diff --git a/developer/config.yaml b/developer/config.yaml index 565a562f9..22d17fd58 100644 --- a/developer/config.yaml +++ b/developer/config.yaml @@ -6,10 +6,10 @@ cluster_type: openshift # git_url refers to a git repo to be considered as the source of truth for Argo CD applications. -git_url: https://github.com/ramessesii2/pipeline-service.git +git_url: https://github.com/openshift-pipelines/pipeline-service.git # git_ref refers to the git repo's ref to be considered as the source of truth for Argo CD applications. -git_ref: RAMESSESII2/results-kube-rbac-proxy-test +git_ref: main # Applications to be deployed on the cluster apps: diff --git a/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml b/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml index 7cf4a21fe..99a71f57b 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml @@ -12,8 +12,8 @@ spec: server: https://kubernetes.default.svc source: path: developer/openshift/gitops/argocd/pipeline-service-o11y - repoURL: https://github.com/ramessesii2/pipeline-service.git - targetRevision: RAMESSESII2/results-kube-rbac-proxy-test + repoURL: https://github.com/openshift-pipelines/pipeline-service.git + targetRevision: main project: default syncPolicy: # Comment this out if you want to manually trigger deployments (using the diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage.yaml index 77db9ca42..ca01d2318 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-storage.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-storage.yaml 
@@ -12,8 +12,8 @@ spec:
 server: https://kubernetes.default.svc
 source:
 path: developer/openshift/gitops/argocd/pipeline-service-storage
- repoURL: https://github.com/ramessesii2/pipeline-service.git
- targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
+ repoURL: https://github.com/openshift-pipelines/pipeline-service.git
+ targetRevision: main
 project: default
 syncPolicy:
 # Comment this out if you want to manually trigger deployments (using the
diff --git a/developer/openshift/gitops/argocd/pipeline-service.yaml b/developer/openshift/gitops/argocd/pipeline-service.yaml
index 9d094ebc7..cfebefd9e 100644
--- a/developer/openshift/gitops/argocd/pipeline-service.yaml
+++ b/developer/openshift/gitops/argocd/pipeline-service.yaml
@@ -12,8 +12,8 @@ spec:
 server: https://kubernetes.default.svc
 source:
 path: developer/openshift/gitops/argocd/pipeline-service
- repoURL: https://github.com/ramessesii2/pipeline-service.git
- targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
+ repoURL: https://github.com/openshift-pipelines/pipeline-service.git
+ targetRevision: main
 project: default
 syncPolicy:
 # Comment this out if you want to manually trigger deployments (using the
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/api-kube-rbac-proxy.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/api-kube-rbac-proxy.yaml
index 0843dd88d..f57e4d71e 100644
--- a/operator/gitops/argocd/pipeline-service/tekton-results/api-kube-rbac-proxy.yaml
+++ b/operator/gitops/argocd/pipeline-service/tekton-results/api-kube-rbac-proxy.yaml
@@ -14,7 +14,7 @@ spec:
 - "--secure-listen-address=0.0.0.0:9443"
 - "--upstream=http://127.0.0.1:9090/"
 - "--logtostderr=true"
- - "--v=10"
+ - "--v=6"
 securityContext:
 allowPrivilegeEscalation: false
 seccompProfile:
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml
index 05cbef671..c685871f5 100644
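Review bot: The lowered `--v=6` on the api-kube-rbac-proxy container has no comment recording why that level was chosen, and the same change is made in watcher-kube-rbac-proxy.yaml further down. If kube-rbac-proxy follows the Kubernetes klog verbosity conventions, level 7 and above log HTTP request headers, which for this proxy would include the bearer tokens it validates, so 6 is the highest level that keeps credentials out of the container log; that reasoning belongs next to the flag so a later debugging session does not push it back to 10. Suggested comment above the line: `# --v=6: stay below 7 so request headers (bearer tokens) are never logged`. Whether 6 is still needed day to day or the default would do is also worth stating. The container definition starts outside the hunk.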
--- a/operator/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml
+++ b/operator/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - api-route.yaml
 - watcher-logging-rbac.yaml
 - service-monitor.yaml
+ - watcher-rbac.yaml
 images:
 - name: ko://github.com/tektoncd/results/cmd/api
@@ -43,7 +44,6 @@ patches:
 - path: watcher-service-sync.yaml
 - path: api-kube-rbac-proxy.yaml
 - path: watcher-kube-rbac-proxy.yaml
- - path: watcher-cr-patch.yaml
 - path: watcher-service-patch.yaml
 target:
 version: v1
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-cr-patch.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-cr-patch.yaml
deleted file mode 100644
index aa08f47b0..000000000
--- a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-cr-patch.yaml
+++ /dev/null
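Review bot: Removing `watcher-cr-patch.yaml` from `patches` changes how the watcher ServiceAccount's permissions are assembled, and the added resource `watcher-rbac.yaml` covers only part of what the patch held. The deleted patch replaced the upstream `watcher` ClusterRole's whole `rules` list (results/records, pipelineruns/taskruns, configmaps/pods, pods/log, leases, and the two review APIs), while the new file grants only tokenreviews and subjectaccessreviews, so every other verb now comes from the upstream Tekton Results manifest alone. It is worth confirming that the upstream role is not broader than the deleted list (that list carried `delete` on pipelineruns/taskruns, for instance) and recording the result in the commit message, since this is a change to the watcher's privilege surface that the diff itself does not show. A trailing comment on the added line, `- watcher-rbac.yaml  # adds only TokenReview/SubjectAccessReview; all other watcher rules come from upstream`, would make the split explicit.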
@@ -1,37 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: watcher
-rules:
- # Watcher needs to be able to create new and update existing results.
- - apiGroups: ["results.tekton.dev"]
- resources: ["logs", "results", "records"]
- verbs: ["create", "get", "update"]
- # Needed to read results and update annotations with Result ID.
- - apiGroups: ["tekton.dev"]
- resources: ["pipelineruns", "taskruns"]
- verbs: ["get", "list", "patch", "update", "watch", "delete"]
- # Watcher currently get config from APISever, so will
- # fail to start if it does not have this permission.
- - apiGroups: [""]
- resources: ["configmaps", "pods"]
- verbs: ["get", "list", "watch"]
- # Required to read logs, when logs API is enabled
- - apiGroups: [""]
- resources: ["pods/log"]
- verbs: ["get"]
- - apiGroups: ["tekton.dev"]
- resources: ["pipelines"]
- verbs: ["get"]
- # Required for enabling leader election.
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- # Watcher needs to be able to verify incoming auth tokens.
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- # Watcher needs to be able to use RBAC to verify user authorization.
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-kube-rbac-proxy.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-kube-rbac-proxy.yaml
index 724d89308..a53b64637 100644
--- a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-kube-rbac-proxy.yaml
+++ b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-kube-rbac-proxy.yaml
@@ -14,7 +14,7 @@ spec:
 - "--secure-listen-address=0.0.0.0:8443"
 - "--upstream=http://127.0.0.1:9090/"
 - "--logtostderr=true"
- - "--v=10"
+ - "--v=6"
 securityContext:
 allowPrivilegeEscalation: false
 seccompProfile:
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-rbac.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-rbac.yaml
new file mode 100644
index 000000000..294f43c2c
--- /dev/null
+++ b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-rbac.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tekton-results-watcher-rbac
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+rules:
+ # Watcher needs to be able to verify incoming auth tokens.
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ # Watcher needs to be able to use RBAC to verify user authorization.
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-results-watcher-rbac
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+subjects:
+ - kind: ServiceAccount
+ name: watcher
+ namespace: tekton-pipelines
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tekton-results-watcher-rbac
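Review bot: The ClusterRoleBinding at the end of the new watcher-rbac.yaml hardcodes the subject namespace `tekton-pipelines`, and nothing in the diff shows the kustomization pinning that namespace. If the `watcher` ServiceAccount ends up anywhere else, the binding grants nothing and the failure only surfaces at runtime as rejected TokenReview/SubjectAccessReview calls, not at apply time. A comment on the subject, `namespace: tekton-pipelines  # must match the namespace the tekton-results watcher is deployed to`, would make the coupling visible to whoever next moves the deployment. The rules themselves (`create` on tokenreviews and subjectaccessreviews only) are the minimal set for token verification and are an improvement over patching the upstream role wholesale.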