Add metrics role and extend view role (#519)

* Extend view role. Add a role for metrics api

Signed-off-by: svor <vsvydenk@redhat.com>

deploy/olm-catalog/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml

@@ -82,13 +82,13 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:nightly
-    createdAt: "2020-11-16T13:57:54Z"
+    createdAt: "2020-11-17T10:26:58Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     operatorframework.io/suggested-namespace: eclipse-che
     repository: https://github.com/eclipse/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-kubernetes.v7.22.0-31.nightly
+  name: eclipse-che-preview-kubernetes.v7.22.0-33.nightly
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -430,6 +430,15 @@ spec:
                 - '*'
               verbs:
                 - '*'
+            - apiGroups:
+                - metrics.k8s.io
+              resources:
+                - pods
+                - nodes
+              verbs:
+                - get
+                - list
+                - watch
           serviceAccountName: che-operator
     strategy: deployment
   installModes:
@@ -461,4 +470,4 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.22.0-31.nightly
+  version: 7.22.0-33.nightly

deploy/olm-catalog/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml

@@ -74,13 +74,13 @@ metadata:
     categories: Developer Tools, OpenShift Optional
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:nightly
-    createdAt: "2020-11-16T13:58:00Z"
+    createdAt: "2020-11-17T10:27:06Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces in OpenShift.
     operatorframework.io/suggested-namespace: eclipse-che
     repository: https://github.com/eclipse/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-openshift.v7.22.0-31.nightly
+  name: eclipse-che-preview-openshift.v7.22.0-33.nightly
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -451,6 +451,15 @@ spec:
                 - '*'
               verbs:
                 - '*'
+            - apiGroups:
+                - metrics.k8s.io
+              resources:
+                - pods
+                - nodes
+              verbs:
+                - get
+                - list
+                - watch
           serviceAccountName: che-operator
     strategy: deployment
   installModes:
@@ -481,4 +490,4 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.22.0-31.nightly
+  version: 7.22.0-33.nightly

deploy/role.yaml

@@ -87,3 +87,12 @@ rules:
   - '*'
   verbs:
   - '*'
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch

pkg/controller/che/che_controller.go

@@ -545,9 +545,9 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 		}
 	}
 
-	// create exec and view roles for CheCluster server and workspaces
-	role, err := deploy.SyncRoleToCluster(deployContext, "exec", []string{"pods/exec"}, []string{"*"})
-	if role == nil {
+	// create exec role for CheCluster server and workspaces
+	execRole, err := deploy.SyncExecRoleToCluster(deployContext)
+	if execRole == nil {
 		logrus.Info("Waiting on role 'exec' to be created")
 		if err != nil {
 			logrus.Error(err)
@@ -557,7 +557,8 @@ func (r *ReconcileChe) Reconcile(request reconcile.Request) (reconcile.Result, e
 		}
 	}
 
-	viewRole, err := deploy.SyncRoleToCluster(deployContext, "view", []string{"pods"}, []string{"list"})
+	// create view role for CheCluster server and workspaces
+	viewRole, err := deploy.SyncViewRoleToCluster(deployContext)
 	if viewRole == nil {
 		logrus.Info("Waiting on role 'view' to be created")
 		if err != nil {

pkg/deploy/role.go

@@ -13,7 +13,10 @@ package deploy
 
 import (
 	"context"
+	"fmt"
 
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/sirupsen/logrus"
 	rbac "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -23,13 +26,79 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
+var roleDiffOpts = cmp.Options{
+	cmpopts.IgnoreFields(rbac.Role{}, "TypeMeta", "ObjectMeta"),
+	cmpopts.IgnoreFields(rbac.PolicyRule{}, "ResourceNames", "NonResourceURLs"),
+}
+
+func SyncTLSRoleToCluster(deployContext *DeployContext) (*rbac.Role, error) {
+	tlsPolicyRule := []rbac.PolicyRule{
+		{
+			APIGroups: []string{
+				"",
+			},
+			Resources: []string{
+				"secrets",
+			},
+			Verbs:     []string{
+				"create",
+			},
+		},
+	}
+	return SyncRoleToCluster(deployContext, CheTLSJobRoleName, tlsPolicyRule)	
+}
+
+func SyncExecRoleToCluster(deployContext *DeployContext) (*rbac.Role, error) {
+	execPolicyRule := []rbac.PolicyRule{
+		{
+			APIGroups: []string{
+				"",
+			},
+			Resources: []string{
+				"pods/exec",
+			},
+			Verbs:     []string{
+				"*",
+			},
+		},
+	}
+	return SyncRoleToCluster(deployContext, "exec", execPolicyRule)	
+}
+
+func SyncViewRoleToCluster(deployContext *DeployContext) (*rbac.Role, error) {
+	viewPolicyRule := []rbac.PolicyRule{
+		{
+			APIGroups: []string{
+				"",
+			},
+			Resources: []string{
+				"pods",
+			},
+			Verbs:     []string{
+				"list", "get",
+			},
+		},
+		{
+			APIGroups: []string{
+				"metrics.k8s.io",
+			},
+			Resources: []string{
+				"pods",
+			},
+			Verbs:     []string{
+				"list", "get", "watch",
+			},
+		},
+	}
+	return SyncRoleToCluster(deployContext, "view", viewPolicyRule)	
+}
+
 func SyncRoleToCluster(
 	deployContext *DeployContext,
 	name string,
-	resources []string,
-	verbs []string) (*rbac.Role, error) {
+	policyRule []rbac.PolicyRule) (*rbac.Role, error) {
 
-	specRole, err := getSpecRole(deployContext, name, resources, verbs)
+	specRole, err := getSpecRole(deployContext, name, policyRule)
 	if err != nil {
 		return nil, err
 	}
@@ -44,6 +113,15 @@ func SyncRoleToCluster(
 		err := deployContext.ClusterAPI.Client.Create(context.TODO(), specRole)
 		return nil, err
 	}
+	
+	diff := cmp.Diff(clusterRole, specRole, roleDiffOpts)
+	if len(diff) > 0 {
+		logrus.Infof("Updating existed object: %s, name: %s", clusterRole.Kind, clusterRole.Name)
+		fmt.Printf("Difference:\n%s", diff)
+		clusterRole.Rules = specRole.Rules
+		err := deployContext.ClusterAPI.Client.Update(context.TODO(), clusterRole)
+		return nil, err
+	}
 
 	return clusterRole, nil
 }
@@ -64,7 +142,7 @@ func getClusterRole(name string, namespace string, client runtimeClient.Client)
 	return role, nil
 }
 
-func getSpecRole(deployContext *DeployContext, name string, resources []string, verbs []string) (*rbac.Role, error) {
+func getSpecRole(deployContext *DeployContext, name string, policyRule []rbac.PolicyRule) (*rbac.Role, error) {
 	labels := GetLabels(deployContext.CheCluster, DefaultCheFlavor(deployContext.CheCluster))
 	role := &rbac.Role{
 		TypeMeta: metav1.TypeMeta{
@@ -76,15 +154,7 @@ func getSpecRole(deployContext *DeployContext, name string, resources []string,
 			Namespace: deployContext.CheCluster.Namespace,
 			Labels:    labels,
 		},
-		Rules: []rbac.PolicyRule{
-			{
-				APIGroups: []string{
-					"",
-				},
-				Resources: resources,
-				Verbs:     verbs,
-			},
-		},
+		Rules: policyRule,
 	}
 
 	err := controllerutil.SetControllerReference(deployContext.CheCluster, role, deployContext.ClusterAPI.Scheme)

pkg/deploy/tls.go

@@ -298,7 +298,7 @@ func K8sHandleCheTLSSecrets(deployContext *DeployContext) (reconcile.Result, err
 			return reconcile.Result{RequeueAfter: time.Second}, err
 		}
 
-		role, err := SyncRoleToCluster(deployContext, CheTLSJobRoleName, []string{"secrets"}, []string{"create"})
+		role, err := SyncTLSRoleToCluster(deployContext)
 		if role == nil {
 			return reconcile.Result{RequeueAfter: time.Second}, err
 		}