Allow the cilium-olm service account to manage monitoring.coreos.com/servicemonitors resources

ungureanuvladvictor commented 2 years ago

When prometheus is enabled via the CiliumConfig:

spec:
  operator:
    prometheus:
      enabled: true
      serviceMonitor:
        enabled: true
  prometheus:
    enabled: true
    serviceMonitor:
      enabled: true

the cilium-olm pod starts failing with:

2022-03-25T04:06:43.436Z    ERROR   controller-runtime.manager.controller.ciliumconfig-controller   Reconciler error    {"name": "cilium", "namespace": "cilium", "error": "failed to get candidate release: rendered manifests contain a resource that already exists. Unable to continue with update: could not get information about the resource: servicemonitors.monitoring.coreos.com \"cilium-agent\" is forbidden: User \"system:serviceaccount:cilium:cilium-olm\" cannot get resource \"servicemonitors\" in API group \"monitoring.coreos.com\" in the namespace \"cilium\": RBAC: role.rbac.authorization.k8s.io \"leader-election\" not found"}
github.com/go-logr/zapr.(*zapLogger).Error
    /go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.2/pkg/internal/controller/controller.go:301
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.2/pkg/internal/controller/controller.go:252
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.8.2/pkg/internal/controller/controller.go:215
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1
    /go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
    /go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
    /go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
    /go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext
    /go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.UntilWithContext
    /go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:99

ungureanuvladvictor commented 2 years ago

@nathanjsweet -- tagging you via a comment, don't have perms to assign the PR to you for a review.

nathanjsweet commented 2 years ago

Thanks Vlad!

ungureanuvladvictor commented 2 years ago

@nathanjsweet -- do you think it would be useful to re-generate the previous https://github.com/cilium/cilium-olm/tree/master/manifests to include this as well? Or should I wait for a Cilium v1.11.3+ that will include this?

cilium / cilium-olm

Allow the cilium-olm service account to manage monitoring.coreos.com/servicemonitors resources #54