chore: Remove admin roles for CP4I resources

.github/workflows/close-pr.yml

@@ -24,4 +24,4 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: Verify destroy
-        run: tests/postbuild/cluster.sh --delete -t ibmcloud -n "gitops-${GITHUB_HEAD_REF}" --apikey "${IBM_CLOUD_API_KEY}"
+        run: tests/postbuild/cluster.sh --delete -t ibmcloud -n "gitops-${GITHUB_HEAD_REF:0:25}" --apikey "${IBM_CLOUD_API_KEY}"

config/argocd-cloudpaks/cp4i/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.1
+version: 0.5.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

config/argocd-cloudpaks/cp4i/templates/cp4i-client-app.yaml

@@ -1,6 +1,3 @@
-{{- $argocd_app_namespace := .Values.metadata.argocd_app_namespace -}}
-{{- $repoUrl := .Values.repoURL -}}
-{{- $targetRevision := .Values.targetRevision -}}
 {{- $client := .Values.modules.client }}
 {{- if eq ( default false $client ) true  }}
 ---
@@ -27,6 +24,8 @@ spec:
   source:
     helm:
       parameters:
+        - name: metadata.argocd_app_namespace
+          value: {{.Values.metadata.argocd_app_namespace}}
         - name: repoURL
           value: ${ARGOCD_APP_SOURCE_REPO_URL}
         - name: targetRevision

config/cloudpaks/cp4i/client/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

config/cloudpaks/cp4i/client/templates/10-sbo-account-role-binding.yaml

@@ -3,15 +3,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  creationTimestamp: null
-  name: sbo-admin-cloudpaks
-  namespace: ibm-cloudpaks
   annotations:
     argocd.argoproj.io/sync-wave: "10"
+  creationTimestamp: null
+  name: cp4i-sbo
+  namespace: "{{.Values.metadata.argocd_app_namespace}}"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
+  kind: Role
+  name: cp4i-sbo-binding-role
 subjects:
   - kind: ServiceAccount
     name: service-binding-operator

config/cloudpaks/cp4i/client/templates/10-sbo-role.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+  creationTimestamp: null
+  name: cp4i-sbo-binding-role
+  namespace: "{{.Values.metadata.argocd_app_namespace}}"
+rules:
+  - apiGroups: ["mq.ibm.com"]
+    resources: ["queuemanagers"]
+    verbs: ["get"]

config/cloudpaks/cp4i/client/templates/20-role.yaml

@@ -8,27 +8,21 @@ metadata:
   name: ibm-cp4i-client
   namespace: dev
 rules:
-  - apiGroups:
-      - apps
-    resources:
-      - '*'
-    verbs:
-      - '*'
-  - apiGroups:
-      - binding.operators.coreos.com
-    resources:
-      - '*'
-    verbs:
-      - '*'
-  - apiGroups:
-      - build.openshift.io
-    resources:
-      - '*'
-    verbs:
-      - '*'
-  - apiGroups:
-      - image.openshift.io
-    resources:
-      - '*'
-    verbs:
-      - '*'
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["binding.operators.coreos.com"]
+    resources: ["servicebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["build.openshift.io"]
+    resources: ["buildconfigs"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["image.openshift.io"]
+    resources: ["imagestreams"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["mq.ibm.com"]
+    resources: ["queuemanagers"]
+    verbs: ["get"]

config/cloudpaks/cp4i/client/templates/300-service-binding.yaml

@@ -23,13 +23,13 @@ spec:
       kind: QueueManager
       name: case-queues-1-qmgr
       id: mqqmgr
-      namespace: ibm-cloudpaks
+      namespace: "{{.Values.metadata.argocd_app_namespace}}"
     - group: ''
       version: v1
       kind: Service
       name: case-queues-1-qmgr-ibm-mq
       id: queueservice
-      namespace: ibm-cloudpaks
+      namespace: "{{.Values.metadata.argocd_app_namespace}}"
   mappings:
     - name: env.json
       value: |

config/cloudpaks/cp4i/client/values.yaml

@@ -1 +1,4 @@
 ---
+metadata:
+  argocd_namespace: openshift-gitops
+  argocd_app_namespace: ibm-cloudpaks

config/cloudpaks/cp4i/operators/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

config/cloudpaks/cp4i/operators/templates/02-rolebinding/20-role.yaml

@@ -10,4 +10,13 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
-    verbs: ["*"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["apiconnect.ibm.com"]
+    resources: ["apiconnectclusters"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["mq.ibm.com"]
+    resources: ["queuemanagers"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["integration.ibm.com"]
+    resources: ["platformnavigators"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]

config/cloudpaks/cp4i/resources/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to