Bug 2016228 - Collect Profiles pprof secret is hardcoded to openshift-operator-lifecycle-manager
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Alexander Greene
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On:
Blocks: 2017434
 
Reported: 2021-10-21 02:48 UTC by Alexander Greene
Modified: 2022-03-10 16:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OLM recently began serving performance metrics at an endpoint by default. Requests against this endpoint were rejected unless they included information stored in a secret that existed in the `openshift-operator-lifecycle-manager` namespace. The namespace of the secret was hardcoded.
Consequence: In distributions where OLM is not running in the `openshift-operator-lifecycle-manager` namespace, OLM fails to verify requests against the performance metric endpoint as it cannot find the expected secret in the `openshift-operator-lifecycle-manager` namespace.
Fix: Update OLM to look for the secret in the namespace it is running in.
Result: OLM is once again able to verify requests against the performance endpoint.
Clone Of:
Environment:
Last Closed: 2022-03-10 16:21:07 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift operator-framework-olm pull 208 | 0 | None | open | Bug 2016228: Use arguments to configure pprof-secret | 2021-10-21 02:50:29 UTC
Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-10 16:21:22 UTC

Description Alexander Greene 2021-10-21 02:48:57 UTC
Description of problem:
The secret used to establish a secure connection with OLM's pprof endpoint is hardcoded to the openshift-operator-lifecycle-manager namespace. This cannot work if OLM is not running in that namespace, as is the case on HyperShift clusters.

Version-Release number of selected component (if applicable): 4.10


How reproducible: Always


Steps to Reproduce:
1. No steps needed, view hardcoded value here: https://github.com/openshift/operator-framework-olm/blob/master/cmd/collect-profiles/main.go#L34

Actual results:
Expected PPROF secret namespace cannot be configured.

Expected results:
Expected PPROF secret namespace can be configured.

Additional info:
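
An added example, not part of the bug report and not the code from the linked pull request: one way to resolve the pprof secret's namespace from an argument or from the pod's own namespace instead of a hardcoded value, failing closed when neither is available. The flag name `--secret-namespace` and the function name are hypothetical; the service-account namespace file is the standard in-cluster path.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Standard location where Kubernetes projects a pod's own namespace.
const saNamespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"

// Namespace names are DNS-1123 labels: lowercase alphanumerics and '-', at most 63 chars.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// resolveSecretNamespace returns the namespace to read the pprof secret from:
// the --secret-namespace flag (hypothetical name) if given, otherwise the
// namespace recorded in nsFile. It never falls back to a hardcoded namespace.
func resolveSecretNamespace(args []string, nsFile string) (string, error) {
	fs := flag.NewFlagSet("collect-profiles", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // parse errors are returned to the caller, not printed
	ns := fs.String("secret-namespace", "", "namespace holding the pprof secret")
	if err := fs.Parse(args); err != nil {
		return "", err
	}
	if *ns == "" {
		raw, err := os.ReadFile(nsFile)
		if err != nil {
			return "", fmt.Errorf("no --secret-namespace given and %s unreadable: %w", nsFile, err)
		}
		*ns = strings.TrimSpace(string(raw))
	}
	// Reject malformed values before they reach an API request.
	if !dns1123Label.MatchString(*ns) {
		return "", fmt.Errorf("invalid secret namespace %q", *ns)
	}
	return *ns, nil
}

func main() {
	ns, err := resolveSecretNamespace(os.Args[1:], saNamespaceFile)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("pprof secret namespace:", ns)
}
```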

Comment 3 Jian Zhang 2021-10-25 09:51:23 UTC
[cloud-user@preserve-olm-env jian]$ oc -n openshift-operator-lifecycle-manager exec deploy/catalog-operator -- olm --version
OLM version: 0.19.0
git commit: 6d684d4d9a85f9577fbb8f2da5846e820af69626

[cloud-user@preserve-olm-env jian]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-10-23-225921   True        False         7h57m   Cluster version is 4.10.0-0.nightly-2021-10-23-225921

[cloud-user@preserve-olm-env jian]$ oc get CronJob -n openshift-operator-lifecycle-manager
NAME               SCHEDULE       SUSPEND   ACTIVE   LAST SCHEDULE   AGE
collect-profiles   */15 * * * *   False     0        4m56s           8h

[cloud-user@preserve-olm-env jian]$ oc get pods -n openshift-operator-lifecycle-manager 
NAME                                     READY   STATUS      RESTARTS   AGE
catalog-operator-7dbf8cb576-hq6zm        1/1     Running     0          8h
collect-profiles-27252555--1-dj7pf       0/1     Completed   0          35m
collect-profiles-27252570--1-gxp8t       0/1     Completed   0          20m
collect-profiles-27252585--1-ll4m5       0/1     Completed   0          5m19s
olm-operator-6f75bf9687-r6h7c            1/1     Running     0          8h
package-server-manager-d6799ddbd-2bq2k   1/1     Running     0          8h
packageserver-5c7c6777cb-js6v6           1/1     Running     0          8h
packageserver-5c7c6777cb-qz8h9           1/1     Running     0          8h

The cronjob works well, LGTM, verify it.

Comment 6 errata-xmlrpc 2022-03-10 16:21:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

