From 889e3e6f9cc98a5e9b7c2d7ae3b50b87d73fb20c Mon Sep 17 00:00:00 2001
From: mgirgisf <mgirgisf@redhat.com>
Date: Wed, 25 Jun 2025 10:30:31 +0200
Subject: [PATCH 1/5] test rbac-proxy

---
 roles/telemetry_verify_metrics/tasks/main.yml |  4 +
 .../tasks/verify_rbac.yml                     | 76 +++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 roles/telemetry_verify_metrics/tasks/verify_rbac.yml

diff --git a/roles/telemetry_verify_metrics/tasks/main.yml b/roles/telemetry_verify_metrics/tasks/main.yml
index c45e62f1d..5dc4c8b6a 100644
--- a/roles/telemetry_verify_metrics/tasks/main.yml
+++ b/roles/telemetry_verify_metrics/tasks/main.yml
@@ -23,6 +23,10 @@
         condition_type: Ready
   tags: precheck
 
+- name: Verify kube-rbac-proxy
+  ansible.builtin.include_tasks:
+    file: verify_rbac.yml
+
 - name: Verify RabbitMQ metrics are being exposed and stored
   ansible.builtin.include_tasks:
     file: verify_rabbitmq_metrics.yml
diff --git a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
new file mode 100644
index 000000000..6b1013275
--- /dev/null
+++ b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
@@ -0,0 +1,76 @@
+- name: Verify the container exist in the prometheus-metric-storage-0
+  ansible.builtin.shell: |
+    oc describe pod prometheus-metric-storage-0
+  register: result
+  changed_when: false
+
+- name: Verify kube-rbac-proxy is up and running
+  ansible.builtin.shell: |
+    oc logs prometheus-metric-storage-0 -c kube-rbac-proxy
+  register: result
+  changed_when: false
+
+- name: Create Service Account to Test
+  ansible.builtin.shell: |
+    oc apply -f - <<EOF
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: proxy-test
+      namespace: openstack
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: metrics
+    rules:
+    - nonResourceURLs:
+      - /metrics
+      verbs:
+      - get
+    - apiGroups: [""]
+      resources: ["pods", "pods/metrics"]
+      verbs: ["get", "list", "watch"]
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: metrics
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: metrics
+    subjects:
+    - kind: ServiceAccount
+      name: proxy-test
+      namespace: openstack
+    EOF
+  changed_when: false
+
+- name: Verify metrics through proxy
+  ansible.builtin.shell: |
+    oc exec -it openstackclient -- curl -v -k   -H "Authorization: Bearer $(oc create token proxy-test)"  https://metric-storage-prometheus:8443/metrics
+  register: result
+  changed_when: false
+
+
+- name: Verify clusterrolebinding
+  ansible.builtin.shell: |
+    oc get clusterrolebinding telemetry-operator-proxy-rolebinding
+  register: result
+  changed_when: false
+
+
+- name: Verify clusterrole
+  ansible.builtin.shell: |
+    oc get clusterrole openstack-operator-proxy-role
+  register: result
+  changed_when: false
+
+
+- name: Verify clusterrole telemetry-operator
+  ansible.builtin.shell: |
+    oc get clusterrole telemetry-operator-proxy-role
+  register: result
+  changed_when: false
+

From 654367d169b73ffb692a523cc352254f6c49a415 Mon Sep 17 00:00:00 2001
From: mgirgisf <mgirgisf@redhat.com>
Date: Mon, 30 Jun 2025 10:42:29 +0200
Subject: [PATCH 2/5]  Test with the exist clusterrole

---
 .../tasks/verify_rbac.yml                     | 44 +++----------------
 1 file changed, 7 insertions(+), 37 deletions(-)

diff --git a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
index 6b1013275..76b870fee 100644
--- a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
+++ b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
@@ -10,50 +10,20 @@
   register: result
   changed_when: false
 
-- name: Create Service Account to Test
-  ansible.builtin.shell: |
-    oc apply -f - <<EOF
-    apiVersion: v1
-    kind: ServiceAccount
-    metadata:
-      name: proxy-test
-      namespace: openstack
-    ---
-    apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
-    metadata:
-      name: metrics
-    rules:
-    - nonResourceURLs:
-      - /metrics
-      verbs:
-      - get
-    - apiGroups: [""]
-      resources: ["pods", "pods/metrics"]
-      verbs: ["get", "list", "watch"]
-    ---
-    apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
-    metadata:
-      name: metrics
-    roleRef:
-      apiGroup: rbac.authorization.k8s.io
-      kind: ClusterRole
-      name: metrics
-    subjects:
-    - kind: ServiceAccount
-      name: proxy-test
-      namespace: openstack
-    EOF
-  changed_when: false
 
 - name: Verify metrics through proxy
   ansible.builtin.shell: |
-    oc exec -it openstackclient -- curl -v -k   -H "Authorization: Bearer $(oc create token proxy-test)"  https://metric-storage-prometheus:8443/metrics
+    oc exec -it openstackclient -- curl -v -k   -H "Authorization: Bearer $(oc create token telemetry-operator-metrics-reader)"  https://metric-storage-prometheus:8443/metrics
   register: result
   changed_when: false
 
