Categorygithub.com/openshift-pipelines/hackcmdkonflux-apply
package
0.0.0-20241217100905-0b3d2b649884
Repository: https://github.com/openshift-pipelines/hack.git
Documentation: pkg.go.dev
Overview
Dependencies
9
Dependents
0

# README

Konflux Apply

The Konflux manifests are applied automatically via the konflux-apply Github Workflow.

For this workflow, we use a token for Konflux setup as described in the docs. Therefor we need to setup a service account, role & rolebinding:

  1. Service account gh-action: 
    kubectl apply -f ./manifests/gh-action-serviceaccount.yaml
  2. Role with minimal permissions to apply the Konflux manifests: 
    kubectl apply -f ./manifests/gh-action-role.yaml
  3. Rolebinding 
    kubectl apply -f ./manifests/gh-action-rolebinding.yaml
  4. Use the token from the gh-action Service account as the KONFLUX_SA_TOKEN repository secret used by the Github workflow 
    kubectl create token gh-action --duration $((6*30*24))h

Revoke and Recreate Token

As we use by default Tokens with a validity of 6 months, we need to recreate them periodically. This is done via the following:

  1. Make sure, you're logged in to Konflux via the CLI and have access to the tekton-ecosystem-tenant workspace. Check for example the Konflux kickstart recording or the Konflux docs
  2. Recreate the gh-action service account: 
    kubectl delete -f https://raw.githubusercontent.com/openshift-knative/hack/main/cmd/konflux-apply/manifests/gh-action-serviceaccount.yaml
kubectl apply -f https://raw.githubusercontent.com/openshift-knative/hack/main/cmd/konflux-apply/manifests/gh-action-serviceaccount.yaml
  3. Create a new Token for 6 months and update the KONFLUX_SA_TOKEN secret with its value: 
    kubectl create token gh-action --duration $((6*30*24))h