package prometheus
import (
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"github.com/gitpod-io/observability/installer/pkg/common"
certmanager "github.com/gitpod-io/observability/installer/pkg/components/cert-manager"
)
// extraNamespaceRoles, together with extraNamespaceRoleBindings, gives
// prometheus permission to scrape metrics from endpoints in other namespaces.
//
// One namespaced Role is rendered per target namespace, so the read access
// described by roleFactory applies only inside the namespaces listed here.
// The prometheus namespace, "default" and "kube-system" are always included;
// "werft" and the cert-manager namespace are added only when the matching
// InstallServiceMonitors option is set. The returned error is always nil.
//
// TODO: Add more namespaces from configuration
// NOTE(review): every namespace added here widens what the bound subject can
// read, so a configuration-driven list should be validated before use.
func extraNamespaceRoles(ctx *common.RenderContext) ([]runtime.Object, error) {
	// Namespaces that always receive a Role, in render order.
	namespaces := []string{Namespace, "default", "kube-system"}

	// Optional namespaces, enabled per component.
	if ctx.Config.Werft.InstallServiceMonitors {
		namespaces = append(namespaces, "werft")
	}
	if ctx.Config.Certmanager.InstallServiceMonitors {
		namespaces = append(namespaces, certmanager.Namespace)
	}

	roles := make([]runtime.Object, 0, len(namespaces))
	for _, ns := range namespaces {
		roles = append(roles, roleFactory(ns))
	}
	return roles, nil
}
// roleFactory returns the Role that is created in namespace ns.
//
// The Role grants only the read verbs get, list and watch, on services,
// endpoints and pods in the core API group and on ingresses in the
// "extensions" and "networking.k8s.io" groups. It carries no write verbs and
// does not reference secrets or configmaps.
func roleFactory(ns string) *rbacv1.Role {
	// readOnly builds one rule for a single API group; each call allocates
	// its own Resources and Verbs slices so the rules never share storage.
	readOnly := func(group string, resources ...string) rbacv1.PolicyRule {
		return rbacv1.PolicyRule{
			APIGroups: []string{group},
			Resources: resources,
			Verbs:     []string{"get", "list", "watch"},
		}
	}

	typeMeta := metav1.TypeMeta{
		APIVersion: "rbac.authorization.k8s.io/v1",
		Kind:       "Role",
	}
	objectMeta := metav1.ObjectMeta{
		Name:      resourceName(),
		Namespace: ns,
		Labels:    common.Labels(Name, Component, App, Version),
	}

	return &rbacv1.Role{
		TypeMeta:   typeMeta,
		ObjectMeta: objectMeta,
		Rules: []rbacv1.PolicyRule{
			// "" is the core API group.
			readOnly("", "services", "endpoints", "pods"),
			// Ingresses are listed under both the legacy and the current group.
			readOnly("extensions", "ingresses"),
			readOnly("networking.k8s.io", "ingresses"),
		},
	}
}