Merge pull request #7409 from simonpasquier/debug-feature-gate-ci

fix: unblock feature-gates CI
2025-04-21 03:38:43 +00:00 · 2025-03-14 16:53:16 +01:00 · 2025-03-14 16:53:16 +01:00 · 81634cc2c1
commit 81634cc2c1
parent 240b3031fc 036a56054c
12 changed files with 182 additions and 158 deletions
--- a/pkg/operator/feature_gates.go
+++ b/pkg/operator/feature_gates.go
@ -26,8 +26,10 @@ const (
 	// PrometheusAgentDaemonSetFeature enables the DaemonSet mode for PrometheusAgent.
 	PrometheusAgentDaemonSetFeature FeatureGateName = "PrometheusAgentDaemonSet"

-	// PrometheusTopologySharding enables the zone aware sharding for Prometheus.
-	PrometheusTopologyShardingFeature     FeatureGateName = "PrometheusTopologySharding"
+	// PrometheusTopologySharding enables the zone-aware sharding for Prometheus.
+	PrometheusTopologyShardingFeature FeatureGateName = "PrometheusTopologySharding"
+
+	// PrometheusShardRetentionPolicyFeature enables the shard retention policy for Prometheus.
 	PrometheusShardRetentionPolicyFeature FeatureGateName = "PrometheusShardRetentionPolicy"
 )

--- a/test/e2e/denylist_test.go
+++ b/test/e2e/denylist_test.go
@ -94,7 +94,7 @@ func testDenyServiceMonitor(t *testing.T) {
 	for _, denied := range deniedNamespaces {
 		echo := &appsv1.Deployment{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: "ehoserver",
+				Name: "echoserver",
 			},
 			Spec: appsv1.DeploymentSpec{
 				Replicas: proto.Int32(1),
--- a/test/e2e/main_test.go
+++ b/test/e2e/main_test.go
@ -38,7 +38,10 @@ var (
 	opImage                  *string
 )

-const testControllerID = "--controller-id=42"
+const (
+	testControllerID            = "--controller-id=42"
+	gitHubContentReleaseBaseURL = "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/release-%d.%d"
+)

 func skipPrometheusAllNSTests(t *testing.T) {
 	if os.Getenv("EXCLUDE_PROMETHEUS_ALL_NS_TESTS") != "" {
@ -113,7 +116,7 @@ func TestMain(m *testing.M) {
 		os.Exit(1)
 	}

-	prevStableVersionURL := fmt.Sprintf("https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/release-%d.%d/VERSION", currentSemVer.Major, currentSemVer.Minor-1)
+	prevStableVersionURL := fmt.Sprintf(gitHubContentReleaseBaseURL, currentSemVer.Major, currentSemVer.Minor-1) + "/VERSION"
 	reader, err := operatorFramework.URLToIOReader(prevStableVersionURL)
 	if err != nil {
 		logger.Printf("failed to get previous version file content: %v\n", err)
@ -126,16 +129,14 @@ func TestMain(m *testing.M) {
 		os.Exit(1)
 	}

-	prometheusOperatorGithubBranchURL := "https://raw.githubusercontent.com/prometheus-operator/prometheus-operator"
-
 	prevSemVer, err := semver.ParseTolerant(string(prevStableVersion))
 	if err != nil {
 		logger.Printf("failed to parse previous stable version: %v\n", err)
 		os.Exit(1)
 	}
-	prevStableOpImage := fmt.Sprintf("%s:v%s", "quay.io/prometheus-operator/prometheus-operator", strings.TrimSpace(string(prevStableVersion)))
-	prevExampleDir := fmt.Sprintf("%s/release-%d.%d/example", prometheusOperatorGithubBranchURL, prevSemVer.Major, prevSemVer.Minor)
-	prevResourcesDir := fmt.Sprintf("%s/release-%d.%d/test/framework/resources", prometheusOperatorGithubBranchURL, prevSemVer.Major, prevSemVer.Minor)
+	prevStableOpImage := fmt.Sprintf("quay.io/prometheus-operator/prometheus-operator:v%s", strings.TrimSpace(string(prevStableVersion)))
+	prevExampleDir := fmt.Sprintf(gitHubContentReleaseBaseURL, prevSemVer.Major, prevSemVer.Minor) + "/example"
+	prevResourcesDir := fmt.Sprintf(gitHubContentReleaseBaseURL, prevSemVer.Major, prevSemVer.Minor) + "/test/framework/resources"

