Merge pull request #1545 from PhilipGough/mon-2172

Mon 2172: Add clusterrole for editing alertmanagerconfigs

CHANGELOG.md

@@ -16,7 +16,8 @@
 - [#1488](https://github.com/openshift/cluster-monitoring-operator/pull/1488) Removing the alert HighlyAvailableWorkloadIncorrectlySpread.
 - [#1858](https://github.com/openshift/cluster-monitoring-operator/pull/1858) Allow suppression of storage alerts via PersistentVolumeClaim label
 - [#1527](https://github.com/openshift/cluster-monitoring-operator/pull/1527) Enable user alerts via AlertManagerConfig to be forwarded to the existing Platform Alertmanager
--[#1543](https://github.com/openshift/cluster-monitoring-operator/pull/1543) Bump Grafana version to v8.3.4
+- [#1543](https://github.com/openshift/cluster-monitoring-operator/pull/1543) Bump Grafana version to v8.3.4
+- [#1545](https://github.com/openshift/cluster-monitoring-operator/pull/1545) Add ClusterRole to allow editing of AlertManagerConfig
 
 ## 4.9
 

assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: alert-routing-edit
+rules:
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagerconfigs
+  verbs:
+  - '*'

jsonnet/components/cluster-monitoring-operator.libsonnet

@@ -347,4 +347,17 @@ function(params) {
       verbs: ['*'],
     }],
   },
+
+  alertingEditClusterRole: {
+    apiVersion: 'rbac.authorization.k8s.io/v1',
+    kind: 'ClusterRole',
+    metadata: {
+      name: 'alert-routing-edit',
+    },
+    rules: [{
+      apiGroups: ['monitoring.coreos.com'],
+      resources: ['alertmanagerconfigs'],
+      verbs: ['*'],
+    }],
+  },
 }

pkg/manifests/manifests.go

@@ -200,6 +200,7 @@ var (
 	ClusterMonitoringRulesEditClusterRole       = "cluster-monitoring-operator/monitoring-rules-edit-cluster-role.yaml"
 	ClusterMonitoringRulesViewClusterRole       = "cluster-monitoring-operator/monitoring-rules-view-cluster-role.yaml"
 	ClusterMonitoringEditClusterRole            = "cluster-monitoring-operator/monitoring-edit-cluster-role.yaml"
+	ClusterMonitoringEditAlertingClusterRole    = "cluster-monitoring-operator/alerting-edit-cluster-role.yaml"
 	ClusterMonitoringEditUserWorkloadConfigRole = "cluster-monitoring-operator/user-workload-config-edit-role.yaml"
 	ClusterMonitoringGrpcTLSSecret              = "cluster-monitoring-operator/grpc-tls-secret.yaml"
 	ClusterMonitoringOperatorPrometheusRule     = "cluster-monitoring-operator/prometheus-rule.yaml"
@@ -2723,6 +2724,15 @@ func (f *Factory) ClusterMonitoringEditClusterRole() (*rbacv1.ClusterRole, error
 	return cr, nil
 }
 
+func (f *Factory) ClusterMonitoringAlertingEditClusterRole() (*rbacv1.ClusterRole, error) {
+	cr, err := f.NewClusterRole(f.assets.MustNewAssetReader(ClusterMonitoringEditAlertingClusterRole))
+	if err != nil {
+		return nil, err
+	}
+
+	return cr, nil
+}
+
 func (f *Factory) ClusterMonitoringEditUserWorkloadConfigRole() (*rbacv1.Role, error) {
 	cr, err := f.NewRole(f.assets.MustNewAssetReader(ClusterMonitoringEditUserWorkloadConfigRole))
 	if err != nil {

pkg/manifests/manifests_test.go

@@ -669,6 +669,11 @@ func TestUnconfiguredManifests(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	_, err = f.ClusterMonitoringAlertingEditClusterRole()
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	_, err = f.ClusterMonitoringEditUserWorkloadConfigRole()
 	if err != nil {
 		t.Fatal(err)

pkg/tasks/clustermonitoringoperator.go

@@ -49,6 +49,7 @@ func (t *ClusterMonitoringOperatorTask) Run(ctx context.Context) error {
 		"monitoring-rules-edit":   t.factory.ClusterMonitoringRulesEditClusterRole,
 		"monitoring-rules-view":   t.factory.ClusterMonitoringRulesViewClusterRole,
 		"monitoring-edit":         t.factory.ClusterMonitoringEditClusterRole,
+		"alert-routing-edit":      t.factory.ClusterMonitoringAlertingEditClusterRole,
 	} {
 		cr, err := crf()
 		if err != nil {