NETOBSERV-1893: fix netobserv-mertics-reader role creation [1.7 backp…

…ort] (#800) * NETOBSERV-1893: fix netobserv-mertics-reader role creation Prevent undesired mutation of the role by copying it before use. * Change ClusterRoles to be provided as functions This is to avoid keeping reference to old / potentially mutated objects.
netobserv · Oct 3, 2024 · 017d213 · 017d213
1 parent 0de6d49
commit 017d213
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 31 deletions.
diff --git a/controllers/flp/flp_controller.go b/controllers/flp/flp_controller.go
@@ -270,7 +270,8 @@ func reconcileDataAccessRoles(ctx context.Context, r *reconcilers.Common, b *bui
 		}
 	}
 	// Install netobserv-metrics-reader role
-	return r.ReconcileClusterRole(ctx, &resources.PromReaderCR)
+	cr := resources.PromReaderCR()
+	return r.ReconcileClusterRole(ctx, &cr)
 }
 
 func (r *Reconciler) getOpenShiftSubnets(ctx context.Context) ([]flowslatest.SubnetLabel, error) {

diff --git a/pkg/loki/roles.go b/pkg/loki/roles.go
@@ -10,7 +10,7 @@ import (
 
 func ClusterRoles(appName, saName, namespace string) ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding) {
 	crb := writerBinding(appName, saName, namespace)
-	return []rbacv1.ClusterRole{resources.LokiWriterCR, resources.LokiReaderCR}, []rbacv1.ClusterRoleBinding{*crb}
+	return []rbacv1.ClusterRole{resources.LokiWriterCR(), resources.LokiReaderCR()}, []rbacv1.ClusterRoleBinding{*crb}
 }
 
 func writerBinding(appName, saName, namespace string) *rbacv1.ClusterRoleBinding {

diff --git a/pkg/resources/static_resources.go b/pkg/resources/static_resources.go
@@ -7,37 +7,43 @@ import (
 	"github.com/netobserv/network-observability-operator/controllers/constants"
 )
 
-var LokiWriterCR = rbacv1.ClusterRole{
-	ObjectMeta: metav1.ObjectMeta{
-		Name: constants.LokiCRWriter,
-	},
-	Rules: []rbacv1.PolicyRule{{
-		APIGroups:     []string{"loki.grafana.com"},
-		Resources:     []string{"network"},
-		ResourceNames: []string{"logs"},
-		Verbs:         []string{"create"},
-	}},
+func LokiWriterCR() rbacv1.ClusterRole {
+	return rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: constants.LokiCRWriter,
+		},
+		Rules: []rbacv1.PolicyRule{{
+			APIGroups:     []string{"loki.grafana.com"},
+			Resources:     []string{"network"},
+			ResourceNames: []string{"logs"},
+			Verbs:         []string{"create"},
+		}},
+	}
 }
 
-var LokiReaderCR = rbacv1.ClusterRole{
-	ObjectMeta: metav1.ObjectMeta{
-		Name: constants.LokiCRReader,
-	},
-	Rules: []rbacv1.PolicyRule{{
-		APIGroups:     []string{"loki.grafana.com"},
-		Resources:     []string{"network"},
-		ResourceNames: []string{"logs"},
-		Verbs:         []string{"get"},
-	}},
+func LokiReaderCR() rbacv1.ClusterRole {
+	return rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: constants.LokiCRReader,
+		},
+		Rules: []rbacv1.PolicyRule{{
+			APIGroups:     []string{"loki.grafana.com"},
+			Resources:     []string{"network"},
+			ResourceNames: []string{"logs"},
+			Verbs:         []string{"get"},
+		}},
+	}
 }
 
-var PromReaderCR = rbacv1.ClusterRole{
-	ObjectMeta: metav1.ObjectMeta{
-		Name: constants.PromCRReader,
-	},
-	Rules: []rbacv1.PolicyRule{{
-		APIGroups: []string{"metrics.k8s.io"},
-		Resources: []string{"pods"},
-		Verbs:     []string{"create"},
-	}},
+func PromReaderCR() rbacv1.ClusterRole {
+	return rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: constants.PromCRReader,
+		},
+		Rules: []rbacv1.PolicyRule{{
+			APIGroups: []string{"metrics.k8s.io"},
+			Resources: []string{"pods"},
+			Verbs:     []string{"create"},
+		}},
+	}
 }