harmony/harmony/src/modules/monitoring/kube_prometheus/crd/role.rs

use k8s_openapi::api::{
    core::v1::ServiceAccount,
    rbac::v1::{PolicyRule, Role, RoleBinding, RoleRef, Subject},
};
use kube::api::ObjectMeta;

pub fn build_prom_role(role_name: String, namespace: String) -> Role {
    Role {
        metadata: ObjectMeta {
            name: Some(role_name),
            namespace: Some(namespace),
            ..Default::default()
        },
        rules: Some(vec![PolicyRule {
            api_groups: Some(vec!["".into()]), // core API group
            resources: Some(vec!["services".into(), "endpoints".into(), "pods".into()]),
            verbs: vec!["get".into(), "list".into(), "watch".into()],
            ..Default::default()
        }]),
    }
}

pub fn build_prom_rolebinding(
    role_name: String,
    namespace: String,
    service_account_name: String,
) -> RoleBinding {
    RoleBinding {
        metadata: ObjectMeta {
            name: Some(format!("{}-rolebinding", role_name)),
            namespace: Some(namespace.clone()),
            ..Default::default()
        },
        role_ref: RoleRef {
            api_group: "rbac.authorization.k8s.io".into(),
            kind: "Role".into(),
            name: role_name,
        },
        subjects: Some(vec![Subject {
            kind: "ServiceAccount".into(),
            name: service_account_name,
            namespace: Some(namespace.clone()),
            ..Default::default()
        }]),
    }
}

pub fn build_prom_service_account(
    service_account_name: String,
    namespace: String,
) -> ServiceAccount {
    ServiceAccount {
        automount_service_account_token: None,
        image_pull_secrets: None,
        metadata: ObjectMeta {
            name: Some(service_account_name),
            namespace: Some(namespace),
            ..Default::default()
        },
        secrets: None,
    }
}