Open ralphbean opened 1 day ago
I understand that when @scoheb tried to do this last week, he ran into issues where all of the https://github.com/konflux-ci/release-service-catalog pipelines expected a ReleasePlanAdmission
to exist and so didn't work off the bat with tenant scoped pipelines.
From chatting with @rhartman93, it seems like there are two main issues:
Scott was toying around with making pipelines work over in a tenant-release-pipelines branch on his fork.
* There's probably some additional RoleBindings that need to be applied to the default serviceaccount.
The issue i think was, the roles that our managed service accounts use, are cluster level, which tenant maintainers don't have access to, so they need to create their own role (with the same permissions) to bind to their SAs, solving that could be as simple as documenting that process
OK, I realized today that the version of release-service running on the fedora instance is so old (2 months) that it doesn't even have the tenants release pipeline feature.
We need to solve https://discussion.fedoraproject.org/t/mintmaker-renovate-update-infra-deployments-for-konflux/134050/2 first, and then we can make progress on this one.
Over in https://github.com/QUBIP/pq-container/pull/2, @lsm5 was trying to use the fedora instance of konflux run by the fedora + konflux sig to build their container. You can see additional discussion at https://github.com/QUBIP/pq-container/pull/1.
They got the build to work in https://github.com/QUBIP/pq-container/pull/4 and simple policy checks passed :raised_hands: , but they failed to get a tenant release pipeline set up to publish their image to a location that they care about.
They want to use the "tenant release pipelines" feature to release their image to quay.io/qubip/pq-container (an organization under their control).
Let's produce a working end to end example for them and/or a user guide how-to on how to do it.