create stub CR for KRP authorize access to Thanos Querier

openshift · Nov 3, 2023 · bd85d0f · bd85d0f
1 parent 7bd2eaf
commit bd85d0f
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 20 deletions.
diff --git a/assets/cluster-monitoring-operator/cluster-role-view.yaml b/assets/cluster-monitoring-operator/cluster-role-view.yaml
@@ -12,3 +12,10 @@ rules:
   - namespaces
   verbs:
   - get
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - thanosqueryrequests
+  verbs:
+  - create
+  - get
diff --git a/assets/thanos-querier/kube-rbac-proxy-web-secret.yaml b/assets/thanos-querier/kube-rbac-proxy-web-secret.yaml
@@ -11,15 +11,13 @@ stringData:
   config.yaml: |-
     "authorization":
       "resourceAttributes":
-        "apiGroup": ""
-        "resource": "namespaces"
+        "apiGroup": "monitoring.coreos.com"
+        "resource": "thanosqueryrequests"
         "verbs":
+        - "create"
         - "get"
       "static":
       - "resourceRequest": true
         "user":
           "name": "system:serviceaccount:openshift-monitoring:prometheus-k8s"
-      - "resourceRequest": true
-        "user":
-          "name": "system:serviceaccount:openshift-user-workload-monitoring:thanos-ruler"
 type: Opaque
diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet
@@ -22,6 +22,7 @@ function(params) {
 
   '0alertingrulesCustomResourceDefinition': import './../crds/alertingrules-custom-resource-definition.json',
   '0alertrelabelconfigsCustomResourceDefinition': import './../crds/alertrelabelconfigs-custom-resource-definition.json',
+  '0thanosqueryrequestsCustomResourceDefinition': import './../crds/thanosqueryrequests-custom-resource-definition.json',
 
   prometheusRule: {
     apiVersion: 'monitoring.coreos.com/v1',
@@ -330,11 +331,18 @@ function(params) {
     metadata: {
       name: 'cluster-monitoring-view',
     },
-    rules: [{
-      apiGroups: [''],
-      resources: ['namespaces'],
-      verbs: ['get'],
-    }],
+    rules: [
+      {
+        apiGroups: [''],
+        resources: ['namespaces'],
+        verbs: ['get'],
+      },
+      {
+        apiGroups: ['monitoring.coreos.com'],
+        resources: ['thanosqueryrequests'],
+        verbs: ['create', 'get'],
+      },
+    ],
   },
 
   // This role enables read/write access to the platform Alertmanager API through OAuth proxy.

diff --git a/jsonnet/components/thanos-querier.libsonnet b/jsonnet/components/thanos-querier.libsonnet
@@ -158,9 +158,9 @@ function(params)
           authorization: {
             resourceAttributes:
               {
-                apiGroup: '',
-                resource: 'namespaces',
-                verbs: ['get'],
+                apiGroup: 'monitoring.coreos.com',
+                resource: 'thanosqueryrequests',
+                verbs: ['create', 'get'],
               },
             static: [
               {
@@ -170,13 +170,6 @@ function(params)
                 },
                 resourceRequest: true,
               },
-              {
-                // allow thanos ruler to get/post queries from/to thanos querier
-                user: {
-                  name: 'system:serviceaccount:openshift-user-workload-monitoring:thanos-ruler',
-                },
-                resourceRequest: true,
-              },
             ],
           },
         }),
@@ -658,4 +651,5 @@ function(params)
 
       },
     },
+
   }
diff --git a/jsonnet/crds/thanosqueryrequests-custom-resource-definition.json b/jsonnet/crds/thanosqueryrequests-custom-resource-definition.json
@@ -0,0 +1,24 @@
+{
+    "apiVersion": "apiextensions.k8s.io/v1",
+    "kind": "CustomResourceDefinition",
+    "metadata": {
+        "name": "thanosqueryrequests.monitoring.coreos.com"
+    },
+    "spec": {
+        "group": "monitoring.coreos.com",
+        "names": {
+            "kind": "ThanosQueryRequest",
+            "listKind": "ThanosQueryRequestList",
+            "plural": "thanosqueryrequests",
+            "singular": "thanosqueryrequest"
+        },
+        "scope": "Namespaced",
+        "versions": [
+            {
+                "name": "v1alpha1",
+                "served": true,
+                "storage": true
+            }
+        ]
+    }
+}
diff --git a/...00_50_cluster-monitoring-operator_00_0thanosqueryrequests-custom-resource-definition.yaml b/...00_50_cluster-monitoring-operator_00_0thanosqueryrequests-custom-resource-definition.yaml
@@ -0,0 +1,23 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  labels:
+    app.kubernetes.io/managed-by: cluster-version-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: thanosqueryrequests.monitoring.coreos.com
+spec:
+  group: monitoring.coreos.com
+  names:
+    kind: ThanosQueryRequest
+    listKind: ThanosQueryRequestList
+    plural: thanosqueryrequests
+    singular: thanosqueryrequest
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
diff --git a/manifests/0000_50_cluster-monitoring-operator_02-role.yaml b/manifests/0000_50_cluster-monitoring-operator_02-role.yaml
@@ -199,6 +199,13 @@ rules:
   - namespaces
   verbs:
   - get
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - thanosqueryrequests
+  verbs:
+  - create
+  - get
 - apiGroups:
   - ""
   resourceNames: