Run build-definitions CI in konflux-ci namespace

STONEBLD-2339 After konflux-ci/build-definitions#1041, the build-definitions pipelines will need push access to quay.io/konflux-ci. Run the pipelines in the konflux-ci namespace, where the appstudio-pipeline service account has quay.io/konflux-ci push access by default. Also add redhat-appstudio-tekton-catalog-build-definitions-pull-secret to the konflux-ci namespace. It is needed for push access to quay.io/redhat-appstudio-tekton-catalog. Previously, the secret lived in the tekton-ci namespace (but wasn't defined anywhere). Signed-off-by: Adam Cmiel <[email protected]>
chmeliik · May 28, 2024 · de50046 · de50046
1 parent 648808f
commit de50046
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 7 deletions.
diff --git a/components/konflux-ci/base/repository.yaml b/components/konflux-ci/base/repository.yaml
@@ -12,3 +12,10 @@ metadata:
   name: ci-helper-app
 spec:
   url: "https://github.com/konflux-ci/ci-helper-app"
+---
+apiVersion: pipelinesascode.tekton.dev/v1alpha1
+kind: Repository
+metadata:
+  name: build-definitions
+spec:
+  url: "https://github.com/konflux-ci/build-definitions"
diff --git a/components/konflux-ci/production/kustomization.yaml b/components/konflux-ci/production/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - ../base/external-secrets
 - plnsvc-ci-secret.yaml
 - plnsvc-codecov-secret.yaml
+- redhat-appstudio-tekton-catalog-build-definitions-pull-secret.yaml
 
 patches:
   - path: quay-push-secret-konflux-ci.yaml

diff --git a/.../konflux-ci/production/redhat-appstudio-tekton-catalog-build-definitions-pull-secret.yaml b/.../konflux-ci/production/redhat-appstudio-tekton-catalog-build-definitions-pull-secret.yaml
@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: redhat-appstudio-tekton-catalog-build-definitions-pull-secret
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  dataFrom:
+    - extract:
+        key: production/build/tekton-ci/redhat-appstudio-tekton-catalog-build-definitions-pull-secret
+  refreshInterval: 15m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: appsre-stonesoup-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Delete
+    name: redhat-appstudio-tekton-catalog-build-definitions-pull-secret
+    template:
+      engineVersion: v2
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ .config }}"
diff --git a/components/tekton-ci/base/repository.yaml b/components/tekton-ci/base/repository.yaml
@@ -36,13 +36,6 @@ spec:
 ---
 apiVersion: pipelinesascode.tekton.dev/v1alpha1
 kind: Repository
-metadata:
-  name: build-definitions
-spec:
-  url: "https://github.com/konflux-ci/build-definitions"
----
-apiVersion: pipelinesascode.tekton.dev/v1alpha1
-kind: Repository
 metadata:
   name: jvm-build-service
 spec: