fix(operator): move authorization RBAC to dedicated cluster_scoped

reconciler

Author: JoaoBraveCoding

operator/internal/controller/loki/dashboards_controller.go renamed to operator/internal/controller/loki/lokistack_cluster_scoped_controller.go

@@ -47,15 +47,15 @@ func (r *DashboardsReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	if len(stacks.Items) == 0 {
 		// Removes all LokiStack dashboard resources on OpenShift clusters when
 		// the last LokiStack custom resource is deleted.
-		if err := handlers.DeleteDashboards(ctx, r.Client, r.OperatorNs); err != nil {
+		if err := handlers.DeleteClusterScopedResources(ctx, r.Client, r.OperatorNs, stacks); err != nil {
 			return ctrl.Result{}, kverrors.Wrap(err, "failed to delete dashboard resources")
 		}
 		return ctrl.Result{}, nil
 	}
 
 	// Creates all LokiStack dashboard resources on OpenShift clusters when
 	// the first LokiStack custom resource is created.
-	if err := handlers.CreateDashboards(ctx, r.Log, r.OperatorNs, r.Client, r.Scheme); err != nil {
+	if err := handlers.CreateClusterScopedResources(ctx, r.Log, r.OperatorNs, r.Client, r.Scheme, stacks); err != nil {
 		return ctrl.Result{}, kverrors.Wrap(err, "failed to create dashboard resources", "req", req)
 	}
 	return ctrl.Result{}, nil

operator/internal/handlers/dashboards_create.go

@@ -0,0 +1,77 @@
+package handlers
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/ViaQ/logerr/v2/kverrors"
+	"github.com/go-logr/logr"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client" //nolint:typecheck
+	ctrlutil "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
+	"github.com/grafana/loki/operator/internal/external/k8s"
+	"github.com/grafana/loki/operator/internal/manifests"
+	"github.com/grafana/loki/operator/internal/manifests/openshift"
+)
+
+// CreateClusterScopedResources handles the LokiStack cluster scoped create events.
+func CreateClusterScopedResources(ctx context.Context, log logr.Logger, operatorNs string, k k8s.Client, s *runtime.Scheme, stacks lokiv1.LokiStackList) error {
+	// This has to be done here as to not introduce a circular dependency.
+	gatewaySubjects := make([]rbacv1.Subject, 0, len(stacks.Items))
+	rulerSubjects := make([]rbacv1.Subject, 0, len(stacks.Items))
+	for _, stack := range stacks.Items {
+		gatewaySubjects = append(gatewaySubjects, rbacv1.Subject{
+			Kind:      "ServiceAccount",
+			Name:      manifests.GatewayName(stack.Name),
+			Namespace: stack.Namespace,
+		})
+		rulerSubjects = append(rulerSubjects, rbacv1.Subject{
+			Kind:      "ServiceAccount",
+			Name:      manifests.RulerName(stack.Name),
+			Namespace: stack.Namespace,
+		})
+	}
+	opts := openshift.NewOptionsClusterScope(operatorNs, stacks, manifests.ClusterScopeLabels(), gatewaySubjects, rulerSubjects)
+
+	objs, err := openshift.BuildDashboards(opts)
+	if err != nil {
+		return kverrors.Wrap(err, "failed to build dashboard manifests")
+	}
+
+	rbacOBjs, err := openshift.BuildRBAC(opts)
+	if err != nil {
+		return kverrors.Wrap(err, "failed to build RBAC manifests")
+	}
+	objs = append(objs, rbacOBjs...)
+
+	var errCount int32
+	for _, obj := range objs {
+		desired := obj.DeepCopyObject().(client.Object)
+		mutateFn := manifests.MutateFuncFor(obj, desired, nil)
+
+		op, err := ctrl.CreateOrUpdate(ctx, k, obj, mutateFn)
+		if err != nil {
+			log.Error(err, "failed to configure resource")
+			errCount++
+			continue
+		}
+
+		msg := fmt.Sprintf("Resource has been %s", op)
+		switch op {
+		case ctrlutil.OperationResultNone:
+			log.V(1).Info(msg)
+		default:
+			log.Info(msg)
+		}
+	}
+
+	if errCount > 0 {
+		return kverrors.New("failed to configure lokistack dashboard resources")
+	}
+
+	return nil
+}

