OpenShift Bugs / OCPBUGS-60159

openshift-cluster-csi-drivers vmware-vsphere-csi-driver-operator-metrics endpoint 8445 port should return 401 instead of 500


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.20.0
    • Storage / Operators
    • Quality / Stability / Reliability
    • False
    • Moderate
    • Rejected

      Description of problem:

      See similar bug OCPBUGS-57585.

      Stole the testing result from https://github.com/openshift/origin/pull/30014#issuecomment-3153130188

      Port 8445 is for the openshift-cluster-csi-drivers vmware-vsphere-csi-driver-operator-metrics endpoint; did not see this port on other IaaS (for example AWS, OSP). Checked on vSphere: curl to port 8445 without auth returns 500 (actually it's forbidden):

      $ oc get infrastructure/cluster -o jsonpath={.spec.platformSpec.type}
      VSphere
      
      $ oc -n openshift-cluster-csi-drivers get ep
      Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
      NAME                                           ENDPOINTS                                                        AGE
      vmware-vsphere-csi-driver-controller-metrics   10.129.0.17:9203,10.130.0.21:9203,10.129.0.17:9202 + 9 more...   28m
      vmware-vsphere-csi-driver-operator-metrics     10.130.0.17:8445                                                 28m
      vmware-vsphere-csi-driver-webhook-svc          10.128.0.45:8443,10.130.0.23:8443                                28m
      
      $ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -s -o /dev/null -w '%{http_code}' https://10.130.0.17:8445/metrics
      500
      

      Return code is 500; expecting 401 forbidden instead of 500.

      $ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k https://10.130.0.17:8445/metrics
      
      Internal Server Error: "/metrics": subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:vmware-vsphere-csi-driver-operator" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope  

      curl with auth: no issue

      $ token=`oc create token prometheus-k8s -n openshift-monitoring`
      $ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://10.130.0.17:8445/metrics' | head -n3
      # HELP aggregator_discovery_aggregation_count_total [ALPHA] Counter of number of times discovery was aggregated
      # TYPE aggregator_discovery_aggregation_count_total counter
      aggregator_discovery_aggregation_count_total 0 

      https://github.com/openshift/origin/pull/30014#issuecomment-3154900379

       

      When the bug is fixed, please remove it from this code snippet to avoid regression.

      https://github.com/openshift/origin/blob/4f183dd3427cffd8d97b44557caa782d65726416/test/extended/prometheus/prometheus.go#L64-L71

              rh-ee-rhrmo Richard Hrmo
              juzhao@redhat.com Junqi Zhao
              Xia Zhao Xia Zhao
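The following is an added example, not part of the original report or of the openshift/origin test code: a small shell check that classifies the result of the unauthenticated `/metrics` probe shown above and pulls the refused service account out of the error body. The function names and verdict words are assumptions made for this sketch; the `oc` and `curl` invocation and the sample error body are taken from the report.

```sh
#!/bin/sh
# Added example: classify an unauthenticated probe of a metrics endpoint.
# Function names and verdict words are assumptions made for this sketch.

# classify_probe STATUS BODY -> prints one verdict word
classify_probe() {
    case "$1" in
        401|403) echo "rejected" ;;   # request refused, no metrics served
        200)     echo "exposed" ;;    # metrics readable without credentials
        500)
            case "$2" in
                # The endpoint could not create a SubjectAccessReview, so it
                # fails with a server error instead of an auth rejection.
                *'subjectaccessreviews.authorization.k8s.io is forbidden'*)
                    echo "authz-delegation-broken" ;;
                *)  echo "server-error" ;;
            esac ;;
        *)       echo "unexpected" ;;
    esac
}

# sar_denied_account BODY -> prints namespace/name of the service account
# that was refused "create subjectaccessreviews"; prints nothing if absent.
sar_denied_account() {
    printf '%s\n' "$1" | sed -n \
        's|.*User "system:serviceaccount:\([^:"]*\):\([^"]*\)" cannot create resource "subjectaccessreviews".*|\1/\2|p'
}

# probe URL -> runs the report's curl from the Prometheus pod and classifies it.
# Needs a logged-in oc session, so it is defined here but not called.
probe() {
    out=$(oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- \
        curl -k -s -w '\n%{http_code}' "$1") || return 1
    code=$(printf '%s\n' "$out" | tail -n 1)   # last line is the status code
    text=$(printf '%s\n' "$out" | sed '$d')    # everything before it is the body
    classify_probe "$code" "$text"
}

# Sample body copied from the curl output quoted in this report.
SAMPLE='Internal Server Error: "/metrics": subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:vmware-vsphere-csi-driver-operator" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope'
echo "verdict: $(classify_probe 500 "$SAMPLE")"
echo "account: $(sar_denied_account "$SAMPLE")"
```

On a live cluster, `probe https://10.130.0.17:8445/metrics` applies the same classification to the endpoint from the report.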