add viewer role for appstudio (#1011)

* Add viewer role

Signed-off-by: Francesco Ilario <filario@redhat.com>

* fix viewer role permissions

Signed-off-by: Francesco Ilario <filario@redhat.com>

* add viewer role to nstemplatetier_generator_test

Signed-off-by: Francesco Ilario <filario@redhat.com>

* remove not needed test template

Signed-off-by: Francesco Ilario <filario@redhat.com>

---------

Signed-off-by: Francesco Ilario <filario@redhat.com>
Co-authored-by: Francisc Munteanu <fmuntean@redhat.com>
Co-authored-by: Matous Jobanek <mjobanek@redhat.com>

deploy/templates/nstemplatetiers/appstudio-env/spacerole_viewer.yaml

@@ -0,0 +1,6 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: appstudio-env-spacerole-viewer
+objects: []
+# The user doesn't have any permissions in the namespace

deploy/templates/nstemplatetiers/appstudio-env/tier.yaml

@@ -20,6 +20,8 @@ objects:
         templateRef: ${MAINTAINER_TEMPL_REF}
       contributor:
         templateRef: ${CONTRIBUTOR_TEMPL_REF}
+      viewer:
+        templateRef: ${VIEWER_TEMPL_REF}
     spaceRequestConfig:
       serviceAccountName: namespace-manager
 parameters:
@@ -29,3 +31,4 @@ parameters:
 - name: ADMIN_TEMPL_REF
 - name: MAINTAINER_TEMPL_REF
 - name: CONTRIBUTOR_TEMPL_REF
+- name: VIEWER_TEMPL_REF

deploy/templates/nstemplatetiers/appstudio/spacerole_viewer.yaml

@@ -0,0 +1,191 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: appstudio-spacerole-viewer # name is used in e2e tests
+objects:
+
+# RoleBinding that grants limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA
+# Role(s) and RoleBinding(s) that grant limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    namespace: ${NAMESPACE}
+    name: appstudio-viewer-user-actions
+  rules:
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - applications
+    - components
+    - componentdetectionqueries
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - promotionruns
+    - snapshotenvironmentbindings
+    - snapshots
+    - environments
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - deploymenttargets
+    - deploymenttargetclaims
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - managed-gitops.redhat.com
+    resources:
+    - gitopsdeployments
+    - gitopsdeploymentmanagedenvironments
+    - gitopsdeploymentrepositorycredentials
+    - gitopsdeploymentsyncruns
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - tekton.dev
+    resources:
+    - pipelineruns
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - results.tekton.dev
+    resources:
+    - results
+    - records
+    - logs
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - integrationtestscenarios
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - enterprisecontractpolicies
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - releases
+    - releasestrategies
+    - releaseplans
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - releaseplanadmissions
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - jvmbuildservice.io
+    resources:
+    - jbsconfigs
+    - artifactbuilds
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - spiaccesstokenbindings
+    - spiaccesschecks
+    - spiaccesstokens
+    - spifilecontentrequests
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - remotesecrets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ''
+    resources:
+    - configmaps
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - buildpipelineselectors
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - projctl.konflux.dev
+    resources:
+    - projects
+    - projectdevelopmentstreams
+    - projectdevelopmentstreamtemplates
+    verbs:
+    - get
+    - list
+    - watch
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    namespace: ${NAMESPACE}
+    name: appstudio-viewer-${USERNAME}-actions-user
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: appstudio-viewer-user-actions
+  subjects:
+  - kind: User
+    name: ${USERNAME}
+# Role & RoleBinding that grants view permissions to the user's SA
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    namespace: ${NAMESPACE}
+    name: appstudio-${USERNAME}-view-user
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: view
+  subjects:
+  - kind: User
+    name: ${USERNAME}
+
+parameters:
+- name: NAMESPACE
+  required: true
+- name: USERNAME
+  required: true

deploy/templates/nstemplatetiers/appstudio/tier.yaml

@@ -20,10 +20,13 @@ objects:
         templateRef: ${MAINTAINER_TEMPL_REF}
       contributor:
         templateRef: ${CONTRIBUTOR_TEMPL_REF}
+      viewer:
+        templateRef: ${VIEWER_TEMPL_REF}
 parameters:
 - name: NAMESPACE
 - name: CLUSTER_TEMPL_REF
 - name: TENANT_TEMPL_REF
 - name: ADMIN_TEMPL_REF
 - name: MAINTAINER_TEMPL_REF
 - name: CONTRIBUTOR_TEMPL_REF
+- name: VIEWER_TEMPL_REF

pkg/templates/nstemplatetiers/nstemplatetier_generator_test.go

@@ -54,7 +54,7 @@ func nsTypes(tier string) []string {
 func roles(tier string) []string {
 	switch tier {
 	case "appstudio", "appstudio-env", "appstudiolarge":
-		return []string{"admin", "maintainer", "contributor"}
+		return []string{"admin", "maintainer", "contributor", "viewer"}
 	default:
 		return []string{"admin"}
 	}