Generalize the use of recommended "app.kubernetes.io/managed-by"

and "app.kubernetes.io/part-of" labels on Kube resources created and
managed by CMO and CVO.

See https://issues.redhat.com/browse/MON-3216 for the whys.

We chose this "inject at the end" approach as it requires less changes, but
we're aware that:
- We need to label resources managed by CVO individually (see utils/add-labels.libsonnet)
- Items of a XXXList (RoleList in role-specific-namespaces.yaml for example) are missed
- Resources created by some CR are missed (as we don't tell their operators to add the labels)

A draft of the other approach (Add the labels explicitly to each resource) can be found at
machine424@5386735#diff-3f0ac462e0855b3c5693e93fd73febeec9422783681a4a15b2a82f9f40efec89

Signed-off-by: Ayoub Mrini <amrini@redhat.com>

assets/admission-webhook/alertmanager-config-validating-webhook.yaml

@@ -5,7 +5,9 @@ metadata:
     service.beta.openshift.io/inject-cabundle: "true"
   labels:
     app.kubernetes.io/component: controller
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: prometheus-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanagerconfigs.openshift.io
 webhooks:
 - admissionReviewVersions:

assets/admission-webhook/pod-disruption-budget.yaml

@@ -2,6 +2,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: prometheus-operator-admission-webhook
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.66.0

assets/admission-webhook/prometheus-rule-validating-webhook.yaml

@@ -5,7 +5,9 @@ metadata:
     service.beta.openshift.io/inject-cabundle: "true"
   labels:
     app.kubernetes.io/component: controller
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: prometheus-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: prometheusrules.openshift.io
 webhooks:
 - admissionReviewVersions:

assets/admission-webhook/service-account.yaml

@@ -3,6 +3,7 @@ automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: prometheus-operator-admission-webhook
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.66.0

assets/admission-webhook/service.yaml

@@ -4,6 +4,7 @@ metadata:
   annotations:
     service.beta.openshift.io/serving-cert-secret-name: prometheus-operator-admission-webhook-tls
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: prometheus-operator-admission-webhook
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.66.0

assets/alertmanager-user-workload/alertmanager.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager-user-workload/cluster-role-binding.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-user-workload
 roleRef:
   apiGroup: rbac.authorization.k8s.io

assets/alertmanager-user-workload/cluster-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-user-workload
 rules:
 - apiGroups:

assets/alertmanager-user-workload/kube-rbac-proxy-metric-secret.yaml

@@ -3,7 +3,9 @@ data: {}
 kind: Secret
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-user-workload
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-kube-rbac-proxy-metric
   namespace: openshift-user-workload-monitoring
 stringData:

assets/alertmanager-user-workload/kube-rbac-proxy-tenancy-secret.yaml

@@ -2,7 +2,9 @@ apiVersion: v1
 kind: Secret
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-user-workload
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-kube-rbac-proxy-tenancy
   namespace: openshift-user-workload-monitoring
 stringData:

assets/alertmanager-user-workload/pod-disruption-budget.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager-user-workload/secret.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager-user-workload/service-account.yaml

@@ -5,6 +5,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager-user-workload/service-monitor.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager-user-workload/service.yaml

@@ -6,6 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: user-workload
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager-user-workload/trusted-ca-bundle.yaml

@@ -3,6 +3,8 @@ data: {}
 kind: ConfigMap
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
     config.openshift.io/inject-trusted-cabundle: "true"
   name: alertmanager-trusted-ca-bundle
   namespace: openshift-user-workload-monitoring

assets/alertmanager/alertmanager.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager/cluster-role-binding.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-main
 roleRef:
   apiGroup: rbac.authorization.k8s.io

assets/alertmanager/cluster-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-main
 rules:
 - apiGroups:

assets/alertmanager/kube-rbac-proxy-metric-secret.yaml

@@ -3,7 +3,9 @@ data: {}
 kind: Secret
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-main
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-kube-rbac-proxy-metric
   namespace: openshift-monitoring
 stringData:

assets/alertmanager/kube-rbac-proxy-secret.yaml

@@ -2,7 +2,9 @@ apiVersion: v1
 kind: Secret
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-main
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-kube-rbac-proxy
   namespace: openshift-monitoring
 stringData:

assets/alertmanager/pod-disruption-budget.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager/prometheus-rule.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager/proxy-secret.yaml

