From 74373acc4b1eeae083bef1927fdb5e23edb4a5ba Mon Sep 17 00:00:00 2001 From: "Adam A.G. Shamblin" Date: Sat, 13 Nov 2021 20:23:00 -0700 Subject: [PATCH] Better templating, better rbac --- .gitignore | 1 - charts/pipeline/templates/ingress.yaml | 8 ++--- charts/pipeline/templates/rbac.yaml | 42 +++++++++++++++++++++----- charts/pipeline/templates/trigger.yaml | 17 ++++++++--- charts/pipeline/values.yaml | 4 +++ cosign.pub | 4 +++ 6 files changed, 59 insertions(+), 17 deletions(-) create mode 100644 cosign.pub diff --git a/.gitignore b/.gitignore index 1146861..e6e3288 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ -cosign.* __pycache__ output *.bak diff --git a/charts/pipeline/templates/ingress.yaml b/charts/pipeline/templates/ingress.yaml index 95d25e7..2a1b5ce 100644 --- a/charts/pipeline/templates/ingress.yaml +++ b/charts/pipeline/templates/ingress.yaml @@ -8,17 +8,17 @@ metadata: cert-manager.io/cluster-issuer: "acme-prod" spec: rules: - - host: trigger.vexingworkshop.com + - host: {{ .Values.ingress.host }} http: paths: - backend: service: - name: el-cluster-listener + name: {{ .Values.ingress.service }} port: number: 8080 path: / pathType: ImplementationSpecific tls: - hosts: - - trigger.vexingworkshop.com - secretName: vexing-tls + - {{ .Values.ingress.host }} + secretName: {{ .Values.ingress.tlsSecretName }} diff --git a/charts/pipeline/templates/rbac.yaml b/charts/pipeline/templates/rbac.yaml index 34e9ea9..39ec8d8 100644 --- a/charts/pipeline/templates/rbac.yaml +++ b/charts/pipeline/templates/rbac.yaml @@ -1,6 +1,6 @@ --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: event-listener-role rules: @@ -14,7 +14,6 @@ rules: - apiGroups: - triggers.tekton.dev resources: - - clusterinterceptors - eventlisteners - pipelineruns - triggers @@ -35,7 +34,7 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: name: event-listener-rolebinding subjects: 
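Review bot: The templated scalars in the ingress.yaml hunk (`- host: {{ .Values.ingress.host }}`, `name: {{ .Values.ingress.service }}`, the tls `hosts` entry and `secretName: {{ .Values.ingress.tlsSecretName }}`) are emitted unquoted, so an unset value renders as an empty field (an Ingress rule with no `host` matches every hostname) and a value containing YAML-significant characters changes the document's structure instead of failing. Wrap them with `required` and `quote`, e.g. `- host: {{ required "ingress.host is required" .Values.ingress.host | quote }}` and `secretName: {{ required "ingress.tlsSecretName is required" .Values.ingress.tlsSecretName | quote }}`, so a missing value aborts rendering rather than producing a permissive or invalid object. The Ingress object and its `rules:` key begin before this hunk.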
@@ -43,12 +42,39 @@ subjects: name: {{ .Values.serviceAccount.listener }} namespace: {{ .Release.Namespace }} roleRef: - kind: ClusterRole + kind: Role name: event-listener-role apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole +metadata: + name: interceptor-role +rules: + - apiGroups: + - triggers.tekton.dev + resources: + - clusterinterceptors + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: interceptor-rolebinding +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.listener }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: interceptor-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: pipeline-role rules: @@ -62,14 +88,14 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: name: pipeline-rolebinding subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccount.listener }} + name: {{ .Values.serviceAccount.pipeline }} namespace: {{ .Release.Namespace }} roleRef: - kind: Role + kind: ClusterRole name: pipeline-role apiGroup: rbac.authorization.k8s.io diff --git a/charts/pipeline/templates/trigger.yaml b/charts/pipeline/templates/trigger.yaml index 78403c9..fbf7f6c 100644 --- a/charts/pipeline/templates/trigger.yaml +++ b/charts/pipeline/templates/trigger.yaml @@ -42,8 +42,12 @@ spec: params: - name: repo-url value: $(body.repository.url) - - name: image - value: ghcr.io/coyote240/letters:$(body.head_commit.id) + - name: owner + value: $(body.repository.owner.name) + - name: image-name + value: $(body.repository.name) + - name: commit + value: $(body.head_commit.id) --- apiVersion: triggers.tekton.dev/v1beta1 kind: TriggerTemplate 
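Review bot: The cluster-scoped objects this hunk introduces — ClusterRole `interceptor-role`, ClusterRoleBinding `interceptor-rolebinding`, and `pipeline-role` now declared `kind: ClusterRole` (bound by the ClusterRoleBinding in hunk `@@ -62,14 +88,14 @@`) — use fixed names, so a second release of this chart in another namespace collides with the first (Helm refuses to adopt resources owned by another release). Prefix them with the release name, e.g. `name: {{ .Release.Name }}-interceptor-role`, in both `metadata.name` and the matching `roleRef.name`. Separately, promoting `pipeline-role` to a ClusterRole and binding it cluster-wide grants the `serviceAccount.pipeline` subject its `create` verb in every namespace, the opposite of what this same commit does for the event listener; only `clusterinterceptors` is cluster-scoped and that is already covered by `interceptor-role`, so unless the pipeline genuinely needs cross-namespace access, the Role/RoleBinding pair being replaced was the narrower grant. The `rules` of `pipeline-role` continue past the end of this hunk, so the full verb list is not visible here.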
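Review bot: The new TriggerBinding params in the trigger.yaml hunk `@@ -42,8 +42,12 @@` (`owner`, `image-name`, `commit`) are taken verbatim from the webhook body, and the TriggerTemplate change later in this patch concatenates them into the push target `ghcr.io/$(tt.params.owner)/$(tt.params.image-name):$(tt.params.commit)`, where the registry path was previously fixed to one repository. Anything that can post to the EventListener therefore selects which repository the pipeline builds and which image name it publishes under, so this trigger should be gated by a GitHub interceptor with `secretRef` validation plus a check (a CEL interceptor or a values-driven allow-list) that `body.repository.owner.name` is an owner the pipeline is permitted to publish for. The `interceptors:` list for this trigger, if present, is outside the hunk, so this may already be handled; if so, a comment on the binding noting that these values are trusted only after interceptor validation would help the next reader. The enclosing TriggerBinding begins before the hunk.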
@@ -53,8 +57,12 @@ spec: params: - name: repo-url description: git repo to clone - - name: image - description: published image + - name: owner + description: github owner of repo + - name: image-name + description: github repo name + - name: commit + description: git commit id resourcetemplates: - apiVersion: tekton.dev/v1beta1 kind: PipelineRun @@ -81,3 +89,4 @@ spec: value: $(tt.params.repo-url) - name: image value: $(tt.params.image) + value: ghcr.io/$(tt.params.owner)/$(tt.params.image-name):$(tt.params.commit) diff --git a/charts/pipeline/values.yaml b/charts/pipeline/values.yaml index 9602d49..b1a1c53 100644 --- a/charts/pipeline/values.yaml +++ b/charts/pipeline/values.yaml @@ -1,3 +1,7 @@ serviceAccount: pipeline: letters-pipeline listener: cluster-listener +ingress: + host: trigger.vexingworkshop.com + service: el-cluster-listener + tlsSecretName: vexing-tls diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 0000000..5424c8f --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdovq4EPpKQ/UcwTH/84wWS4bRtjX +v2HWN8YGCBV5z5Q/wIPxXO4Jd6ZChD72cq3X6YlYjhERgCaPDQAT4O5ogw== +-----END PUBLIC KEY----- -- 2.39.5
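Review bot: The `image` param in hunk `@@ -81,3 +89,4 @@` now carries two `value` keys: the old `value: $(tt.params.image)` line was kept and the new `value: ghcr.io/$(tt.params.owner)/$(tt.params.image-name):$(tt.params.commit)` was appended under it. Duplicate mapping keys are invalid YAML — most loaders silently keep the last one, some reject the document — and `$(tt.params.image)` no longer resolves anyway, because the `image` param was removed from the TriggerTemplate's `params` in hunk `@@ -53,8 +57,12 @@`. The old line should have been replaced, leaving `- name: image` followed by the single `value: ghcr.io/...` line. The PipelineRun's `params` list begins before this hunk.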
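Review bot: Committing `cosign.pub` is fine on its own, but the same patch removes the `cosign.*` pattern from `.gitignore` (hunk `@@ -1,4 +1,3 @@`) instead of narrowing it, so the private half of the key pair that `cosign generate-key-pair` writes beside this file is no longer ignored and a careless `git add .` would publish the signing key. Replace the removed pattern with an entry for the private key, `cosign.key`, and confirm it is not already staged. A short comment above it such as `# cosign signing key — never commit` would document the intent for the next contributor.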