Adds second read only SA for analytics team (#763)

philipgough · web-flow · commit c10b25c77b2e · 2025-03-04T14:08:55.000Z
diff --git a/configuration/observatorium/rbac.go b/configuration/observatorium/rbac.go
@@ -215,6 +215,18 @@ func GenerateRBAC() *observatoriumRBAC {
 		skipConventionCheck: true,
 	})
 
+	// analytics read only prod
+	// Special request of extra read account.
+	// https://issues.redhat.com/browse/RHOBS-1116
+	attachBinding(&obsRBAC, bindingOpts{
+		name:                "8f7aa5e1-aa08-493d-82eb-cf24834fc08f",
+		tenant:              telemeterTenant,
+		signals:             []signal{metricsSignal},
+		perms:               []rbac.Permission{rbac.Read}, // Read only.
+		envs:                []env{productionEnv},
+		skipConventionCheck: true,
+	})
+
 	// RHTAP
 	// Reader and Writer serviceaccount
 	attachBinding(&obsRBAC, bindingOpts{
diff --git a/resources/services/app-sre-stage-01/rhobs/observatorium-api-template.yaml b/resources/services/app-sre-stage-01/rhobs/observatorium-api-template.yaml
@@ -1023,6 +1023,12 @@ objects:
             subjects:
               - kind: user
                 name: service-account-7f7f912e-0429-4639-8e70-609ecf65b280
+          - name: 8f7aa5e1-aa08-493d-82eb-cf24834fc08f
+            roles:
+              - telemeter-metrics-read
+            subjects:
+              - kind: user
+                name: service-account-8f7aa5e1-aa08-493d-82eb-cf24834fc08f
           - name: observatorium-rhtap
             roles:
               - rhtap-metrics-read
diff --git a/resources/services/observatorium-api/staging/observatorium-api-template.yaml b/resources/services/observatorium-api/staging/observatorium-api-template.yaml
@@ -147,6 +147,12 @@ objects:
         subjects:
         - kind: user
           name: service-account-7f7f912e-0429-4639-8e70-609ecf65b280
+      - name: 8f7aa5e1-aa08-493d-82eb-cf24834fc08f
+        roles:
+        - telemeter-metrics-read
+        subjects:
+        - kind: user
+          name: service-account-8f7aa5e1-aa08-493d-82eb-cf24834fc08f
       - name: observatorium-rhtap
         roles:
         - rhtap-metrics-read
diff --git a/resources/services/observatorium-template.yaml b/resources/services/observatorium-template.yaml
@@ -883,6 +883,12 @@ objects:
         "subjects":
         - "kind": "user"
           "name": "service-account-7f7f912e-0429-4639-8e70-609ecf65b280"
+      - "name": "8f7aa5e1-aa08-493d-82eb-cf24834fc08f"
+        "roles":
+        - "telemeter-metrics-read"
+        "subjects":
+        - "kind": "user"
+          "name": "service-account-8f7aa5e1-aa08-493d-82eb-cf24834fc08f"
       - "name": "observatorium-rhtap"
         "roles":
         - "rhtap-metrics-read"
