Add konflux-eaas kubesaw tier (#4189)

amisstea · web-flow · commit 1b078babd2b7 · 2024-08-01T18:58:17.000Z
The user should only be allowed to create select resources
(ClusterTemplateInstance, Secrets) in the provisioned namespace.

Signed-off-by: Alex Misstear &lt;amisstea@redhat.com&gt;
diff --git a/components/sandbox/tiers/production/konflux-eaas/kustomization.yaml b/components/sandbox/tiers/production/konflux-eaas/kustomization.yaml
@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- nstemplatetier-konflux-eaas.yaml
+- tiertemplate-konflux-eaas-admin-37575401-37575401.yaml
+- tiertemplate-konflux-eaas-clusterresources-885501723-885501723.yaml
+- tiertemplate-konflux-eaas-contributor-37575401-37575401.yaml
+- tiertemplate-konflux-eaas-eaas-3975606140-3975606140.yaml
+- tiertemplate-konflux-eaas-maintainer-37575401-37575401.yaml
+- tiertemplate-konflux-eaas-viewer-37575401-37575401.yaml
diff --git a/components/sandbox/tiers/production/konflux-eaas/nstemplatetier-konflux-eaas.yaml b/components/sandbox/tiers/production/konflux-eaas/nstemplatetier-konflux-eaas.yaml
@@ -0,0 +1,26 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: NSTemplateTier
+metadata:
+  name: konflux-eaas
+  namespace: toolchain-host-operator
+spec:
+  clusterResources:
+    templateRef: konflux-eaas-clusterresources-885501723-885501723
+  namespaces:
+  - templateRef: konflux-eaas-eaas-3975606140-3975606140
+  spaceRequestConfig:
+    serviceAccountName: namespace-manager
+  spaceRoles:
+    admin:
+      templateRef: konflux-eaas-admin-37575401-37575401
+    contributor:
+      templateRef: konflux-eaas-contributor-37575401-37575401
+    maintainer:
+      templateRef: konflux-eaas-maintainer-37575401-37575401
+    viewer:
+      templateRef: konflux-eaas-viewer-37575401-37575401
+status: {}
diff --git a/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-admin-37575401-37575401.yaml b/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-admin-37575401-37575401.yaml
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: konflux-eaas-admin-37575401-37575401
+  namespace: toolchain-host-operator
+spec:
+  revision: 37575401-37575401
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects: []
+  tierName: konflux-eaas
+  type: admin
diff --git a/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-clusterresources-885501723-885501723.yaml b/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-clusterresources-885501723-885501723.yaml
@@ -0,0 +1,29 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: konflux-eaas-clusterresources-885501723-885501723
+  namespace: toolchain-host-operator
+spec:
+  revision: 885501723-885501723
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects:
+    - apiVersion: toolchain.dev.openshift.com/v1alpha1
+      kind: Idler
+      metadata:
+        name: ${SPACE_NAME}-eaas
+      spec:
+        timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}}
+    parameters:
+    - name: SPACE_NAME
+      required: true
+    - name: IDLER_TIMEOUT_SECONDS
+      value: "0"
+  tierName: konflux-eaas
+  type: clusterresources
diff --git a/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-contributor-37575401-37575401.yaml b/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-contributor-37575401-37575401.yaml
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: konflux-eaas-contributor-37575401-37575401
+  namespace: toolchain-host-operator
+spec:
+  revision: 37575401-37575401
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects: []
+  tierName: konflux-eaas
+  type: contributor
diff --git a/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-eaas-3975606140-3975606140.yaml b/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-eaas-3975606140-3975606140.yaml
@@ -0,0 +1,76 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: konflux-eaas-eaas-3975606140-3975606140
+  namespace: toolchain-host-operator
+spec:
+  revision: 3975606140-3975606140
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects:
+    - apiVersion: v1
+      kind: Namespace
+      metadata:
+        annotations:
+          openshift.io/description: ${SPACE_NAME}
+          openshift.io/display-name: ${SPACE_NAME}
+          openshift.io/requester: ${SPACE_NAME}
+        labels:
+          name: ${SPACE_NAME}-eaas
+        name: ${SPACE_NAME}-eaas
+    - apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: namespace-manager
+        namespace: ${SPACE_NAME}-eaas
+    - apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      metadata:
