helm: add optional monitoring RBAC to operator chart

An older version of the Helm chart always installed RBAC permissions for enabling monitoring. In an effort to reduce the privileges Rook uses by default, they were removed. We need to still include the monitoring RBAC optionally since the change could break some users. Co-authored-by: Mathieu Parent <mathieu.parent@insee.fr> Co-authored-by: Blaine Gardner <blaine.gardner@redhat.com> Signed-off-by: Blaine Gardner <blaine.gardner@redhat.com>
rook · Dec 14, 2021 · 7725144 · 7725144
1 parent d40e6d7
commit 7725144
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 1 deletion.
diff --git a/Documentation/ceph-upgrade.md b/Documentation/ceph-upgrade.md
@@ -319,6 +319,12 @@ step to upgrade the Prometheus RBAC resources as well.
 kubectl apply -f deploy/examples/monitoring/rbac.yaml
 ```
 
+If you use the `rook-ceph` operator Helm chart, you should also add `monitoring.enabled` to
+your Helm values with two caveats:
+- this is unnecessary if you deploy monitoring RBAC from `deploy/examples/monitoring/rbac.yaml`
+- this is unnecessary if you use `rook-ceph-cluster` charts exclusively outside of the `rook-ceph`
+  operator namespace.
+
 ### **2. Update Ceph CSI versions**
 
 > Automatically updated if you are upgrading via the helm chart

diff --git a/Documentation/helm-operator.md b/Documentation/helm-operator.md
@@ -148,6 +148,7 @@ The following tables lists the configurable parameters of the rook-operator char
 | `admissionController.tolerations`   | Array of tolerations in YAML format which will be added to admission controller deployment.                                 | <none>                                                    |
 | `admissionController.nodeAffinity`  | The node labels for affinity of the admission controller deployment (***)                                                   | <none>                                                    |
 | `allowMultipleFilesystems`          | **(experimental in  Octopus (v15))** Allows multiple filesystems to be deployed to a Ceph cluster.                          | `false`                                                   |
+| `monitoring.enabled`                | Create necessary RBAC rules for Rook to integrate with prometheus monitoring. Requires Prometheus to be pre-installed. | `false` |
 
 &ast; &ast; &ast; `nodeAffinity` and `*NodeAffinity` options should have the format `"role=storage,rook; storage=ceph"` or `storage=;role=rook-example` or `storage=;` (_checks only for presence of key_)
 

diff --git a/deploy/charts/library/templates/_cluster-monitoring.tpl b/deploy/charts/library/templates/_cluster-monitoring.tpl
@@ -4,7 +4,6 @@ These should be scoped to the namespace where the CephCluster is located.
 */}}
 
 {{- define "library.cluster.monitoring.roles" -}}
-# ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/deploy/charts/rook-ceph/templates/cluster-rbac.yaml b/deploy/charts/rook-ceph/templates/cluster-rbac.yaml
@@ -26,8 +26,18 @@ roles
 ---
 {{ include "library.cluster.roles" . }}
 
+{{- if .Values.monitoring.enabled }}
+---
+{{ include "library.cluster.monitoring.roles" . }}
+{{- end }}
+
 {{/*
 rolebindings
 */}}
 ---
 {{ include "library.cluster.rolebindings" . }}
+
+{{- if .Values.monitoring.enabled }}
+---
+{{ include "library.cluster.monitoring.rolebindings" . }}
+{{- end }}
diff --git a/deploy/charts/rook-ceph/values.yaml b/deploy/charts/rook-ceph/values.yaml
@@ -353,3 +353,8 @@ admissionController:
   #      operator: Exists
   #      effect: NoSchedule
   # nodeAffinity: key1=value1,value2; key2=value3
+
+monitoring:
+  # requires Prometheus to be pre-installed
+  # enabling will also create RBAC rules to allow Operator to create ServiceMonitors
+  enabled: false