operator/internal/handlers/lokistack_cluster_scope_resources_create.go

@@ -53,7 +53,7 @@ func TestCreateDashboards_ReturnsResourcesInManagedNamespaces(t *testing.T) {
 
 	k.StatusStub = func() client.StatusWriter { return sw }
 
-	err := CreateDashboards(context.TODO(), logger, "test", k, scheme)
+	err := CreateClusterScopedResources(context.TODO(), logger, "test", k, scheme, lokiv1.LokiStackList{Items: []lokiv1.LokiStack{stack}})
 	require.NoError(t, err)
 
 	// make sure create was called

operator/internal/handlers/dashboards_create_test.go renamed to operator/internal/handlers/lokistack_cluster_scope_resources_create_test.go

@@ -4,20 +4,26 @@ import (
 	"context"
 
 	"github.com/ViaQ/logerr/v2/kverrors"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
 	"github.com/grafana/loki/operator/internal/external/k8s"
+	"github.com/grafana/loki/operator/internal/manifests"
 	"github.com/grafana/loki/operator/internal/manifests/openshift"
 )
 
-// DeleteDashboards removes all cluster-scoped dashboard resources.
-func DeleteDashboards(ctx context.Context, k k8s.Client, operatorNs string) error {
-	objs, err := openshift.BuildDashboards(operatorNs)
+// DeleteClusterScopedResources removes all cluster-scoped resources.
+func DeleteClusterScopedResources(ctx context.Context, k k8s.Client, operatorNs string, stacks lokiv1.LokiStackList) error {
+	opts := openshift.NewOptionsClusterScope(operatorNs, stacks, manifests.ClusterScopeLabels(), []rbacv1.Subject{}, []rbacv1.Subject{})
+	objs, err := openshift.BuildDashboards(opts)
 	if err != nil {
 		return kverrors.Wrap(err, "failed to build dashboards manifests")
 	}
 
+	// Delete all re
+
 	for _, obj := range objs {
 		key := client.ObjectKeyFromObject(obj)
 		if err := k.Delete(ctx, obj, &client.DeleteOptions{}); err != nil {

operator/internal/handlers/dashboards_delete.go renamed to operator/internal/handlers/lokistack_cluster_scope_resources_delete.go

@@ -9,17 +9,19 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	v1 "github.com/grafana/loki/operator/api/loki/v1"
 	"github.com/grafana/loki/operator/internal/external/k8s/k8sfakes"
 	"github.com/grafana/loki/operator/internal/manifests/openshift"
 )
 
 func TestDeleteDashboards(t *testing.T) {
-	objs, err := openshift.BuildDashboards("operator-ns")
+	opts := openshift.NewOptionsClusterScope("operator-ns", v1.LokiStackList{}, nil, nil, nil)
+	objs, err := openshift.BuildDashboards(opts)
 	require.NoError(t, err)
 
 	k := &k8sfakes.FakeClient{}
 
-	err = DeleteDashboards(context.TODO(), k, "operator-ns")
+	err = DeleteClusterScopedResources(context.TODO(), k, "operator-ns", v1.LokiStackList{})
 	require.NoError(t, err)
 	require.Equal(t, k.DeleteCallCount(), len(objs))
 }
@@ -30,6 +32,6 @@ func TestDeleteDashboards_ReturnsNoError_WhenNotFound(t *testing.T) {
 		return apierrors.NewNotFound(schema.GroupResource{}, "something wasn't found")
 	}
 
-	err := DeleteDashboards(context.TODO(), k, "operator-ns")
+	err := DeleteClusterScopedResources(context.TODO(), k, "operator-ns", v1.LokiStackList{})
 	require.NoError(t, err)
 }

operator/internal/handlers/dashboards_delete_test.go renamed to operator/internal/handlers/lokistack_cluster_scope_resources_delete_test.go

@@ -152,8 +152,6 @@ func configureGatewayObjsForMode(objs []client.Object, opts Options) []client.Ob
 			}
 		}
 
