update rbac for pipelines and argo

day0hero · day0hero · commit 31cbe0b4e0c0 · 2026-04-23T15:30:10.000+01:00
diff --git a/values-hypershift.yaml b/values-hypershift.yaml
@@ -98,6 +98,30 @@ rbac:
   - qe
   - Docs
 
+# Tekton / OpenShift Pipelines (charts/all/pipelines-rbac): ClusterRole plus optional
+# ClusterRoleBinding for OpenShift Users and Groups (for example names produced by
+# GitHub Group Sync). Grants full lifecycle on Pipelines CRDs in every namespace.
+pipelinesRbac:
+  create: true
+  clusterRoleName: openshift-pipelines-tekton-admin
+  clusterRoleBindingName: openshift-pipelines-tekton-admin
+  includePodLogAccess: true
+  users: []
+  groups:
+    - Engineering
+
+# Argo CD / OpenShift GitOps Application CRs (charts/all/argocd-application-rbac).
+# Grants Kubernetes API access to applications, applicationsets, and appprojects.
+# For the Argo CD web UI, also configure policy.csv in argocd-rbac-cm for the same groups.
+argocdApplicationRbac:
+  create: true
+  clusterRoleName: openshift-gitops-application-manager
+  clusterRoleBindingName: openshift-gitops-application-manager
+  includeArgoCdOperatorCr: false
+  users: []
+  groups:
+    - Engineering
+
 letsencrypt:
 # region can be the empty string unless AccessKeyID and SecretAccessKeyID are not set (which we ensure is never true)
 # Otherwise, set to the region of the cluster, eg. us-east-1
diff --git a/values-prod.yaml b/values-prod.yaml
@@ -130,6 +130,24 @@ clusterGroup:
       annotations:
         argocd.argoproj.io/sync-wave: "18"
 
+    pipeline-tekton-rbac:
+      disabled: false
+      name: pipeline-tekton-rbac
+      namespace: openshift-pipelines
+      argoProject: pipelines
+      path: charts/all/pipelines-rbac
+      annotations:
+        argocd.argoproj.io/sync-wave: "19"
+
+    argocd-application-rbac:
+      disabled: false
+      name: argocd-application-rbac
+      namespace: openshift-gitops
+      argoProject: hub
+      path: charts/all/argocd-application-rbac
+      annotations:
+        argocd.argoproj.io/sync-wave: "17"
+
     # Uncomment when ACM is installed — pipelines chart detects this key and enables Klusterlet add-on task.
     # acm:
     #   name: acm