@@ -3,7 +3,9 @@ data: {}
 kind: Secret
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager-main
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-main-proxy
   namespace: openshift-monitoring
 type: Opaque

assets/alertmanager/route.yaml

@@ -1,6 +1,9 @@
 apiVersion: v1
 kind: Route
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alertmanager-main
   namespace: openshift-monitoring
 spec:

assets/alertmanager/secret.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager/service-account.yaml

@@ -7,6 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager/service-monitor.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager/service.yaml

@@ -6,6 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/component: alert-router
     app.kubernetes.io/instance: main
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/part-of: openshift-monitoring
     app.kubernetes.io/version: 0.25.0

assets/alertmanager/trusted-ca-bundle.yaml

@@ -3,6 +3,8 @@ data: {}
 kind: ConfigMap
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
     config.openshift.io/inject-trusted-cabundle: "true"
   name: alertmanager-trusted-ca-bundle
   namespace: openshift-monitoring

assets/cluster-monitoring-operator/alerting-edit-cluster-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: alert-routing-edit
 rules:
 - apiGroups:

assets/cluster-monitoring-operator/cluster-role-view.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: cluster-monitoring-view
 rules:
 - apiGroups:

assets/cluster-monitoring-operator/federate-client-certs.yaml

@@ -2,6 +2,9 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: federate-client-certs
   namespace: openshift-monitoring
 type: Opaque

assets/cluster-monitoring-operator/grpc-tls-secret.yaml

@@ -8,6 +8,9 @@ data:
   thanos-querier-client.key: ""
 kind: Secret
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: grpc-tls
   namespace: openshift-monitoring
 type: Opaque

assets/cluster-monitoring-operator/metrics-client-ca.yaml

@@ -2,5 +2,8 @@ apiVersion: v1
 data: {}
 kind: ConfigMap
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: metrics-client-ca
   namespace: openshift-monitoring

assets/cluster-monitoring-operator/metrics-client-certs.yaml

@@ -2,6 +2,9 @@ apiVersion: v1
 data: {}
 kind: Secret
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: metrics-client-certs
   namespace: openshift-monitoring
 type: Opaque

assets/cluster-monitoring-operator/monitoring-alertmanager-edit-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: monitoring-alertmanager-edit
   namespace: openshift-monitoring
 rules:

assets/cluster-monitoring-operator/monitoring-edit-cluster-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: monitoring-edit
 rules:
 - apiGroups:

assets/cluster-monitoring-operator/monitoring-rules-edit-cluster-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: monitoring-rules-edit
 rules:
 - apiGroups:

assets/cluster-monitoring-operator/monitoring-rules-view-cluster-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: monitoring-rules-view
 rules:
 - apiGroups:

assets/cluster-monitoring-operator/prometheus-rule.yaml

@@ -3,6 +3,7 @@ kind: PrometheusRule
 metadata:
   labels:
     app.kubernetes.io/component: operator
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: cluster-monitoring-operator
     app.kubernetes.io/part-of: openshift-monitoring
     prometheus: k8s

assets/cluster-monitoring-operator/service-monitor.yaml

@@ -2,7 +2,9 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
     app.kubernetes.io/name: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: cluster-monitoring-operator
   namespace: openshift-monitoring
 spec:

assets/cluster-monitoring-operator/user-workload-config-edit-role.yaml

@@ -1,6 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
   name: user-workload-monitoring-config-edit
   namespace: openshift-user-workload-monitoring
 rules: