feat: add support for watching multiple namespaces

Previously, MontoringStack was only able to watch resources in the same namespace as the stack itself. This commit improves that by allowing user to configure a namespaceSelector in the stack which allows the stack to watch resources created in namespaces matching that label selector. The changes involve * converting the prometheus role to a cluster role * creating a cluster-role-binding allowing prometheus to watch resources in other namespaces if a namespaceSelector is configured Signed-off-by: Sunil Thaha <[email protected]>
rhobs · Nov 8, 2022 · 4bda99c · 4bda99c
1 parent 6310061
commit 4bda99c
Show file tree

Hide file tree

Showing 13 changed files with 546 additions and 121 deletions.
diff --git a/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml b/bundle/manifests/monitoring.rhobs_monitoringstacks.yaml
@@ -53,6 +53,53 @@ spec:
                 - info
                 - warning
                 type: string
+              namespaceSelector:
+                description: Namespace selector for Monitoring Stack Resources. If
+                  left empty the Monitoring Stack will only match resources in the
+                  namespace it was created in.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
               prometheusConfig:
                 default:
                   replicas: 2

diff --git a/bundle/manifests/observability-operator.clusterserviceversion.yaml b/bundle/manifests/observability-operator.clusterserviceversion.yaml
@@ -17,7 +17,7 @@ metadata:
             "logLevel": "debug",
             "resourceSelector": {
               "matchLabels": {
-                "system": "foo"
+                "app": "demo"
               }
             },
             "retention": "1d"
@@ -328,6 +328,8 @@ spec:
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:
+          - clusterrolebindings
+          - clusterroles
           - rolebindings
           - roles
           verbs:

diff --git a/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml b/deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml
@@ -54,6 +54,53 @@ spec:
                 - info
                 - warning
                 type: string
+              namespaceSelector:
+                description: Namespace selector for Monitoring Stack Resources. If
+                  left empty the Monitoring Stack will only match resources in the
+                  namespace it was created in.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
               prometheusConfig:
                 default:
                   replicas: 2

diff --git a/deploy/operator/observability-operator-cluster-role.yaml b/deploy/operator/observability-operator-cluster-role.yaml
@@ -148,6 +148,8 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
+  - clusterrolebindings
+  - clusterroles
   - rolebindings
   - roles
   verbs:

diff --git a/deploy/samples/monitoring-stack.yaml b/deploy/samples/monitoring-stack.yaml
@@ -9,4 +9,4 @@ spec:
   retention: 1d
   resourceSelector:
     matchLabels:
-      system: foo
+      app: demo
diff --git a/deploy/samples/multi-ns-stack.yaml b/deploy/samples/multi-ns-stack.yaml
@@ -0,0 +1,15 @@
+apiVersion: monitoring.rhobs/v1alpha1
+kind: MonitoringStack
+metadata:
+  name: multi-ns
+  labels:
+    thanos-querier: the-querier
+spec:
+  logLevel: debug
+  retention: 2h
+  resourceSelector:
+    matchLabels:
+      app: demo
+  namespaceSelector:
+    matchLabels:
+      monitoring.rhobs/stack: multi-ns
diff --git a/docs/api.md b/docs/api.md
@@ -104,6 +104,13 @@ MonitoringStackSpec is the specification for desired Monitoring Stack
             <i>Default</i>: info<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#monitoringstackspecnamespaceselector">namespaceSelector</a></b></td>
+        <td>object</td>
+        <td>
+          Namespace selector for Monitoring Stack Resources. If left empty the Monitoring Stack will only match resources in the namespace it was created in.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b><a href="#monitoringstackspecprometheusconfig">prometheusConfig</a></b></td>
         <td>object</td>
@@ -171,6 +178,81 @@ Define Alertmanager config
 </table>
 
 
+### MonitoringStack.spec.namespaceSelector
+<sup><sup>[↩ Parent](#monitoringstackspec)</sup></sup>
+
+
+
+Namespace selector for Monitoring Stack Resources. If left empty the Monitoring Stack will only match resources in the namespace it was created in.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b><a href="#monitoringstackspecnamespaceselectormatchexpressionsindex">matchExpressions</a></b></td>
+        <td>[]object</td>
+        <td>
+          matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>matchLabels</b></td>
+        <td>map[string]string</td>
+        <td>
+          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
+### MonitoringStack.spec.namespaceSelector.matchExpressions[index]
+<sup><sup>[↩ Parent](#monitoringstackspecnamespaceselector)</sup></sup>
+
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>key</b></td>
+        <td>string</td>
+        <td>
+          key is the label key that the selector applies to.<br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>operator</b></td>
+        <td>string</td>
+        <td>
+          operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>values</b></td>
+        <td>[]string</td>
+        <td>
+          values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### MonitoringStack.spec.prometheusConfig
 <sup><sup>[↩ Parent](#monitoringstackspec)</sup></sup>
 

diff --git a/pkg/apis/monitoring/v1alpha1/types.go b/pkg/apis/monitoring/v1alpha1/types.go
@@ -58,6 +58,11 @@ type MonitoringStackSpec struct {
 	// +optional
 	ResourceSelector *metav1.LabelSelector `json:"resourceSelector,omitempty"`
 
+	// Namespace selector for Monitoring Stack Resources.
+	// If left empty the Monitoring Stack will only match resources in the namespace it was created in.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+
 	// Time duration to retain data for. Default is '120h',
 	// and must match the regular expression `[0-9]+(ms|s|m|h|d|w|y)` (milliseconds seconds minutes hours days weeks years).
 	// +kubebuilder:default="120h"

diff --git a/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/monitoring/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go
@@ -72,6 +72,7 @@ func newAlertmanager(
 				RunAsNonRoot: pointer.Bool(true),
 				RunAsUser:    pointer.Int64(AlertmanagerUserFSGroupID),
 			},
+			AlertmanagerConfigNamespaceSelector: ms.Spec.NamespaceSelector,
 		},
 	}
 }
@@ -127,23 +128,21 @@ func newAlertmanagerPDB(ms *stack.MonitoringStack, instanceSelectorKey string, i
 	}
 }
 
-func newAlertManagerRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.Role {
-	return &rbacv1.Role{
+func newAlertManagerClusterRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.ClusterRole {
+	return &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: rbacv1.SchemeGroupVersion.String(),
-			Kind:       "Role",
+			Kind:       "ClusterRole",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      rbacResourceName,
 			Namespace: ms.Namespace,
 		},
-		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups:     []string{"security.openshift.io"},
-				Resources:     []string{"securitycontextconstraints"},
-				ResourceNames: []string{"nonroot", "nonroot-v2"},
-				Verbs:         []string{"use"},
-			},
-		},
+		Rules: []rbacv1.PolicyRule{{
+			APIGroups:     []string{"security.openshift.io"},
+			Resources:     []string{"securitycontextconstraints"},
+			ResourceNames: []string{"nonroot", "nonroot-v2"},
+			Verbs:         []string{"use"},
+		}},
 	}
 }