Drop the get and update right on the secret auto creation

We are only give the rights to create and delete but not read every secrets out there. We need to find a way to disable that right if we want install by operator and user chose to disable that feature.
openshift-pipelines · Sep 16, 2021 · 4031e66 · 4031e66
1 parent d700611
commit 4031e66
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 9 deletions.
diff --git a/config/200-role.yaml b/config/200-role.yaml
@@ -82,10 +82,10 @@ rules:
   - apiGroups: [""]
     resources: ["namespaces", "pods", "pods/log"]
     verbs: ["get", "list", "watch"]
-  # Allow creating secrets in namespace
+  # Allow creating and deleting secrets in namespace
   - apiGroups: [""]
     resources: ["secrets"]
-    verbs: ["get", "create", "update"]
+    verbs: ["create", "delete"]
   # Permissions to list repositories on cluster
   - apiGroups: ["pipelinesascode.tekton.dev"]
     resources: ["repositories"]

diff --git a/pkg/kubeinteraction/secrets.go b/pkg/kubeinteraction/secrets.go
@@ -19,6 +19,16 @@ const (
 	`
 )
 
+func (k Interaction) createSecret(ctx context.Context, secretData map[string]string, targetNamespace, secretName string) error {
+	secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{
+		Name:   secretName,
+		Labels: map[string]string{"app.kubernetes.io/managed-by": "pipelines-as-code"},
+	}}
+	secret.StringData = secretData
+	_, err := k.Clients.Kube.CoreV1().Secrets(targetNamespace).Create(ctx, secret, metav1.CreateOptions{})
+	return err
+}
+
 // CreateBasicAuthSecret Create a secret for git-clone basic-auth workspace
 func (k Interaction) CreateBasicAuthSecret(ctx context.Context, runinfo webvcs.RunInfo, targetNamespace, token string) error {
 	repoURL, err := url.Parse(runinfo.URL)
@@ -32,15 +42,15 @@ func (k Interaction) CreateBasicAuthSecret(ctx context.Context, runinfo webvcs.R
 		".git-credentials": urlWithToken,
 	}
 
+	// Try to create secrete if that fails then delete it first and then create
+	// This allows up not to give List and Get right clusterwide
 	secretName := fmt.Sprintf(basicAuthSecretName, runinfo.Owner, runinfo.Repository)
-	secret, err := k.Clients.Kube.CoreV1().Secrets(targetNamespace).Get(ctx, secretName, metav1.GetOptions{})
+	err = k.createSecret(ctx, secretData, targetNamespace, secretName)
 	if err != nil {
-		secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: secretName}}
-		secret.StringData = secretData
-		_, err = k.Clients.Kube.CoreV1().Secrets(targetNamespace).Create(ctx, secret, metav1.CreateOptions{})
-	} else {
-		secret.StringData = secretData
-		_, err = k.Clients.Kube.CoreV1().Secrets(targetNamespace).Update(ctx, secret, metav1.UpdateOptions{})
+		err = k.Clients.Kube.CoreV1().Secrets(targetNamespace).Delete(ctx, secretName, metav1.DeleteOptions{})
+		if err == nil {
+			err = k.createSecret(ctx, secretData, targetNamespace, secretName)
+		}
 	}
 
 	return err