Better templating, better rbac
authorAdam A.G. Shamblin <adam@vexingworkshop.com>
Sun, 14 Nov 2021 03:23:00 +0000 (20:23 -0700)
committerAdam A.G. Shamblin <adam@vexingworkshop.com>
Sun, 14 Nov 2021 03:23:00 +0000 (20:23 -0700)
.gitignore
charts/pipeline/templates/ingress.yaml
charts/pipeline/templates/rbac.yaml
charts/pipeline/templates/trigger.yaml
charts/pipeline/values.yaml
cosign.pub [new file with mode: 0644]

index 11468618ff041e1346bbdf2dea0af83aac659b56..e6e3288590488a852f0b185a2fee7f8cb2a00612 100644 (file)
@@ -1,4 +1,3 @@
-cosign.*
 __pycache__
 output
 *.bak
index 95d25e70341650fecb8561522a90f4e3649b35c7..2a1b5ce4aa6501a3ea8f166ed25df5f8ae1c8b4e 100644 (file)
@@ -8,17 +8,17 @@ metadata:
     cert-manager.io/cluster-issuer: "acme-prod"
 spec:
   rules:
-  - host: trigger.vexingworkshop.com
+  - host: {{ .Values.ingress.host }}
     http:
       paths:
       - backend:
           service:
-            name: el-cluster-listener
+            name: {{ .Values.ingress.service }}
             port:
               number: 8080
         path: /
         pathType: ImplementationSpecific
   tls:
     - hosts:
-      - trigger.vexingworkshop.com
-      secretName: vexing-tls
+      - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tlsSecretName }}
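Review bot: The templated `host:` (rules and tls) and `secretName:` values render unquoted, so an unset `ingress.host` or `ingress.tlsSecretName` produces an empty scalar and the chart installs an Ingress with a null host (which matches all inbound traffic) and no TLS secret instead of failing at render time. Use `host: {{ required "ingress.host is required" .Values.ingress.host | quote }}` for both host lines and `secretName: {{ required "ingress.tlsSecretName is required" .Values.ingress.tlsSecretName | quote }}` so a missing value aborts `helm install`. Note that this Ingress exposes the listener on `path: /` to whatever can reach the host; the interceptors on the EventListener (not in this diff) are then the only gate before PipelineRun creation, so it is worth stating in values.yaml that `ingress.host` is internet-facing.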
index 34e9ea98de8f8bf806e32a1d9064ec84256e0211..39ec8d8727ee87af7c40c375e87bf06a7b664eda 100644 (file)
@@ -1,6 +1,6 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: event-listener-role
 rules:
@@ -14,7 +14,6 @@ rules:
   - apiGroups:
       - triggers.tekton.dev
     resources:
-      - clusterinterceptors
       - eventlisteners
       - pipelineruns
       - triggers
@@ -35,7 +34,7 @@ rules:
       - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: event-listener-rolebinding
 subjects:
@@ -43,12 +42,39 @@ subjects:
     name: {{ .Values.serviceAccount.listener }}
     namespace: {{ .Release.Namespace }}
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: event-listener-role
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
+metadata:
+  name: interceptor-role
+rules:
+  - apiGroups:
+      - triggers.tekton.dev
+    resources:
+      - clusterinterceptors
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: interceptor-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.listener }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: interceptor-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   name: pipeline-role
 rules:
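Review bot: The new cluster-scoped objects `interceptor-role` and `interceptor-rolebinding` (and `pipeline-role`, now a ClusterRole) use fixed names with no release prefix, so a second install of this chart in another namespace collides with or silently adopts the first release's ClusterRole/ClusterRoleBinding. Prefix them, e.g. `name: {{ .Release.Name }}-interceptor-role` and the matching `roleRef.name`, so each release owns its own cluster-scoped RBAC. The ClusterRole for `clusterinterceptors` with get/list/watch is the right scope for a cluster-scoped resource; the `pipeline-role` definition whose kind changes at the end of this hunk continues past it, so its rules cannot be reviewed here.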
@@ -62,14 +88,14 @@ rules:
       - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: pipeline-rolebinding
 subjects:
   - kind: ServiceAccount
-    name: {{ .Values.serviceAccount.listener }}
+    name: {{ .Values.serviceAccount.pipeline }}
     namespace: {{ .Release.Namespace }}
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: pipeline-role
   apiGroup: rbac.authorization.k8s.io
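Review bot: Turning `pipeline-rolebinding` into a ClusterRoleBinding grants the `letters-pipeline` service account whatever `pipeline-role` allows in every namespace of the cluster, which widens the pipeline's blast radius in the same commit that narrows the listener to a namespaced Role. If the pipeline only creates and reads objects in its release namespace, keep the ClusterRole (so the rules are reusable) but bind it with a namespaced binding: change `kind: ClusterRoleBinding` to `kind: RoleBinding` and add `namespace: {{ .Release.Namespace }}` under `metadata:`, leaving `roleRef.kind: ClusterRole` as is. Reserve a ClusterRoleBinding for rules that genuinely target cluster-scoped resources; the rules of `pipeline-role` start above this hunk so I cannot confirm which case applies.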
index 78403c9a82780cf9bacbd12623c2f459589f9b08..fbf7f6c8a7351cefea3e6f704fcfe53cf68eb46b 100644 (file)
@@ -42,8 +42,12 @@ spec:
   params:
     - name: repo-url
       value: $(body.repository.url)
-    - name: image
-      value: ghcr.io/coyote240/letters:$(body.head_commit.id)
+    - name: owner
+      value: $(body.repository.owner.name)
+    - name: image-name
+      value: $(body.repository.name)
+    - name: commit
+      value: $(body.head_commit.id)
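Review bot: `owner`, `image-name` and `commit` are now taken verbatim from the webhook body and, with the TriggerTemplate change in this commit, are concatenated into the push target `ghcr.io/$(owner)/$(image-name):$(commit)`, whereas the removed line pinned the image to `ghcr.io/coyote240/letters`. Anyone who reaches the trigger ingress and gets past the listener's interceptors can therefore choose the registry path the build pushes to (within what the registry credential permits) as well as the `repo-url` it clones. Unless an interceptor already pins these (the EventListener is not in this diff), add a CEL filter on the trigger such as `body.repository.owner.name == 'coyote240' && body.repository.name == 'letters'` alongside GitHub webhook signature validation, or keep owner and repo fixed in the template and only take `commit` from the body.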
 ---
 apiVersion: triggers.tekton.dev/v1beta1
 kind: TriggerTemplate
@@ -53,8 +57,12 @@ spec:
   params:
     - name: repo-url
       description: git repo to clone
-    - name: image
-      description: published image
+    - name: owner
+      description: github owner of repo
+    - name: image-name
+      description: github repo name
+    - name: commit
+      description: git commit id
   resourcetemplates:
     - apiVersion: tekton.dev/v1beta1
       kind: PipelineRun
@@ -81,3 +89,4 @@ spec:
             value: $(tt.params.repo-url)
           - name: image
             value: $(tt.params.image)
+            value: ghcr.io/$(tt.params.owner)/$(tt.params.image-name):$(tt.params.commit)
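Review bot: The `image` param in the PipelineRun now carries two `value:` keys in one mapping, the existing `value: $(tt.params.image)` and the added `value: ghcr.io/$(tt.params.owner)/$(tt.params.image-name):$(tt.params.commit)`; duplicate keys are invalid YAML and, depending on the decoder, are either rejected outright or resolved last-wins, and the first one references a TriggerTemplate param `image` that this commit removes from `spec.params`. Delete the `value: $(tt.params.image)` line so the param has the single new value. The enclosing PipelineRun resourcetemplate begins above this hunk.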
index 9602d49f5d72b2b91cb8dfad6b2022f9c0e3b546..b1a1c530e103888f7d8f4f99ddd20f20b71e9045 100644 (file)
@@ -1,3 +1,7 @@
 serviceAccount:
   pipeline: letters-pipeline
   listener: cluster-listener
+ingress:
+  host: trigger.vexingworkshop.com
+  service: el-cluster-listener
+  tlsSecretName: vexing-tls
diff --git a/cosign.pub b/cosign.pub
new file mode 100644 (file)
index 0000000..5424c8f
--- /dev/null
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdovq4EPpKQ/UcwTH/84wWS4bRtjX
+v2HWN8YGCBV5z5Q/wIPxXO4Jd6ZChD72cq3X6YlYjhERgCaPDQAT4O5ogw==
+-----END PUBLIC KEY-----
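Review bot: Committing the cosign public key is fine, but the `.gitignore` hunk in this same commit removes the whole `cosign.*` pattern rather than narrowing it, so the private half of the pair (by default `cosign.key` from `cosign generate-key-pair`) is no longer ignored and a careless `git add .` would publish it. Replace the removed pattern with `cosign.key` so only the private key stays ignored while `cosign.pub` is tracked. Nothing in this diff shows where `cosign.pub` is consumed (a verify step in the pipeline or an admission policy), so a one-line note in the README naming the verifying consumer and who rotates the key would make the trust chain reviewable.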