- Bug
- Resolution: Done
- Normal
- None
- 4.14
- None
- Moderate
- No
- 3
- OSDOCS Sprint 247, OSDOCS Sprint 248
- 2
- False
Description of problem:
This is a documentation bug for the cert-manager operator. The document to enable monitoring for the cert-manager operator has incomplete steps:

https://docs.openshift.com/container-platform/4.14/security/cert_manager_operator/cert-manager-monitoring.html#cert-manager-enable-metrics_cert-manager-monitoring

After following the document, the certmanager metrics are not available in "Observe > Metrics" and the prometheus-k8s pods in OpenShift report the errors below:

2023-12-01T16:09:01.513009505Z ts=2023-12-01T16:09:01.512Z caller=klog.go:108 level=warn component=k8s_client_runtime func=Warningf msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:542: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"cert-manager\""

2023-12-01T16:09:01.513009505Z ts=2023-12-01T16:09:01.512Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:542: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"cert-manager\""
Version-Release number of selected component (if applicable):
RHOCP 4.14
How reproducible:
100%
Steps to Reproduce:
1. Enable monitoring for cert-manager operator
2. Check metrics in "Observe > Metrics" section in OCP web console
3. Check logs of prometheus-k8s pods in openshift-monitoring
Actual results:
certmanager-* metrics are not available after following the documentation.
Expected results:
The metrics certmanager-* should be available.
Additional info:
After creating the role and rolebinding below, the metrics were available in the "Observe > Metrics" section.

==========
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-k8s
  namespace: cert-manager
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - pods
  verbs:
  - get
  - list
  - watch
==========

==========
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-k8s
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-k8s
subjects:
- kind: ServiceAccount
  name: prometheus-k8s
  namespace: openshift-monitoring
==========

The documentation[1] should have the above steps in place to enable monitoring for the cert-manager operator.

[1] https://docs.openshift.com/container-platform/4.14/security/cert_manager_operator/cert-manager-monitoring.html#cert-manager-enable-metrics_cert-manager-monitoring
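
Added example, not part of the original report or the product documentation: a small Python helper that extracts the denied (service account, verb, resource, namespace) tuples from prometheus-k8s log text like the lines quoted above, and renders the matching "oc auth can-i" checks to confirm the Role and RoleBinding took effect. The function names and the abridged sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the Kubernetes API "forbidden" message, with or without the
# backslash-escaped quotes it carries inside the Prometheus msg="..." field.
FORBIDDEN = re.compile(
    r'User \\?"system:serviceaccount:(?P<sa_ns>[^:"\\]+):(?P<sa>[^"\\]+)\\?" '
    r'cannot (?P<verb>\w+) resource \\?"(?P<resource>[^"\\]+)\\?" '
    r'in API group \\?"(?P<group>[^"\\]*)\\?" '
    r'in the namespace \\?"(?P<ns>[^"\\]+)\\?"'
)

# Constructed sample: abridged from the two log lines quoted in this report.
SAMPLE_LOG = r'''
level=warn func=Warningf msg="failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"cert-manager\""
level=error func=ErrorDepth msg="Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"cert-manager\""
'''

def missing_permissions(log_text):
    """Map (sa_namespace, sa_name, target_namespace, api_group, resource) to denied verbs."""
    denied = defaultdict(set)
    for m in FORBIDDEN.finditer(log_text):
        key = (m["sa_ns"], m["sa"], m["ns"], m["group"], m["resource"])
        denied[key].add(m["verb"])  # repeated log lines collapse into one entry
    return dict(denied)

def can_i_commands(denied):
    """Render one 'oc auth can-i' impersonation check per denied verb/resource."""
    cmds = []
    for (sa_ns, sa, ns, group, resource), verbs in sorted(denied.items()):
        # The core API group is the empty string; named groups are suffixed.
        target = f"{resource}.{group}" if group else resource
        for verb in sorted(verbs):
            cmds.append(
                f"oc auth can-i {verb} {target} "
                f"--as=system:serviceaccount:{sa_ns}:{sa} -n {ns}"
            )
    return cmds

if __name__ == "__main__":
    for cmd in can_i_commands(missing_permissions(SAMPLE_LOG)):
        print(cmd)
```

The log shows only the first denial that service discovery hits (list on services), so the output is the check to run against the reported error, not the full rule set the Role above grants.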