Bug 1695903
| Summary: | Could not monitor Elasticsearch with Prometheus with OCP 3.11 | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | hgomes |
| Component: | Logging | Assignee: | Jeff Cantrill <jcantril> |
| Status: | CLOSED ERRATA | QA Contact: | Anping Li <anli> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.11.0 | CC: | anpicker, aos-bugs, erooth, jcantril, mloibl, pkrupa, rmeggins, surbania |
| Target Milestone: | --- | ||
| Target Release: | 3.11.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: The oauth-proxy was not passing a user's token
Consequence: Elasticsearch did not have a token to evaluate if a user could retrieve metrics
Fix: add the proper switch to the oauth-proxy
Result: Users with the proper role can retrieve metrics
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-26 09:07:55 UTC | Type: | Bug |
Description
hgomes
2019-04-03 21:22:04 UTC
Each component is responsible for shipping their monitoring, so reassigning this to the logging component. As far as I am aware though the team has shipped scraping and alerting for 4.1, but I'd prefer if they would confirm that.

Metrics are available in 3.11, though during investigation of another issue I discovered we are unable to pull them through our proxy because of a missing switch. I will use this bz to fix that. I believe there may be a second issue, however, which we corrected in 4.x. I believe even if you provide the correct service account that you will not have properly signed certs unless you ignore who signed them. Logging creates its own certs and builds its own truststore.

To set up:
1. Define the service account in your inventory file (openshift_prometheus_namespace, openshift_logging_elasticsearch_prometheus_sa) which will be bound to this role: prometheus-metrics-viewer
2. Deploy logging using the 3.11 fix that will be associated with this bz
3. Retrieve metrics like: curl -k https://<logging-es-prometheus service>/_prometheus/metrics -H "Authorization: Bearer $sa_token"

I defer to the monitoring team how to configure prometheus as I'm unfamiliar with that end.

Following is the documentation we presently have regarding metrics [1].

[1] https://github.com/openshift/origin-aggregated-logging/blob/master/docs/metrics.md#elasticsearch

The metrics can be fetched using the token of serviceaccount system:serviceaccount:openshift-monitoring:prometheus-k8s.

@Frederic, you are correct: to display the Elasticsearch metrics and apply the rules, you need to provide rules files to Prometheus. That happened automatically in 4.x.

I'd like to close this bug, as Elasticsearch can expose the metrics via token. For further requirements, such as displaying metrics in Prometheus, please work around it yourself or file an RFE bug.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1605
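
A check for step 3 of the setup above, as an added example that is not part of the bug report or the logging project's code: it fetches `/_prometheus/metrics` with a service-account token and classifies the response. The function names and the `--run` argument are hypothetical, and reading 401/403 as a token or role-binding problem is an assumption; `-k` is kept because the report says logging signs its own certs.

```shell
#!/bin/sh
# Added example: verify that the Elasticsearch metrics endpoint honours a
# service-account bearer token. Function names here are hypothetical.

# classify_metrics_response HTTP_CODE BODY_FILE
# Prints a verdict; returns 0 only when the body holds Prometheus samples.
classify_metrics_response() {
    code="$1"; body="$2"
    case "$code" in
        200)
            # A sample line looks like: name{labels} value
            if grep -Eq '^[a-zA-Z_:][a-zA-Z0-9_:]*(\{.*\})? [-+0-9.eE]+' "$body"; then
                echo "ok"; return 0
            fi
            # 200 without samples, e.g. an HTML page instead of metrics.
            echo "no-metrics"; return 1 ;;
        401|403)
            # Assumption: token not forwarded by the proxy, or the service
            # account is not bound to prometheus-metrics-viewer.
            echo "denied"; return 1 ;;
        *)
            echo "error-$code"; return 1 ;;
    esac
}

# fetch_and_check SERVICE_HOST NAMESPACE SERVICE_ACCOUNT
fetch_and_check() {
    host="$1"; ns="$2"; sa="$3"
    token="$(oc serviceaccounts get-token "$sa" -n "$ns")" || return 2
    tmp="$(mktemp)"
    # -k mirrors the report: the logging certs are not signed by a CA the
    # client trusts, so the signer is ignored here.
    code="$(curl -sk -o "$tmp" -w '%{http_code}' \
        -H "Authorization: Bearer $token" \
        "https://$host/_prometheus/metrics")"
    classify_metrics_response "$code" "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh check.sh --run <logging-es-prometheus service> [namespace] [sa]
if [ "${1:-}" = "--run" ]; then
    fetch_and_check "$2" "${3:-openshift-monitoring}" "${4:-prometheus-k8s}"
fi
```

A `denied` verdict with a token from a correctly bound service account is the symptom this bug describes; `ok` after deploying the fix confirms the token reaches Elasticsearch.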