From 096ef735bf70974957115fd30985d2d5f5ae8b35 Mon Sep 17 00:00:00 2001 From: Yftach Herzog Date: Mon, 7 Oct 2024 15:12:06 +0300 Subject: [PATCH] chore(KFLUXVNGD-38): remove maintainers delete permissions Remove Project* delete permissions from maintainers, as maintainers should not have permissions to delete applications or components. 
Signed-off-by: Yftach Herzog --- .../production/appstudio/kustomization.yaml | 1 + .../appstudio/nstemplatetier-appstudio.yaml | 2 +- ...studio-maintainer-474752551-474752551.yaml | 202 ++++++++++++++++++ .../appstudiolarge/kustomization.yaml | 1 + .../nstemplatetier-appstudiolarge.yaml | 2 +- ...large-maintainer-3994678728-474752551.yaml | 202 ++++++++++++++++++ .../appstudioxlarge/kustomization.yaml | 1 + .../nstemplatetier-appstudioxlarge.yaml | 2 +- ...xlarge-maintainer-884010306-474752551.yaml | 202 ++++++++++++++++++ .../src/appstudio/spacerole_maintainer.yaml | 1 - .../staging/appstudio/kustomization.yaml | 1 + .../appstudio/nstemplatetier-appstudio.yaml | 2 +- ...studio-maintainer-474752551-474752551.yaml | 202 ++++++++++++++++++ .../staging/appstudiolarge/kustomization.yaml | 1 + .../nstemplatetier-appstudiolarge.yaml | 2 +- ...large-maintainer-3994678728-474752551.yaml | 202 ++++++++++++++++++ .../appstudioxlarge/kustomization.yaml | 1 + .../nstemplatetier-appstudioxlarge.yaml | 2 +- ...xlarge-maintainer-884010306-474752551.yaml | 202 ++++++++++++++++++ 19 files changed, 1224 insertions(+), 7 deletions(-) create mode 100644 components/sandbox/tiers/production/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml create mode 100644 components/sandbox/tiers/production/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml create mode 100644 components/sandbox/tiers/production/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml create mode 100644 components/sandbox/tiers/staging/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml create mode 100644 components/sandbox/tiers/staging/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml create mode 100644 components/sandbox/tiers/staging/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml 
diff --git a/components/sandbox/tiers/production/appstudio/kustomization.yaml b/components/sandbox/tiers/production/appstudio/kustomization.yaml index e64ee99be2f..e3bc4180fdd 100644 --- a/components/sandbox/tiers/production/appstudio/kustomization.yaml +++ b/components/sandbox/tiers/production/appstudio/kustomization.yaml @@ -15,6 +15,7 @@ resources: - tiertemplate-appstudio-contributor-829105171-829105171.yaml - tiertemplate-appstudio-maintainer-1904354742-1904354742.yaml - tiertemplate-appstudio-maintainer-293087644-293087644.yaml +- tiertemplate-appstudio-maintainer-474752551-474752551.yaml - tiertemplate-appstudio-tenant-199961605-199961605.yaml - tiertemplate-appstudio-tenant-2313893948-2313893948.yaml - tiertemplate-appstudio-tenant-3815075241-3815075241.yaml diff --git a/components/sandbox/tiers/production/appstudio/nstemplatetier-appstudio.yaml b/components/sandbox/tiers/production/appstudio/nstemplatetier-appstudio.yaml index ae9f3bad69c..e8732ff0243 100644 --- a/components/sandbox/tiers/production/appstudio/nstemplatetier-appstudio.yaml +++ b/components/sandbox/tiers/production/appstudio/nstemplatetier-appstudio.yaml @@ -18,7 +18,7 @@ spec: contributor: templateRef: appstudio-contributor-829105171-829105171 maintainer: - templateRef: appstudio-maintainer-1904354742-1904354742 + templateRef: appstudio-maintainer-474752551-474752551 viewer: templateRef: appstudio-viewer-4256863455-4256863455 status: {} diff --git a/components/sandbox/tiers/production/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml b/components/sandbox/tiers/production/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml new file mode 100644 index 00000000000..25e45398903 --- /dev/null +++ b/components/sandbox/tiers/production/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml 
@@ -0,0 +1,202 @@ +# ---------------------------------------------------------------- +# Generated by cli - DO NOT EDIT +# ---------------------------------------------------------------- + +apiVersion: toolchain.dev.openshift.com/v1alpha1 +kind: TierTemplate +metadata: + name: appstudio-maintainer-474752551-474752551 + namespace: toolchain-host-operator +spec: + revision: 474752551-474752551 + template: + apiVersion: template.openshift.io/v1 + kind: Template + metadata: {} + objects: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: appstudio-maintainer-user-actions + namespace: ${NAMESPACE} + rules: + - apiGroups: + - appstudio.redhat.com + resources: + - applications + - components + - imagerepositories + - componentdetectionqueries + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - integrationtestscenarios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - list + - 
watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch + - apiGroups: + - projctl.konflux.dev + resources: + - projects + - projectdevelopmentstreams + - projectdevelopmentstreamtemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-maintainer-${USERNAME}-actions-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appstudio-maintainer-user-actions + subjects: + - kind: User + name: ${USERNAME} + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-${USERNAME}-view-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view + subjects: + - kind: User + name: ${USERNAME} + parameters: + - name: NAMESPACE + required: true + - name: USERNAME + required: true + tierName: appstudio + type: maintainer diff --git a/components/sandbox/tiers/production/appstudiolarge/kustomization.yaml b/components/sandbox/tiers/production/appstudiolarge/kustomization.yaml index a7b662e80c9..368750b468a 100644 --- a/components/sandbox/tiers/production/appstudiolarge/kustomization.yaml +++ b/components/sandbox/tiers/production/appstudiolarge/kustomization.yaml 
@@ -22,6 +22,7 @@ resources: - tiertemplate-appstudiolarge-maintainer-1929014883-1904354742.yaml - tiertemplate-appstudiolarge-maintainer-1929014883-293087644.yaml - tiertemplate-appstudiolarge-maintainer-3994678728-1904354742.yaml +- tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml - tiertemplate-appstudiolarge-tenant-1884308846-199961605.yaml - tiertemplate-appstudiolarge-tenant-1884308846-2313893948.yaml - tiertemplate-appstudiolarge-tenant-1929014883-3815075241.yaml diff --git a/components/sandbox/tiers/production/appstudiolarge/nstemplatetier-appstudiolarge.yaml b/components/sandbox/tiers/production/appstudiolarge/nstemplatetier-appstudiolarge.yaml index 0df7db71746..0bb72be206c 100644 --- a/components/sandbox/tiers/production/appstudiolarge/nstemplatetier-appstudiolarge.yaml +++ b/components/sandbox/tiers/production/appstudiolarge/nstemplatetier-appstudiolarge.yaml @@ -18,7 +18,7 @@ spec: contributor: templateRef: appstudiolarge-contributor-3994678728-829105171 maintainer: - templateRef: appstudiolarge-maintainer-3994678728-1904354742 + templateRef: appstudiolarge-maintainer-3994678728-474752551 viewer: templateRef: appstudiolarge-viewer-3994678728-4256863455 status: {} diff --git a/components/sandbox/tiers/production/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml b/components/sandbox/tiers/production/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml new file mode 100644 index 00000000000..bf30f1b339f --- /dev/null +++ b/components/sandbox/tiers/production/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml 
@@ -0,0 +1,202 @@ +# ---------------------------------------------------------------- +# Generated by cli - DO NOT EDIT +# ---------------------------------------------------------------- + +apiVersion: toolchain.dev.openshift.com/v1alpha1 +kind: TierTemplate +metadata: + name: appstudiolarge-maintainer-3994678728-474752551 + namespace: toolchain-host-operator +spec: + revision: 3994678728-474752551 + template: + apiVersion: template.openshift.io/v1 + kind: Template + metadata: {} + objects: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: appstudio-maintainer-user-actions + namespace: ${NAMESPACE} + rules: + - apiGroups: + - appstudio.redhat.com + resources: + - applications + - components + - imagerepositories + - componentdetectionqueries + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - integrationtestscenarios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - 
list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch + - apiGroups: + - projctl.konflux.dev + resources: + - projects + - projectdevelopmentstreams + - projectdevelopmentstreamtemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-maintainer-${USERNAME}-actions-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appstudio-maintainer-user-actions + subjects: + - kind: User + name: ${USERNAME} + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-${USERNAME}-view-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view + subjects: + - kind: User + name: ${USERNAME} + parameters: + - name: NAMESPACE + required: true + - name: USERNAME + required: true + tierName: appstudiolarge + type: maintainer diff --git a/components/sandbox/tiers/production/appstudioxlarge/kustomization.yaml b/components/sandbox/tiers/production/appstudioxlarge/kustomization.yaml index 7e9fccb9287..1f15dd2768e 100644 --- a/components/sandbox/tiers/production/appstudioxlarge/kustomization.yaml +++ b/components/sandbox/tiers/production/appstudioxlarge/kustomization.yaml 
@@ -10,6 +10,7 @@ resources: - tiertemplate-appstudioxlarge-clusterresources-884010306-3180033938.yaml - tiertemplate-appstudioxlarge-contributor-884010306-829105171.yaml - tiertemplate-appstudioxlarge-maintainer-884010306-1904354742.yaml +- tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml - tiertemplate-appstudioxlarge-tenant-884010306-4121561789.yaml - tiertemplate-appstudioxlarge-tenant-884010306-649666048.yaml - tiertemplate-appstudioxlarge-viewer-884010306-4256863455.yaml diff --git a/components/sandbox/tiers/production/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml b/components/sandbox/tiers/production/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml index 173ed6afa8e..af353e8928e 100644 --- a/components/sandbox/tiers/production/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml +++ b/components/sandbox/tiers/production/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml @@ -18,7 +18,7 @@ spec: contributor: templateRef: appstudioxlarge-contributor-884010306-829105171 maintainer: - templateRef: appstudioxlarge-maintainer-884010306-1904354742 + templateRef: appstudioxlarge-maintainer-884010306-474752551 viewer: templateRef: appstudioxlarge-viewer-884010306-4256863455 status: {} diff --git a/components/sandbox/tiers/production/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml b/components/sandbox/tiers/production/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml new file mode 100644 index 00000000000..75e9e1f2b3c --- /dev/null +++ b/components/sandbox/tiers/production/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml 
@@ -0,0 +1,202 @@ +# ---------------------------------------------------------------- +# Generated by cli - DO NOT EDIT +# ---------------------------------------------------------------- + +apiVersion: toolchain.dev.openshift.com/v1alpha1 +kind: TierTemplate +metadata: + name: appstudioxlarge-maintainer-884010306-474752551 + namespace: toolchain-host-operator +spec: + revision: 884010306-474752551 + template: + apiVersion: template.openshift.io/v1 + kind: Template + metadata: {} + objects: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: appstudio-maintainer-user-actions + namespace: ${NAMESPACE} + rules: + - apiGroups: + - appstudio.redhat.com + resources: + - applications + - components + - imagerepositories + - componentdetectionqueries + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - integrationtestscenarios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - 
list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch + - apiGroups: + - projctl.konflux.dev + resources: + - projects + - projectdevelopmentstreams + - projectdevelopmentstreamtemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-maintainer-${USERNAME}-actions-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appstudio-maintainer-user-actions + subjects: + - kind: User + name: ${USERNAME} + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-${USERNAME}-view-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view + subjects: + - kind: User + name: ${USERNAME} + parameters: + - name: NAMESPACE + required: true + - name: USERNAME + required: true + tierName: appstudioxlarge + type: maintainer diff --git a/components/sandbox/tiers/src/appstudio/spacerole_maintainer.yaml b/components/sandbox/tiers/src/appstudio/spacerole_maintainer.yaml index 2f9f997da5e..bc879bb0d78 100644 --- a/components/sandbox/tiers/src/appstudio/spacerole_maintainer.yaml +++ b/components/sandbox/tiers/src/appstudio/spacerole_maintainer.yaml @@ -161,7 +161,6 @@ objects: - create - update - patch - - delete - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
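Review bot: The rule in `spacerole_maintainer.yaml` that loses `delete` carries no comment saying the omission is deliberate, so a later edit that aligns it with the release and integration-test rules (which still grant `delete` in the regenerated templates) could quietly restore the verb. The rule's `apiGroups` and `resources` start above this hunk; judging by the regenerated TierTemplates it appears to be the `projctl.konflux.dev` rule for `projects`, `projectdevelopmentstreams` and `projectdevelopmentstreamtemplates`. I would add a comment above its `verbs:` in the source template, for example `# no delete on purpose: maintainers must not remove applications or components via Project* objects (KFLUXVNGD-38)`. The commit message does not say how deleting a Project* object ends up removing applications or components; if that happens through ownership or cascading deletion, stating it in the comment would let the next reviewer check the remaining `create`/`update`/`patch` verbs against the same concern.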
diff --git a/components/sandbox/tiers/staging/appstudio/kustomization.yaml b/components/sandbox/tiers/staging/appstudio/kustomization.yaml index e64ee99be2f..e3bc4180fdd 100644 --- a/components/sandbox/tiers/staging/appstudio/kustomization.yaml +++ b/components/sandbox/tiers/staging/appstudio/kustomization.yaml @@ -15,6 +15,7 @@ resources: - tiertemplate-appstudio-contributor-829105171-829105171.yaml - tiertemplate-appstudio-maintainer-1904354742-1904354742.yaml - tiertemplate-appstudio-maintainer-293087644-293087644.yaml +- tiertemplate-appstudio-maintainer-474752551-474752551.yaml - tiertemplate-appstudio-tenant-199961605-199961605.yaml - tiertemplate-appstudio-tenant-2313893948-2313893948.yaml - tiertemplate-appstudio-tenant-3815075241-3815075241.yaml diff --git a/components/sandbox/tiers/staging/appstudio/nstemplatetier-appstudio.yaml b/components/sandbox/tiers/staging/appstudio/nstemplatetier-appstudio.yaml index ae9f3bad69c..e8732ff0243 100644 --- a/components/sandbox/tiers/staging/appstudio/nstemplatetier-appstudio.yaml +++ b/components/sandbox/tiers/staging/appstudio/nstemplatetier-appstudio.yaml @@ -18,7 +18,7 @@ spec: contributor: templateRef: appstudio-contributor-829105171-829105171 maintainer: - templateRef: appstudio-maintainer-1904354742-1904354742 + templateRef: appstudio-maintainer-474752551-474752551 viewer: templateRef: appstudio-viewer-4256863455-4256863455 status: {} diff --git a/components/sandbox/tiers/staging/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml b/components/sandbox/tiers/staging/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml new file mode 100644 index 00000000000..25e45398903 --- /dev/null +++ b/components/sandbox/tiers/staging/appstudio/tiertemplate-appstudio-maintainer-474752551-474752551.yaml 
@@ -0,0 +1,202 @@ +# ---------------------------------------------------------------- +# Generated by cli - DO NOT EDIT +# ---------------------------------------------------------------- + +apiVersion: toolchain.dev.openshift.com/v1alpha1 +kind: TierTemplate +metadata: + name: appstudio-maintainer-474752551-474752551 + namespace: toolchain-host-operator +spec: + revision: 474752551-474752551 + template: + apiVersion: template.openshift.io/v1 + kind: Template + metadata: {} + objects: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: appstudio-maintainer-user-actions + namespace: ${NAMESPACE} + rules: + - apiGroups: + - appstudio.redhat.com + resources: + - applications + - components + - imagerepositories + - componentdetectionqueries + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - integrationtestscenarios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - list + - 
watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch + - apiGroups: + - projctl.konflux.dev + resources: + - projects + - projectdevelopmentstreams + - projectdevelopmentstreamtemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-maintainer-${USERNAME}-actions-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appstudio-maintainer-user-actions + subjects: + - kind: User + name: ${USERNAME} + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-${USERNAME}-view-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view + subjects: + - kind: User + name: ${USERNAME} + parameters: + - name: NAMESPACE + required: true + - name: USERNAME + required: true + tierName: appstudio + type: maintainer diff --git a/components/sandbox/tiers/staging/appstudiolarge/kustomization.yaml b/components/sandbox/tiers/staging/appstudiolarge/kustomization.yaml index d3a42fd1986..0bb978e95fc 100644 --- a/components/sandbox/tiers/staging/appstudiolarge/kustomization.yaml +++ b/components/sandbox/tiers/staging/appstudiolarge/kustomization.yaml 
@@ -22,6 +22,7 @@ resources: - tiertemplate-appstudiolarge-maintainer-1929014883-1904354742.yaml - tiertemplate-appstudiolarge-maintainer-1929014883-293087644.yaml - tiertemplate-appstudiolarge-maintainer-3994678728-1904354742.yaml +- tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml - tiertemplate-appstudiolarge-tenant-1884308846-199961605.yaml - tiertemplate-appstudiolarge-tenant-1884308846-2313893948.yaml - tiertemplate-appstudiolarge-tenant-1929014883-2313893948.yaml diff --git a/components/sandbox/tiers/staging/appstudiolarge/nstemplatetier-appstudiolarge.yaml b/components/sandbox/tiers/staging/appstudiolarge/nstemplatetier-appstudiolarge.yaml index 0df7db71746..0bb72be206c 100644 --- a/components/sandbox/tiers/staging/appstudiolarge/nstemplatetier-appstudiolarge.yaml +++ b/components/sandbox/tiers/staging/appstudiolarge/nstemplatetier-appstudiolarge.yaml @@ -18,7 +18,7 @@ spec: contributor: templateRef: appstudiolarge-contributor-3994678728-829105171 maintainer: - templateRef: appstudiolarge-maintainer-3994678728-1904354742 + templateRef: appstudiolarge-maintainer-3994678728-474752551 viewer: templateRef: appstudiolarge-viewer-3994678728-4256863455 status: {} diff --git a/components/sandbox/tiers/staging/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml b/components/sandbox/tiers/staging/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml new file mode 100644 index 00000000000..bf30f1b339f --- /dev/null +++ b/components/sandbox/tiers/staging/appstudiolarge/tiertemplate-appstudiolarge-maintainer-3994678728-474752551.yaml 
@@ -0,0 +1,202 @@ +# ---------------------------------------------------------------- +# Generated by cli - DO NOT EDIT +# ---------------------------------------------------------------- + +apiVersion: toolchain.dev.openshift.com/v1alpha1 +kind: TierTemplate +metadata: + name: appstudiolarge-maintainer-3994678728-474752551 + namespace: toolchain-host-operator +spec: + revision: 3994678728-474752551 + template: + apiVersion: template.openshift.io/v1 + kind: Template + metadata: {} + objects: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: appstudio-maintainer-user-actions + namespace: ${NAMESPACE} + rules: + - apiGroups: + - appstudio.redhat.com + resources: + - applications + - components + - imagerepositories + - componentdetectionqueries + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - integrationtestscenarios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - 
list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch + - apiGroups: + - projctl.konflux.dev + resources: + - projects + - projectdevelopmentstreams + - projectdevelopmentstreamtemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-maintainer-${USERNAME}-actions-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appstudio-maintainer-user-actions + subjects: + - kind: User + name: ${USERNAME} + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-${USERNAME}-view-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view + subjects: + - kind: User + name: ${USERNAME} + parameters: + - name: NAMESPACE + required: true + - name: USERNAME + required: true + tierName: appstudiolarge + type: maintainer diff --git a/components/sandbox/tiers/staging/appstudioxlarge/kustomization.yaml b/components/sandbox/tiers/staging/appstudioxlarge/kustomization.yaml index 7e9fccb9287..1f15dd2768e 100644 --- a/components/sandbox/tiers/staging/appstudioxlarge/kustomization.yaml +++ b/components/sandbox/tiers/staging/appstudioxlarge/kustomization.yaml 
@@ -10,6 +10,7 @@ resources: - tiertemplate-appstudioxlarge-clusterresources-884010306-3180033938.yaml - tiertemplate-appstudioxlarge-contributor-884010306-829105171.yaml - tiertemplate-appstudioxlarge-maintainer-884010306-1904354742.yaml +- tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml - tiertemplate-appstudioxlarge-tenant-884010306-4121561789.yaml - tiertemplate-appstudioxlarge-tenant-884010306-649666048.yaml - tiertemplate-appstudioxlarge-viewer-884010306-4256863455.yaml diff --git a/components/sandbox/tiers/staging/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml b/components/sandbox/tiers/staging/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml index 173ed6afa8e..af353e8928e 100644 --- a/components/sandbox/tiers/staging/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml +++ b/components/sandbox/tiers/staging/appstudioxlarge/nstemplatetier-appstudioxlarge.yaml @@ -18,7 +18,7 @@ spec: contributor: templateRef: appstudioxlarge-contributor-884010306-829105171 maintainer: - templateRef: appstudioxlarge-maintainer-884010306-1904354742 + templateRef: appstudioxlarge-maintainer-884010306-474752551 viewer: templateRef: appstudioxlarge-viewer-884010306-4256863455 status: {} diff --git a/components/sandbox/tiers/staging/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml b/components/sandbox/tiers/staging/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml new file mode 100644 index 00000000000..75e9e1f2b3c --- /dev/null +++ b/components/sandbox/tiers/staging/appstudioxlarge/tiertemplate-appstudioxlarge-maintainer-884010306-474752551.yaml 
@@ -0,0 +1,202 @@ +# ---------------------------------------------------------------- +# Generated by cli - DO NOT EDIT +# ---------------------------------------------------------------- + +apiVersion: toolchain.dev.openshift.com/v1alpha1 +kind: TierTemplate +metadata: + name: appstudioxlarge-maintainer-884010306-474752551 + namespace: toolchain-host-operator +spec: + revision: 884010306-474752551 + template: + apiVersion: template.openshift.io/v1 + kind: Template + metadata: {} + objects: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: appstudio-maintainer-user-actions + namespace: ${NAMESPACE} + rules: + - apiGroups: + - appstudio.redhat.com + resources: + - applications + - components + - imagerepositories + - componentdetectionqueries + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - integrationtestscenarios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - 
list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch + - apiGroups: + - projctl.konflux.dev + resources: + - projects + - projectdevelopmentstreams + - projectdevelopmentstreamtemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-maintainer-${USERNAME}-actions-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appstudio-maintainer-user-actions + subjects: + - kind: User + name: ${USERNAME} + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-${USERNAME}-view-user + namespace: ${NAMESPACE} + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view + subjects: + - kind: User + name: ${USERNAME} + parameters: + - name: NAMESPACE + required: true + - name: USERNAME + required: true + tierName: appstudioxlarge + type: maintainer