From e7cf41ad23960f23c03a553f62f5d710054ede23 Mon Sep 17 00:00:00 2001 From: Dileep Ranganathan Date: Thu, 13 Jun 2019 00:26:10 -0700 Subject: [PATCH] Add RBAC for prometheus instance Fixed issue of prometheus throwing unauthorized rbac error. Change-Id: I984bf637bf464803c35bfb32bf09b2974fec9053 Issue-ID: ONAPARC-506 Signed-off-by: Dileep Ranganathan --- .../charts/prometheus/templates/_helpers.tpl | 12 +++++++++++- .../charts/prometheus/templates/prometheus.yaml | 1 + .../charts/prometheus/templates/role.yaml | 21 +++++++++++++++++++++ .../charts/prometheus/templates/rolebinding.yaml | 17 +++++++++++++++++ .../charts/prometheus/templates/serviceaccount.yaml | 11 +++++++++++ .../deploy/collection/charts/prometheus/values.yaml | 3 +++ 6 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 vnfs/DAaaS/deploy/collection/charts/prometheus/templates/role.yaml create mode 100644 vnfs/DAaaS/deploy/collection/charts/prometheus/templates/rolebinding.yaml create mode 100644 vnfs/DAaaS/deploy/collection/charts/prometheus/templates/serviceaccount.yaml diff --git a/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/_helpers.tpl b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/_helpers.tpl index 1ac77dd8..17b7e7bd 100644 --- a/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/_helpers.tpl +++ b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/_helpers.tpl @@ -44,4 +44,14 @@ heritage: {{ .Release.Service | quote }} {{- if .Values.commonLabels}} {{ toYaml .Values.commonLabels }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + + +{{/* Create the name of prometheus service account to use */}} +{{- define "prometheus.serviceAccountName" -}} +{{- if .Values.prometheus.serviceAccount.create -}} + {{ default (include "prometheus.fullname" .) .Values.prometheus.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.prometheus.serviceAccount.name }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/prometheus.yaml b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/prometheus.yaml index 9c3d84c2..27c97d10 100644 --- a/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/prometheus.yaml +++ b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/prometheus.yaml @@ -7,6 +7,7 @@ metadata: "helm.sh/hook": post-install "helm.sh/hook-weight": "2" spec: + serviceAccountName: {{ template "prometheus.serviceAccountName" . }} serviceMonitorSelector: matchLabels: app: {{ template "prometheus.name" . }}-prometheus diff --git a/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/role.yaml b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/role.yaml new file mode 100644 index 00000000..dfb932d8 --- /dev/null +++ b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/role.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "prometheus.fullname" . }}-prometheus + labels: + app: {{ template "prometheus.name" . }}-prometheus +{{ include "prometheus.labels" . | indent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + - services + - endpoints + - pods + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/rolebinding.yaml b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/rolebinding.yaml new file mode 100644 index 00000000..04932ee1 --- /dev/null +++ b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/rolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "prometheus.fullname" . }}-prometheus + labels: + app: {{ template "prometheus.name" . }}-prometheus +{{ include "prometheus.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "prometheus.fullname" . }}-prometheus +subjects: +- kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/serviceaccount.yaml b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/serviceaccount.yaml new file mode 100644 index 00000000..82437523 --- /dev/null +++ b/vnfs/DAaaS/deploy/collection/charts/prometheus/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if .Values.prometheus.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "prometheus.serviceAccountName" . }} + labels: + app: {{ template "prometheus.name" . }}-prometheus +{{ include "prometheus.labels" . | indent 4 }} +imagePullSecrets: +{{ toYaml .Values.global.imagePullSecrets | indent 2 }} +{{- end }} diff --git a/vnfs/DAaaS/deploy/collection/charts/prometheus/values.yaml b/vnfs/DAaaS/deploy/collection/charts/prometheus/values.yaml index 4398f52f..f0c11921 100644 --- a/vnfs/DAaaS/deploy/collection/charts/prometheus/values.yaml +++ b/vnfs/DAaaS/deploy/collection/charts/prometheus/values.yaml @@ -1,6 +1,9 @@ ## Deploy a Prometheus instance ## prometheus: + serviceAccount: + create: true + name: "" additionalServiceMonitors: - name: service-monitor-collectd additionalLabels: -- 2.16.6