 
+- name: Verify all clusterroles
+  ansible.builtin.shell: |
+    oc get clusterrole
+  register: result
+  changed_when: false
+
 - name: Verify clusterrolebinding
   ansible.builtin.shell: |
     oc get clusterrolebinding telemetry-operator-proxy-rolebinding

From 8859f10685553d72c13b7a321a88a3d61f3862a9 Mon Sep 17 00:00:00 2001
From: mgirgisf <mgirgisf@redhat.com>
Date: Tue, 1 Jul 2025 09:19:07 +0200
Subject: [PATCH 3/5] print result

---
 roles/telemetry_verify_metrics/tasks/verify_rbac.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
index 76b870fee..a8153184d 100644
--- a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
+++ b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
@@ -17,6 +17,9 @@
   register: result
   changed_when: false
 
+- name: Print the result of metrics
+  ansible.builtin.debug:
+    var: result.stdout_lines
 
 - name: Verify all clusterroles
   ansible.builtin.shell: |
@@ -24,6 +27,10 @@
   register: result
   changed_when: false
 
+- name: Print the result of clusterroles
+  ansible.builtin.debug:
+    var: result.stdout_lines
+
 - name: Verify clusterrolebinding
   ansible.builtin.shell: |
     oc get clusterrolebinding telemetry-operator-proxy-rolebinding
@@ -38,9 +45,4 @@
   changed_when: false
 
 
-- name: Verify clusterrole telemetry-operator
-  ansible.builtin.shell: |
-    oc get clusterrole telemetry-operator-proxy-role
-  register: result
-  changed_when: false
 

From 2be4518d055f863b2e53c28cc08c8ed7580bb02f Mon Sep 17 00:00:00 2001
From: mgirgisf <mgirgisf@redhat.com>
Date: Tue, 1 Jul 2025 10:56:39 +0200
Subject: [PATCH 4/5] append serviceAccount to exist clusterrole

---
 .../tasks/verify_rbac.yml                     | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
index a8153184d..b138d1ace 100644
--- a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
+++ b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
@@ -10,10 +10,33 @@
   register: result
   changed_when: false
 
+- name: Create Service Account to Test
+  ansible.builtin.shell: |
+    oc apply -f - <<EOF
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: proxy-test
+      namespace: openstack
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: metrics
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: openstack-operator-metrics-reader
+    subjects:
+    - kind: ServiceAccount
+      name: proxy-test
+      namespace: openstack
+    EOF
+  changed_when: false
 
 - name: Verify metrics through proxy
   ansible.builtin.shell: |
-    oc exec -it openstackclient -- curl -v -k   -H "Authorization: Bearer $(oc create token telemetry-operator-metrics-reader)"  https://metric-storage-prometheus:8443/metrics
+    oc exec -it openstackclient -- curl -v -k   -H "Authorization: Bearer $(oc create token proxy-test)"  https://metric-storage-prometheus:8443/metrics
   register: result
   changed_when: false
 

From 780cd00af9c9964b1783df3d2a5a8c07d2deeda6 Mon Sep 17 00:00:00 2001
From: mgirgisf <mgirgisf@redhat.com>
Date: Wed, 2 Jul 2025 11:14:21 +0200
Subject: [PATCH 5/5] debug auth faliure

---
 .../tasks/verify_rbac.yml                     | 27 ++++++++++++-------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
index b138d1ace..b22bde6b7 100644
--- a/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
+++ b/roles/telemetry_verify_metrics/tasks/verify_rbac.yml
@@ -4,12 +4,21 @@
   register: result
   changed_when: false
 
+- name: Print the result of rometheus-metric-storage-0
+  ansible.builtin.debug:
+    var: result.stdout_lines
+
+
 - name: Verify kube-rbac-proxy is up and running
   ansible.builtin.shell: |
     oc logs prometheus-metric-storage-0 -c kube-rbac-proxy
   register: result
   changed_when: false
 
+- name: Print the result of metrics
+  ansible.builtin.debug:
+    var: result.stdout_lines
+
 - name: Create Service Account to Test
   ansible.builtin.shell: |
     oc apply -f - <<EOF
@@ -44,28 +53,26 @@
   ansible.builtin.debug:
     var: result.stdout_lines
 
-- name: Verify all clusterroles
+- name: Print kube-rbac-proxy logs
   ansible.builtin.shell: |
-    oc get clusterrole
+    oc logs prometheus-metric-storage-0 -c kube-rbac-proxy
   register: result
   changed_when: false
 
-- name: Print the result of clusterroles
+- name: Print the result of metrics
   ansible.builtin.debug:
     var: result.stdout_lines
 
-- name: Verify clusterrolebinding
+- name: Verify all clusterroles
   ansible.builtin.shell: |
-    oc get clusterrolebinding telemetry-operator-proxy-rolebinding
+    oc get clusterrole
   register: result
   changed_when: false
 
+- name: Print the result of clusterroles
+  ansible.builtin.debug:
+    var: result.stdout_lines
 
-- name: Verify clusterrole
-  ansible.builtin.shell: |
-    oc get clusterrole openstack-operator-proxy-role
-  register: result
-  changed_when: false