ceph: Add RBAC for mgr to create service monitor #8118

Merged
merged 1 commit into from Jun 14, 2021

travisn
Member

@travisn travisn commented Jun 11, 2021

Description of your changes:
When there are two mgr daemons, a sidecar of the mgr will update the service monitor depending on the active mgr daemon. When there is only a single mgr, the operator will create the service monitor. Now, we add rbac for the mgr to create these resources.

Without the rbac, the mgr will fail with an error similar to this:

2021-06-11 08:49:43.594790 E | cephcmd: failed to reconcile services. failed to enable service monitor: service monitor could not be enabled: failed to retrieve servicemonitor. servicemonitors.monitoring.coreos.com "rook-ceph-mgr" is forbidden: User "system:serviceaccount:openshift-storage:rook-ceph-mgr" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "openshift-storage"

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: Add the flag for skipping the build if this is only a documentation change. See here for the flag.
  • Skip Unrelated Tests: Add a flag to run tests for a specific storage provider. See test options.
  • Reviewed the developer guide on Submitting a Pull Request
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
  • Pending release notes updated with breaking and/or notable changes, if necessary.
  • Upgrade from previous release is tested and upgrade user guide is updated, if necessary.
  • Code generation (make codegen) has been run to update object specifications, if necessary.

When there are two mgr daemons, a sidecar of the mgr will update the
service monitor depending on the active mgr daemon. When there is only
a single mgr, the operator will create the service monitor. Now, we
add rbac for the mgr to create these resources.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
@BlaineEXE
Member

Questions:

  1. Am I correct in understanding this is only needed when monitoring is enabled?
  2. Should this be enabled for Helm charts? (If so, I will add them)

@travisn travisn deleted the mgr-monitoring-rbac branch September 27, 2021 22:01
@travisn
Member Author

travisn commented Sep 27, 2021

Questions:

  1. Am I correct in understanding this is only needed when monitoring is enabled?
  2. Should this be enabled for Helm charts? (If so, I will add them)

Correct on both points, thanks

@sathieu
Contributor

sathieu commented Dec 10, 2021

@BlaineEXE @travisn I've been hit by this in v1.8.0:

2021-12-10 14:18:26.576031 E | ceph-cluster-controller: failed to reconcile CephCluster "rook-ceph/rook-ceph". failed to reconcile cluster "rook-ceph": failed to configure local ceph cluster: failed to create cluster: failed to start ceph mgr: failed to enable mgr services: failed to enable service monitor: service monitor could not be enabled: failed to retrieve servicemonitor. servicemonitors.monitoring.coreos.com "rook-ceph-mgr" is forbidden: User "system:serviceaccount:rook-ceph:rook-ceph-system" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "rook-ceph"

The helm chart does not (yet) have the required RBAC.

@sathieu
Contributor

sathieu commented Dec 10, 2021

I've created #9383...
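
The two "forbidden" errors quoted in this thread name different service accounts (`rook-ceph-mgr` in one, `rook-ceph-system` in the other), which matters when deciding which subject needs the grant. The following is an added example, not code from Rook or from this pull request: it parses such denials and builds a Role limited to the observed verbs, with the Role name `servicemonitor-access-example` being a hypothetical placeholder.

```python
import json
import re
from collections import defaultdict

# Shape of the API server denial text seen in the two errors quoted in this thread.
FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<ns>[^"]+)"'
)

# Tails of the two error lines from this thread (leading context trimmed).
SAMPLE_LOG = [
    'is forbidden: User "system:serviceaccount:openshift-storage:rook-ceph-mgr" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "openshift-storage"',
    'is forbidden: User "system:serviceaccount:rook-ceph:rook-ceph-system" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "rook-ceph"',
]

def parse_forbidden(line):
    """Return the denied request as a dict, or None if the line is not an RBAC denial."""
    m = FORBIDDEN.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Group denied verbs by (service account, target namespace, API group, resource)."""
    denied = defaultdict(set)
    for line in lines:
        d = parse_forbidden(line)
        if d:
            key = (f'{d["sa_ns"]}/{d["sa"]}', d["ns"], d["group"], d["resource"])
            denied[key].add(d["verb"])
    return dict(denied)

def role_for(namespace, group, resource, verbs, name):
    """Namespaced Role granting only the listed verbs on one resource, no wildcards."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}],
    }

if __name__ == "__main__":
    for (sa, ns, group, resource), verbs in summarize(SAMPLE_LOG).items():
        print(f"# denied subject: {sa}")
        # Hypothetical Role name; JSON manifests are accepted by kubectl apply.
        print(json.dumps(role_for(ns, group, resource, verbs, "servicemonitor-access-example"), indent=2))
```

A denial reports only the verb that failed first, so further verbs may surface once `get` is allowed; feeding the later log lines through `summarize` accumulates them per subject.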
