Fix monitoring-view clusterrolebinding when using the oauth proxy gra…

…fana#1016 Signed-off-by: Israel Blancas <iblancasa@gmail.com>
iblancasa · Aug 26, 2024 · 71b180d · 71b180d
1 parent 7bdfce0
commit 71b180d
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -500,3 +500,5 @@ release-artifacts: set-image-controller ## Generate release artifacts
 	mkdir -p dist
 	$(KUSTOMIZE) build config/overlays/community -o dist/tempo-operator.yaml
 	$(KUSTOMIZE) build config/overlays/openshift -o dist/tempo-operator-openshift.yaml
+	echo "---" >> dist/tempo-operator-openshift.yaml
+	cat bundle/openshift/manifests/tempo-operator-manager-rolebinding-cluster-monitoring-view_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml >> dist/tempo-operator-openshift.yaml
diff --git a/internal/manifests/queryfrontend/query_frontend.go b/internal/manifests/queryfrontend/query_frontend.go
@@ -98,7 +98,7 @@ func BuildQueryFrontend(params manifestutils.Params) ([]client.Object, error) {
 
 	if tempo.Spec.Template.QueryFrontend.JaegerQuery.Enabled && tempo.Spec.Template.QueryFrontend.JaegerQuery.MonitorTab.Enabled &&
 		tempo.Spec.Template.QueryFrontend.JaegerQuery.MonitorTab.PrometheusEndpoint == thanosQuerierOpenShiftMonitoring {
-		clusterRoleBinding := openShiftMonitoringClusterRoleBinding(tempo)
+		clusterRoleBinding := openShiftMonitoringClusterRoleBinding(tempo, d)
 		manifests = append(manifests, &clusterRoleBinding)
 	}
 
@@ -362,7 +362,7 @@ func enableMonitoringTab(tempo v1alpha1.TempoStack, jaegerQueryContainer corev1.
 	return jaegerQueryContainer, nil
 }
 
-func openShiftMonitoringClusterRoleBinding(tempo v1alpha1.TempoStack) rbacv1.ClusterRoleBinding {
+func openShiftMonitoringClusterRoleBinding(tempo v1alpha1.TempoStack, d *appsv1.Deployment) rbacv1.ClusterRoleBinding {
 	labels := manifestutils.ComponentLabels(manifestutils.QueryFrontendComponentName, tempo.Name)
 	return rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
@@ -371,7 +371,7 @@ func openShiftMonitoringClusterRoleBinding(tempo v1alpha1.TempoStack) rbacv1.Clu
 		},
 		Subjects: []rbacv1.Subject{
 			{
-				Name:      naming.DefaultServiceAccountName(tempo.Name),
+				Name:      d.Spec.Template.Spec.ServiceAccountName,
 				Kind:      "ServiceAccount",
 				Namespace: tempo.Namespace,
 			},

diff --git a/internal/manifests/queryfrontend/query_frontend_test.go b/internal/manifests/queryfrontend/query_frontend_test.go
@@ -10,6 +10,7 @@ import (
 	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
@@ -604,8 +605,20 @@ func TestBuildQueryFrontendWithJaegerMonitorTab(t *testing.T) {
 					},
 				},
 			},
-			args: []string{"--query.base-path=/", "--grpc-storage-plugin.configuration-file=/conf/tempo-query.yaml", "--query.bearer-token-propagation=true", "--prometheus.query.support-spanmetrics-connector", "--prometheus.tls.enabled=true", "--prometheus.token-file=/var/run/secrets/kubernetes.io/serviceaccount/token", "--prometheus.token-override-from-context=false", "--prometheus.tls.ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"},
-			env:  []corev1.EnvVar{{Name: "METRICS_STORAGE_TYPE", Value: "prometheus"}, {Name: "PROMETHEUS_SERVER_URL", Value: "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091"}},
+			args: []string{
+				"--query.base-path=/",
+				"--grpc-storage-plugin.configuration-file=/conf/tempo-query.yaml",
+				"--query.bearer-token-propagation=true",
+				"--prometheus.query.support-spanmetrics-connector",
+				"--prometheus.tls.enabled=true",
+				"--prometheus.token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+				"--prometheus.token-override-from-context=false",
+				"--prometheus.tls.ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt",
+			},
+			env: []corev1.EnvVar{
+				{Name: "METRICS_STORAGE_TYPE", Value: "prometheus"},
+				{Name: "PROMETHEUS_SERVER_URL", Value: "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091"},
+			},
 		},
 	}
 
@@ -627,6 +640,9 @@ func TestBuildQueryFrontendWithJaegerMonitorTab(t *testing.T) {
 				assert.Equal(t, 4, len(objects))
 
 				assert.Equal(t, "tempo-simplest-cluster-monitoring-view", objects[3].GetName())
+				crb := objects[3].(*rbacv1.ClusterRoleBinding)
+				assert.Equal(t, crb.Subjects[0].Kind, "ServiceAccount")
+				assert.Equal(t, dep.Spec.Template.Spec.ServiceAccountName, crb.Subjects[0].Name)
 			}
 		})
 	}

diff --git a/tests/e2e-openshift/red-metrics/02-install-otel-collector.yaml b/tests/e2e-openshift/red-metrics/02-install-otel-collector.yaml
@@ -4,7 +4,7 @@ metadata:
   name: otel
 spec:
   mode: deployment
-  image: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:0.92.0
+  image: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:0.107.0
   observability:
     metrics:
       enableMetrics: true