Merge pull request #70 from appuio/fix/maintenance-silence-rbac

HappyTetrahedron · web-flow · commit 4f348bea911c · 2024-10-29T11:43:11.000+01:00
Update RBAC for maintenance silence job to be compatible with OpenShift 4.16
diff --git a/component/silence.libsonnet b/component/silence.libsonnet
@@ -20,6 +20,20 @@ local sa = kube.ServiceAccount('maintenance-silence') + namespace {
   automountServiceAccountToken: true,
 };
 
+local cr = kube.ClusterRole('maintenance-silence-alertmanager-api') + namespace {
+  rules: [
+    {
+      apiGroups: [ 'monitoring.coreos.com' ],
+      resources: [
+        'alertmanagers/api',
+      ],
+      verbs: [
+        'get',
+      ],
+    },
+  ],
+};
+
 local crb = kube.ClusterRoleBinding('maintenance-silence') + namespace {
   roleRef: {
     apiGroup: 'rbac.authorization.k8s.io',
@@ -35,6 +49,21 @@ local crb = kube.ClusterRoleBinding('maintenance-silence') + namespace {
   ],
 };
 
+local crb2 = kube.ClusterRoleBinding('maintenance-silence-alertmanager-api') + namespace {
+  roleRef: {
+    apiGroup: 'rbac.authorization.k8s.io',
+    kind: 'ClusterRole',
+    name: 'maintenance-silence-alertmanager-api',
+  },
+  subjects: [
+    {
+      kind: 'ServiceAccount',
+      name: sa.metadata.name,
+      namespace: sa.metadata.namespace,
+    },
+  ],
+};
+
 local cm = kube.ConfigMap('maintenance-silence') + namespace {
   data: {
     silence: importstr './scripts/silence.sh',
@@ -117,6 +146,6 @@ local ujh = kube._Object('managedupgrade.appuio.io/v1beta1', 'UpgradeJobHook', '
 } + com.makeMergeable(params.upgrade_silence.additional_job_configuration);
 
 if enabled then
-  [ sa, crb, cm, certcm, ujh ]
+  [ sa, cr, crb, crb2, cm, certcm, ujh ]
 else
   {}
diff --git a/tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/90_upgrade_silence.yaml b/tests/golden/defaults/openshift-upgrade-controller/openshift-upgrade-controller/90_upgrade_silence.yaml
@@ -9,6 +9,22 @@ metadata:
   namespace: appuio-openshift-upgrade-controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: maintenance-silence-alertmanager-api
+  name: maintenance-silence-alertmanager-api
+  namespace: appuio-openshift-upgrade-controller
+rules:
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - alertmanagers/api
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations: {}
@@ -25,6 +41,23 @@ subjects:
     name: maintenance-silence
     namespace: appuio-openshift-upgrade-controller
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: maintenance-silence-alertmanager-api
+  name: maintenance-silence-alertmanager-api
+  namespace: appuio-openshift-upgrade-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: maintenance-silence-alertmanager-api
+subjects:
+  - kind: ServiceAccount
+    name: maintenance-silence
+    namespace: appuio-openshift-upgrade-controller
+---
 apiVersion: v1
 data:
   silence: |
