add viewer role for appstudio (#1011)
* Add viewer role Signed-off-by: Francesco Ilario <filario@redhat.com> * fix viewer role permissions Signed-off-by: Francesco Ilario <filario@redhat.com> * add viewer role to nstemplatetier_generator_test Signed-off-by: Francesco Ilario <filario@redhat.com> * remove not needed test template Signed-off-by: Francesco Ilario <filario@redhat.com> --------- Signed-off-by: Francesco Ilario <filario@redhat.com> Co-authored-by: Francisc Munteanu <fmuntean@redhat.com> Co-authored-by: Matous Jobanek <mjobanek@redhat.com>
1 parent
dbf0c82
commit 662ad5d
Showing
5 changed files
with
204 additions
and
1 deletion.
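--- a/deploy/templates/nstemplatetiers/appstudio-env/spacerole_viewer.yaml
+++ b/deploy/templates/nstemplatetiers/appstudio-env/spacerole_viewer.yaml
@@ -0,0 +1,6 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+name: appstudio-env-spacerole-viewer
+objects: []
+# The user doesn't have any permissions in the namespace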
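--- a/deploy/templates/nstemplatetiers/appstudio/spacerole_viewer.yaml
+++ b/deploy/templates/nstemplatetiers/appstudio/spacerole_viewer.yaml
@@ -0,0 +1,191 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+name: appstudio-spacerole-viewer # name is used in e2e tests
+objects:
+
+# RoleBinding that grants limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA
+# Role(s) and RoleBinding(s) that grant limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+namespace: ${NAMESPACE}
+name: appstudio-viewer-user-actions
+rules:
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- applications
+- components
+- componentdetectionqueries
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- promotionruns
+- snapshotenvironmentbindings
+- snapshots
+- environments
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- deploymenttargets
+- deploymenttargetclaims
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- managed-gitops.redhat.com
+resources:
+- gitopsdeployments
+- gitopsdeploymentmanagedenvironments
+- gitopsdeploymentrepositorycredentials
+- gitopsdeploymentsyncruns
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- tekton.dev
+resources:
+- pipelineruns
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- results.tekton.dev
+resources:
+- results
+- records
+- logs
+verbs:
+- get
+- list
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- integrationtestscenarios
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- enterprisecontractpolicies
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- releases
+- releasestrategies
+- releaseplans
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- releaseplanadmissions
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- jvmbuildservice.io
+resources:
+- jbsconfigs
+- artifactbuilds
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- spiaccesstokenbindings
+- spiaccesschecks
+- spiaccesstokens
+- spifilecontentrequests
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- remotesecrets
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ''
+resources:
+- configmaps
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- appstudio.redhat.com
+resources:
+- buildpipelineselectors
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- projctl.konflux.dev
+resources:
+- projects
+- projectdevelopmentstreams
+- projectdevelopmentstreamtemplates
+verbs:
+- get
+- list
+- watch
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+namespace: ${NAMESPACE}
+name: appstudio-viewer-${USERNAME}-actions-user
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: appstudio-viewer-user-actions
+subjects:
+- kind: User
+name: ${USERNAME}
+# Role & RoleBinding that grants view permissions to the user's SA
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+namespace: ${NAMESPACE}
+name: appstudio-${USERNAME}-view-user
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: view
+subjects:
+- kind: User
+name: ${USERNAME}
+
+parameters:
+- name: NAMESPACE
+required: true
+- name: USERNAME
+required: true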
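Review bot: The two header comments above the `appstudio-viewer-user-actions` Role describe "limited CRUD permissions ... & secrets" for "the user's SA", but every rule in that Role grants only `get`/`list`/`watch` (`results.tekton.dev` only `get`/`list`), no rule names `secrets`, and both bindings use `kind: User`; the text looks carried over from a write-capable role and would mislead an access review. I would replace both lines with `# Role and RoleBinding that grant read-only (get/list/watch) access to AppStudio CRDs to the user`, and change the later comment to `# RoleBinding that grants the built-in view ClusterRole to the user`, since only a RoleBinding follows it. Separately, this viewer can read `spiaccesstokens`, `remotesecrets` and `gitopsdeploymentrepositorycredentials`; the built-in `view` ClusterRole deliberately leaves out Secrets, so it is worth confirming that these custom resources carry only references and no token material in their spec or status. The `configmaps` rule also appears redundant with the `view` binding in the same template.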