+        name: cluster-provisioner-rb
+        namespace: ${SPACE_NAME}-eaas
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: cluster-provisioner
+      subjects:
+      - kind: ServiceAccount
+        name: namespace-manager
+        namespace: ${SPACE_NAME}-eaas
+    - apiVersion: v1
+      kind: ResourceQuota
+      metadata:
+        name: quota
+        namespace: ${SPACE_NAME}-eaas
+      spec:
+        hard:
+          count/clustertemplateinstances.clustertemplate.openshift.io: "5"
+          count/configmaps: "0"
+          count/cronjobs: "0"
+          count/deployments.apps: "0"
+          count/jobs: "0"
+          count/persistentvolumeclaims: "0"
+          count/pods: "0"
+          count/replicasets.apps: "0"
+          count/replicationcontrollers: "0"
+          count/routes: "0"
+          count/secrets: "100"
+          count/services: "0"
+          count/statefulsets.apps: "0"
+          limits.cpu: "0"
+          limits.ephemeral-storage: "0"
+          limits.memory: "0"
+          requests.cpu: "0"
+          requests.ephemeral-storage: "0"
+          requests.memory: "0"
+          requests.storage: "0"
+    parameters:
+    - name: SPACE_NAME
+      required: true
+  tierName: konflux-eaas
+  type: eaas
diff --git a/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-maintainer-37575401-37575401.yaml b/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-maintainer-37575401-37575401.yaml
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: konflux-eaas-maintainer-37575401-37575401
+  namespace: toolchain-host-operator
+spec:
+  revision: 37575401-37575401
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects: []
+  tierName: konflux-eaas
+  type: maintainer
diff --git a/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-viewer-37575401-37575401.yaml b/components/sandbox/tiers/production/konflux-eaas/tiertemplate-konflux-eaas-viewer-37575401-37575401.yaml
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: konflux-eaas-viewer-37575401-37575401
+  namespace: toolchain-host-operator
+spec:
+  revision: 37575401-37575401
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects: []
+  tierName: konflux-eaas
+  type: viewer
diff --git a/components/sandbox/tiers/production/kustomization.yaml b/components/sandbox/tiers/production/kustomization.yaml
@@ -8,3 +8,4 @@ resources:
 - appstudio
 - appstudio-env
 - appstudiolarge
+- konflux-eaas
diff --git a/components/sandbox/tiers/src/konflux-eaas/cluster.yaml b/components/sandbox/tiers/src/konflux-eaas/cluster.yaml
@@ -0,0 +1,17 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata: {}
+objects:
+- apiVersion: toolchain.dev.openshift.com/v1alpha1
+  kind: Idler
+  metadata:
+    name: ${SPACE_NAME}-eaas
+  spec:
+    timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}}
+
+parameters:
+- name: SPACE_NAME
+  required: true
+- name: IDLER_TIMEOUT_SECONDS
+  # No Idling
+  value: "0"
diff --git a/components/sandbox/tiers/src/konflux-eaas/ns_eaas.yaml b/components/sandbox/tiers/src/konflux-eaas/ns_eaas.yaml
@@ -0,0 +1,70 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata: {}
+objects:
+- apiVersion: v1
+  kind: Namespace
+  metadata:
+    annotations:
+      openshift.io/description: ${SPACE_NAME}
+      openshift.io/display-name: ${SPACE_NAME}
+      openshift.io/requester: ${SPACE_NAME}
+    labels:
+      name: ${SPACE_NAME}-eaas
+    name: ${SPACE_NAME}-eaas
+
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${SPACE_NAME}-eaas
+    name: namespace-manager
+
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: cluster-provisioner-rb
+    namespace: ${SPACE_NAME}-eaas
+  subjects:
+  - kind: ServiceAccount
+    name: namespace-manager
+    namespace: ${SPACE_NAME}-eaas
+  roleRef:
+    kind: ClusterRole
+    name: cluster-provisioner
+    apiGroup: rbac.authorization.k8s.io
+
+- apiVersion: v1
+  kind: ResourceQuota
+  metadata:
+    name: quota
+    namespace: ${SPACE_NAME}-eaas
+  spec:
+    hard:
+      # compute
+      limits.cpu: "0"
+      limits.memory: "0"
+      requests.cpu: "0"
+      requests.memory: "0"
+      # storage
+      requests.storage: "0"
+      limits.ephemeral-storage: "0"
+      requests.ephemeral-storage: "0"
+      # disallowed resource counts
+      count/configmaps: "0"
+      count/cronjobs: "0"
+      count/deployments.apps: "0"
+      count/jobs: "0"
+      count/persistentvolumeclaims: "0"
+      count/pods: "0"
+      count/replicasets.apps: "0"
+      count/replicationcontrollers: "0"
