Split configmaps for thanos operator (#773)

philipgough · web-flow · commit 9de55945487d · 2025-03-06T14:28:18.000Z
diff --git a/magefiles/operator.go b/magefiles/operator.go
@@ -151,7 +151,7 @@ func (l Local) Operator() {
 }
 
 func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
-	return []runtime.Object{
+	objs := []runtime.Object{
 		&corev1.ServiceAccount{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: "v1",
@@ -797,31 +797,49 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
 			},
 		},
 		operatorDeployment(namespace, m),
-		operatorServingCertConfigMap(namespace),
 	}
+	for _, cm := range operatorServingCertConfigMaps(namespace) {
+		objs = append(objs, cm)
+	}
+	return objs
 }
 
-func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
-	return &corev1.ConfigMap{
+func operatorServingCertConfigMaps(namespace string) []*corev1.ConfigMap {
+	labels := map[string]string{
+		"app.kubernetes.io/component":  "manager",
+		"app.kubernetes.io/created-by": "thanos-operator",
+		"app.kubernetes.io/instance":   "controller-manager",
+		"app.kubernetes.io/managed-by": "rhobs",
+		"app.kubernetes.io/name":       "configmap",
+		"app.kubernetes.io/part-of":    "thanos-operator",
+	}
+
+	serviceCert := &corev1.ConfigMap{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
 			Kind:       "ConfigMap",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "thanos-operator-serving-cert",
 			Namespace: namespace,
-			Labels: map[string]string{
-				"app.kubernetes.io/component":  "manager",
-				"app.kubernetes.io/created-by": "thanos-operator",
-				"app.kubernetes.io/instance":   "controller-manager",
-				"app.kubernetes.io/managed-by": "rhobs",
-				"app.kubernetes.io/name":       "configmap",
-				"app.kubernetes.io/part-of":    "thanos-operator",
-			},
+			Labels:    labels,
 			Annotations: map[string]string{
 				"service.beta.openshift.io/inject-cabundle": "true",
 			},
 		},
+		Data: map[string]string{},
+	}
+
+	rbacConfig := &corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "thanos-operator-rbac-config",
+			Namespace: namespace,
+			Labels:    labels,
+		},
 		Data: map[string]string{
 			"config.yaml": `"authorization":
   "static":
@@ -832,6 +850,7 @@ func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
     "verb": "get"`,
 		},
 	}
+	return []*corev1.ConfigMap{serviceCert, rbacConfig}
 }
 
 func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
@@ -893,7 +912,7 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 								"--tls-cert-file=/etc/tls/private/tls.crt",
 								"--tls-private-key-file=/etc/tls/private/tls.key",
 								"--client-ca-file=/etc/service-ca/service-ca.crt",
-								"--config-file=/etc/service-ca/config.yaml",
+								"--config-file=/etc/config/config.yaml",
 							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
@@ -906,6 +925,11 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 									MountPath: "/etc/service-ca",
 									ReadOnly:  true,
 								},
+								{
+									Name:      "config",
+									MountPath: "/etc/config",
+									ReadOnly:  true,
+								},
 							},
 							Ports: []corev1.ContainerPort{
 								{
@@ -994,6 +1018,18 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 								},
 							},
 						},
+						{
+							Name: "config",
+							VolumeSource: corev1.VolumeSource{
+								ConfigMap: &corev1.ConfigMapVolumeSource{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "thanos-operator-rbac-config",
+									},
+									DefaultMode: ptr.To(int32(420)),
+									Optional:    ptr.To(false),
+								},
+							},
+						},
 					},
 					ServiceAccountName:            "thanos-operator-controller-manager",
 					TerminationGracePeriodSeconds: ptr.To(int64(10)),
diff --git a/resources/services/bundle/staging/operator.yaml b/resources/services/bundle/staging/operator.yaml
@@ -71,7 +71,7 @@ objects:
           - --tls-cert-file=/etc/tls/private/tls.crt
           - --tls-private-key-file=/etc/tls/private/tls.key
           - --client-ca-file=/etc/service-ca/service-ca.crt
-          - --config-file=/etc/service-ca/config.yaml
+          - --config-file=/etc/config/config.yaml
           image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:98455d503b797b6b02edcfd37045c8fab0796b95ee5cf4cfe73b221a07e805f0
           imagePullPolicy: IfNotPresent
           name: kube-rbac-proxy
@@ -98,6 +98,9 @@ objects:
           - mountPath: /etc/service-ca
             name: service-ca
             readOnly: true
+          - mountPath: /etc/config
+            name: config
+            readOnly: true
         - args:
           - --health-probe-bind-address=:8081
           - --metrics-bind-address=127.0.0.1:8080
@@ -156,6 +159,11 @@ objects:
             name: openshift-service-ca.crt
             optional: false
           name: service-ca
+        - configMap:
+            defaultMode: 420
+            name: thanos-operator-rbac-config
+            optional: false
+          name: config
   status: {}
 - apiVersion: v1
   kind: ServiceAccount
@@ -450,6 +458,19 @@ objects:
             "name": "system:serviceaccount:openshift-customer-monitoring:prometheus-k8s"
           "verb": "get"
   kind: ConfigMap
+  metadata:
+    creationTimestamp: null
+    labels:
+      app.kubernetes.io/component: manager
+      app.kubernetes.io/created-by: thanos-operator
+      app.kubernetes.io/instance: controller-manager
+      app.kubernetes.io/managed-by: rhobs
+      app.kubernetes.io/name: configmap
+      app.kubernetes.io/part-of: thanos-operator
+    name: thanos-operator-rbac-config
+    namespace: rhobs-stage
+- apiVersion: v1
+  kind: ConfigMap
   metadata:
     annotations:
       service.beta.openshift.io/inject-cabundle: "true"