 	if previousVersionFramework, err = operatorFramework.New(*kubeconfig, prevStableOpImage, prevExampleDir, prevResourcesDir, prevSemVer); err != nil {
 		logger.Printf("failed to setup previous version framework: %v\n", err)
--- a/test/e2e/prometheus_test.go
+++ b/test/e2e/prometheus_test.go
@ -5366,7 +5366,7 @@ func testPrometheusRetentionPolicies(t *testing.T) {
 		ctx, testFramework.PrometheusOperatorOpts{
 			Namespace:           ns,
 			AllowedNamespaces:   []string{ns},
-			EnabledFeatureGates: []string{"PrometheusShardRetentionPolicy"},
+			EnabledFeatureGates: []operator.FeatureGateName{operator.PrometheusShardRetentionPolicyFeature},
 		},
 	)
 	require.NoError(t, err)
--- a/test/e2e/prometheusagent_test.go
+++ b/test/e2e/prometheusagent_test.go
@ -37,6 +37,7 @@ import (

 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	monitoringv1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1alpha1"
+	"github.com/prometheus-operator/prometheus-operator/pkg/operator"
 	pa "github.com/prometheus-operator/prometheus-operator/pkg/prometheus/agent"
 	testFramework "github.com/prometheus-operator/prometheus-operator/test/framework"
 )
@ -74,7 +75,7 @@ func testCreatePrometheusAgentDaemonSet(t *testing.T) {
 		ctx, testFramework.PrometheusOperatorOpts{
 			Namespace:           ns,
 			AllowedNamespaces:   []string{ns},
-			EnabledFeatureGates: []string{"PrometheusAgentDaemonSet"},
+			EnabledFeatureGates: []operator.FeatureGateName{operator.PrometheusAgentDaemonSetFeature},
 		},
 	)
 	require.NoError(t, err)
@ -204,7 +205,7 @@ func testPromAgentDaemonSetResourceUpdate(t *testing.T) {
 		ctx, testFramework.PrometheusOperatorOpts{
 			Namespace:           ns,
 			AllowedNamespaces:   []string{ns},
-			EnabledFeatureGates: []string{"PrometheusAgentDaemonSet"},
+			EnabledFeatureGates: []operator.FeatureGateName{operator.PrometheusAgentDaemonSetFeature},
 		},
 	)
 	require.NoError(t, err)
@ -276,7 +277,7 @@ func testPromAgentReconcileDaemonSetResourceUpdate(t *testing.T) {
 		ctx, testFramework.PrometheusOperatorOpts{
 			Namespace:           ns,
 			AllowedNamespaces:   []string{ns},
-			EnabledFeatureGates: []string{"PrometheusAgentDaemonSet"},
+			EnabledFeatureGates: []operator.FeatureGateName{operator.PrometheusAgentDaemonSetFeature},
 		},
 	)
 	require.NoError(t, err)
@ -341,7 +342,7 @@ func testPromAgentReconcileDaemonSetResourceDelete(t *testing.T) {
 		ctx, testFramework.PrometheusOperatorOpts{
 			Namespace:           ns,
 			AllowedNamespaces:   []string{ns},
-			EnabledFeatureGates: []string{"PrometheusAgentDaemonSet"},
+			EnabledFeatureGates: []operator.FeatureGateName{operator.PrometheusAgentDaemonSetFeature},
 		},
 	)
 	require.NoError(t, err)
@ -371,7 +372,7 @@ func testPrometheusAgentDaemonSetSelectPodMonitor(t *testing.T) {
 		ctx, testFramework.PrometheusOperatorOpts{
 			Namespace:           ns,
 			AllowedNamespaces:   []string{ns},
-			EnabledFeatureGates: []string{"PrometheusAgentDaemonSet"},
+			EnabledFeatureGates: []operator.FeatureGateName{operator.PrometheusAgentDaemonSetFeature},
 		},
 	)
 	require.NoError(t, err)
--- a/test/e2e/upgradepath_test.go
+++ b/test/e2e/upgradepath_test.go
@ -125,7 +125,8 @@ func testOperatorUpgrade(t *testing.T) {
 	_, err = previousVersionFramework.CreateOrUpdateServiceAndWaitUntilReady(context.Background(), ns, &alertmanagerService)
 	require.NoError(t, err)

-	previousVersionFramework.SetupPrometheusRBAC(context.Background(), t, nil, ns)
+	// Setup RBAC rules for the Prometheus service account.
+	previousVersionFramework.SetupPrometheusRBAC(context.Background(), t, testCtx, ns)
 	prometheus := previousVersionFramework.MakeBasicPrometheus(ns, name, name, 1)

