Disable pipeline SA

Roming22 · Roming22 · commit dfd5c9a94bb3 · 2023-05-17T11:16:22.000-04:00
The service account permissions are too open by default. Therefore
the account needs to be disabled. It has been replaced with an
account with more limited permissions.

Signed-off-by: Romain Arnaud &lt;rarnaud@redhat.com&gt;
diff --git a/operator/gitops/argocd/pipeline-service/openshift-pipelines/tekton-config.yaml b/operator/gitops/argocd/pipeline-service/openshift-pipelines/tekton-config.yaml
@@ -8,9 +8,9 @@ metadata:
     # the CRD will be applied and the resource can be created once the required dependencies are met.
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
-  # params:
-  #   - name: createRbacResource
-  #     value: "false"
+  params:
+    - name: createRbacResource
+      value: "false"
   platforms:
     openshift:
       pipelinesAsCode:
diff --git a/operator/gitops/argocd/pipeline-service/tekton-chains/chains-secrets-config.yaml b/operator/gitops/argocd/pipeline-service/tekton-chains/chains-secrets-config.yaml
@@ -161,3 +161,34 @@ spec:
       terminationGracePeriodSeconds: 30
       serviceAccount: chains-secrets-admin
       serviceAccountName: chains-secrets-admin
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tekton-chains-trusted-cabundle
+  namespace: tekton-chains
+  annotations:
+spec:
+  template:
+    spec:
+      containers:
+        - name: config-trusted-cabundle-generation
+          image: registry.redhat.io/openshift4/ose-cli:v4.12@sha256:9f0cdc00b1b1a3c17411e50653253b9f6bb5329ea4fb82ad983790a6dbf2d9ad
+          imagePullPolicy: Always
+          command:
+            - /bin/bash
+            - -c
+            - |
+              if oc get cm config-trusted-cabundle -n tekton-chains; then
+                echo "ConfigMap config-trusted-cabundle found"
+              else
+                echo "Create ConfigMap config-trusted-cabundle"
+                oc create configmap config-trusted-cabundle --namespace tekton-chains
+                oc label configmap config-trusted-cabundle config.openshift.io/inject-trusted-cabundle="true"
+              fi
+              echo "Done"
+      dnsPolicy: ClusterFirst
+      restartPolicy: OnFailure
+      terminationGracePeriodSeconds: 30
+      serviceAccount: chains-secrets-admin
+      serviceAccountName: chains-secrets-admin
diff --git a/operator/test/manifests/test/tekton-chains/public-key.yaml b/operator/test/manifests/test/tekton-chains/public-key.yaml
@@ -20,4 +20,4 @@ spec:
                 set -x
                 PUBLIC_KEY=$(oc get secret public-key -n tekton-chains -o jsonpath='{.data.cosign\.pub}')
                 echo "$PUBLIC_KEY" | base64 -d
-  serviceAccountName: pipeline
+  serviceAccountName: chains-test
diff --git a/operator/test/manifests/test/tekton-chains/simple-copy-pipeline.yaml b/operator/test/manifests/test/tekton-chains/simple-copy-pipeline.yaml
@@ -67,7 +67,6 @@ spec:
               fi
             securityContext:
               runAsNonRoot: true
-              runAsUser: 65532
       params:
         - name: IMAGE_SRC
           value: $(params.image-src)
