Bug 1777486

Summary: Unable to view links to the dashboards in the web console menu
Product: OpenShift Container Platform Reporter: Kevin Chung <kechung>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.2.zCC: alegrand, anpicker, aos-bugs, cvogel, erooth, jokerman, kakkoyun, lcosic, mloibl, pkrupa, rhowe, spadgett, spasquie, surbania, yapei
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: CM that contained monitoring URLs stopped been propagated in openshift-monitoring namespace as sharing-config configmap Consequence: Links for monitoring are not rendered Fix: Taking monitoring-shared-config and logging-shared-config CMs from openshift-config-managed namespace and feeding them to the console-config Result: Links for monitoring are rendered
 Story Points: ---
Clone Of:
: 1804884 (view as bug list) Environment:
Last Closed: 2020-07-13 17:12:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1807100, 1807376    
Bug Blocks: 1803192, 1804884    

Description Kevin Chung 2019-11-27 16:10:25 UTC 
Description of problem:

As a user, I am unable to view the links to the dashboards in the Home and Monitoring tabs in the web console menu.  I am following the documentation [1] and using the cluster-monitoring-view cluster role.  I've found that to view the dashboards, this role calls the sharing-config config map in the openshift-monitoring namespace.  Thus, I believe the cluster-monitoring-view cluster role needs to be updated to access this, and the documentation [1] should be updated as well to reflect the requirement.

Interestingly enough, while the links to the dashboards are not visible, the actual Grafana dashboard itself is accessible with the cluster-monitoring-view role.

[1]
https://docs.openshift.com/container-platform/4.2/monitoring/cluster-monitoring/prometheus-alertmanager-and-grafana.html

Version-Release number of selected component (if applicable):
OpenShift 4.2.7

How reproducible:
All the time

Steps to Reproduce:
1. oc adm policy add-cluster-role-to-user cluster-monitoring-view USER
2. Log into the web console as USER

Actual results:
Inspect the menu tabs on the left to see that the links to Home -> Dashboards and Monitoring -> Dashboards links are not visible

Expected results:
The links to the dashboards should be visible

Additional info:
Comment 1 Kevin Chung 2019-11-27 16:13:39 UTC 
I was reviewing this with a colleague, he also proposed this workaround for the time being.  Create the following:


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configmap-get
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get

 # oc adm policy add-cluster-role-to-user cluster-monitoring-view USER
 # oc policy add-role-to-user  configmap-get -n openshift-monitoring USER


Error when just adding cluster-monitoring-view to user, the a call to the sharing-config config map is needed.


Request URL:https://console-openshift-console.apps.ocp4test.com/api/kubernetes/api/v1/namespaces/openshift-monitoring/configmaps/sharing-config
Request method:GET
Remote address:1.2.3.4:443
Status code:
403
Version:HTTP/1.1
Referrer Policy:strict-origin-when-cross-origin
Comment 4 Ryan Howe 2019-11-27 17:56:21 UTC 
This is a bug with 4.x as the sharing-config configmap was added in 4.x

https://github.com/openshift/console/blob/release-4.2/frontend/public/actions/features.ts#L93-L129
Comment 10 Samuel Padgett 2019-12-11 01:10:28 UTC 
We can read the config map in the console operator and wire through the URLs. We should probably do the same for the logging sharing-config config map.
Comment 11 bpeterse 2020-02-14 10:41:48 UTC 
*** Bug 1802923 has been marked as a duplicate of this bug. ***
Comment 12 bpeterse 2020-02-19 19:32:36 UTC 
We have a couple dependency bugs:

- Logging operator should publish sharing-config configmap into openshift-config-managed namespace
  https://bugzilla.redhat.com/show_bug.cgi?id=1803196 
- [POST] Monitoring operator should publish sharing-config configmap into openshift-config-managed namespace 
  https://bugzilla.redhat.com/show_bug.cgi?id=1803192

  
Once resolved, we can proceed.
Comment 14 Samuel Padgett 2020-02-22 14:41:56 UTC 
Console needs to be update to read the config values set by the operator.
Comment 18 Yadan Pei 2020-03-09 06:40:03 UTC 
1. grant normal user metrics reader role
# cat metrics-reader-cluster-role.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
# oc create -f metrics-reader-cluster-role.yaml 
clusterrole.rbac.authorization.k8s.io/metrics-reader created
# oc adm policy add-cluster-role-to-user metrics-reader yapei1 
clusterrole.rbac.authorization.k8s.io/metrics-reader added: "yapei1"

2. Normal user 'yapei1' login to the cluster and visit Monitoring, user can see Dashboards menu, also user can view dashboards successfully

Verified on 4.5.0-0.nightly-2020-03-06-190457
Comment 20 errata-xmlrpc 2020-07-13 17:12:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409