Merge pull request openshift#9045 from alvaroaleman/chatbot-2

Configure ci-chat bot with build-cluster-kubeconfig
jstuever · May 12, 2020 · 7365dac · 7365dac
2 parents 7ed7b84 + 8eddd4a
commit 7365dac
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 30 deletions.
diff --git a/clusters/app.ci/ci-chat-bot/ci-chat-bot.yaml b/clusters/app.ci/ci-chat-bot/ci-chat-bot.yaml
@@ -45,36 +45,6 @@ subjects:
   namespace: ci
   name: ci-chat-bot
 ---
-kind: Role
-apiVersion: authorization.openshift.io/v1
-metadata:
-  name: ci-chat-bot-read
-  namespace: ocp
-rules:
-- apiGroups:
-  - image.openshift.io
-  resources:
-  - imagestreams
-  - imagestreamtags
-  verbs:
-  - get
-  - list
-  - watch
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: ci-chat-bot-binding
-  namespace: ocp
-roleRef:
-  kind: Role
-  apiGroup: rbac.authorization.k8s.io
-  name: ci-chat-bot-read
-subjects:
-- kind: ServiceAccount
-  namespace: ci
-  name: ci-chat-bot
----
 kind: ServiceAccount
 apiVersion: v1
 metadata:
@@ -141,6 +111,12 @@ spec:
       - name: job-config-47
         configMap:
           name: job-config-4.7
+      - name: build-cluster-kubeconfig
+        secret:
+          secretName: ci-chatbot-kubeconfig
+          items:
+            - key: sa.ci-chatbot.api.ci.config
+              path: kubeconfig
       containers:
       - name: bot
         image: ci-chat-bot:latest
@@ -178,6 +154,9 @@ spec:
         - name: job-config-47
           mountPath: /etc/job-config/4.7
           readOnly: true
+        - name: ci-chatbot-kubeconfig
+          mountPath: /var/build-cluster-kubeconfig
+          readOnly: true
         env:
         - name: BOT_TOKEN
           valueFrom:
@@ -191,3 +170,4 @@ spec:
         - --github-endpoint=http://ghproxy
         - --github-endpoint=https://api.github.com
         - --force-pr-owner=system:serviceaccount:ci:ci-chat-bot
+        - --build-cluster-kubeconfig=/var/build-cluster-kubeconfig/kubeconfig
diff --git a/core-services/ci-chat-bot/OWNERS b/core-services/ci-chat-bot/OWNERS
@@ -0,0 +1,2 @@
+approvers:
+- smarterclayton
diff --git a/core-services/ci-chat-bot/README.md b/core-services/ci-chat-bot/README.md
@@ -0,0 +1,3 @@
+# CI chat bot
+
+Some rbacs needed for the chat bot on the api.ci cluster. Its main config is at [/clusters/app.ci/ci-chat-bot](/clusters/app.ci/ci-chat-bot)
diff --git a/core-services/ci-chat-bot/ci-chat-bot.yaml b/core-services/ci-chat-bot/ci-chat-bot.yaml
@@ -0,0 +1,45 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: ci-chat-bot
+  namespace: ci
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ci-chat-bot-prowjob
+  namespace: ci
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  verbs:
+  - "*"
+- apiGroups:
+  - image.openshift.io
+  resources:
+  - "imagestreams"
+  verbs:
+  - "get"
+- apiGroups:
+  - project.openshift.io
+  resources:
+  - projects
+  verbs:
+  - delete
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ci-chat-bot-binding-prowjob
+  namespace: ci
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: ci-chat-bot-prowjob
+subjects:
+- kind: ServiceAccount
+  namespace: ci
+  name: ci-chat-bot
diff --git a/core-services/ci-secret-bootstrap/_config.yaml b/core-services/ci-secret-bootstrap/_config.yaml
@@ -1070,3 +1070,11 @@
     - cluster: api.ci
       namespace: ci
       name: pj-rehearse
+- from:
+    sa.ci-chatbot.api.ci.config:
+      bw_item: ci-chatbot
+      attachment: sa.ci-chatbot.api.ci.config
+  to:
+    - cluster: app.ci
+      namespace: ci
+      name: ci-chatbot-kubeconfig
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# CI chat bot

		Some rbacs needed for the chat bot on the api.ci cluster. Its main config is at [/clusters/app.ci/ci-chat-bot](/clusters/app.ci/ci-chat-bot)