Tekton packaged in 1.12.4 is missing the app-operator and app-viewer role

Article ID: 409137

Products

VMware Tanzu Platform - Kubernetes

Issue/Introduction

Tekton packaged in 1.12.4 is missing the app-operator and app-viewer role.

  • For app-operator and app-editor
    • pipelineresources.tekton.dev
    • pipelines.tekton.dev
    • tasks.tekton.dev

  • For app-editor-cluster-access
    • clustertasks.tekton.dev

Resolution

As a workaround on v1.12.4, apply the following roles via a ytt overlay:

1. Create a file tekton-rbac-overlays.yaml:

#@ load("@ytt:overlay", "overlay")

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipelines-app-viewer
  labels:
    apps.tanzu.vmware.com/aggregate-to-app-viewer: "true"
rules:
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineresources","pipelineruns","pipelines","taskruns","tasks"]
    verbs: ["get","list","watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipelines-app-viewer-cluster-access
  labels:
    apps.tanzu.vmware.com/aggregate-to-app-viewer-cluster-access: "true"
rules:
  - apiGroups: ["tekton.dev"]
    resources: ["clustertasks"]
    verbs: ["get","list","watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipelines-app-operator
  labels:
    apps.tanzu.vmware.com/aggregate-to-app-operator: "true"
rules:
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineresources","pipelines","tasks"]
    verbs: ["get","list","watch","create","patch","update","delete","deletecollection"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipelines-app-operator-cluster-access
  labels:
    apps.tanzu.vmware.com/aggregate-to-app-operator-cluster-access: "true"
rules:
  - apiGroups: ["tekton.dev"]
    resources: ["clustertasks"]
    verbs: ["get","list","watch","create","patch","update","delete","deletecollection"]

 

2. Create a generic secret:

kubectl create secret generic tap-overlay-tekton-rbac --from-file=tekton-rbac-overlays.yaml -n tap-install

 

3. Add a new section to tap-values.yaml:

package_overlays:
- name: tekton.tanzu.vmware.com
  secrets:
  - name: tap-overlay-tekton-rbac

 

4. Update the TAP installation:

tanzu package installed update tap -p tap.tanzu.vmware.com -v 1.12.4 --values-file tap-values.yaml -n tap-install
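
To confirm the workaround took effect, the following added example (not part of the original article or of the product) audits the tekton.dev grants that the aggregation labels from step 1 contribute to each role, and flags any non-read verb reaching a viewer role. It assumes the input is the JSON list printed by `kubectl get clusterroles -o json`; the `sample_roles()` data is constructed for illustration.

```python
import json
import sys

AGG_PREFIX = "apps.tanzu.vmware.com/aggregate-to-"
READ = {"get", "list", "watch"}
WRITE = {"create", "patch", "update", "delete", "deletecollection"}
EXPECTED = {  # grants per aggregated role, copied from the step 1 overlay
    "app-viewer": ({"pipelineresources", "pipelineruns", "pipelines", "taskruns", "tasks"}, READ),
    "app-viewer-cluster-access": ({"clustertasks"}, READ),
    "app-operator": ({"pipelineresources", "pipelines", "tasks"}, READ | WRITE),
    "app-operator-cluster-access": ({"clustertasks"}, READ | WRITE),
}

def aggregated_verbs(cluster_roles, target):
    """Union of tekton.dev verbs per resource from every ClusterRole labelled for `target`."""
    granted = {}
    for role in cluster_roles.get("items", []):
        labels = role.get("metadata", {}).get("labels") or {}
        if labels.get(AGG_PREFIX + target) != "true":
            continue
        for rule in role.get("rules") or []:
            if "tekton.dev" in rule.get("apiGroups", []):
                for res in rule.get("resources", []):
                    granted.setdefault(res, set()).update(rule.get("verbs", []))
    return granted

def audit(cluster_roles):
    """Return findings: verbs missing from any role, and non-read verbs on viewer roles."""
    findings = []
    for target, (resources, verbs) in EXPECTED.items():
        granted = aggregated_verbs(cluster_roles, target)
        for res in sorted(resources):
            have = granted.get(res, set())
            if verbs - have:
                findings.append(f"{target}: {res} missing {sorted(verbs - have)}")
            if "viewer" in target and have - READ:
                findings.append(f"{target}: {res} has write verbs {sorted(have - READ)}")
    return findings

def sample_roles():
    """Constructed input shaped like `kubectl get clusterroles -o json` after the overlay."""
    return {"items": [
        {"metadata": {"name": "tekton-pipelines-" + t, "labels": {AGG_PREFIX + t: "true"}},
         "rules": [{"apiGroups": ["tekton.dev"], "resources": sorted(r), "verbs": sorted(v)}]}
        for t, (r, v) in EXPECTED.items()]}

if __name__ == "__main__":
    roles = json.load(open(sys.argv[1])) if sys.argv[1:] else sample_roles()
    print("\n".join(audit(roles)) or "tekton.dev grants match the overlay")
```

Save the cluster output to a file (the name `roles.json` is only an example) and pass it as the first argument; with no argument the script runs against the constructed sample.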

 

Fixed version:

TAP v1.12.5: Resolved issues: Tekton Pipelines

  • Restored permissions for Tanzu Application Platform Auth roles:
    A regression in Tanzu Application Platform v1.12.4 inadvertently removed permissions from the Tekton Pipelines package, causing the app-operator, app-editor, and app-viewer roles to lose access to Tekton resources (pipelines, pipelineruns, tasks, taskruns, clustertasks). This has been fixed in Tanzu Application Platform v1.12.5 in that the missing permissions are restored.

https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-application-platform/1-12/tap/release-notes-1-12-5.html