From 6c85ab7eddfd0597ad1b2ea6007c1c3fe301eadd Mon Sep 17 00:00:00 2001
From: Arnav Meduri <58114756+arnavmeduri@users.noreply.github.com>
Date: Thu, 2 Jul 2026 17:52:02 +0000
Subject: [PATCH] Add chai-bot service account for MCP write access
---
 .../dashboard/chai-bot-serviceaccount.yaml | 18 +++++++++++++
 .../dashboard/deployment.yaml | 12 ++++++---
 .../ship-status-dash/dashboard/rbac.yaml | 26 +++++++++++++++++++
 .../ship-status/dashboard-config.yaml | 5 ++++
 4 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
diff --git a/clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml b/clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
new file mode 100644
index 0000000000000..7435a392f829a
--- /dev/null
+++ b/clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: chai-bot
+ namespace: ship-status
+ labels:
+ app: dashboard
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: chai-bot-token
+ namespace: ship-status
+ annotations:
+ kubernetes.io/service-account.name: chai-bot
+ labels:
+ app: dashboard
+type: kubernetes.io/service-account-token
diff --git a/clusters/app.ci/ship-status-dash/dashboard/deployment.yaml b/clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
index c37a5b60e4f11..3882207e6e595 100644
--- a/clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
+++ b/clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
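Review bot: In chai-bot-serviceaccount.yaml the `chai-bot-token` Secret of type `kubernetes.io/service-account-token` creates a token with no expiry that is not bound to any pod, so it stays valid until the Secret or the ServiceAccount is deleted, and anyone who can read Secrets in `ship-status` can copy and reuse it. Nothing in the manifest records why a static token is used or how it is rotated; I would add above the Secret `# Static, non-expiring token for the MCP write path. Rotate by deleting this Secret; treat Secret read access in ship-status as chai-bot write access.` If the container that reads the token could instead run in a pod whose `serviceAccountName` is `chai-bot`, a projected `serviceAccountToken` volume with `expirationSeconds` would avoid the static credential. The pod spec is outside this diff, so that last part is a question rather than a finding.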
@@ -177,9 +177,12 @@ spec:
 value: http://127.0.0.1:8080/
 - name: SHIP_STATUS_REQUEST_TIMEOUT
 value: "10"
- # Future write support: mount SA token and set SHIP_STATUS_AUTH_TOKEN_FILE
- # to enable writes through the oauth-proxy on :8443.
- # See: component-monitor --report-auth-token-file pattern.
+ - name: SHIP_STATUS_AUTH_TOKEN_FILE
+ value: /var/run/secrets/chai-bot/token
+ volumeMounts:
+ - name: chai-bot-token
+ mountPath: /var/run/secrets/chai-bot
+ readOnly: true
 resources:
 requests:
 memory: "64Mi"
@@ -211,3 +214,6 @@ spec:
 items:
 - key: hmac
 path: hmac
+ - name: chai-bot-token
+ secret:
+ secretName: chai-bot-token
diff --git a/clusters/app.ci/ship-status-dash/dashboard/rbac.yaml b/clusters/app.ci/ship-status-dash/dashboard/rbac.yaml
index de8f560c8c248..52d7a2b0e348f 100644
--- a/clusters/app.ci/ship-status-dash/dashboard/rbac.yaml
+++ b/clusters/app.ci/ship-status-dash/dashboard/rbac.yaml
@@ -25,3 +25,29 @@ subjects:
 - kind: ServiceAccount
 name: ship-status
 namespace: ship-status
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ship-status-chai-bot
+ labels:
+ app: dashboard
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ship-status-chai-bot
+ labels:
+ app: dashboard
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ship-status-chai-bot
+subjects:
+- kind: ServiceAccount
+ name: chai-bot
+ namespace: ship-status
diff --git a/core-services/ship-status/dashboard-config.yaml b/core-services/ship-status/dashboard-config.yaml
index 0d5c9625d8071..92f9419f68123 100644
--- a/core-services/ship-status/dashboard-config.yaml
+++ b/core-services/ship-status/dashboard-config.yaml
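Review bot: In deployment.yaml (hunk at -177) `SHIP_STATUS_AUTH_TOKEN_FILE` is added, but the first context line of the hunk still carries the value `http://127.0.0.1:8080/`, while the comment this hunk deletes said writes go through the oauth-proxy on :8443. If that URL is where the client sends writes, the token may be presented to a listener that is not the one that checks it; the env var name for that value and the container it belongs to are above the hunk, so this needs confirming. Since the explanatory comment is removed, I would leave one line in its place, e.g. `# chai-bot token for writes; validated by <listener>, see chai-bot-serviceaccount.yaml`. Also check that the container has no other `volumeMounts:` key outside the hunk, because most YAML parsers resolve a duplicate key silently as last-wins.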
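Review bot: In deployment.yaml (hunk at -211) the new `chai-bot-token` volume exposes every key of the Secret, while the volume entry ending just above it selects a single key with `items:`. Only the `token` file is referenced by `SHIP_STATUS_AUTH_TOKEN_FILE`, so the volume can be narrowed the same way by adding `items:`, `- key: token`, `path: token` under `secret:`. The volumes list and the name of the preceding volume start outside the hunk.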
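Review bot: In rbac.yaml the `ship-status-chai-bot` ClusterRole grants `get` on `namespaces` cluster-wide, with no comment explaining why an identity used for dashboard writes needs it. My guess is that the rule exists to pass the oauth-proxy's access check for bearer tokens; if so, the manifest should say that, e.g. `# Needed only to pass the oauth-proxy access review for bearer tokens; chai-bot does not read namespaces itself.` If that check names a single namespace, adding `resourceNames: ["<namespace>"]` to the rule would stop the grant from covering every namespace. The proxy arguments are not in this diff, so both points need confirming against them.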
@@ -131,6 +131,7 @@ components:
 owners:
 - rover_group: "test-platform-ci-admins"
 - service_account: "system:serviceaccount:ship-status:component-monitor"
+ - service_account: "system:serviceaccount:ship-status:chai-bot"
 - name: "Boskos"
 description: "Dynamic resource manager for cloud-account quotas"
 ship_team: "DPTP"
@@ -260,6 +261,7 @@ components:
 owners:
 - rover_group: "test-platform-ci-admins"
 - service_account: "system:serviceaccount:ship-status:component-monitor"
+ - service_account: "system:serviceaccount:ship-status:chai-bot"
 - name: "Downstream CI"
 description: "Downstream CI tools maintained by Test Platform"
 ship_team: "DPTP"
@@ -289,6 +291,7 @@ components:
 owners:
 - rover_group: "test-platform-ci-admins"
 - service_account: "system:serviceaccount:ship-status:component-monitor"
+ - service_account: "system:serviceaccount:ship-status:chai-bot"
 - name: "Sippy"
 description: "CI Private Investigator"
 ship_team: "TRT"
@@ -334,6 +337,7 @@ components:
 owners:
 - rover_group: "openshift-technical-release-team"
 - service_account: "system:serviceaccount:ship-status:dpcr-component-monitor"
+ - service_account: "system:serviceaccount:ship-status:chai-bot"
 - name: "Build Farm"
 description: "OpenShift CI build clusters that run all CI jobs"
 ship_team: "DPTP"
@@ -424,6 +428,7 @@ components:
 owners:
 - rover_group: "test-platform-ci-admins"
 - service_account: "system:serviceaccount:ship-status:component-monitor"
+ - service_account: "system:serviceaccount:ship-status:chai-bot"
 tags:
 - name: "ci-frontend"
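Review bot: In dashboard-config.yaml `system:serviceaccount:ship-status:chai-bot` is added to five separate `owners:` lists (hunks at -131, -260, -289, -334 and -424), so the single static token from chai-bot-serviceaccount.yaml becomes an owner of all five, including the list at -334 whose human owners are `openshift-technical-release-team` rather than `test-platform-ci-admins`. The component each list belongs to starts above its hunk, so the component names are not visible here. I would put a comment on each entry recording what the identity is, e.g. `# chai-bot: MCP write path, token mounted in the dashboard deployment`, and confirm that the owning team has agreed to the -334 entry. If the MCP path only needs to write to some of these components, drop the entry from the others.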