adjust chains installation now that openshift-pipelines operator is installing chaings

Author: gabemontero

developer/openshift/reset.sh

@@ -244,13 +244,6 @@ uninstall_operators_and_controllers(){
       kubectl delete ns "$pac_ns"
     fi
 
-    printf "\n  Uninstalling tekton-chains:\n"
-    kubectl delete -k "$GITOPS_DIR/tekton-chains" --ignore-not-found=true
-    tkn_chains_ns=$(kubectl get ns | grep -ie "tekton-chains" | cut -d " " -f 1)
-    if [[ -n "$pac_ns" ]]; then
-      kubectl delete ns "$tkn_chains_ns"
-    fi
-
     printf "\n  Uninstalling tekton-results:\n"
     kubectl delete -k "$GITOPS_DIR/tekton-results/base" --ignore-not-found=true
     tkn_results_ns=$(kubectl get ns | grep -ie "tekton-results" | cut -d " " -f 1)
@@ -266,7 +259,7 @@ uninstall_operators_and_controllers(){
     fi
 
     # Checks if the Tekton controllers are uninstalled successfully
-    mapfile -t controllers < <(kubectl get ns | grep -iE "tekton-results|tekton-chains|pipelines-as-code" | cut -d " " -f 1)
+    mapfile -t controllers < <(kubectl get ns | grep -iE "tekton-results" | cut -d " " -f 1)
     if (( ${#controllers[@]} >= 1 )); then
         printf "\n[ERROR] Couldn't remove Tekton controllers, please try removing them manually." >&2
         exit 1

operator/gitops/argocd/pipeline-service/tekton-chains/chains-config.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: chains-config
-  namespace: tekton-chains
+  namespace: openshift-pipelines
 
 data:
   # See https://tekton.dev/docs/chains/config/

operator/gitops/argocd/pipeline-service/tekton-chains/chains-controller-deployment.yaml

@@ -3,13 +3,13 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: chains-secrets-admin
-  namespace: tekton-chains
+  namespace: openshift-pipelines
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: chains-secret-admin
-  namespace: tekton-chains
+  namespace: openshift-pipelines
 rules:
   - apiGroups:
       - ""
@@ -39,15 +39,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: chains-secret-admin
-  namespace: tekton-chains
+  namespace: openshift-pipelines
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: chains-secret-admin
 subjects:
   - kind: ServiceAccount
     name: chains-secrets-admin
-    namespace: tekton-chains
+    namespace: openshift-pipelines
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -61,13 +61,13 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: chains-secrets-admin
-    namespace: tekton-chains
+    namespace: openshift-pipelines
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: tekton-chains-signing-secret
-  namespace: tekton-chains
+  namespace: openshift-pipelines
   annotations:
     argocd.argoproj.io/sync-wave: "1"
 spec:

operator/gitops/argocd/pipeline-service/tekton-chains/chains-secrets-config.yaml

@@ -9,38 +9,21 @@ resources:
   # To list available releases:
   #  curl -s https://storage.googleapis.com/tekton-releases/ | xq | grep -E 'chains/.*/release.yaml'
   #
-  - https://storage.googleapis.com/tekton-releases/chains/previous/v0.14.0/release.yaml
   - chains-secrets-config.yaml
   - public-key.yaml
 
-images:
-  - name: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.14.0
-    newName: registry.redhat.io/openshift-pipelines/pipelines-chains-controller-rhel8
-    newTag: v1.11.0-22
-
 patches:
-  # allow openshift-gitops to manage tekton-chains
-  - target:
-      kind: Namespace
-      name: tekton-chains
-    patch: |-
-      - op: add
-        path: "/metadata/labels"
-        value:
-          argocd.argoproj.io/managed-by: openshift-gitops
-  # Add some chains configuration
+ # Add some chains configuration
   - path: chains-config.yaml
   #
-  # Mount the chains cert volume and apply operator security standards
-  - path: chains-controller-deployment.yaml
   - target:
       kind: Secret
       name: signing-secrets
-      namespace: tekton-chains
+      namespace: openshift-pipelines
     patch: |-
       apiVersion: v1
       kind: Secret
       metadata:
         name: signing-secrets
-        namespace: tekton-chains
+        namespace: openshift-pipelines
       $patch: delete

