remove references to chains ns

    - The tekton-chains namespace is obsolete with the Tekton-Chains controller
      deployed with openshift-pipelines operator.
    - We also don't need the secrets-migrator because 'chains-secret-admin' now
      directly create/update the secretes in the Openshift-Pipelines
      namespace.
    - remove redundant roles & RB for `chains-secrets-admin` SA from openshift-ingress-operator namespace

Signed-off-by: Satyam Bhardwaj <[email protected]>

operator/gitops/argocd/pipeline-service/kustomization.yaml

@@ -4,7 +4,6 @@ kind: Kustomization
 
 resources:
   - openshift-pipelines
-  - tekton-chains
   - tekton-results
   - metrics-exporter
 

operator/gitops/argocd/pipeline-service/openshift-pipelines/allow-argocd-to-manage-jobs.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: openshift-gitops-jobs-admin
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+rules:
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - get
+      - list
+      - patch
+      - create
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: openshift-gitops-jobs-admin
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: openshift-gitops-jobs-admin
+subjects:
+  - kind: ServiceAccount
+    name: openshift-gitops-argocd-application-controller
+    namespace: openshift-gitops

operator/gitops/argocd/pipeline-service/tekton-chains/public-key.yaml → operator/gitops/argocd/pipeline-service/openshift-pipelines/chains-public-key-viewer.yaml

@@ -17,11 +17,12 @@ rules:
       - list
       - watch
 ---
+# public-key access
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: tekton-chains-public-key-viewer
-  namespace: tekton-chains
+  namespace: openshift-pipelines
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 roleRef:

operator/gitops/argocd/pipeline-service/tekton-chains/chains-secrets-config.yaml → operator/gitops/argocd/pipeline-service/openshift-pipelines/chains-secrets-config.yaml

@@ -3,15 +3,15 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: chains-secrets-admin
-  namespace: tekton-chains
+  namespace: openshift-pipelines
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: chains-secret-admin
-  namespace: tekton-chains
+  namespace: openshift-pipelines
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 rules:
@@ -27,25 +27,10 @@ rules:
       - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: secret-reader
-  namespace: openshift-ingress-operator
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: chains-secret-admin
-  namespace: tekton-chains
+  namespace: openshift-pipelines
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 roleRef:
@@ -55,29 +40,13 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: chains-secrets-admin
-    namespace: tekton-chains
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: chains-secret-reader
-  namespace: openshift-ingress-operator
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: secret-reader
-subjects:
-  - kind: ServiceAccount
-    name: chains-secrets-admin
-    namespace: tekton-chains
+    namespace: openshift-pipelines
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: tekton-chains-signing-secret
-  namespace: tekton-chains
+  namespace: openshift-pipelines
   annotations:
     argocd.argoproj.io/sync-wave: "1"
 spec:
@@ -94,22 +63,22 @@ spec:
               cd /tmp
               # Once the key-pair has been set it's marked as immutable so it can't be updated.
               # Try to handle that nicely. The object is expected to always exist so check the data.
-              SIG_KEY_DATA=$(kubectl get secret signing-secrets -n tekton-chains -o jsonpath='{.data}')
+              SIG_KEY_DATA=$(kubectl get secret signing-secrets -n openshift-pipelines -o jsonpath='{.data}')
               if [[ -n $SIG_KEY_DATA ]]; then
                 echo "Signing secret exists."
               else
                 # To make this run conveniently without user input let's create a random password
                 RANDOM_PASS=$( head -c 12 /dev/urandom | base64 )
 
                 # Generate the key pair secret directly in the cluster.
-                env COSIGN_PASSWORD=$RANDOM_PASS cosign generate-key-pair k8s://tekton-chains/signing-secrets
+                env COSIGN_PASSWORD=$RANDOM_PASS cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
               fi
 
               # Generate/update the secret with the public key
               kubectl create secret generic public-key \
-                --namespace tekton-chains \
+                --namespace openshift-pipelines \
                 --from-literal=cosign.pub="$(
-                  cosign public-key --key k8s://tekton-chains/signing-secrets
+                  cosign public-key --key k8s://openshift-pipelines/signing-secrets
                 )" \
                 --dry-run=client \
                 -o yaml | kubectl apply -f -

operator/gitops/argocd/pipeline-service/openshift-pipelines/kustomization.yaml

@@ -3,10 +3,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - allow-argocd-to-manage.yaml
+  - allow-argocd-to-manage-jobs.yaml
   - appstudio-pipelines-scc.yaml
   - openshift-operator.yaml
   - tekton-config.yaml
   - config-logging.yaml
   - chains-service-monitor.yaml
   # Manully add ConfigMap and Service until PLNSRVCE-1359 is fixed
   - chains-observability-service.yaml
+  - chains-public-key-viewer.yaml
+  - chains-secrets-config.yaml