Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-5243

[release-5.7] Elasticsearch Operator ServiceMonitor relies on a BearerTokenFile, in violation with UWM Prometheus specification

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • NEW
    • Hide
      Before this update, the Elasticsearch operator ServiceMonitor in openshift-operators-redhat relied on static token and CA files for authentication caused the Prometheus Operator in User-Workload-Monitoring to error on such ServiceMonitor configuration. With this update, the Elasticsearch Operator ServiceMonitor in openshift-operators-redhat references a serviceaccount token secret via a LocalReference and this approach resolves the issue and the User-Workload-Monitoring Prometheus Operator can process the Loki Operator ServiceMonitor successfully enabling Prometheus to scrape the Elasticsearch Operator metrics.
      Show
      Before this update, the Elasticsearch operator ServiceMonitor in openshift-operators-redhat relied on static token and CA files for authentication caused the Prometheus Operator in User-Workload-Monitoring to error on such ServiceMonitor configuration. With this update, the Elasticsearch Operator ServiceMonitor in openshift-operators-redhat references a serviceaccount token secret via a LocalReference and this approach resolves the issue and the User-Workload-Monitoring Prometheus Operator can process the Loki Operator ServiceMonitor successfully enabling Prometheus to scrape the Elasticsearch Operator metrics.
    • Bug Fix
    • Log Storage - Sprint 251, Log Storage - Sprint 252
    • Important

      Description of problem:

      Following the changes brought by [0], the Elasticsearch ServiceMonitor continues [1] to use the legacy `.spec.endpoints.bearertokensecret`, instead of the `.spec.endpoints.bearertokensecret` highlighted in [0]. 

The above is in direct violation with User Workload Monitoring (UWM) Prometheus specification, which triggers this [2] warning for every customer that relies on UWM in a cluster that has OpenShift Logging deployed as well.

[0] https://github.com/openshift/elasticsearch-operator/pull/903     
[1] https://github.com/openshift/elasticsearch-operator/blame/release-5.8/config/prometheus/monitor.yaml#L11

[2]
~~~
level=warn ts=2023-11-09T15:21:33.009551274Z caller=operator.go:2255 component=prometheusoperator msg="skipping servicemonitor" error="it accesses file system via bearer token file which Prometheus specification prohibits" servicemonitor=openshift-operators-redhat/elasticsearch-operator-metrics-monitor namespace=openshift-user-workload-monitoring prometheus=user-workload
level=warn ts=2023-11-09T15:21:33.0096416Z caller=operator.go:2255 component=prometheusoperator msg="skipping servicemonitor" error="it accesses file system via bearer token file which Prometheus specification prohibits" servicemonitor=openshift-operators-redhat/loki-operator-metrics-monitor namespace=openshift-user-workload-monitoring prometheus=user-workload
~~~

      Actual results:

      UWM Prometheus triggers the above-highlighted warning for every customer that relies on UWM in a cluster that has OpenShift Logging deployed as well.

      Expected results:

      The Elasticsearch ServiceMonitor to be updated to use the `.spec.endpoints.bearertokensecret` specification, in compliance with the UWM Prometheus specification

            ptsiraki@redhat.com Periklis Tsirakidis
            rhn-support-rsandu Robert Sandu
            Qiaoling Tang Qiaoling Tang
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: