Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1689149 - Aggregated Logging installation does not add secret to serviceaccount
Summary: Aggregated Logging installation does not add secret to serviceaccount
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.9.0
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
: 3.9.z
Assignee: ewolinet
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks: 1690603 1690605
TreeView+ depends on / blocked
 
Reported: 2019-03-15 09:53 UTC by Simon Reber
Modified: 2019-04-09 14:20 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When using secret whitelisting the openshift-logging roles don't add the secret names to the created service accounts. Consequence: the service accounts don't have permissions to access the secrets. Fix: Secrets to be used by service accounts are added during SA creation. Result: The SA is able to use the secret even when whitelisting is used.
Clone Of:
: 1690603 1690605 (view as bug list)
Environment:
Last Closed: 2019-04-09 14:20:18 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0619 None None None 2019-04-09 14:20:27 UTC

Description Simon Reber 2019-03-15 09:53:20 UTC
Description of problem:

When installing OpenShift Container Platform - Aggregated Logging, running playbooks/openshift-logging/config.yml will trigger role `openshift_logging`.

In there, `serviceaccounts` are being created. Those are missing required secrets being assigned which is causing issues when secret whitelisting is being used for serviceaccounts (as they need to be added manually after the installation).

 - Elasticsearch

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_elasticsearch/tasks/main.yaml#L74

 - Curator

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_curator/tasks/main.yaml#L42

 - Fluentd

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_fluentd/tasks/main.yaml#L68

 - Kibana

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_kibana/tasks/main.yaml#L45

Since `oc_serviceaccount` does support adding secrets to serviceaccount (https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/lib_openshift/library/oc_serviceaccount.py#L95) this functionality should be used to better control the secret assignment.

When checking the details after successful installation, the following secrets should be added using the above function.

> aggregated-logging-fluentd:
> - logging-fluentd
> kibana:
> - logging-kibana
> - logging-kibana-proxy
> aggregated-logging-curator:
> - logging-curator
> aggregated-logging-elasticsearch:
> - prometheus-tls
> - logging-elasticsearch

Version-Release number of selected component (if applicable):

> oc v3.9.68
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:

 - Always

Steps to Reproduce:
1. Install OpenShift Container Platform - Aggregated Logging, following https://docs.openshift.com/container-platform/3.9/install_config/aggregate_logging.html#deploying-the-efk-stack
2. Check if and what secerts are being added to the respective service accounts the pods are running with
3.

Actual results:

None of the required secret is added to the respective service account

Expected results:

Required secrets added to the respective serviceaccount as per list below (may need to be extended in case I missed any)

> aggregated-logging-fluentd:
> - logging-fluentd
> kibana:
> - logging-kibana
> - logging-kibana-proxy
> aggregated-logging-curator:
> - logging-curator
> aggregated-logging-elasticsearch:
> - prometheus-tls
> - logging-elasticsearch

Additional info:

Issue is also present in OpenShift Container Platform 3.10 and 3.11

Comment 4 Anping Li 2019-03-25 10:56:24 UTC
The secret are append to whitelisting in openshift-ansible:v3.9.74

Comment 6 errata-xmlrpc 2019-04-09 14:20:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0619


Note You need to log in before you can comment on or make changes to this bug.