From c3f71b11d4ed5fdf243cca86e1d99f4671fae56c Mon Sep 17 00:00:00 2001
From: Emma Foley
Date: Fri, 25 Aug 2023 12:34:57 +0100
Subject: [PATCH] [issue#306] Add missing ClusterRoles

The cluster-monitoring-operator is required for STF to install. It creates the required alertmanager-main and prometheus-k8s. ClusterRoles, and STF relies on these being present. These are not present when using CRC, so ClusterRoles need to be explicitly created. The names of the ClusterRoles have been updated, in case there is some conflict when cluster-monitoring-operator is installed after STF. This is a workaround for not having cluster-monitoring-operator installed: https://github.com/infrawatch/service-telemetry-operator/issues/306 resolves #306
---
 .../tasks/component_alertmanager.yml | 31 +++++++++++-
 .../tasks/component_prometheus.yml | 47 ++++++++++++++++++-
 2 files changed, 76 insertions(+), 2 deletions(-)

diff --git a/roles/servicetelemetry/tasks/component_alertmanager.yml b/roles/servicetelemetry/tasks/component_alertmanager.yml
index bcb63e44f..589a1ab74 100644
--- a/roles/servicetelemetry/tasks/component_alertmanager.yml
+++ b/roles/servicetelemetry/tasks/component_alertmanager.yml
@@ -77,6 +77,35 @@
 annotations:
 serviceaccounts.openshift.io/oauth-redirectreference.alertmanager: '{{ alertmanager_oauth_redir_ref | to_json }}'
+- name: Create the missing alertmanager-stf ClusterRole
+ k8s:
+ definition:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: alertmanager-stf
+ rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
 - name: Bind role
 k8s:
 definition:
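Review bot: The new `alertmanager-stf` ClusterRole is a cluster-scoped object created from an inline `definition` with no labels and no ownership metadata, so it cannot be garbage-collected with the namespaced STF resources and will outlive an uninstall; at minimum it should carry an identifying label under `metadata:`, e.g. `labels:` / `app.kubernetes.io/managed-by: service-telemetry-operator` (constructed value), so it can be found and cleaned up. Nothing in the hunk records why each rule is granted, which makes least-privilege review harder next time the list grows; a comment above `rules:` such as `# tokenreviews/subjectaccessreviews create: oauth-proxy authn/authz; nonroot SCC use: pod admission` (the oauth purpose is visible from the redirect annotation just above, the SCC purpose is presumed) would fix that. The same two points apply to the `prometheus-stf` ClusterRole added in component_prometheus.yml. The `Bind role` task that follows continues outside the hunk.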
@@ -88,7 +117,7 @@
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: alertmanager-main
+ name: alertmanager-stf
 subjects:
 - kind: ServiceAccount
 name: alertmanager-stf
diff --git a/roles/servicetelemetry/tasks/component_prometheus.yml b/roles/servicetelemetry/tasks/component_prometheus.yml
index eb890c1be..f301d7ea1 100644
--- a/roles/servicetelemetry/tasks/component_prometheus.yml
+++ b/roles/servicetelemetry/tasks/component_prometheus.yml
@@ -76,6 +76,51 @@
 when:
 - observability_strategy in ['use_redhat', 'use_hybrid']
+- name: Create the prometheus-stf ClusterRole
+ k8s:
+ definition:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: prometheus-stf
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
 - name: Bind the local prometheus SA to prometheus cluster role (for oauth perms)
 k8s:
 definition:
@@ -87,7 +132,7 @@
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: prometheus-k8s
+ name: prometheus-stf
 subjects:
 - kind: ServiceAccount
 name: prometheus-k8s
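Review bot: The `Create the prometheus-stf ClusterRole` task carries no `when:` guard, while the task directly above it is gated on `observability_strategy in ['use_redhat', 'use_hybrid']`; this role grants cluster-wide read of `nodes/metrics`, the `/metrics` non-resource URL and all `namespaces`, so if the bind task below shares that guard (its `when`, if any, is outside the hunk) the role should be gated identically, otherwise it is created for every strategy even when no `prometheus-k8s` ServiceAccount is bound to it. Adding `when:` / `- observability_strategy in ['use_redhat', 'use_hybrid']` under the task would keep the cluster-scoped grant limited to the strategies that use it. As a point of style, the task name differs from its sibling (`Create the missing alertmanager-stf ClusterRole` in component_alertmanager.yml); using the same wording in both files makes the two workaround tasks easier to find together. The bind task's body continues outside the hunk.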