
Bug 1765803

Summary: elasticsearch-proxy clusterrolebinding has been overwritten as istio-system elasticsearch even though openshift-logging elasticsearch is configured that.
Product: OpenShift Container Platform
Reporter: Pavol Loffay <ploffay>
Component: Logging
Assignee: Pavol Loffay <ploffay>
Status: CLOSED ERRATA
QA Contact: Anping Li <anli>
Severity: urgent
Priority: unspecified
Version: 4.3.0
CC: aos-bugs, jcantril, rmeggins
Target Milestone: ---
Target Release: 4.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-01-23 11:09:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1765808

Description Pavol Loffay 2019-10-26 07:40:22 UTC
Copied from https://issues.jboss.org/browse/OSSM-100

If openshift-logging is running on OCP 4.1, Jaeger configured with "template: production-elasticsearch" would replace the namespace "openshift-logging" with "istio-system" in the subjects section of the elasticsearch-proxy ClusterRoleBinding.

{code:yaml}
  apiVersion: maistra.io/v1
  kind: ServiceMeshControlPlane
  spec:
    istio:
      tracing:
        jaeger:
          template: production-elasticsearch
          elasticsearch:
            nodeCount: 3
            redundancyPolicy:
            resources:
              requests:
                memory: "16Gi"
                cpu: "1"
              limits:
                memory: "16Gi"
{code}

Before installing Service Mesh:
{code:yaml}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-10-07T05:49:31Z"
  name: elasticsearch-proxy
  ownerReferences:
  - apiVersion: logging.openshift.io/v1
    controller: true
    kind: Elasticsearch
    name: elasticsearch
...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-proxy
subjects:
- kind: ServiceAccount
  name: elasticsearch
  namespace: openshift-logging
{code}

After installing Jaeger with elasticsearch:
{code:yaml}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-10-07T05:49:31Z"
  name: elasticsearch-proxy
  ownerReferences:
  - apiVersion: logging.openshift.io/v1
    controller: true
    kind: Elasticsearch
    name: elasticsearch
...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-proxy
subjects:
- kind: ServiceAccount
  name: elasticsearch
  namespace: istio-system
{code}

This issue is the root cause of the following elasticsearch error in openshift-logging.
{code:shell}
2019/10/04 12:35:22 oauthproxy.go:782: 10.0.1.11:36836 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-logging:elasticsearch" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope
{code}

Comment 2 Anping Li 2019-11-12 10:32:29 UTC
jaeger-operator reports the following error. I deployed jaeger-operator from the web console. The jaeger-operator is deployed in the openshift-operators namespace. Is this a jaeger-operator bug in 4.3?

Version:
   jaeger-operator:   docker.io/jaegertracing/jaeger-operator:1.14.0
   OCP: v4.3

E1112 06:14:26.125554       1 reflector.go:125] pkg/mod/k8s.io/client-go.0-20190507014756-65905f29c17c/tools/cache/reflector.go:93: Failed to list *v1alpha1.Jaeger: jaegers.io.jaegertracing is forbidden: User "system:serviceaccount:openshift-operators:jaeger-operator" cannot list resource "jaegers" in API group "io.jaegertracing" at the cluster scope
E1112 06:14:27.127883       1 reflector.go:125] pkg/mod/k8s.io/client-go.0-20190507014756-65905f29c17c/tools/cache/reflector.go:93: Failed to list *v1alpha1.Jaeger: jaegers.io.jaegertracing is forbidden: User "system:serviceaccount:openshift-operators:jaeger-operator" cannot list resource "jaegers" in API group "io.jaegertracing" at the cluster scope
E1112 06:14:28.130654       1 reflector.go:125] pkg/mod/k8s.io/client-go.0-20190507014756-65905f29c17c/tools/cache/reflector.go:93: Failed to list *v1alpha1.Jaeger: jaegers.io.jaegertracing is forbidden: User "system:serviceaccount:openshift-operators:jaeger-operator" cannot list resource "jaegers" in API group "io.jaegertracing" at the cluster scope

Comment 3 Pavol Loffay 2019-11-12 10:48:48 UTC
Anping, 

it seems like an issue. However, you chose the upstream operator. Could you please choose the productized version and test with it?

Comment 4 Pavol Loffay 2019-11-13 16:32:57 UTC
Anping? Were you able to use the productized version instead of upstream? We are fixing the upstream bug in a separate ticket. This issue should not block on that and should instead use the productized version, which works.

Comment 6 Anping Li 2019-11-14 02:42:11 UTC
Verified and passed. Independent accounts are created for Jaeger applications.

[anli@preserve-docker-slave 43]$  oc get ClusterRoleBinding elasticsearch-proxy -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
<---skip --->
  name: elasticsearch-proxy
subjects:
- kind: ServiceAccount
  name: elasticsearch
  namespace: openshift-logging
- kind: ServiceAccount
  name: elasticsearch
  namespace: jaeger
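The Description shows the failure mode (a second operator replacing the whole subjects list of the shared elasticsearch-proxy ClusterRoleBinding, so the openshift-logging service account loses its tokenreviews permission) and Comment 6 shows the expected state after the fix (both service accounts bound). The Go program below is an added example, not code from the jaeger-operator or the logging operator: it contrasts the overwrite with an additive merge and includes a check that reports which expected subjects are no longer bound. The Subject and ClusterRoleBinding types are assumed minimal stand-ins for the rbac.authorization.k8s.io/v1 types, and the service-account subjects are constructed from the report.

```go
package main

import "fmt"

// Subject mirrors the fields of an rbac.authorization.k8s.io/v1 Subject that
// matter here (assumed minimal stand-in for the k8s.io/api/rbac/v1 type).
type Subject struct {
	Kind      string
	Name      string
	Namespace string
}

// ClusterRoleBinding keeps only the subjects list, which is the field the
// two operators fight over in the bug report.
type ClusterRoleBinding struct {
	Name     string
	Subjects []Subject
}

// overwriteSubjects reproduces the behaviour described in the report: the
// second operator replaces the whole subjects list with its own subject.
func overwriteSubjects(crb *ClusterRoleBinding, desired []Subject) {
	crb.Subjects = append([]Subject(nil), desired...)
}

// mergeSubjects is the safe pattern for a ClusterRoleBinding shared between
// operators: keep every existing subject and add only the desired ones that
// are missing. Returns the number of subjects added (0 on a repeat run).
func mergeSubjects(crb *ClusterRoleBinding, desired []Subject) int {
	added := 0
	for _, d := range desired {
		if !hasSubject(crb.Subjects, d) {
			crb.Subjects = append(crb.Subjects, d)
			added++
		}
	}
	return added
}

func hasSubject(subjects []Subject, s Subject) bool {
	for _, x := range subjects {
		if x == s {
			return true
		}
	}
	return false
}

// missingSubjects is the check an admin would run after each operator has
// reconciled: which of the expected subjects are no longer bound? Any entry
// in the result is a service account that will hit the "cannot create
// resource tokenreviews" error quoted in the report.
func missingSubjects(crb *ClusterRoleBinding, expected []Subject) []Subject {
	var missing []Subject
	for _, e := range expected {
		if !hasSubject(crb.Subjects, e) {
			missing = append(missing, e)
		}
	}
	return missing
}

func main() {
	// Constructed from the report: the logging SA and the Jaeger SA.
	logging := Subject{Kind: "ServiceAccount", Name: "elasticsearch", Namespace: "openshift-logging"}
	jaeger := Subject{Kind: "ServiceAccount", Name: "elasticsearch", Namespace: "istio-system"}

	crb := &ClusterRoleBinding{Name: "elasticsearch-proxy", Subjects: []Subject{logging}}
	overwriteSubjects(crb, []Subject{jaeger})
	fmt.Println("after overwrite, missing:", missingSubjects(crb, []Subject{logging}))

	crb = &ClusterRoleBinding{Name: "elasticsearch-proxy", Subjects: []Subject{logging}}
	mergeSubjects(crb, []Subject{jaeger})
	fmt.Println("after merge, missing:", missingSubjects(crb, []Subject{logging}))
}
```

With the overwrite the logging subject is reported missing; with the merge the binding ends up with both subjects, which is the shape of the `oc get ClusterRoleBinding elasticsearch-proxy -o yaml` output above, and a second merge run changes nothing.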

Comment 7 Pavol Loffay 2019-11-14 08:39:06 UTC
The result looks good

Comment 8 Pavol Loffay 2019-11-20 05:57:31 UTC
The results look good

Comment 10 errata-xmlrpc 2020-01-23 11:09:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062