operator/gitops/argocd/pipeline-service/tekton-chains/kustomization.yaml

@@ -19,7 +19,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: tekton-chains-public-key-viewer
-  namespace: tekton-chains
+  namespace: openshift-pipelines
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

operator/gitops/argocd/pipeline-service/tekton-chains/public-key.yaml

@@ -157,8 +157,8 @@ tekton_chains_manifest(){
       --workdir /workspace \
       --entrypoint /usr/bin/cosign \
       "$cosign_image" generate-key-pair
-    kubectl create namespace tekton-chains --dry-run=client -o yaml > "$chains_namespace"
-    kubectl create secret generic -n tekton-chains signing-secrets --from-file="$chains_tmp_dir" --dry-run=client -o yaml | \
+    kubectl create namespace openshift-pipelines --dry-run=client -o yaml > "$chains_namespace"
+    kubectl create secret generic -n openshift-pipelines signing-secrets --from-file="$chains_tmp_dir" --dry-run=client -o yaml | \
             yq '. += {"immutable" :true}' | \
             yq "sort_keys(.)" > "$chains_secret"
     yq e -n '.resources += ["namespace.yaml", "signing-secrets.yaml"]' > "$chains_kustomize"

operator/images/access-setup/content/bin/setup_work_dir.sh

@@ -135,14 +135,12 @@ install_clusters() {
 
     #checking if the pipelines and triggers pods are up and running
     printf -- "- Checking deployment status\n"
-    tektonDeployments=("tekton-pipelines-controller" "tekton-triggers-controller" "tekton-triggers-core-interceptors")
+    tektonDeployments=("tekton-pipelines-controller" "tekton-triggers-controller" "tekton-triggers-core-interceptors" "tekton-chains-controller")
     check_deployments "openshift-pipelines" "${tektonDeployments[@]}" | indent 4
     resultsDeployments=("tekton-results-api" "tekton-results-watcher")
     check_deployments "tekton-results" "${resultsDeployments[@]}" | indent 4
     resultsStatefulsets=("postgres-postgresql" "storage-pool-0")
     check_statefulsets "tekton-results" "${resultsStatefulsets[@]}" | indent 4
-    chainsDeployments=("tekton-chains-controller")
-    check_deployments "tekton-chains" "${chainsDeployments[@]}" | indent 4
 
     printf -- "- Checking pods status for controlplane namespaces\n"
     # list of control plane namespaces
@@ -156,9 +154,9 @@ install_clusters() {
 install_shared_manifests() {
   CREDENTIALS_DIR="$WORKSPACE_DIR/credentials"
 
-  if [ "$(kubectl get secret -n tekton-chains signing-secrets --ignore-not-found -o json | jq -r ".immutable")" != "true" ]; then
-    kubectl apply -k "$CREDENTIALS_DIR/manifests/compute/tekton-chains"
-  fi
+#  if [ "$(kubectl get secret -n openshift-pipelines signing-secrets --ignore-not-found -o json | jq -r ".immutable")" != "true" ]; then
+#    kubectl apply -k "$CREDENTIALS_DIR/manifests/compute/tekton-chains"
+#  fi
   kubectl apply -k "$CREDENTIALS_DIR/manifests/compute/tekton-results"
 }
 

operator/images/cluster-setup/content/bin/install.sh

@@ -18,6 +18,6 @@ spec:
                 set -o nounset
                 set -o pipefail
                 set -x
-                PUBLIC_KEY=$(oc get secret public-key -n tekton-chains -o jsonpath='{.data.cosign\.pub}')
+                PUBLIC_KEY=$(oc get secret public-key -n openshift-pipelines -o jsonpath='{.data.cosign\.pub}')
                 echo "$PUBLIC_KEY" | base64 -d
   serviceAccountName: chains-test

operator/test/manifests/test/tekton-chains/public-key.yaml

@@ -247,10 +247,6 @@ test_security() {
   check_pod_security "tekton-results"
   echo "  - Check Pod Host Network tekton-results: "
   check_host_network "tekton-results"
-  echo "  - Check Pod Security tekton-chains: "
-  check_pod_security "tekton-chains"
-  echo "  - Check Pod Host Network tekton-chains: "
-  check_host_network "tekton-chains"
 
   if [[ "$securityErrorFound" == "yes" ]]; then
     echo " - Check security failed"