 	_, err = previousVersionFramework.CreatePrometheusAndWaitUntilReady(context.Background(), ns, previousVersionFramework.MakeBasicPrometheus(ns, name, name, 1))
@ -140,8 +141,10 @@ func testOperatorUpgrade(t *testing.T) {
 	_, err = previousVersionFramework.CreateOrUpdateServiceAndWaitUntilReady(context.Background(), ns, &thanosRulerService)
 	require.NoError(t, err)

+	// Update the Prometheus Operator to the current version:
+	// 1. Update the RBAC rules for the Prometheus service account.
+	// 2. Upgrade the operator deployment.
 	framework.SetupPrometheusRBAC(context.Background(), t, testCtx, ns)
-	// Update Prometheus Operator to current version
 	finalizers, err := framework.CreateOrUpdatePrometheusOperator(context.Background(), ns, nil, nil, nil, nil, true, true, true)
 	require.NoError(t, err)
 	for _, f := range finalizers {
--- a/test/framework/cluster_role.go
+++ b/test/framework/cluster_role.go
@ -16,7 +16,9 @@ package framework

 import (
 	"context"
+	"fmt"

+	"github.com/cespare/xxhash/v2"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -46,41 +48,21 @@ var (
 	}
 )

-func (f *Framework) CreateOrUpdateClusterRole(ctx context.Context, source string) (*rbacv1.ClusterRole, error) {
-	clusterRole, err := parseClusterRoleYaml(source)
-	if err != nil {
-		return nil, err
-	}
-
-	_, err = f.KubeClient.RbacV1().ClusterRoles().Get(ctx, clusterRole.Name, metav1.GetOptions{})
+func (f *Framework) CreateOrUpdateClusterRole(ctx context.Context, cr *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
+	_, err := f.KubeClient.RbacV1().ClusterRoles().Get(ctx, cr.Name, metav1.GetOptions{})
 	if err != nil && !apierrors.IsNotFound(err) {
-		return nil, err
-	}
-
-	if apierrors.IsNotFound(err) {
-		// ClusterRole doesn't exists -> Create
-		clusterRole, err = f.KubeClient.RbacV1().ClusterRoles().Create(ctx, clusterRole, metav1.CreateOptions{})
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		// ClusterRole already exists -> Update
-		clusterRole, err = f.KubeClient.RbacV1().ClusterRoles().Update(ctx, clusterRole, metav1.UpdateOptions{})
-		if err != nil {
-			return nil, err
+		if apierrors.IsNotFound(err) {
+			// ClusterRole doesn't exists -> Create
+			return f.KubeClient.RbacV1().ClusterRoles().Create(ctx, cr, metav1.CreateOptions{})
 		}
 	}

-	return clusterRole, nil
+	// ClusterRole already exists -> Update
+	return f.KubeClient.RbacV1().ClusterRoles().Update(ctx, cr, metav1.UpdateOptions{})
 }

-func (f *Framework) DeleteClusterRole(ctx context.Context, source string) error {
-	clusterRole, err := parseClusterRoleYaml(source)
-	if err != nil {
-		return err
-	}
-
-	return f.KubeClient.RbacV1().ClusterRoles().Delete(ctx, clusterRole.Name, metav1.DeleteOptions{})
+func (f *Framework) DeleteClusterRole(ctx context.Context, name string) error {
+	return f.KubeClient.RbacV1().ClusterRoles().Delete(ctx, name, metav1.DeleteOptions{})
 }

 func (f *Framework) UpdateClusterRole(ctx context.Context, clusterRole *rbacv1.ClusterRole) error {
@ -91,7 +73,7 @@ func (f *Framework) UpdateClusterRole(ctx context.Context, clusterRole *rbacv1.C
 	return nil
 }

-func parseClusterRoleYaml(source string) (*rbacv1.ClusterRole, error) {
+func clusterRoleFromYaml(suffix, source string) (*rbacv1.ClusterRole, error) {
 	manifest, err := SourceToIOReader(source)
 	if err != nil {
 		return nil, err
@ -102,5 +84,17 @@ func parseClusterRoleYaml(source string) (*rbacv1.ClusterRole, error) {
 		return nil, err
 	}

+	// Use a unique cluster role name to avoid parallel tests doing concurrent
+	// updates to the same resource.
+	if suffix != "" {
+		xxh := xxhash.New()
+		if _, err := xxh.Write([]byte(suffix)); err != nil {
+			// Write() never returns nil.
+			panic(fmt.Errorf("failed to write hash: %w", err))
+		}
+
+		clusterRole.Name = fmt.Sprintf("%s-%x", clusterRole.Name, xxh.Sum64())
+	}
+
 	return &clusterRole, nil
 }
--- a/test/framework/cluster_role_binding.go
+++ b/test/framework/cluster_role_binding.go
@ -23,52 +23,48 @@ import (
 	"k8s.io/apimachinery/pkg/util/yaml"
 )

-func (f *Framework) createOrUpdateClusterRoleBinding(ctx context.Context, ns string, source string) (FinalizerFn, error) {
-	finalizerFn := func() error { return f.DeleteClusterRoleBinding(ctx, ns, source) }
+func (f *Framework) createOrUpdateClusterRoleBinding(ctx context.Context, ns string, cr *rbacv1.ClusterRole, source string) (FinalizerFn, error) {
 	clusterRoleBinding, err := parseClusterRoleBindingYaml(source)
 	if err != nil {
-		return finalizerFn, err
+		return nil, err
 	}

-	// Make sure to create a new cluster role binding for each namespace to
-	// prevent concurrent tests to delete each others bindings.
-	clusterRoleBinding.Name = ns + "-" + clusterRoleBinding.Name
-
+	clusterRoleBinding.Name = cr.Name
+	clusterRoleBinding.RoleRef.Name = cr.Name
 	clusterRoleBinding.Subjects[0].Namespace = ns

-	_, err = f.KubeClient.RbacV1().ClusterRoleBindings().Get(ctx, clusterRoleBinding.Name, metav1.GetOptions{})
-	if err != nil && !apierrors.IsNotFound(err) {
-		return finalizerFn, err
-	}
+	finalizerFn := func() error { return f.deleteClusterRoleBinding(ctx, clusterRoleBinding.Name) }
+
+	_, err = f.KubeClient.RbacV1().ClusterRoleBindings().Get(ctx, clusterRoleBinding.Name, metav1.GetOptions{})
+	if err != nil {
+		if !apierrors.IsNotFound(err) {
+			return nil, err
+		}

-	if apierrors.IsNotFound(err) {
-		// ClusterRoleBinding doesn't exists -> Create
 		_, err = f.KubeClient.RbacV1().ClusterRoleBindings().Create(ctx, clusterRoleBinding, metav1.CreateOptions{})
 		if err != nil {
-			return finalizerFn, err
-		}
-	} else {
-		// ClusterRoleBinding already exists -> Update
-		_, err = f.KubeClient.RbacV1().ClusterRoleBindings().Update(ctx, clusterRoleBinding, metav1.UpdateOptions{})
-		if err != nil {
-			return finalizerFn, err
+			return nil, err
 		}
+
+		return finalizerFn, nil
 	}

-	return finalizerFn, err
+	// ClusterRoleBinding already exists -> Update
+	_, err = f.KubeClient.RbacV1().ClusterRoleBindings().Update(ctx, clusterRoleBinding, metav1.UpdateOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	return finalizerFn, nil
 }

-func (f *Framework) DeleteClusterRoleBinding(ctx context.Context, ns string, source string) error {
-	clusterRoleBinding, err := parseClusterRoleYaml(source)
-	if err != nil {
+func (f *Framework) deleteClusterRoleBinding(ctx context.Context, crbName string) error {
+	err := f.KubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, crbName, metav1.DeleteOptions{})
+	if err != nil && !apierrors.IsNotFound(err) {
 		return err
 	}

-	// Make sure to delete the specific cluster role binding for the namespace
-	// it was created preventing concurrent tests to delete each others bindings.
-	clusterRoleBinding.Name = ns + "-" + clusterRoleBinding.Name
-
-	return f.KubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, clusterRoleBinding.Name, metav1.DeleteOptions{})
+	return nil
 }

 func parseClusterRoleBindingYaml(source string) (*rbacv1.ClusterRoleBinding, error) {
--- a/test/framework/context.go
+++ b/test/framework/context.go
@ -271,6 +271,7 @@ func (ctx *TestCtx) ID() string {
 }

 func (ctx *TestCtx) Cleanup(t *testing.T) {
+	t.Helper()
 	var eg errgroup.Group

 	for i := len(ctx.cleanUpFns) - 1; i >= 0; i-- {
--- a/test/framework/framework.go
+++ b/test/framework/framework.go
@ -26,6 +26,7 @@ import (
 	"time"

