Get rid of managed gitops permissions in kubesaw

We no longer deploy managed gitops service, clean up the user permissions. Signed-off-by: Hugo Ares <[email protected]>
redhat-appstudio · Nov 13, 2024 · fef3c96 · fef3c96
1 parent eaf916f
commit fef3c96
Show file tree

Hide file tree

Showing 40 changed files with 4,848 additions and 68 deletions.
diff --git a/components/sandbox/tiers/production/appstudio/kustomization.yaml b/components/sandbox/tiers/production/appstudio/kustomization.yaml
@@ -6,21 +6,25 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - nstemplatetier-appstudio.yaml
+- tiertemplate-appstudio-admin-1038607973-1038607973.yaml
 - tiertemplate-appstudio-admin-1876853981-1876853981.yaml
 - tiertemplate-appstudio-admin-2415879015-2415879015.yaml
 - tiertemplate-appstudio-admin-849337768-849337768.yaml
 - tiertemplate-appstudio-clusterresources-3180033938-3180033938.yaml
 - tiertemplate-appstudio-clusterresources-593233715-593233715.yaml
 - tiertemplate-appstudio-clusterresources-809836689-809836689.yaml
 - tiertemplate-appstudio-contributor-1817914940-1817914940.yaml
+- tiertemplate-appstudio-contributor-674648168-674648168.yaml
 - tiertemplate-appstudio-contributor-829105171-829105171.yaml
 - tiertemplate-appstudio-maintainer-1904354742-1904354742.yaml
+- tiertemplate-appstudio-maintainer-2067287336-2067287336.yaml
 - tiertemplate-appstudio-maintainer-293087644-293087644.yaml
 - tiertemplate-appstudio-maintainer-474752551-474752551.yaml
 - tiertemplate-appstudio-tenant-199961605-199961605.yaml
 - tiertemplate-appstudio-tenant-2313893948-2313893948.yaml
 - tiertemplate-appstudio-tenant-3815075241-3815075241.yaml
 - tiertemplate-appstudio-tenant-4121561789-4121561789.yaml
 - tiertemplate-appstudio-tenant-649666048-649666048.yaml
+- tiertemplate-appstudio-viewer-2629034250-2629034250.yaml
 - tiertemplate-appstudio-viewer-4059797645-4059797645.yaml
 - tiertemplate-appstudio-viewer-4256863455-4256863455.yaml
diff --git a/components/sandbox/tiers/production/appstudio/nstemplatetier-appstudio.yaml b/components/sandbox/tiers/production/appstudio/nstemplatetier-appstudio.yaml
@@ -14,11 +14,11 @@ spec:
   - templateRef: appstudio-tenant-4121561789-4121561789
   spaceRoles:
     admin:
-      templateRef: appstudio-admin-849337768-849337768
+      templateRef: appstudio-admin-1038607973-1038607973
     contributor:
-      templateRef: appstudio-contributor-829105171-829105171
+      templateRef: appstudio-contributor-674648168-674648168
     maintainer:
-      templateRef: appstudio-maintainer-474752551-474752551
+      templateRef: appstudio-maintainer-2067287336-2067287336
     viewer:
-      templateRef: appstudio-viewer-4256863455-4256863455
+      templateRef: appstudio-viewer-2629034250-2629034250
 status: {}
diff --git a/...andbox/tiers/production/appstudio/tiertemplate-appstudio-admin-1038607973-1038607973.yaml b/...andbox/tiers/production/appstudio/tiertemplate-appstudio-admin-1038607973-1038607973.yaml
@@ -0,0 +1,270 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: appstudio-admin-1038607973-1038607973
+  namespace: toolchain-host-operator
+spec:
+  revision: 1038607973-1038607973
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects:
+    - apiVersion: rbac.authorization.k8s.io/v1
+      kind: Role
+      metadata:
+        name: appstudio-admin-user-actions
+        namespace: ${NAMESPACE}
+      rules:
+      - apiGroups:
+        - appstudio.redhat.com
+        resources:
+        - applications
+        - components
+        - imagerepositories
+        - componentdetectionqueries
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+        - deletecollection
+      - apiGroups:
+        - appstudio.redhat.com
+        resources:
+        - promotionruns
+        - snapshotenvironmentbindings
+        - snapshots
+        - environments
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - appstudio.redhat.com
+        resources:
+        - deploymenttargets
+        - deploymenttargetclaims
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - tekton.dev
+        resources:
+        - pipelineruns
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - results.tekton.dev
+        resources:
+        - results
+        - records
+        - logs
+        verbs:
+        - get
+        - list
+      - apiGroups:
+        - appstudio.redhat.com
+        resources:
+        - enterprisecontractpolicies
+        - integrationtestscenarios
+        - releases
+        - releasestrategies
+        - releaseplans
+        - releaseplanadmissions
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - jvmbuildservice.io
+        resources:
+        - jbsconfigs
+        - artifactbuilds
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - ""
+        resources:
+        - secrets
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - ""
+        resources:
+        - configmaps
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - appstudio.redhat.com
+        resources:
+        - buildpipelineselectors
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - ""
+        resourceNames:
+        - appstudio-pipeline
+        resources:
+        - serviceaccounts
+        verbs:
+        - get
+        - list
+        - watch
+        - update
+        - patch
+      - apiGroups:
+        - ""
+        resources:
+        - pods/exec
+        verbs:
+        - create
+      - apiGroups:
+        - toolchain.dev.openshift.com
+        resources:
+        - spacebindingrequests
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - projctl.konflux.dev
+        resources:
+        - projects
+        - projectdevelopmentstreams
+        - projectdevelopmentstreamtemplates
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - external-secrets.io
+        resources:
+        - secretstores
+        - externalsecrets
+        verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - rbac.authorization.k8s.io
+        resources:
+        - roles
+        - rolebindings
+        verbs:
+        - get
+        - list
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - ""
+        resources:
+        - serviceaccounts
+        verbs:
+        - get
+        - list
+        - create
+        - update
+        - patch
+        - delete
+      - apiGroups:
+        - ""
+        resources:
+        - serviceaccounts/token
+        verbs:
+        - create
+    - apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      metadata:
+        name: appstudio-admin-${USERNAME}-actions-user
+        namespace: ${NAMESPACE}
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Role
+        name: appstudio-admin-user-actions
+      subjects:
+      - kind: User
+        name: ${USERNAME}
+    - apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      metadata:
+        name: appstudio-${USERNAME}-view-user
+        namespace: ${NAMESPACE}
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: view
+      subjects:
+      - kind: User
+        name: ${USERNAME}
+    parameters:
+    - name: NAMESPACE
+      required: true
+    - name: USERNAME
+      required: true
+  tierName: appstudio
+  type: admin