chore(operator): remove ensure AM and rule-eval resource

After security hardening, those serve no purpose at the moment as AFAIK.
I also removed watches for those which is not needed.

Signed-off-by: bwplotka <[email protected]>

charts/operator/templates/role.yaml

@@ -83,7 +83,7 @@ rules:
   - deployments
   apiGroups: ["apps"]
   resourceNames: ["rule-evaluator"]
-  verbs: ["get", "list", "watch"]
+  verbs: ["get", "list"]
 - resources:
   - deployments/scale
   apiGroups: ["apps"]
@@ -98,7 +98,7 @@ rules:
   - statefulsets
   apiGroups: ["apps"]
   resourceNames: ["alertmanager"]
-  verbs: ["get", "list", "watch"]
+  verbs: ["get", "list"]
 - resources:
   - statefulsets/scale
   apiGroups: ["apps"]

manifests/operator.yaml

@@ -205,7 +205,7 @@ rules:
   - deployments
   apiGroups: ["apps"]
   resourceNames: ["rule-evaluator"]
-  verbs: ["get", "list", "watch"]
+  verbs: ["get", "list"]
 - resources:
   - deployments/scale
   apiGroups: ["apps"]
@@ -220,7 +220,7 @@ rules:
   - statefulsets
   apiGroups: ["apps"]
   resourceNames: ["alertmanager"]
-  verbs: ["get", "list", "watch"]
+  verbs: ["get", "list"]
 - resources:
   - statefulsets/scale
   apiGroups: ["apps"]

pkg/operator/operator.go

@@ -246,18 +246,6 @@ func New(logger logr.Logger, clientConfig *rest.Config, opts Options) (*Operator
 				"metadata.name":      NameCollector,
 			}),
 		},
-		&appsv1.Deployment{}: {
-			Field: fields.SelectorFromSet(fields.Set{
-				"metadata.namespace": opts.OperatorNamespace,
-				"metadata.name":      NameRuleEvaluator,
-			}),
-		},
-		&appsv1.StatefulSet{}: {
-			Field: fields.SelectorFromSet(fields.Set{
-				"metadata.namespace": opts.OperatorNamespace,
-				"metadata.name":      NameAlertmanager,
-			}),
-		},
 	}
 
 	// Determine whether VPA is installed in the cluster. If so, set up the scaling controller.

pkg/operator/operator_config.go

@@ -221,21 +221,12 @@ func (r *operatorConfigReconciler) Reconcile(ctx context.Context, req reconcile.
 		return reconcile.Result{}, fmt.Errorf("ensure alertmanager config secret: %w", err)
 	}
 
-	if err := r.ensureAlertmanagerStatefulSet(ctx, config.ManagedAlertmanager); err != nil {
-		return reconcile.Result{}, fmt.Errorf("ensure alertmanager statefulset: %w", err)
-	}
-
 	// Mirror the fetched secret data to where the rule-evaluator can
 	// mount and access.
 	if err := r.ensureRuleEvaluatorSecrets(ctx, secretData); err != nil {
 		return reconcile.Result{}, fmt.Errorf("ensure rule-evaluator secrets: %w", err)
 	}
 
-	// Ensure the rule-evaluator deployment and volume mounts.
-	if err := r.ensureRuleEvaluatorDeployment(ctx); err != nil {
-		return reconcile.Result{}, fmt.Errorf("ensure rule-evaluator deploy: %w", err)
-	}
-
 	return reconcile.Result{}, nil
 }
 
@@ -513,42 +504,6 @@ func (config *alertmanagerConfig) UnmarshalYAML(value *yaml.Node) error {
 	return nil
 }
 
-// ensureAlertmanagerStatefulSet configures the managed Alertmanager instance
-// to reflect the provided spec.
-func (r *operatorConfigReconciler) ensureAlertmanagerStatefulSet(ctx context.Context, spec *monitoringv1.ManagedAlertmanagerSpec) error {
-	if spec == nil {
-		return nil
-	}
-
-	logger, _ := logr.FromContext(ctx)
-
-	var sset appsv1.StatefulSet
-	err := r.client.Get(ctx, client.ObjectKey{Namespace: r.opts.OperatorNamespace, Name: NameAlertmanager}, &sset)
-	// Some users deliberately not want to run the alertmanager.
-	// Only emit a warning but don't cause retries
-	// as this logic gets re-triggered anyway if the StatefulSet is created later.
-	if apierrors.IsNotFound(err) {
-		logger.Error(err, "Alertmanager StatefulSet does not exist")
-		return nil
-	}
-	return err
-}
-
-// ensureRuleEvaluatorDeployment reconciles the Deployment for rule-evaluator.
-func (r *operatorConfigReconciler) ensureRuleEvaluatorDeployment(ctx context.Context) error {
-	logger, _ := logr.FromContext(ctx)
-
-	var deploy appsv1.Deployment
-	err := r.client.Get(ctx, client.ObjectKey{Namespace: r.opts.OperatorNamespace, Name: NameRuleEvaluator}, &deploy)
-	// Some users deliberately not want to run the rule-evaluator. Only emit a warning but don't cause
-	// retries as this logic gets re-triggered anyway if the Deployment is created later.
-	if apierrors.IsNotFound(err) {
-		logger.Error(err, "rule-evaluator Deployment does not exist")
-		return nil
-	}
-	return err
-}
-
 // makeAlertmanagerConfigs creates the alertmanager_config entries as described in
 // https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config.
 func (r *operatorConfigReconciler) makeAlertmanagerConfigs(ctx context.Context, spec *monitoringv1.AlertingSpec) (promconfig.AlertmanagerConfigs, map[string][]byte, error) {