[issue#306] Add missing ClusterRoles #465

Merged
merged 8 commits into from
Sep 21, 2023

Commits on Sep 21, 2023

  1. [issue#306] Add missing ClusterRoles

    The cluster-monitoring-operator is required for STF to install. It
    creates the required alertmanager-main and prometheus-k8s
    ClusterRoles, and STF relies on these being present.
    These are not present when using CRC, so ClusterRoles need to be
    explicitly created.
    
    The names of the ClusterRoles have been updated, in case there is some
    conflict when cluster-monitoring-operator is installed after STF.
    
    This is a workaround for not having cluster-monitoring-operator
    installed: #306
    
    resolves #306
    elfiesmelfie authored and leifmadsen committed Sep 21, 2023
    d537327
  2. Fix up the RBAC setup for prometheus-stf (#467)

    Fix up the RBAC changes to fully get prometheus-stf working and
    decoupled from prometheus-k8s. Changes to using a separate
    prometheus-stf ClusterRole, ClusterRoleBinding, and ServiceAccount,
    along with a Role and RoleBinding, all using prometheus-stf as the
    ServiceAccount. Also updates the Alertmanager configuration to use
    alertmanager-stf instead of alertmanager-main.
    leifmadsen committed Sep 21, 2023
    a74cffb
  3. e3306bd
  4. Refactor smoketest script (#468)

    * Refactor smoketest script
    
    Perform a bit of smoketest refactoring and fix up a few bugs.
    
    * Update alert trigger to use startsAt in order to potentially speed up
      delivery of the alerts. Failures in the SNMP_WEBHOOK_STATUS seem to
      be primarily due to delayed alert notification through
      prometheus-snmp-webhook.
    * Add an alert clean up task as part of the clean up logic at the end.
    * Update openssl x509 to not use the -in flag which seems unnecessary
      and on some systems causes a failure.
    * Add new SMOKETEST_VERBOSE boolean so local testing can skip massive
      amounts of information dumped to stdout.
    * Remove curl pod using label selector for slightly cleaner output.
    * Update failure check to combine RET and SNMP_WEBHOOK_STATUS since
      testing seems to show changes are slightly more reliable.
    
    * Show logs from curl
    leifmadsen committed Sep 21, 2023
    a63f79c
  5. Remove nodes/metrics permission from ClusterRole

    As part of least privilege work, remove the nodes/metrics permission as
    we're not scraping nodes for information. Everything appears to continue
    working in STF without this permission.
    leifmadsen committed Sep 21, 2023
    557d75f
  6. Move SCC RBAC from ClusterRole to Role

    Working on simplifying and reducing our access scope as much as
    possible. It appears moving SCC RBAC from ClusterRole to Role allows
    things to continue to work with Prometheus. It's possible further
    testing may reveal this will need to be reverted.
    leifmadsen committed Sep 21, 2023
    a4787a3
  7. Convert alertmanager-stf Role to ClusterRole (#473)

    Convert alertmanager-stf Role to ClusterRole as the tokenreviews and
    subjectaccessreviews resources need to be accessible at the cluster
    scope.
    leifmadsen committed Sep 21, 2023
    c525fb0
  8. Create ClusterRoleBinding and Role for alertmanager (#475)

    * Create ClusterRoleBinding and Role for alertmanager
    
    Create appropriate ClusterRoleBinding and Role for alertmanager-stf,
    breaking out SCC into a Role vs ClusterRole to keep things in alignment
    to prometheus-stf RBAC setup.
    
    * Adjust smoketest.sh for SNMP webhook test failures
    
    Adjust the smoketest script to also fail when the SNMP webhook test has
    failed. Add a wait condition for the curl pod to complete so logs can be
    retrieved.
    
    * Add *RoleBinding rescue capabilities
    
    If changes happen to the ClusterRoleBinding or RoleBinding then
    generally the system is not going to allow you to patch the object. Adds
    block/rescue logic to remove the existing ClusterRoleBinding or
    RoleBinding before creating it when patching the object fails.
    leifmadsen committed Sep 21, 2023
    abe966b
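
A simplified model of RBAC scoping, showing why commit 7 needs a ClusterRole for tokenreviews and subjectaccessreviews while commits 6 and 8 can keep SCC access in a namespaced Role. This is an added example, not code from the pull request; the namespace, the verbs and all helper names are assumptions, and resourceNames are not modelled.

```python
# Simplified model of RBAC binding scope (illustration only, not the real authorizer).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_group: str
    resource: str
    verbs: frozenset

@dataclass(frozen=True)
class Binding:
    subject: str         # "namespace:serviceaccount"
    rules: tuple         # rules of the referenced Role or ClusterRole
    namespace: str = ""  # "" models a ClusterRoleBinding

def allowed(bindings, subject, verb, api_group, resource, namespace=""):
    """True if any binding grants the request in the given scope."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding only applies to requests carrying its own namespace,
        # so a cluster-scoped request (namespace "") never matches one.
        if b.namespace and b.namespace != namespace:
            continue
        if any((r.api_group, r.resource) == (api_group, resource) and verb in r.verbs
               for r in b.rules):
            return True
    return False

NS = "example-ns"              # constructed namespace
SA = f"{NS}:alertmanager-stf"  # ServiceAccount name as used on this page
REVIEWS = (                    # verbs are an assumption; the page names only the resources
    Rule("authentication.k8s.io", "tokenreviews", frozenset({"create"})),
    Rule("authorization.k8s.io", "subjectaccessreviews", frozenset({"create"})),
)
SCC_USE = (Rule("security.openshift.io", "securitycontextconstraints", frozenset({"use"})),)

# Constructed "before": review rules granted through a namespaced Role.
role_only = [Binding(SA, REVIEWS, namespace=NS)]
# Constructed "after": reviews via ClusterRoleBinding, SCC "use" via RoleBinding.
split = [Binding(SA, REVIEWS), Binding(SA, SCC_USE, namespace=NS)]

def can_review(bindings):
    # TokenReview create requests are cluster-scoped: no namespace attribute.
    return allowed(bindings, SA, "create", "authentication.k8s.io", "tokenreviews")

def can_use_scc(bindings, namespace):
    # The SCC "use" check is made with the pod's namespace attached.
    return allowed(bindings, SA, "use", "security.openshift.io",
                   "securitycontextconstraints", namespace)
```

The split layout keeps the cluster-wide grant limited to the two review resources, while SCC use stays confined to one namespace.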