Bug 1746212

Summary: [3.11] metrics-server-certs secret does not be removed after metrics-server uninstall due to incorrect label
Product: OpenShift Container Platform Reporter: Daein Park <dapark>
Component: InstallerAssignee: Russell Teague <rteague>
Installer sub component: openshift-ansible QA Contact: Weinan Liu <weinliu>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: gpei
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Metrics serving certs have an incorrect label Consequence: When uninstalling metrics server, the serving certs remain. Fix: Corrected the metrics serving certs label Result: Metrics serving certs are removed during uninstall
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-24 08:08:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daein Park 2019-08-28 01:03:40 UTC 
Description of problem:

metrics-server was uninstalled to update its certificates (secret/metrics-server-certs), but "metrics-server-certs" is remained due to a incorrect label.

* The uninstall task is selecting the targets with "--selector=metrics-server-infra".

// "roles/metrics_server/tasks/uninstall_metrics_server.yaml"
~~~
- name: remove metrics-server components
  command: >
    {{ openshift_client_binary }} -n {{ openshift_metrics_server_project }} --config={{ mktemp.stdout }}/admin.kubeconfig
    delete --ignore-not-found --selector=metrics-server-infra
    all,sa,secrets,rolebindings,clusterrolebindings,clusterrole,apiservice,deployment
  register: delete_metrics_server
  changed_when: delete_metrics_server.stdout != 'No resources found'

~~~

BUT the "metrics-server-certs" labeled as "metrics-infra", not "metrics-server-infra".

// roles/metrics_server/templates/serving-certs-secret.j2
~~~
apiVersion: v1
kind: Secret
metadata:
  name: metrics-server-certs
  labels:
    metrics-infra: metrics-server
data:
  tls.crt: {{ cert }}
  tls.key: {{ key }}
  ca.crt: {{ ca }}

~~~

Version-Release number of the following components:
rpm -q openshift-ansible

openshift-ansible-3.11.135-1.git.0.b7ad55a.el7

rpm -q ansible

ansible-2.6.19-1.el7ae.noarch

ansible --version

ansible 2.6.19
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]


How reproducible:

You can always reproduce to run the playbooks as follows.

1> uninstall metrics-server

# ansible-playbook -i <inventory file path> playbooks/metrics-server/config.yml -e openshift_metrics_server_install=false

2> You can see the secret to remain after uninstall.
# oc get secret metrics-server-certs -n openshift-metrics-server
NAME                   TYPE      DATA      AGE
metrics-server-certs   Opaque    3         26d

Steps to Reproduce:
1.
2.
3.

Actual results:

After uninstall metrics-server, only "metrics-server-certs" is remaining.

Expected results:

All metrics-server components are removed including "metrics-server-certs" secret after uninstall metrics-server.

Additional info:
Comment 3 Weinan Liu 2019-09-20 06:15:27 UTC 
Issue got fixed on openshift-ansible-3.11.146-1.git.0.fcedb45.el7.noarch

[root@qe-weinliu-311-146-master-etcd-1 ~]# oc version
oc v3.11.146
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://qe-weinliu-311-146-master-etcd-1:8443
openshift v3.11.146
kubernetes v1.11.0+d4cacc0



After deploy metrics-server:

[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get po
NAME                             READY     STATUS    RESTARTS   AGE
metrics-server-d79b7d8d9-b2gfr   1/1       Running   0          2m
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get secret metrics-server-certs -n openshift-metrics-server
NAME                   TYPE      DATA      AGE
metrics-server-certs   Opaque    3         3m
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc version
oc v3.11.146
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

After uninstall metrics-server:

[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get po
No resources found.
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get secret metrics-server-certs -n openshift-metrics-server
No resources found.
Error from server (NotFound): secrets "metrics-server-certs" not found
Comment 5 errata-xmlrpc 2019-09-24 08:08:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2816