Fix application-log-reader ClusterRole not aggregating to admin Clust…

…erRole

component/loki.libsonnet

@@ -126,6 +126,7 @@ if loki.enabled then
     '50_loki_rbac': [ aggregate_loki_log_access ],
     '50_loki_operator_metrics_token': workaround.missing_metrics_token,
     '50_loki_ingester_fix': workaround.ingester_stuck,
+    '50_loki_logreader_fix': workaround.patch_app_logs_reader,
   }
 else
   std.trace(

component/loki_workaround.libsonnet

@@ -30,6 +30,19 @@ local missing_metrics_token =
     type: 'kubernetes.io/service-account-token',
   };
 
+// Patches ClusterRole `logging-application-logs-reader` to aggregate to `admin`.
+local patch_app_logs_reader =
+  po.Patch(
+    kube.ClusterRole('logging-application-logs-reader'),
+    {
+      metadata: {
+        labels: {
+          'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
+        },
+      },
+    }
+  );
+
 
 // Workaround for stuck loki-ingester.
 // To be removed, once upstream is fixed.
@@ -134,4 +147,5 @@ local ingester_stuck = [
 {
   missing_metrics_token: [ missing_metrics_token ],
   ingester_stuck: ingester_stuck,
+  patch_app_logs_reader: patch_app_logs_reader,
 }

tests/defaults.yml

@@ -1,6 +1,7 @@
 applications:
   - openshift4-operators as openshift-operators-redhat
   - openshift4-monitoring
+  - patch-operator
 
 parameters:
   kapitan:
@@ -11,6 +12,9 @@ parameters:
       - type: https
         source: https://raw.githubusercontent.com/appuio/component-openshift4-monitoring/v2.9.0/lib/openshift4-monitoring-alert-patching.libsonnet
         output_path: vendor/lib/alert-patching.libsonnet
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-patch-operator/master/lib/patch-operator.libsonnet
+        output_path: vendor/lib/patch-operator.libsonnet
     compile:
       - input_type: jsonnet
         input_paths:
@@ -21,3 +25,9 @@ parameters:
     defaultInstallPlanApproval: Automatic
     defaultSource: openshift-operators-redhat
     defaultSourceNamespace: openshift-operators-redhat
+
+  patch_operator:
+    namespace: syn-patch-operator
+    patch_serviceaccount:
+      name: patch-sa
+      role_name: cluster-admin

tests/forwardingonly.yml

@@ -1,6 +1,7 @@
 applications:
   - openshift4-operators as openshift-operators-redhat
   - openshift4-monitoring
+  - patch-operator
 
 parameters:
   kapitan:
@@ -11,6 +12,9 @@ parameters:
       - type: https
         source: https://raw.githubusercontent.com/appuio/component-openshift4-monitoring/v2.9.0/lib/openshift4-monitoring-alert-patching.libsonnet
         output_path: vendor/lib/alert-patching.libsonnet
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-patch-operator/master/lib/patch-operator.libsonnet
+        output_path: vendor/lib/patch-operator.libsonnet
     compile:
       - input_type: jsonnet
         input_paths:
@@ -28,3 +32,9 @@ parameters:
         enabled: false
       elasticsearch:
         enabled: false
+
+  patch_operator:
+    namespace: syn-patch-operator
+    patch_serviceaccount:
+      name: patch-sa
+      role_name: cluster-admin

tests/golden/defaults/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,23 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: Patch
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  namespace: syn-patch-operator
+spec:
+  patches:
+    clusterrole-logging-application-logs-reader-b949fd3655a5c0b-patch:
+      patchTemplate: |-
+        "metadata":
+          "labels":
+            "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+      patchType: application/strategic-merge-patch+json
+      targetObjectRef:
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        name: logging-application-logs-reader
+  serviceAccountRef:
+    name: patch-sa

tests/golden/legacy/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,23 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: Patch
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  namespace: syn-patch-operator
+spec:
+  patches:
+    clusterrole-logging-application-logs-reader-b949fd3655a5c0b-patch:
+      patchTemplate: |-
+        "metadata":
+          "labels":
+            "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+      patchType: application/strategic-merge-patch+json
+      targetObjectRef:
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        name: logging-application-logs-reader
+  serviceAccountRef:
+    name: patch-sa

