keskad
commented
2 years ago I was looking for it a little bit (I may not have currently probably more time unfortunately) and I was checking this:
PipelineRun job is created there in a namespace, where LighthouseJob was found:
https://github.com/jenkins-x/lighthouse/blob/main/pkg/engines/tekton/controller.go#L117
Later an owner reference is linked, it is not allowed cross-namespace, so it means a LighthouseJob must be in same namespace as PipelineRun:
https://github.com/jenkins-x/lighthouse/blob/main/pkg/engines/tekton/controller.go#L123
Also I found out that LighthouseJob itself has namespace in spec: but I don't know for what purpose it is. It can be set using triggers.yaml in repository, but I didn't see any difference, anyway setting a namespace from project repository is not my case as I don't want to give end-users a namespace selection for security reasons.
So... maybe a lighthouse-webhook that spawns LighthouseJob should be aware of namespace condition and spawn LighthouseJob in a proper namespace? I don't know where the namespace could be defined? Maybe in kind: SourceConfig?
Hi,
Thanks for this impressive and fascinating project. I'm currently doing a PoC of a CI/CD using Jenkins X and probably ArgoCD.
[Background] My setup needs to fullfil following conditions:
Project repositorycannot execute akubectland other dangerous things as pipeline can be modified from project repository, which means execution of any code with admin scope (possibly limiting default serviceAccount could help)What I need to achieve:
Project Xwill have it's Tekton pipeline pods scheduled by Lighthouse in{{ project-x }}-cinamespace (namespace for pipelines per project instead of singlejxnamespace), so I can secure access to the cluster, isolate teams in a multi tenancy / multi team environment, block usage ofkubectl- instead delegate deployment to ArgoCD from a code (helmfile?) prepared by Jenkins XIs this all possible? Any hints? :smile: Thank you for your time :smile: