[Chore] Add cluster role binding required for OpenShift monitoring dependent cases. #708
Conversation
IshwarKanse
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #708 +/- ##
=======================================
Coverage 77.66% 77.66%
=======================================
Files 68 68
Lines 5157 5157
=======================================
Hits 4005 4005
Misses 954 954
Partials 198 198
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
IshwarKanse
force-pushed
the
monitoring-fix
branch
from
440637b
to
fd94b3e
Compare
| name: kuttl-cluster-monitoring-metrics-api | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: prometheus-user-workload |
There was a problem hiding this comment.
The tempo operator does not own/manage the prometheus-user-workload service account, is it really the responsibility of the tempo operator (tests) to grant this service account additional permissions?
Shouldn't this permission be granted in the CMO operator?
There was a problem hiding this comment.
I checked with the CMO dev, the CMO creates cluster-monitoring-view role which can be bound to any SA to view the metrics for user workload monitoring. This is the docs for the viewing user workload monitoring metrics. https://docs.openshift.com/container-platform/4.14/monitoring/enabling-monitoring-for-user-defined-projects.html#accessing-metrics-from-outside-cluster_enabling-monitoring-for-user-defined-projects With the new CMO change, the additional step is to also bind the cluster-monitoring-view role. This gives the flexibility to the user to use any SA.
The ClusterRoleBinding step is not a Tempo requirement and is used only by the test case to check the metrics using the check_metrics.sh script.
There was a problem hiding this comment.
The ClusterRoleBinding step is not a Tempo requirement and is used only by the test case to check the metrics using the check_metrics.sh script.
Ah! Thanks for the explanation. That was the part I didn't realize, that check_metrics.sh is impersonating the prometheus-user-workload service account.
Could you add this as a comment above the ClusterRoleBinding?
There was a problem hiding this comment.
Added the comment. :)
IshwarKanse
force-pushed
the
monitoring-fix
branch
from
335f9fa
to
49aeb40
Compare
IshwarKanse
changed the title
IshwarKanse
force-pushed
the
monitoring-fix
branch
from
49aeb40
to
c8fe606
Compare
The Thanos Querier has switched to using kube-rbac-proxy in OpenShift 4.15 which requires creation of additional role and binding to query for metrics. https://issues.redhat.com/browse/MON-3379 This PR adds the required ClusterRole and ClusterRolebinding so that the in-cluster monitoring dependent cases work on OCP 4.15.