Bug 1662939 - [RFE] Option to add urls to kibana-proxy by using an inventory variable
Summary: [RFE] Option to add urls to kibana-proxy by using an inventory variable
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.z
Assignee: Jeff Cantrill
QA Contact: Anping Li
Depends On:
TreeView+ depends on / blocked
Reported: 2019-01-02 13:26 UTC by Bruno Andrade
Modified: 2020-07-20 13:07 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-07-20 13:07:53 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Bruno Andrade 2019-01-02 13:26:21 UTC
Description of problem:

Customer has configured to enable external elasticsearch route access and faced the following issue on Openshift Diagnostics due to the external URL was not added to kibana-proxy:

"ERROR: [AGL0147 from diagnostic AggregatedLogging@openshift/origin/pkg/oc/admin/diagnostics/diagnostics/cluster/aggregated_logging/diagnostic.go:129]
OauthClient 'kibana-proxy' does not include a redirectURI for route 'logging-es' which is ‘elasticsearch-external.apps.example.com'")

By observing the installation playbook[1], I'm currently seeing that it's not possible to add it with an ansible variable right now. 

This RFE has the objective to add an option to add kibana proxy hostnames with an inventory variable

[1] https://github.com/openshift/openshift-ansible/blob/2fb6224c12fffd7862a0e0cceba4eac57279c652/roles/openshift_logging_kibana/tasks/main.yaml#L171

Version-Release number of selected component (if applicable):

Comment 1 Jeff Cantrill 2019-01-08 15:58:23 UTC
External route name to Kibana is configurable by providing the appropriate inventory variable described in:


I would expect setting the variable and rerunning the playbook to resolve the issue.  Closing NOTABUG.  Please reopen with additional details if this does not your requirements

Comment 3 Kirsten Newcomer 2019-06-12 11:58:34 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new 

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.

Comment 4 Brendan Shirren 2020-07-20 04:53:13 UTC
This isn't a RFE it's a bug still present in latest v3.11.232 

$ oc adm diagnostics aggregatedlogging

ERROR: [AGL0147 from diagnostic AggregatedLogging@openshift/origin/pkg/oc/cli/admin/diagnostics/diagnostics/cluster/aggregated_logging/diagnostic.go:138]
       OauthClient 'kibana-proxy' does not include a redirectURI for route 'logging-es' which is 'es.'

NAME             HOST/PORT                   PATH      SERVICES         PORT      TERMINATION          WILDCARD
logging-es       es.                 logging-es       <all>     reencrypt            None
logging-kibana   kibana.             logging-kibana   <all>     reencrypt/Redirect   None

$ oc get oauthclient
NAME                           SECRET                                                                 WWW-CHALLENGE   TOKEN-MAX-AGE   REDIRECT URIS
kibana-proxy                   MnC0sEYDxXROcuCT9QI2r3OOjoMN0xR9X4uZzUN92qJZ6CaFoojugWd5gVxd2TkM       FALSE           168h0m0s        https://kibana.

$ oc get oauthclient kibana-proxy -o yaml
accessTokenMaxAgeSeconds: 604800
apiVersion: oauth.openshift.io/v1
kind: OAuthClient
- https://kibana.

Diagnostics check mistakenly(?) thinks ES external route "logging-es" should be part of redirectURIs for "kibana-proxy" OAuthclient.

I don't believe that is the purpose of this ES route - it is optional to provide "external Elasticsearch" access enabled by inventory settings:


Comment 5 Jeff Cantrill 2020-07-20 13:07:53 UTC
The work around is to manually edit the oauthclient to add the required issue.


Note You need to log in before you can comment on or make changes to this bug.