MGMT-21395: Add cluster monitoring label to operators's namespace with monitoring enabled by default

To provide a consistent, out-of-the-box monitoring experience, the Assisted Installer automatically enables cluster monitoring for all operators that support this feature (i.e., those with the "Enable Operator-recommended cluster monitoring..." option in OperatorHub). This choice is enabled by default and cannot be changed by the user during the assisted installation process. To enforce this, the Assisted Installer's code must perform two key actions for each monitoring-aware operator:

1. apply the openshift.io/cluster-monitoring=true label to the operator's pre-created namespace
2. if an operator does not provide its own RBAC, the installer code is responsible for creating the standard Prometheus Role and RoleBinding in the operator's namespace.

Note: When a developer adds a new operator to Assisted, they are responsible for the following:

1. Check the operator's CSV for the openshift.io/cluster-monitoring=true annotation. If the annotation is present, add the openshift.io/cluster-monitoring=true namespace label.
2. Check if the operator already includes its own Prometheus Role and RoleBinding. If not, add the logic to the installer to create them.

Author: linoyaslan

docs/dev/olm-operator-plugins.md

@@ -148,3 +148,11 @@ The first return value could be used to specify a set of manifests that will be
 manifest for creating a new namespace, a new subscription and a new operator group CR for the involved operator.
 
 The second return value it's a manifest used to configure the freshly installed operator, and it will be applied by the ```assisted-installer-controller``` job, only after the cluster have been successfully created and the OLM operators are all ready (currently the ```assisted-installer-controller``` retrieves the whole list of configurations by downloading the ```custom_manifests.json``` file fetched from the Assisted Service).
+
+## General Notes
+
+### Cluster Monitoring
+
+When adding a new operator:
+1. Check the operator's CSV for the ```openshift.io/cluster-monitoring=true``` annotation. If the annotation is present,  add the ```openshift.io/cluster-monitoring=true``` namespace label.
+2. Check if the operator already includes its own Prometheus Role and RoleBinding. If not, add the logic to the installer to create them.

internal/operators/amdgpu/templates/openshift/50_amd_gpu_namespace.yaml

@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Operator.Namespace }}
+  name: {{ .Operator.Namespace }}
+  labels:
+    openshift.io/cluster-monitoring: "true"

internal/operators/amdgpu/templates/openshift/50_amd_gpu_prometheus-role.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Operator.Namespace }}-prometheus-k8s
+  namespace: {{ .Operator.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+        - pods
+    verbs:
+      - get
+      - list
+      - watch

internal/operators/amdgpu/templates/openshift/50_amd_gpu_prometheus-rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Operator.Namespace }}-prometheus-k8s
+  namespace: {{ .Operator.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Operator.Namespace }}-prometheus-k8s
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: openshift-monitoring

internal/operators/clusterobservability/templates/openshift/50_cluster_observability_namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Operator.Namespace }}
+  labels:
+    openshift.io/cluster-monitoring: "true"

internal/operators/kubedescheduler/templates/openshift/50_kube_descheduler_namespace.yaml

@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Operator.Namespace }}
+  name: {{ .Operator.Namespace }}
+  labels:
+    openshift.io/cluster-monitoring: "true"

internal/operators/lso/manifest.go

@@ -43,6 +43,8 @@ func Manifests() (map[string][]byte, []byte, error) {
 	openshiftManifests["50_openshift-lso_ns.yaml"] = []byte(localStorageNamespace)
 	openshiftManifests["50_openshift-lso_operator_group.yaml"] = []byte(lsoOperatorGroup)
 	openshiftManifests["50_openshift-lso_subscription.yaml"] = lsoSubs
+	openshiftManifests["50_openshift-lso_prometheus-role.yaml"] = []byte(localStoragePrometheusRole)
+	openshiftManifests["50_openshift-lso_prometheus-rolebinding.yaml"] = []byte(localStoragePrometheusRoleBinding)
 	return openshiftManifests, []byte(localVolumeSet), nil
 }
 
@@ -60,7 +62,9 @@ spec:
 const localStorageNamespace = `apiVersion: v1
 kind: Namespace
 metadata:
-  name: openshift-local-storage`
+  name: openshift-local-storage
+  labels:
+    openshift.io/cluster-monitoring: "true"`
 
 const localVolumeSet = `apiVersion: "local.storage.openshift.io/v1alpha1"
 kind: "LocalVolumeSet"
@@ -73,3 +77,34 @@ spec:
   deviceInclusionSpec:
     deviceTypes:
       - "disk"`
+
+const localStoragePrometheusRole = `apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "Role"
+metadata:
+  name: "openshift-local-storage-prometheus-k8s"
+  namespace: "openshift-local-storage"
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "services"
+    - "endpoints"
+    - "pods"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"`
+
+const localStoragePrometheusRoleBinding = `apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "RoleBinding"
+metadata:
+  name: "openshift-local-storage-prometheus-k8s"
+  namespace: "openshift-local-storage"
+roleRef:
+  apiGroup: "rbac.authorization.k8s.io"
+  kind: "Role"
+  name: "openshift-local-storage-prometheus-k8s"
+subjects:
+  - kind: "ServiceAccount"
+    name: "prometheus-k8s"
+    namespace: "openshift-monitoring"`

internal/operators/nodefeaturediscovery/templates/openshift/50_nodefeaturediscovery_namespace.yaml

@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Operator.Namespace }}
+  name: {{ .Operator.Namespace }}
+  labels:
+    openshift.io/cluster-monitoring: "true"

internal/operators/numaresources/templates/openshift/50_numaresources_namespace.yaml

@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Operator.Namespace }} 
+  name: {{ .Operator.Namespace }}
+  labels:
+    openshift.io/cluster-monitoring: "true"

internal/operators/numaresources/templates/openshift/50_numaresources_prometheus-role.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Operator.Namespace }}-prometheus-k8s
+  namespace: {{ .Operator.Namespace }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - services
+    - endpoints
+     - pods
+  verbs:
+    - get
+    - list
+    - watch