Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1872253

Summary: Invalid service monitors block the update of the user workload monitoring prometheus
Product: OpenShift Container Platform
Reporter: Simon Pasquier <spasquie>
Component: Monitoring
Assignee: Simon Pasquier <spasquie>
Status: CLOSED ERRATA
QA Contact: Junqi Zhao <juzhao>
Severity: medium
Priority: unspecified
Version: 4.6
CC: alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, surbania
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-10-27 16:33:06 UTC
Type: Bug

Description Simon Pasquier 2020-08-25 09:42:00 UTC
Description of problem:
Whenever a service monitor references an invalid secret or configmap key, the prometheus operator wouldn't update the Prometheus configuration. It shouldn't be a big issue for the infra Prometheus because we pretty much control what goes in, but it's more problematic for user workload monitoring (basically a bad service monitor can DoS the service).

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:
1. Enable user workload monitoring
2. Create a secret + a service monitor that references this secret but with an invalid key
apiVersion: v1
data: {}
kind: Secret
metadata:
  name: demo
  namespace: default
type: Opaque
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: demo
  namespace: default
spec:
  endpoints:
  - port: web
    bearerTokenSecret:
      key: missing
      name: demo
  selector:
    matchLabels:
      app: demo

3. Create a valid service monitor

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: demo2
  namespace: default
spec:
  endpoints:
  - port: web
  selector:
    matchLabels:
      app: demo2

Actual results:
The second service monitor isn't present in the Prometheus configuration.

Expected results:
The second service monitor should be present in the Prometheus configuration.

Additional info:
https://github.com/prometheus-operator/prometheus-operator/issues/3327
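
An added example (not from the bug report or the prometheus-operator code base): a pre-flight audit that reports ServiceMonitor endpoints referencing a Secret or ConfigMap key that does not exist, run over constructed copies of the manifests above. The function names are hypothetical, and it assumes only the `bearerTokenSecret`, `basicAuth` and `tlsConfig` selectors need checking.

```python
# Added example. SAMPLE is constructed from the manifests in the bug description.
SAMPLE = [
    {"kind": "Secret", "metadata": {"name": "demo", "namespace": "default"}, "data": {}},
    {"kind": "ServiceMonitor", "metadata": {"name": "demo", "namespace": "default"},
     "spec": {"endpoints": [{"port": "web",
                             "bearerTokenSecret": {"name": "demo", "key": "missing"}}]}},
    {"kind": "ServiceMonitor", "metadata": {"name": "demo2", "namespace": "default"},
     "spec": {"endpoints": [{"port": "web"}]}},
]

def key_refs(endpoint):
    """Yield (kind, name, key) for each key selector set on one endpoint."""
    basic = endpoint.get("basicAuth") or {}
    tls = endpoint.get("tlsConfig") or {}
    selectors = [("Secret", endpoint.get("bearerTokenSecret")),
                 ("Secret", basic.get("username")),
                 ("Secret", basic.get("password")),
                 ("Secret", tls.get("keySecret"))]
    for field in ("ca", "cert"):  # these accept either a secret or a configMap
        source = tls.get(field) or {}
        selectors += [("Secret", source.get("secret")),
                      ("ConfigMap", source.get("configMap"))]
    for kind, sel in selectors:
        if sel and sel.get("name"):
            yield kind, sel["name"], sel.get("key", "")

def dangling_refs(objects):
    """Return sorted (monitor, kind, name, key) for references that do not resolve."""
    keys = {}  # (kind, namespace, name) -> set of keys the object defines
    for obj in objects:
        if obj["kind"] in ("Secret", "ConfigMap"):
            meta = obj["metadata"]
            present = set()
            for field in ("data", "stringData", "binaryData"):
                present |= set(obj.get(field) or {})
            keys[(obj["kind"], meta["namespace"], meta["name"])] = present
    findings = []
    for obj in objects:
        if obj["kind"] != "ServiceMonitor":
            continue
        meta = obj["metadata"]
        for endpoint in obj["spec"].get("endpoints") or []:
            for kind, name, key in key_refs(endpoint):
                # Selectors resolve in the ServiceMonitor's own namespace.
                if key not in keys.get((kind, meta["namespace"], name), set()):
                    findings.append((f'{meta["namespace"]}/{meta["name"]}', kind, name, key))
    return sorted(findings)

if __name__ == "__main__":
    for finding in dangling_refs(SAMPLE):
        print("dangling reference:", *finding)
```

Running such a check in admission or CI for user namespaces surfaces the offending monitor before it reaches the operator.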

Comment 6 errata-xmlrpc 2020-10-27 16:33:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196