CR-10565 (#409)

* version bump

* [ runtime.go / createReporterRBAC ]: ClusterRoleBinding and ClusterRole for cases when we need to report replicasets, rollouts, analysis runs from all namespaces

* [ runtime.go / createReporterRBAC ]: fixed wrong role ref kind for roleBinding

* version bump

Author: oleksandr-codefresh

Makefile

@@ -1,4 +1,4 @@
-VERSION=v0.0.361
+VERSION=v0.0.362
 
 OUT_DIR=dist
 YEAR?=$(shell date +"%Y")

cmd/commands/runtime.go

@@ -139,6 +139,7 @@ type (
 		gvr          []gvr
 		saName       string
 		IsInternal   bool
+		clusterScope bool
 	}
 
 	summaryLogLevels string
@@ -1077,8 +1078,9 @@ func installComponents(ctx context.Context, opts *RuntimeInstallOptions, rt *run
 				version:      "v1alpha1",
 			},
 		},
-		saName:     store.Get().RolloutReporterServiceAccount,
-		IsInternal: true,
+		saName:       store.Get().RolloutReporterServiceAccount,
+		IsInternal:   true,
+		clusterScope: true,
 	}); err != nil {
 		return fmt.Errorf("failed to create rollout-reporter: %w", err)
 	}
@@ -2144,11 +2146,11 @@ func createReporter(ctx context.Context, cloneOpts *git.CloneOptions, opts *Runt
 		return err
 	}
 
-	if err := createReporterRBAC(repofs, resPath, opts.RuntimeName, reporterCreateOpts.saName); err != nil {
+	if err := createReporterRBAC(repofs, resPath, opts.RuntimeName, reporterCreateOpts.saName, reporterCreateOpts.clusterScope); err != nil {
 		return err
 	}
 
-	if err := createReporterEventSource(repofs, resPath, opts.RuntimeName, reporterCreateOpts); err != nil {
+	if err := createReporterEventSource(repofs, resPath, opts.RuntimeName, reporterCreateOpts, reporterCreateOpts.clusterScope); err != nil {
 		return err
 	}
 
@@ -2239,7 +2241,7 @@ func getArgoCDTokenSecret(ctx context.Context, kubeContext, namespace string, in
 	})
 }
 
-func createReporterRBAC(repofs fs.FS, path, runtimeName, saName string) error {
+func createReporterRBAC(repofs fs.FS, path, runtimeName, saName string, clusterScope bool) error {
 	serviceAccount := &v1.ServiceAccount{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ServiceAccount",
@@ -2251,15 +2253,25 @@ func createReporterRBAC(repofs fs.FS, path, runtimeName, saName string) error {
 		},
 	}
 
+	roleKind := "Role"
+	roleMeta := metav1.ObjectMeta{
+		Name:      saName,
+		Namespace: runtimeName,
+	}
+
+	if clusterScope {
+		roleKind = "ClusterRole"
+		roleMeta = metav1.ObjectMeta{
+			Name: saName,
+		}
+	}
+
 	role := &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "Role",
+			Kind:       roleKind,
 			APIVersion: "rbac.authorization.k8s.io/v1",
 		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      saName,
-			Namespace: runtimeName,
-		},
+		ObjectMeta: roleMeta,
 		Rules: []rbacv1.PolicyRule{
 			{
 				APIGroups: []string{"*"},
@@ -2269,15 +2281,25 @@ func createReporterRBAC(repofs fs.FS, path, runtimeName, saName string) error {
 		},
 	}
 
+	roleBindingKind := "RoleBinding"
+	roleBindingMeta := metav1.ObjectMeta{
+		Name:      saName,
+		Namespace: runtimeName,
+	}
+
+	if clusterScope {
+		roleBindingKind = "ClusterRoleBinding"
+		roleBindingMeta = metav1.ObjectMeta{
+			Name: saName,
+		}
+	}
+
 	roleBinding := rbacv1.RoleBinding{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "RoleBinding",
+			Kind:       roleBindingKind,
 			APIVersion: "rbac.authorization.k8s.io/v1",
 		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      saName,
-			Namespace: runtimeName,
-		},
+		ObjectMeta: roleBindingMeta,
 		Subjects: []rbacv1.Subject{
 			{
 				Kind:      "ServiceAccount",
@@ -2286,7 +2308,7 @@ func createReporterRBAC(repofs fs.FS, path, runtimeName, saName string) error {
 			},
 		},
 		RoleRef: rbacv1.RoleRef{
-			Kind: "Role",
+			Kind: roleKind,
 			Name: saName,
 		},
 	}
@@ -2316,7 +2338,7 @@ func createEventsReporterEventSource(repofs fs.FS, path, namespace string, insec
 	return repofs.WriteYamls(repofs.Join(path, "event-source.yaml"), eventSource)
 }
 
-func createReporterEventSource(repofs fs.FS, path, namespace string, reporterCreateOpts reporterCreateOptions) error {
+func createReporterEventSource(repofs fs.FS, path, namespace string, reporterCreateOpts reporterCreateOptions, clusterScope bool) error {
 	var eventSource *aev1alpha1.EventSource
 	var options *eventsutil.CreateEventSourceOptions
 
@@ -2333,12 +2355,18 @@ func createReporterEventSource(repofs fs.FS, path, namespace string, reporterCre
 		Resource:           map[string]eventsutil.CreateResourceEventSourceOptions{},
 	}
 
+	resourceNamespace := namespace
+
+	if clusterScope {
+		resourceNamespace = ""
+	}
+
 	for i, name := range resourceNames {
 		options.Resource[name] = eventsutil.CreateResourceEventSourceOptions{
 			Group:     reporterCreateOpts.gvr[i].group,
 			Version:   reporterCreateOpts.gvr[i].version,
 			Resource:  reporterCreateOpts.gvr[i].resourceName,
-			Namespace: namespace,
+			Namespace: resourceNamespace,
 		}
 	}
 

docs/releases/release_notes.md

@@ -23,7 +23,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.361/cf-linux-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.362/cf-linux-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-linux-amd64 /usr/local/bin/cf
@@ -36,7 +36,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.361/cf-darwin-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.362/cf-darwin-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-darwin-amd64 /usr/local/bin/cf

manifests/runtime.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: "{{ namespace }}"
 spec:
   defVersion: 1.0.1
-  version: 0.0.361
+  version: 0.0.362
   bootstrapSpecifier: github.com/codefresh-io/cli-v2/manifests/argo-cd
   components:
     - name: events