From 8eddd4a8134bb76fb2467df9e268171e5773263a Mon Sep 17 00:00:00 2001 From: Alvaro Aleman Date: Tue, 12 May 2020 12:03:48 -0400 Subject: [PATCH] Configure ci-chat bot with build-cluster-kubeconfig --- clusters/app.ci/ci-chat-bot/ci-chat-bot.yaml | 40 +++++------------ core-services/ci-chat-bot/OWNERS | 2 + core-services/ci-chat-bot/README.md | 3 ++ core-services/ci-chat-bot/ci-chat-bot.yaml | 45 +++++++++++++++++++ .../ci-secret-bootstrap/_config.yaml | 8 ++++ 5 files changed, 68 insertions(+), 30 deletions(-) create mode 100644 core-services/ci-chat-bot/OWNERS create mode 100644 core-services/ci-chat-bot/README.md create mode 100644 core-services/ci-chat-bot/ci-chat-bot.yaml diff --git a/clusters/app.ci/ci-chat-bot/ci-chat-bot.yaml b/clusters/app.ci/ci-chat-bot/ci-chat-bot.yaml index a12e2edd08f1..892c644b9139 100644 --- a/clusters/app.ci/ci-chat-bot/ci-chat-bot.yaml +++ b/clusters/app.ci/ci-chat-bot/ci-chat-bot.yaml @@ -45,36 +45,6 @@ subjects: namespace: ci name: ci-chat-bot --- -kind: Role -apiVersion: authorization.openshift.io/v1 -metadata: - name: ci-chat-bot-read - namespace: ocp -rules: -- apiGroups: - - image.openshift.io - resources: - - imagestreams - - imagestreamtags - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ci-chat-bot-binding - namespace: ocp -roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: ci-chat-bot-read -subjects: -- kind: ServiceAccount - namespace: ci - name: ci-chat-bot ---- kind: ServiceAccount apiVersion: v1 metadata: @@ -141,6 +111,12 @@ spec: - name: job-config-47 configMap: name: job-config-4.7 + - name: build-cluster-kubeconfig + secret: + secretName: ci-chatbot-kubeconfig + items: + - key: sa.ci-chatbot.api.ci.config + path: kubeconfig containers: - name: bot image: ci-chat-bot:latest 
@@ -178,6 +154,9 @@ spec: - name: job-config-47 mountPath: /etc/job-config/4.7 readOnly: true + - name: ci-chatbot-kubeconfig + mountPath: /var/build-cluster-kubeconfig + readOnly: true env: - name: BOT_TOKEN valueFrom: @@ -191,3 +170,4 @@ spec: - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --force-pr-owner=system:serviceaccount:ci:ci-chat-bot + - --build-cluster-kubeconfig=/var/build-cluster-kubeconfig/kubeconfig diff --git a/core-services/ci-chat-bot/OWNERS b/core-services/ci-chat-bot/OWNERS new file mode 100644 index 000000000000..23e925ac2edf --- /dev/null +++ b/core-services/ci-chat-bot/OWNERS @@ -0,0 +1,2 @@ +approvers: +- smarterclayton diff --git a/core-services/ci-chat-bot/README.md b/core-services/ci-chat-bot/README.md new file mode 100644 index 000000000000..d55cddc16fe8 --- /dev/null +++ b/core-services/ci-chat-bot/README.md @@ -0,0 +1,3 @@ +# CI chat bot + +Some rbacs needed for the chat bot on the api.ci cluster. Its main config is at [/clusters/app.ci/ci-chat-bot](/clusters/app.ci/ci-chat-bot) diff --git a/core-services/ci-chat-bot/ci-chat-bot.yaml b/core-services/ci-chat-bot/ci-chat-bot.yaml new file mode 100644 index 000000000000..69e80d3d4a25 --- /dev/null +++ b/core-services/ci-chat-bot/ci-chat-bot.yaml 
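Review bot: The added volumeMount is named `ci-chatbot-kubeconfig`, but the volume added in the `@@ -141,6 +111,12 @@` hunk is named `build-cluster-kubeconfig`; `ci-chatbot-kubeconfig` is the Secret's name, and no volume of that name is visible in these hunks. A volumeMount that matches no volume fails validation, so the Deployment would be rejected. If a volume with that name does exist outside the hunks, the wrong one would be mounted, and `--build-cluster-kubeconfig=/var/build-cluster-kubeconfig/kubeconfig` in the `@@ -191,3 +170,4 @@` hunk would point at a file that is never populated. The mount entry should read `- name: build-cluster-kubeconfig`. The pod spec starts and ends outside these hunks, so this is worth confirming against the full manifest.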
@@ -0,0 +1,45 @@ +kind: ServiceAccount +apiVersion: v1 +metadata: + name: ci-chat-bot + namespace: ci +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ci-chat-bot-prowjob + namespace: ci +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - "*" +- apiGroups: + - image.openshift.io + resources: + - "imagestreams" + verbs: + - "get" +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - delete +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ci-chat-bot-binding-prowjob + namespace: ci +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: ci-chat-bot-prowjob +subjects: +- kind: ServiceAccount + namespace: ci + name: ci-chat-bot diff --git a/core-services/ci-secret-bootstrap/_config.yaml b/core-services/ci-secret-bootstrap/_config.yaml index 3b85f8bd1982..e9966a2312bc 100644 --- a/core-services/ci-secret-bootstrap/_config.yaml +++ b/core-services/ci-secret-bootstrap/_config.yaml @@ -1070,3 +1070,11 @@ - cluster: api.ci namespace: ci name: pj-rehearse +- from: + sa.ci-chatbot.api.ci.config: + bw_item: ci-chatbot + attachment: sa.ci-chatbot.api.ci.config + to: + - cluster: app.ci + namespace: ci + name: ci-chatbot-kubeconfig
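Review bot: The new ClusterRole `ci-chat-bot-prowjob` in `core-services/ci-chat-bot/ci-chat-bot.yaml` grants `"*"` on `pods` and `pods/log` plus `delete` on `projects`, and the ClusterRoleBinding applies that in every namespace. It goes to the service account whose kubeconfig this same commit copies into the `ci-chatbot-kubeconfig` Secret on app.ci. Wildcard pod verbs include `create`, and pod creation in a namespace gives access to the service accounts and secrets a pod can mount there, so a leaked kubeconfig would carry far more than read access to job pods. Replace the wildcard with the verbs the bot actually uses, for example `verbs: [get, list, watch, create, delete]` (to be confirmed against the bot's code), and add a comment on the `projects` rule saying why cluster-wide `delete` is required. Separately, `namespace: ci` under `metadata` of the ClusterRole and ClusterRoleBinding has no effect because both kinds are cluster-scoped; dropping it avoids suggesting the grant is limited to `ci`.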