MON-4361,MON-4380: Opt monitoring-plugin into Console capability

rexagod · rexagod · commit 55d6da0e1731 · 2025-10-12T23:47:44.000+05:30
Drop `monitoring-plugin` from optional components as its deployment
should only rely on the `Console` capability. This is in-line with its
corresponding task's behavior as well. Also refactored the `jsonnet`
code a bit.

Signed-off-by: Pranshu Srivastava &lt;rexagod@gmail.com&gt;
diff --git a/assets/monitoring-plugin/console-plugin.yaml b/assets/monitoring-plugin/console-plugin.yaml
@@ -2,7 +2,7 @@ apiVersion: console.openshift.io/v1
 kind: ConsolePlugin
 metadata:
   annotations:
-    capability.openshift.io/name: OptionalMonitoring
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/deployment.yaml b/assets/monitoring-plugin/deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    capability.openshift.io/name: OptionalMonitoring
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/pod-disruption-budget.yaml b/assets/monitoring-plugin/pod-disruption-budget.yaml
@@ -2,7 +2,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   annotations:
-    capability.openshift.io/name: OptionalMonitoring
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/service-account.yaml b/assets/monitoring-plugin/service-account.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   annotations:
-    capability.openshift.io/name: OptionalMonitoring
+    capability.openshift.io/name: Console
   labels:
     app.kubernetes.io/component: monitoring-plugin
     app.kubernetes.io/managed-by: cluster-monitoring-operator
diff --git a/assets/monitoring-plugin/service.yaml b/assets/monitoring-plugin/service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    capability.openshift.io/name: OptionalMonitoring
+    capability.openshift.io/name: Console
     openshift.io/description: Expose the monitoring plugin service on port 9443. This port is for internal use, and no other usage is guaranteed.
     service.beta.openshift.io/serving-cert-secret-name: monitoring-plugin-cert
   labels:
diff --git a/jsonnet/components/admission-webhook.libsonnet b/jsonnet/components/admission-webhook.libsonnet
@@ -2,7 +2,7 @@ local tlsVolumeName = 'prometheus-operator-admission-webhook-tls';
 local admissionWebhook = import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/admission-webhook.libsonnet';
 local antiAffinity = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/addons/anti-affinity.libsonnet';
 local withDescription = (import '../utils/add-annotations.libsonnet').withDescription;
-local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet');
+local optIntoCapability = (import '../utils/opt-into-capability.libsonnet');
 
 function(params)
   local aw = admissionWebhook(params);
@@ -129,7 +129,7 @@ function(params)
       ],
     },
 
-    alertmanagerConfigValidatingWebhook: optIntoOptionalMonitoring.forObject({
+    alertmanagerConfigValidatingWebhook: optIntoCapability.optionalMonitoringForObject({
       apiVersion: 'admissionregistration.k8s.io/v1',
       kind: 'ValidatingWebhookConfiguration',
       metadata: {
diff --git a/jsonnet/components/alertmanager-user-workload.libsonnet b/jsonnet/components/alertmanager-user-workload.libsonnet
@@ -6,7 +6,7 @@ local generateSecret = import '../utils/generate-secret.libsonnet';
 local withDescription = (import '../utils/add-annotations.libsonnet').withDescription;
 local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles;
 local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles;
-local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet');
+local optIntoCapability = (import '../utils/opt-into-capability.libsonnet');
 
 function(params)
   local cfg = params {
@@ -417,4 +417,4 @@ function(params)
     },
   };
 
-  optIntoOptionalMonitoring.forObjectWithWalk(o)
+  optIntoCapability.optionalMonitoringForObjectWithWalk(o)
diff --git a/jsonnet/components/alertmanager.libsonnet b/jsonnet/components/alertmanager.libsonnet
@@ -7,7 +7,7 @@ local withDescription = (import '../utils/add-annotations.libsonnet').withDescri
 local testFilePlaceholder = (import '../utils/add-annotations.libsonnet').testFilePlaceholder;
 local requiredRoles = (import '../utils/add-annotations.libsonnet').requiredRoles;
 local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles;
-local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet');
+local optIntoCapability = (import '../utils/opt-into-capability.libsonnet');
 
 function(params)
   local cfg = params {
@@ -443,4 +443,4 @@ function(params)
     },
   };
 
