Add Fournos labels to Tekton managed workspace PVCs; fix RBAC for default Tekton pipeline SA

[avasilevskii]

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Ensured labels are properly propagated to dynamically created storage volumes during pipeline execution.

• Chores

  • Updated access control configuration to support additional pipeline service accounts.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign avasilevskii for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR modifies Tekton pipeline creation to propagate existing labels to dynamically created PVC metadata, and updates Kubernetes RBAC configuration to grant role binding permissions to an additional service account in the psap-automation-wip namespace.

Changes

Cohort / File(s)	Summary
Tekton Pipeline Metadata Enhancement fournos/core/tekton.py	Propagates existing labels (managed-by, job-name, etc.) from the PipelineRun to the volumeClaimTemplate metadata of the artifacts workspace, ensuring dynamically created PVCs inherit consistent labels.
RBAC Service Account Binding manifests/ocpci-sa/rbac-wip-ns.yaml	Extends RoleBinding to grant ocpci-fournos-job-manager role access to two service accounts: ocpci (in psap-automation namespace) and the newly added pipeline (in psap-automation-wip namespace).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Improve lifecycle by introducing ownership; improve dependent resources labeling #29: Modifies tekton.py to propagate metadata (labels, ownerReferences, taskRunTemplate labels) to created Tekton resources during PipelineRun creation.

Poem

🐰 Hop, hop, labels spread so wide,
Across the PVCs with bunny pride!
Two service accounts now dance in sync,
With RBAC magic, quicker than a blink. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes both main changes: adding Fournos labels to Tekton workspace PVCs and fixing RBAC for the default Tekton pipeline service account.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

fournos/core/tekton.py (1)

95-97: ⚡ Quick win

Add a regression test for PVC label propagation.

This behavior is important for selectors/cleanup flows; a small unit test asserting workspaces[0].volumeClaimTemplate.metadata.labels in the generated body would prevent regressions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@fournos/core/tekton.py` around lines 95 - 97, Add a unit test that asserts
PVC label propagation by constructing the same input used to build the Tekton
body and verifying that workspaces[0].volumeClaimTemplate.metadata.labels equals
the expected labels; locate the code path that produces the body (the function
that returns or builds `workspaces`, typically where `workspaces` and
`volumeClaimTemplate` are assembled) and call it in the test, then assert the
labels are present and equal to the input `labels` map to prevent regressions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@fournos/core/tekton.py`:
- Around line 95-97: Add a unit test that asserts PVC label propagation by
constructing the same input used to build the Tekton body and verifying that
workspaces[0].volumeClaimTemplate.metadata.labels equals the expected labels;
locate the code path that produces the body (the function that returns or builds
`workspaces`, typically where `workspaces` and `volumeClaimTemplate` are
assembled) and call it in the test, then assert the labels are present and equal
to the input `labels` map to prevent regressions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e2e65c88-a0f1-462a-916a-22506419269b

📥 Commits

Reviewing files that changed from the base of the PR and between 83811e2 and d334541.

📒 Files selected for processing (2)

• fournos/core/tekton.py
• manifests/ocpci-sa/rbac-wip-ns.yaml

[kpouget]

thanks, LGTM

[kpouget]

/lgtm

[avasilevskii]

/test deploy-fournos-wip

[psap-forge-bot]

🟢 Test of 'fournos_deploy --project-source' succeeded after 00 hours 10 minutes 20 seconds 🟢

• Link to the test results.

• No reports index generated...

Test configuration:

/test deploy-fournos-wip

• Execution logs