From 9df79331b52c61be31a28e084a6f48d0fc2b50c0 Mon Sep 17 00:00:00 2001
From: Mathieu Parent
Date: Fri, 10 Dec 2021 15:31:09 +0100
Subject: [PATCH] helm: add RBAC for mgr to create service monitor

Signed-off-by: Mathieu Parent
---
 Documentation/helm-operator.md | 1 +
 .../rook-ceph/templates/cluster-rbac.yaml | 10 +++
 deploy/charts/rook-ceph/values.yaml | 4 ++
 deploy/examples/common.yaml | 67 +++++++++++++++++++
 4 files changed, 82 insertions(+)

diff --git a/Documentation/helm-operator.md b/Documentation/helm-operator.md
index 5e69ab793db5..ea8473c5f93e 100644
--- a/Documentation/helm-operator.md
+++ b/Documentation/helm-operator.md
@@ -83,6 +83,7 @@ The following tables lists the configurable parameters of the rook-operator char
 | `crds.enabled` | If true, the helm chart will create the Rook CRDs. Do NOT change to `false` in a running cluster or CRs will be deleted! | `true` |
 | `rbacEnable` | If true, create & use RBAC resources | `true` |
 | `pspEnable` | If true, create & use PSP resources | `true` |
+| `monitoring.enabled` | Enable Prometheus integration, currently will only create necessary RBAC rules | `true` |
 | `resources` | Pod resource requests & limits | `{}` |
 | `annotations` | Pod annotations | `{}` |
 | `logLevel` | Global log level | `INFO` |
diff --git a/deploy/charts/rook-ceph/templates/cluster-rbac.yaml b/deploy/charts/rook-ceph/templates/cluster-rbac.yaml
index 1662fb121b15..38a21a3512f2 100644
--- a/deploy/charts/rook-ceph/templates/cluster-rbac.yaml
+++ b/deploy/charts/rook-ceph/templates/cluster-rbac.yaml
@@ -26,8 +26,18 @@ roles
 ---
 {{ include "library.cluster.roles" . }}
+{{- if .Values.monitoring.enabled }}
+---
+{{ include "library.cluster.monitoring.roles" . }}
+{{- end }}
+
 {{/* rolebindings */}}
 ---
 {{ include "library.cluster.rolebindings" . }}
+
+{{- if .Values.monitoring.enabled }}
+---
+{{ include "library.cluster.monitoring.rolebindings" . }}
+{{- end }}
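Review bot: The two new include lines reference the named templates `library.cluster.monitoring.roles` and `library.cluster.monitoring.rolebindings`, but the diffstat lists no change to the library chart, so unless those templates already exist there, rendering with the default `monitoring.enabled: true` set in values.yaml will fail with a template-not-found error; confirm both are defined or add them in this commit. The include is gated only on `.Values.monitoring.enabled`; whether the file's `rbacEnable` guard (if there is one) also wraps it is not visible here, since the enclosing template starts outside the hunk, and a short comment would make that explicit, e.g. `{{/* monitoring roles: rendered only when monitoring.enabled; definitions live in the library chart */}}` above the first `{{- if`.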
diff --git a/deploy/charts/rook-ceph/values.yaml b/deploy/charts/rook-ceph/values.yaml
index bca7cfdec08b..8744abc52855 100644
--- a/deploy/charts/rook-ceph/values.yaml
+++ b/deploy/charts/rook-ceph/values.yaml
@@ -52,6 +52,10 @@ rbacEnable: true
 ##
 pspEnable: true
+monitoring:
+ # enabling will create RBAC rules to allow Operator to create ServiceMonitors
+ enabled: true
+
 ## Settings for whether to disable the drivers or other daemons if they are not
 ## needed
 csi:
diff --git a/deploy/examples/common.yaml b/deploy/examples/common.yaml
index 6fae3544d47f..56da0eb3f8bc 100644
--- a/deploy/examples/common.yaml
+++ b/deploy/examples/common.yaml
@@ -876,6 +876,43 @@ rules:
 verbs:
 - delete
 ---
+# ---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rook-ceph-monitoring
+ namespace: rook-ceph # namespace:cluster
+rules:
+ - apiGroups:
+ - "monitoring.coreos.com"
+ resources:
+ - servicemonitors
+ - prometheusrules
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+---
+# Allow management of monitoring resources in the mgr
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rook-ceph-monitoring-mgr
+ namespace: rook-ceph # namespace:cluster
+rules:
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - list
+ - create
+ - update
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
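Review bot: The comment on the new `monitoring.enabled` key describes only the operator creating ServiceMonitors, while the commit subject and the common.yaml roles in this same patch also grant the mgr ServiceAccount create/update on servicemonitors and give the operator prometheusrules as well; someone toggling this value should see the whole scope it controls. Suggest `# enabling will create RBAC rules allowing the operator and the mgr to manage ServiceMonitors (and the operator PrometheusRules)`. Because the default is `true`, the Roles are rendered even on clusters without the monitoring.coreos.com CRDs installed; RBAC rules are not validated against installed API groups, so this should be harmless, but a one-line note saying so would pre-empt the question.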
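Review bot: The first new Role, `rook-ceph-monitoring`, is introduced with the placeholder comment `# ---` where every neighbouring Role in this file carries a purpose line; since these comments are what an RBAC audit reads, replace it with `# Allow the operator to manage ServiceMonitors and PrometheusRules in this cluster's namespace`. The two Roles also spell the same API group differently (`"monitoring.coreos.com"` quoted in the first, bare `monitoring.coreos.com` in the second); pick one form for consistency. The mgr Role is deliberately narrower (servicemonitors only, no watch or delete), which is worth stating in its comment so a later copy-paste does not silently widen it, e.g. `# Allow the mgr to create and update ServiceMonitors only (no delete); the operator role above is the wider one`.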
@@ -1093,6 +1130,36 @@ subjects:
 name: rook-ceph-mgr
 namespace: rook-ceph # namespace:cluster
 ---
+# Allow the operator to get ServiceMonitors in this cluster's namespace
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rook-ceph-monitoring
+ namespace: rook-ceph # namespace:cluster
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: rook-ceph-monitoring
+subjects:
+ - kind: ServiceAccount
+ name: rook-ceph-system
+ namespace: rook-ceph # namespace:cluster
+---
+# Allow creation of monitoring resources in the mgr
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rook-ceph-monitoring-mgr
+ namespace: rook-ceph # namespace:cluster
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: rook-ceph-monitoring-mgr
+subjects:
+ - kind: ServiceAccount
+ name: rook-ceph-mgr
+ namespace: rook-ceph # namespace:cluster
+---
 # Allow the osd pods in this namespace to work with configmaps
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
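Review bot: The comment `# Allow the operator to get ServiceMonitors in this cluster's namespace` understates what the binding grants: the referenced Role `rook-ceph-monitoring`, added earlier in this patch, carries get/list/watch/create/update/delete on both servicemonitors and prometheusrules, and a reviewer scanning the RoleBindings for the operator's blast radius will be misled by "get". Suggest `# Allow the operator to manage ServiceMonitors and PrometheusRules in this cluster's namespace`. The mgr binding's comment says "creation" while its Role also grants get/list/update; `# Allow the mgr to create and update ServiceMonitors in this cluster's namespace` matches the actual rule.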