Actually, RBAC rules are additive, so we can simply add this RBAC rule and let the agent create their own again (#176)

Signed-off-by: Pete Wall <[email protected]>

Author: petewall

charts/k8s-monitoring/templates/grafana-agent-logs-rbac.yaml

@@ -1,4 +1,5 @@
 {{- if and (eq .Values.cluster.platform "openshift") .Values.logs.enabled .Values.logs.pod_logs.enabled }}
+---
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
@@ -45,4 +46,31 @@ volumes:
 - hostPath
 - projected
 - secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "grafana-agent.fullname" (index .Subcharts "grafana-agent-logs") }}-scc
+rules:
+- verbs:
+  - use
+  apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - {{ include "grafana-agent.fullname" (index .Subcharts "grafana-agent-logs") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "grafana-agent.fullname" (index .Subcharts "grafana-agent-logs") }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "grafana-agent.fullname" (index .Subcharts "grafana-agent-logs") }}-scc
+subjects:
+- kind: ServiceAccount
+  name: {{ include "grafana-agent.serviceAccountName" (index .Subcharts "grafana-agent-logs") }}
+  namespace: {{ .Release.Namespace }}
 {{- end }}

charts/k8s-monitoring/templates/grafana-agent-rbac.yaml

@@ -17,6 +17,10 @@
                 },
                 "name": {
                     "type": "string"
+                },
+                "platform": {
+                    "type": "string",
+                    "enum": ["", "openshift"]
                 }
             }
         },

charts/k8s-monitoring/templates/platform_specific/openshift/security-context-constraint.yaml

@@ -622,10 +622,6 @@ grafana-agent:
         configMap:
           name: kubernetes-monitoring-telemetry
 
-  # This chart creates the ClusterRole and ClusterRoleBinding for Grafana Agent
-  rbac:
-    create: false
-
 # Settings for the Grafana Agent deployment
 # You can use this sections to make modifications to the Grafana Agent deployment.
 # See https://github.com/grafana/agent/tree/main/operations/helm/charts/grafana-agent for available values.
@@ -668,7 +664,3 @@ grafana-agent-logs:
   # creation attempt.
   crds:
     create: false
-
-  # This chart creates the ClusterRole and ClusterRoleBinding for Grafana Agent for logs
-  rbac:
-    create: false