From 415e92ff2a1a2322ae995d8479ab4d5f741cf0f3 Mon Sep 17 00:00:00 2001
From: Joao Marcal
Date: Wed, 10 Jan 2024 18:25:17 +0000
Subject: [PATCH] Update RBAC to work with ocp >= 4.15 and ocp < 4.15
---
 .../loki-operator.clusterserviceversion.yaml | 12 +++++-------
 .../loki-operator.clusterserviceversion.yaml | 12 +++++-------
 .../loki-operator.clusterserviceversion.yaml | 12 +++++-------
 operator/config/rbac/role.yaml | 10 ++++------
 operator/controllers/loki/lokistack_controller.go | 3 ++-
 operator/internal/manifests/openshift/rbac.go | 14 ++++++++------
 6 files changed, 29 insertions(+), 34 deletions(-)
diff --git a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
index ea869c5c90737..2915af504fd39 100644
--- a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata: categories: OpenShift Optional, Logging & Tracing certified: "false" containerImage: docker.io/grafana/loki-operator:0.5.0 - createdAt: "2024-01-09T15:56:31Z" + createdAt: "2024-01-10T18:25:00Z" description: The Community Loki Operator provides Kubernetes native deployment and management of Loki and related logging components. features.operators.openshift.io/disconnected: "true"
@@ -1420,6 +1420,10 @@ spec:
 spec:
 clusterPermissions:
 - rules:
+ - nonResourceURLs:
+ - /api/v2/alerts
+ verbs:
+ - create
 - apiGroups:
 - ""
 resources:
@@ -1593,12 +1597,6 @@ spec:
 - alertmanagers/api
 verbs:
 - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
diff --git a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
index 5584c94518502..b78b8f6d30b98 100644
--- a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata: categories: OpenShift Optional, Logging & Tracing certified: "false" containerImage: docker.io/grafana/loki-operator:0.5.0 - createdAt: "2024-01-09T15:56:30Z" + createdAt: "2024-01-10T18:24:59Z" description: The Community Loki Operator provides Kubernetes native deployment and management of Loki and related logging components. operators.operatorframework.io/builder: operator-sdk-unknown
@@ -1400,6 +1400,10 @@ spec:
 spec:
 clusterPermissions:
 - rules:
+ - nonResourceURLs:
+ - /api/v2/alerts
+ verbs:
+ - create
 - apiGroups:
 - ""
 resources:
@@ -1573,12 +1577,6 @@ spec:
 - alertmanagers/api
 verbs:
 - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
diff --git a/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
index ec2e865d288ee..b0fca996ce78f 100644
--- a/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata: categories: OpenShift Optional, Logging & Tracing certified: "false" containerImage: quay.io/openshift-logging/loki-operator:0.1.0 - createdAt: "2024-01-09T15:56:33Z" + createdAt: "2024-01-10T18:25:02Z" description: | The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging. ## Prerequisites and Requirements
@@ -1405,6 +1405,10 @@ spec:
 spec:
 clusterPermissions:
 - rules:
+ - nonResourceURLs:
+ - /api/v2/alerts
+ verbs:
+ - create
 - apiGroups:
 - ""
 resources:
@@ -1578,12 +1582,6 @@ spec:
 - alertmanagers/api
 verbs:
 - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
diff --git a/operator/config/rbac/role.yaml b/operator/config/rbac/role.yaml
index de3ed675c2c53..09dc60b8c33b9 100644
--- a/operator/config/rbac/role.yaml
+++ b/operator/config/rbac/role.yaml
@@ -4,6 +4,10 @@ kind: ClusterRole
 metadata:
 name: lokistack-manager
 rules:
+- nonResourceURLs:
+ - /api/v2/alerts
+ verbs:
+ - create
 - apiGroups:
 - ""
 resources:
@@ -177,12 +181,6 @@ rules:
 - alertmanagers/api
 verbs:
 - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
diff --git a/operator/controllers/loki/lokistack_controller.go b/operator/controllers/loki/lokistack_controller.go
index c17ce1a4cde92..487390d7287bd 100644
--- a/operator/controllers/loki/lokistack_controller.go
+++ b/operator/controllers/loki/lokistack_controller.go
@@ -123,7 +123,8 @@ type LokiStackReconciler struct {
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings;clusterroles;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=alertmanagers,verbs=patch
-// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=alertmanagers/api,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=alertmanagers/api,verbs=create
+// +kubebuilder:rbac:urls=/api/v2/alerts,verbs=create
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;create;update
 // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update
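Review bot: The added marker `// +kubebuilder:rbac:urls=/api/v2/alerts,verbs=create` in lokistack_controller.go puts a non-resource URL rule on the operator's own ClusterRole, and nothing in the marker block says why the manager needs it. A non-resource URL rule has no namespace or resource-name scope, so the reason for holding it should be written down. Presumably the operator holds it, and `alertmanagers/api` create, only so it can grant the same rules to the ruler ClusterRole, since Kubernetes RBAC will not let a subject create a role carrying permissions it does not itself have; please confirm that is the intent. I would add a plain comment above the two markers, for example `// Held only so the operator can grant these rules to the ruler ClusterRole; the two forms cover OCP < 4.15 and OCP >= 4.15.` The marker block continues outside the hunk on both sides.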
diff --git a/operator/internal/manifests/openshift/rbac.go b/operator/internal/manifests/openshift/rbac.go
index 68fa22d2c6000..46e5837a2c262 100644
--- a/operator/internal/manifests/openshift/rbac.go
+++ b/operator/internal/manifests/openshift/rbac.go
@@ -100,6 +100,14 @@ func BuildRulerClusterRole(opts Options) *rbacv1.ClusterRole {
 "patch",
 },
 },
+ {
+ NonResourceURLs: []string{
+ "/api/v2/alerts",
+ },
+ Verbs: []string{
+ "create",
+ },
+ },
 {
 APIGroups: []string{
 "monitoring.coreos.com",
@@ -108,13 +116,7 @@ func BuildRulerClusterRole(opts Options) *rbacv1.ClusterRole {
 "alertmanagers/api",
 },
 Verbs: []string{
- "get",
- "list",
- "watch",
 "create",
- "update",
- "patch",
- "delete",
 },
 },
 },
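Review bot: `BuildRulerClusterRole` now carries two rules for the same purpose, the new `NonResourceURLs: "/api/v2/alerts"` rule in the first hunk and the `alertmanagers/api` rule in the second, both with `create`, and neither says which OpenShift version consumes it. Going by the commit subject, one form serves OCP < 4.15 and the other OCP >= 4.15, so on any given cluster one grant is surplus. A short comment on each rule naming the version it serves, such as `// Alertmanager authorization on OCP <version range>; remove once that range is unsupported.`, would let a later change drop the unused one. The comment should also note that a non-resource URL rule cannot be narrowed by namespace or name, so it applies to that path wherever a proxy asks the API server to authorize it; whether `ResourceNames` can restrict the `alertmanagers/api` rule depends on what the target proxy checks and would need confirming. The function body starts and ends outside both hunks.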