tests/golden/master/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,23 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: Patch
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  namespace: syn-patch-operator
+spec:
+  patches:
+    clusterrole-logging-application-logs-reader-b949fd3655a5c0b-patch:
+      patchTemplate: |-
+        "metadata":
+          "labels":
+            "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+      patchType: application/strategic-merge-patch+json
+      targetObjectRef:
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        name: logging-application-logs-reader
+  serviceAccountRef:
+    name: patch-sa

tests/golden/multilineerr/openshift4-logging/openshift4-logging/50_loki_logreader_fix.yaml

@@ -0,0 +1,23 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: Patch
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  name: clusterrole-logging-application-logs-reader-b949fd3655a5c0b
+  namespace: syn-patch-operator
+spec:
+  patches:
+    clusterrole-logging-application-logs-reader-b949fd3655a5c0b-patch:
+      patchTemplate: |-
+        "metadata":
+          "labels":
+            "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+      patchType: application/strategic-merge-patch+json
+      targetObjectRef:
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        name: logging-application-logs-reader
+  serviceAccountRef:
+    name: patch-sa

tests/legacy.yml

@@ -1,6 +1,7 @@
 applications:
   - openshift4-operators as openshift-operators-redhat
   - openshift4-monitoring
+  - patch-operator
 
 parameters:
   kapitan:
@@ -11,6 +12,9 @@ parameters:
       - type: https
         source: https://raw.githubusercontent.com/appuio/component-openshift4-monitoring/v2.9.0/lib/openshift4-monitoring-alert-patching.libsonnet
         output_path: vendor/lib/alert-patching.libsonnet
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-patch-operator/master/lib/patch-operator.libsonnet
+        output_path: vendor/lib/patch-operator.libsonnet
     compile:
       - input_type: jsonnet
         input_paths:
@@ -55,3 +59,9 @@ parameters:
         application-logs:
           outputRefs:
             - my-forwarder
+
+  patch_operator:
+    namespace: syn-patch-operator
+    patch_serviceaccount:
+      name: patch-sa
+      role_name: cluster-admin

tests/master.yml

@@ -1,6 +1,7 @@
 applications:
   - openshift4-operators as openshift-operators-redhat
   - openshift4-monitoring
+  - patch-operator
 
 parameters:
   kapitan:
@@ -11,6 +12,9 @@ parameters:
       - type: https
         source: https://raw.githubusercontent.com/appuio/component-openshift4-monitoring/v2.9.0/lib/openshift4-monitoring-alert-patching.libsonnet
         output_path: vendor/lib/alert-patching.libsonnet
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-patch-operator/master/lib/patch-operator.libsonnet
+        output_path: vendor/lib/patch-operator.libsonnet
     compile:
       - input_type: jsonnet
         input_paths:
@@ -49,3 +53,9 @@ parameters:
         audit-logs:
           outputRefs:
             - custom-forwarder
+
+  patch_operator:
+    namespace: syn-patch-operator
+    patch_serviceaccount:
+      name: patch-sa
+      role_name: cluster-admin

tests/multilineerr.yml

@@ -1,6 +1,7 @@
 applications:
   - openshift4-operators as openshift-operators-redhat
   - openshift4-monitoring
+  - patch-operator
 
 parameters:
   kapitan:
@@ -11,6 +12,9 @@ parameters:
       - type: https
         source: https://raw.githubusercontent.com/appuio/component-openshift4-monitoring/v2.9.0/lib/openshift4-monitoring-alert-patching.libsonnet
         output_path: vendor/lib/alert-patching.libsonnet
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-patch-operator/master/lib/patch-operator.libsonnet
+        output_path: vendor/lib/patch-operator.libsonnet
     compile:
       - input_type: jsonnet
         input_paths:
@@ -28,3 +32,9 @@ parameters:
         application-logs:
           parse: json
           detectMultilineErrors: true
+
+  patch_operator:
+    namespace: syn-patch-operator
+    patch_serviceaccount:
+      name: patch-sa
+      role_name: cluster-admin