chore: Narrower role bindings for CP4S

config/argocd-cloudpaks/cp4s/Chart.yaml

@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.9.0
+appVersion: 1.9.1

config/argocd-cloudpaks/cp4s/templates/cp4s-all-app.yaml

@@ -32,7 +32,7 @@ spec:
           value: {{.Values.storageclass.rwo}}
         - name: targetRevision
           value: ${ARGOCD_APP_SOURCE_TARGET_REVISION}
-    path: config/cloudpaks/cp4s/install
+    path: config/cloudpaks/cp4s
     repoURL: {{.Values.repoURL}}
     targetRevision: {{.Values.targetRevision}}
   syncPolicy:

config/cloudpaks/cp4s/install/Chart.yaml → config/cloudpaks/cp4s/Chart.yaml

@@ -16,9 +16,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.9.0
+appVersion: 1.9.1

config/cloudpaks/cp4s/templates/prereqs/000-knative-namespace.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  creationTimestamp: null
+  name: knative-serving
+spec: {}
+status: {}

config/cloudpaks/cp4s/templates/prereqs/020-cp4s-role-knative.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "20"
+  creationTimestamp: null
+  name: ibm-cp4s-knative
+  namespace: knative-serving
+rules:
+  - apiGroups: ["operator.knative.dev"]
+    resources: ["knativeservings"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

config/cloudpaks/cp4s/templates/prereqs/020-cp4s-role.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "21"
+  creationTimestamp: null
+  name: ibm-cp4s
+  namespace: "{{.Values.metadata.argocd_app_namespace}}"
+rules:
+  - apiGroups: [""]
+    resources: ["pods/exec", "secrets", "serviceaccounts", "services"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["isc.ibm.com"]
+    resources: ["cp4sthreatmanagements"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

config/cloudpaks/cp4s/templates/prereqs/030-argocd-role-binding-knative.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  creationTimestamp: null
+  name: ibm-cp4s-role-knative
+  namespace: knative-serving
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ibm-cp4s-knative
+subjects:
+  - kind: ServiceAccount
+    name: "{{.Values.serviceaccount.argocd_application_controller}}"
+    namespace: "{{.Values.metadata.argocd_namespace}}"

config/cloudpaks/cp4s/install/templates/prereqs/030-argocd-role-binding-admin.yaml → config/cloudpaks/cp4s/templates/prereqs/030-argocd-role-binding.yaml

@@ -1,14 +1,15 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: "10"
+    argocd.argoproj.io/sync-wave: "30"
   creationTimestamp: null
-  name: ibm-cp4s-cluster-role
+  name: ibm-cp4s-role
+  namespace: "{{.Values.metadata.argocd_app_namespace}}"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: ibm-cp4s
 subjects:
   - kind: ServiceAccount

tests/prebuild/yamllint-config.yaml

@@ -14,8 +14,8 @@ ignore: |
   config/cloudpaks/cp4d/install-platform/templates/prereqs/020-operators-operator-group.yaml
   config/cloudpaks/cp4i/operators/templates/01-namespaces/individual.yaml
   config/cloudpaks/cp4i/operators/templates/04-operators/0100-operator-group.yaml
-  config/cloudpaks/cp4s/install/templates/prereqs/001-cp4s-namespace.yaml
-  config/cloudpaks/cp4s/install/templates/subscriptions/050-cp4s-operator-group.yaml
+  config/cloudpaks/cp4s/templates/prereqs/001-cp4s-namespace.yaml
+  config/cloudpaks/cp4s/templates/subscriptions/050-cp4s-operator-group.yaml
   config/rhacm/cloudpaks/templates/placement-argocd.yaml
   config/rhacm/cloudpaks/templates/placement-cloudpaks.yaml
   config/rhacm/cloudpaks/templates/placement-cp-shared.yaml