Bug 1688642

Summary: Metrics Installation adds wrong and not complete list of secrets to serviceaccount [3.9.z]
Product: OpenShift Container Platform
Reporter: Simon Reber <sreber>
Component: Hawkular
Assignee: Jan Martiska <jmartisk>
Status: CLOSED ERRATA
QA Contact: Junqi Zhao <juzhao>
Severity: medium
Priority: high
Version: 3.9.0
CC: aos-bugs, jmartisk, wsun
Target Milestone: ---
Target Release: 3.9.z
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 1689113, 1689114
Last Closed: 2019-06-06 06:56:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1689113, 1689114

Description Simon Reber 2019-03-14 07:07:45 UTC
Description of problem:

When installing OpenShift Container Platform - Metrics, running playbooks/openshift-metrics/config.yml will trigger role `openshift_metrics`.

In there, `serviceaccounts` are being created and respective secrets added:

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_metrics/tasks/generate_serviceaccounts.yaml#L9

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_metrics/tasks/install_heapster.yaml#L25

The list of secrets though is not complete and also incorrect, causing issues when secret whitelisting is being used for serviceaccounts (as they need to be added manually after the installation).

So when checking the `openshift_metrics` role we can see the following `secrets` being added:

> hawkular:
> - hawkular-hawkular-metrics-secrets-secrets
> cassandra:
> - hawkular-hawkular-cassandra-secrets-secrets
> heapster:
> - heapster-secrets
> - hawkular-metrics-certs 
> - hawkular-metrics-account

Checking the final installation, we can see the following `secrets` being used/added by `serviceaccount`.

> cassandra:
> - hawkular-cassandra-certs
> hawkular:
> - hawkular-metrics-certs
> - hawkular-metrics-account
> heapster:
> - heapster-secrets
> - heapster-certs
> - hawkular-metrics-certs
> - hawkular-metrics-account

Version-Release number of selected component (if applicable):

> oc v3.9.68
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:

 - Always

Steps to Reproduce:
1. Install OpenShift Container Platform - Metrics, following https://docs.openshift.com/container-platform/3.9/install_config/cluster_metrics.html#deploying-the-metrics-components
2. Check secrets added to service account and actually used by the components 

Actual results:

$ oc describe sa cassandra
Name:                cassandra
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         <none>
Image pull secrets:  cassandra-dockercfg-dv8ld
Mountable secrets:   hawkular-hawkular-cassandra-secrets-secrets (not found)
                     cassandra-dockercfg-dv8ld
                     cassandra-token-nfrzn
Tokens:              cassandra-token-nfrzn
                     cassandra-token-w5wqf
Events:              <none>

$ oc describe sa hawkular
Name:                hawkular
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         <none>
Image pull secrets:  hawkular-dockercfg-8chvq
Mountable secrets:   hawkular-hawkular-metrics-secrets-secrets (not found)
                     hawkular-token-kcq4v
                     hawkular-dockercfg-8chvq
Tokens:              hawkular-token-kcq4v
                     hawkular-token-p6ml4
Events:              <none>

$ oc describe sa heapster
Name:                heapster
Namespace:           openshift-infra
Labels:              metrics-infra=support
Annotations:         kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"labels":{"metrics-infra":"support"},"name":"heapster","namespace":"openshift-i...
Image pull secrets:  heapster-dockercfg-dtv6z
Mountable secrets:   heapster-secrets
                     hawkular-metrics-certs
                     hawkular-metrics-account
                     heapster-token-lbb9m
                     heapster-dockercfg-dtv6z
Tokens:              heapster-token-dwgcg
                     heapster-token-lbb9m
Events:              <none>

Expected results:

Correct secrets being added to respective service accounts to make it work as expected/intended

Additional info:

 - The same issue also exists in OpenShift Container Platform 3.10 and 3.11
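As an added example (not code from the bug report or from openshift-ansible), the following check compares each service account's `secrets` list with the Secret objects that actually exist and with the secrets that pods running as that service account reference. It reproduces the `(not found)` entries visible in the `oc describe sa` output above and lists the secrets the installer left off the service account, which are exactly the ones that fail once secret whitelisting is enforced. The input objects are constructed to mirror `oc get sa,secret,pod -n openshift-infra -o json` for the names in the report; the token/dockercfg suffixes and the pod specs are made up for the example.

```python
# Added example, not code from the bug report or from openshift-ansible.
# Cross-checks a ServiceAccount's `secrets` list against (a) the Secrets
# that exist and (b) the Secrets that pods running as that ServiceAccount
# reference. All objects below are constructed for the example and follow
# the shape of `oc get ... -o json`; the names echo the bug report, the
# token/dockercfg suffixes and pod specs are made up.

SERVICE_ACCOUNTS = [
    {"metadata": {"name": "cassandra"},
     "secrets": [{"name": "hawkular-hawkular-cassandra-secrets-secrets"},
                 {"name": "cassandra-dockercfg-dv8ld"},
                 {"name": "cassandra-token-nfrzn"}]},
    {"metadata": {"name": "heapster"},
     "secrets": [{"name": "heapster-secrets"},
                 {"name": "hawkular-metrics-certs"},
                 {"name": "hawkular-metrics-account"},
                 {"name": "heapster-token-lbb9m"},
                 {"name": "heapster-dockercfg-dtv6z"}]},
]

# Names of Secret objects present in the namespace (constructed).
EXISTING_SECRETS = {
    "hawkular-cassandra-certs", "cassandra-dockercfg-dv8ld", "cassandra-token-nfrzn",
    "heapster-secrets", "heapster-certs", "hawkular-metrics-certs",
    "hawkular-metrics-account", "heapster-token-lbb9m", "heapster-dockercfg-dtv6z",
}

# Pods running as those service accounts (constructed specs).
PODS = [
    {"metadata": {"name": "hawkular-cassandra-1-xxxxx"},
     "spec": {"serviceAccountName": "cassandra",
              "volumes": [{"name": "certs", "secret": {"secretName": "hawkular-cassandra-certs"}},
                          {"name": "data", "emptyDir": {}}],
              "containers": [{"name": "cassandra", "env": []}]}},
    {"metadata": {"name": "heapster-1-yyyyy"},
     "spec": {"serviceAccountName": "heapster",
              "volumes": [{"name": "heapster-secrets", "secret": {"secretName": "heapster-secrets"}},
                          {"name": "heapster-certs", "secret": {"secretName": "heapster-certs"}},
                          {"name": "metrics-certs", "secret": {"secretName": "hawkular-metrics-certs"}}],
              "containers": [{"name": "heapster",
                              "env": [{"name": "HAWKULAR_PASSWORD",
                                       "valueFrom": {"secretKeyRef": {"name": "hawkular-metrics-account",
                                                                      "key": "password"}}}]}]}},
]


def pod_secret_refs(pod):
    """Secrets a pod needs: secret volume sources plus env secretKeyRef names."""
    spec = pod["spec"]
    refs = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.add(ref["name"])
    return refs


def audit_service_accounts(service_accounts, existing_secrets, pods):
    """Return {sa_name: {"missing": [...], "unlisted": [...]}}.

    missing  : listed in sa.secrets but no Secret of that name exists
               (what `oc describe sa` prints as "(not found)")
    unlisted : referenced by a pod running as the SA but absent from
               sa.secrets; these are the entries an operator must add by
               hand when secret whitelisting restricts pods to sa.secrets.
    """
    report = {}
    for sa in service_accounts:
        name = sa["metadata"]["name"]
        listed = {s["name"] for s in sa.get("secrets", [])}
        needed = set()
        for pod in pods:
            if pod["spec"].get("serviceAccountName", "default") == name:
                needed |= pod_secret_refs(pod)
        report[name] = {"missing": sorted(listed - existing_secrets),
                        "unlisted": sorted(needed - listed)}
    return report


if __name__ == "__main__":
    for sa_name, result in audit_service_accounts(SERVICE_ACCOUNTS, EXISTING_SECRETS, PODS).items():
        print(f"{sa_name}: missing={result['missing']} unlisted={result['unlisted']}")
```

Against real cluster data, feed the script the `items` arrays from the three `oc get ... -o json` calls; any `unlisted` entry is a secret the installer should have added to the service account, and any `missing` entry is a stale name to drop from it.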

Comment 1 Jan Martiska 2019-03-14 11:30:22 UTC
3.9 PR: https://github.com/openshift/openshift-ansible/pull/11353

Comment 3 Junqi Zhao 2019-04-18 02:23:26 UTC
All the secrets used by the serviceaccounts cassandra/hawkular/heapster could be found.

# rpm -qa | grep openshift-ansible
openshift-ansible-playbooks-3.9.78-1.git.0.4441a0c.el7.noarch
openshift-ansible-roles-3.9.78-1.git.0.4441a0c.el7.noarch
openshift-ansible-3.9.78-1.git.0.4441a0c.el7.noarch
openshift-ansible-docs-3.9.78-1.git.0.4441a0c.el7.noarch

Comment 5 errata-xmlrpc 2019-06-06 06:56:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0788