From 079782a0963c1195de8e9f0463f2ff58048f5356 Mon Sep 17 00:00:00 2001 From: Blaine Gardner Date: Fri, 10 Dec 2021 10:10:45 -0700 Subject: [PATCH] helm: add optional monitoring RBAC to operator chart An older version of the Helm chart always installed RBAC permissions for enabling monitoring. In an effort to reduce the privileges Rook uses by default, they were removed. We need to still include the monitoring RBAC optionally since the change could break some users. Signed-off-by: Blaine Gardner --- Documentation/ceph-upgrade.md | 3 +++ Documentation/helm-operator.md | 1 + deploy/charts/rook-ceph/templates/cluster-rbac.yaml | 5 +++++ deploy/charts/rook-ceph/values.yaml | 5 +++++ 4 files changed, 14 insertions(+) diff --git a/Documentation/ceph-upgrade.md b/Documentation/ceph-upgrade.md index 176e34c0aa08c..ae2d2537ebe0d 100644 --- a/Documentation/ceph-upgrade.md +++ b/Documentation/ceph-upgrade.md @@ -319,6 +319,9 @@ step to upgrade the Prometheus RBAC resources as well. kubectl apply -f deploy/examples/monitoring/rbac.yaml ``` +Or, if you use only the `rook-ceph` operator Helm chart, you should also add `monitoring.enabled` to +your Helm values. + ### **2. Update Ceph CSI versions** > Automatically updated if you are upgrading via the helm chart diff --git a/Documentation/helm-operator.md b/Documentation/helm-operator.md index 5e69ab793db54..a11506884866e 100644 --- a/Documentation/helm-operator.md +++ b/Documentation/helm-operator.md 
@@ -148,6 +148,7 @@ The following tables lists the configurable parameters of the rook-operator char | `admissionController.tolerations` | Array of tolerations in YAML format which will be added to admission controller deployment. | | | `admissionController.nodeAffinity` | The node labels for affinity of the admission controller deployment (***) | | | `allowMultipleFilesystems` | **(experimental in Octopus (v15))** Allows multiple filesystems to be deployed to a Ceph cluster. | `false` | +| `monitoring.enabled` | Create necessary RBAC rules for Rook to integrate with prometheus monitoring. Requires Prometheus to be pre-installed. | `false` | * * * `nodeAffinity` and `*NodeAffinity` options should have the format `"role=storage,rook; storage=ceph"` or `storage=;role=rook-example` or `storage=;` (_checks only for presence of key_) diff --git a/deploy/charts/rook-ceph/templates/cluster-rbac.yaml b/deploy/charts/rook-ceph/templates/cluster-rbac.yaml index 1662fb121b152..6b844013a22fd 100644 --- a/deploy/charts/rook-ceph/templates/cluster-rbac.yaml +++ b/deploy/charts/rook-ceph/templates/cluster-rbac.yaml @@ -26,6 +26,11 @@ roles --- {{ include "library.cluster.roles" . }} +{{- if .Values.monitoring.enabled }} +--- +{{ include "library.cluster.monitoring.roles" . }} +{{- end }} + {{/* rolebindings */}} diff --git a/deploy/charts/rook-ceph/values.yaml b/deploy/charts/rook-ceph/values.yaml index bca7cfdec08be..80d42d088409d 100644 --- a/deploy/charts/rook-ceph/values.yaml +++ b/deploy/charts/rook-ceph/values.yaml @@ -353,3 +353,8 @@ admissionController: # operator: Exists # effect: NoSchedule # nodeAffinity: key1=value1,value2; key2=value3 + +monitoring: + # requires Prometheus to be pre-installed + # enabling will also create RBAC rules to allow Operator to create ServiceMonitors + enabled: false
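Review bot: In the `Documentation/ceph-upgrade.md` hunk, the added sentence tells users to "add `monitoring.enabled`" without giving a value, and the `values.yaml` default in this same patch is `false`, so a reader who copies the key name alone has nothing to set. Spell it out as `monitoring.enabled: true`. The "Or, ... you should also add" phrasing is also ambiguous about whether the Helm value replaces the `kubectl apply -f deploy/examples/monitoring/rbac.yaml` step just above or is needed in addition to it; pick one and say so.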
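Review bot: In the `Documentation/helm-operator.md` hunk, the new `monitoring.enabled` table row says only "Create necessary RBAC rules", which does not tell an operator what extra privilege they are opting into. The `values.yaml` comment in this patch is more specific (it lets the Operator create ServiceMonitors); carry that wording into the table so the privilege granted is visible where people read the parameters. Also capitalize "prometheus" in "integrate with prometheus monitoring" to match "Prometheus" in the next sentence of the same cell.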
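Review bot: In the `deploy/charts/rook-ceph/templates/cluster-rbac.yaml` hunk, the gated `include "library.cluster.monitoring.roles"` is added only under the roles section, and nothing is added under `{{/* rolebindings */}}`. If that library template does not define the matching bindings itself, the new roles will be created but never bound when `monitoring.enabled` is true. Please confirm the template covers both, or add a correspondingly gated include in the rolebindings section, and note in the commit message which it is.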
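Review bot: In the `deploy/charts/rook-ceph/values.yaml` hunk, the comment "enabling will also create RBAC rules" implies the key does something besides RBAC, but the only use of `.Values.monitoring.enabled` in this patch is the RBAC include in `cluster-rbac.yaml`. Since the commit's stated goal is reducing default privileges, make the comment say plainly that this key only adds the monitoring RBAC (drop "also"), so that users do not enable it expecting monitoring itself to be turned on.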