fix viewer role permissions

Signed-off-by: Francesco Ilario <[email protected]>
codeready-toolchain · Apr 17, 2024 · 33a1f47 · 33a1f47
1 parent e497401
commit 33a1f47
Show file tree

Hide file tree

Showing 2 changed files with 146 additions and 150 deletions.
diff --git a/deploy/templates/nstemplatetiers/appstudio/spacerole_viewer.yaml b/deploy/templates/nstemplatetiers/appstudio/spacerole_viewer.yaml
@@ -22,9 +22,6 @@ objects:
     - get
     - list
     - watch
-    - create
-    - update
-    - patch
   - apiGroups:
     - appstudio.redhat.com
     resources:
@@ -81,10 +78,6 @@ objects:
     - get
     - list
     - watch
-    - create
-    - update
-    - patch
-    - delete
   - apiGroups:
     - appstudio.redhat.com
     resources:
@@ -103,10 +96,6 @@ objects:
     - get
     - list
     - watch
-    - create
-    - update
-    - patch
-    - delete
   - apiGroups:
     - appstudio.redhat.com
     resources:
@@ -115,10 +104,6 @@ objects:
     - get
     - list
     - watch
-    - create
-    - update
-    - patch
-    - delete
   - apiGroups:
     - jvmbuildservice.io
     resources:
@@ -128,24 +113,17 @@ objects:
     - get
     - list
     - watch
-    - create
-    - update
-    - patch
   - apiGroups:
     - appstudio.redhat.com
     resources:
     - spiaccesstokenbindings
     - spiaccesschecks
     - spiaccesstokens
     - spifilecontentrequests
-    - spiaccesstokendataupdates
     verbs:
     - get
     - list
     - watch
-    - create
-    - update
-    - patch
   - apiGroups:
     - appstudio.redhat.com
     resources:
@@ -170,7 +148,6 @@ objects:
     - get
     - list
     - watch
-  # Allow using the project-controller
   - apiGroups:
     - projctl.konflux.dev
     resources:
@@ -181,10 +158,6 @@ objects:
     - get
     - list
     - watch
-    - create
-    - update
-    - patch
-    - delete
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:

diff --git a/test/templates/nstemplatetiers/appstudio/spacerole_viewer.yaml b/test/templates/nstemplatetiers/appstudio/spacerole_viewer.yaml
@@ -19,129 +19,152 @@ objects:
     namespace: ${NAMESPACE}
     name: appstudio-viewer-user-actions
   rules:
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - applications
-        - components
-        - componentdetectionqueries
-      verbs:
-        - get
-        - list
-        - watch
-        - create
-        - update
-        - patch
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - promotionruns
-        - snapshotenvironmentbindings
-        - snapshots
-        - environments
-      verbs:
-        - get
-        - list
-        - watch
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - deploymentttargets
-        - deploymenttargetclaims
-      verbs:
-        - get
-        - list
-        - watch
-    - apiGroups:
-        - managed-gitops.redhat.com
-      resources:
-        - gitopsdeployments
-        - gitopsdeploymentmanagedenvironments
-        - gitopsdeploymentrepositorycredentials
-        - gitopsdeploymentsyncruns
-      verbs:
-        - get
-        - list
-        - watch
-    - apiGroups:
-        - tekton.dev
-      resources:
-        - pipelineruns
-      verbs:
-        - get
-        - list
-        - watch
-    - apiGroups:
-        - results.tekton.dev
-      resources:
-        - results
-        - records
-      verbs:
-        - get
-        - list
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - integrationtestscenarios
-      verbs:
-        - '*'
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - enterprisecontractpolicies
-      verbs:
-        - get
-        - list
-        - watch
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - releases
-        - releasestrategies
-        - releaseplans
-      verbs:
-        - '*'
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - releaseplanadmissions
-      verbs:
-        - '*'
-    - apiGroups:
-        - jvmbuildservice.io
-      resources:
-        - jbsconfigs
-        - artifactbuilds
-      verbs:
-        - get
-        - list
-        - watch
-        - create
-        - update
-        - patch
-    - apiGroups:
-        - appstudio.redhat.com
-      resources:
-        - spiaccesstokenbindings
-        - spiaccesschecks
-        - spiaccesstokens
-        - spifilecontentrequests
-        - spiaccesstokendataupdates
-      verbs:
-        - get
-        - list
-        - watch
-        - create
-        - update
-        - patch
-    - apiGroups:
-        - ''
-      resources:
-        - configmaps
-      verbs:
-        - get
-        - list
-        - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - applications
+    - components
+    - componentdetectionqueries
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - promotionruns
+    - snapshotenvironmentbindings
+    - snapshots
+    - environments
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - deploymenttargets
+    - deploymenttargetclaims
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - managed-gitops.redhat.com
+    resources:
+    - gitopsdeployments
+    - gitopsdeploymentmanagedenvironments
+    - gitopsdeploymentrepositorycredentials
+    - gitopsdeploymentsyncruns
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - tekton.dev
+    resources:
+    - pipelineruns
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - results.tekton.dev
+    resources:
+    - results
+    - records
+    - logs
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - integrationtestscenarios
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - enterprisecontractpolicies
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - releases
+    - releasestrategies
+    - releaseplans
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - releaseplanadmissions
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - jvmbuildservice.io
+    resources:
+    - jbsconfigs
+    - artifactbuilds
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - spiaccesstokenbindings
+    - spiaccesschecks
+    - spiaccesstokens
+    - spifilecontentrequests
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - remotesecrets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ''
+    resources:
+    - configmaps
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - appstudio.redhat.com
+    resources:
+    - buildpipelineselectors
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - projctl.konflux.dev
+    resources:
+    - projects
+    - projectdevelopmentstreams
+    - projectdevelopmentstreamtemplates
+    verbs:
+    - get
+    - list
+    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata: