Create a MM schedule calculator service account

[ElenaKarolinaSemanova]

Create a service account with appropriate perms
for the mintmaker schedule calculator.

Assisted-by: Cursor

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ElenaKarolinaSemanova
Once this PR has been reviewed and has the lgtm label, please assign fernandesmf for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• components/mintmaker/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qodo-code-review]

Review Summary by Qodo

Add mintmaker schedule calculator service account RBAC

✨ Enhancement

Walkthroughs

Description

• Create service account for mintmaker schedule calculator
• Define Role with read permissions for configmaps and cronjobs
• Bind Role to ServiceAccount via RoleBinding
• Register new RBAC resource in kustomization manifest

Diagram

flowchart LR
  SA["ServiceAccount<br/>mintmaker-schedule-calculator-manager"]
  Role["Role<br/>mintmaker-schedule-calculator-manager-role"]
  RB["RoleBinding<br/>mintmaker-schedule-calculator-manager-rolebinding"]
  CM["ConfigMaps<br/>get, list, watch"]
  CJ["CronJobs<br/>get, list, watch"]
  
  SA -- "bound by" --> RB
  RB -- "references" --> Role
  Role -- "grants access to" --> CM
  Role -- "grants access to" --> CJ

Loading

File Changes

1. components/mintmaker/base/rbac/kustomization.yaml ⚙️ Configuration changes +1/-0

Register schedule calculator RBAC resource

• Add reference to new mintmaker-schedule-calculator-manager.yaml resource

components/mintmaker/base/rbac/kustomization.yaml

---

2. components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml ⚙️ Configuration changes +42/-0

Create schedule calculator service account and RBAC

• Create ServiceAccount named mintmaker-schedule-calculator-manager in mintmaker namespace
• Define Role with read-only permissions (get, list, watch) for configmaps and cronjobs
• Create RoleBinding to bind ServiceAccount to Role

components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Overbroad read permissions 🐞 Bug ⛨ Security

Description

Role mintmaker-schedule-calculator-manager-role grants list/watch on all ConfigMaps and CronJobs in
the mintmaker namespace, which allows any pod using this ServiceAccount to read all ConfigMap data
and all CronJob specs in that namespace. This unnecessarily increases blast radius compared to
existing patterns in this repo that restrict ConfigMap access via resourceNames.

Code

components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml[R12-28]

+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+    verbs:
+      - get
+      - list
+      - watch

Evidence

The new Role explicitly allows get/list/watch on configmaps and cronjobs with no resourceNames
restriction. The mintmaker namespace already contains multiple ConfigMaps (e.g., redis-config,
blackbox-config, controller-config via generator), so this ServiceAccount can read them all. In
contrast, other RBAC in this repo demonstrates restricting ConfigMap read scope using resourceNames.

components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml[12-28]
components/mintmaker/base/redis-cache/redis-configmap.yaml[1-24]
components/mintmaker/staging/blackbox/blackbox-deployment.yaml[1-24]
components/mintmaker/production/base/kustomization.yaml[22-26]
components/konflux-info/base/rbac.yaml[1-17]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`mintmaker-schedule-calculator-manager-role` currently grants namespace-wide `list`/`watch` on `configmaps` and `cronjobs`, which allows reading *all* ConfigMaps and CronJobs in `mintmaker`.

### Issue Context
This repo already uses narrower RBAC patterns (e.g., `resourceNames` for ConfigMaps) to reduce blast radius.

### Fix Focus Areas
- Restrict permissions to specific resources (use `resourceNames` for ConfigMaps/CronJobs if the set is known) and/or drop `list`/`watch` if not strictly required.
- components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml[12-28]
- (Example pattern) components/konflux-info/base/rbac.yaml[6-17]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. ServiceAccount not wired up 🐞 Bug ⚙ Maintainability

Description

This PR creates the mintmaker-schedule-calculator-manager ServiceAccount, but does not update any
in-repo CronJob/Deployment manifests to use it via serviceAccountName, so existing mintmaker
workloads here will keep running under mintmaker-controller-manager. If the intent is to change
permissions for an in-repo workload, that wiring change is missing.

