---
# Dev-stage namespace. Created in sync-wave 0 so that every other object in
# this file (all wave 20) has a namespace to land in.
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  name: eshop-dev
  labels:
    kubernetes.io/metadata.name: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "0"
    openshift.io/description: ""
    openshift.io/display-name: ""
spec:
  finalizers:
    - kubernetes
---
# Identity the cosign-hook Job runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cosign-hook
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
---
# The hook gets the built-in `edit` ClusterRole, scoped to eshop-dev by this
# RoleBinding. NOTE(review): `edit` is broad (it includes write access to
# Secrets in the namespace); a dedicated Role listing only what cosign.sh
# actually does would be tighter once those verbs are known.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cosign-hook
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: ServiceAccount
    name: cosign-hook
    namespace: eshop-dev
---
# Read access to every Secret in eshop-dev (list/watch cannot be narrowed
# with resourceNames). If only the cosign public-key secret is needed, a
# `get` rule restricted by resourceNames would be tighter.
# TODO(review): confirm the secret name the stackrox hook reads.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# The stackrox hook needs to be able to read the cosign public key in order
# to create the sigstore policy. Cross-namespace grant: the subject lives in
# the `stackrox` namespace, the Role in eshop-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stackrox-hook
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
  - kind: ServiceAccount
    name: stackrox-hook
    namespace: stackrox
---
# Lets pods in eshop-test (default SA) pull images built into eshop-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-can-pull
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
  - kind: ServiceAccount
    name: default
    namespace: eshop-test
---
# Same pull grant for eshop-prod (default SA).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prod-can-pull
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
  - kind: ServiceAccount
    name: default
    namespace: eshop-prod
---
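# Hook scripts, taken from files/cosign-hook/ in the chart. The template
# expression stays at column 0: `indent 2` supplies the indentation under
# `data:`.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cosign-hook
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
data:
{{ (.Files.Glob "files/cosign-hook/*").AsConfig | indent 2 }}
---
# Runs /entrypoint/cosign.sh from the ConfigMap above, as the cosign-hook SA.
# Retries up to backoffLimit times on failure.
apiVersion: batch/v1
kind: Job
metadata:
  name: cosign-hook
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
spec:
  backoffLimit: 30
  template:
    spec:
      # `serviceAccount` (deprecated alias) dropped; serviceAccountName is
      # the authoritative field and the API server fills the alias in.
      serviceAccountName: cosign-hook
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      containers:
        - name: hook
          image: registry.redhat.io/openshift4/ose-cli:v4.13
          imagePullPolicy: IfNotPresent
          command:
            - /entrypoint/cosign.sh
          args: []
          env:
            - name: USER
              value: openshift
            # The SCC-assigned UID has no passwd entry, so point HOME at a
            # writable location for oc/cosign state.
            - name: HOME
              value: /tmp
          # Restricted-profile hardening; matches what OpenShift's
          # restricted-v2 SCC enforces, stated explicitly so the Job does
          # not depend on SCC defaults.
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: cosign-hook
              mountPath: /entrypoint
              readOnly: true
      volumes:
        - name: cosign-hook
          configMap:
            name: cosign-hook
            # 0755 written in decimal: unambiguous under both YAML 1.1 and
            # 1.2 loaders (an unquoted 0755 is 493 on 1.1 but 755 on 1.2).
            defaultMode: 493
---
# Target ImageStreams for the dev builds. Local lookup is off, so pods must
# reference the full registry path rather than the bare stream name.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: eshop-web
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
spec:
  lookupPolicy:
    local: false
---
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: eshop-api
  namespace: eshop-dev
  annotations:
    argocd.argoproj.io/sync-wave: "20"
spec:
  lookupPolicy:
    local: false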