add rbac and fixup broken sample (#109)

dibbles · web-flow · commit a01e4ecbc59d · 2020-06-15T11:39:07.000+01:00
* add rbac and fixup broken sample
* remove type from triggertemplate
diff --git a/automerge-example/README.md b/automerge-example/README.md
@@ -12,7 +12,6 @@ This example is for more advanced users. Start with the [tekton-example](../tekt
 - [`tkn`](https://github.com/tektoncd/cli) if you're not using webhooks
 - [`docker`](https://docs.docker.com/get-docker/)
 
-*Note* The 'standalone' code was developed on Docker Desktop and does not yet include the Role-Based Access Control configuration necessary for it to run on OpenShift or other locked-down environments. The 'webhook' code was developed on OpenShift but used a ServiceAccount that had a generous Role attached to it. Full RBAC support should be added to this example under https://github.com/rhd-gitops-example/services/issues/77.
 
 ## Setup - both cases
 
@@ -58,7 +57,14 @@ kubectl apply -f standalone/resources
 kubectl apply -f standalone/templates
 ```
 
-Create or modify an existing ServiceAccount to use your `github-secret` (hint, you can use the provided `sa.yaml` file: this creates `my-sa` which will be used in the `tkn` command)
+If you did not follow the [tekton-example](../tekton-example/README.md), you will need to create or modify an existing ServiceAccount to use your `github-secret` (You can use the provided `sa.yaml` file - this creates `my-sa` which will be used in the `tkn` command).
+
+Once you have a service account, you will need to edit `rbac.yaml` and edit the entries `REPLACE_ME.YOUR_SA_NAME` and `REPLACE_ME.YOUR_NAMESPACE`.  Once this is done apply the yaml:
+
+```sh
+kubectl apply -f standalone/rbac.yaml
+```
+
 
 Finally start the Tekton pipeline referencing your ServiceAccount:
 
@@ -84,6 +90,7 @@ This secret is used in two related ways. We check the source repository out usin
 ```yaml
 ---
 apiVersion: v1
+type: kubernetes.io/basic-auth
 data:
   password: [base64-encoded token]
   username: [base64-encoded email address]
@@ -93,15 +100,15 @@ metadata:
     tekton.dev/git-0: https://github.ibm.com  # For example
   labels:
     serviceAccount: test-sa                   # As configured in the Webhooks Extension
-  name: github-repo-access-secret
+  name: github-secret
 
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: test-sa
 secrets:
-- name: github-repo-access-secret
+- name: github-secret
 ```
 
 ### Edit templates
@@ -111,7 +118,14 @@ Next edit the `webhooks/templates/*` files.
 - In automerge-task.yaml,
   - replace `YOUR_DOCKER_HUB_ID` with your DockerHub id.
   - replace `YOUR_GHE` with your GitHub Enterprise domain.
-- In automerge-tt.yaml, replace YOUR_TEKTON_SERVICE_ACCOUNT with the name of your ServiceAccount used by Tekton.
+- In automerge-tt.yaml,
+  - replace `YOUR_TEKTON_SERVICE_ACCOUNT` with the name of your ServiceAccount used by Tekton.
+- In automerge-tb.yaml,
+  - replace `YOUR-GIT-USER-NAME` with your GitHub user name
+  - replace `YOUR-GIT-EMAIL` with the associated email address
+- In rbac.yaml,
+  - replace `YOUR_TEKTON_SERVICE_ACCOUNT` as per earlier
+  - replace `YOUR_NAMESPACE` with the namespace of your serviceaccount
 
 ### Apply configuration
 
diff --git a/automerge-example/standalone/rbac.yaml b/automerge-example/standalone/rbac.yaml
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: demo-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: demo-role
+subjects:
+- kind: ServiceAccount
+  name: REPLACE_ME.YOUR_SA_NAME
+  namespace: REPLACE_ME.YOUR_NAMESPACE
+
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: demo-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
diff --git a/automerge-example/webhooks/resources/automerge-pipeline.yaml b/automerge-example/webhooks/resources/automerge-pipeline.yaml
@@ -6,14 +6,16 @@ spec:
   params:
   - name: github-secret
     type: string
-  - name: github-config
-    type: string
   - name: event-type
     type: string
   - name: branch-name
     type: string
   - name: pull-request-url
     type: string
+  - name: commit-name
+    type: string
+  - name: commit-email
+    type: string
   resources: 
   - name: source-repo
     type: git
@@ -28,11 +30,13 @@ spec:
     params:
     - name: github-secret
       value: $(params.github-secret)
-    - name: github-config
-      value: $(params.github-config)
     - name: event-type
       value: $(params.event-type)
     - name: branch-name
       value: $(params.branch-name)
     - name: pull-request-url
-      value: $(params.pull-request-url)
+      value: $(params.pull-request-url)
+    - name: commit-name
+      value: $(params.commit-name)
+    - name: commit-email
+      value: $(params.commit-email)
diff --git a/automerge-example/webhooks/templates/automerge-task.yaml b/automerge-example/webhooks/templates/automerge-task.yaml
@@ -4,7 +4,7 @@ metadata:
   name: automerge-task
 spec:
   params:
- - name: github-secret
+  - name: github-secret
     type: string
     description: Name of the secret containing an access token for Github. Expects Tekton format, 'username' and 'password' keys.
   - name: event-type
@@ -16,6 +16,11 @@ spec:
   - name: pull-request-url
     type: string
     description: The URL of the pull request, where applicable
+  - name: commit-name
+    type: string
+    description: GitHub name to author the commit with
+  - name: commit-email
+    type: string
   inputs:
     resources:
       - name: git-source
@@ -25,7 +30,7 @@ spec:
     image: YOUR_DOCKER_HUB_ID/hub-test
     script: |
       #!/bin/bash
-      kubectl apply -k git-source/env --dry-run=client
+      kubectl apply -k git-source/environments/dev/env --dry-run=client
   - name: merge-pr
     image: YOUR_DOCKER_HUB_ID/hub-test
     script: |
@@ -34,7 +39,7 @@ spec:
       if [ $(params.event-type) = "push" ]; then
         echo "git push on branch $(params.branch-name)"
         if [ $(params.branch-name) = "refs/heads/master" ]; then
-          echo "kubectl apply -k env"
+          echo "kubectl apply -k git-source/environments/dev/env"
         else
           echo "do nothing"
         fi
diff --git a/automerge-example/webhooks/templates/automerge-tb.yaml b/automerge-example/webhooks/templates/automerge-tb.yaml
@@ -3,7 +3,6 @@ apiVersion: triggers.tekton.dev/v1alpha1
 kind: TriggerBinding
 metadata:
   name: automerge-pipeline-pullrequest-binding
-  namespace: tekton-pipelines
 spec:
   params:
   - name: pullrequesturl
@@ -14,13 +13,16 @@ spec:
     value: $(header.X-GitHub-Event)
   - name: branch-name
     value: $(body.pull_request.head.ref)
+  - name: commit-name
+    value: YOUR-GIT-USER-NAME
+  - name: commit-email
+    value: YOUR-GIT-EMAIL
 ---
 
 apiVersion: triggers.tekton.dev/v1alpha1
 kind: TriggerBinding
 metadata:
   name: automerge-pipeline-push-binding
-  namespace: tekton-pipelines
 spec:
   params:
   - name: gitrepositoryurl
@@ -30,3 +32,4 @@ spec:
   - name: branch-name
     value: $(body.ref)
 
+
diff --git a/automerge-example/webhooks/templates/automerge-tt.yaml b/automerge-example/webhooks/templates/automerge-tt.yaml
@@ -2,31 +2,29 @@ apiVersion: triggers.tekton.dev/v1alpha1
 kind: TriggerTemplate
 metadata:
   name: automerge-pipeline-template
-  namespace: tekton-pipelines
 spec:
   params:
   - name: pullrequesturl
     description: The pull request url
-    type: string
     default: notApplicable
-  - name: github-configmap-name
-    description: Name of the configmap that stores the github username and password to be used in commits. 
-    type: string
-    default: promote-configmap
   - name: github-secretname
     description: The git secret name
     default: github-secret
-    type: string
   - name: github-secret-keyname
     description: The git secret key name
     default: accessToken
-    type: string
   - name: gitrepositoryurl
     description: The url of the Git repository
   - name: event-type
     description: push, pull_request
   - name: branch-name
     description: The branch name associated with push events
+  - name: commit-name
+    description: GitHub name to author the commit with
+    default: NA-for-push
+  - name: commit-email
+    description: GitHub email of author
+    default: NA-for-push
   resourcetemplates:
     - apiVersion: tekton.dev/v1alpha1
       kind: PipelineResource
@@ -49,8 +47,6 @@ spec:
         name: automerge-pipelinerun-$(uid)
       spec:
         params:
-        - name: github-config
-          value: $(params.github-configmap-name)
         - name: github-secret
           value: $(params.github-secretname)
         - name: branch-name
@@ -59,6 +55,10 @@ spec:
           value: $(params.event-type)
         - name: pull-request-url
           value: $(params.pullrequesturl)
+        - name: commit-name
+          value: $(params.commit-name)
+        - name: commit-email
+          value: $(params.commit-email)
         serviceAccountName: YOUR_TEKTON_SERVICE_ACCOUNT
         pipelineRef:
           name: automerge-pipeline
diff --git a/automerge-example/webhooks/templates/rbac.yaml b/automerge-example/webhooks/templates/rbac.yaml
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: demo-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: demo-role
+subjects:
+- kind: ServiceAccount
+  name: YOUR_TEKTON_SERVICE_ACCOUNT
+  namespace: YOUR_NAMESPACE
+
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: demo-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
