Closed xtremerui closed 4 years ago
@pivotal-jamie-klassen we realize giving the permission of RerunJobBuild to contributors actually endangers some critical jobs we have in the CI main team, for example those ship-it jobs in all release pipelines.
So we are thinking of moving the PRs pipeline to a different concourse team like contributors-team and using fly set-team after concourse deployment to give contributors the pipeline-operators role. In this way the RerunJobBuild permission will be limited. The con is it's a manual process and we need to consider this for green peace for automation.
WDYT?
[...] use
fly set-team
after concourse deployment to give contributors pipeline-operators role. [...] a manual process and we need to consider this for green peace for automation.
that just reminded me of RFC: Concourse k8s operator and the Pipeline CRD RFC - with a Team CRD, we could have the configuration as code, and voila
update: and without the use of concourse tokens, having client auth grant type being a thing, we could soon have our controller doing all of that stuff without being admin :eyes:
@cirocosta I know CRDs are the hot thing, but what if we had a Concourse terraform provider instead? Where you could define teams/pipelines using HCL, and when you spin up Concourse, you could have your initial teams/pipelines created as well all through Terraform?
There may be other benefits that CRD+operator would bring over a Terraform provider, though - what do you think? It's possible we'd be appealing to a wider demographic in K8s than Terraform, I suppose
@cirocosta @aoldershaw rather than investing in a third-party plugin for team automation, I would vote for a core concourse feature, a la set_team
step: https://github.com/concourse/rfcs/discussions/50. This could perhaps be wrapped in a k8s operator or terraform provider.
Updated to configure RBAC in the CI deployment only. Added a team config file for the manual set-team step for now. Also created the contributor team in CI. Next step will be to move the PRs pipeline to this team.
@pivotal-jamie-klassen I forgot to put concourse:pivotal as owner for team contributor. Seems we are doing this for all other teams on CI.
Should be ok since concourse:pivotal are super admins
once we have the PR bot working via https://github.com/concourse/concourse/pull/5564
then we need to configure concourse production CI to allow members of the concourse:contributor team to rerun failed PR pipeline builds (due to flaky tests) and check the PR resource (if the desired version is not fetched)