 	"github.com/blang/semver/v4"
+	"github.com/cespare/xxhash/v2"
 	"github.com/gogo/protobuf/proto"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
@ -50,6 +51,7 @@ import (
 	v1monitoringclient "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned/typed/monitoring/v1"
 	v1alpha1monitoringclient "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned/typed/monitoring/v1alpha1"
 	v1beta1monitoringclient "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned/typed/monitoring/v1beta1"
+	"github.com/prometheus-operator/prometheus-operator/pkg/operator"
 )

 const (
@ -213,7 +215,7 @@ type PrometheusOperatorOpts struct {
 	ClusterRoleBindings    bool
 	EnableScrapeConfigs    bool
 	AdditionalArgs         []string
-	EnabledFeatureGates    []string
+	EnabledFeatureGates    []operator.FeatureGateName
 }

 func (f *Framework) CreateOrUpdatePrometheusOperator(
@ -226,7 +228,7 @@ func (f *Framework) CreateOrUpdatePrometheusOperator(
 	createResourceAdmissionHooks,
 	createClusterRoleBindings,
 	createScrapeConfigCrd bool,
-	enabledFeatureGates ...string,
+	enabledFeatureGates ...operator.FeatureGateName,
 ) ([]FinalizerFn, error) {
 	return f.CreateOrUpdatePrometheusOperatorWithOpts(
 		ctx,
@ -266,14 +268,21 @@ func (f *Framework) CreateOrUpdatePrometheusOperatorWithOpts(
 		return nil, fmt.Errorf("failed to create or update prometheus operator service account: %w", err)
 	}

-	clusterRole, err := f.CreateOrUpdateClusterRole(ctx, fmt.Sprintf("%s/rbac/prometheus-operator/prometheus-operator-cluster-role.yaml", f.exampleDir))
+	clusterRole, err := clusterRoleFromYaml(opts.Namespace, f.exampleDir+"/rbac/prometheus-operator/prometheus-operator-cluster-role.yaml")
 	if err != nil {
-		return nil, fmt.Errorf("failed to create or update prometheus cluster role: %w", err)
+		return nil, fmt.Errorf("failed to load prometheus-operator cluster role: %w", err)
 	}

-	// Add CRD rbac rules
+	// Use a unique cluster role name to avoid parallel tests doing concurrent
+	// updates to the same resource.
+	xxh := xxhash.New()
+	if _, err := xxh.Write([]byte(opts.Namespace)); err != nil {
+		return nil, fmt.Errorf("failed to write hash: %w", err)
+	}
+	clusterRole.Name = fmt.Sprintf("%s-%x", clusterRole.Name, xxh.Sum64())
+
 	clusterRole.Rules = append(clusterRole.Rules, CRDCreateRule, CRDMonitoringRule)
-	if slices.Contains(opts.EnabledFeatureGates, "PrometheusAgentDaemonSet") {
+	if slices.Contains(opts.EnabledFeatureGates, operator.PrometheusAgentDaemonSetFeature) {
 		daemonsetRule := rbacv1.PolicyRule{
 			APIGroups: []string{"apps"},
 			Resources: []string{"daemonsets"},
@ -281,15 +290,22 @@ func (f *Framework) CreateOrUpdatePrometheusOperatorWithOpts(
 		}
 		clusterRole.Rules = append(clusterRole.Rules, daemonsetRule)
 	}
-	if err := f.UpdateClusterRole(ctx, clusterRole); err != nil {
-		return nil, fmt.Errorf("failed to update prometheus cluster role: %w", err)
+
+	clusterRole, err = f.CreateOrUpdateClusterRole(ctx, clusterRole)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create/update prometheus cluster role: %w", err)
 	}
+	finalizers = append(finalizers, func() error {
+		return f.DeleteClusterRole(ctx, clusterRole.Name)
+	})

 	if opts.ClusterRoleBindings {
 		// Grant permissions on all namespaces.
-		if _, err := f.createOrUpdateClusterRoleBinding(ctx, opts.Namespace, fmt.Sprintf("%s/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml", f.exampleDir)); err != nil {
+		fn, err := f.createOrUpdateClusterRoleBinding(ctx, opts.Namespace, clusterRole, f.exampleDir+"/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml")
+		if err != nil {
 			return nil, fmt.Errorf("failed to create or update prometheus cluster role binding: %w", err)
 		}
+		finalizers = append(finalizers, fn)
 	} else {
 		// Grant permissions on specific namespaces.
 		var namespaces []string
@ -298,7 +314,7 @@ func (f *Framework) CreateOrUpdatePrometheusOperatorWithOpts(
 		namespaces = append(namespaces, opts.AlertmanagerNamespaces...)

 		for _, n := range namespaces {
-			if _, err := f.CreateOrUpdateRoleBindingForSubjectNamespace(ctx, n, opts.Namespace, fmt.Sprintf("%s/prometheus-operator-role-binding.yaml", f.resourcesDir)); err != nil {
+			if _, err := f.createOrUpdateRoleBindingForSubjectNamespace(ctx, n, opts.Namespace, clusterRole, fmt.Sprintf("%s/prometheus-operator-role-binding.yaml", f.resourcesDir)); err != nil {
 				return nil, fmt.Errorf("failed to create or update prometheus operator role binding: %w", err)
 			}
 		}
@ -392,7 +408,7 @@ func (f *Framework) CreateOrUpdatePrometheusOperatorWithOpts(
 		return nil, fmt.Errorf("failed to create or update prometheus-operator TLS secret: %w", err)
 	}

