Fix example SA permissions

The service account used for examples had permissions for all namespaced
Triggers resources but not `clustertriggerbindings`. With the switch to using
listers instead of making direct API calls this means that the EL will keep
printing out error log messages about not being able to fetch
clustertriggerbindings. To fix this, I added updated the SA with the right
ClusterRole and Binding.

In addition, some of the examples were using their own roles/SAs/bindings.
Instead of updating those, I created a single `rbac.yaml` file and added
symlinks to it from the examples.

Fixes #846

Signed-off-by: Dibyo Mukherjee <dibyo@google.com>

docs/eventlisteners.md

@@ -80,38 +80,11 @@ the following fields:
 ### ServiceAccountName
 
 The `serviceAccountName` field is required. The ServiceAccount that the
-EventListener sink uses to create the Tekton resources. The ServiceAccount needs
-a role with the following rules:
+EventListener sink uses to create the Tekton resources. 
+The ServiceAccount needs a Role that with "get", "list", and "watch" verbs for each Triggers resource as well as  a ClusterRole with read access to ClusterTriggerBindings. In addition, it needs to have "create"
+permissions on the Pipeline resources it needs to create. See a working example at [../examples/rbac.yaml](../examples/rbac.yaml).
 
-<!-- FILE: examples/role-resources/triggerbinding-roles/role.yaml -->
-```YAML
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: tekton-triggers-example-minimal
-rules:
-# Permissions for every EventListener deployment to function
-- apiGroups: ["triggers.tekton.dev"]
-  resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  # secrets are only needed for GitHub/GitLab interceptors
-  resources: ["configmaps", "secrets"]
-  verbs: ["get", "list", "watch"]
-# Permissions to create resources in associated TriggerTemplates
-- apiGroups: ["tekton.dev"]
-  resources: ["pipelineruns", "pipelineresources", "taskruns"]
-  verbs: ["create"]
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["impersonate"]
-```
-
-
-If your EventListener is using
-[`ClusterTriggerBindings`](./clustertriggerbindings.md), you'll need a
-ServiceAccount with a
-[ClusterRole instead](../examples/role-resources/clustertriggerbinding-roles/clusterrole.yaml).
+If your EventListener is using `namespaceSelectors`, the ServiceAccount will require a Cluster role to have read permissions for all Triggers resources across the cluster.
 
 ### Triggers
 

examples/bitbucket/rbac.yaml

@@ -0,0 +1 @@
+../rbac.yaml

examples/cron/eventlistener.yaml

@@ -3,7 +3,7 @@ kind: EventListener
 metadata:
   name: cron-listener
 spec:
-  serviceAccountName: tekton-triggers-cron-sa
+  serviceAccountName: tekton-triggers-example-sa
   triggers:
     - name: cron-trig
       bindings:

examples/cron/rbac.yaml

@@ -0,0 +1 @@
+../rbac.yaml

examples/eventlistener-tls-connection/rbac.yaml

@@ -0,0 +1 @@
+../rbac.yaml

examples/github/github-eventlistener-interceptor.yaml

@@ -24,7 +24,7 @@ spec:
       spec:
         template:
           spec:
-            serviceAccountName: tekton-triggers-github-sa
+            serviceAccountName: tekton-triggers-example-sa
             containers:
               - resources:
                   requests:

examples/github/rbac.yaml

@@ -0,0 +1 @@
+../rbac.yaml

examples/gitlab/gitlab-push-listener.yaml

@@ -3,7 +3,7 @@ kind: EventListener
 metadata:
   name: gitlab-listener
 spec:
-  serviceAccountName: tekton-triggers-gitlab-sa
+  serviceAccountName: tekton-triggers-example-sa
   triggers:
     - name: gitlab-push-events-trigger
       interceptors:

examples/gitlab/rbac.yaml

@@ -0,0 +1 @@
+../rbac.yaml