Description of problem:
When installing OpenShift Container Platform - Aggregated Logging, running playbooks/openshift-logging/config.yml will trigger role `openshift_logging`. In there, `serviceaccounts` are being created. Those are missing required secrets being assigned, which is causing issues when secret whitelisting is being used for serviceaccounts (as they need to be added manually after the installation).

- Elasticsearch https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_elasticsearch/tasks/main.yaml#L74
- Curator https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_curator/tasks/main.yaml#L42
- Fluentd https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_fluentd/tasks/main.yaml#L68
- Kibana https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_logging_kibana/tasks/main.yaml#L45

Since `oc_serviceaccount` does support adding secrets to serviceaccount (https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/lib_openshift/library/oc_serviceaccount.py#L95), this functionality should be used to better control the secret assignment.

When checking the details after successful installation, the following secrets should be added using the above function.

> aggregated-logging-fluentd:
> - logging-fluentd
> kibana:
> - logging-kibana
> - logging-kibana-proxy
> aggregated-logging-curator:
> - logging-curator
> aggregated-logging-elasticsearch:
> - prometheus-tls
> - logging-elasticsearch

Version-Release number of selected component (if applicable):
> oc v3.9.68
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:
- Always

Steps to Reproduce:
1. Install OpenShift Container Platform - Aggregated Logging, following https://docs.openshift.com/container-platform/3.9/install_config/aggregate_logging.html#deploying-the-efk-stack
2. Check if and what secrets are being added to the respective service accounts the pods are running with
3.

Actual results:
None of the required secrets is added to the respective service account

Expected results:
Required secrets added to the respective serviceaccount as per list below (may need to be extended in case I missed any)

> aggregated-logging-fluentd:
> - logging-fluentd
> kibana:
> - logging-kibana
> - logging-kibana-proxy
> aggregated-logging-curator:
> - logging-curator
> aggregated-logging-elasticsearch:
> - prometheus-tls
> - logging-elasticsearch

Additional info:
Issue is also present in OpenShift Container Platform 3.10 and 3.11
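As an added example (not part of the bug report or of openshift-ansible), the following script performs step 2 of the reproducer and shows what the proposed fix amounts to: it takes the parsed output of `oc get sa -n logging -o json`, compares each service account's `secrets` field against the list the reporter expects, and emits either `oc secrets link` commands or the equivalent `oc_serviceaccount` tasks to attach what is missing. The namespace `logging`, the sample service-account JSON, the `oc secrets link SA SECRET -n NS` syntax and the `oc_serviceaccount` parameter names (`name`, `namespace`, `secrets`, `state`) are assumptions of this example, not statements from the page. "Secret whitelisting" is read here as OpenShift 3.x's `serviceAccountConfig.limitSecretReferences: true`, under which a pod may only reference secrets listed on its service account, which is why a secret that exists but is not linked still breaks the pod.

```python
"""Audit the logging service accounts for the secrets the report expects
and emit the commands/tasks that would attach any that are missing.

Input is the parsed JSON of `oc get sa -n logging -o json` (a v1 List).
"""
import json
from typing import Dict, List

# Service account -> secrets it should carry, copied from the bug report.
EXPECTED_SECRETS: Dict[str, List[str]] = {
    "aggregated-logging-fluentd": ["logging-fluentd"],
    "kibana": ["logging-kibana", "logging-kibana-proxy"],
    "aggregated-logging-curator": ["logging-curator"],
    "aggregated-logging-elasticsearch": ["prometheus-tls", "logging-elasticsearch"],
}

# Constructed sample (assumption, not captured from a real cluster): only the
# auto-generated token/dockercfg secrets are linked, except that kibana already
# has one of its two secrets and elasticsearch has both. Curator has none.
SAMPLE_SA_LIST = json.loads("""
{"kind": "List", "apiVersion": "v1", "items": [
  {"metadata": {"name": "aggregated-logging-fluentd", "namespace": "logging"},
   "secrets": [{"name": "aggregated-logging-fluentd-token-abcde"},
               {"name": "aggregated-logging-fluentd-dockercfg-fghij"}]},
  {"metadata": {"name": "kibana", "namespace": "logging"},
   "secrets": [{"name": "kibana-token-klmno"}, {"name": "logging-kibana"}]},
  {"metadata": {"name": "aggregated-logging-curator", "namespace": "logging"}},
  {"metadata": {"name": "aggregated-logging-elasticsearch", "namespace": "logging"},
   "secrets": [{"name": "aggregated-logging-elasticsearch-token-pqrst"},
               {"name": "prometheus-tls"}, {"name": "logging-elasticsearch"}]}
]}
""")


def linked_secrets(sa_list: dict) -> Dict[str, List[str]]:
    """Map each service account name to the names in its `secrets` field.
    A service account with no linked secrets has no `secrets` key at all."""
    return {
        item["metadata"]["name"]: [ref["name"] for ref in item.get("secrets") or []]
        for item in sa_list.get("items", [])
    }


def missing_secrets(sa_list: dict, expected=EXPECTED_SECRETS) -> Dict[str, List[str]]:
    """Return {service account: [expected secrets not linked to it]}.
    A service account absent from the list is reported with every expected
    secret missing, so a broken install is not mistaken for a clean one."""
    linked = linked_secrets(sa_list)
    missing: Dict[str, List[str]] = {}
    for sa, wanted in expected.items():
        have = set(linked.get(sa, []))
        gap = [s for s in wanted if s not in have]
        if gap:
            missing[sa] = gap
    return missing


def link_commands(missing: Dict[str, List[str]], namespace: str = "logging") -> List[str]:
    """One `oc secrets link` per missing secret (assumed 3.x oc syntax),
    sorted by service account so the output is stable."""
    return [f"oc secrets link {sa} {secret} -n {namespace}"
            for sa in sorted(missing) for secret in missing[sa]]


def ansible_tasks(expected=EXPECTED_SECRETS, namespace: str = "logging") -> List[dict]:
    """The same assignment expressed as openshift-ansible tasks using the
    module the report points at. Parameter names are assumed from
    lib_openshift's oc_serviceaccount, not verified against the page."""
    return [{"name": f"Link secrets to service account {sa}",
             "oc_serviceaccount": {"name": sa, "namespace": namespace,
                                   "secrets": list(secrets), "state": "present"}}
            for sa, secrets in expected.items()]


if __name__ == "__main__":
    gaps = missing_secrets(SAMPLE_SA_LIST)
    for sa, secrets in sorted(gaps.items()):
        print(f"{sa}: missing {', '.join(secrets)}")
    print("\n".join(link_commands(gaps)))
```

To run it against a live cluster, replace `SAMPLE_SA_LIST` with `json.load(sys.stdin)` and pipe in `oc get sa -n logging -o json`. Linking a secret only changes the service account object; pods that already started under the old service account need to be redeployed before the whitelist check sees the new reference.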
https://github.com/openshift/openshift-ansible/pull/11359
3.10 pr - https://github.com/openshift/openshift-ansible/pull/11366
3.9 pr - https://github.com/openshift/openshift-ansible/pull/11367
The secrets are appended to the whitelist in openshift-ansible:v3.9.74
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0619