openshift
diff --git a/‎Documentation/resources.adoc‎
Lines changed: 120 additions & 60 deletions b/‎Documentation/resources.adoc‎
Lines changed: 120 additions & 60 deletions
diff --git a/‎Documentation/resources.md‎
Lines changed: 96 additions & 60 deletions b/‎Documentation/resources.md‎
Lines changed: 96 additions & 60 deletions
diff --git a/‎test/e2e/test_command/scripts/openshift-monitoring_alertmanager-main_service_port_9092.yaml‎
Lines changed: 14 additions & 10 deletions b/‎test/e2e/test_command/scripts/openshift-monitoring_alertmanager-main_service_port_9092.yaml‎
Lines changed: 14 additions & 10 deletions
diff --git a/‎test/e2e/test_command/scripts/openshift-monitoring_alertmanager-main_service_port_9094.yaml‎
Lines changed: 16 additions & 10 deletions b/‎test/e2e/test_command/scripts/openshift-monitoring_alertmanager-main_service_port_9094.yaml‎
Lines changed: 16 additions & 10 deletions
diff --git a/‎test/e2e/test_command/scripts/openshift-monitoring_prometheus-k8s_service_port_9091.yaml‎
Lines changed: 16 additions & 10 deletions b/‎test/e2e/test_command/scripts/openshift-monitoring_prometheus-k8s_service_port_9091.yaml‎
Lines changed: 16 additions & 10 deletions
diff --git a/‎test/e2e/test_command/scripts/openshift-monitoring_thanos-querier_service_port_9091.yaml‎
Lines changed: 16 additions & 10 deletions b/‎test/e2e/test_command/scripts/openshift-monitoring_thanos-querier_service_port_9091.yaml‎
Lines changed: 16 additions & 10 deletions
diff --git a/‎test/e2e/test_command/scripts/openshift-monitoring_thanos-querier_service_port_9092.yaml‎
Lines changed: 7 additions & 5 deletions b/‎test/e2e/test_command/scripts/openshift-monitoring_thanos-querier_service_port_9092.yaml‎
Lines changed: 7 additions & 5 deletions
@@ -1,17 +1,19 @@
 tests:
   - script: |
-      # The following example exercises permissions granted by the monitoring-rules-edit Cluster Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `monitoring-rules-edit` cluster role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-alertmanager-tenancy-monitoring-rules-edit
       oc create serviceaccount am-client --namespace=test-alertmanager-tenancy-monitoring-rules-edit
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-alertmanager-tenancy-monitoring-rules-edit \
         --namespace=test-alertmanager-tenancy-monitoring-rules-edit \
         --clusterrole=monitoring-rules-edit \
         --serviceaccount=test-alertmanager-tenancy-monitoring-rules-edit:am-client
-      # The token can then be used to access the endpoints on the port.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token am-client --namespace=test-alertmanager-tenancy-monitoring-rules-edit)
-      # Because the port is not exposed by default, the endpoint is assumed to be accessed from within the cluster.
+      # Access Alertmanager endpoints from within the cluster. The port is not exposed externally by default.
       curl -k -f -H "Authorization: Bearer $TOKEN" "https://alertmanager-main.openshift-monitoring:9092/api/v2/alerts?namespace=test-alertmanager-tenancy-monitoring-rules-edit"
       curl -k -X POST -f "https://alertmanager-main.openshift-monitoring:9092/api/v2/silences?namespace=test-alertmanager-tenancy-monitoring-rules-edit" \
         -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
@@ -31,18 +33,20 @@ tests:
     tearDown: |
       oc delete namespace test-alertmanager-tenancy-monitoring-rules-edit --wait=false
   - script: |
-      # The following example exercises permissions granted by the monitoring-edit Cluster Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `monitoring-edit` cluster role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-alertmanager-tenancy-monitoring-edit
       oc create serviceaccount am-client --namespace=test-alertmanager-tenancy-monitoring-edit
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-alertmanager-tenancy-monitoring-edit \
         --namespace=test-alertmanager-tenancy-monitoring-edit \
         --clusterrole=monitoring-edit \
         --serviceaccount=test-alertmanager-tenancy-monitoring-edit:am-client
-      # The token can then be used to access the endpoints on the port.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token am-client --namespace=test-alertmanager-tenancy-monitoring-edit)
-      # Because the port is not exposed by default, the endpoint is assumed to be accessed from within the cluster.
+      # Access Alertmanager endpoints from within the cluster. The port is not exposed externally by default.
       curl -k -f -H "Authorization: Bearer $TOKEN" "https://alertmanager-main.openshift-monitoring:9092/api/v2/alerts?namespace=test-alertmanager-tenancy-monitoring-edit"
       curl -k -X POST -f "https://alertmanager-main.openshift-monitoring:9092/api/v2/silences?namespace=test-alertmanager-tenancy-monitoring-edit" \
         -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
 
@@ -1,35 +1,41 @@
 tests:
   - script: |
-      # The following example exercises permissions granted by the monitoring-alertmanager-view Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `monitoring-alertmanager-view` role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-alertmanager-web-monitoring-alertmanager-view
       oc create serviceaccount am-client --namespace=test-alertmanager-web-monitoring-alertmanager-view
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-alertmanager-web-monitoring-alertmanager-view \
         --namespace=openshift-monitoring \
         --role=monitoring-alertmanager-view \
         --serviceaccount=test-alertmanager-web-monitoring-alertmanager-view:am-client
-      # The token can then be used to access the endpoints.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token am-client --namespace=test-alertmanager-web-monitoring-alertmanager-view)
+      # Access Alertmanager endpoints externally.
