Add missing ClusterRoles

The cluster-monitoring-operator is required for STF to install. It creates the required alertmanager-main and prometheus-k8s ClusterRoles. These are not present when usin CRC, so a workaround is needed. TODO: Add in check for the ClusterRoles instead of creating them unconditionally This is a workaround for not having cluster-monitoring-operator installed: #306
infrawatch · Aug 25, 2023 · f33780d · f33780d
1 parent 75084d4
commit f33780d
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 0 deletions.
diff --git a/roles/servicetelemetry/tasks/component_alertmanager.yml b/roles/servicetelemetry/tasks/component_alertmanager.yml
@@ -77,6 +77,37 @@
         annotations:
           serviceaccounts.openshift.io/oauth-redirectreference.alertmanager: '{{ alertmanager_oauth_redir_ref | to_json }}'
 
+# TODO: Add check for alertmanager-main ClusterRole
+#
+- name: Create the missing alertmanager-main ClusterRole
+  k8s:
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: alertmanager-main
+      rules:
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        - apiGroups:
+          - security.openshift.io
+          resourceNames:
+          - nonroot
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - use
+
 - name: Bind role
   k8s:
     definition:

diff --git a/roles/servicetelemetry/tasks/component_prometheus.yml b/roles/servicetelemetry/tasks/component_prometheus.yml
@@ -76,6 +76,53 @@
   when:
     - observability_strategy in ['use_redhat', 'use_hybrid']
 
+      #- name: Check for existing prometheus-k8s ClusterRole
+
+- name: Create the prometheus-k8s ClusterRole
+  k8s:
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: prometheus-k8s
+      rules:
+        - apiGroups:
+          - ""
+          resources:
+          - nodes/metrics
+          verbs:
+          - get
+        - nonResourceURLs:
+          - /metrics
+          verbs:
+          - get
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        - apiGroups:
+          - ""
+          resources:
+          - namespaces
+          verbs:
+          - get
+        - apiGroups:
+          - security.openshift.io
+          resourceNames:
+          - nonroot
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - use
+
 - name: Bind the local prometheus SA to prometheus cluster role (for oauth perms)
   k8s:
     definition: