Improve release process and structure of release manifests

Reduce unnecessary differences between the read-only and read-write manifests,
both to reduce maintenance overhead and to avoid user confusion. There have
been a few instances where users thought the read-only mode was broken as they
switched the `read-only` flag in the deployment args but didn't replace the
associated roles with the appropriate versions. With this update we now include
all roles in the manifest, and create bindings for the relevant ones with
updated naming to make it clear which grant view access and which grant edit
rather than keeping the same name and swapping out the rules.

Update install script to accept input from a previously generated installer
manifest. This removes the need to run the `ko` build 4 times (2x installer
modes + 2x normal release modes) as part of our releases. Now it builds once,
and uses the resulting manifest as input to the normal releases so they can
augment it with the appropriate RBAC resources depending on mode (read-only vs.
read-write). This also means there's no need for a dedicated read-write
installer manifest.

Update the release pipeline's publish task to take advantage of this new
approach, and eliminate other unnecessary config.

Use the aggregate ClusterRoles provided by Tekton Pipelines and Triggers
instead of defining them ourselves, ensuring we stay in sync with the
versions deployed on the cluster. The one exception to this is for
`ClusterTask` resources as they're not included in the aggregate roles
provided by Tekton Pipelines. We will remove support for these resources
in a future release and remove the corresponding rule from the Dashboard
backend role.

With this new approach to building the manifests, we no longer need
separate overlays or additional patches to modify the resources to match
the desired mode. Instead, the installer augments the base installer
manifest with the appropriate ClusterRoleBindings or RoleBindings to grant
the read-only or read-write permissions as desired, and replaces other
config in-place.

Move the remaining resources into the `config` folder for consistency
with other Tekton projects.

All of this should be mostly transparent to consumers. They will still use
the `installer` or `release-installer` scripts as before. There is some
cleanup that should be performed on clusters if upgrading from a previous
Dashboard release, by removing the following resources after upgrade:
- `clusterrole/tekton-dashboard-backend`
- `clusterrole/tekton-dashboard-tenant`
- `clusterrolebinding/tekton-dashboard-backend`
- `clusterrolebinding/tekton-dashboard-tenant`

and if the Dashboard was installed with limited namespace visibility
(i.e. using the `--tenant-namespaces` installer flag, or directly via the
`--namespaces` deployment arg):
- `rolebinding/tekton-dashboard-tenant` in each of the tenant namespaces

Author: AlanGreene

overlays/installer/read-write/100-namespace.yaml renamed to config/100-namespace.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

base/200-role.yaml renamed to config/200-clusterrole-backend-edit.yaml

@@ -1,4 +1,4 @@
-# Copyright 2021 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,20 +12,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
-  name: tekton-dashboard-info
-  namespace: tekton-dashboard
+  name: tekton-dashboard-backend-edit
   labels:
+    app.kubernetes.io/component: dashboard
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-dashboard
 rules:
-    # All system:authenticated users needs to have access
-    # of the dashboard-info ConfigMap even if they don't
-    # have access to the other resources present in the
-    # installed namespace.
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["dashboard-info"]
-    verbs: ["get"]
+  - apiGroups:
+      - ''
+    resources:
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - dashboard.tekton.dev
+    resources:
+      - extensions
+    verbs:
+      - create
+      - update
+      - delete
+      - patch

base/200-clusterrole-backend.yaml renamed to config/200-clusterrole-backend-view.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019-2022 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,11 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: tekton-dashboard-backend
+  name: tekton-dashboard-backend-view
   labels:
     app.kubernetes.io/component: dashboard
     app.kubernetes.io/instance: default
@@ -35,8 +34,6 @@ rules:
       - securitycontextconstraints
     verbs:
       - use
-  # clustertasks and clustertriggerbindings are cluster level resources,
-  # it doesn't make sense to put them in the tenant ClusterRole
   - apiGroups:
       - tekton.dev
     resources:
@@ -45,12 +42,3 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - triggers.tekton.dev
-    resources:
-      - clusterinterceptors
-      - clustertriggerbindings
-    verbs:
-      - get
-      - list
-      - watch

base/200-clusterrole-tenant.yaml renamed to config/200-clusterrole-tenant-view.yaml

