Konflux UI / KFLUXUI-305

New model for build pipeline Service Accounts

    • KONFLUX-5207 - New model for build pipeline Service Accounts

      All secrets that exist in a user namespace (tenant) can be implicitly split into two sets: secrets related to a Component build Service Account and all other secrets. Secrets related to a Component build Service Account can only be used to authenticate to a git repository or an image repository. In k8s terms, they must be of type "kubernetes.io/basic-auth", "kubernetes.io/dockercfg" or "kubernetes.io/dockerconfigjson" (however, not every secret of these types is related to a Component build Service Account) and be linked to the corresponding Service Account (named "build-pipeline-<component-name>"). So only a subset of secrets is related to Components. This means that all key/value secrets, and potentially some basic auth / docker config secrets, should not be viewed as related to any component (this probably means adding a "none" option to the component selection for a secret if the secret is for a git or image repository; however, all secrets of the types above should be visible so they can be linked).
      Now let's concentrate on Component-related secrets. Any secret can be related to a. only one, b. some or c. all components. The user can change these relations at any time.
      If a secret is related to a Component, it means that the secret is linked to the Component's Service Account named "build-pipeline-<component-name>". This should be true for all cases (a, b and c above). If a user has chosen the option that the secret is related to all Components, then the UI should add the "build.appstudio.openshift.io/common-secret: 'true'" label to that secret and link it to all existing Component-related Service Accounts. The label should be removed if the secret is no longer for all Components (the label is needed by Build Service so it can provision new Components correctly, but the UI should take care of existing Components on user demand, because watching for such a change is very expensive on the operator side).
      Note that image registry secrets should also be added to / removed from the imagePullSecrets section of the Service Account.
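
The linking rules described above, worked through as an added example (not Konflux UI or Build Service code): a pure function that, for a selection of "all", some, or no components, computes the secret's labels and each Service Account's `secrets` and `imagePullSecrets` lists. The simplified object shapes, the name `reconcileSecretLinks`, and treating the two docker config types as the image registry secrets are assumptions.

```typescript
// Added example: simplified shapes holding only the fields the rules touch (assumed).
interface Secret { name: string; type: string; labels: Record<string, string>; }
interface Ref { name: string; }
interface ServiceAccount { name: string; secrets: Ref[]; imagePullSecrets: Ref[]; }

const COMMON_LABEL = "build.appstudio.openshift.io/common-secret";
const SA_PREFIX = "build-pipeline-";
const GIT_TYPES = ["kubernetes.io/basic-auth"];
// Assumption: the docker config types are the "image registry" secrets.
const IMAGE_TYPES = ["kubernetes.io/dockercfg", "kubernetes.io/dockerconfigjson"];

// target is "all" or the selected component names; [] is the "none" option.
function reconcileSecretLinks(secret: Secret, sas: ServiceAccount[], target: "all" | string[]) {
  const isImage = IMAGE_TYPES.indexOf(secret.type) >= 0;
  if (!isImage && GIT_TYPES.indexOf(secret.type) < 0) {
    // Key/value and other secret types are never related to a component.
    throw new Error("secret type " + secret.type + " cannot be linked to a build Service Account");
  }
  // The label marks "all components" for Build Service; drop it otherwise.
  const labels: Record<string, string> = { ...secret.labels };
  if (target === "all") labels[COMMON_LABEL] = "true";
  else delete labels[COMMON_LABEL];

  const drop = (refs: Ref[]): Ref[] => refs.filter((r) => r.name !== secret.name);
  const serviceAccounts = sas.map((sa): ServiceAccount => {
    if (sa.name.indexOf(SA_PREFIX) !== 0) return sa; // not a component build SA
    const component = sa.name.slice(SA_PREFIX.length);
    const linked = target === "all" || target.indexOf(component) >= 0;
    // Remove any existing reference first so re-running never duplicates it.
    const secrets = drop(sa.secrets);
    const imagePullSecrets = drop(sa.imagePullSecrets);
    if (linked) {
      secrets.push({ name: secret.name });
      if (isImage) imagePullSecrets.push({ name: secret.name });
    }
    return { ...sa, secrets, imagePullSecrets };
  });
  return { secret: { ...secret, labels }, serviceAccounts };
}

// Constructed sample: one registry secret currently linked only to "backend".
const sampleSecret: Secret = { name: "quay-push", type: "kubernetes.io/dockerconfigjson", labels: {} };
const sampleAccounts: ServiceAccount[] = [
  { name: "build-pipeline-frontend", secrets: [], imagePullSecrets: [] },
  { name: "build-pipeline-backend", secrets: [{ name: "quay-push" }], imagePullSecrets: [{ name: "quay-push" }] },
  { name: "default", secrets: [], imagePullSecrets: [] },
];
console.log(JSON.stringify(reconcileSecretLinks(sampleSecret, sampleAccounts, "all"), null, 2));
```

Narrowing the selection from "all" to a subset removes both the label and the stale links, which is the step that is easy to miss when unlinking is done by hand.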

              wlin@redhat.com Cara Wang
              rhtap-jira-bot RHTAP Jira Bot