Fix application-log-reader ClusterRole not aggregating to admin Clust…

…erRole

component/loki.libsonnet

@@ -126,6 +126,7 @@ if loki.enabled then
     '50_loki_rbac': [ aggregate_loki_log_access ],
     '50_loki_operator_metrics_token': workaround.missing_metrics_token,
     '50_loki_ingester_fix': workaround.ingester_stuck,
+    '50_loki_logreader_fix': workaround.app_logs_reader,
   }
 else
   std.trace(

component/loki_workaround.libsonnet

@@ -1,7 +1,6 @@
 local com = import 'lib/commodore.libjsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
-local po = import 'lib/patch-operator.libsonnet';
 
 // The hiera parameters for the component
 local inv = kap.inventory();
@@ -30,6 +29,22 @@ local missing_metrics_token =
     type: 'kubernetes.io/service-account-token',
   };
 
+// ClusterRole to aggregate to `admin`.
+local app_logs_reader =
+  kube.ClusterRole('logging-application-logs-reader-aggregate') {
+    metadata+: {
+      labels+: {
+        'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
+      },
+    },
+    rules: [ {
+      apiGroups: [ 'loki.grafana.com' ],
+      resourceNames: [ 'logs' ],
+      resources: [ 'application' ],
+      verbs: [ 'get' ],
+    } ],
+  };
+
 
 // Workaround for stuck loki-ingester.
 // To be removed, once upstream is fixed.
@@ -134,4 +149,5 @@ local ingester_stuck = [
 {
   missing_metrics_token: [ missing_metrics_token ],
   ingester_stuck: ingester_stuck,
+  app_logs_reader: app_logs_reader,
 }

tests/golden/defaults/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: logging-application-logs-reader-aggregate
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+  name: logging-application-logs-reader-aggregate
+rules:
+  - apiGroups:
+      - loki.grafana.com
+    resourceNames:
+      - logs
+    resources:
+      - application
+    verbs:
+      - get

tests/golden/legacy/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: logging-application-logs-reader-aggregate
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+  name: logging-application-logs-reader-aggregate
+rules:
+  - apiGroups:
+      - loki.grafana.com
+    resourceNames:
+      - logs
+    resources:
+      - application
+    verbs:
+      - get

tests/golden/master/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: logging-application-logs-reader-aggregate
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+  name: logging-application-logs-reader-aggregate
+rules:
+  - apiGroups:
+      - loki.grafana.com
+    resourceNames:
+      - logs
+    resources:
+      - application
+    verbs:
+      - get

tests/golden/multilineerr/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: logging-application-logs-reader-aggregate
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+  name: logging-application-logs-reader-aggregate
+rules:
+  - apiGroups:
+      - loki.grafana.com
+    resourceNames:
+      - logs
+    resources:
+      - application
+    verbs:
+      - get