Story
Resolution: Unresolved
Quality / Stability / Reliability
From a 4.12.0-ec.4 CI run:
$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-aws-sdn-serial/1578535371610787840/artifacts/e2e-aws-sdn-serial/gather-must-gather/artifacts/must-gather.tar | tar xOz quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-c7f5e32ff38c7a4616d6e9357fb0381c715f11b5a4f454424ea708be17072aad/namespaces/openshift-monitoring/core/secrets.yaml | yaml2json | jq -r '.items[].metadata | select(.name == "metrics-client-certs")'
{
  "creationTimestamp": "2022-10-08T00:16:01Z",
  "managedFields": [
    {
      "apiVersion": "v1",
      "fieldsType": "FieldsV1",
      "fieldsV1": {
        "f:data": {
          ".": {},
          "f:tls.crt": {},
          "f:tls.key": {}
        },
        "f:type": {}
      },
      "manager": "operator",
      "operation": "Update",
      "time": "2022-10-08T00:16:01Z"
    }
  ],
  "name": "metrics-client-certs",
  "namespace": "openshift-monitoring",
  "resourceVersion": "7786",
  "uid": "9eae6505-a93a-4ab0-a1b4-b59a9a72aab3"
}
And from that run's audit logs:
$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-aws-sdn-serial/1578535371610787840/artifacts/e2e-aws-sdn-serial/gather-audit-logs/artifacts/audit-logs.tar | tar xz --strip-components=2
$ zgrep -h secrets kube-apiserver/*.log.gz | jq -r .verb | sort | uniq -c
parse error: Invalid numeric literal at line 13306, column 6
48 create
301 delete
6187 get
595 list
622 update
5552 watch
$ zgrep -h '"verb":"create".*"resource":"secrets","namespace":"openshift-monitoring"' kube-apiserver/*.log.gz | jq -r '.stageTimestamp + " " + (.responseStatus.code | tostring) + " " + .user.username' | sort | head -n2
2022-10-08T00:28:33.146347Z 201 system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller
2022-10-08T00:28:33.173866Z 201 system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller
So unfortunately this particular Secret predates the audit logs, and was presumably created on the bootstrap machine by operator (whoever that was). It would be nice if the Secret set ownerReferences (like my ask for Prometheus ownerReferences in MON-1634), so it was easier to use generic-kube knowledge to understand who creates and manages the Secret.
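The correlation above (Secret creationTimestamp versus kube-apiserver audit events) as an added Python example; it is not part of the issue or of any OpenShift component. The audit lines and the example-operator / example-secret names are constructed; the script tolerates the malformed lines that made jq abort and reports when a Secret predates the earliest audit record, which is exactly the situation found for metrics-client-certs.

```python
import json
from datetime import datetime, timezone

# Constructed audit records (audit.k8s.io/v1 Event fields, one JSON object per line), not
# taken from the CI run. The last line is deliberately truncated, the kind of record that
# makes `jq` abort with "parse error: Invalid numeric literal".
AUDIT_LINES = [
    '{"verb":"create","user":{"username":"system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller"},"objectRef":{"resource":"secrets","namespace":"openshift-monitoring","name":"default-dockercfg-x7k2p"},"responseStatus":{"code":201},"stageTimestamp":"2022-10-08T00:28:33.146347Z"}',
    '{"verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:example-reader"},"objectRef":{"resource":"secrets","namespace":"openshift-monitoring","name":"metrics-client-certs"},"responseStatus":{"code":200},"stageTimestamp":"2022-10-08T00:31:10.000001Z"}',
    '{"verb":"create","user":{"username":"system:serviceaccount:openshift-monitoring:example-operator"},"objectRef":{"resource":"secrets","namespace":"openshift-monitoring","name":"example-secret"},"responseStatus":{"code":201},"stageTimestamp":"2022-10-08T00:32:00.5Z"}',
    '{"verb":"create","user":{"username":"system:serviceaccount:openshift-monitoring:exa',
]

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp with or without fractional seconds."""
    body = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def load_events(lines):
    """Parse one JSON audit event per line; count malformed lines instead of aborting."""
    events, bad = [], 0
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad

def secret_creates(events, namespace, name):
    """(stageTimestamp, HTTP code, username) for every 'create' of the named Secret."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if (ev.get("verb") == "create" and ref.get("resource") == "secrets"
                and ref.get("namespace") == namespace and ref.get("name") == name):
            hits.append((ev["stageTimestamp"], ev.get("responseStatus", {}).get("code"),
                         ev.get("user", {}).get("username")))
    return sorted(hits)

def predates_audit(creation_timestamp, events):
    """True when the Secret is older than the earliest audit record, i.e. its creator
    cannot be identified from these logs (bootstrap-time creation, as in the issue)."""
    first = min(parse_ts(ev["stageTimestamp"]) for ev in events)
    return parse_ts(creation_timestamp) < first

if __name__ == "__main__":
    events, bad = load_events(AUDIT_LINES)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    print("creates:", secret_creates(events, "openshift-monitoring", "metrics-client-certs"))
    print("predates audit logs:", predates_audit("2022-10-08T00:16:01Z", events))
```

Against real data, feed `zgrep -h secrets kube-apiserver/*.log.gz` output to `load_events` and the Secret's creationTimestamp from must-gather to `predates_audit`.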