From 6e6a5663dbf2bc3ac646cdcb0f8dd9718f4dfc2f Mon Sep 17 00:00:00 2001
From: "Bartra, Rick"
Date: Wed, 3 Mar 2021 23:45:03 +0000
Subject: [PATCH] (fix) Update jarvis-system-el ClusterRole permissions

Update the permissions to include:
- delete configmaps
- list serviceaccounts
- delete secrets
- list rolebindings
All of which are needed when a job is re-run and the namespace and the resources in the namespace are deleted.

Change-Id: I4005a11c92f480f9ab5b0d969d93fa5152f765c8
---
 charts/jarvis-system/templates/ClusterRole-el.yaml | 8 ++++----
 .../jarvis-system/templates/Task-createProjectAccess.yaml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/charts/jarvis-system/templates/ClusterRole-el.yaml b/charts/jarvis-system/templates/ClusterRole-el.yaml
index 57635469..a04443e8 100644
--- a/charts/jarvis-system/templates/ClusterRole-el.yaml
+++ b/charts/jarvis-system/templates/ClusterRole-el.yaml
@@ -19,17 +19,17 @@ rules:
 verbs: ["list", "get", "create", "delete"]
 - apiGroups: [""]
 resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create"]
+ verbs: ["get", "list", "watch", "create", "delete"]
 # Permissions to create resources in associated TriggerTemplates
 - apiGroups: ["tekton.dev"]
 resources: ["pipelineruns", "pipelineresources", "taskruns", "pipelines","tasks"]
 verbs: ["create", "get", "list", "delete"]
 - apiGroups: [""]
 resources: ["serviceaccounts"]
- verbs: ["impersonate", "get", "create", "delete"]
+ verbs: ["impersonate", "get", "create", "delete", "list"]
 - apiGroups: [""]
 resources: ["secrets"]
- verbs: ["get", "list", "create"]
+ verbs: ["get", "list", "create", "delete"]
 - apiGroups: [""]
 resources: ["services"]
 verbs: ["get"]
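Review bot: The `delete` verb added for `secrets` and `configmaps` is granted in a ClusterRole, so if the role is bound with a ClusterRoleBinding (the binding is not visible here) its subject can delete those objects in every namespace, not only in the per-change namespaces that the commit message says are cleaned up on re-run. The same scope question applies to `list` on `serviceaccounts` in this hunk and to `list` on `rolebindings` in the next hunk of this file, and the serviceaccounts rule already carries `impersonate`. Consider granting the clean-up verbs through a RoleBinding created inside each per-change namespace rather than cluster-wide. Also record the reason next to the grant, following the existing TriggerTemplates comment, with something like `# delete/list: needed to clean up the per-change namespace when a job is re-run`. The rules list starts above the hunk, so the rest of the role is not reviewed here.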
@@ -38,7 +38,7 @@ rules:
 verbs: ["get"]
 - apiGroups: ["rbac.authorization.k8s.io"]
 resources: ["rolebindings"]
- verbs: ["get", "create", "delete"]
+ verbs: ["get", "create", "delete", "list"]
 ...
 {{- end -}}
 {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "ClusterRole-el" ) }}
diff --git a/charts/jarvis-system/templates/Task-createProjectAccess.yaml b/charts/jarvis-system/templates/Task-createProjectAccess.yaml
index f1011e56..5b74501b 100644
--- a/charts/jarvis-system/templates/Task-createProjectAccess.yaml
+++ b/charts/jarvis-system/templates/Task-createProjectAccess.yaml
@@ -31,7 +31,7 @@ spec:
 else
 echo "Namespace already exists, delete all resources for re-run."
 kubectl delete pr -n jarvis-$(params.changeNumber)-$(params.patchSetNumber) --all
- helm delete development-pipeline -n jarvis-$(params.changeNumber)-$(params.patchSetNumber) || true
+ helm delete development-pipeline -n jarvis-$(params.changeNumber)-$(params.patchSetNumber)
 kubectl delete role -n jarvis-$(params.changeNumber)-$(params.patchSetNumber) --all
 kubectl delete secret -n jarvis-$(params.changeNumber)-$(params.patchSetNumber) --all
 kubectl delete sa -n jarvis-$(params.changeNumber)-$(params.patchSetNumber) --all
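Review bot: With `|| true` removed, `helm delete development-pipeline` exits non-zero when the release is absent, for instance after an earlier run that failed before the install. If the script runs with errexit (its header is outside the hunk), the `kubectl delete role`, `secret` and `sa` lines after it are then skipped and the previous run's secrets and service accounts stay in the namespace. To surface real failures while tolerating a missing release, guard the call, e.g. `helm status development-pipeline -n "$ns" >/dev/null 2>&1 && helm delete development-pipeline -n "$ns"`, where `$ns` stands for the namespace expression already used on these lines. Separately, `$(params.changeNumber)` and `$(params.patchSetNumber)` are substituted into the script text before the shell runs. Unless the trigger constrains them to digits, pass them through environment variables and quote them.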