@@ -12,11 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: tekton-dashboard-tenant
+  name: tekton-dashboard-tenant-view
   labels:
     app.kubernetes.io/component: dashboard
     app.kubernetes.io/instance: default
@@ -41,28 +40,3 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - tekton.dev
-    resources:
-      - stepactions
-      - tasks
-      - taskruns
-      - pipelines
-      - pipelineruns
-      - customruns
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - triggers.tekton.dev
-    resources:
-      - eventlisteners
-      - interceptors
-      - triggerbindings
-      - triggers
-      - triggertemplates
-    verbs:
-      - get
-      - list
-      - watch

base/201-clusterrolebinding-backend.yaml renamed to config/201-clusterrolebinding-backend.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019-2022 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,11 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: tekton-dashboard-backend
+  name: tekton-dashboard-backend-view
   labels:
     app.kubernetes.io/component: dashboard
     app.kubernetes.io/instance: default
@@ -29,4 +28,4 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: tekton-dashboard-backend
+  name: tekton-dashboard-backend-view

base/202-extension-crd.yaml renamed to config/202-extension-crd.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019-2021 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:

base/203-serviceaccount.yaml renamed to config/203-serviceaccount.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019-2023 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

config/300-config-info.yaml

@@ -0,0 +1,61 @@
+# Copyright 2021-2024 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dashboard-info
+  namespace: tekton-dashboard
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-dashboard
+data:
+  # Contains dashboard version which can be queried by external tools such as
+  # the Tekton CLI. Elevated permissions are given to this ConfigMap such that
+  # even if we don't have access to other resources in the namespace we still
+  # have access to this ConfigMap.
+  version: "devel"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tekton-dashboard-info
+  namespace: tekton-dashboard
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-dashboard
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["dashboard-info"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-dashboard-info
+  namespace: tekton-dashboard
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-dashboard
+subjects:
+  # Grant all system:authenticated users access to the dashboard-info ConfigMap
+  # even if they don't have access to other resources present in the namespace.
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tekton-dashboard-info

base/300-deployment.yaml renamed to config/300-deployment.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019-2023 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -64,7 +63,17 @@ spec:
               path: /readiness
               port: 9097
           args:
+            - --default-namespace=--default-namespace
+            - --external-logs=--external-logs
+            - --log-format=--log-format
+            - --log-level=--log-level
+            - --logout-url=--logout-url
+            - --namespaces=--tenant-namespaces
+            - --pipelines-namespace=--pipelines-namespace
             - --port=9097
+            - --read-only=--read-only
+            - --stream-logs=--stream-logs
+            - --triggers-namespace=--triggers-namespace
           env:
             - name: INSTALLED_NAMESPACE
               valueFrom:

base/300-service.yaml renamed to config/300-service.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019-2023 The Tekton Authors
+# Copyright 2019-2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
----
 kind: Service
 apiVersion: v1
 metadata:

base/201-rolebinding.yaml renamed to config/clusterrole-aggregate-edit.yaml

@@ -1,4 +1,4 @@
-# Copyright 2021 The Tekton Authors
+# Copyright 2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,20 +13,25 @@
 # limitations under the License.
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRole
 metadata:
-  name: tekton-dashboard-info
-  namespace: tekton-dashboard
+  name: tekton-dashboard-aggregate-edit
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-dashboard
-subjects:
-    # Giving all system:authenticated users the access of the
-    # ConfigMap which contains version information.
-  - kind: Group
-    name: system:authenticated
-    apiGroup: rbac.authorization.k8s.io
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: tekton-dashboard-info
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups:
+    - dashboard.tekton.dev
+  resources:
+    - extensions
+  verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch

base/300-config-info.yaml renamed to config/clusterrole-aggregate-view.yaml

@@ -1,4 +1,4 @@
-# Copyright 2021 The Tekton Authors
+# Copyright 2024 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,18 +12,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: v1
-kind: ConfigMap
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
-  name: dashboard-info
-  namespace: tekton-dashboard
+  name: tekton-dashboard-aggregate-view
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-dashboard
-data:
-  # Contains dashboard version which can be queried by external
-  # tools such as CLI. Elevated permissions are already given to
-  # this ConfigMap such that even if we don't have access to
-  # other resources in the namespace we still can have access to
-  # this ConfigMap.
-  version: "devel"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+    - dashboard.tekton.dev
+  resources:
+    - extensions
+  verbs:
+    - get
+    - list
+    - watch