Description of problem:

metrics-server was uninstalled to update its certificates (secret/metrics-server-certs), but "metrics-server-certs" remained due to an incorrect label.

* The uninstall task is selecting the targets with "--selector=metrics-server-infra".

// "roles/metrics_server/tasks/uninstall_metrics_server.yaml"
~~~
- name: remove metrics-server components
  command: >
    {{ openshift_client_binary }} -n {{ openshift_metrics_server_project }} --config={{ mktemp.stdout }}/admin.kubeconfig
    delete --ignore-not-found --selector=metrics-server-infra
    all,sa,secrets,rolebindings,clusterrolebindings,clusterrole,apiservice,deployment
  register: delete_metrics_server
  changed_when: delete_metrics_server.stdout != 'No resources found'
~~~

BUT the "metrics-server-certs" is labeled as "metrics-infra", not "metrics-server-infra".

// roles/metrics_server/templates/serving-certs-secret.j2
~~~
apiVersion: v1
kind: Secret
metadata:
  name: metrics-server-certs
  labels:
    metrics-infra: metrics-server
data:
  tls.crt: {{ cert }}
  tls.key: {{ key }}
  ca.crt: {{ ca }}
~~~

Version-Release number of the following components:

~~~
rpm -q openshift-ansible
openshift-ansible-3.11.135-1.git.0.b7ad55a.el7

rpm -q ansible
ansible-2.6.19-1.el7ae.noarch

ansible --version
ansible 2.6.19
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May 31 2018, 09:41:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
~~~

How reproducible:

You can always reproduce it by running the playbooks as follows.

1> uninstall metrics-server

~~~
# ansible-playbook -i <inventory file path> playbooks/metrics-server/config.yml -e openshift_metrics_server_install=false
~~~

2> You can see the secret remains after uninstall.

~~~
# oc get secret metrics-server-certs -n openshift-metrics-server
NAME                   TYPE      DATA      AGE
metrics-server-certs   Opaque    3         26d
~~~

Steps to Reproduce:
1.
2.
3.

Actual results:

After uninstalling metrics-server, only "metrics-server-certs" remains.

Expected results:

All metrics-server components are removed, including the "metrics-server-certs" secret, after uninstalling metrics-server.

Additional info:
Issue got fixed on openshift-ansible-3.11.146-1.git.0.fcedb45.el7.noarch

~~~
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc version
oc v3.11.146
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://qe-weinliu-311-146-master-etcd-1:8443
openshift v3.11.146
kubernetes v1.11.0+d4cacc0
~~~

After deploy metrics-server:

~~~
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get po
NAME                             READY     STATUS    RESTARTS   AGE
metrics-server-d79b7d8d9-b2gfr   1/1       Running   0          2m
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get secret metrics-server-certs -n openshift-metrics-server
NAME                   TYPE      DATA      AGE
metrics-server-certs   Opaque    3         3m
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc version
oc v3.11.146
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO
~~~

After uninstall metrics-server:

~~~
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get po
No resources found.
[root@qe-weinliu-311-146-master-etcd-1 ~]# oc get secret metrics-server-certs -n openshift-metrics-server
No resources found.
Error from server (NotFound): secrets "metrics-server-certs" not found
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2816
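
The label mismatch in this report can be caught before an uninstall runs by evaluating the playbook's selector against the labels each template assigns. The sketch below is an added example, not code from openshift-ansible; the function names are hypothetical, and only the Secret's label comes from the report (the other inventory entries are constructed).

```python
"""Report which objects a label-selector-based uninstall would leave behind."""

def parse_selector(selector):
    """Parse comma-separated terms of the form 'k', '!k', 'k=v', 'k==v', 'k!=v'."""
    reqs = []
    for term in filter(None, (t.strip() for t in selector.split(","))):
        if "!=" in term:
            key, value = term.split("!=", 1)
            reqs.append((key.strip(), "!=", value.strip()))
        elif "=" in term:
            key, value = term.split("=", 1)
            reqs.append((key.strip(), "=", value.lstrip("=").strip()))
        elif term.startswith("!"):
            reqs.append((term[1:].strip(), "absent", None))
        else:
            reqs.append((term, "exists", None))  # bare key: label must exist
    return reqs

def matches(labels, reqs):
    """Return True when the label set satisfies every requirement (terms are ANDed)."""
    checks = {
        "exists": lambda k, v: k in labels,
        "absent": lambda k, v: k not in labels,
        "=": lambda k, v: labels.get(k) == v,
        "!=": lambda k, v: labels.get(k) != v,  # also true when the key is missing
    }
    return all(checks[op](key, value) for key, op, value in reqs)

def orphaned_by(selector, objects):
    """List kind/name of every object the selector does NOT match."""
    reqs = parse_selector(selector)
    return [f"{o['kind']}/{o['name']}" for o in objects if not matches(o["labels"], reqs)]

# Constructed inventory. The Secret's label is the one shown in the report;
# the Deployment and ServiceAccount labels are assumed values for illustration.
OBJECTS = [
    {"kind": "Secret", "name": "metrics-server-certs",
     "labels": {"metrics-infra": "metrics-server"}},
    {"kind": "Deployment", "name": "metrics-server",
     "labels": {"metrics-server-infra": "deployment"}},
    {"kind": "ServiceAccount", "name": "metrics-server",
     "labels": {"metrics-server-infra": "support"}},
]

if __name__ == "__main__":
    for name in orphaned_by("metrics-server-infra", OBJECTS):
        print("not selected by uninstall:", name)
```
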