-		openShiftObjs := openshift.BuildGatewayTenantModeObjects(opts.OpenShiftOptions)
-		objs = append(objs, openShiftObjs...)
 	}
 
 	return objs

operator/internal/manifests/gateway_tenants.go

@@ -303,7 +303,7 @@ func TestBuildGateway_HasExtraObjectsForTenantMode(t *testing.T) {
 	})
 
 	require.NoError(t, err)
-	require.Len(t, objs, 13)
+	require.Len(t, objs, 11)
 }
 
 func TestBuildGateway_WithExtraObjectsForTenantMode_RouteSvcMatches(t *testing.T) {
@@ -987,7 +987,7 @@ func TestBuildGateway_PodDisruptionBudget(t *testing.T) {
 	}
 	objs, err := BuildGateway(opts)
 	require.NoError(t, err)
-	require.Len(t, objs, 13)
+	require.Len(t, objs, 11)
 
 	pdb := objs[6].(*policyv1.PodDisruptionBudget)
 	require.NotNil(t, pdb)

operator/internal/manifests/gateway_test.go

@@ -15,24 +15,11 @@ func BuildGatewayObjects(opts Options) []client.Object {
 	}
 }
 
-// BuildGatewayTenantModeObjects returns a list of auxiliary openshift/k8s objects
-// for lokistack gateway deployments on OpenShift for tenant modes:
-// - openshift-logging
-// - openshift-network
-func BuildGatewayTenantModeObjects(opts Options) []client.Object {
-	return []client.Object{
-		BuildGatewayClusterRole(opts),
-		BuildGatewayClusterRoleBinding(opts),
-	}
-}
-
 // BuildRulerObjects returns a list of auxiliary openshift/k8s objects
 // for lokistack ruler deployments on OpenShift.
 func BuildRulerObjects(opts Options) []client.Object {
 	return []client.Object{
 		BuildAlertManagerCAConfigMap(opts),
 		BuildRulerServiceAccount(opts),
-		BuildRulerClusterRole(opts),
-		BuildRulerClusterRoleBinding(opts),
 	}
 }

operator/internal/manifests/openshift/build.go

@@ -6,24 +6,9 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-
-	lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
 )
 
-func TestBuildGatewayTenantModeObjects_ClusterRoleRefMatches(t *testing.T) {
-	opts := NewOptions("abc", "ns", "abc", "abc", "abc", 1*time.Minute, map[string]string{}, "abc").
-		WithTenantsForMode(lokiv1.OpenshiftLogging, "example.com", map[string]TenantData{})
-
-	objs := BuildGatewayTenantModeObjects(*opts)
-	cr := objs[0].(*rbacv1.ClusterRole)
-	rb := objs[1].(*rbacv1.ClusterRoleBinding)
-
-	require.Equal(t, cr.Kind, rb.RoleRef.Kind)
-	require.Equal(t, cr.Name, rb.RoleRef.Name)
-}
-
 func TestBuildGatewayObjects_MonitoringClusterRoleRefMatches(t *testing.T) {
 	opts := NewOptions("abc", "ns", "abc", "abc", "abc", 1*time.Minute, map[string]string{}, "abc")
 
@@ -49,18 +34,3 @@ func TestBuildGatewayObjets_RouteWithTimeoutAnnotation(t *testing.T) {
 	want := fmt.Sprintf("%.fs", routeTimeout.Seconds())
 	require.Equal(t, want, got)
 }
-
-func TestBuildRulerObjects_ClusterRoleRefMatches(t *testing.T) {
-	opts := NewOptions("abc", "ns", "abc", "abc", "abc", 1*time.Minute, map[string]string{}, "abc")
-
-	objs := BuildRulerObjects(*opts)
-	sa := objs[1].(*corev1.ServiceAccount)
-	cr := objs[2].(*rbacv1.ClusterRole)
-	rb := objs[3].(*rbacv1.ClusterRoleBinding)
-
-	require.Equal(t, sa.Kind, rb.Subjects[0].Kind)
-	require.Equal(t, sa.Name, rb.Subjects[0].Name)
-	require.Equal(t, sa.Namespace, rb.Subjects[0].Namespace)
-	require.Equal(t, cr.Kind, rb.RoleRef.Kind)
-	require.Equal(t, cr.Name, rb.RoleRef.Name)
-}