From 82239679bab7d57eebf9af89c28bcfafe73ede4c Mon Sep 17 00:00:00 2001 From: Jan Fajerski Date: Wed, 18 Feb 2026 11:35:43 +0100 Subject: [PATCH] fix: monitoring: create unique cluster roles Otherwise two stack with the same name in two namespaces try to create the same cluster roles. Signed-off-by: Jan Fajerski --- .../monitoring/monitoring-stack/components.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go index 76514cf9b..77eaeba0c 100644 --- a/pkg/controllers/monitoring/monitoring-stack/components.go +++ b/pkg/controllers/monitoring/monitoring-stack/components.go @@ -50,6 +50,9 @@ func stackComponentReconcilers( ) []reconciler.Reconciler { prometheusName := ms.Name + "-prometheus" alertmanagerName := ms.Name + "-alertmanager" + namespace := ms.Namespace + prometheusClusterRoleName := ms.Name + "-prometheus" + "-" + namespace + alertmanagerClusterRoleName := ms.Name + "-alertmanager" + "-" + namespace additionalScrapeConfigsSecretName := ms.Name + "-self-scrape" hasNsSelector := ms.Spec.NamespaceSelector != nil createCRB := hasNsSelector && ms.Spec.CreateClusterRoleBindings == stack.CreateClusterRoleBindings @@ -58,7 +61,7 @@ func stackComponentReconcilers( return []reconciler.Reconciler{ // Prometheus Deployment reconciler.NewUpdater(newServiceAccount(prometheusName, ms.Namespace), ms), - reconciler.NewUpdater(newPrometheusClusterRole(prometheusName, rbacVerbs), ms), + reconciler.NewUpdater(newPrometheusClusterRole(prometheusClusterRoleName, rbacVerbs), ms), reconciler.NewUpdater(newAdditionalScrapeConfigsSecret(ms, additionalScrapeConfigsSecretName), ms), reconciler.NewUpdater(newPrometheus(ms, prometheusName, additionalScrapeConfigsSecretName, @@ -71,13 +74,13 @@ func stackComponentReconcilers( // Alertmanager Deployment reconciler.NewOptionalUpdater(newServiceAccount(alertmanagerName, ms.Namespace), ms, deployAlertmanager), // create clusterrolebinding if nsSelector's present otherwise a rolebinding - reconciler.NewOptionalUpdater(newClusterRoleBinding(ms, prometheusName), ms, createCRB), + reconciler.NewOptionalUpdater(newClusterRoleBinding(ms, prometheusClusterRoleName), ms, createCRB), reconciler.NewOptionalUpdater(newRoleBindingForClusterRole(ms, prometheusName), ms, !hasNsSelector), - reconciler.NewOptionalUpdater(newAlertManagerClusterRole(alertmanagerName, rbacVerbs), ms, deployAlertmanager), + reconciler.NewOptionalUpdater(newAlertManagerClusterRole(alertmanagerClusterRoleName, rbacVerbs), ms, deployAlertmanager), // create clusterrolebinding if alertmanager is enabled and namespace selector is also present in MonitoringStack - reconciler.NewOptionalUpdater(newClusterRoleBinding(ms, alertmanagerName), ms, deployAlertmanager && createCRB), + reconciler.NewOptionalUpdater(newClusterRoleBinding(ms, alertmanagerClusterRoleName), ms, deployAlertmanager && createCRB), reconciler.NewOptionalUpdater(newRoleBindingForClusterRole(ms, alertmanagerName), ms, deployAlertmanager && !hasNsSelector), reconciler.NewOptionalUpdater(newAlertmanager(ms, alertmanagerName, alertmanager), ms, deployAlertmanager),