Merge pull request #2149 from lcarva/release-pipeline

lcarva · web-flow · commit 0d5ed05593a1 · 2024-11-07T16:59:42.000-05:00
Add release setup steps
diff --git a/release/README.md b/release/README.md
@@ -7,6 +7,11 @@ The Pipelines are generated via [kustomize](https://kustomize.io/) from the `src
 make changes to the Pipelines, update the corresponding files in that directory and run the
 `make generate-pipelines` command (requires `kustomize`).
 
+## Setup
+
+The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeliens
+will run. This creates a ServiceAccount with access to perform the release.
+
 ## Why are there two Pipelines?
 
 Currently, it is not possible to specify the EC policy in the ReleasePlan, nor any general Pipeline
diff --git a/release/setup.yaml b/release/setup.yaml
@@ -0,0 +1,56 @@
+---
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# A dedicated ServiceAccount is used to create create a distinction between build and release access.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tenant-release
+  namespace: rhtap-contract-tenant
+secrets:
+  - name: ec-cli-main  # push quay.io/enterprise-contract/cli
+  - name: ec-tekton-task-main  # push quay.io/enterprise-contract/tekton-task
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: rhtap-contract-tenant
+  name: tenant-release
+rules:
+  - apiGroups:
+      - appstudio.redhat.com
+    resources:
+      - releases
+      - releaseplans
+      - snapshots
+    verbs:
+      - get
+      - watch
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tenant-release
+  namespace: rhtap-contract-tenant
+subjects:
+  - kind: ServiceAccount
+    name: tenant-release
+roleRef:
+  kind: Role
+  name: tenant-release
+  apiGroup: rbac.authorization.k8s.io
