monitoring: add missing RBAC manifests (#1259)

Signed-off-by: Mat Kowalski <[email protected]>
nmstate · Aug 8, 2024 · 5476488 · 5476488
1 parent 085e77d
commit 5476488
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 25 deletions.
diff --git a/Makefile b/Makefile
@@ -163,7 +163,7 @@ check-bundle: bundle
 generate: gen-k8s gen-crds gen-rbac
 
 manifests:
-	GOFLAGS=-mod=mod go run hack/render-manifests.go -handler-prefix=$(HANDLER_PREFIX) -handler-namespace=$(HANDLER_NAMESPACE) -operator-namespace=$(OPERATOR_NAMESPACE) -handler-image=$(HANDLER_IMAGE) -operator-image=$(OPERATOR_IMAGE) -handler-pull-policy=$(HANDLER_PULL_POLICY) -kube-rbac-proxy-image=$(KUBE_RBAC_PROXY_IMAGE) -operator-pull-policy=$(OPERATOR_PULL_POLICY) -input-dir=deploy/ -output-dir=$(MANIFESTS_DIR)
+	GOFLAGS=-mod=mod go run hack/render-manifests.go -handler-prefix=$(HANDLER_PREFIX) -handler-namespace=$(HANDLER_NAMESPACE) -operator-namespace=$(OPERATOR_NAMESPACE) -handler-image=$(HANDLER_IMAGE) -operator-image=$(OPERATOR_IMAGE) -handler-pull-policy=$(HANDLER_PULL_POLICY) -monitoring-namespace=$(MONITORING_NAMESPACE) -kube-rbac-proxy-image=$(KUBE_RBAC_PROXY_IMAGE) -operator-pull-policy=$(OPERATOR_PULL_POLICY) -input-dir=deploy/ -output-dir=$(MANIFESTS_DIR)
 
 handler: SKIP_PUSH=true
 handler: push-handler

diff --git a/bundle/manifests/kubernetes-nmstate-operator.clusterserviceversion.yaml b/bundle/manifests/kubernetes-nmstate-operator.clusterserviceversion.yaml
@@ -256,6 +256,8 @@ spec:
                   value: Always
                 - name: HANDLER_NAMESPACE
                   value: nmstate
+                - name: MONITORING_NAMESPACE
+                  value: monitoring
                 - name: KUBE_RBAC_PROXY_IMAGE
                   value: quay.io/openshift/origin-kube-rbac-proxy:4.10.0
                 image: quay.io/nmstate/kubernetes-nmstate-operator:latest

diff --git a/controllers/operator/nmstate_controller.go b/controllers/operator/nmstate_controller.go
@@ -299,6 +299,7 @@ func (r *NMStateReconciler) applyHandler(instance *nmstatev1.NMState) error {
 	data.Data["HandlerImage"] = os.Getenv("RELATED_IMAGE_HANDLER_IMAGE")
 	data.Data["HandlerPullPolicy"] = os.Getenv("HANDLER_IMAGE_PULL_POLICY")
 	data.Data["HandlerPrefix"] = os.Getenv("HANDLER_PREFIX")
+	data.Data["MonitoringNamespace"] = os.Getenv("MONITORING_NAMESPACE")
 	data.Data["KubeRBACProxyImage"] = os.Getenv("KUBE_RBAC_PROXY_IMAGE")
 	data.Data["InfraNodeSelector"] = archAndCRInfraNodeSelector
 	data.Data["InfraTolerations"] = infraTolerations

diff --git a/controllers/operator/nmstate_controller_test.go b/controllers/operator/nmstate_controller_test.go
@@ -73,14 +73,15 @@ var _ = Describe("NMState controller reconcile", func() {
 				UID:  "12345",
 			},
 		}
-		handlerPrefix      = "handler"
-		handlerNamespace   = "nmstate"
-		handlerKey         = types.NamespacedName{Namespace: handlerNamespace, Name: handlerPrefix + "-nmstate-handler"}
-		webhookKey         = types.NamespacedName{Namespace: handlerNamespace, Name: handlerPrefix + "-nmstate-webhook"}
-		handlerImage       = "quay.io/some_image"
-		kubeRBACProxyImage = "quay.io/some_kube_rbac_proxy_image"
-		imagePullPolicy    = "Always"
-		manifestsDir       = ""
+		handlerPrefix       = "handler"
+		handlerNamespace    = "nmstate"
+		handlerKey          = types.NamespacedName{Namespace: handlerNamespace, Name: handlerPrefix + "-nmstate-handler"}
+		webhookKey          = types.NamespacedName{Namespace: handlerNamespace, Name: handlerPrefix + "-nmstate-webhook"}
+		handlerImage        = "quay.io/some_image"
+		monitoringNamespace = "monitoring"
+		kubeRBACProxyImage  = "quay.io/some_kube_rbac_proxy_image"
+		imagePullPolicy     = "Always"
+		manifestsDir        = ""
 	)
 	BeforeEach(func() {
 		var err error
@@ -106,6 +107,7 @@ var _ = Describe("NMState controller reconcile", func() {
 		os.Setenv("RELATED_IMAGE_HANDLER_IMAGE", handlerImage)
 		os.Setenv("HANDLER_IMAGE_PULL_POLICY", imagePullPolicy)
 		os.Setenv("HANDLER_PREFIX", handlerPrefix)
+		os.Setenv("MONITORING_NAMESPACE", monitoringNamespace)
 		os.Setenv("KUBE_RBAC_PROXY_IMAGE", kubeRBACProxyImage)
 	})
 	AfterEach(func() {

