Bug
Resolution: Unresolved
Undefined
None
premerge
None
Moderate
No
MON Sprint 251
1
False
Release Note Not Required
In Progress
Description of problem:
tested MON-3749 with PR
launch 4.16.0-0.nightly-2024-03-28-223620,openshift/cluster-monitoring-operator#2293 gcp
Enabled the TechPreviewNoUpgrade featureSet and checked the metrics-server deployment: there is no "requestheader-client-ca-file" in the metrics-server deployment as mentioned in MON-3749.
$ oc -n openshift-monitoring get deploy metrics-server -oyaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2024-03-29T02:09:40Z"
  generation: 1
  labels:
    app.kubernetes.io/component: metrics-server
    app.kubernetes.io/managed-by: cluster-monitoring-operator
    app.kubernetes.io/name: metrics-server
    app.kubernetes.io/part-of: openshift-monitoring
  name: metrics-server
  namespace: openshift-monitoring
  resourceVersion: "49163"
  uid: a7464947-e05c-42cb-b48c-7e86d92988e2
spec:
  progressDeadlineSeconds: 600
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: metrics-server
      app.kubernetes.io/name: metrics-server
      app.kubernetes.io/part-of: openshift-monitoring
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        monitoring.openshift.io/kubelet-serving-ca-bundle-hash: 76mk3p4trsotm
        monitoring.openshift.io/metrics-client-cert-hash: 53h1vl39q6a8
        monitoring.openshift.io/serving-ca-secret-hash: d68l7sujepd9q
        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: metrics-server
        app.kubernetes.io/name: metrics-server
        app.kubernetes.io/part-of: openshift-monitoring
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/component: metrics-server
                app.kubernetes.io/name: metrics-server
                app.kubernetes.io/part-of: openshift-monitoring
            namespaces:
            - openshift-monitoring
            topologyKey: kubernetes.io/hostname
      containers:
      - args:
        - --secure-port=10250
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --metric-resolution=15s
        - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt
        - --kubelet-client-certificate=/etc/tls/metrics-client-certs/tls.crt
        - --kubelet-client-key=/etc/tls/metrics-client-certs/tls.key
        - --tls-cert-file=/etc/tls/private/tls.crt
        - --tls-private-key-file=/etc/tls/private/tls.key
        - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - --tls-min-version=VersionTLS12
        - --requestheader-allowed-names=kube-apiserver-proxy,system:kube-apiserver-proxy,system:openshift-aggregator
        - --requestheader-extra-headers-prefix=X-Remote-Extra-
        - --requestheader-group-headers=X-Remote-Group
        - --requestheader-username-headers=X-Remote-User
        - --audit-policy-file=/etc/audit/metadata-profile.yaml
        - --audit-log-path=/var/log/metrics-server/audit.log
        - --audit-log-maxsize=100
        - --audit-log-maxbackup=5
        - --audit-log-compress=true
        image: registry.build02.ci.openshift.org/ci-ln-m8g5srk/stable@sha256:7fa8fd8e7c8d0759d5a013d5d45083c155a8d282df80d3c811c7114e177f8074
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: metrics-server
        ports:
        - containerPort: 10250
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          initialDelaySeconds: 20
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 1m
            memory: 40Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /etc/tls/private
          name: secret-metrics-server-tls
        - mountPath: /etc/tls/metrics-client-certs
          name: secret-metrics-client-certs
        - mountPath: /etc/tls/kubelet-serving-ca-bundle
          name: configmap-kubelet-serving-ca-bundle
        - mountPath: /etc/audit
          name: metrics-server-audit-profiles
          readOnly: true
        - mountPath: /var/log/metrics-server
          name: audit-log
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: metrics-server
      serviceAccountName: metrics-server
      terminationGracePeriodSeconds: 30
      volumes:
      - name: secret-metrics-client-certs
        secret:
          defaultMode: 420
          secretName: metrics-client-certs
      - name: secret-metrics-server-tls
        secret:
          defaultMode: 420
          secretName: metrics-server-tls
      - configMap:
          defaultMode: 420
          name: kubelet-serving-ca-bundle
        name: configmap-kubelet-serving-ca-bundle
      - emptyDir: {}
        name: audit-log
      - configMap:
          defaultMode: 420
          name: metrics-server-audit-profiles
        name: metrics-server-audit-profiles
status:
  availableReplicas: 2
  conditions:
  - lastTransitionTime: "2024-03-29T02:10:10Z"
    lastUpdateTime: "2024-03-29T02:10:10Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2024-03-29T02:09:40Z"
    lastUpdateTime: "2024-03-29T02:10:10Z"
    message: ReplicaSet "metrics-server-6794c99cdb" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 2
  replicas: 2
  updatedReplicas: 2
Version-Release number of selected component (if applicable):
tested with PR
How reproducible:
Always
Steps to Reproduce:
1. check metrics-server deployment
Actual results:
no "requestheader-client-ca-file" in metrics-server deployment
Expected results:
should see it
Additional info:
if it's not a bug, please close it and correct the description in MON-3749
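
The check in "Steps to Reproduce" can be scripted rather than read by eye. The following is an added example, not part of the original report or of cluster-monitoring-operator: it parses a Deployment's container args and reports which of the Kubernetes request-header authentication flags are set and which are absent. The helper names and the constructed `SAMPLE` (a trimmed copy of the args shown above) are assumptions made for illustration.

```python
# The request-header authentication flags of the Kubernetes generic API server.
REQUESTHEADER_FLAGS = (
    "--requestheader-client-ca-file",
    "--requestheader-allowed-names",
    "--requestheader-extra-headers-prefix",
    "--requestheader-group-headers",
    "--requestheader-username-headers",
)

def parse_args(args):
    """Map flag -> value, accepting '--flag=value', '--flag value' and bare '--flag'."""
    flags, i = {}, 0
    while i < len(args):
        name, sep, value = args[i].partition("=")
        if name.startswith("--"):
            # '--flag value' form: take the next token if it is not itself a flag
            if not sep and i + 1 < len(args) and not args[i + 1].startswith("--"):
                value, i = args[i + 1], i + 1
            flags[name] = value
        i += 1
    return flags

def requestheader_report(deployment, container_name):
    """Return (present, missing) request-header flags for the named container."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container_name:
            flags = parse_args(c.get("args", []))
            present = {f: flags[f] for f in REQUESTHEADER_FLAGS if f in flags}
            missing = [f for f in REQUESTHEADER_FLAGS if f not in flags]
            return present, missing
    raise KeyError(f"container {container_name!r} not found")

# Constructed sample: a subset of the args from the output in this report.
SAMPLE = {"spec": {"template": {"spec": {"containers": [{
    "name": "metrics-server",
    "args": [
        "--secure-port=10250",
        "--kubelet-use-node-status-port",
        "--tls-min-version=VersionTLS12",
        "--requestheader-allowed-names=kube-apiserver-proxy,system:kube-apiserver-proxy,system:openshift-aggregator",
        "--requestheader-extra-headers-prefix=X-Remote-Extra-",
        "--requestheader-group-headers=X-Remote-Group",
        "--requestheader-username-headers=X-Remote-User",
    ],
}]}}}}

if __name__ == "__main__":
    present, missing = requestheader_report(SAMPLE, "metrics-server")
    print("present:", sorted(present))
    print("missing:", missing)
```

Against a live cluster, the same functions can be given the parsed output of `oc -n openshift-monitoring get deploy metrics-server -o json` in place of `SAMPLE`.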