From f00bc34bc617454467536eb819bbb79ace58ce6e Mon Sep 17 00:00:00 2001
From: Scott Hebert <scoheb@gmail.com>
Date: Tue, 27 May 2025 12:09:29 -0400
Subject: [PATCH] fix(RELEASE-1645): allow serviceaccounts to see cm

- Grant access to authenticated users to be able to view
  openshift-pipelines configMaps. The user case involves
  service accounts running automated tests being able to
  discover the custom URL for the Konflux UI

Signed-off-by: Scott Hebert <scoheb@gmail.com>
---
 .../openshift-pipelines/configmap-viewer.yaml | 33 +++++++++++++++++++
 .../openshift-pipelines/kustomization.yaml    |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 components/pipeline-service/base/rbac/openshift-pipelines/configmap-viewer.yaml

diff --git a/components/pipeline-service/base/rbac/openshift-pipelines/configmap-viewer.yaml b/components/pipeline-service/base/rbac/openshift-pipelines/configmap-viewer.yaml
new file mode 100644
index 00000000000..df6e0e42da0
--- /dev/null
+++ b/components/pipeline-service/base/rbac/openshift-pipelines/configmap-viewer.yaml
@@ -0,0 +1,33 @@
+---
+# Grant access to authenticated users to be able to view
+# openshift-pipelines configMaps. The user case involves
+# service accounts running automated tests being able to
+# discover the custom URL for the Konflux UI
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: configmap-viewer
+  namespace: openshift-pipelines
+rules:
+  - verbs:
+      - get
+      - watch
+      - list
+    apiGroups:
+      - ''
+    resources:
+      - configmaps
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: configmap-viewer
+  namespace: openshift-pipelines
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: 'system:authenticated'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: configmap-viewer
diff --git a/components/pipeline-service/base/rbac/openshift-pipelines/kustomization.yaml b/components/pipeline-service/base/rbac/openshift-pipelines/kustomization.yaml
index 51f2a89da7e..293a60b56fe 100644
--- a/components/pipeline-service/base/rbac/openshift-pipelines/kustomization.yaml
+++ b/components/pipeline-service/base/rbac/openshift-pipelines/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: openshift-pipelines
 resources:
+  - configmap-viewer.yaml
   - pipeline-service-sre.yaml
   - resolution-req-perms-exporter.yaml