Skip to content

Commit e3687f4

Browse files
authored
RELEASE-2451: Refactor internal-services RBAC layout (redhat-appstudio#374)
Move local-only RBAC resources to extra/ directory to prevent automated tasks from removing them. The update-internal-services task overwrites rbac/ with upstream content, but extra/ remains untouched and is referenced in the parent kustomization.yaml. Previously, the list of extra resources was hardcoded in the update-internal-services tekton task, requiring updates to the task whenever new local-only resources were added. Changes: - Create extra/ directories for production and staging - Move local-only files from rbac/ to extra/: - signing-sa.yaml - view-authenticated-users.yaml - release_team_role.yaml - release_team_role_binding.yaml - Update parent kustomization.yaml to reference extra/ - Update rbac/kustomization.yaml to remove moved resources Assisted-by: Claude Code Signed-off-by: Martin Malina <mmalina@redhat.com>
1 parent a78b3f2 commit e3687f4

14 files changed

Lines changed: 20 additions & 8 deletions
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
4+
resources:
5+
- release_team_role.yaml
6+
- release_team_role_binding.yaml
7+
- signing-sa.yaml
8+
- view-authenticated-users.yaml

components/internal-services/internal-production/rbac/release_team_role.yaml renamed to components/internal-services/internal-production/extra/release_team_role.yaml

File renamed without changes.

components/internal-services/internal-production/rbac/release_team_role_binding.yaml renamed to components/internal-services/internal-production/extra/release_team_role_binding.yaml

File renamed without changes.

components/internal-services/internal-production/rbac/signing-sa.yaml renamed to components/internal-services/internal-production/extra/signing-sa.yaml

File renamed without changes.

components/internal-services/internal-production/rbac/view-authenticated-users.yaml renamed to components/internal-services/internal-production/extra/view-authenticated-users.yaml

File renamed without changes.

components/internal-services/internal-production/kustomization.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,5 +18,7 @@ resources:
1818
- networkpolicy/
1919
# RBAC Resources
2020
- rbac/
21+
# Extra RBAC Resources (local-only, not managed by automation)
22+
- extra/
2123
# Signing ConfigMaps
2224
- signing/

components/internal-services/internal-production/rbac/kustomization.yaml

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,3 @@ resources:
2323
- internalrequest_viewer_role.yaml
2424
- internalservicesconfig_editor_role.yaml
2525
- internalservicesconfig_viewer_role.yaml
26-
- view-authenticated-users.yaml
27-
- release_team_role.yaml
28-
- release_team_role_binding.yaml
29-
- signing-sa.yaml
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
4+
resources:
5+
- release_team_role.yaml
6+
- release_team_role_binding.yaml
7+
- signing-sa.yaml
8+
- view-authenticated-users.yaml

components/internal-services/internal-staging/rbac/release_team_role.yaml renamed to components/internal-services/internal-staging/extra/release_team_role.yaml

File renamed without changes.

components/internal-services/internal-staging/rbac/release_team_role_binding.yaml renamed to components/internal-services/internal-staging/extra/release_team_role_binding.yaml

File renamed without changes.

0 commit comments

Comments
 (0)