Container Platform - Metrics, following https://docs.openshift.com/container-platform/3.9/install_config/cluster_metrics.html#deploying-the-metrics-components
2. Check secrets added to service account and actually used by the components 

Actual results:

$ oc describe sa cassandra
Name:                cassandra
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         <none>
Image pull secrets:  cassandra-dockercfg-dv8ld
Mountable secrets:   hawkular-hawkular-cassandra-secrets-secrets (not found)
                     cassandra-dockercfg-dv8ld
                     cassandra-token-nfrzn
Tokens:              cassandra-token-nfrzn
                     cassandra-token-w5wqf
Events:              <none>

$ oc describe sa hawkular
Name:                hawkular
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         <none>
Image pull secrets:  hawkular-dockercfg-8chvq
Mountable secrets:   hawkular-hawkular-metrics-secrets-secrets (not found)
                     hawkular-token-kcq4v
                     hawkular-dockercfg-8chvq
Tokens:              hawkular-token-kcq4v
                     hawkular-token-p6ml4
Events:              <none>

$ oc describe sa heapster
Name:                heapster
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"labels":{"metrics-infra":"support"},"name":"heapster","namespace":"openshift-i...
Image pull secrets:  heapster-dockercfg-dtv6z
Mountable secrets:   heapster-secrets
                     hawkular-metrics-certs
                     hawkular-metrics-account
                     heapster-token-lbb9m
                     heapster-dockercfg-dtv6z
Tokens:              heapster-token-dwgcg
                     heapster-token-lbb9m
Events:              <none>

Expected results:

Correct secrets being added to respective service accounts to make it work as expected/intended

Additional info:

 - The same issue also exists in OpenShift Container Platform 3.10 and 3.11
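
The comparison the report does by hand (declared mountable secrets versus secrets the pods actually reference) can be scripted. The block below is an added example, not code from the bug report or from openshift-ansible. It reads the `items` of `oc get sa,secrets,pods -n openshift-infra -o json` and, per ServiceAccount, lists declared secrets that do not exist (the `(not found)` entries in `oc describe sa`) and secrets the SA's pods use but the SA does not declare, which are the ones rejected once the `kubernetes.io/enforce-mountable-secrets: "true"` annotation ("secret whitelisting") is set. The secret and SA names in the embedded sample mirror the report; the pod specs are constructed for illustration and are not the real metrics templates. Which pod fields the serviceaccount admission plugin actually enforces varies by version (secret volumes and env `secretKeyRef` are the ones I rely on; `envFrom` and projected sources are included so the audit misses nothing), so treat that list as an assumption and confirm against your cluster.

```python
# Added example (not from the bug report or openshift-ansible): audit which
# mountable secrets each ServiceAccount declares versus what its pods use.
# Usage: python sa_secret_audit.py [oc-get-sa,secrets,pods-o-json.json]
# Without an argument it runs on the constructed SAMPLE below.
import json
import sys

ENFORCE = "kubernetes.io/enforce-mountable-secrets"


def declared_mountable(sa):
    """Names in the SA's `secrets` list (the 'Mountable secrets' of oc describe sa)."""
    return {s["name"] for s in sa.get("secrets") or []}


def referenced_by_pod(pod):
    """Secret names a pod spec reaches for. Assumption: secret volumes and env
    secretKeyRef are what admission enforces; envFrom/projected added for completeness."""
    spec = pod["spec"]
    refs = set()
    for vol in spec.get("volumes") or []:
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
        for src in (vol.get("projected") or {}).get("sources") or []:
            if "secret" in src:
                refs.add(src["secret"]["name"])
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        for ef in c.get("envFrom") or []:
            if "secretRef" in ef:
                refs.add(ef["secretRef"]["name"])
        for env in c.get("env") or []:
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                refs.add(ref["name"])
    return refs


def audit(items):
    """items: v1 objects (ServiceAccount, Secret, Pod) from one namespace.
    Returns {sa_name: {"not_found": [...], "undeclared": [...], "enforced": bool}}."""
    existing = {o["metadata"]["name"] for o in items if o["kind"] == "Secret"}
    sas = {o["metadata"]["name"]: o for o in items if o["kind"] == "ServiceAccount"}
    used = {name: set() for name in sas}
    for pod in (o for o in items if o["kind"] == "Pod"):
        sa_name = pod["spec"].get("serviceAccountName", "default")
        used.setdefault(sa_name, set()).update(referenced_by_pod(pod))
    report = {}
    for name, sa in sas.items():
        declared = declared_mountable(sa)
        annotations = sa["metadata"].get("annotations") or {}
        report[name] = {
            "not_found": sorted(declared - existing),      # dangling entries
            "undeclared": sorted(used[name] - declared),   # break under enforcement
            "enforced": annotations.get(ENFORCE) == "true",
        }
    return report


# --- constructed sample mirroring the report (pod specs are illustrative) ---
def _secret(name):
    return {"kind": "Secret", "metadata": {"name": name}}


def _sa(name, secrets, enforce=False):
    return {"kind": "ServiceAccount",
            "metadata": {"name": name, "annotations": {ENFORCE: "true"} if enforce else {}},
            "secrets": [{"name": s} for s in secrets]}


def _pod(name, sa, volume_secrets, env_secrets=()):
    env = [{"name": s.upper().replace("-", "_"),
            "valueFrom": {"secretKeyRef": {"name": s, "key": "value"}}} for s in env_secrets]
    return {"kind": "Pod", "metadata": {"name": name},
            "spec": {"serviceAccountName": sa,
                     "volumes": [{"name": s, "secret": {"secretName": s}} for s in volume_secrets],
                     "containers": [{"name": "main", "env": env}]}}


SAMPLE = [_secret(n) for n in ("hawkular-metrics-certs", "hawkular-metrics-account",
                               "hawkular-cassandra-certs", "heapster-secrets",
                               "heapster-certs")] + [
    _sa("cassandra", ["hawkular-hawkular-cassandra-secrets-secrets"], enforce=True),
    _sa("hawkular", ["hawkular-hawkular-metrics-secrets-secrets"], enforce=True),
    _sa("heapster", ["heapster-secrets", "hawkular-metrics-certs", "hawkular-metrics-account"]),
    _pod("hawkular-cassandra-1", "cassandra", ["hawkular-cassandra-certs"]),
    _pod("hawkular-metrics-1", "hawkular", ["hawkular-metrics-certs", "hawkular-metrics-account"]),
    _pod("heapster-1", "heapster", ["heapster-secrets", "heapster-certs", "hawkular-metrics-certs"],
         env_secrets=["hawkular-metrics-account"]),
]


def main():
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE
    for sa_name, r in audit(items).items():
        flag = " (enforce-mountable-secrets: true)" if r["enforced"] else ""
        print(f"{sa_name}{flag}")
        print("  declared but not found:", ", ".join(r["not_found"]) or "-")
        print("  used but not declared: ", ", ".join(r["undeclared"]) or "-")


if __name__ == "__main__":
    main()
```

On the sample this flags the two dangling `*-secrets-secrets` entries and, for each SA, the secrets the playbook never declared (`hawkular-cassandra-certs`, `hawkular-metrics-certs`/`hawkular-metrics-account`, `heapster-certs`). Against a live cluster, run it on the JSON before turning on `enforce-mountable-secrets`, then `oc patch sa <name> -p '{"secrets":[...]}'` to add the missing names; the controller-generated token and dockercfg secrets are already in the list and are left alone.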

Comment 1 Jan Martiska 2019-03-14 11:30:22 UTC
3.9 PR: https://github.com/openshift/openshift-ansible/pull/11353

