From 83ea2694d83d150223eddb431efa17dbb19d81af Mon Sep 17 00:00:00 2001
From: Brandon Booker <bbooker@vt.edu>
Date: Mon, 29 Apr 2024 20:05:13 +0000
Subject: [PATCH] PLATFORM-2481 - allow prometheus-operator to modify
 deployments and stateful sets in tenant namespaces

Changelog: updated
---
 Chart.yaml                                         | 2 +-
 rego/allow_rollout_restart_deployment/policy.rego  | 1 +
 rego/allow_rollout_restart_statefulset/policy.rego | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Chart.yaml b/Chart.yaml
index 0b0c27e..3598162 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: constraint-templates
-version: 1.6.1
+version: 1.6.2
 appVersion: 1.0.0
diff --git a/rego/allow_rollout_restart_deployment/policy.rego b/rego/allow_rollout_restart_deployment/policy.rego
index 6acd89d..8c52729 100644
--- a/rego/allow_rollout_restart_deployment/policy.rego
+++ b/rego/allow_rollout_restart_deployment/policy.rego
@@ -3,6 +3,7 @@ package allow_rollout_restart_deployment
 # Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
     not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
+    not input.review.userInfo.username == "system:serviceaccount:platform-prometheus-stack:prometheus-kube-prometheus-operator"
     flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
     not input.review.userInfo.username == flux_username
     not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
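Review bot: The leading comment on this rule is now stale — it still lists only flux, stakater-reloader and the admin group as the users that may UPDATE a Deployment, while the added line on the next hunk line exempts `system:serviceaccount:platform-prometheus-stack:prometheus-kube-prometheus-operator` as well; the same applies to the comment in `rego/allow_rollout_restart_statefulset/policy.rego`, which receives the identical line. Update both comments to name the prometheus-operator service account alongside the reloader so the exemption list in the comment matches the rule body. As written, each `not input.review.userInfo.username == "..."` line is a full bypass of this violation for that principal rather than a bypass limited to the restart annotation, so whoever holds that service account's token can make any UPDATE the rule would otherwise block in tenant namespaces; if the rest of the rule (which continues outside the hunk) does not narrow this, consider documenting that trade-off in the comment and auditing the operator's RBAC accordingly. Since the exempt principals are now a growing, duplicated list in two files, a set is easier to review and keep in sync, e.g. `exempt_users := {"system:serviceaccount:platform-stakater-reloader:stakater-reloader", "system:serviceaccount:platform-prometheus-stack:prometheus-kube-prometheus-operator"}` followed by `not exempt_users[input.review.userInfo.username]` in place of the two negated equality lines.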
diff --git a/rego/allow_rollout_restart_statefulset/policy.rego b/rego/allow_rollout_restart_statefulset/policy.rego
index 122f143..411482a 100644
--- a/rego/allow_rollout_restart_statefulset/policy.rego
+++ b/rego/allow_rollout_restart_statefulset/policy.rego
@@ -3,6 +3,7 @@ package allow_rollout_restart_statefulset
 # Violation caused when user is not local flux, not the stakater-reloader, and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
     not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
+    not input.review.userInfo.username == "system:serviceaccount:platform-prometheus-stack:prometheus-kube-prometheus-operator"
     flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
     not input.review.userInfo.username == flux_username
     not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
-- 
GitLab