Merge pull request #754 from simonpasquier/add-monitoring-targets-edi…

…t-role Add monitoring-edit role
openshift · Apr 16, 2020 · 2bd3798 · 2bd3798
2 parents 1031289 + ef99daf
commit 2bd3798
Show file tree

Hide file tree

Showing 7 changed files with 111 additions and 28 deletions.
diff --git a/assets/cluster-monitoring-operator/monitoring-edit-cluster-role.yaml b/assets/cluster-monitoring-operator/monitoring-edit-cluster-role.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: monitoring-edit
+rules:
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  - podmonitors
+  - prometheusrules
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
diff --git a/jsonnet/cluster-monitoring-operator.jsonnet b/jsonnet/cluster-monitoring-operator.jsonnet
@@ -84,6 +84,21 @@ local metrics = import 'telemeter-client/metrics.jsonnet';
       clusterRole.mixin.metadata.withName('cluster-monitoring-view') +
       clusterRole.withRules(rules),
 
+    monitoringEditClusterRole:
+      local clusterRole = k.rbac.v1.clusterRole;
+      local policyRule = clusterRole.rulesType;
+
+      local editRule = policyRule.new() +
+                       policyRule.withApiGroups(['monitoring.coreos.com']) +
+                       policyRule.withResources(['servicemonitors', 'podmonitors', 'prometheusrules']) +
+                       policyRule.withVerbs(['create', 'delete', 'get', 'list', 'update', 'watch']);
+
+      local rules = [editRule];
+
+      clusterRole.new() +
+      clusterRole.mixin.metadata.withName('monitoring-edit') +
+      clusterRole.withRules(rules),
+
     monitoringRulesViewClusterRole:
       local clusterRole = k.rbac.v1.clusterRole;
       local policyRule = clusterRole.rulesType;

diff --git a/manifests/0000_50_cluster_monitoring_operator_02-role.yaml b/manifests/0000_50_cluster_monitoring_operator_02-role.yaml
@@ -5,6 +5,7 @@
 # 	hack/cluster-monitoring-operator-role.yaml.in
 # 	assets/alertmanager/cluster-role.yaml
 # 	assets/cluster-monitoring-operator/cluster-role.yaml
+# 	assets/cluster-monitoring-operator/monitoring-edit-cluster-role.yaml
 # 	assets/cluster-monitoring-operator/monitoring-rules-edit-cluster-role.yaml
 # 	assets/cluster-monitoring-operator/monitoring-rules-view-cluster-role.yaml
 # 	assets/grafana/cluster-role.yaml
@@ -147,6 +148,19 @@ rules:
   - namespaces
   verbs:
   - get
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - podmonitors
+  - prometheusrules
+  - servicemonitors
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - monitoring.coreos.com
   resources:

diff --git a/pkg/manifests/bindata.go b/pkg/manifests/bindata.go
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -167,6 +167,7 @@ var (
 	ClusterMonitoringClusterRole            = "assets/cluster-monitoring-operator/cluster-role.yaml"
 	ClusterMonitoringRulesEditClusterRole   = "assets/cluster-monitoring-operator/monitoring-rules-edit-cluster-role.yaml"
 	ClusterMonitoringRulesViewClusterRole   = "assets/cluster-monitoring-operator/monitoring-rules-view-cluster-role.yaml"
+	ClusterMonitoringEditClusterRole        = "assets/cluster-monitoring-operator/monitoring-edit-cluster-role.yaml"
 	ClusterMonitoringGrpcTLSSecret          = "assets/cluster-monitoring-operator/grpc-tls-secret.yaml"
 
 	TelemeterClientClusterRole            = "assets/telemeter-client/cluster-role.yaml"
@@ -2185,6 +2186,15 @@ func (f *Factory) ClusterMonitoringRulesViewClusterRole() (*rbacv1.ClusterRole,
 	return cr, nil
 }
 
+func (f *Factory) ClusterMonitoringEditClusterRole() (*rbacv1.ClusterRole, error) {
+	cr, err := f.NewClusterRole(MustAssetReader(ClusterMonitoringEditClusterRole))
+	if err != nil {
+		return nil, err
+	}
+
+	return cr, nil
+}
+
 func (f *Factory) ClusterMonitoringOperatorService() (*v1.Service, error) {
 	s, err := f.NewService(MustAssetReader(ClusterMonitoringOperatorService))
 	if err != nil {

diff --git a/pkg/manifests/manifests_test.go b/pkg/manifests/manifests_test.go
@@ -624,6 +624,21 @@ func TestUnconfiguredManifests(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	_, err = f.ClusterMonitoringRulesEditClusterRole()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = f.ClusterMonitoringRulesViewClusterRole()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = f.ClusterMonitoringEditClusterRole()
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	_, err = f.ClusterMonitoringOperatorService()
 	if err != nil {
 		t.Fatal(err)

diff --git a/pkg/tasks/clustermonitoringoperator.go b/pkg/tasks/clustermonitoringoperator.go
@@ -18,6 +18,7 @@ import (
 	"github.com/openshift/cluster-monitoring-operator/pkg/client"
 	"github.com/openshift/cluster-monitoring-operator/pkg/manifests"
 	"github.com/pkg/errors"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
@@ -44,34 +45,21 @@ func (t *ClusterMonitoringOperatorTask) Run() error {
 		return errors.Wrap(err, "reconciling Cluster Monitoring Operator Service failed")
 	}
 
-	cr, err := t.factory.ClusterMonitoringClusterRole()
-	if err != nil {
-		return errors.Wrap(err, "initializing cluster-monitoring ClusterRole failed")
-	}
-
-	err = t.client.CreateOrUpdateClusterRole(cr)
-	if err != nil {
-		return errors.Wrap(err, "reconciling cluster-monitoring ClusterRole failed")
-	}
-
-	cr, err = t.factory.ClusterMonitoringRulesEditClusterRole()
-	if err != nil {
-		return errors.Wrap(err, "initializing monitoring-rules-edit ClusterRole failed")
-	}
-
-	err = t.client.CreateOrUpdateClusterRole(cr)
-	if err != nil {
-		return errors.Wrap(err, "reconciling monitoring-rules-edit ClusterRole failed")
-	}
-
-	cr, err = t.factory.ClusterMonitoringRulesViewClusterRole()
-	if err != nil {
-		return errors.Wrap(err, "initializing monitoring-rules-view ClusterRole failed")
-	}
-
-	err = t.client.CreateOrUpdateClusterRole(cr)
-	if err != nil {
-		return errors.Wrap(err, "reconciling monitoring-rules-view ClusterRole failed")
+	for name, crf := range map[string]func() (*rbacv1.ClusterRole, error){
+		"cluster-monitoring-view": t.factory.ClusterMonitoringClusterRole,
+		"monitoring-rules-edit":   t.factory.ClusterMonitoringRulesEditClusterRole,
+		"monitoring-rules-view":   t.factory.ClusterMonitoringRulesViewClusterRole,
+		"monitoring-edit":         t.factory.ClusterMonitoringEditClusterRole,
+	} {
+		cr, err := crf()
+		if err != nil {
+			return errors.Wrapf(err, "initializing %s ClusterRole failed", name)
+		}
+
+		err = t.client.CreateOrUpdateClusterRole(cr)
+		if err != nil {
+			return errors.Wrapf(err, "reconciling %s ClusterRole failed", name)
+		}
 	}
 
 	smcmo, err := t.factory.ClusterMonitoringOperatorServiceMonitor()