-  optIntoOptionalMonitoring.forObjectWithWalk(o)
+  optIntoCapability.optionalMonitoringForObjectWithWalk(o)
diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet
@@ -1,7 +1,7 @@
 local metrics = import 'github.com/openshift/telemeter/jsonnet/telemeter/metrics.jsonnet';
 
 local cmoRules = import './../rules.libsonnet';
-local optIntoOptionalMonitoring = import './../utils/opt-into-optional-monitoring.libsonnet';
+local optIntoCapability = import './../utils/opt-into-capability.libsonnet';
 local kubePrometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/mixin/custom.libsonnet';
 
 local defaults = {
@@ -330,7 +330,7 @@ function(params) {
   // - get/list/watch permissions on alertingrules and alertrelabelconfigs to detect changes requiring reconciliation.
   // - all permissions on alertingrules/finalizers to set the `ownerReferences` field on generated prometheusrules.
   // - all permissions on alertingrules/status to set the status of alertingrules.
-  alertCustomizationRole: optIntoOptionalMonitoring.forObject({
+  alertCustomizationRole: optIntoCapability.optionalMonitoringForObject({
     apiVersion: 'rbac.authorization.k8s.io/v1',
     kind: 'Role',
     metadata: {
@@ -423,7 +423,7 @@ function(params) {
 
   // This role enables read/write access to the platform Alertmanager API
   // through kube-rbac-proxy.
-  monitoringAlertmanagerEditRole: optIntoOptionalMonitoring.forObject({
+  monitoringAlertmanagerEditRole: optIntoCapability.optionalMonitoringForObject({
     apiVersion: 'rbac.authorization.k8s.io/v1',
     kind: 'Role',
     metadata: {
@@ -442,7 +442,7 @@ function(params) {
 
   // This role enables read access to the platform Alertmanager API
   // through kube-rbac-proxy.
-  monitoringAlertmanagerViewRole: optIntoOptionalMonitoring.forObject({
+  monitoringAlertmanagerViewRole: optIntoCapability.optionalMonitoringForObject({
     apiVersion: 'rbac.authorization.k8s.io/v1',
     kind: 'Role',
     metadata: {
@@ -465,7 +465,7 @@ function(params) {
   // Using "nonResourceURLs" doesn't work because authenticated users and
   // service accounts are allowed to get /api/* by default.
   // See https://issues.redhat.com/browse/OCPBUGS-17850.
-  userWorkloadAlertmanagerApiReader: optIntoOptionalMonitoring.forObject({
+  userWorkloadAlertmanagerApiReader: optIntoCapability.optionalMonitoringForObject({
     apiVersion: 'rbac.authorization.k8s.io/v1',
     kind: 'Role',
     metadata: {
@@ -482,7 +482,7 @@ function(params) {
 
   // This role provides read/write access to the user-workload Alertmanager API.
   // See the 'monitoring-alertmanager-api-reader' role for details.
-  userWorkloadAlertmanagerApiWriter: optIntoOptionalMonitoring.forObject({
+  userWorkloadAlertmanagerApiWriter: optIntoCapability.optionalMonitoringForObject({
     apiVersion: 'rbac.authorization.k8s.io/v1',
     kind: 'Role',
     metadata: {
@@ -539,7 +539,7 @@ function(params) {
   },
 
   // This role provides read/write access to the user-workload monitoring configuration.
-  userWorkloadConfigEditRole: optIntoOptionalMonitoring.forObject({
+  userWorkloadConfigEditRole: optIntoCapability.optionalMonitoringForObject({
     apiVersion: 'rbac.authorization.k8s.io/v1',
     kind: 'Role',
     metadata: {
@@ -555,7 +555,7 @@ function(params) {
   }),
 
   // This cluster role can be referenced in a RoleBinding object to provide read/write access to AlertmanagerConfiguration objects for a project.
-  alertingEditClusterRole: optIntoOptionalMonitoring.forObject({
+  alertingEditClusterRole: optIntoCapability.optionalMonitoringForObject({
     apiVersion: 'rbac.authorization.k8s.io/v1',
     kind: 'ClusterRole',
     metadata: {
diff --git a/jsonnet/components/monitoring-plugin.libsonnet b/jsonnet/components/monitoring-plugin.libsonnet
@@ -1,5 +1,5 @@
 local withDescription = (import '../utils/add-annotations.libsonnet').withDescription;
-local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet');
+local optIntoCapability = (import '../utils/opt-into-capability.libsonnet');
 
 function(params)
   local cfg = params;
@@ -225,4 +225,5 @@ function(params)
       },  // spec
     },  // deployment
   };
-  optIntoOptionalMonitoring.forObjectWithWalk(o)
+
+  optIntoCapability.consoleForObjectWithWalk(o)
diff --git a/jsonnet/components/prometheus-operator-user-workload.libsonnet b/jsonnet/components/prometheus-operator-user-workload.libsonnet
@@ -4,7 +4,7 @@ local operator = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/
 local generateSecret = import '../utils/generate-secret.libsonnet';
 local rbac = import '../utils/rbac.libsonnet';
 local withDescription = (import '../utils/add-annotations.libsonnet').withDescription;
-local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet');
+local optIntoCapability = (import '../utils/opt-into-capability.libsonnet');
 
 function(params)
   local po = operator(params);
@@ -199,4 +199,4 @@ function(params)
     },
   };
 
