@paulfantom
Last active June 14, 2021 11:17
One ClusterRole to rule them all
// One ClusterRole to rule them all
// one ClusterRole to find them
// One ClusterRole to bring them all
// and in the darkness bind them;
{
  // This should live in https://github.com/openshift/cluster-monitoring-operator/blob/master/jsonnet/cluster-monitoring-operator.libsonnet
  clusterRole: {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: 'ClusterRole',
    metadata: {
      name: 'cluster-monitoring-operator',
      annotations: {  // Ideally those come from https://github.com/openshift/cluster-monitoring-operator/blob/master/jsonnet/ibm-cloud-managed-profile.libsonnet
        'include.release.openshift.io/ibm-cloud-managed': 'true',
        'include.release.openshift.io/self-managed-high-availability': 'true',
        'include.release.openshift.io/single-node-developer': 'true',
      },
    },
    // All those currently are a bit hidden in https://github.com/openshift/cluster-monitoring-operator/blob/master/hack/cluster-monitoring-operator-role.yaml.in
    rules: [
      {
        apiGroups: ['rbac.authorization.k8s.io'],
        resources: ['roles', 'rolebindings', 'clusterroles', 'clusterrolebindings'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      // Two rules for validatingwebhookconfigurations: resourceNames cannot
      // restrict 'create' (the name is not known at authorization time), so
      // 'create' is granted unscoped here and the mutating verbs are scoped
      // to the operator's own webhook by name below.
      {
        apiGroups: ['admissionregistration.k8s.io'],
        resources: ['validatingwebhookconfigurations'],
        verbs: ['create', 'get', 'list', 'watch'],
      },
      {
        apiGroups: ['admissionregistration.k8s.io'],
        resourceNames: ['prometheusrules.openshift.io'],
        resources: ['validatingwebhookconfigurations'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: [''],
        resources: ['services', 'serviceaccounts', 'configmaps'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['apps'],
        resources: ['deployments', 'daemonsets'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['route.openshift.io'],
        resources: ['routes'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['security.openshift.io'],
        resources: ['securitycontextconstraints'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['apiregistration.k8s.io'],
        resources: ['apiservices'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['config.openshift.io'],
        resources: ['clusterversions'],
        verbs: ['get'],
      },
      {
        apiGroups: ['config.openshift.io'],
        resources: ['infrastructures'],
        verbs: ['get', 'list', 'watch'],
      },
      {
        apiGroups: ['config.openshift.io'],
        resources: ['proxies'],
        verbs: ['get'],
      },
      {
        apiGroups: ['config.openshift.io'],
        resources: ['clusteroperators', 'clusteroperators/status'],
        verbs: ['get', 'update', 'create'],
      },
      {
        apiGroups: ['policy'],
        resources: ['poddisruptionbudgets'],
        verbs: ['create', 'get', 'update', 'delete'],
      },
    ],
  },
  // Something like this should be in https://github.com/openshift/cluster-monitoring-operator/blob/master/jsonnet/main.jsonnet
  // (clusterMonitoringOperator() and $.values come from that file and are not defined here).
  local inCluster = {
    // ...
    clusterMonitoringOperator: clusterMonitoringOperator($.values.clusterMonitoringOperator) {
      // Extend the ClusterRole with the rules of every ClusterRole the operator creates.
      clusterRole+: {
        // Ideally this would be some addon or such that would iterate over all ClusterRole objects,
        // similar to how patch-rules.libsonnet goes over all PrometheusRule objects.
        // Note: every operand must be the `.rules` array; appending a whole ClusterRole
        // object to an array is a jsonnet type error.
        rules+: inCluster.alertmanager.clusterRole.rules +
                inCluster.prometheus.clusterRole.rules +
                inCluster.prometheusOperator.clusterRole.rules +
                inCluster.grafana.clusterRole.rules,  // + all other ClusterRole rules
      },
    },
    // ...
  },
}
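The comment above asks for an addon that walks every ClusterRole instead of listing components by hand. Below is an added sketch of such a walker (example code, not from the gist or from cluster-monitoring-operator); `components` is a constructed stand-in for the real `inCluster` tree, and `collectRules`/`dedupe` are names chosen here. The union matters for least privilege: the RBAC API refuses to create a role or binding that grants permissions its creator does not already hold (unless it holds `escalate`/`bind`), so the operator's ClusterRole must cover every rule of every ClusterRole it manages, and nothing more.

```jsonnet
// Walk a jsonnet object tree, collect the rules of every ClusterRole in it and
// emit one ClusterRole holding their union with exact duplicates removed.
local isClusterRole(o) =
  std.isObject(o) && std.objectHas(o, 'kind') && o.kind == 'ClusterRole';

local collectRules(node) =
  if isClusterRole(node) then
    (if std.objectHas(node, 'rules') then node.rules else [])
  else if std.isObject(node) then
    std.flattenArrays([collectRules(node[f]) for f in std.objectFields(node)])
  else if std.isArray(node) then
    std.flattenArrays([collectRules(x) for x in node])
  else
    [];

// == on jsonnet objects is structural, so identical rules emitted by several
// components collapse into a single entry; rules that differ only in verb
// order are intentionally kept apart (they are not the same grant).
local dedupe(rules) = std.foldl(
  function(acc, r)
    if std.length(std.filter(function(a) a == r, acc)) > 0 then acc else acc + [r],
  rules,
  []
);

// Constructed sample tree standing in for inCluster from main.jsonnet.
local components = {
  alertmanager: { clusterRole: { kind: 'ClusterRole', rules: [
    { apiGroups: [''], resources: ['configmaps'], verbs: ['get', 'list', 'watch'] },
  ] } },
  prometheus: { clusterRole: { kind: 'ClusterRole', rules: [
    { apiGroups: [''], resources: ['configmaps'], verbs: ['get', 'list', 'watch'] },  // duplicate
    { apiGroups: [''], resources: ['nodes/metrics'], verbs: ['get'] },
  ] } },
  someDeployment: { kind: 'Deployment' },  // non-ClusterRole objects are skipped
};

{
  apiVersion: 'rbac.authorization.k8s.io/v1',
  kind: 'ClusterRole',
  metadata: { name: 'cluster-monitoring-operator' },
  rules: dedupe(collectRules(components)),  // two rules: the configmaps duplicate collapses
}
```

Run with `jsonnet file.jsonnet`; to audit the result, diff the emitted `rules` against the current hand-maintained list and treat any rule present only in the merged output as a privilege the operator did not previously need.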