diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
index 4eeec6936..3bb8edbd7 100644
--- a/api/v1alpha1/common.go
+++ b/api/v1alpha1/common.go
@@ -17,7 +17,7 @@ type ExternalAccess struct {
 type MonitoringConfig struct {
 	// If true, the Operator will create monitoring resources
 	//+kubebuilder:validation:XValidation:rule=(self || !oldSelf),message=Feature cannot be disabled
-	//+kubebuilder:default:=false
+	//+kubebuilder:default:=true
 	Enabled bool `json:"enabled"`
 }
 
diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go
index 71ce24c3f..8e9c141bd 100644
--- a/api/v1alpha1/fulcio_types_test.go
+++ b/api/v1alpha1/fulcio_types_test.go
@@ -142,7 +142,7 @@ var _ = Describe("Fulcio", func() {
 			validObject.Spec.Config.MetaIssuers = []OIDCIssuer{
 				{
 					ClientID: "client",
-					Type: "email",
+					Type: "email",
 				},
 			}
 
diff --git a/api/v1alpha1/securesign_types.go b/api/v1alpha1/securesign_types.go
index b264d49b5..5e6997061 100644
--- a/api/v1alpha1/securesign_types.go
+++ b/api/v1alpha1/securesign_types.go
@@ -28,10 +28,6 @@ type SecuresignSpec struct {
 	Rekor RekorSpec `json:"rekor,omitempty"`
 	Fulcio FulcioSpec `json:"fulcio,omitempty"`
 	Trillian TrillianSpec `json:"trillian,omitempty"`
-	// If true, the Operator will create segment backup job and cronjob and required RBAC
-	//+kubebuilder:validation:XValidation:rule=(self || !oldSelf),message=Feature cannot be disabled
-	//+kubebuilder:default:=false
-	Analytics bool `json:"analytics"`
 	//+kubebuilder:default:={keys:{{name: rekor.pub},{name: ctfe.pub},{name: fulcio_v1.crt.pem}}}
 	Tuf TufSpec `json:"tuf,omitempty"`
 	Ctlog CTlogSpec `json:"ctlog,omitempty"`
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
index c94729e40..3277697d5 100644
--- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
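Review bot: Flipping `default:=true` makes the transition rule one line above it (`self || !oldSelf`, "Feature cannot be disabled") apply to every object: a CR that omits `enabled` is persisted with `true`, and any later `enabled: false` is rejected by the API server, so there is no longer any path to run without ServiceMonitors once the CR exists. If opting out is still intended, the rule needs to be relaxed in the same change, or the default should stay `false` with the samples enabling it. The field comment should state the real behaviour either way: `// If true, the Operator will create monitoring resources. Defaults to true; once enabled it cannot be disabled.` This presumably also assumes the monitoring.coreos.com CRDs exist on every target cluster — worth confirming the operator tolerates their absence.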
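Review bot: Removing `Analytics` deletes the only schema-level opt-out for the segment backup job, and the handlers elsewhere in this commit (`rbac.go`, `segment_backup_job.go`, `segment_backup_cronjob.go`) drop the `if !instance.Spec.Analytics` guards without replacing them, so telemetry RBAC and jobs are created unconditionally unless a `CanHandle` outside this diff checks the `rhtas.redhat.com/metrics` annotation the e2e tests set. Dropping a `required` field from a served `v1alpha1` schema with no version bump also means existing CRs carrying `analytics: false` would have the field pruned silently on their next write and start creating the telemetry resources. I would at least document the new control on the type, e.g. `// Telemetry (segment backup job and its RBAC) is controlled by the rhtas.redhat.com/metrics annotation; set it to "false" to disable.`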
@@ -101,7 +101,7 @@ metadata: "enabled": true }, "monitoring": { - "enabled": false + "enabled": true } }, "rekor": { @@ -109,7 +109,7 @@ metadata: "enabled": true }, "monitoring": { - "enabled": false + "enabled": true } }, "trillian": { diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index 21b5b3ed6..f6621d231 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml @@ -242,7 +242,7 @@ spec: description: Enable Service monitors for fulcio properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean x-kubernetes-validations: diff --git a/bundle/manifests/rhtas.redhat.com_rekors.yaml b/bundle/manifests/rhtas.redhat.com_rekors.yaml index 5c2781fbd..c17d9f87c 100644 --- a/bundle/manifests/rhtas.redhat.com_rekors.yaml +++ b/bundle/manifests/rhtas.redhat.com_rekors.yaml @@ -91,7 +91,7 @@ spec: description: Enable Service monitors for rekor properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean x-kubernetes-validations: diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index 0d2bd31ee..056efc710 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml @@ -371,7 +371,7 @@ spec: description: Enable Service monitors for fulcio properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean @@ -443,7 +443,7 @@ spec: description: Enable Service monitors for rekor properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean 
diff --git a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml index a0844fa66..ca762bb52 100644 --- a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml +++ b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml @@ -48,7 +48,7 @@ spec: description: Enable Service monitors for ctlog properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean x-kubernetes-validations: diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index c82b674af..101a66da3 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml @@ -242,7 +242,7 @@ spec: description: Enable Service monitors for fulcio properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean x-kubernetes-validations: diff --git a/config/crd/bases/rhtas.redhat.com_rekors.yaml b/config/crd/bases/rhtas.redhat.com_rekors.yaml index 36b81800a..3a3dd4614 100644 --- a/config/crd/bases/rhtas.redhat.com_rekors.yaml +++ b/config/crd/bases/rhtas.redhat.com_rekors.yaml @@ -91,7 +91,7 @@ spec: description: Enable Service monitors for rekor properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean x-kubernetes-validations: diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index ab8809e3e..728cc3cfd 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml 
@@ -56,14 +56,6 @@ spec: spec: description: SecuresignSpec defines the desired state of Securesign properties: - analytics: - default: false - description: If true, the Operator will create segment backup job - and cronjob and required RBAC - type: boolean - x-kubernetes-validations: - - message: Feature cannot be disabled - rule: (self || !oldSelf) ctlog: description: CTlogSpec defines the desired state of CTlog component properties: @@ -71,7 +63,7 @@ spec: description: Enable Service monitors for ctlog properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean @@ -371,7 +363,7 @@ spec: description: Enable Service monitors for fulcio properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean @@ -443,7 +435,7 @@ spec: description: Enable Service monitors for rekor properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean @@ -641,7 +633,7 @@ spec: description: Enable Monitoring for Logsigner and Logserver properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean @@ -723,8 +715,6 @@ spec: minimum: 1 type: integer type: object - required: - - analytics type: object status: description: SecuresignStatus defines the observed state of Securesign diff --git a/config/crd/bases/rhtas.redhat.com_trillians.yaml b/config/crd/bases/rhtas.redhat.com_trillians.yaml index 3746ca198..f4950b9a9 100644 --- a/config/crd/bases/rhtas.redhat.com_trillians.yaml +++ b/config/crd/bases/rhtas.redhat.com_trillians.yaml @@ -125,7 +125,7 @@ spec: description: Enable Monitoring for Logsigner and Logserver properties: enabled: - default: false + default: true description: If true, the Operator will create monitoring resources type: boolean x-kubernetes-validations: 
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 5e109341e..f9d95d455 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -158,6 +158,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheuses/api
+  verbs:
+  - create
+  - get
+  - update
 - apiGroups:
   - monitoring.coreos.com
   resources:
@@ -233,6 +241,7 @@ rules:
   verbs:
   - create
   - delete
+  - deletecollection
   - get
   - list
   - patch
@@ -245,6 +254,7 @@ rules:
   verbs:
   - create
   - delete
+  - deletecollection
   - get
   - list
   - patch
@@ -257,6 +267,7 @@ rules:
   verbs:
   - create
   - delete
+  - deletecollection
   - get
   - list
   - patch
diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml
index 021d7f94b..d5c1c76cc 100644
--- a/config/samples/rhtas_v1alpha1_securesign.yaml
+++ b/config/samples/rhtas_v1alpha1_securesign.yaml
@@ -5,14 +5,15 @@ metadata:
     app.kubernetes.io/name: securesign-sample
     app.kubernetes.io/instance: securesign-sample
     app.kubernetes.io/part-of: trusted-artifact-signer
+  annotations:
+    rhtas.redhat.com/metrics: "true"
   name: securesign-sample
-  namespace: rhtas-operator
 spec:
   rekor:
     externalAccess:
       enabled: true
     monitoring:
-      enabled: false
+      enabled: true
   trillian:
     database:
       create: true
@@ -30,7 +31,7 @@ spec:
       organizationEmail: jdoe@redhat.com
       commonName: fulcio.hostname
     monitoring:
-      enabled: false
+      enabled: true
   tuf:
     externalAccess:
       enabled: true
diff --git a/controllers/securesign/actions/rbac.go b/controllers/securesign/actions/rbac.go
index e8f81b379..920a1dc91 100644
--- a/controllers/securesign/actions/rbac.go
+++ b/controllers/securesign/actions/rbac.go
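Review bot: The sample is now the only non-test place that shows the `rhtas.redhat.com/metrics` annotation, and nothing says what it does or that `"false"` (the value every e2e test uses) is the opt-out, since the `analytics` spec field it replaces is removed from the CRD in this same commit. A one-line comment above it would close that gap: `# Controls the segment telemetry job and its cluster RBAC; set to "false" to disable`. Dropping `namespace: rhtas-operator` also changes where a plain `kubectl apply` of the sample lands (the caller's current namespace), which is fine if intentional but is not mentioned anywhere in the change.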
@@ -13,10 +13,14 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
-const namespacedNamePattern = SegmentRBACName + "-%s"
+const (
+	namespacedNamePattern = SegmentRBACName + "-%s"
+	clusterWideNamePattern = SegmentRBACName + "-%s" + "-%s"
+	OpenshiftMonitoringNS = "openshift-monitoring"
+)
 
 func NewRBACAction() action.Action[rhtasv1alpha1.Securesign] {
 	return &rbacAction{}
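Review bot: `clusterWideNamePattern` keys the cluster-scoped ClusterRole and ClusterRoleBindings on the namespace alone, and `namespacedNamePattern` does the same for the Role/RoleBinding placed in `openshift-monitoring`, so two Securesign instances in one namespace would write the same objects while the finalizer cleanup in the controller selects them by labels built from `instance.Name` — deleting one instance can remove or orphan the other's binding depending on which reconcile wrote last. Including the instance name makes them unique: `clusterWideNamePattern = SegmentRBACName + "-%s-%s-%s"` formatted with `instance.Namespace, instance.Name, suffix`. `OpenshiftMonitoringNS` is hard-coded, so on a cluster without that namespace the `Ensure` calls in `Handle` will fail and mark the instance not Ready unless `CanHandle` (outside this hunk) gates on OpenShift; a comment stating that assumption next to the constant would help.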
@@ -42,92 +46,183 @@ func (i rbacAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Secures } func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesign) *action.Result { - if !instance.Spec.Analytics { - return i.Continue() - } var err error - labels := constants.LabelsFor(SegmentBackupCronJobName, SegmentBackupCronJobName, instance.Name) + labels := constants.LabelsFor(SegmentBackupJobName, SegmentBackupCronJobName, instance.Name) labels["app.kubernetes.io/instance-namespace"] = instance.Namespace - sa := &v1.ServiceAccount{ + serviceAccount := &v1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: SegmentRBACName, Namespace: instance.Namespace, Labels: labels, }, } - - if err = ctrl.SetControllerReference(instance, sa, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controll reference for SA: %w", err)) + if err = controllerutil.SetControllerReference(instance, serviceAccount, i.Client.Scheme()); err != nil { + return i.Failed(fmt.Errorf("could not set controller reference for serviceAccount: %w", err)) + } + if _, err = i.Ensure(ctx, serviceAccount); err != nil { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: constants.Ready, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create serviceAccount: %w", err), instance) } - // don't re-enqueue for RBAC in any case (except failure) - _, err = i.Ensure(ctx, sa) - if err != nil { + openshiftMonitoringSBJRole := kubernetes.CreateRole( + OpenshiftMonitoringNS, + fmt.Sprintf(namespacedNamePattern, instance.Namespace), + labels, + []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"configmaps"}, + Verbs: 
[]string{"get", "list"}, + ResourceNames: []string{"cluster-monitoring-config"}, + }, + { + APIGroups: []string{"route.openshift.io"}, + Resources: []string{"routes"}, + Verbs: []string{"get", "list"}, + }, + }) + if _, err = i.Ensure(ctx, openshiftMonitoringSBJRole); err != nil { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Failure, Message: err.Error(), }) - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create SA: %w", err), instance) + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create openshift-monitoring role for SBJ: %w", err), instance) } - role := kubernetes.CreateClusterRole(SegmentRBACName, constants.LabelsRHTAS(), []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"secrets"}, - Verbs: []string{"get", "list"}, - }, - { - APIGroups: []string{""}, - Resources: []string{"configmaps"}, - Verbs: []string{"get", "list"}, - }, - { - APIGroups: []string{"route.openshift.io"}, - Resources: []string{"routes"}, - Verbs: []string{"get", "list"}, + openshiftMonitoringSBJRoleBinding := kubernetes.CreateRoleBinding( + OpenshiftMonitoringNS, + fmt.Sprintf(namespacedNamePattern, instance.Namespace), + labels, + rbacv1.RoleRef{ + APIGroup: v1.SchemeGroupVersion.Group, + Kind: "Role", + Name: fmt.Sprintf(namespacedNamePattern, instance.Namespace), }, - { - APIGroups: []string{"operator.openshift.io"}, - Resources: []string{"consoles"}, - Verbs: []string{"get", "list"}, - }, - }) - - _, err = i.Ensure(ctx, role) - - if err != nil { + []rbacv1.Subject{ + {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, + }) + if _, err = i.Ensure(ctx, openshiftMonitoringSBJRoleBinding); err != nil { + 
meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Failure, Message: err.Error(), }) - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create clusterrole required for SBJ: %w", err), instance) + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create openshift-monitoring role binding for SBJ: %w", err), instance) } - rb := kubernetes.CreateClusterRoleBinding(fmt.Sprintf(namespacedNamePattern, instance.Namespace), labels, rbacv1.RoleRef{ - APIGroup: v1.SchemeGroupVersion.Group, - Kind: "ClusterRole", - Name: SegmentRBACName, - }, + openshiftMonitoringClusterRoleBinding := kubernetes.CreateClusterRoleBinding( + fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterMonitoringRoleBinding"), + labels, + rbacv1.RoleRef{ + APIGroup: v1.SchemeGroupVersion.Group, + Kind: "ClusterRole", + Name: "cluster-monitoring-view", + }, []rbacv1.Subject{ {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, }) + if _, err = i.Ensure(ctx, openshiftMonitoringClusterRoleBinding); err != nil { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: constants.Ready, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create monitoring ClusterRoleBinding for SBJ: %w", err), instance) + } - _, err = i.Ensure(ctx, rb) + openshiftConsoleSBJRole := kubernetes.CreateClusterRole( + fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterRole"), + 
labels, + []rbacv1.PolicyRule{ + { + APIGroups: []string{"operator.openshift.io"}, + Resources: []string{"consoles"}, + Verbs: []string{"get", "list"}, + ResourceNames: []string{"cluster"}, + }, + { + APIGroups: []string{"route.openshift.io"}, + Resources: []string{"routes"}, + Verbs: []string{"get", "list"}, + ResourceNames: []string{"console"}, + }, + }) + if _, err = i.Ensure(ctx, openshiftConsoleSBJRole); err != nil { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: constants.Ready, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create openshift-console ClusterRole for SBJ: %w", err), instance) + } - if err != nil { + openshiftConsoleSBJRolebinding := kubernetes.CreateClusterRoleBinding( + fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterRoleBinding"), + labels, + rbacv1.RoleRef{ + APIGroup: v1.SchemeGroupVersion.Group, + Kind: "ClusterRole", + Name: fmt.Sprintf(clusterWideNamePattern, instance.Namespace, "clusterRole"), + }, + []rbacv1.Subject{ + {Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace}, + }) + if _, err = i.Ensure(ctx, openshiftConsoleSBJRolebinding); err != nil { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: MetricsCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Failure, Message: err.Error(), }) - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create clusterrolebinding required for SBJ: %w", err), instance) + return i.FailedWithStatusUpdate(ctx, 
fmt.Errorf("could not create openshift-console ClusterRoleBinding for SBJ: %w", err), instance) } return i.Continue() diff --git a/controllers/securesign/actions/segment_backup_cronjob.go b/controllers/securesign/actions/segment_backup_cronjob.go index f7ae1bf4c..5f64f794a 100644 --- a/controllers/securesign/actions/segment_backup_cronjob.go +++ b/controllers/securesign/actions/segment_backup_cronjob.go @@ -42,11 +42,6 @@ func (i segmentBackupCronJob) CanHandle(_ context.Context, instance *rhtasv1alph } func (i segmentBackupCronJob) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesign) *action.Result { - - if !instance.Spec.Analytics { - return i.Continue() - } - var ( err error updated bool diff --git a/controllers/securesign/actions/segment_backup_job.go b/controllers/securesign/actions/segment_backup_job.go index e79227d71..496f21d1c 100644 --- a/controllers/securesign/actions/segment_backup_job.go +++ b/controllers/securesign/actions/segment_backup_job.go @@ -38,9 +38,6 @@ func (i segmentBackupJob) CanHandle(_ context.Context, instance *rhtasv1alpha1.S } func (i segmentBackupJob) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesign) *action.Result { - if !instance.Spec.Analytics { - return i.Continue() - } var ( err error diff --git a/controllers/securesign/securesign_controller.go b/controllers/securesign/securesign_controller.go index 3ad9bc964..22757d0bc 100644 --- a/controllers/securesign/securesign_controller.go +++ b/controllers/securesign/securesign_controller.go 
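Review bot: In `openshiftMonitoringSBJRole` the configmaps rule combines `list` with `ResourceNames: {"cluster-monitoring-config"}`; RBAC only honours `resourceNames` on `list` when the request carries a `metadata.name` field selector, so a plain list from the job is denied and only `get` actually works — drop `list` there, and consider naming the Route(s) the job needs in the routes rule the way the console ClusterRole below does with `ResourceNames: {"console"}`, since as written the job can read every Route in `openshift-monitoring`. The binding to `cluster-monitoring-view` gives a telemetry job read access to all cluster metrics, much broader than the rest of this hunk is careful to draw; at minimum a comment on that binding should say which queries require it (presumably the `prometheuses/api` proxy — confirm). The six identical condition-setting blocks are worth one helper, shown below; `Handle` ends past the end of this hunk.
```go
// failMetrics records the failure on both the metrics and Ready conditions
// and returns the failed result with a status update.
func (i rbacAction) failMetrics(ctx context.Context, instance *rhtasv1alpha1.Securesign, err error) *action.Result {
	for _, condType := range []string{MetricsCondition, constants.Ready} {
		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
			Type:    condType,
			Status:  metav1.ConditionFalse,
			Reason:  constants.Failure,
			Message: err.Error(),
		})
	}
	return i.FailedWithStatusUpdate(ctx, err, instance)
}

// … in Handle, each Ensure error path collapses to:
if _, err = i.Ensure(ctx, serviceAccount); err != nil {
	return i.failMetrics(ctx, instance, fmt.Errorf("could not create serviceAccount: %w", err))
}
// … unchanged: role / binding construction …
```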
@@ -55,14 +55,15 @@ type SecuresignReconciler struct {
 //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=networking,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete;deletecollection
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete;deletecollection
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete;deletecollection
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete;deletecollection
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=create;get;list;watch;update;patch;delete
+//+kubebuilder:rbac:groups=monitoring.coreos.com,resources=prometheuses/api,verbs=get;create;update
 //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;get;list;watch;update;patch
@@ -92,11 +93,21 @@ func (r *SecuresignReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 
 	if instance.DeletionTimestamp != nil {
-		labels := constants.LabelsFor(actions.SegmentBackupCronJobName, actions.SegmentBackupCronJobName, instance.Name)
+		labels := constants.LabelsFor(actions.SegmentBackupJobName, actions.SegmentBackupCronJobName, instance.Name)
 		labels["app.kubernetes.io/instance-namespace"] = instance.Namespace
 		if err := r.Client.DeleteAllOf(ctx, &v1.ClusterRoleBinding{}, client.MatchingLabels(labels)); err != nil {
 			log.Error(err, "problem with removing clusterRoleBinding resource")
 		}
+		if err := r.Client.DeleteAllOf(ctx, &v1.ClusterRole{}, client.MatchingLabels(labels)); err != nil {
+			log.Error(err, "problem with removing ClusterRole resource")
+		}
+		if err := r.Client.DeleteAllOf(ctx, &v1.Role{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(labels)); err != nil {
+			log.Error(err, "problem with removing Role resource in %s", actions.OpenshiftMonitoringNS)
+		}
+		if err := r.Client.DeleteAllOf(ctx, &v1.RoleBinding{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(labels)); err != nil {
+			log.Error(err, "problem with removing RoleBinding resource in %s", actions.OpenshiftMonitoringNS)
+		}
+
 		controllerutil.RemoveFinalizer(target, finalizer)
 		return ctrl.Result{}, r.Update(ctx, target)
 	}
diff --git a/e2e/byodb_test.go b/e2e/byodb_test.go
index 8576327cd..5918e57af 100644
--- a/e2e/byodb_test.go
+++ b/e2e/byodb_test.go
@@ -49,6 +49,9 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: namespace.Name,
 				Name: "test",
+				Annotations: map[string]string{
+					"rhtas.redhat.com/metrics": "false",
+				},
 			},
 			Spec: v1alpha1.SecuresignSpec{
 				Rekor: v1alpha1.RekorSpec{
diff --git a/e2e/common_install_test.go b/e2e/common_install_test.go
index 8b24b0dfe..3041a88cc 100644
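Review bot: The new `prometheuses/api` marker with `get;create;update` grants the operator itself cluster-wide Prometheus query access, presumably only so RBAC escalation prevention lets it bind the job's ServiceAccount to `cluster-monitoring-view` in `rbac.go`; the operator never queries metrics, so it is holding a permission purely to delegate it. The least-privilege form is the `bind` verb on that single role, `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=bind,resourceNames=cluster-monitoring-view`, which satisfies the escalation check without the operator possessing the rights. The added `deletecollection` on clusterroles, roles and rolebindings corresponds to the label-selected `DeleteAllOf` calls in `Reconcile`; a short comment on these markers saying so would spare the next RBAC audit from re-deriving it.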
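Review bot: `log.Error(err, "problem with removing Role resource in %s", actions.OpenshiftMonitoringNS)` and the RoleBinding line below it pass a printf verb to what looks like a logr logger (the existing `log.Error(err, "...")` call uses the same API); logr does not format messages, and a single trailing argument is an odd key/value list, so the namespace is emitted as a dangling key and `%s` stays literal. Use structured fields: `log.Error(err, "problem with removing Role resource", "namespace", actions.OpenshiftMonitoringNS)`. Separately, all four `DeleteAllOf` calls only log on failure and the finalizer is removed regardless, so a transient API error would leave the ClusterRoleBinding to `cluster-monitoring-view` created in `rbac.go` orphaned with no owner to clean it up; returning the error so the finalizer stays until cleanup succeeds is safer for cluster-scoped RBAC.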
--- a/e2e/common_install_test.go
+++ b/e2e/common_install_test.go
@@ -49,6 +49,9 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: namespace.Name,
 				Name: "test",
+				Annotations: map[string]string{
+					"rhtas.redhat.com/metrics": "false",
+				},
 			},
 			Spec: v1alpha1.SecuresignSpec{
 				Rekor: v1alpha1.RekorSpec{
diff --git a/e2e/config_update_test.go b/e2e/config_update_test.go
index 9c5758617..61ed2a1d8 100644
--- a/e2e/config_update_test.go
+++ b/e2e/config_update_test.go
@@ -53,6 +53,9 @@ var _ = Describe("Securesign hot update", Ordered, func() {
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: namespace.Name,
 				Name: "test",
+				Annotations: map[string]string{
+					"rhtas.redhat.com/metrics": "false",
+				},
 			},
 			Spec: v1alpha1.SecuresignSpec{
 				Rekor: v1alpha1.RekorSpec{
diff --git a/e2e/key_autodiscovery_test.go b/e2e/key_autodiscovery_test.go
index b6754409b..922dfe773 100644
--- a/e2e/key_autodiscovery_test.go
+++ b/e2e/key_autodiscovery_test.go
@@ -47,6 +47,9 @@ var _ = Describe("Securesign key autodiscovery test", Ordered, func() {
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: namespace.Name,
 				Name: "test",
+				Annotations: map[string]string{
+					"rhtas.redhat.com/metrics": "false",
+				},
 			},
 			Spec: v1alpha1.SecuresignSpec{
 				Rekor: v1alpha1.RekorSpec{
diff --git a/e2e/provided_certs_test.go b/e2e/provided_certs_test.go
index 7543c7a24..adbaf1258 100644
--- a/e2e/provided_certs_test.go
+++ b/e2e/provided_certs_test.go
@@ -55,6 +55,9 @@ var _ = Describe("Securesign install with provided certs", Ordered, func() {
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: namespace.Name,
 				Name: "test",
+				Annotations: map[string]string{
+					"rhtas.redhat.com/metrics": "false",
+				},
 			},
 			Spec: v1alpha1.SecuresignSpec{
 				Rekor: v1alpha1.RekorSpec{