create stub CR for KRP authorize access to Thanos Querier

openshift · Nov 7, 2023 · 6b96382 · 6b96382
1 parent 7bd2eaf
commit 6b96382
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 23 deletions.
diff --git a/assets/cluster-monitoring-operator/cluster-role-view.yaml b/assets/cluster-monitoring-operator/cluster-role-view.yaml
@@ -12,3 +12,11 @@ rules:
   - namespaces
   verbs:
   - get
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheuses/query
+  verbs:
+  - get
+  - create
+  - update
diff --git a/assets/thanos-querier/kube-rbac-proxy-web-secret.yaml b/assets/thanos-querier/kube-rbac-proxy-web-secret.yaml
@@ -11,15 +11,15 @@ stringData:
   config.yaml: |-
     "authorization":
       "resourceAttributes":
-        "apiGroup": ""
-        "resource": "namespaces"
+        "apiGroup": "monitoring.coreos.com"
+        "resource": "prometheuses"
+        "subresource": "query"
         "verbs":
         - "get"
+        - "create"
+        - "update"
       "static":
       - "resourceRequest": true
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
-      - "resourceRequest": true
-        "user":
-          "name": "system:serviceaccount:openshift-user-workload-monitoring:thanos-ruler"
 type: Opaque
diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet
@@ -330,11 +330,18 @@ function(params) {
     metadata: {
       name: 'cluster-monitoring-view',
     },
-    rules: [{
-      apiGroups: [''],
-      resources: ['namespaces'],
-      verbs: ['get'],
-    }],
+    rules: [
+      {
+        apiGroups: [''],
+        resources: ['namespaces'],
+        verbs: ['get'],
+      },
+      {
+        apiGroups: ['monitoring.coreos.com'],
+        resources: ['prometheuses/query'],
+        verbs: ['get', 'create', 'update'],
+      },
+    ],
   },
 
   // This role enables read/write access to the platform Alertmanager API through OAuth proxy.

diff --git a/jsonnet/components/thanos-querier.libsonnet b/jsonnet/components/thanos-querier.libsonnet
@@ -156,12 +156,12 @@ function(params)
       stringData: {
         'config.yaml': std.manifestYamlDoc({
           authorization: {
-            resourceAttributes:
-              {
-                apiGroup: '',
-                resource: 'namespaces',
-                verbs: ['get'],
-              },
+            resourceAttributes: {
+              apiGroup: 'monitoring.coreos.com',
+              resource: 'prometheuses',
+              subresource: 'query',
+              verbs: ['get', 'create', 'update'],
+            },
             static: [
               {
                 // allow prometheus-k8s to get/post queries from/to thanos querier
@@ -170,13 +170,6 @@ function(params)
                 },
                 resourceRequest: true,
               },
-              {
-                // allow thanos ruler to get/post queries from/to thanos querier
-                user: {
-                  name: 'system:serviceaccount:openshift-user-workload-monitoring:thanos-ruler',
-                },
-                resourceRequest: true,
-              },
             ],
           },
         }),
@@ -658,4 +651,5 @@ function(params)
 
       },
     },
+
   }
diff --git a/manifests/0000_50_cluster-monitoring-operator_02-role.yaml b/manifests/0000_50_cluster-monitoring-operator_02-role.yaml
@@ -199,6 +199,14 @@ rules:
   - namespaces
   verbs:
   - get
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheuses/query
+  verbs:
+  - get
+  - create
+  - update
 - apiGroups:
   - ""
   resourceNames: