From 5ca0e752ef8c2af0d16bce1ebc596e65fbbd98dd Mon Sep 17 00:00:00 2001
From: Blaine Gardner
Date: Fri, 10 Dec 2021 10:10:45 -0700
Subject: [PATCH] helm: add optional monitoring RBAC to operator chart
An older version of the Helm chart always installed RBAC permissions for enabling monitoring. In an effort to reduce the privileges Rook uses by default, they were removed. We need to still include the monitoring RBAC optionally since the change could break some users.
Co-authored-by: Mathieu Parent
Co-authored-by: Blaine Gardner
Signed-off-by: Blaine Gardner
(cherry picked from commit e3be7a30ba0836db9f96dbf05f2fd5b727e731ee)
---
 Documentation/ceph-upgrade.md | 6 ++++++
 Documentation/helm-operator.md | 1 +
 .../charts/library/templates/_cluster-monitoring.tpl | 1 -
 deploy/charts/rook-ceph/templates/cluster-rbac.yaml | 10 ++++++++++
 deploy/charts/rook-ceph/values.yaml | 5 +++++
 5 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/Documentation/ceph-upgrade.md b/Documentation/ceph-upgrade.md
index be39a37a4d04..cb903ea20568 100644
--- a/Documentation/ceph-upgrade.md
+++ b/Documentation/ceph-upgrade.md
@@ -319,6 +319,12 @@ step to upgrade the Prometheus RBAC resources as well.
 kubectl apply -f deploy/examples/monitoring/rbac.yaml
 ```
+If you use the `rook-ceph` operator Helm chart, you should also add `monitoring.enabled` to
+your Helm values with two caveats:
+- this is unnecessary if you deploy monitoring RBAC from `deploy/examples/monitoring/rbac.yaml`
+- this is unnecessary if you use `rook-ceph-cluster` charts exclusively outside of the `rook-ceph`
+ operator namespace.
+
 ### **2. Update Ceph CSI versions**
 > Automatically updated if you are upgrading via the helm chart
diff --git a/Documentation/helm-operator.md b/Documentation/helm-operator.md
index 5e69ab793db5..644e327dee59 100644
--- a/Documentation/helm-operator.md
+++ b/Documentation/helm-operator.md
@@ -148,6 +148,7 @@ The following tables lists the configurable parameters of the rook-operator char
 | `admissionController.tolerations` | Array of tolerations in YAML format which will be added to admission controller deployment. | |
 | `admissionController.nodeAffinity` | The node labels for affinity of the admission controller deployment (***) | |
 | `allowMultipleFilesystems` | **(experimental in Octopus (v15))** Allows multiple filesystems to be deployed to a Ceph cluster. | `false` |
+| `monitoring.enabled` | Create necessary RBAC rules for Rook to integrate with Prometheus monitoring in the operator namespace. Requires Prometheus to be pre-installed. | `false` |
 * * * `nodeAffinity` and `*NodeAffinity` options should have the format `"role=storage,rook; storage=ceph"` or `storage=;role=rook-example` or `storage=;` (_checks only for presence of key_)
diff --git a/deploy/charts/library/templates/_cluster-monitoring.tpl b/deploy/charts/library/templates/_cluster-monitoring.tpl
index fe7ceeb5ab04..d421bce1bbd1 100644
--- a/deploy/charts/library/templates/_cluster-monitoring.tpl
+++ b/deploy/charts/library/templates/_cluster-monitoring.tpl
@@ -4,7 +4,6 @@ These should be scoped to the namespace where the CephCluster is located.
 */}}
 {{- define "library.cluster.monitoring.roles" -}}
-# ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/deploy/charts/rook-ceph/templates/cluster-rbac.yaml b/deploy/charts/rook-ceph/templates/cluster-rbac.yaml
index 1662fb121b15..38a21a3512f2 100644
--- a/deploy/charts/rook-ceph/templates/cluster-rbac.yaml
+++ b/deploy/charts/rook-ceph/templates/cluster-rbac.yaml
@@ -26,8 +26,18 @@ roles
 ---
 {{ include "library.cluster.roles" . }}
+{{- if .Values.monitoring.enabled }}
+---
+{{ include "library.cluster.monitoring.roles" . }}
+{{- end }}
+
 {{/* rolebindings */}}
 ---
 {{ include "library.cluster.rolebindings" . }}
+
+{{- if .Values.monitoring.enabled }}
+---
+{{ include "library.cluster.monitoring.rolebindings" . }}
+{{- end }}
diff --git a/deploy/charts/rook-ceph/values.yaml b/deploy/charts/rook-ceph/values.yaml
index bca7cfdec08b..80d42d088409 100644
--- a/deploy/charts/rook-ceph/values.yaml
+++ b/deploy/charts/rook-ceph/values.yaml
@@ -353,3 +353,8 @@ admissionController:
 # operator: Exists
 # effect: NoSchedule
 # nodeAffinity: key1=value1,value2; key2=value3
+
+monitoring:
+ # requires Prometheus to be pre-installed
+ # enabling will also create RBAC rules to allow Operator to create ServiceMonitors
+ enabled: false
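Review bot: Nothing in the two new `{{- if .Values.monitoring.enabled }}` blocks records that the monitoring Role and RoleBinding are rendered into the release (operator) namespace only, or the overlap that Documentation/ceph-upgrade.md in this same commit warns about: if a `rook-ceph-cluster` release in the operator namespace renders the same objects, both enabled at once presumably leave two Helm releases claiming one Role name. Suggest a template comment above the first block: `{{/* Monitoring RBAC for the operator namespace only; leave disabled when a rook-ceph-cluster release or deploy/examples/monitoring/rbac.yaml already provides it here (see Documentation/ceph-upgrade.md). */}}`. The `{{-` on each `if` trims the newline after the preceding include, so the `---` inside the block is what keeps the monitoring objects in their own YAML document; a short comment on that line would stop a later edit from dropping the separator and fusing two documents. The enclosing template continues outside the hunk.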
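Review bot: The comment on the new `monitoring.enabled` key says enabling "will also create RBAC rules", but per the cluster-rbac.yaml hunk in this commit the Role/RoleBinding are the only thing the flag renders, and the comment does not say they land in the operator namespace only, which is the caveat the upgrade doc adds. Suggest replacing the two comment lines with `# Requires Prometheus to be pre-installed.` and `# When true, renders the monitoring Role/RoleBinding (ServiceMonitor access for the operator) into the operator namespace only; keep false if that RBAC already comes from deploy/examples/monitoring/rbac.yaml or a rook-ceph-cluster release in this namespace.`. Keeping `enabled: false` as the default preserves the reduced-privilege behaviour the commit message describes, which is the right choice.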