-	deploy, err := MakeDeployment(fmt.Sprintf("%s/rbac/prometheus-operator/prometheus-operator-deployment.yaml", f.exampleDir))
+	deploy, err := MakeDeployment(f.exampleDir + "/rbac/prometheus-operator/prometheus-operator-deployment.yaml")
 	if err != nil {
 		return nil, err
 	}
@ -542,14 +558,8 @@ func (f *Framework) CreateOrUpdatePrometheusOperatorWithOpts(
 	return finalizers, nil
 }

-// DeletePrometheusOperatorClusterResource delete Prometheus Operator cluster wide resources
-// if the resource is found.
+// DeletePrometheusOperatorClusterResource delete Prometheus Operator cluster wide resources.
 func (f *Framework) DeletePrometheusOperatorClusterResource(ctx context.Context) error {
-	err := f.DeleteClusterRole(ctx, fmt.Sprintf("%s/rbac/prometheus-operator/prometheus-operator-cluster-role.yaml", f.exampleDir))
-	if err != nil && !apierrors.IsNotFound(err) {
-		return fmt.Errorf("failed to delete prometheus cluster role: %w", err)
-	}
-
 	group := monitoring.GroupName

 	alertmanagerCRD, err := f.MakeCRD(fmt.Sprintf("%s/prometheus-operator-crd/%s_%s.yaml", f.exampleDir, group, monitoringv1.AlertmanagerName))
@ -655,42 +665,54 @@ func (f *Framework) DeletePrometheusOperatorClusterResource(ctx context.Context)
 }

 func (f *Framework) SetupPrometheusRBAC(ctx context.Context, t *testing.T, testCtx *TestCtx, ns string) {
-	if _, err := f.CreateOrUpdateClusterRole(ctx, fmt.Sprintf("%s/rbac/prometheus/prometheus-cluster-role.yaml", f.exampleDir)); err != nil && !apierrors.IsAlreadyExists(err) {
+	t.Helper()
+
+	clusterRole, err := clusterRoleFromYaml(ns, f.exampleDir+"/rbac/prometheus/prometheus-cluster-role.yaml")
+	if err != nil {
+		t.Fatalf("failed to load prometheus cluster role: %v", err)
+	}
+
+	cr, err := f.CreateOrUpdateClusterRole(ctx, clusterRole)
+	if err != nil {
 		t.Fatalf("failed to create or update prometheus cluster role: %v", err)
 	}
-	if finalizerFn, err := f.createOrUpdateServiceAccount(ctx, ns, fmt.Sprintf("%s/rbac/prometheus/prometheus-service-account.yaml", f.exampleDir)); err != nil {
-		t.Fatal(fmt.Errorf("failed to create or update prometheus service account: %w", err))
-	} else {
-		if testCtx != nil {
-			testCtx.AddFinalizerFn(finalizerFn)
-		}

+	finalizerFn, err := f.createOrUpdateServiceAccount(ctx, ns, f.exampleDir+"/rbac/prometheus/prometheus-service-account.yaml")
+	if err != nil {
+		t.Fatalf("failed to create or update prometheus service account: %v", err)
 	}
+	testCtx.AddFinalizerFn(finalizerFn)

-	if finalizerFn, err := f.CreateOrUpdateRoleBinding(ctx, ns, fmt.Sprintf("%s/prometheus-role-binding.yml", f.resourcesDir)); err != nil {
-		t.Fatal(fmt.Errorf("failed to create prometheus role binding: %w", err))
-	} else {
-		if testCtx != nil {
-			testCtx.AddFinalizerFn(finalizerFn)
-		}
+	finalizerFn, err = f.createOrUpdateRoleBinding(ctx, ns, cr, f.resourcesDir+"/prometheus-role-binding.yml")
+	if err != nil {
+		t.Fatalf("failed to create prometheus role binding: %v", err)
 	}
+	testCtx.AddFinalizerFn(finalizerFn)
 }

