From 50178243765a15416263ffcd10d711293231dc02 Mon Sep 17 00:00:00 2001
From: mwringe <mwringe@redhat.com>
Date: Mon, 24 Jul 2017 17:32:20 -0400
Subject: Metrics: grant hawkular namespace listener role

---
 .../tasks/generate_rolebindings.yaml               | 24 ++++++++++++++++++++++
 .../openshift_metrics/tasks/uninstall_metrics.yaml |  3 ++-
 .../templates/hawkular_metrics_role.j2             | 15 ++++++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 roles/openshift_metrics/templates/hawkular_metrics_role.j2

diff --git a/roles/openshift_metrics/tasks/generate_rolebindings.yaml b/roles/openshift_metrics/tasks/generate_rolebindings.yaml
index e050c8eb2..1304ab8b5 100644
--- a/roles/openshift_metrics/tasks/generate_rolebindings.yaml
+++ b/roles/openshift_metrics/tasks/generate_rolebindings.yaml
@@ -13,3 +13,27 @@
     - kind: ServiceAccount
       name: hawkular
   changed_when: no
+
+- name: generate hawkular-metrics cluster role binding for the hawkular service account
+  template:
+    src: rolebinding.j2
+    dest: "{{ mktemp.stdout }}/templates/hawkular-cluster-rolebinding.yaml"
+  vars:
+    cluster: True
+    obj_name: hawkular-namespace-watcher
+    labels:
+      metrics-infra: hawkular
+    roleRef:
+      kind: ClusterRole
+      name: hawkular-metrics
+    subjects:
+    - kind: ServiceAccount
+      name: hawkular
+      namespace: "{{openshift_metrics_project}}"
+  changed_when: no
+
+- name: generate the hawkular cluster role
+  template:
+    src: hawkular_metrics_role.j2
+    dest: "{{ mktemp.stdout }}/templates/hawkular-cluster-role.yaml"
+  changed_when: no
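Review bot: The `hawkular-namespace-watcher` task creates a cluster-scoped binding (`cluster: True`, `roleRef.kind: ClusterRole`), but nothing marks it as different from the namespaced binding above it. A comment above the task would make the scope explicit for later reviewers, for example `# Cluster-wide, read-only grant: binds the hawkular service account to the hawkular-metrics ClusterRole (namespaces: list/get/watch).` Pinning `namespace: "{{openshift_metrics_project}}"` on the subject is right for a cluster binding and should be kept. As a smaller style point, the added lines mix `True` and `no`; plain `true`/`false` avoids parser-dependent truthy handling.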
diff --git a/roles/openshift_metrics/tasks/uninstall_metrics.yaml b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
index 9a5d52eb6..403b1252c 100644
--- a/roles/openshift_metrics/tasks/uninstall_metrics.yaml
+++ b/roles/openshift_metrics/tasks/uninstall_metrics.yaml
@@ -6,7 +6,7 @@
   command: >
     {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} --config={{ mktemp.stdout }}/admin.kubeconfig
     delete --ignore-not-found --selector=metrics-infra
-    all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings
+    all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings,clusterrole
   register: delete_metrics
   changed_when: delete_metrics.stdout != 'No resources found'
 
@@ -16,4 +16,5 @@
     delete --ignore-not-found
     rolebinding/hawkular-view
     clusterrolebinding/heapster-cluster-reader
+    clusterrolebinding/hawkular-metrics
   changed_when: delete_metrics.stdout != 'No resources found'
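Review bot: The added `clusterrolebinding/hawkular-metrics` does not match the binding created in generate_rolebindings.yaml, which passes `obj_name: hawkular-namespace-watcher`; `hawkular-metrics` is the name of the ClusterRole, not the binding. Assuming rolebinding.j2 uses `obj_name` as the object name (the template is not shown here), this delete finds nothing and `--ignore-not-found` hides that. Removal of the cluster-wide grant then depends entirely on the `metrics-infra` label selector in the previous task. The line should probably read `clusterrolebinding/hawkular-namespace-watcher`. The task itself starts above this hunk, so its `name:` and any `register:` are not visible.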
diff --git a/roles/openshift_metrics/templates/hawkular_metrics_role.j2 b/roles/openshift_metrics/templates/hawkular_metrics_role.j2
new file mode 100644
index 000000000..6c9dbf5d6
--- /dev/null
+++ b/roles/openshift_metrics/templates/hawkular_metrics_role.j2
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ClusterRole
+metadata:
+  name: hawkular-metrics
+  labels:
+    metrics-infra: hawkular-metrics
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - list
+  - get
+  - watch
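Review bot: The label value here, `metrics-infra: hawkular-metrics`, differs from the `metrics-infra: hawkular` that generate_rolebindings.yaml puts on the binding referencing this role. The uninstall selector matches on the label key only, so both objects are still removed, but an audit or cleanup that filters by value will see only one half of the grant. Either align the two values or record the choice in a template comment. A short header would also help keep the role minimal, such as `# Read-only access to namespaces for the hawkular service account; keep to get/list/watch.`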
-- 
cgit v1.2.3