       ROUTE=$(oc get route alertmanager-main --namespace=openshift-monitoring -ojsonpath={.spec.host})
       curl -k -H "Authorization: Bearer $TOKEN" "https://$ROUTE/api/v2/alerts?filter=alertname=Watchdog"
-      # The endpoints can also be accessed from within the cluster.
+      # Access Alertmanager endpoints from within the cluster.
       curl -k -H "Authorization: Bearer $TOKEN" "https://alertmanager-main.openshift-monitoring:9094/api/v2/alerts?filter=alertname=Watchdog"
     tearDown: |
       oc delete rolebinding test-alertmanager-web-monitoring-alertmanager-view --namespace=openshift-monitoring
       oc delete namespace test-alertmanager-web-monitoring-alertmanager-view --wait=false
   - script: |
-      # The following example exercises permissions granted by the monitoring-alertmanager-edit Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `monitoring-alertmanager-edit` role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-alertmanager-web-monitoring-alertmanager-edit
       oc create serviceaccount am-client --namespace=test-alertmanager-web-monitoring-alertmanager-edit
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-alertmanager-web-monitoring-alertmanager-edit \
         --namespace=openshift-monitoring \
         --role=monitoring-alertmanager-edit \
         --serviceaccount=test-alertmanager-web-monitoring-alertmanager-edit:am-client
-      # The token can then be used to access the endpoints on the port.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token am-client --namespace=test-alertmanager-web-monitoring-alertmanager-edit)
+      # Access Alertmanager endpoints externally.
       ROUTE=$(oc get route alertmanager-main --namespace=openshift-monitoring -ojsonpath={.spec.host})
       curl -k -X POST  "https://$ROUTE/api/v2/silences" \
         -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
@@ -46,7 +52,7 @@ tests:
           "createdBy": "test-alertmanager-web-monitoring-alertmanager-edit/am-client",
           "comment": "Silence test"
         }'
-      # The endpoints can also be accessed from within the cluster.
+      # Access Alertmanager endpoints from within the cluster.
       curl -k -X POST  "https://alertmanager-main.openshift-monitoring:9094/api/v2/silences" \
         -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
         -d '{
 
@@ -1,38 +1,44 @@
 tests:
   - script: |
-      # The following example exercises permissions granted by the cluster-monitoring-view Cluster Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `cluster-monitoring-view` cluster role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-prometheus-web-cluster-monitoring-view
       oc create serviceaccount prom-client --namespace=test-prometheus-web-cluster-monitoring-view
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-prometheus-web-cluster-monitoring-view \
         --namespace=openshift-monitoring \
         --clusterrole=cluster-monitoring-view \
         --serviceaccount=test-prometheus-web-cluster-monitoring-view:prom-client
-      # The token can then be used to access the endpoints.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token prom-client --namespace=test-prometheus-web-cluster-monitoring-view)
+      # Access Prometheus endpoints externally.
       ROUTE=$(oc get route prometheus-k8s --namespace=openshift-monitoring -ojsonpath={.spec.host})
       curl -k -H "Authorization: Bearer $TOKEN" "https://$ROUTE/api/v1/query?query=up"
-      # The endpoints can also be accessed from within the cluster.
+      # Access Prometheus endpoints from within the cluster.
       curl -k -H "Authorization: Bearer $TOKEN" "https://prometheus-k8s.openshift-monitoring:9091/api/v1/query?query=up"
     tearDown: |
       oc delete rolebinding test-prometheus-web-cluster-monitoring-view --namespace=openshift-monitoring
       oc delete namespace test-prometheus-web-cluster-monitoring-view --wait=false
   - script: |
-      # The following example exercises permissions granted by the cluster-monitoring-metrics-api Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `cluster-monitoring-metrics-api` role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-prometheus-web-cluster-monitoring-metrics-api
       oc create serviceaccount prom-client --namespace=test-prometheus-web-cluster-monitoring-metrics-api
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-prometheus-web-cluster-monitoring-metrics-api \
         --namespace=openshift-monitoring \
         --role=cluster-monitoring-metrics-api  \
         --serviceaccount=test-prometheus-web-cluster-monitoring-metrics-api:prom-client
-      # The token can then be used to access the endpoints.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token prom-client --namespace=test-prometheus-web-cluster-monitoring-metrics-api)
+      # Access Prometheus endpoints externally.
       ROUTE=$(oc get route prometheus-k8s --namespace=openshift-monitoring -ojsonpath={.spec.host})
       curl -k -H "Authorization: Bearer $TOKEN" "https://$ROUTE/api/v1/query?query=up"
-      # The endpoints can also be accessed from within the cluster.
+      # Access Prometheus endpoints from within the cluster.
       curl -k -H "Authorization: Bearer $TOKEN" "https://prometheus-k8s.openshift-monitoring:9091/api/v1/query?query=up"
     tearDown: |
       oc delete rolebinding test-prometheus-web-cluster-monitoring-metrics-api --namespace=openshift-monitoring
 
@@ -1,38 +1,44 @@
 tests:
   - script: |
-      # The following example exercises permissions granted by the cluster-monitoring-view Cluster Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `cluster-monitoring-view` cluster role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-thanos-querier-web-cluster-monitoring-view
       oc create serviceaccount thanos-client --namespace=test-thanos-querier-web-cluster-monitoring-view
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-thanos-querier-web-cluster-monitoring-view \
         --namespace=openshift-monitoring \
         --clusterrole=cluster-monitoring-view \
         --serviceaccount=test-thanos-querier-web-cluster-monitoring-view:thanos-client
-      # The token can then be used to access the endpoints.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token thanos-client --namespace=test-thanos-querier-web-cluster-monitoring-view)
+      # Access Thanos Querier endpoints externally.
       ROUTE=$(oc get route thanos-querier --namespace=openshift-monitoring -ojsonpath={.spec.host})
       curl -k -H "Authorization: Bearer $TOKEN" "https://$ROUTE/api/v1/query?query=up"
-      # The endpoints can also be accessed from within the cluster.
+      # Access Thanos Querier endpoints from within the cluster.
       curl -k -H "Authorization: Bearer $TOKEN" "https://thanos-querier.openshift-monitoring:9091/api/v1/query?query=up"
     tearDown: |
       oc delete rolebinding test-thanos-querier-web-cluster-monitoring-view --namespace=openshift-monitoring
       oc delete namespace test-thanos-querier-web-cluster-monitoring-view --wait=false
   - script: |
-      # The following example exercises permissions granted by the cluster-monitoring-metrics-api Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `cluster-monitoring-metrics-api` role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-thanos-querier-web-cluster-monitoring-metrics-api
       oc create serviceaccount thanos-client --namespace=test-thanos-querier-web-cluster-monitoring-metrics-api
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-thanos-querier-web-cluster-monitoring-metrics-api \
         --namespace=openshift-monitoring \
         --role=cluster-monitoring-metrics-api  \
         --serviceaccount=test-thanos-querier-web-cluster-monitoring-metrics-api:thanos-client
-      # The token can then be used to access the endpoints.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token thanos-client --namespace=test-thanos-querier-web-cluster-monitoring-metrics-api)
+      # Access Thanos Querier endpoints externally.
       ROUTE=$(oc get route thanos-querier --namespace=openshift-monitoring -ojsonpath={.spec.host})
       curl -k -H "Authorization: Bearer $TOKEN" "https://$ROUTE/api/v1/query?query=up"
-      # The endpoints can also be accessed from within the cluster.
+      # Access Thanos Querier endpoints from within the cluster.
       curl -k -H "Authorization: Bearer $TOKEN" "https://thanos-querier.openshift-monitoring:9091/api/v1/query?query=up"
     tearDown: |
       oc delete rolebinding test-thanos-querier-web-cluster-monitoring-metrics-api --namespace=openshift-monitoring
 
@@ -1,17 +1,19 @@
 tests:
   - script: |
-      # The following example exercises permissions granted by the view Cluster Role.
-      # The binding commands are supposed to run by a user with the necessary privileges.
+      ## The following example exercises permissions granted by the `view` cluster role.
+      ## The binding commands must be run by a user with the necessary privileges.
+      # Create a test namespace and a service account.
       oc create namespace test-thanos-querier-tenancy-view
       oc create serviceaccount thanos-client --namespace=test-thanos-querier-tenancy-view
-      # The binding is done to a Service Account, but it can also be applied to any other user.
+      # Bind the role to the service account.
+      # The binding in this example is applied to a service account but can also be applied to any user.
       oc create rolebinding test-thanos-querier-tenancy-view \
         --namespace=test-thanos-querier-tenancy-view \
         --clusterrole=view \
         --serviceaccount=test-thanos-querier-tenancy-view:thanos-client
-      # The token can then be used to access the endpoints.
+      # Generate a token to access the endpoints.
       TOKEN=$(oc create token thanos-client --namespace=test-thanos-querier-tenancy-view)
-      # Because the port is not exposed by default, the endpoint is assumed to be accessed from within the cluster.
+      # Access Thanos Querier endpoints from within the cluster. The port is not exposed externally by default.
       curl -k -f -H "Authorization: Bearer $TOKEN" "https://thanos-querier.openshift-monitoring:9092/api/v1/query?query=up&namespace=test-thanos-querier-tenancy-view"
     tearDown: |
       oc delete namespace test-thanos-querier-tenancy-view --wait=false