results metrics exposed over https using kube-rbac-proxy

Satyam Bhardwaj · gabemontero · commit 0f4c69931b63 · 2023-07-31T13:51:09.000-04:00
Signed-off-by: Satyam Bhardwaj &lt;sabhardw@redhat.com&gt;
diff --git a/developer/config.yaml b/developer/config.yaml
@@ -6,10 +6,10 @@
 cluster_type: openshift
 
 # git_url refers to a git repo to be considered as the source of truth for Argo CD applications.
-git_url: https://github.com/ramessesii2/pipeline-service.git
+git_url: https://github.com/openshift-pipelines/pipeline-service.git
 
 # git_ref refers to the git repo's ref to be considered as the source of truth for Argo CD applications.
-git_ref: RAMESSESII2/results-kube-rbac-proxy-test
+git_ref: main
 
 # Applications to be deployed on the cluster
 apps:
diff --git a/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml b/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml
@@ -12,8 +12,8 @@ spec:
     server: https://kubernetes.default.svc
   source:
     path: developer/openshift/gitops/argocd/pipeline-service-o11y
-    repoURL: https://github.com/ramessesii2/pipeline-service.git
-    targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
+    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
+    targetRevision: main
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the
diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage.yaml
@@ -12,8 +12,8 @@ spec:
     server: https://kubernetes.default.svc
   source:
     path: developer/openshift/gitops/argocd/pipeline-service-storage
-    repoURL: https://github.com/ramessesii2/pipeline-service.git
-    targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
+    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
+    targetRevision: main
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the
diff --git a/developer/openshift/gitops/argocd/pipeline-service.yaml b/developer/openshift/gitops/argocd/pipeline-service.yaml
@@ -12,8 +12,8 @@ spec:
     server: https://kubernetes.default.svc
   source:
     path: developer/openshift/gitops/argocd/pipeline-service
-    repoURL: https://github.com/ramessesii2/pipeline-service.git
-    targetRevision: RAMESSESII2/results-kube-rbac-proxy-test
+    repoURL: https://github.com/openshift-pipelines/pipeline-service.git
+    targetRevision: main
   project: default
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/api-kube-rbac-proxy.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/api-kube-rbac-proxy.yaml
@@ -14,7 +14,7 @@ spec:
             - "--secure-listen-address=0.0.0.0:9443"
             - "--upstream=http://127.0.0.1:9090/"
             - "--logtostderr=true"
-            - "--v=10"
+            - "--v=6"
           securityContext:
             allowPrivilegeEscalation: false
             seccompProfile:
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
   - api-route.yaml
   - watcher-logging-rbac.yaml
   - service-monitor.yaml
+  - watcher-rbac.yaml
 
 images:
   - name: ko://github.com/tektoncd/results/cmd/api
@@ -43,7 +44,6 @@ patches:
   - path: watcher-service-sync.yaml
   - path: api-kube-rbac-proxy.yaml
   - path: watcher-kube-rbac-proxy.yaml
-  - path: watcher-cr-patch.yaml
   - path: watcher-service-patch.yaml
     target:
       version: v1
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-cr-patch.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-cr-patch.yaml
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-kube-rbac-proxy.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-kube-rbac-proxy.yaml
@@ -14,7 +14,7 @@ spec:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:9090/"
             - "--logtostderr=true"
-            - "--v=10"
+            - "--v=6"
           securityContext:
             allowPrivilegeEscalation: false
             seccompProfile:
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/watcher-rbac.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/watcher-rbac.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tekton-results-watcher-rbac
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+rules:
+  # Watcher needs to be able to verify incoming auth tokens.
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  # Watcher needs to be able to use RBAC to verify user authorization.
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tekton-results-watcher-rbac
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+subjects:
+  - kind: ServiceAccount
+    name: watcher
+    namespace: tekton-pipelines
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tekton-results-watcher-rbac