Code

components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml[R1-6]

+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mintmaker-schedule-calculator-manager
+  namespace: mintmaker
+---

Evidence

The new ServiceAccount is created, but the mintmaker base CronJobs and Deployment shown in this repo
explicitly set serviceAccountName: mintmaker-controller-manager, and this PR does not modify those
manifests to reference the new ServiceAccount.

components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml[1-6]
components/mintmaker/base/cronjobs/create-dependency-update-check.yaml[10-16]
components/mintmaker/base/cronjobs/delete-dependency-update-checks.yaml[12-17]
components/mintmaker/base/redis-cache/redis-deployment.yaml[14-20]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
A new ServiceAccount is added, but no in-repo workload is configured to run as it.

### Issue Context
If the schedule calculator runs as a CronJob/Deployment defined in this repo, it must set `spec.template.spec.serviceAccountName: mintmaker-schedule-calculator-manager` (or equivalent) to actually use the new permissions.

### Fix Focus Areas
- Identify the schedule calculator workload manifest (CronJob/Deployment) and set `serviceAccountName`.
- components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml[1-42]
- components/mintmaker/base/cronjobs/create-dependency-update-check.yaml[10-16]
- components/mintmaker/base/cronjobs/delete-dependency-update-checks.yaml[12-17]
- components/mintmaker/base/redis-cache/redis-deployment.yaml[14-20]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[github-actions]

Kustomize Render Diff

Comparing 469327f79 → b9ac9ade7

Component	Environment	Changes
components/mintmaker/development	development	+49 -0
components/mintmaker/production/base	production	+49 -0
components/mintmaker/production/kflux-fedora-01	production	+49 -0
components/mintmaker/production/kflux-ocp-p01	production	+49 -0
components/mintmaker/production/kflux-osp-p01	production	+49 -0
components/mintmaker/production/kflux-prd-rh02	production	+49 -0
components/mintmaker/production/kflux-prd-rh03	production	+49 -0
components/mintmaker/production/kflux-rhel-p01	production	+49 -0
components/mintmaker/production/stone-prod-p01	production	+49 -0
components/mintmaker/production/stone-prod-p02	production	+49 -0
components/mintmaker/staging/base	staging	+49 -0
components/mintmaker/staging/stone-stage-p01	staging	+49 -0

Total: 12 components, +588 -0 lines

📋 Full diff available in the workflow summary and as a downloadable artifact.

[qodo-code-review]

1. Overbroad read permissions 🐞 Bug ⛨ Security

Role mintmaker-schedule-calculator-manager-role grants list/watch on all ConfigMaps and CronJobs in
the mintmaker namespace, which allows any pod using this ServiceAccount to read all ConfigMap data
and all CronJob specs in that namespace. This unnecessarily increases blast radius compared to
existing patterns in this repo that restrict ConfigMap access via resourceNames.

Agent Prompt

### Issue description
`mintmaker-schedule-calculator-manager-role` currently grants namespace-wide `list`/`watch` on `configmaps` and `cronjobs`, which allows reading *all* ConfigMaps and CronJobs in `mintmaker`.

### Issue Context
This repo already uses narrower RBAC patterns (e.g., `resourceNames` for ConfigMaps) to reduce blast radius.

### Fix Focus Areas
- Restrict permissions to specific resources (use `resourceNames` for ConfigMaps/CronJobs if the set is known) and/or drop `list`/`watch` if not strictly required.
- components/mintmaker/base/rbac/mintmaker-schedule-calculator-manager.yaml[12-28]
- (Example pattern) components/konflux-info/base/rbac.yaml[6-17]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.62%. Comparing base (b00e1da) to head (7714953).
⚠️ Report is 124 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #11341   +/-   ##
=======================================
  Coverage   51.62%   51.62%           
=======================================
  Files          18       18           
  Lines        1263     1263           
=======================================
  Hits          652      652           
  Misses        539      539           
  Partials       72       72           

Flag	Coverage Δ
go	51.62% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.