
Commit 0ff844d

committed
MK8S-140 - Always create two Role and RoleBinding ServiceAccount for Prometheus and Alertmanager
1 parent 2afe2ef commit 0ff844d

3 files changed

+92
-22
lines changed


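--- a/salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-alertmanager.sls
+++ b/salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-alertmanager.sls
@@ -42,7 +42,7 @@ Create oauth2-proxy-alertmanager Deployment:
 labels:
 app: oauth2-proxy-alertmanager
 spec:
-serviceAccountName: oidc-proxy
+serviceAccountName: oidc-proxy-alertmanager
 {%- if ca_configured %}
 initContainers:
 - name: k8s-sidecar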

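--- a/salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-prometheus.sls
+++ b/salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-prometheus.sls
@@ -42,7 +42,7 @@ Create oauth2-proxy-prometheus Deployment:
 labels:
 app: oauth2-proxy-prometheus
 spec:
-serviceAccountName: oidc-proxy
+serviceAccountName: oidc-proxy-prometheus
 {%- if ca_configured %}
 initContainers:
 - name: k8s-sidecar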

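--- a/salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-rbac.sls
+++ b/salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-rbac.sls
@@ -23,50 +23,120 @@
 {%- set prometheus_oidc_enabled = prometheus.spec.config.get('enable_oidc_authentication', False) %}
 {%- set alertmanager_oidc_enabled = alertmanager.spec.get('config', {}).get('enable_oidc_authentication', False) %}
 
-{%- set oidc_enabled = prometheus_oidc_enabled or alertmanager_oidc_enabled %}
+{%- set prometheus_ca_namespace = prometheus.spec.config.get('oidc', {}).get('caSecret', {}).get('namespace', '') %}
+{%- set alertmanager_ca_namespace = alertmanager.spec.get('config', {}).get('oidc', {}).get('caSecret', {}).get('namespace', '') %}
+
+{%- if prometheus_oidc_enabled %}
+
+Create oidc-proxy-prometheus ServiceAccount:
+metalk8s_kubernetes.object_present:
+- manifest:
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: oidc-proxy-prometheus
+namespace: metalk8s-monitoring
+
+{%- if prometheus_ca_namespace %}
+
+Create oidc-proxy-secret-reader Role in {{ prometheus_ca_namespace }} for Prometheus:
+metalk8s_kubernetes.object_present:
+- manifest:
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: oidc-proxy-secret-reader
+namespace: {{ prometheus_ca_namespace }}
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "list", "watch"]
+
+Create oidc-proxy-secret-reader-binding RoleBinding in {{ prometheus_ca_namespace }} for Prometheus:
+metalk8s_kubernetes.object_present:
+- manifest:
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: oidc-proxy-secret-reader-binding
+namespace: {{ prometheus_ca_namespace }}
+subjects:
+- kind: ServiceAccount
+name: oidc-proxy-prometheus
+namespace: metalk8s-monitoring
+roleRef:
+kind: Role
+name: oidc-proxy-secret-reader
+apiGroup: rbac.authorization.k8s.io
+
+{%- endif %}
+
+{%- else %}
+
+Ensure oidc-proxy-prometheus ServiceAccount does not exist:
+metalk8s_kubernetes.object_absent:
+- name: oidc-proxy-prometheus
+- namespace: metalk8s-monitoring
+- kind: ServiceAccount
+- apiVersion: v1
+
+{%- if prometheus_ca_namespace %}
+
+Ensure oidc-proxy-secret-reader Role does not exist in {{ prometheus_ca_namespace }}:
+metalk8s_kubernetes.object_absent:
+- name: oidc-proxy-secret-reader
+- namespace: {{ prometheus_ca_namespace }}
+- kind: Role
+- apiVersion: rbac.authorization.k8s.io/v1
+
+Ensure oidc-proxy-secret-reader-binding RoleBinding does not exist in {{ prometheus_ca_namespace }}:
+metalk8s_kubernetes.object_absent:
+- name: oidc-proxy-secret-reader-binding
+- namespace: {{ prometheus_ca_namespace }}
+- kind: RoleBinding
+- apiVersion: rbac.authorization.k8s.io/v1
+
+{%- endif %}
 
-{%- set oidc_ca_namespace = prometheus.spec.config.get('oidc', {}).get('caSecret', {}).get('namespace', '') %}
-{%- if not oidc_ca_namespace %}
-{%- set oidc_ca_namespace = alertmanager.spec.get('config', {}).get('oidc', {}).get('caSecret', {}).get('namespace', '') %}
 {%- endif %}
 
-{%- if oidc_enabled %}
+{%- if alertmanager_oidc_enabled %}
 
-Create oidc-proxy ServiceAccount:
+Create oidc-proxy-alertmanager ServiceAccount:
 metalk8s_kubernetes.object_present:
 - manifest:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-name: oidc-proxy
+name: oidc-proxy-alertmanager
 namespace: metalk8s-monitoring
 
-{%- if oidc_ca_namespace %}
+{%- if alertmanager_ca_namespace %}
 
-Create oidc-proxy-secret-reader Role in {{ oidc_ca_namespace }}:
+Create oidc-proxy-secret-reader Role in {{ alertmanager_ca_namespace }} for Alertmanager:
 metalk8s_kubernetes.object_present:
 - manifest:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: oidc-proxy-secret-reader
-namespace: {{ oidc_ca_namespace }}
+namespace: {{ alertmanager_ca_namespace }}
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get", "list", "watch"]
 
-Create oidc-proxy-secret-reader-binding RoleBinding in {{ oidc_ca_namespace }}:
+Create oidc-proxy-secret-reader-binding RoleBinding in {{ alertmanager_ca_namespace }} for Alertmanager:
 metalk8s_kubernetes.object_present:
 - manifest:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: oidc-proxy-secret-reader-binding
-namespace: {{ oidc_ca_namespace }}
+namespace: {{ alertmanager_ca_namespace }}
 subjects:
 - kind: ServiceAccount
-name: oidc-proxy
+name: oidc-proxy-alertmanager
 namespace: metalk8s-monitoring
 roleRef:
 kind: Role
@@ -77,26 +147,26 @@ Create oidc-proxy-secret-reader-binding RoleBinding in {{ oidc_ca_namespace }}:
 
 {%- else %}
 
-Ensure oidc-proxy ServiceAccount does not exist:
+Ensure oidc-proxy-alertmanager ServiceAccount does not exist:
 metalk8s_kubernetes.object_absent:
-- name: oidc-proxy
+- name: oidc-proxy-alertmanager
 - namespace: metalk8s-monitoring
 - kind: ServiceAccount
 - apiVersion: v1
 
-{%- if oidc_ca_namespace %}
+{%- if alertmanager_ca_namespace %}
 
-Ensure oidc-proxy-secret-reader Role does not exist:
+Ensure oidc-proxy-secret-reader Role does not exist in {{ alertmanager_ca_namespace }}:
 metalk8s_kubernetes.object_absent:
 - name: oidc-proxy-secret-reader
-- namespace: {{ oidc_ca_namespace }}
+- namespace: {{ alertmanager_ca_namespace }}
 - kind: Role
 - apiVersion: rbac.authorization.k8s.io/v1
 
-Ensure oidc-proxy-secret-reader-binding RoleBinding does not exist:
+Ensure oidc-proxy-secret-reader-binding RoleBinding does not exist in {{ alertmanager_ca_namespace }}:
 metalk8s_kubernetes.object_absent:
 - name: oidc-proxy-secret-reader-binding
-- namespace: {{ oidc_ca_namespace }}
+- namespace: {{ alertmanager_ca_namespace }}
 - kind: RoleBinding
 - apiVersion: rbac.authorization.k8s.io/v1
 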
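Review bot: The Prometheus and Alertmanager blocks in the first hunk create a Role and a RoleBinding with identical names, `oidc-proxy-secret-reader` and `oidc-proxy-secret-reader-binding`, so whenever `prometheus_ca_namespace` and `alertmanager_ca_namespace` resolve to the same namespace the two `object_present` states manage one RoleBinding whose `subjects` alternately name `oidc-proxy-prometheus` and `oidc-proxy-alertmanager`, and only the last one applied keeps access to the CA secret; worse, with Prometheus OIDC enabled and Alertmanager's disabled, the Alertmanager `object_absent` states for those same names (second hunk) presumably run after the Prometheus states and delete the Role and RoleBinding that were just created. Naming the objects per consumer removes the collision: in the Prometheus block use `name: oidc-proxy-prometheus-secret-reader` in the Role metadata and in `roleRef`, and `name: oidc-proxy-prometheus-secret-reader-binding` for the RoleBinding, applying the same names in its `object_absent` states and the mirrored `oidc-proxy-alertmanager-*` names in the Alertmanager block. The `rules` also grant `get`/`list`/`watch` on every Secret in the CA namespace; if the CA secret name is available from the `caSecret` config, a `resourceNames` restriction would keep each proxy ServiceAccount from reading unrelated secrets there, subject to the k8s-sidecar's `list`/`watch` needs, which I cannot confirm from this diff. Nothing in the commit removes the former `oidc-proxy` ServiceAccount, so on an upgraded deployment it will linger in `metalk8s-monitoring` with no binding once these states rename the subjects.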