Opening a bit more openshift apps


Hi,

I have been asked to look at the build of the docsbuilding openshift app. However, I
am not an appowner and do not have access to anything. My understanding is that
either you are listed in appowners, and you can control the app, or you are not,
and you can do nothing.

I would propose that we revise that policy, and let applications be a bit more open
(as an opt-in, since I guess opt-out would be too radical).

Since I tend to think that patches express my intent more clearly than my words, a patch
that would be a first draft of what I would like to see implemented is attached.

I am still reading the openshift docs on resources, to see if I missed something and/or opened too much.

-- 
Michael Scherer
From c831bb3f9cf79e6a517290a19db09934e7ee60d5 Mon Sep 17 00:00:00 2001
From: Michael Scherer <misc@xxxxxxxx>
Date: Wed, 26 Feb 2020 16:52:11 +0100
Subject: [PATCH] Add a is_public flag

This permits an appowner to let external people see the build or the status
without having to have a FAS account, and/or be listed as an appowner.
---
 roles/openshift/project/defaults/main.yml          |  1 +
 roles/openshift/project/tasks/main.yml             | 15 +++++++++++++
 roles/openshift/project/templates/appviewers.yml   | 12 +++++++++++
 .../openshift/project/templates/role-appowners.yml |  2 +-
 .../project/templates/role-appviewers.yml          | 25 ++++++++++++++++++++++
 5 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 roles/openshift/project/templates/appviewers.yml
 create mode 100644 roles/openshift/project/templates/role-appviewers.yml

diff --git a/roles/openshift/project/defaults/main.yml b/roles/openshift/project/defaults/main.yml
index 41916fd..80b08c4 100644
--- a/roles/openshift/project/defaults/main.yml
+++ b/roles/openshift/project/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 allow_fas_db: false
 allow_phx2: true
+is_public: false
 
 egress_policy_template: "{{roles_path}}/openshift/project/templates/egresspolicy.yml"
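Review bot: `is_public: false` is the right default, but the flag carries no comment saying what opting in actually grants; since the binding it enables targets the `system:unauthenticated` group, i.e. anyone who can reach the API server, a one-line comment next to the default ("grants read access to builds, logs and statuses to unauthenticated users") would let an appowner understand what they are turning on before they set it in their app vars.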
diff --git a/roles/openshift/project/tasks/main.yml b/roles/openshift/project/tasks/main.yml
index 5a2c46c..320576d 100644
--- a/roles/openshift/project/tasks/main.yml
+++ b/roles/openshift/project/tasks/main.yml
@@ -58,6 +58,21 @@
     objectname: appowners.yml
     template_fullpath: "{{roles_path}}/openshift/project/templates/appowners.yml"
 
+- name: role-appviewers.yml
+  include_role:
+    name: openshift/object
+  vars:
+    objectname: role-appviewers.yml
+    template_fullpath: "{{roles_path}}/openshift/project/templates/role-appviewers.yml"
+
+- name: appviewers.yml
+  include_role:
+    name: openshift/object
+  vars:
+    objectname: appviewers.yml
+    template_fullpath: "{{roles_path}}/openshift/project/templates/appviewers.yml"
+  when: is_public
+
 - name: ergresspolicy.yml
   include_role:
     name: openshift/object
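Review bot: `when: is_public` on the appviewers.yml task only ever creates the RoleBinding; if an appowner later sets `is_public` back to false, nothing in this play removes the binding, so the namespace stays readable by `system:unauthenticated` until someone deletes it by hand. Either add a counterpart that removes the object when `is_public` is false (if openshift/object supports an absent state), or document that switching the flag off requires a manual `oc delete rolebinding appviewers`. The Role task above it is unconditional, which is fine on its own (an unbound Role grants nothing), but gating both on `is_public` would keep the two objects in step.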
diff --git a/roles/openshift/project/templates/appviewers.yml b/roles/openshift/project/templates/appviewers.yml
new file mode 100644
index 0000000..8abbda5
--- /dev/null
+++ b/roles/openshift/project/templates/appviewers.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: RoleBinding
+metadata:
+  namespace: "{{app}}"
+  name: appviewers
+roleRef:
+  name: appviewers
+  namespace: "{{app}}"
+subjects:
+- kind: Group
+  name: system:unauthenticated
+  apiGroup: rbac.authorization.k8s.io
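Review bot: `roleRef.name: appviewers` does not match the Role this patch creates, which is named `appviewer` in role-appviewers.yml, so the binding would point at a role that does not exist and grant nothing. Pick one spelling for the Role, the RoleBinding and the task names. Separately, the subject uses `apiGroup: rbac.authorization.k8s.io` while the object itself is `apiVersion: v1` with a name/namespace `roleRef`; check that this mix matches the existing appowners.yml template so openshift/object applies it the same way.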
diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml
index 3cb94c5..93cfa5b 100644
--- a/roles/openshift/project/templates/role-appowners.yml
+++ b/roles/openshift/project/templates/role-appowners.yml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Role
 metadata:
   annotations:
-    openshift.io/description: An application owner. Can view everything but ConfigMaps.
+    openshift.io/description: An application owner. Can view everything but ConfigMaps, and start build
   name: appowner
   namespace: "{{ app }}"
 rules:
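Review bot: the description now says an appowner can "start build", but this hunk changes no rules; if the role already grants the verb needed to instantiate builds the wording is merely catching up, otherwise the description is ahead of the permissions. Either way the change is unrelated to `is_public` and reads better as its own commit. Minor: "start build" should be "start builds".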
diff --git a/roles/openshift/project/templates/role-appviewers.yml b/roles/openshift/project/templates/role-appviewers.yml
new file mode 100644
index 0000000..f189c34
--- /dev/null
+++ b/roles/openshift/project/templates/role-appviewers.yml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Role
+metadata:
+  annotations:
+    openshift.io/description: An application viewer. Can view logs for everything.
+  name: appviewer
+  namespace: "{{ app }}"
+rules:
+- apiGroups:
+  - "*"
+  attributeRestrictions: null
+  resources:
+  - buildlogs
+  - builds
+  - builds/log
+  - deploymentconfigs/log
+  - deploymentconfigs/status
+  - imagestreams/status
+  - routes/status
+  - pods/log
+  - pods/status
+verbs:
+  - get
+  - list
+  - watch
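Review bot: the `verbs:` key is at column 0, so YAML parses it as a top-level key of the Role rather than part of the `- apiGroups` rule; the rule ends up with no verbs and either fails validation or grants nothing. Indent `verbs:` and its three items two spaces so they sit inside the rule. Also worth noting: the name `appviewer` does not match the `appviewers` roleRef in appviewers.yml; `apiGroups: "*"` is broader than the listed resources need; and because this role is bound to `system:unauthenticated`, `pods/log`, `builds/log` and `buildlogs` publish whatever a build or container prints, so an appowner opting in must be sure their builds never echo tokens or credential-bearing URLs. The description "Can view logs for everything" undersells the list, which also covers build objects and several status subresources.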
-- 
1.8.3.1
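The patch pairs a Role with a RoleBinding for `system:unauthenticated`; before such a pair is applied it is worth checking mechanically that the binding resolves, that every rule actually carries verbs, and that nothing beyond read-only, non-sensitive resources is bound to an anonymous group. The linter below is an added example and is not part of the patch or the Fedora infrastructure playbooks. The manifests are transcribed from the patch's templates as PyYAML would parse them, with `{{app}}` assumed to render to `docsbuilding`; the rule sets (`SENSITIVE_RESOURCES`, `LOG_RESOURCES`) are this example's own choices, not cluster policy.

```python
"""Lint a Role/RoleBinding pair before opening a namespace to anonymous users.

Added example, not part of the patch or the project. Manifests are Python
dicts (what a YAML parser returns), so this runs without a YAML library or
a cluster.
"""
from copy import deepcopy

READ_ONLY_VERBS = {"get", "list", "watch"}
ANONYMOUS_GROUPS = {"system:unauthenticated", "system:anonymous"}
# Example policy (assumed): never readable by anonymous callers, even via get/list.
SENSITIVE_RESOURCES = {"secrets", "configmaps", "serviceaccounts",
                       "pods/exec", "pods/attach", "pods/portforward"}
# Log subresources: their content is whatever a build or app prints.
LOG_RESOURCES = {"pods/log", "builds/log", "deploymentconfigs/log", "buildlogs"}


def _verbs(rule):
    return set(rule.get("verbs") or [])


def _resources(rule):
    return set(rule.get("resources") or [])


def anonymous_subjects(binding):
    """Names of Group subjects that any unauthenticated caller matches."""
    return [s.get("name") for s in binding.get("subjects", [])
            if s.get("kind") == "Group" and s.get("name") in ANONYMOUS_GROUPS]


def lint(role, binding):
    """Return a list of (severity, message); severity is 'error' or 'warning'."""
    out = []
    role_name = role["metadata"]["name"]
    role_ns = role["metadata"]["namespace"]
    ref = binding.get("roleRef", {})

    # 1. The binding must point at the Role it ships with; a dangling roleRef
    #    grants nothing and fails silently.
    if ref.get("name") != role_name:
        out.append(("error", f"roleRef name '{ref.get('name')}' != Role name '{role_name}'"))
    if ref.get("namespace", role_ns) != role_ns:
        out.append(("error", f"roleRef namespace '{ref.get('namespace')}' != Role namespace '{role_ns}'"))

    # 2. Verbs belong inside each rule. A 'verbs' key at the top level of the
    #    Role is the classic indentation slip and leaves the rule empty.
    if "verbs" in role:
        out.append(("error", "'verbs' is a top-level key of the Role; indent it under the rule"))
    rules = role.get("rules") or []
    for i, rule in enumerate(rules):
        if not _verbs(rule):
            out.append(("error", f"rule {i} has no verbs"))

    # 3. Anything bound to an anonymous group is reachable by anyone who can
    #    reach the API server: hold it to read-only, non-sensitive resources.
    if anonymous_subjects(binding):
        for i, rule in enumerate(rules):
            extra = _verbs(rule) - READ_ONLY_VERBS
            if extra:
                out.append(("error", f"rule {i} grants non-read verbs {sorted(extra)} anonymously"))
            res = _resources(rule)
            if "*" in res or res & SENSITIVE_RESOURCES:
                out.append(("error", f"rule {i} exposes {sorted(res & SENSITIVE_RESOURCES) or ['*']} anonymously"))
            if res & LOG_RESOURCES:
                out.append(("warning", f"rule {i} exposes logs {sorted(res & LOG_RESOURCES)} anonymously; "
                                       "anything a build or app prints becomes public"))
    return out


def errors(findings):
    return [msg for sev, msg in findings if sev == "error"]


# Transcription of the patch's role-appviewers.yml as YAML parses it: 'verbs'
# is at column 0, so it is a sibling of 'rules', not part of the rule.
ROLE_FROM_PATCH = {
    "apiVersion": "v1", "kind": "Role",
    "metadata": {"name": "appviewer", "namespace": "docsbuilding"},  # {{app}} assumed
    "rules": [{"apiGroups": ["*"], "attributeRestrictions": None,
               "resources": ["buildlogs", "builds", "builds/log", "deploymentconfigs/log",
                             "deploymentconfigs/status", "imagestreams/status",
                             "routes/status", "pods/log", "pods/status"]}],
    "verbs": ["get", "list", "watch"],
}
# Transcription of the patch's appviewers.yml.
BINDING_FROM_PATCH = {
    "apiVersion": "v1", "kind": "RoleBinding",
    "metadata": {"name": "appviewers", "namespace": "docsbuilding"},
    "roleRef": {"name": "appviewers", "namespace": "docsbuilding"},
    "subjects": [{"kind": "Group", "name": "system:unauthenticated",
                  "apiGroup": "rbac.authorization.k8s.io"}],
}


def corrected_pair():
    """The same pair with the role renamed to match and verbs moved into the rule."""
    role = deepcopy(ROLE_FROM_PATCH)
    role["metadata"]["name"] = "appviewers"
    role["rules"][0]["verbs"] = role.pop("verbs")
    return role, deepcopy(BINDING_FROM_PATCH)


if __name__ == "__main__":
    for label, (r, b) in (("patch", (ROLE_FROM_PATCH, BINDING_FROM_PATCH)),
                          ("corrected", corrected_pair())):
        print(f"== {label}")
        for sev, msg in lint(r, b):
            print(f"{sev}: {msg}")
```

Run as a script it reports three errors for the pair as posted (dangling roleRef, top-level `verbs`, empty rule) and, for the corrected pair, only the warning that log subresources are being published to anonymous callers, which is the residual risk an appowner accepts by opting in.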

_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
