Watch namespaced RBAC via ns and cluster scoped via label

Signed-off-by: Douglas Camata <[email protected]>

operators/multiclusterobservability/controllers/placementrule/hub_info_secret.go

@@ -64,7 +64,7 @@ func generateHubInfoSecret(client client.Client, obsNamespace string,
 		var err error
 		alertmanagerRouterCA, err = config.GetAlertmanagerCA(client)
 		if err != nil {
-			log.Error(err, "Failed to CA of the Alertmanager")
+			log.Error(err, "Failed to get CA of Alertmanager")
 			return nil, err
 		}
 	}

operators/multiclusterobservability/main.go

@@ -227,8 +227,16 @@ func main() {
 		&addonv1alpha1.ManagedClusterAddOn{}: {
 			Field: fields.Set{"metadata.name": util.ManagedClusterAddonName}.AsSelector(),
 		},
-		&rbacv1.Role{}:                       byObjectWithOwnerLabel,
-		&rbacv1.RoleBinding{}:                byObjectWithOwnerLabel,
+		&rbacv1.Role{}: {
+			Namespaces: map[string]cache.Config{
+				defaultNamespace: {},
+			},
+		},
+		&rbacv1.RoleBinding{}: {
+			Namespaces: map[string]cache.Config{
+				defaultNamespace: {},
+			},
+		},
 		&rbacv1.ClusterRole{}:                byObjectWithOwnerLabel,
 		&rbacv1.ClusterRoleBinding{}:         byObjectWithOwnerLabel,
 		&addonv1alpha1.ManagedClusterAddOn{}: byObjectWithOwnerLabel,

operators/multiclusterobservability/manifests/base/observatorium/cluster_role.yaml

@@ -5,6 +5,7 @@ metadata:
     app.kubernetes.io/component: controller
     app.kubernetes.io/name: observatorium-operator
     app.kubernetes.io/version: v0.1
+    owner: multicluster-observability-operator
   name: open-cluster-management:observatorium-operator
 rules:
 - apiGroups:

operators/multiclusterobservability/manifests/base/observatorium/cluster_role_binding.yaml

@@ -5,6 +5,7 @@ metadata:
     app.kubernetes.io/component: controller
     app.kubernetes.io/name: observatorium-operator
     app.kubernetes.io/version: v0.1
+    owner: multicluster-observability-operator
   name: open-cluster-management:observatorium-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -14,4 +15,3 @@ subjects:
 - kind: ServiceAccount
   name: observatorium
   namespace: open-cluster-management-observability
-

operators/multiclusterobservability/manifests/base/observatorium/prometheus_role_binding.yaml

@@ -11,4 +11,3 @@ subjects:
 - kind: ServiceAccount
   name: prometheus-k8s
   namespace: openshift-monitoring
-

operators/multiclusterobservability/manifests/endpoint-observability/aggregate_role.yaml

@@ -4,7 +4,7 @@ metadata:
   name: aggregate-observabilityaddons-edit
   labels:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    owner: "multicluster-observability-operator"
+    owner: multicluster-observability-operator
 rules:
   - verbs:
       - get

operators/multiclusterobservability/manifests/endpoint-observability/role.yaml

@@ -3,7 +3,7 @@ kind: ClusterRole
 metadata:
   name: open-cluster-management:endpoint-observability-operator
   labels:
-    owner: "multicluster-observability-operator"
+    owner: multicluster-observability-operator
 rules:
 - apiGroups:
   - apiextensions.k8s.io

operators/multiclusterobservability/manifests/endpoint-observability/role_binding.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: open-cluster-management:endpoint-observability-operator-rb
   labels:
-    owner: "multicluster-observability-operator"
+    owner: multicluster-observability-operator
 subjects:
 - kind: ServiceAccount
   name: endpoint-observability-operator-sa