Bug 1869732 - Fail to deploy a service monitor for user workload monitoring that references a secret for TLS configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Simon Pasquier
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-08-18 14:14 UTC by Simon Pasquier
Modified: 2020-10-27 16:29 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:29:05 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift prometheus-operator pull 85 | 0 | None | closed | Bug 1869732: fix secret and configmap references for TLS config | 2020-10-09 09:32:52 UTC
Github | prometheus-operator prometheus-operator pull 3413 | 0 | None | closed | Fix validation logic for SecretOrConfigMap | 2020-10-09 09:32:43 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:29:38 UTC

Description Simon Pasquier 2020-08-18 14:14:39 UTC
Description of problem:
The prometheus operator running in the openshift-user-workload-monitoring namespace will fail to reconcile when a user submits a service monitor that references a secret (or configmap) for the TLS configuration.

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. Enable user workload monitoring
2. Create a configmap for future reference
apiVersion: v1
data:
  ca.crt: test
kind: ConfigMap
metadata:
  name: ca-cert-demo
  namespace: default

3. Create a service monitor referencing the configmap above
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: demo
  name: demo
  namespace: default
spec:
  endpoints:
  - port: web
    tlsConfig:
      ca:
        configMap:
          key: ca.crt
          name: ca-cert-demo
  selector:
    matchLabels:
      app: demo

Actual results:

The prometheus operator's logs show warnings:
level=warn ts=2020-08-18T14:06:02.864503096Z caller=operator.go:1829 component=prometheusoperator msg="skipping servicemonitor" error="SecretOrConfigMap can not specify both Secret and ConfigMap" servicemonitor=default/demo namespace=openshift-user-workload-monitoring prometheus=user-workload

Expected results:

No warning in the logs. The prometheus operator processes the service monitor successfully.

Additional info:

Comment 1 Simon Pasquier 2020-08-18 14:17:02 UTC
It has been fixed upstream in https://github.com/prometheus-operator/prometheus-operator/pull/3413

Comment 7 Junqi Zhao 2020-08-24 01:54:14 UTC
Tested with 4.6.0-0.nightly-2020-08-23-185640 and followed the steps in Comment 0; the issue is fixed.
# oc -n openshift-user-workload-monitoring logs $(oc -n openshift-user-workload-monitoring get po | grep prometheus-operator | awk '{print $1}') -c prometheus-operator | grep "level=warn"
no result
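
Added example, not part of the original report or of the operator's code: the `grep "level=warn"` check above only shows that warnings exist, so this Python snippet parses the operator's logfmt lines and reports which service monitors were skipped and why. The function names and every sample line except the first (which is the warning quoted in the description) are constructed for the example.

```python
import shlex
from collections import defaultdict

# Constructed sample: line 1 is the warning quoted in this report,
# the remaining lines are made up for the example.
SAMPLE_LOG = '''\
level=warn ts=2020-08-18T14:06:02.864503096Z caller=operator.go:1829 component=prometheusoperator msg="skipping servicemonitor" error="SecretOrConfigMap can not specify both Secret and ConfigMap" servicemonitor=default/demo namespace=openshift-user-workload-monitoring prometheus=user-workload
level=info ts=2020-08-18T14:06:03.000000000Z caller=operator.go:1000 component=prometheusoperator msg="sync prometheus" key=openshift-user-workload-monitoring/user-workload
level=warn ts=2020-08-18T14:07:02.000000000Z caller=operator.go:1829 component=prometheusoperator msg="skipping servicemonitor" error="SecretOrConfigMap can not specify both Secret and ConfigMap" servicemonitor=default/demo namespace=openshift-user-workload-monitoring prometheus=user-workload
this line is not logfmt "and has an unbalanced quote
'''


def parse_logfmt(line):
    """Split one logfmt line into a dict; return {} if it cannot be tokenized.

    Simplification: shlex also treats single quotes as quoting, so a value
    with a bare apostrophe may be rejected and the line ignored.
    """
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return {}
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:  # ignore tokens that are not key=value pairs
            fields[key] = value
    return fields


def skipped_servicemonitors(log_text):
    """Map each skipped ServiceMonitor to the set of errors logged for it."""
    skipped = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        if fields.get("level") == "warn" and fields.get("msg") == "skipping servicemonitor":
            name = fields.get("servicemonitor", "<unknown>")
            skipped[name].add(fields.get("error", ""))
    return dict(skipped)


if __name__ == "__main__":
    for name, errors in sorted(skipped_servicemonitors(SAMPLE_LOG).items()):
        print(name, "->", "; ".join(sorted(errors)))
```

An empty result from `skipped_servicemonitors` corresponds to the "no result" outcome of the grep check, while a non-empty one names the service monitors whose TLS-configured endpoints are not being scraped.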

Comment 9 errata-xmlrpc 2020-10-27 16:29:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

