update rbac for pipelines and argo

Author: day0hero

charts/all/argocd-application-rbac/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: argocd-application-rbac
+description: ClusterRole and ClusterRoleBinding for managing Argo CD Application CRs (argoproj.io)
+type: application
+version: 0.1.0
+appVersion: "0.1.0"

charts/all/argocd-application-rbac/templates/application-rbac.yaml

@@ -0,0 +1,79 @@
+{{- $cfg := .Values.argocdApplicationRbac | default dict }}
+{{- $doCreate := true }}
+{{- $createFlag := index $cfg "create" }}
+{{- if kindIs "bool" $createFlag }}
+{{- $doCreate = $createFlag }}
+{{- end }}
+{{- $includeArgoCD := false }}
+{{- $argoCrFlag := index $cfg "includeArgoCdOperatorCr" }}
+{{- if kindIs "bool" $argoCrFlag }}
+{{- $includeArgoCD = $argoCrFlag }}
+{{- end }}
+{{- if $doCreate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $cfg.clusterRoleName | default "openshift-gitops-application-manager" }}
+rules:
+  # Argo CD Application, ApplicationSet, AppProject (incl. status/finalizers for sync + deletion)
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - applications
+      - applications/status
+      - applications/finalizers
+      - applicationsets
+      - applicationsets/status
+      - applicationsets/finalizers
+      - appprojects
+      - appprojects/status
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+{{- if $includeArgoCD }}
+  # Argo CD / OpenShift GitOps operator instance (cluster-scoped); enables changing operator-managed settings via CR.
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - argocds
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+{{- end }}
+{{- $users := $cfg.users | default list }}
+{{- $groups := $cfg.groups | default list }}
+{{- if or (gt (len $users) 0) (gt (len $groups) 0) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $cfg.clusterRoleBindingName | default "openshift-gitops-application-manager" }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $cfg.clusterRoleName | default "openshift-gitops-application-manager" }}
+subjects:
+{{- range $users }}
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: {{ . | quote }}
+{{- end }}
+{{- range $groups }}
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/all/argocd-application-rbac/values.yaml

@@ -0,0 +1,11 @@
+# Kubernetes RBAC on argoproj.io resources used by Argo CD / OpenShift GitOps.
+# The Argo CD API server may still require policy in argocd-rbac-cm (policy.csv) for UI
+# actions; pair this chart with GitOps RBAC policy for your groups.
+argocdApplicationRbac:
+  create: true
+  clusterRoleName: openshift-gitops-application-manager
+  clusterRoleBindingName: openshift-gitops-application-manager
+  # When true, also allows create/update/delete on the ArgoCD operator CR (cluster-scoped).
+  includeArgoCdOperatorCr: false
+  users: []
+  groups: []

charts/all/pipelines-rbac/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: pipelines-rbac
+description: ClusterRole and ClusterRoleBinding for Tekton / OpenShift Pipelines developer access
+type: application
+version: 0.1.0
+appVersion: "0.1.0"

charts/all/pipelines-rbac/templates/tekton-rbac.yaml

@@ -0,0 +1,112 @@
+{{- $cfg := .Values.pipelinesRbac | default dict }}
+{{- $podAccess := true }}
+{{- $podFlag := index $cfg "includePodLogAccess" }}
+{{- if kindIs "bool" $podFlag }}
+{{- $podAccess = $podFlag }}
+{{- end }}
+{{- $doCreate := true }}
+{{- $createFlag := index $cfg "create" }}
+{{- if kindIs "bool" $createFlag }}
+{{- $doCreate = $createFlag }}
+{{- end }}
+{{- if $doCreate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $cfg.clusterRoleName | default "openshift-pipelines-tekton-admin" }}
+rules:
+  # Core Tekton Pipelines (namespaced)
+  - apiGroups:
+      - tekton.dev
+    resources:
+      - pipelines
+      - pipelineruns
+      - tasks
+      - taskruns
+      - runs
+      - customruns
+      - pipelineresources
+      - verificationpolicies
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+  # Cluster-scoped task catalog (read-only; cluster-wide Task definitions stay platform-owned)
+  - apiGroups:
+      - tekton.dev
+    resources:
+      - clustertasks
+    verbs:
+      - get
+      - list
+      - watch
+  # Tekton Triggers (namespaced)
+  - apiGroups:
+      - triggers.tekton.dev
+    resources:
+      - eventlisteners
+      - triggers
+      - triggerbindings
+      - triggertemplates
+      - interceptors
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+  # Triggers cluster catalog
+  - apiGroups:
+      - triggers.tekton.dev
+    resources:
+      - clustertriggerbindings
+      - clusterinterceptors
+    verbs:
+      - get
+      - list
+      - watch
+{{- if $podAccess }}
+  # Pod logs for PipelineRun / TaskRun debugging (console and kubectl/oc)
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}
+{{- $users := $cfg.users | default list }}
+{{- $groups := $cfg.groups | default list }}
+{{- if or (gt (len $users) 0) (gt (len $groups) 0) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $cfg.clusterRoleBindingName | default "openshift-pipelines-tekton-admin" }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $cfg.clusterRoleName | default "openshift-pipelines-tekton-admin" }}
+subjects:
+{{- range $users }}
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: {{ . | quote }}
+{{- end }}
+{{- range $groups }}
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/all/pipelines-rbac/values.yaml

@@ -0,0 +1,13 @@
+# ClusterRole + ClusterRoleBinding granting full lifecycle (get/list/watch/create/update/patch/delete)
+# on core Tekton Pipelines CRDs and Triggers CRDs in any namespace, plus read-only use of
+# cluster-scoped catalog objects (ClusterTask, cluster-scoped triggers) and pod log access
+# for pipeline debugging.
+pipelinesRbac:
+  create: true
+  clusterRoleName: openshift-pipelines-tekton-admin
+  clusterRoleBindingName: openshift-pipelines-tekton-admin
+  # If false, omits cluster-wide Pod rules (tighter; you may grant namespace Role view/edit separately for logs).
+  includePodLogAccess: true
+  # OpenShift Users and Groups (e.g. GitHub Group Sync → group name "my-org-my-team")
+  users: []
+  groups: []