[OpenShift] Add rbac files to pipelines while adding release yaml

in #369, openshift specific files were removed. this adds them back but in kodata/openshift dir and make get-releases will add them to target directory ie. tektoncd-pipelines while adding release yaml Signed-off-by: Shivam Mukhade <smukhade@redhat.com>
tektoncd · Aug 5, 2021 · 6fd6a99 · 6fd6a99
1 parent c8dad73
commit 6fd6a99
Show file tree

Hide file tree

Showing 5 changed files with 100 additions and 10 deletions.
diff --git a/...prereconcile/openshift-pipelines-scc.yaml → ...prereconcile/openshift-pipelines-scc.yaml b/...prereconcile/openshift-pipelines-scc.yaml → ...prereconcile/openshift-pipelines-scc.yaml
diff --git a/cmd/openshift/operator/kodata/openshift/pipelines-rbac/01-clusterrole.yaml b/cmd/openshift/operator/kodata/openshift/pipelines-rbac/01-clusterrole.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pipelines-scc-role
+rules:
+- apiGroups: [security.openshift.io]
+  resourceNames: [nonroot]
+  resources: [securitycontextconstraints]
+  verbs: [use]
diff --git a/cmd/openshift/operator/kodata/openshift/pipelines-rbac/02-rolebinding.yaml b/cmd/openshift/operator/kodata/openshift/pipelines-rbac/02-rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: openshift-pipelines-permission
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pipelines-scc-role
+subjects:
+- kind: ServiceAccount
+  name: tekton-pipelines-controller
+  namespace: openshift-pipelines
diff --git a/cmd/openshift/operator/kodata/openshift/pipelines-rbac/03-monitoring.yaml b/cmd/openshift/operator/kodata/openshift/pipelines-rbac/03-monitoring.yaml
@@ -0,0 +1,68 @@
+---
+# Copyright 2018 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: openshift-pipelines-read
+  namespace: tekton-pipelines
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: openshift-pipelines-prometheus-k8s-read-binding
+  namespace: tekton-pipelines
+  annotations:
+    operator.tekton.dev/preserve-rb-subject-namespace: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-pipelines-read
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: openshift-monitoring
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app: controller
+  annotations:
+    networkoperator.openshift.io/ignore-errors: ""
+  name: openshift-pipelines-monitor
+  namespace: tekton-pipelines
+spec:
+  endpoints:
+    - interval: 10s
+      port: http-metrics
+  jobLabel: app
+  namespaceSelector:
+    matchNames:
+      - openshift-pipelines
+  selector:
+    matchLabels:
+      app: tekton-pipelines-controller
diff --git a/hack/fetch-releases.sh b/hack/fetch-releases.sh
@@ -39,17 +39,12 @@ release_yaml() {
       ;;
   esac
 
-  # remove existing versions
-  comp_dir=${SCRIPT_DIR}/cmd/${TARGET}/operator/kodata/tekton-${dir}
+  ko_data=${SCRIPT_DIR}/cmd/${TARGET}/operator/kodata
+  comp_dir=${ko_data}/tekton-${dir}
 
-  # In case of openshift pipelines we have 00-prereconcile preserve it
-  # when removing and adding new version
-  if [[ ${TARGET} == "openshift" ]] && [[ ${comp} == "pipeline" ]]; then
-    mv ${comp_dir}/00-prereconcile /tmp/00-prereconcile/ || true
-    rm -rf ${comp_dir}/*
-    mv /tmp/00-prereconcile/ ${comp_dir}/00-prereconcile/ || true
-  # while adding release for interceptor ignore removing existing version
-  elif [[ ${releaseFileName} != "interceptors" ]] ; then
+  # before adding releases, remove existing version directories
+  # ignore while adding for interceptors
+  if [[ ${releaseFileName} != "interceptors" ]] ; then
     rm -rf ${comp_dir}/*
   fi
 
@@ -67,6 +62,12 @@ release_yaml() {
       exit 1
   fi
 
+  # Add OpenShift specific files for pipelines
+  if [[ ${TARGET} == "openshift" ]] && [[ ${comp} == "pipeline" ]]; then
+    cp -r ${ko_data}/openshift/00-prereconcile ${comp_dir}/
+    cp ${ko_data}/openshift/pipelines-rbac/* ${dirPath}/
+  fi
+
   echo "Info: Added $comp/$releaseFileName:$version release yaml !!"
 }