Bug 1872253
| Summary: | Invalid service monitors block the update of the user workload monitoring prometheus | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Simon Pasquier <spasquie> |
| Component: | Monitoring | Assignee: | Simon Pasquier <spasquie> |
| Status: | CLOSED ERRATA | QA Contact: | Junqi Zhao <juzhao> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.6 | CC: | alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, surbania |
| Target Milestone: | --- | ||
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 16:33:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196 |
Description of problem: Whenever a service monitor references an invalid secret or configmap's key, the prometheus operator wouldn't update the Prometheus configuration. It shouldn't be a big issue for the infra Prometheus because we pretty control what goes in but it's more problematic for user workload monitoring (basically a bad service monitor can DoS the service). Version-Release number of selected component (if applicable): 4.6 How reproducible: Always Steps to Reproduce: 1. Enable user workload monitoring 2. Create a secret + a service monitor that references this secret but with an invalid key apiVersion: v1 data: {} kind: Secret metadata: name: demo namespace: default type: Opaque apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: demo namespace: default spec: endpoints: - port: web bearerTokenSecret: key: missing name: demo selector: matchLabels: app: demo 3. Create a valid service monitor apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: demo2 namespace: default spec: endpoints: - port: web selector: matchLabels: app: demo2 Actual results: The second service monitor isn't present in the Prometheus configuration. Expected results: The second service monitor should be present in the Prometheus configuration. Additional info: https://github.com/prometheus-operator/prometheus-operator/issues/3327