 func (f *Framework) SetupPrometheusRBACGlobal(ctx context.Context, t *testing.T, testCtx *TestCtx, ns string) {
-	if _, err := f.CreateOrUpdateClusterRole(ctx, "../../example/rbac/prometheus/prometheus-cluster-role.yaml"); err != nil && !apierrors.IsAlreadyExists(err) {
-		t.Fatalf("failed to create or update prometheus cluster role: %v", err)
-	}
-	if finalizerFn, err := f.createOrUpdateServiceAccount(ctx, ns, "../../example/rbac/prometheus/prometheus-service-account.yaml"); err != nil {
-		t.Fatal(fmt.Errorf("failed to create or update prometheus service account: %w", err))
-	} else {
-		testCtx.AddFinalizerFn(finalizerFn)
+	t.Helper()
+
+	clusterRole, err := clusterRoleFromYaml(ns, f.exampleDir+"/rbac/prometheus/prometheus-cluster-role.yaml")
+	if err != nil {
+		t.Fatalf("failed to load prometheus cluster role: %v", err)
 	}

-	if finalizerFn, err := f.createOrUpdateClusterRoleBinding(ctx, ns, "../../example/rbac/prometheus/prometheus-cluster-role-binding.yaml"); err != nil && !apierrors.IsAlreadyExists(err) {
-		t.Fatal(fmt.Errorf("failed to create or update prometheus cluster role binding: %w", err))
-	} else {
-		testCtx.AddFinalizerFn(finalizerFn)
+	if _, err := f.CreateOrUpdateClusterRole(ctx, clusterRole); err != nil && !apierrors.IsAlreadyExists(err) {
+		t.Fatalf("failed to create or update prometheus cluster role: %v", err)
 	}
+
+	finalizerFn, err := f.createOrUpdateServiceAccount(ctx, ns, f.exampleDir+"/rbac/prometheus/prometheus-service-account.yaml")
+	if err != nil {
+		t.Fatalf("failed to create or update prometheus service account: %v", err)
+	}
+	testCtx.AddFinalizerFn(finalizerFn)
+
+	finalizerFn, err = f.createOrUpdateClusterRoleBinding(ctx, ns, clusterRole, f.exampleDir+"/rbac/prometheus/prometheus-cluster-role-binding.yaml")
+	if err != nil {
+		t.Fatalf("failed to create or update prometheus cluster role binding: %v", err)
+	}
+	testCtx.AddFinalizerFn(finalizerFn)
 }

 func (f *Framework) configureAlertmanagerConfigConversion(ctx context.Context, svc *v1.Service, cert []byte) (FinalizerFn, error) {
--- a/test/framework/role_binding.go
+++ b/test/framework/role_binding.go
@ -24,13 +24,11 @@ import (
 	"k8s.io/apimachinery/pkg/util/yaml"
 )

-func (f *Framework) CreateOrUpdateRoleBinding(ctx context.Context, ns string, relativePath string) (FinalizerFn, error) {
-	return f.CreateOrUpdateRoleBindingForSubjectNamespace(ctx, ns, "", relativePath)
+func (f *Framework) createOrUpdateRoleBinding(ctx context.Context, ns string, cr *rbacv1.ClusterRole, relativePath string) (FinalizerFn, error) {
+	return f.createOrUpdateRoleBindingForSubjectNamespace(ctx, ns, "", cr, relativePath)
 }

-func (f *Framework) CreateOrUpdateRoleBindingForSubjectNamespace(ctx context.Context, ns, subjectNs string, source string) (FinalizerFn, error) {
-	finalizerFn := func() error { return f.DeleteRoleBinding(ctx, ns, source) }
-
+func (f *Framework) createOrUpdateRoleBindingForSubjectNamespace(ctx context.Context, ns, subjectNs string, cr *rbacv1.ClusterRole, source string) (FinalizerFn, error) {
 	roleBinding, err := f.parseRoleBindingYaml(source)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse role binding manifest: %w", err)
@ -41,19 +39,22 @@ func (f *Framework) CreateOrUpdateRoleBindingForSubjectNamespace(ctx context.Con
 			roleBinding.Subjects[i].Namespace = subjectNs
 		}
 	}
+	roleBinding.RoleRef.Name = cr.Name
+
+	finalizerFn := func() error { return f.deleteRoleBinding(ctx, ns, roleBinding.Name) }

 	_, err = f.KubeClient.RbacV1().RoleBindings(ns).Get(ctx, roleBinding.Name, metav1.GetOptions{})
-	if err != nil && !apierrors.IsNotFound(err) {
-		return nil, fmt.Errorf("failed to get role binding: %w", err)
-	}
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			_, err = f.KubeClient.RbacV1().RoleBindings(ns).Create(ctx, roleBinding, metav1.CreateOptions{})
+			if err != nil {
+				return nil, fmt.Errorf("failed to create role binding: %w", err)
+			}

-	if apierrors.IsNotFound(err) {
-		_, err = f.KubeClient.RbacV1().RoleBindings(ns).Create(ctx, roleBinding, metav1.CreateOptions{})
-		if err != nil {
-			return nil, fmt.Errorf("failed to create role binding: %w", err)
+			return finalizerFn, nil
 		}

-		return finalizerFn, nil
+		return nil, fmt.Errorf("failed to get role binding: %w", err)
 	}

 	_, err = f.KubeClient.RbacV1().RoleBindings(ns).Update(ctx, roleBinding, metav1.UpdateOptions{})
@ -64,13 +65,13 @@ func (f *Framework) CreateOrUpdateRoleBindingForSubjectNamespace(ctx context.Con
 	return finalizerFn, nil
 }

-func (f *Framework) DeleteRoleBinding(ctx context.Context, ns string, source string) error {
-	roleBinding, err := f.parseRoleBindingYaml(source)
-	if err != nil {
+func (f *Framework) deleteRoleBinding(ctx context.Context, ns, name string) error {
+	err := f.KubeClient.RbacV1().RoleBindings(ns).Delete(ctx, name, metav1.DeleteOptions{})
+	if err != nil && !apierrors.IsNotFound(err) {
 		return err
 	}

-	return f.KubeClient.RbacV1().RoleBindings(ns).Delete(ctx, roleBinding.Name, metav1.DeleteOptions{})
+	return nil
 }

 func (f *Framework) parseRoleBindingYaml(source string) (*rbacv1.RoleBinding, error) {
--- a/test/framework/service_account.go
+++ b/test/framework/service_account.go
@ -24,33 +24,36 @@ import (
 )

 func (f *Framework) createOrUpdateServiceAccount(ctx context.Context, namespace string, source string) (FinalizerFn, error) {
-	finalizerFn := func() error { return f.DeleteServiceAccount(ctx, namespace, source) }
-
 	serviceAccount, err := parseServiceAccountYaml(source)
 	if err != nil {
-		return finalizerFn, err
+		return nil, err
 	}
+
 	serviceAccount.Namespace = namespace
+	finalizer := func() error { return f.deleteServiceAccount(ctx, namespace, serviceAccount.Name) }
+
 	_, err = f.KubeClient.CoreV1().ServiceAccounts(namespace).Get(ctx, serviceAccount.Name, metav1.GetOptions{})
-	if err != nil && !apierrors.IsNotFound(err) {
-		return finalizerFn, err
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			// ServiceAccount doesn't exists -> Create
+			_, err = f.KubeClient.CoreV1().ServiceAccounts(namespace).Create(ctx, serviceAccount, metav1.CreateOptions{})
+			if err != nil {
+				return nil, err
+			}
+
+			return finalizer, nil
+		}
+
+		return nil, err
 	}

-	if apierrors.IsNotFound(err) {
-		// ServiceAccount doesn't exists -> Create
-		_, err = f.KubeClient.CoreV1().ServiceAccounts(namespace).Create(ctx, serviceAccount, metav1.CreateOptions{})
-		if err != nil {
-			return finalizerFn, err
-		}
-	} else {
-		// ServiceAccount already exists -> Update
-		_, err = f.KubeClient.CoreV1().ServiceAccounts(namespace).Update(ctx, serviceAccount, metav1.UpdateOptions{})
-		if err != nil {
-			return finalizerFn, err
-		}
+	// ServiceAccount already exists -> Update
+	_, err = f.KubeClient.CoreV1().ServiceAccounts(namespace).Update(ctx, serviceAccount, metav1.UpdateOptions{})
+	if err != nil {
+		return nil, err
 	}

-	return finalizerFn, nil
+	return finalizer, nil
 }

 func parseServiceAccountYaml(source string) (*v1.ServiceAccount, error) {
@ -67,11 +70,11 @@ func parseServiceAccountYaml(source string) (*v1.ServiceAccount, error) {
 	return &serviceAccount, nil
 }

-func (f *Framework) DeleteServiceAccount(ctx context.Context, namespace string, source string) error {
-	serviceAccount, err := parseServiceAccountYaml(source)
-	if err != nil {
+func (f *Framework) deleteServiceAccount(ctx context.Context, namespace, name string) error {
+	err := f.KubeClient.CoreV1().ServiceAccounts(namespace).Delete(ctx, name, metav1.DeleteOptions{})
+	if err != nil && !apierrors.IsNotFound(err) {
 		return err
 	}

-	return f.KubeClient.CoreV1().ServiceAccounts(namespace).Delete(ctx, serviceAccount.Name, metav1.DeleteOptions{})
+	return nil
 }