diff --git a/deploy/handler/operator.yaml b/deploy/handler/operator.yaml
@@ -523,3 +523,34 @@ spec:
   selector:
     matchLabels:
       prometheus.nmstate.io: "true"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: {{ .HandlerNamespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: {{ .HandlerNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: {{ .MonitoringNamespace }}
diff --git a/deploy/operator/operator.yaml b/deploy/operator/operator.yaml
@@ -78,5 +78,7 @@ spec:
               value: {{ .HandlerPullPolicy }}
             - name: HANDLER_NAMESPACE
               value: {{ .HandlerNamespace }}
+            - name: MONITORING_NAMESPACE
+              value: {{ .MonitoringNamespace }}
             - name: KUBE_RBAC_PROXY_IMAGE
               value: {{ .KubeRBACProxyImage }}
diff --git a/hack/render-manifests.go b/hack/render-manifests.go
@@ -34,14 +34,15 @@ func exitWithError(err error, cause string, args ...interface{}) {
 
 func main() {
 	type Inventory struct {
-		HandlerNamespace   string
-		HandlerImage       string
-		HandlerPullPolicy  string
-		HandlerPrefix      string
-		OperatorNamespace  string
-		OperatorImage      string
-		OperatorPullPolicy string
-		KubeRBACProxyImage string
+		HandlerNamespace    string
+		HandlerImage        string
+		HandlerPullPolicy   string
+		HandlerPrefix       string
+		OperatorNamespace   string
+		OperatorImage       string
+		OperatorPullPolicy  string
+		MonitoringNamespace string
+		KubeRBACProxyImage  string
 	}
 
 	handlerNamespace := flag.String("handler-namespace", "nmstate", "Namespace for the NMState handler")
@@ -51,20 +52,22 @@ func main() {
 	operatorNamespace := flag.String("operator-namespace", "nmstate-operator", "Namespace for the NMState operator")
 	operatorImage := flag.String("operator-image", "", "Image for the NMState operator")
 	operatorPullPolicy := flag.String("operator-pull-policy", "Always", "Pull policy for the NMState operator image")
+	monitoringNamespace := flag.String("monitoring-namespace", "monitoring", "Namespace for the cluster monitoring")
 	kubeRBACProxyImage := flag.String("kube-rbac-proxy-image", "", "Image for the kube RBAC proxy needed for metrics")
 	inputDir := flag.String("input-dir", "", "Input directory")
 	outputDir := flag.String("output-dir", "", "Output directory")
 	flag.Parse()
 
 	inventory := Inventory{
-		HandlerNamespace:   *handlerNamespace,
-		HandlerImage:       *handlerImage,
-		HandlerPullPolicy:  *handlerPullPolicy,
-		HandlerPrefix:      *handlerPrefix,
-		OperatorNamespace:  *operatorNamespace,
-		OperatorImage:      *operatorImage,
-		OperatorPullPolicy: *operatorPullPolicy,
-		KubeRBACProxyImage: *kubeRBACProxyImage,
+		HandlerNamespace:    *handlerNamespace,
+		HandlerImage:        *handlerImage,
+		HandlerPullPolicy:   *handlerPullPolicy,
+		HandlerPrefix:       *handlerPrefix,
+		OperatorNamespace:   *operatorNamespace,
+		OperatorImage:       *operatorImage,
+		OperatorPullPolicy:  *operatorPullPolicy,
+		MonitoringNamespace: *monitoringNamespace,
+		KubeRBACProxyImage:  *kubeRBACProxyImage,
 	}
 
 	// Clean up output dir so we don't have old files.