Move clustertask and clustertriggerbinding role to component #2164
Conversation
This will move clustertask and clustertriggerbinding view permissions for all system authenticated users on openshift to be installed along with component installation instead of doing it with addon resources. This will help users to move to basic or lite profile without permission issues, also if user disable default clustertasks installation then also permission issue will not happen Also clustertask permissions were getting created as part of all installersets like custom and versioned installerset, and later in new versioned installerset also if upgraded. This was creating race between the different installerset reconiler to update resource because of the different installerset name was getting added to ownerReference resulting in different yaml and sha value, so this will also fix that as we moved the permissions out of addon installerset and there will be single instance. I have changed the name of resources to not conflict with old name and we can users to delete old clustertask installerset if they are not using old clustertasks
tekton-robot
added
the
release-note
tekton-robot
added
the
size/L
|
/cherry-pick main |
|
@piyush-garg: once the present PR merges, I will cherry-pick it on top of main in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Should we do this for https://github.com/tektoncd/operator/tree/main/cmd/openshift/operator/kodata/tekton-addon/addons/07-ecosystem ?
Should we indicate this in RN ? and is this a breaking change for existing users ? |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jkandasa The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
these roles are specific to getting task only in openshift-pipelines, while the clustertask and clustertriggerbinding are different case as these are clustertwide resources and end up in breaking profiles, UI etc
changing the name of the role/rolebinding which is not exposed to user, should not be a breaking change for users |
|
Great findings 🙌🏻 |
|
@piyush-garg: new pull request created: #2165 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This will move clustertask and clustertriggerbinding view permissions for all system authenticated users on openshift to be installed along with component installation instead of doing it with addon resources.
This will help users to move to basic or lite profile without permission issues, also if user disable default clustertasks installation then also permission issue will not happen
Also clustertask permissions were getting created as part of all installersets like custom and versioned installerset, and later in new versioned installerset also if upgraded. This was creating race between the different installerset reconiler to update resource because of the different installerset name was getting added to ownerReference resulting in different yaml and sha value, so this will also fix that as we moved the permissions out of addon installerset and there will be single instance. I have changed the name of resources to not conflict with old name and we can users to delete old clustertask installerset if they are not using old clustertasks
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
make test lintbefore submitting a PRSee the contribution guide for more details.
Release Notes