-  optIntoOptionalMonitoring.forObjectWithWalk(opo)
+  optIntoCapability.optionalMonitoringForObjectWithWalk(opo)
diff --git a/jsonnet/components/prometheus-operator.libsonnet b/jsonnet/components/prometheus-operator.libsonnet
@@ -6,7 +6,7 @@ local conversionWebhook = import 'github.com/prometheus-operator/prometheus-oper
 local generateSecret = import '../utils/generate-secret.libsonnet';
 local rbac = import '../utils/rbac.libsonnet';
 local withDescription = (import '../utils/add-annotations.libsonnet').withDescription;
-local optIntoOptionalMonitoring = import '../utils/opt-into-optional-monitoring.libsonnet';
+local optIntoCapability = import '../utils/opt-into-capability.libsonnet';
 
 function(params)
   local po = operator(params);
@@ -35,7 +35,7 @@ function(params)
     },
     '0alertmanagerConfigCustomResourceDefinition'+:
       // Add v1beta1 AlertmanagerConfig version.
-      optIntoOptionalMonitoring.forObject(import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') +
+      optIntoCapability.optionalMonitoringForObject(import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/alertmanagerconfigs-v1beta1-crd.libsonnet') +
       // Enable conversion webhook.
       conversionWebhook(params.conversionWebhook),
 
diff --git a/jsonnet/components/prometheus-user-workload.libsonnet b/jsonnet/components/prometheus-user-workload.libsonnet
@@ -2,7 +2,7 @@ local generateCertInjection = import '../utils/generate-certificate-injection.li
 local generateSecret = import '../utils/generate-secret.libsonnet';
 local withDescription = (import '../utils/add-annotations.libsonnet').withDescription;
 local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles;
-local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet');
+local optIntoCapability = (import '../utils/opt-into-capability.libsonnet');
 
 local prometheus = import 'github.com/prometheus-operator/kube-prometheus/jsonnet/kube-prometheus/components/prometheus.libsonnet';
 
@@ -614,4 +614,4 @@ function(params)
 
   };
 
-  optIntoOptionalMonitoring.forObjectWithWalk(o)
+  optIntoCapability.optionalMonitoringForObjectWithWalk(o)
diff --git a/jsonnet/components/thanos-ruler.libsonnet b/jsonnet/components/thanos-ruler.libsonnet
@@ -3,7 +3,7 @@ local generateSecret = import '../utils/generate-secret.libsonnet';
 local ruler = import 'github.com/thanos-io/kube-thanos/jsonnet/kube-thanos/kube-thanos-rule.libsonnet';
 local withDescription = (import '../utils/add-annotations.libsonnet').withDescription;
 local requiredClusterRoles = (import '../utils/add-annotations.libsonnet').requiredClusterRoles;
-local optIntoOptionalMonitoring = (import '../utils/opt-into-optional-monitoring.libsonnet');
+local optIntoCapability = (import '../utils/opt-into-capability.libsonnet');
 
 local defaults = {
   volumeClaimTemplate: {},
@@ -572,4 +572,4 @@ function(params)
 
   };
 
-  optIntoOptionalMonitoring.forObjectWithWalk(o)
+  optIntoCapability.optionalMonitoringForObjectWithWalk(o)
diff --git a/jsonnet/utils/opt-into-capability.libsonnet b/jsonnet/utils/opt-into-capability.libsonnet
@@ -0,0 +1,31 @@
+{
+  local addAnnotationToChild(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) =
+    parent {
+      metadata+: {
+        annotations+: {
+          [annotationKeyCapability]: annotationValueOptionalMonitoringCapability,
+        },
+      },
+    },
+  local addAnnotationToChildren(parent, annotationKeyCapability, annotationValueOptionalMonitoringCapability) =
+    local listKinds = std.set(['RoleList', 'RoleBindingList']);
+    parent {
+      [k]:
+        if std.objectHas(parent[k], 'kind') && std.setMember(parent[k].kind, listKinds) && std.objectHas(parent[k], 'items')
+        then
+          parent[k] {
+            items: [addAnnotationToChild(item, annotationKeyCapability, annotationValueOptionalMonitoringCapability) for item in parent[k].items],
+          }
+        else
+          addAnnotationToChild(parent[k], annotationKeyCapability, annotationValueOptionalMonitoringCapability)
+      for k in std.objectFields(parent)
+    },
+
+  local annotationKeyCapability = 'capability.openshift.io/name',
+  local annotationValueConsoleCapability = 'Console',
+  local annotationValueOptionalMonitoringCapability = 'OptionalMonitoring',
+  consoleForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueConsoleCapability),
+  consoleForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueConsoleCapability),
+  optionalMonitoringForObject(o): addAnnotationToChild(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability),
+  optionalMonitoringForObjectWithWalk(o): addAnnotationToChildren(o, annotationKeyCapability, annotationValueOptionalMonitoringCapability),
+}
diff --git a/jsonnet/utils/opt-into-optional-monitoring.libsonnet b/jsonnet/utils/opt-into-optional-monitoring.libsonnet
