  1. OpenShift Bugs
  2. OCPBUGS-59768

openshift-operator-lifecycle-manager catalog-operator-metrics/olm-operator-metrics endpoints exposed all the information without any authorization


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.20.0
    • OLM
    • Quality / Stability / Reliability
    • Moderate
    • Rejected
    • Oddish Sprint 275, Pikachu Sprint 276, Quagsire Sprint 277, Rhydon Sprint 278

      Description of problem:

      see similar bug OCPBUGS-57585

      checked in 4.20.0-0.nightly-2025-07-20-021531, openshift-operator-lifecycle-manager catalog-operator-metrics/olm-operator-metrics endpoints exposed all the information without any authorization

      as shown in https://rhobs-handbook.netlify.app/products/openshiftmonitoring/collecting_metrics.md/#exposing-metrics-for-prometheus

      should implement proper authentication

      $ oc -n openshift-operator-lifecycle-manager get po -o wide
      NAME                                      READY   STATUS      RESTARTS   AGE   IP            NODE                                        NOMINATED NODE   READINESS GATES
      catalog-operator-5df685f8d4-5cjjq         1/1     Running     0          11h   10.129.0.33   ip-10-0-77-233.us-east-2.compute.internal   <none>           <none>
      collect-profiles-29222625-j7zfn           0/1     Completed   0          31m   10.131.0.64   ip-10-0-79-84.us-east-2.compute.internal    <none>           <none>
      collect-profiles-29222640-sxz89           0/1     Completed   0          16m   10.131.0.65   ip-10-0-79-84.us-east-2.compute.internal    <none>           <none>
      collect-profiles-29222655-kjv4z           0/1     Completed   0          71s   10.131.0.66   ip-10-0-79-84.us-east-2.compute.internal    <none>           <none>
      olm-operator-f66d58f74-nkbh4              1/1     Running     0          11h   10.129.0.36   ip-10-0-77-233.us-east-2.compute.internal   <none>           <none>
      package-server-manager-6c44dd9954-mgph7   2/2     Running     0          11h   10.129.0.16   ip-10-0-77-233.us-east-2.compute.internal   <none>           <none>
      packageserver-db998f8d4-7m9fq             1/1     Running     0          11h   10.130.0.22   ip-10-0-43-21.us-east-2.compute.internal    <none>           <none>
      packageserver-db998f8d4-vdlw9             1/1     Running     0          11h   10.128.0.23   ip-10-0-25-174.us-east-2.compute.internal   <none>           <none>
      
      $ oc -n openshift-operator-lifecycle-manager get ep
      Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
      NAME                             ENDPOINTS                           AGE
      catalog-operator-metrics         10.129.0.33:8443                    11h
      olm-operator-metrics             10.129.0.36:8443                    11h
      package-server-manager-metrics   10.129.0.16:8443                    11h
      packageserver-service            10.128.0.23:5443,10.130.0.22:5443   11h
      
      $ oc -n openshift-operator-lifecycle-manager exec catalog-operator-5df685f8d4-5cjjq -- curl -k https://10.129.0.33:8443/metrics | head
      # HELP catalog_source_count Number of catalog sources
      # TYPE catalog_source_count gauge
      catalog_source_count 4
      # HELP catalog_source_snapshots_total The number of times the catalog operator has requested a snapshot of data from a catalog source
      # TYPE catalog_source_snapshots_total counter
      catalog_source_snapshots_total{name="certified-operators",namespace="openshift-marketplace"} 0
      catalog_source_snapshots_total{name="community-operators",namespace="openshift-marketplace"} 0
      catalog_source_snapshots_total{name="redhat-marketplace",namespace="openshift-marketplace"} 0
      catalog_source_snapshots_total{name="redhat-operators",namespace="openshift-marketplace"} 0
      # HELP catalogsource_ready State of a CatalogSource. 1 indicates that the CatalogSource is in a READY state. 0 indicates CatalogSource is in a Non READY state.
      
      $ oc -n openshift-operator-lifecycle-manager exec olm-operator-f66d58f74-nkbh4 -- curl -k https://10.129.0.36:8443/metrics | head
      # HELP csv_count Number of CSVs successfully registered
      # TYPE csv_count gauge
      csv_count 1
      # HELP csv_succeeded Successful CSV install
      # TYPE csv_succeeded gauge
      csv_succeeded{name="packageserver",namespace="openshift-operator-lifecycle-manager",version="0.0.1-snapshot"} 1
      # HELP csv_upgrade_count Monotonic count of CSV upgrades
      # TYPE csv_upgrade_count counter
      csv_upgrade_count 0
      # HELP go_gc_duration_seconds A summary of the wall-time pause (stop-the-world) duration in garbage collection cycles.

      Version-Release number of selected component (if applicable):

      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.20.0-0.nightly-2025-07-20-021531   True        False         11h     Cluster version is 4.20.0-0.nightly-2025-07-20-021531

      How reproducible:

      always

      Steps to Reproduce:

      1. see descriptions

      Actual results:

      openshift-operator-lifecycle-manager catalog-operator-metrics/olm-operator-metrics endpoints exposed all the information without any authorization

      Expected results:

      should be with authorization

      Additional info:

      the issue also exists in 4.19 and previous versions

      When the bug is fixed, please remove it from this code snippet to avoid regression.

      https://github.com/openshift/origin/blob/4f183dd3427cffd8d97b44557caa782d65726416/test/extended/prometheus/prometheus.go#L64-L71

              anik120 Anik Bhattacharjee
              juzhao@redhat.com Junqi Zhao
              Xia Zhao Xia Zhao
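
As an added example (not part of the original report, nor OLM or origin code), the Go sketch below turns the manual `curl` check from the description into a repeatable probe: it requests `/metrics` with no credentials and reports whether Prometheus exposition text comes back. The names `probeMetrics` and `probeLocal`, the sample body and the local TLS test server are constructed for illustration, and the bearer-header check is only a stand-in for real token validation.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample body, shaped like the olm-operator output in the report.
const sampleMetrics = "# HELP csv_count Number of CSVs successfully registered\n# TYPE csv_count gauge\ncsv_count 1\n"

// probeMetrics sends one GET without credentials and classifies the endpoint.
func probeMetrics(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // first 1 MiB is enough
	switch {
	case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden:
		return "protected", nil
	case resp.StatusCode == http.StatusOK && strings.Contains(string(body), "# TYPE "):
		return "exposed", nil // exposition text was served to an anonymous client
	}
	return "unknown", nil
}

// probeLocal probes a throwaway local TLS server (hypothetical, not a cluster).
// With requireAuth it rejects requests that carry no bearer token.
func probeLocal(requireAuth bool) (string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if requireAuth && !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, sampleMetrics)
	}))
	defer srv.Close()
	return probeMetrics(srv.Client(), srv.URL+"/metrics")
}

func main() {
	open, _ := probeLocal(false)
	guarded, _ := probeLocal(true)
	fmt.Println("no auth check:", open, "| bearer token required:", guarded)
}
```

An "exposed" verdict corresponds to the behaviour shown in the description; "protected" is the result the report expects once authentication is in place.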