KFLUXINFRA-2027: Deploy Kueue policy to production (#7558)

The Kueue policy will create the local queues in the mintmaker
namespace and the tenant namespaces.

Signed-off-by: Gal Ben Haim <[email protected]>

Author: gbenhaim

components/kueue/production/base/queue-config/kustomization.yaml

@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - workload-priority-class.yaml
-- mintmaker-local-queue.yaml
 
 # ensure that installation starts after the installation of kueue complete
 commonAnnotations:

components/kueue/production/base/queue-config/mintmaker-local-queue.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - ../base
 - ../policies/kubearchive/
+- ../policies/kueue/

components/policies/production/kflux-ocp-p01/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
+- ../policies/kueue/

components/policies/production/kflux-prd-rh02/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - ../base
 - ../policies/kubearchive/
+- ../policies/kueue/

components/policies/production/kflux-prd-rh03/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - ../base
 - ../policies/kubearchive/
+- ../policies/kueue/

components/policies/production/kflux-rhel-p01/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- queue-config

components/policies/production/policies/kueue/kustomization.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: bootstrap-tenant-namespace-queue
+spec:
+  rules:
+  - name: create-local-queue
+    skipBackgroundRequests: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          selector:
+            matchLabels:
+              konflux-ci.dev/type: tenant
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - mintmaker
+    generate:
+      generateExisting: true
+      synchronize: true
+      apiVersion: kueue.x-k8s.io/v1beta1
+      kind: LocalQueue
+      name: pipelines-queue
+      namespace: '{{request.object.metadata.name}}'
+      data:
+        spec:
+          clusterQueue: cluster-pipeline-queue

components/policies/production/policies/kueue/queue-config/cluster-policy.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cluster-policy.yaml
+- kyverno-rbac.yaml
+
+# ensure that installation starts after the installation of kueue complete
+commonAnnotations:
+  argocd.argoproj.io/sync-wave: "10"

components/policies/production/policies/kueue/queue-config/kustomization.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-admission:manage-queue
+  labels:
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - kueue.x-k8s.io
+  resources:
+  - localqueues
+  verbs:
+  - list
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-background:manage-queue
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - kueue.x-k8s.io
+  resources:
+  - localqueues
+  verbs:
+  - create
+  - get
+  - list
+  - delete
+  - update
+  - watch