package prometheus
import (
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"github.com/gitpod-io/observability/installer/pkg/common"
certmanager "github.com/gitpod-io/observability/installer/pkg/components/cert-manager"
)
// extraNamespaceRoleBindings returns one RoleBinding per namespace that
// Prometheus has to scrape. Together with extraNamespaceRoles, these bindings
// give the Prometheus service account permission to read metrics endpoints
// that live in other namespaces.
//
// The Prometheus namespace, "default" and "kube-system" are always included;
// "werft" and the cert-manager namespace are added only when the matching
// InstallServiceMonitors flag is set. The returned error is always nil.
//
// NOTE(review): every entry here extends the Prometheus service account's
// reach into another namespace, kube-system included. What it may do there is
// decided by the Role that rolebindingFactory references, which is defined
// outside this function; confirm that Role stays limited to the read-only
// access scraping needs.
//
// TODO: Add more namespaces from configuration
func extraNamespaceRoleBindings(ctx *common.RenderContext) ([]runtime.Object, error) {
	// Namespaces that are bound unconditionally, in output order.
	namespaces := []string{Namespace, "default", "kube-system"}

	// Optional components only get a binding when their ServiceMonitors are installed.
	if ctx.Config.Werft.InstallServiceMonitors {
		namespaces = append(namespaces, "werft")
	}
	if ctx.Config.Certmanager.InstallServiceMonitors {
		namespaces = append(namespaces, certmanager.Namespace)
	}

	bindings := make([]runtime.Object, 0, len(namespaces))
	for _, ns := range namespaces {
		bindings = append(bindings, rolebindingFactory(ns))
	}
	return bindings, nil
}
// rolebindingFactory builds the RoleBinding placed in namespace ns. It binds
// the Role named resourceName() to the ServiceAccount named resourceName()
// in the Prometheus namespace (Namespace).
//
// The binding and the Role it references are in ns; only the subject is in
// the Prometheus namespace. The permissions granted are therefore exactly
// those of that Role, and they apply inside ns only.
func rolebindingFactory(ns string) *rbacv1.RoleBinding {
	typeMeta := metav1.TypeMeta{
		APIVersion: "rbac.authorization.k8s.io/v1",
		Kind:       "RoleBinding",
	}

	objectMeta := metav1.ObjectMeta{
		Name:      resourceName(),
		Namespace: ns,
		Labels:    common.Labels(Name, Component, App, Version),
	}

	// A RoleRef of kind "Role" is resolved in the binding's own namespace (ns).
	roleRef := rbacv1.RoleRef{
		APIGroup: "rbac.authorization.k8s.io",
		Kind:     "Role",
		Name:     resourceName(),
	}

	// The subject is the service account Prometheus runs as. It lives in the
	// Prometheus namespace, not in the namespace of the Role being bound.
	subject := rbacv1.Subject{
		Kind:      "ServiceAccount",
		Name:      resourceName(),
		Namespace: Namespace,
	}

	return &rbacv1.RoleBinding{
		TypeMeta:   typeMeta,
		ObjectMeta: objectMeta,
		RoleRef:    roleRef,
		Subjects:   []rbacv1.Subject{subject},
	}
}