Bug 1818772

Summary: Wrong serverName for certificate on /metrics endpoint
Product: OpenShift Container Platform Reporter: Pawel Krupa <pkrupa>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 4.5CC: aos-bugs, hasha, jhadvig, jokerman, nmukherj, travi
Target Milestone: ---Keywords: Reopened
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Incorrect handling of cert rotation. Consequence: /metrics endpoint cannot be scraped by prometheus due to incorrect serverName in TLS cert. Fix: Bump go dependencies in the console-operator repo to pick up latest changes in the library-go. Result: /metrics endpoint can be scraped by prometheus.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:24:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1836938    

Description Pawel Krupa 2020-03-30 10:41:34 UTC 
Description of problem:
/metrics endpoint cannot be scraped by prometheus due to incorrect serverName in TLS cert.

Version-Release number of selected component (if applicable):
4.5

How reproducible:
often

Steps to Reproduce:
1. Start a cluster
2. Go to prometheus targets page
3. Scroll to openshift-console-operator/console-operator/0

Actual results:
Target is down due to:
Get https://10.128.0.32:8443/metrics: x509: certificate is valid for localhost, not metrics.openshift-console-operator.svc

Expected results:
Target is up

Additional info:
Comment 1 Jakub Hadvig 2020-03-31 08:36:34 UTC 
Closing this one after trying to reproduce with Pawel's assistance.
The ServiceMonitor responsible for the /metrics endpoint to be scraped was validated
and looks without any issue:
https://github.com/openshift/console-operator/blob/master/manifests/0000_90_console-operator_02_servicemonitor.yaml

We agreed to close the bug since it's most probably a flake.
Comment 6 Jakub Hadvig 2020-05-18 14:20:45 UTC 
This issue should be fixed by the latest go deps bump.
Putting on ON_QA
Comment 7 shahan 2020-05-19 05:31:16 UTC 
goto https://prometheus-k8s-openshift-monitoring.apps.qe-groupd-0519.qe.devcluster.openshift.com/targets page and check openshift-console-operator/console-operator/0 part.
no "x509: certificate is valid for localhost, not metrics.openshift-console-operator.svc errors" found
4.5.0-0.nightly-2020-05-18-225907
Comment 10 errata-xmlrpc 2020-07-13 17:24:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409