Open keskad opened 2 years ago
I was looking for it a little bit (unfortunately I probably don't have more time currently) and I was checking this:
`PipelineRun` job is created there in a namespace, where `LighthouseJob` was found:
https://github.com/jenkins-x/lighthouse/blob/main/pkg/engines/tekton/controller.go#L117
Later an owner reference is linked, it is not allowed cross-namespace, so it means a `LighthouseJob` must be in same namespace as `PipelineRun`:
https://github.com/jenkins-x/lighthouse/blob/main/pkg/engines/tekton/controller.go#L123
Also I found out that `LighthouseJob` itself has `namespace` in spec:
but I don't know for what purpose it is. It can be set using `triggers.yaml` in repository, but I didn't see any difference. Anyway, setting a namespace from project repository is not my case, as I don't want to give end-users a namespace selection for security reasons.
So... maybe a `lighthouse-webhook` that spawns `LighthouseJob` should be aware of namespace condition and spawn `LighthouseJob` in a proper namespace? I don't know where the namespace could be defined? Maybe in `kind: SourceConfig`?
Hi,
Thanks for this impressive and fascinating project. I'm currently doing a PoC of a CI/CD using Jenkins X and probably ArgoCD.
[Background] My setup needs to fulfill the following conditions:
- Project repository cannot execute a `kubectl` and other dangerous things, as the pipeline can be modified from the project repository, which means execution of any code with admin scope (possibly limiting default serviceAccount could help)

What I need to achieve:
- Project X will have its Tekton pipeline pods scheduled by Lighthouse in `{{ project-x }}-ci` namespace (namespace for pipelines per project instead of single `jx` namespace), so I can secure access to the cluster, isolate teams in a multi tenancy / multi team environment, block usage of `kubectl` - instead delegate deployment to ArgoCD from a code (helmfile?) prepared by Jenkins X

Is this all possible? Any hints? :smile: Thank you for your time :smile: