  1. OpenShift Bugs
  2. OCPBUGS-54954

The compliance_operator_compliance_scan_error_total metric does not currently capture or update when a compliance scan enters an ERROR state


    • Bug
    • Resolution: Unresolved
    • 4.19.0
    • Compliance Operator

      Description of problem:

      The compliance_operator_compliance_scan_error_total metric does not capture or update when a compliance scan enters an ERROR state    

      Version-Release number of selected component (if applicable):

      compliance-operator.v1.7.0(openshift-compliance-operator-bundle-container-1.7.0-3)    

      How reproducible:

      Always    

      Steps to Reproduce:

      1. Install Compliance Operator
      2. Create a compliancescan as below:
      % oc apply -f -<<EOF
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ComplianceScan
      metadata:
        name: worker-scan2
      spec:
        profile: xccdf_org.ssgproject.content_profile_coreos-ncp
        content: ssg-rhcos4-ds.xml
        contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:243dce9a4eebe152d8eb4055eaf29ceee855adc66122d6bd95e01703414f1c91
        debug: true
        nodeSelector:
            node-role.kubernetes.io/worker: ""
      EOF
      compliancescan.compliance.openshift.io/worker-scan2 created
      

       

      Actual results:

       

      The test scan returns ERROR. The ERROR message contains the info "Could not check whether the Profile used by ComplianceScan is deprecated". However, the compliance_operator_compliance_scan_error_total metric does not capture or update when a compliance scan enters an ERROR state.
      % oc get scan worker-scan2 
      NAME           PHASE   RESULT
      worker-scan2   DONE    ERROR
      % oc run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest -n openshift-compliance test-metrics -- bash -c 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.openshift-compliance.svc:8585/metrics-co' | grep -i worker-scan2
      compliance_operator_compliance_scan_status_total{name="worker-scan2",phase="PENDING",result=""} 1    
      

       

      % oc get scan worker-scan2 -o=jsonpath={.status} | jq -r
      {
        "conditions": [
          {
            "lastTransitionTime": "2025-04-14T12:11:54Z",
            "message": "The compliance scan is waiting to be processed",
            "reason": "Pending",
            "status": "False",
            "type": "Ready"
          }
        ],
        "endTimestamp": "2025-04-14T12:11:54Z",
        "errormsg": "Could not check whether the Profile used by ComplianceScan is deprecated",
        "phase": "DONE",
        "remainingRetries": 3,
        "result": "ERROR",
        "resultsStorage": {},
        "startTimestamp": "2025-04-14T12:11:54Z"
      }
      

       

      Expected results:

      The compliance_operator_compliance_scan_error_total metric should reflect the number of compliance scans that have resulted in an ERROR state.    

      Additional info:

          

              Unassigned Unassigned
              xiyuan@redhat.com Xiaojie Yuan
              Xiaojie Yuan Xiaojie Yuan
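
Added example (not from the reporter or the Compliance Operator project): a check that cross-references scan status with the metrics endpoint output to list scans whose result is ERROR but which the error counter never recorded, the gap this report describes. The sample inputs are constructed, and the `name` label on compliance_operator_compliance_scan_error_total is an assumption.

```python
import json
import re

ERROR_METRIC = "compliance_operator_compliance_scan_error_total"
STATUS_METRIC = "compliance_operator_compliance_scan_status_total"
SAMPLE_RE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)$')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample of the /metrics-co output. The "name" label on the error
# metric is an assumption; "ok-scan" and "other-scan" are made-up scans.
SAMPLE_METRICS = """\
# TYPE compliance_operator_compliance_scan_status_total counter
compliance_operator_compliance_scan_status_total{name="worker-scan2",phase="PENDING",result=""} 1
compliance_operator_compliance_scan_status_total{name="ok-scan",phase="DONE",result="COMPLIANT"} 1
compliance_operator_compliance_scan_error_total{name="other-scan"} 1
"""

# Constructed sample shaped like `oc get scan -o json` (only the fields used here).
SAMPLE_SCANS = json.dumps({"items": [
    {"metadata": {"name": "worker-scan2"}, "status": {
        "phase": "DONE", "result": "ERROR",
        "errormsg": "Could not check whether the Profile used by ComplianceScan is deprecated"}},
    {"metadata": {"name": "ok-scan"}, "status": {"phase": "DONE", "result": "COMPLIANT"}},
    {"metadata": {"name": "other-scan"}, "status": {"phase": "DONE", "result": "ERROR"}},
]})

def parse_metrics(text):
    """Yield (metric, labels, value) for every labelled sample line."""
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            yield m.group(1), dict(LABEL_RE.findall(m.group(2))), float(m.group(3))

def unreported_errors(scans_json, metrics_text):
    """Return scans whose result is ERROR but which the error metric never counted."""
    samples = list(parse_metrics(metrics_text))
    counted = {l.get("name") for n, l, v in samples if n == ERROR_METRIC and v > 0}
    gaps = []
    for item in json.loads(scans_json)["items"]:
        name, status = item["metadata"]["name"], item.get("status", {})
        if status.get("result") == "ERROR" and name not in counted:
            seen = [(l.get("phase"), l.get("result")) for n, l, v in samples
                    if n == STATUS_METRIC and l.get("name") == name]
            gaps.append({"scan": name, "errormsg": status.get("errormsg", ""),
                         "status_metric": seen})
    return gaps

if __name__ == "__main__":
    for gap in unreported_errors(SAMPLE_SCANS, SAMPLE_METRICS):
        print(gap)
```

On a live cluster the two inputs would be the JSON from `oc get scan -n openshift-compliance -o json` and the text returned by the curl command in the reproduction steps.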