Bug 1714484
Summary: | So many secrets generated under openshift-cluster-node-tuning-operator namespace after the cluster serve several days | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | weiwei jiang <wjiang> |
Component: | Node Tuning Operator | Assignee: | Jiří Mencák <jmencak> |
Status: | CLOSED ERRATA | QA Contact: | Simon <skordas> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.1.0 | CC: | jmencak, mifiedle, rhowe, sejug, skordas, sponnaga, xtian |
Target Milestone: | --- | Keywords: | OSE41z_next |
Target Release: | 4.1.z | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | 4.1.2 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: The reconciliation loop of the node-tuning operator unnecessarily updated the operand's service account.
Consequence: Accumulating secrets in the openshift-cluster-node-tuning-operator namespace.
Fix: Adjust the reconciliation loop to make sure the service account for the operand is created when it does not exist.
Result: Constant number of secrets in the openshift-cluster-node-tuning-operator namespace.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-19 06:45:34 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1718956 |
Description
weiwei jiang
2019-05-28 08:32:00 UTC
Fix for release-4.1 branch: https://github.com/openshift/cluster-node-tuning-operator/pull/59 *** Bug 1716600 has been marked as a duplicate of this bug. *** @jmencak - To safely delete the extraneous secrets, can all but the most recent tuned-token and tuned-dockercfg secrets be deleted? (In reply to Mike Fiedler from comment #11) > @jmencak - To safely delete the extraneous secrets, can all but the most > recent tuned-token and tuned-dockercfg secrets be deleted? Unfortunately, that wouldn't work. At this point, the suggested cleanup after an upgrade from a version affected by this bug to 4.1.1 (or a version that has the fix) is: $ oc get secrets -n openshift-cluster-node-tuning-operator | awk '/^tuned-/ {print $1}' | xargs oc delete secrets $ oc delete ds/tuned -n openshift-cluster-node-tuning-operator Checked with 4.1.0-0.nightly-2019-06-04-235906, and new fresh installation cluster will not burst so many secrets. And as jmencak said, existed thousands of secrets will not be cleaned. @skordas - Please update the existing node tuning operator basic functionality automation to add a sanity check on the number of secrets in project. Thanks a lot oc get clusterversions NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.1.0-0.nightly-2019-06-04-235906 True False 20h Cluster version is 4.1.0-0.nightly-2019-06-04-235906 # oc get secrets -n openshift-cluster-node-tuning-operator NAME TYPE DATA AGE builder-dockercfg-dp8dm kubernetes.io/dockercfg 1 20h builder-token-987xv kubernetes.io/service-account-token 4 20h builder-token-skzqw kubernetes.io/service-account-token 4 20h cluster-node-tuning-operator-dockercfg-zgwq9 kubernetes.io/dockercfg 1 20h cluster-node-tuning-operator-token-djrfq kubernetes.io/service-account-token 4 20h cluster-node-tuning-operator-token-jnkcw kubernetes.io/service-account-token 4 20h default-dockercfg-j999p kubernetes.io/dockercfg 1 20h default-token-26nlt kubernetes.io/service-account-token 4 20h default-token-wrf2s kubernetes.io/service-account-token 4 20h deployer-dockercfg-c4wzz kubernetes.io/dockercfg 1 20h deployer-token-54k7s kubernetes.io/service-account-token 4 20h deployer-token-cnf7s kubernetes.io/service-account-token 4 20h tuned-dockercfg-t6j85 kubernetes.io/dockercfg 1 20h tuned-token-2p74v kubernetes.io/service-account-token 4 20h tuned-token-4ptrb kubernetes.io/service-account-token 4 20h @mifiedle Test case and automation are updated: https://github.com/openshift/svt/pull/591 (In reply to weiwei jiang from comment #13) > Checked with 4.1.0-0.nightly-2019-06-04-235906, and new fresh installation > cluster will not burst so many secrets. > > And as jmencak said, existed thousands of secrets will not be cleaned. There is an upstream PR https://github.com/openshift/cluster-node-tuning-operator/pull/63 for automated removal of detached tuned secrets to perform the cleanup. Should the removal of secrets be tracked as part of this BZ or a new one created? Re: comment 16. Opened https://bugzilla.redhat.com/show_bug.cgi?id=1718842 to track this and targeted it for 4.1.2 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1382 |