bakery-ia/infrastructure/cicd/tekton-helm/templates/clusterroles.yaml

# ClusterRole for Tekton Triggers to create PipelineRuns
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-triggers-role
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name }}
    app.kubernetes.io/component: triggers
rules:
  # Ability to create PipelineRuns from triggers
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns", "taskruns"]
    verbs: ["create", "get", "list", "watch"]
  # Ability to read pipelines and tasks
  - apiGroups: ["tekton.dev"]
    resources: ["pipelines", "tasks", "clustertasks"]
    verbs: ["get", "list", "watch"]
  # Ability to manage PVCs for workspaces
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Ability to read secrets for credentials
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Ability to read configmaps
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Ability to manage events for logging
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# ClusterRole for Pipeline execution (needed for git operations and deployments)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipeline-role
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name }}
    app.kubernetes.io/component: pipeline
rules:
  # Ability to read/update deployments for GitOps
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]
  # Ability to read secrets for credentials
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Ability to read configmaps
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Ability to manage pods for build operations
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Role for EventListener to access triggers resources
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-triggers-eventlistener-role
  namespace: {{ .Values.namespace }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name }}
    app.kubernetes.io/component: triggers
rules:
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers", "interceptors"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "watch"]
Add new infra architecture 2026-01-19 11:55:17 +01:00			`# ClusterRole for Tekton Triggers to create PipelineRuns`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: tekton-triggers-role`
			`labels:`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`app.kubernetes.io/name: {{ .Values.labels.app.name }}`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`app.kubernetes.io/component: triggers`
			`rules:`
			`# Ability to create PipelineRuns from triggers`
			`- apiGroups: ["tekton.dev"]`
			`resources: ["pipelineruns", "taskruns"]`
			`verbs: ["create", "get", "list", "watch"]`
			`# Ability to read pipelines and tasks`
			`- apiGroups: ["tekton.dev"]`
			`resources: ["pipelines", "tasks", "clustertasks"]`
			`verbs: ["get", "list", "watch"]`
			`# Ability to manage PVCs for workspaces`
			`- apiGroups: [""]`
			`resources: ["persistentvolumeclaims"]`
			`verbs: ["create", "get", "list", "watch", "delete"]`
			`# Ability to read secrets for credentials`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["get", "list", "watch"]`
			`# Ability to read configmaps`
			`- apiGroups: [""]`
			`resources: ["configmaps"]`
			`verbs: ["get", "list", "watch"]`
			`# Ability to manage events for logging`
			`- apiGroups: [""]`
			`resources: ["events"]`
			`verbs: ["create", "patch"]`
			`---`
			`# ClusterRole for Pipeline execution (needed for git operations and deployments)`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: tekton-pipeline-role`
			`labels:`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`app.kubernetes.io/name: {{ .Values.labels.app.name }}`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`app.kubernetes.io/component: pipeline`
			`rules:`
			`# Ability to read/update deployments for GitOps`
			`- apiGroups: ["apps"]`
			`resources: ["deployments"]`
			`verbs: ["get", "list", "watch", "patch", "update"]`
			`# Ability to read secrets for credentials`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["get", "list", "watch"]`
			`# Ability to read configmaps`
			`- apiGroups: [""]`
			`resources: ["configmaps"]`
			`verbs: ["get", "list", "watch"]`
			`# Ability to manage pods for build operations`
			`- apiGroups: [""]`
			`resources: ["pods", "pods/log"]`
			`verbs: ["get", "list", "watch"]`
			`---`
			`# Role for EventListener to access triggers resources`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: tekton-triggers-eventlistener-role`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`namespace: {{ .Values.namespace }}`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`labels:`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`app.kubernetes.io/name: {{ .Values.labels.app.name }}`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`app.kubernetes.io/component: triggers`
			`rules:`
			`- apiGroups: ["triggers.tekton.dev"]`
			`resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers", "interceptors"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: [""]`
			`resources: ["configmaps", "secrets"]`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`verbs: ["get", "list", "watch"]`