Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-5164

[release-5.8] Elasticsearch Operator ServiceMonitor relies on a BearerTokenFile, in violation with UWM Prometheus specification

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • NEW
    • Hide
      Before this update, the Elasticsearch operator ServiceMonitor in openshift-operators-redhat relied on static token and CA files for authentication caused the Prometheus Operator in User-Workload-Monitoring to error on such ServiceMonitor configuration. With this update, the Elasticsearch Operator ServiceMonitor in openshift-operators-redhat references a serviceaccount token secret via a LocalReference and this approach resolves the issue and the User-Workload-Monitoring Prometheus Operator can process the Loki Operator ServiceMonitor successfully enabling Prometheus to scrape the Elasticsearch Operator metrics.
      Show
      Before this update, the Elasticsearch operator ServiceMonitor in openshift-operators-redhat relied on static token and CA files for authentication caused the Prometheus Operator in User-Workload-Monitoring to error on such ServiceMonitor configuration. With this update, the Elasticsearch Operator ServiceMonitor in openshift-operators-redhat references a serviceaccount token secret via a LocalReference and this approach resolves the issue and the User-Workload-Monitoring Prometheus Operator can process the Loki Operator ServiceMonitor successfully enabling Prometheus to scrape the Elasticsearch Operator metrics.
    • Log Storage - Sprint 250, Log Storage - Sprint 251, Log Storage - Sprint 252
    • Important

      Description of problem:

      Following the changes brought by [0], the Elasticsearch ServiceMonitor continues [1] to use the legacy `.spec.endpoints.bearertokensecret`, instead of the `.spec.endpoints.bearertokensecret` highlighted in [0]. 
      
      The above is in direct violation with User Workload Monitoring (UWM) Prometheus specification, which triggers this [2] warning for every customer that relies on UWM in a cluster that has OpenShift Logging deployed as well.
      
      [0] https://github.com/openshift/elasticsearch-operator/pull/903     
      [1] https://github.com/openshift/elasticsearch-operator/blame/release-5.8/config/prometheus/monitor.yaml#L11
      
      [2]
      ~~~
      level=warn ts=2023-11-09T15:21:33.009551274Z caller=operator.go:2255 component=prometheusoperator msg="skipping servicemonitor" error="it accesses file system via bearer token file which Prometheus specification prohibits" servicemonitor=openshift-operators-redhat/elasticsearch-operator-metrics-monitor namespace=openshift-user-workload-monitoring prometheus=user-workload
      level=warn ts=2023-11-09T15:21:33.0096416Z caller=operator.go:2255 component=prometheusoperator msg="skipping servicemonitor" error="it accesses file system via bearer token file which Prometheus specification prohibits" servicemonitor=openshift-operators-redhat/loki-operator-metrics-monitor namespace=openshift-user-workload-monitoring prometheus=user-workload
      ~~~

      Actual results:

      UWM Prometheus triggers the above-highlighted warning for every customer that relies on UWM in a cluster that has OpenShift Logging deployed as well.

      Expected results:

      The Elasticsearch ServiceMonitor to be updated to use the `.spec.endpoints.bearertokensecret` specification, in compliance with the UWM Prometheus specification

            ptsiraki@redhat.com Periklis Tsirakidis
            rhn-support-rsandu Robert Sandu
            Qiaoling Tang Qiaoling Tang
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: