Bug 1869732 - Fail to deploy a service monitor for user workload monitoring that references a secret for TLS configuration
Summary: Fail to deploy a service monitor for user workload monitoring that references...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.6.0
Assignee: Simon Pasquier
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-08-18 14:14 UTC by Simon Pasquier
Modified: 2020-10-27 16:29 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:29:05 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift prometheus-operator pull 85 0 None closed Bug 1869732: fix secret and configmap references for TLS config 2020-10-09 09:32:52 UTC
Github prometheus-operator prometheus-operator pull 3413 0 None closed Fix validation logic for SecretOrConfigMap 2020-10-09 09:32:43 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:29:38 UTC

Description Simon Pasquier 2020-08-18 14:14:39 UTC
Description of problem:
The prometheus operator running in the openshift-user-workload-monitoring namespace will fail to reconcile when a user submits a service monitor that references a secret (or configmap) for the TLS configuration.

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. Enable user workload monitoring
2. Create a configmap for future reference
apiVersion: v1
data:
  ca.crt: test
kind: ConfigMap
metadata:
  name: ca-cert-demo
  namespace: default

3. Create a service monitor referencing the configmap above
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: demo
  name: demo
  namespace: default
spec:
  endpoints:
  - port: web
    tlsConfig:
      ca:
        configMap:
          key: ca.crt
          name: ca-cert-demo
  selector:
    matchLabels:
      app: demo

Actual results:

The prometheus operator's logs show warnings:
level=warn ts=2020-08-18T14:06:02.864503096Z caller=operator.go:1829 component=prometheusoperator msg="skipping servicemonitor" error="SecretOrConfigMap can not specify both Secret and ConfigMap" servicemonitor=default/demo namespace=openshift-user-workload-monitoring prometheus=user-workload

Expected results:

No warbubg in the logs. The prometheus operator processes the service monitor successfully.

Additional info:

Comment 1 Simon Pasquier 2020-08-18 14:17:02 UTC
It has been fixed upstream in https://github.com/prometheus-operator/prometheus-operator/pull/3413

Comment 7 Junqi Zhao 2020-08-24 01:54:14 UTC
tested with 4.6.0-0.nightly-2020-08-23-185640, and followed the steps in Comment 0, issue is fixed
# oc -n openshift-user-workload-monitoring logs $(oc -n openshift-user-workload-monitoring get po | grep prometheus-operator | awk '{print $1}') -c prometheus-operator | grep "level=warn"
no result

Comment 9 errata-xmlrpc 2020-10-27 16:29:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.