Restore metrics service operation when pods do not start after reinstalling Ansible Automation Platform by recreating the missing database credential secret.
Before you begin
- oc CLI access with sufficient RBAC permissions to create and patch secrets and CRs in the metrics service namespace
- The name of your
AnsibleAutomationPlatform CR (<aap-name>)
- The name of your
MetricsService CR (<metrics-cr-name>)
- Access to the automation controller PostgreSQL database host and database name
About this task
This procedure restores metrics service operation when pods do not start after reinstalling or restoring Ansible Automation Platform because the <aap-name>-metrics-read-token Kubernetes secret was deleted during cleanup and not automatically recreated. Use this procedure when the metrics service operator logs contain the error "Gateway-managed AWX read user secret '-metrics-read-token' not found in namespace ''" and the health endpoint does not respond.
What causes this issue
During reinstallation, the <aap-name>-metrics-read-token Kubernetes secret is deleted as part of the cleanup. Under certain conditions the Ansible Automation Platform operator does not automatically recreate this secret on the next reconcile, leaving the metrics service operator unable to configure the read-only database connection to the automation controller.
Note
A permanent fix for this issue is available in the next async update. After applying the update, the Ansible Automation Platform operator automatically recreates the read token secret when it is missing, and the metrics service operator recovers gracefully without manual intervention.
Choose one of the following options.
Procedure
- Option 1: Manually recreate the missing secret
Use this option to restore normal operation without changing your metrics service configuration.
- Confirm the secret is missing. The secret name follows the pattern
<aap-name>-metrics-read-token:
oc get secret <aap-name>-metrics-read-token -n <namespace>
If the command returns Error from server (NotFound), proceed to the next step.
- Retrieve the automation controller database host from the existing postgres configuration secret:
oc get secret <aap-name>-controller-postgres-configuration \
-n <namespace> \
-o jsonpath='{.data.host}' | base64 -d
- Retrieve the automation controller database name:
oc get secret <aap-name>-controller-postgres-configuration \
-n <namespace> \
-o jsonpath='{.data.database}' | base64 -d
- Create the missing secret using the values from the previous steps:
oc create secret generic <aap-name>-metrics-read-token \
--from-literal=username=ms_awx_readonly \
--from-literal=password=<password> \
--from-literal=database=<controller-database-name> \
--from-literal=host=<controller-db-host> \
--from-literal=port=5432 \
-n <namespace>
Replace <password> with a secure password for the ms_awx_readonly database user. If you are restoring the same database, use the original password to avoid a credential mismatch. If you are reinstalling with a fresh database, any secure password is acceptable.
- Trigger a reconcile by annotating the
AnsibleAutomationPlatform CR:
oc annotate ansibleautomationplatform <aap-name> \
ansible.com/force-reconcile="$(date +%s)" \
--overwrite -n <namespace>
- Verify that metrics service pods start successfully:
oc get pods -n <namespace> | grep metrics
- Option 2: Configure metrics service to manage its own read-only credentials
Use this option if you cannot recreate the secret manually, or if you want to prevent the issue from recurring on future reinstallations. This directs the metrics service operator to create and manage the ms_awx_readonly database user independently.
- Patch the
MetricsService CR to use operator-managed credentials:
oc patch metricsservice <metrics-cr-name> \
--type merge \
-p '{"spec":{"ms_awx_readonly_user":{"externally_managed":false}}}' \
-n <namespace>
- Remove the
database.ms_awx_readonly_user_secret reference so the operator does not attempt to locate the missing gateway-managed secret:
oc patch metricsservice <metrics-cr-name> \
--type json \
-p '[{"op":"remove","path":"/spec/database/ms_awx_readonly_user_secret"}]' \
-n <namespace>
- Verify that the operator reconciles successfully and pods start:
oc get pods -n <namespace> | grep metrics
Results
Metrics service has recovered successfully when:
- All metrics service pods show
Running status:
oc get pods -n <namespace> | grep metrics
- The health endpoint returns a successful response:
oc exec deployment/<metrics-cr-name>-web -n <namespace> -- \
curl -s http://localhost:8080/health/
- No secret-related errors appear in the metrics service operator logs:
oc logs -l name=automation-metrics-operator -n <namespace> --tail=50
Red Hat Summit
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}