+      count/routes: "0"
+      count/services: "0"
+      count/statefulsets.apps: "0"
+      # allowed resource counts
+      count/clustertemplateinstances.clustertemplate.openshift.io: "5"
+      count/secrets: "100"
+
+parameters:
+- name: SPACE_NAME
+  required: true
diff --git a/components/sandbox/tiers/src/konflux-eaas/spacerole_admin.yaml b/components/sandbox/tiers/src/konflux-eaas/spacerole_admin.yaml
@@ -0,0 +1,5 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata: {}
+objects: []
+# The user doesn't have any permissions in the namespace
diff --git a/components/sandbox/tiers/src/konflux-eaas/spacerole_contributor.yaml b/components/sandbox/tiers/src/konflux-eaas/spacerole_contributor.yaml
@@ -0,0 +1,5 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata: {}
+objects: []
+# The user doesn't have any permissions in the namespace
diff --git a/components/sandbox/tiers/src/konflux-eaas/spacerole_maintainer.yaml b/components/sandbox/tiers/src/konflux-eaas/spacerole_maintainer.yaml
@@ -0,0 +1,5 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata: {}
+objects: []
+# The user doesn't have any permissions in the namespace
diff --git a/components/sandbox/tiers/src/konflux-eaas/spacerole_viewer.yaml b/components/sandbox/tiers/src/konflux-eaas/spacerole_viewer.yaml
@@ -0,0 +1,5 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata: {}
+objects: []
+# The user doesn't have any permissions in the namespace
diff --git a/components/sandbox/tiers/src/konflux-eaas/tier.yaml b/components/sandbox/tiers/src/konflux-eaas/tier.yaml
@@ -0,0 +1,34 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: konflux-eaas-tier
+objects:
+- kind: NSTemplateTier
+  apiVersion: toolchain.dev.openshift.com/v1alpha1
+  metadata:
+    name: konflux-eaas
+    namespace: ${NAMESPACE}
+  spec:
+    clusterResources:
+      templateRef: ${CLUSTER_TEMPL_REF}
+    namespaces:
+    - templateRef: ${EAAS_TEMPL_REF}
+    spaceRoles:
+      admin:
+        templateRef: ${ADMIN_TEMPL_REF}
+      maintainer:
+        templateRef: ${MAINTAINER_TEMPL_REF}
+      contributor:
+        templateRef: ${CONTRIBUTOR_TEMPL_REF}
+      viewer:
+        templateRef: ${VIEWER_TEMPL_REF}
+    spaceRequestConfig:
+      serviceAccountName: namespace-manager
+parameters:
+- name: NAMESPACE
+- name: CLUSTER_TEMPL_REF
+- name: EAAS_TEMPL_REF
+- name: ADMIN_TEMPL_REF
+- name: MAINTAINER_TEMPL_REF
+- name: CONTRIBUTOR_TEMPL_REF
+- name: VIEWER_TEMPL_REF
diff --git a/components/sandbox/tiers/staging/konflux-eaas/kustomization.yaml b/components/sandbox/tiers/staging/konflux-eaas/kustomization.yaml
@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- nstemplatetier-konflux-eaas.yaml
+- tiertemplate-konflux-eaas-admin-37575401-37575401.yaml
+- tiertemplate-konflux-eaas-clusterresources-885501723-885501723.yaml
+- tiertemplate-konflux-eaas-contributor-37575401-37575401.yaml
+- tiertemplate-konflux-eaas-eaas-3975606140-3975606140.yaml
+- tiertemplate-konflux-eaas-maintainer-37575401-37575401.yaml
+- tiertemplate-konflux-eaas-viewer-37575401-37575401.yaml
diff --git a/components/sandbox/tiers/staging/konflux-eaas/nstemplatetier-konflux-eaas.yaml b/components/sandbox/tiers/staging/konflux-eaas/nstemplatetier-konflux-eaas.yaml
diff --git a/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-admin-37575401-37575401.yaml b/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-admin-37575401-37575401.yaml
diff --git a/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-clusterresources-885501723-885501723.yaml b/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-clusterresources-885501723-885501723.yaml
diff --git a/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-contributor-37575401-37575401.yaml b/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-contributor-37575401-37575401.yaml
diff --git a/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-eaas-3975606140-3975606140.yaml b/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-eaas-3975606140-3975606140.yaml
diff --git a/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-maintainer-37575401-37575401.yaml b/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-maintainer-37575401-37575401.yaml
diff --git a/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-viewer-37575401-37575401.yaml b/components/sandbox/tiers/staging/konflux-eaas/tiertemplate-konflux-eaas-viewer-37575401-37575401.yaml
diff --git a/components/sandbox/tiers/staging/kustomization.yaml b/components/sandbox/tiers/staging/kustomization.yaml
