kabanero-io · dacleyra · Apr 2, 2020 · Apr 2, 2020 · Apr 7, 2020 · Apr 8, 2020
diff --git a/config/orchestrations/stack-controller/0.1/stack-controller-kabanero-triggers.yaml b/config/orchestrations/stack-controller/0.1/stack-controller-kabanero-triggers.yaml
@@ -0,0 +1,42 @@
+# This role lets the stack controller create triggerbindings,
+# triggertemplates and eventlisteners in the tekton-pipelines
+# namespace, as required by the tekton dashboard webhooks
+# extension.  The Role was created during Kabanero install.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kabanero-trigger-role 
+  namespace: tekton-pipelines
+rules:
+- apiGroups:
+  - tekton.dev
+  resources:
+  - triggerbindings
+  - triggertemplates
+  - eventlisteners
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - patch
+  - watch
+---
+# This rolebinding lets the stack controller create triggerbindings,
+# triggertemplates and eventlisteners in the tekton-pipelines
+# namespace, as required by the tekton dashboard webhooks
+# extension.  The Role was created during Kabanero install.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .name }}
+  namespace: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+  name: kabanero-operator-stack-controller
+  namespace: {{ .kabaneroNamespace }}
+roleRef:
+  kind: Role
+  name: kabanero-trigger-role 
+  apiGroup: rbac.authorization.k8s.io
diff --git a/...g/orchestrations/stack-controller/0.1/stack-controller-pipelines-namespace-manifests.yaml b/...g/orchestrations/stack-controller/0.1/stack-controller-pipelines-namespace-manifests.yaml
@@ -0,0 +1,228 @@
+# ServiceAccount, Role & RoleBinding for stack-controller to create & piplines to be run
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kabanero-pipeline
+  namespace: {{ .pipelinesNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kabanero-pipeline-role
+  namespace: {{ .pipelinesNamespace }}
+rules:
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  - namespaces
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - get
+  - list
+  - create
+  - delete
+  - update
+  - watch
+- apiGroups:
+  - extensions
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - patch
+  - watch
+- apiGroups:
+  - tekton.dev
+  resources:
+  - tasks
+  - clustertasks
+  - taskruns
+  - pipelines
+  - pipelineruns
+  - pipelineresources
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - patch
+  - watch
+- apiGroups:
+  - tekton.dev
+  resources:
+  - taskruns/finalizers
+  - pipelineruns/finalizers
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - patch
+  - watch
+- apiGroups:
+  - tekton.dev
+  resources:
+  - tasks/status
+  - clustertasks/status
+  - taskruns/status
+  - pipelines/status
+  - pipelineruns/status
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - patch
+  - watch
+- apiGroups:
+  - kabanero.io
+  resources:
+  - stacks
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  - image.openshift.io
+  resources:
+  - imagestreams/layers
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  - image.openshift.io
+  resources:
+  - imagestreams
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kabanero-pipeline-get-stack-role
+  namespace: {{ .kabaneroNamespace }}
+rules:
+- apiGroups:
+  - kabanero.io
+  resources:
+  - stacks
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kabanero-pipeline-role-binding
+  namespace: {{ .pipelinesNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kabanero-pipeline-role
+subjects:
+- kind: ServiceAccount
+  name: kabanero-pipeline
+  namespace:  {{ .pipelinesNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kabanero-pipeline-get-stack-role-binding
+  namespace: {{ .kabaneroNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kabanero-pipeline-get-stack-role
+subjects:
+- kind: ServiceAccount
+  name: kabanero-pipeline
+  namespace:  {{ .pipelinesNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kabanero-operator-stack-controller-tekton
+  namespace: {{ .pipelinesNamespace }}
+rules:
+- apiGroups:
+  - tekton.dev
+  resources:
+  - conditions
+  - pipelines
+  - tasks
+  - triggerbindings
+  - triggertemplates
+  verbs:
+  - delete
+  - get
+  - create
+  - list
+  - update
+  - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kabanero-operator-stack-controller-tekton
+  namespace: {{ .pipelinesNamespace }}
+subjects:
+- kind: ServiceAccount
+  name: kabanero-operator-stack-controller
+  namespace: {{ .kabaneroNamespace }}
+roleRef:
+  kind: Role
+  name: kabanero-operator-stack-controller
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/orchestrations/stack-controller/0.1/stack-controller-pipelines-namespace.yaml b/config/orchestrations/stack-controller/0.1/stack-controller-pipelines-namespace.yaml
@@ -0,0 +1,5 @@
+# This namespace is created for tekton pipelineruns
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .pipelinesNamespace }}
diff --git a/config/orchestrations/stack-controller/0.1/stack-controller-tekton.yaml b/config/orchestrations/stack-controller/0.1/stack-controller-tekton.yaml
diff --git a/config/samples/full.yaml b/config/samples/full.yaml
@@ -125,6 +125,9 @@ spec:
       https:
         url: https://github.com/kabanero-io/kabanero-pipelines/releases/download/0.8.0-rc.1/default-kabanero-pipelines.tar.gz
 
+  # The namespace pipelines will be created in
+  pipelinesNamespace: kabanero-pipeliness
+
   governancePolicy:
     # Provide governance configuration for all stacks managed by Kabanero. The allowed configuration policies are:
     # strictDigest, activeDigest, ignoreDigest, and none. If a stack policy is not specified, activeDigest is used. 

diff --git a/pkg/apis/kabanero/v1alpha2/kabanero_types.go b/pkg/apis/kabanero/v1alpha2/kabanero_types.go
@@ -46,6 +46,8 @@ type KabaneroSpec struct {
 	AdmissionControllerWebhook AdmissionControllerWebhookCustomizationSpec `json:"admissionControllerWebhook,omitempty"`
 
 	Sso SsoCustomizationSpec `json:"sso,omitempty"`
+
+	PipelinesNamespace string `json:"pipelinesNamespace,omitempty"`
 }
 
 // InstanceStackConfig defines the customization entries for a set of stacks.
@@ -241,6 +243,9 @@ type KabaneroStatus struct {
 
 	// SSO server status
 	Sso SsoStatus `json:"sso,omitempty"`
+
+	// Namespace of deployed Pipelines
+	PipelinesNamespace  string    `json:"pipelinesNamespace,omitempty"`
 }
 
 // KabaneroInstanceStatus defines the observed status details of Kabanero operator instance

diff --git a/pkg/apis/kabanero/v1alpha2/stack_types.go b/pkg/apis/kabanero/v1alpha2/stack_types.go
@@ -35,6 +35,7 @@ type StackSpec struct {
 	Name string `json:"name,omitempty"`
 	// +listType=set
 	Versions []StackVersion `json:"versions,omitempty"`
+	PipelinesNamespace string `json:"pipelinesNamespace,omitempty"`
 }
 
 // StackVersion defines the desired composition of a specific stack version.
@@ -79,6 +80,7 @@ type StackStatus struct {
 	// +listType=set
 	Versions []StackVersionStatus `json:"versions,omitempty"`
 	Summary  string               `json:"summary,omitempty"`
+	PipelinesNamespace string `json:"pipelinesNamespace,omitempty"`
 }
 
 // StackVersionStatus defines the observed state of a specific stack version.

diff --git a/pkg/controller/kabaneroplatform/featured_stacks.go b/pkg/controller/kabaneroplatform/featured_stacks.go
@@ -46,7 +46,13 @@ func reconcileFeaturedStacks(ctx context.Context, k *kabanerov1alpha2.Kabanero,
 		alreadyDeployed := true
 		stackResource := &kabanerov1alpha2.Stack{}
 		err := cl.Get(ctx, name, stackResource)
-		if err != nil {
+
+		pipelinesNamespace := pipelinesNamespace(k)
+
+		if err == nil {
+			// Ensure the featured stack pipelinesNamespace = Kabanero pipelinesNamespace
+			stackResource.Spec.PipelinesNamespace = pipelinesNamespace
+		} else {
 			if errors.IsNotFound(err) {
 				alreadyDeployed = false
 				// Not found. Need to create it.
@@ -68,6 +74,7 @@ func reconcileFeaturedStacks(ctx context.Context, k *kabanerov1alpha2.Kabanero,
 					},
 					Spec: kabanerov1alpha2.StackSpec{
 						Name: key,
+						PipelinesNamespace: pipelinesNamespace,
 					},
 				}
 			} else {
@@ -168,8 +175,26 @@ func preProcessCurrentStacks(ctx context.Context, k *kabanerov1alpha2.Kabanero,
 		return err
 	}
 
+	// Only keep the FeaturedStack if the Kabanero pipelinesNamespace did not change, otherwise delete & recreate
+	pipelinesNamespace := pipelinesNamespace(k)
+	for _, deployedStack := range deployedStacks.Items {
+		if deployedStack.Spec.PipelinesNamespace != pipelinesNamespace {
+			err := cl.Delete(ctx, &deployedStack)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	deployedStacks = &kabanerov1alpha2.StackList{}
+	err = cl.List(ctx, deployedStacks, client.InNamespace(k.GetNamespace()))
+	if err != nil {
+		return err
+	}
+
 	// Compare the list of currently deployed stacks and the stacks in the index.
 	for _, deployedStack := range deployedStacks.Items {
+
 		iStackList, _ := indexStackMap[deployedStack.GetName()]
 		newStackVersions := []kabanerov1alpha2.StackVersion{}
 		for _, dStackVersion := range deployedStack.Spec.Versions {