From 10e126612302add405fce439cbae5d61bca016bc Mon Sep 17 00:00:00 2001 From: Bama Charan Kundu Date: Mon, 12 Feb 2024 13:33:07 +0530 Subject: [PATCH] Added more memory tier with proper resource access Signed-off-by: Bama Charan Kundu --- .../nstemplatetiers/appstudio/ns_tenant.yaml | 9 +- .../appstudiolarge/based_on_tier.yaml | 6 + .../nstemplatetier_generator_whitebox_test.go | 24 +- .../nstemplatetiers/appstudio/cluster.yaml | 139 +++++++- .../nstemplatetiers/appstudio/ns_tenant.yaml | 257 +++++++++++++- .../appstudio/spacerole_admin.yaml | 207 ++++++++--- .../appstudio/spacerole_contributor.yaml | 336 +++++++++--------- .../appstudio/spacerole_maintainer.yaml | 308 ++++++++-------- .../nstemplatetiers/appstudio/tier.yaml | 2 +- 9 files changed, 900 insertions(+), 388 deletions(-) diff --git a/deploy/templates/nstemplatetiers/appstudio/ns_tenant.yaml b/deploy/templates/nstemplatetiers/appstudio/ns_tenant.yaml index 57837ae39..a961ef3d7 100644 --- a/deploy/templates/nstemplatetiers/appstudio/ns_tenant.yaml +++ b/deploy/templates/nstemplatetiers/appstudio/ns_tenant.yaml @@ -39,7 +39,6 @@ objects: scopes: - NotTerminating hard: - limits.cpu: "20" limits.memory: ${MEMORY_LIMIT} requests.cpu: 1750m requests.memory: ${MEMORY_REQUEST} @@ -52,9 +51,8 @@ objects: scopes: - Terminating hard: - limits.cpu: "120" limits.memory: ${MEMORY_BUILD_LIMIT} - requests.cpu: "12" + requests.cpu: ${CPU_BUILD_REQUEST} requests.memory: ${MEMORY_BUILD_REQUEST} - apiVersion: v1 kind: ResourceQuota @@ -156,10 +154,9 @@ objects: limits: - type: "Container" default: - cpu: 2000m memory: 2Gi defaultRequest: - cpu: 10m + cpu: 200m memory: 256Mi - apiVersion: networking.k8s.io/v1 @@ -271,5 +268,7 @@ parameters: value: "32Gi" - name: MEMORY_BUILD_LIMIT value: "128Gi" +- name: CPU_BUILD_REQUEST + value: "12" - name: MEMORY_BUILD_REQUEST value: "64Gi" 
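Review bot: Dropping `limits.cpu` from the compute-deploy ResourceQuota, and in the two following hunks from compute-build and from the LimitRange `default`, leaves CPU limits in the tenant namespace uncapped: a container that declares no limit now gets only a 200m default request and can burst without bound, and nothing in the quota forces a limit to be declared any more. If burstable CPU is the intent, record it next to the quota, e.g. `# limits.cpu deliberately unset: CPU is burstable, only requests.cpu is capped`; otherwise keep a `limits.cpu` entry, parameterised the same way as the new `CPU_BUILD_REQUEST`. `requests.cpu: 1750m` in compute-deploy also stays hard-coded while its build counterpart became a parameter, so a tier extending this one through based_on_tier.yaml cannot raise it; a matching parameter would keep the two quotas consistent.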
diff --git a/deploy/templates/nstemplatetiers/appstudiolarge/based_on_tier.yaml b/deploy/templates/nstemplatetiers/appstudiolarge/based_on_tier.yaml index 4317dd425..1234c07b8 100644 --- a/deploy/templates/nstemplatetiers/appstudiolarge/based_on_tier.yaml +++ b/deploy/templates/nstemplatetiers/appstudiolarge/based_on_tier.yaml @@ -12,3 +12,9 @@ parameters: value: "300" - name: SECRET_QUOTA value: "300" +- name: MEMORY_BUILD_LIMIT + value: "512Gi" +- name: CPU_BUILD_REQUEST + value: "24" +- name: MEMORY_BUILD_REQUEST + value: "128Gi" \ No newline at end of file diff --git a/pkg/templates/nstemplatetiers/nstemplatetier_generator_whitebox_test.go b/pkg/templates/nstemplatetiers/nstemplatetier_generator_whitebox_test.go index c2777ecc7..8a8b3e8f0 100644 --- a/pkg/templates/nstemplatetiers/nstemplatetier_generator_whitebox_test.go +++ b/pkg/templates/nstemplatetiers/nstemplatetier_generator_whitebox_test.go @@ -41,7 +41,7 @@ var expectedProdTiers = map[string]bool{ } var expectedTestTiers = map[string]bool{ - "advanced": true, // tier_name: true/false (if based on the other tier) + "advanced": true, "base": false, "nocluster": false, "appstudio": false, @@ -49,7 +49,7 @@ var expectedTestTiers = map[string]bool{ func nsTypes(tier string) []string { switch tier { - case "appstudio": + case "appstudio", "appstudiolarge": return []string{"tenant"} case "appstudio-env": return []string{"env"} @@ -62,7 +62,7 @@ func nsTypes(tier string) []string { func roles(tier string) []string { switch tier { - case "appstudio", "appstudio-env": + case "appstudio", "appstudiolarge", "appstudio-env": return []string{"admin", "maintainer", "contributor"} default: return []string{"admin"} 
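Review bot: The appended parameter block ends without a trailing newline (`\ No newline at end of file`), so the next append to this file will show the `MEMORY_BUILD_REQUEST` entry as changed; add the newline. The override only raises the build-side values; whether `MEMORY_LIMIT` and `MEMORY_REQUEST` for the NotTerminating quota are overridden further up this file is not visible in the hunk, so if the large tier is also meant to get more deploy memory, check that those parameters are present too.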
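Review bot: The comment `// tier_name: true/false (if based on the other tier)` removed from `expectedTestTiers` was the only explanation of what the bool value means, and `basedOnOtherTier(expectedTiers, tier)` depends on it; keep a doc line on the declaration, e.g. `// expectedTestTiers maps each test tier name to whether it is based on another tier (has a based_on_tier.yaml).` `nsTypes` and `roles` now accept `"appstudiolarge"`, but the visible part of `expectedTestTiers` does not list that tier and no test template for it appears in the diffstat, so these cases seem to exist for the production tier list; a short comment on the two `case` lines would spare the next reader the same lookup. Both `nsTypes` and `roles` extend past the hunk edges.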
@@ -173,7 +173,7 @@ func TestLoadTemplatesByTiers(t *testing.T) { tmpls, err := loadTemplatesByTiers(assets) // then require.NoError(t, err) - require.Len(t, tmpls, 4) + require.Len(t, tmpls, 4) // advanced,appstudio,base,nocluster require.NotContains(t, "foo", tmpls) // make sure that the `foo: bar` entry was ignored for _, tier := range tiers(expectedTestTiers) { @@ -599,11 +599,27 @@ func assertNamespaceTemplate(t *testing.T, decoder runtime.Decoder, actual templ } else { templatePath = fmt.Sprintf("%s/ns_%s.yaml", tier, typeName) } + t.Logf("checking template '%s' (based on another tier: %t)", templatePath, basedOnOtherTier(expectedTiers, tier)) content, err := assets.Asset(templatePath) require.NoError(t, err) expected := templatev1.Template{} _, _, err = decoder.Decode(content, nil, &expected) require.NoError(t, err) + // then override the templates' parameters (if applicable) + if basedOnOtherTier(expectedTiers, tier) { + content, err = assets.Asset(fmt.Sprintf("%s/based_on_tier.yaml", tier)) + require.NoError(t, err) + extension := BasedOnTier{} + err = yaml.Unmarshal(content, &extension) + require.NoError(t, err) + for i, p := range expected.Parameters { + for _, ep := range extension.Parameters { + if p.Name == ep.Name { + expected.Parameters[i].Value = ep.Value + } + } + } + } assert.Equal(t, expected, actual) assert.NotEmpty(t, actual.Objects) } diff --git a/test/templates/nstemplatetiers/appstudio/cluster.yaml b/test/templates/nstemplatetiers/appstudio/cluster.yaml index 35a655623..1bf159cb0 100644 --- a/test/templates/nstemplatetiers/appstudio/cluster.yaml +++ b/test/templates/nstemplatetiers/appstudio/cluster.yaml 
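Review bot: The new parameter-override loop in `assertNamespaceTemplate` only rewrites values for names that already exist in the base template, so an entry in based_on_tier.yaml that matches nothing (a misspelled name, or a parameter the base tier does not declare) is silently ignored and the assertion still passes. Track whether each extension parameter was matched and fail the test when it was not, so the template files are validated rather than just compared. If the generator merges extensions the same way, the same silent drop would happen in production, which is one more reason to catch it here. `assertNamespaceTemplate` begins before this hunk. The `t.Logf` format would also read better with `%q` than `'%s'`.
```go
			// then override the templates' parameters (if applicable)
			if basedOnOtherTier(expectedTiers, tier) {
				// … unchanged: load and unmarshal based_on_tier.yaml into extension …
				for _, ep := range extension.Parameters {
					found := false
					for i, p := range expected.Parameters {
						if p.Name == ep.Name {
							expected.Parameters[i].Value = ep.Value
							found = true
						}
					}
					require.Truef(t, found, "parameter %q from %s/based_on_tier.yaml is not declared in %s", ep.Name, tier, templatePath)
				}
			}
```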
@@ -6,30 +6,139 @@ objects: - apiVersion: quota.openshift.io/v1 kind: ClusterResourceQuota metadata: - name: for-${SPACE_NAME}-compute + name: for-${SPACE_NAME}-deployments spec: quota: hard: - limits.cpu: 20000m - limits.memory: ${MEMORY_LIMIT} - limits.ephemeral-storage: 7Gi - requests.cpu: 1750m - requests.memory: ${MEMORY_REQUEST} - requests.storage: 15Gi - requests.ephemeral-storage: 7Gi - count/persistentvolumeclaims: "5" + count/deployments.apps: ${{DEPLOYMENT_QUOTA}} + count/deploymentconfigs.apps: ${{DEPLOYMENT_QUOTA}} + count/pods: ${{POD_QUOTA}} selector: annotations: null labels: matchLabels: toolchain.dev.openshift.com/space: ${SPACE_NAME} +- apiVersion: quota.openshift.io/v1 + kind: ClusterResourceQuota + metadata: + name: for-${SPACE_NAME}-replicas + spec: + quota: + hard: + count/replicasets.apps: ${{REPLICASET_QUOTA}} + count/replicationcontrollers: ${{REPLICASET_QUOTA}} + selector: + annotations: null + labels: + matchLabels: + toolchain.dev.openshift.com/space: ${SPACE_NAME} +- apiVersion: quota.openshift.io/v1 + kind: ClusterResourceQuota + metadata: + name: for-${SPACE_NAME}-routes + spec: + quota: + hard: + count/ingresses.extensions: ${{ROUTE_QUOTA}} + count/routes.route.openshift.io: ${{ROUTE_QUOTA}} + selector: + annotations: null + labels: + matchLabels: + toolchain.dev.openshift.com/space: ${SPACE_NAME} + +- apiVersion: quota.openshift.io/v1 + kind: ClusterResourceQuota + metadata: + name: for-${SPACE_NAME}-jobs + spec: + quota: + hard: + count/jobs.batch: "30" + count/daemonsets.apps: "30" + count/cronjobs.batch: "30" + count/statefulsets.apps: "30" + selector: + annotations: null + labels: + matchLabels: + toolchain.dev.openshift.com/space: ${SPACE_NAME} +- apiVersion: quota.openshift.io/v1 + kind: ClusterResourceQuota + metadata: + name: for-${SPACE_NAME}-services + spec: + quota: + hard: + count/services: ${{SERVICE_QUOTA}} + selector: + annotations: null + labels: + matchLabels: + toolchain.dev.openshift.com/space: ${SPACE_NAME} +- 
apiVersion: quota.openshift.io/v1 + kind: ClusterResourceQuota + metadata: + name: for-${SPACE_NAME}-bc + spec: + quota: + hard: + count/buildconfigs.build.openshift.io: "30" + selector: + annotations: null + labels: + matchLabels: + toolchain.dev.openshift.com/space: ${SPACE_NAME} +- apiVersion: quota.openshift.io/v1 + kind: ClusterResourceQuota + metadata: + name: for-${SPACE_NAME}-secrets + spec: + quota: + hard: + count/secrets: ${{SECRET_QUOTA}} + selector: + annotations: null + labels: + matchLabels: + toolchain.dev.openshift.com/space: ${SPACE_NAME} +- apiVersion: quota.openshift.io/v1 + kind: ClusterResourceQuota + metadata: + name: for-${SPACE_NAME}-cm + spec: + quota: + hard: + count/configmaps: ${{CONFIGMAP_QUOTA}} + selector: + annotations: null + labels: + matchLabels: + toolchain.dev.openshift.com/space: ${SPACE_NAME} +- apiVersion: toolchain.dev.openshift.com/v1alpha1 + kind: Idler + metadata: + name: ${SPACE_NAME} + spec: + timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}} parameters: - name: SPACE_NAME required: true - name: IDLER_TIMEOUT_SECONDS - # 12 hours - value: "43200" -- name: MEMORY_LIMIT - value: "7Gi" -- name: MEMORY_REQUEST - value: "7Gi" +# No Idling + value: "0" +# Quota +- name: REPLICASET_QUOTA + value: "30" +- name: DEPLOYMENT_QUOTA + value: "30" +- name: POD_QUOTA + value: "300" +- name: ROUTE_QUOTA + value: "30" +- name: SERVICE_QUOTA + value: "30" +- name: CONFIGMAP_QUOTA + value: "100" +- name: SECRET_QUOTA + value: "100" \ No newline at end of file diff --git a/test/templates/nstemplatetiers/appstudio/ns_tenant.yaml b/test/templates/nstemplatetiers/appstudio/ns_tenant.yaml index b265e395f..9baa06757 100644 --- a/test/templates/nstemplatetiers/appstudio/ns_tenant.yaml +++ b/test/templates/nstemplatetiers/appstudio/ns_tenant.yaml 
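Review bot: The `for-${SPACE_NAME}-jobs` and `for-${SPACE_NAME}-bc` quotas hard-code `"30"` for `count/jobs.batch`, `count/daemonsets.apps`, `count/cronjobs.batch`, `count/statefulsets.apps` and `count/buildconfigs.build.openshift.io`, unlike the neighbouring quotas that go through `${{..._QUOTA}}` parameters, so a tier extending this one via based_on_tier.yaml cannot raise them; either parameterise them or note why they are fixed. The `# No Idling` comment sits at column 0 between `- name: IDLER_TIMEOUT_SECONDS` and its `value: "0"`, which parses but visually splits the parameter; indent it under the entry as `  # 0 disables idling`. The file also ends without a trailing newline.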
@@ -12,11 +12,264 @@ objects: openshift.io/requester: ${SPACE_NAME} labels: name: ${SPACE_NAME}-tenant + argocd.argoproj.io/managed-by: gitops-service-argocd + # billing labels ref: https://github.com/redhat-appstudio/book/blob/main/ADR/0010-namespace-metadata.md appstudio.redhat.com/workspace_name: ${SPACE_NAME} name: ${SPACE_NAME}-tenant +# Built-n developer environment is available for all users OOTB +- apiVersion: appstudio.redhat.com/v1alpha1 + kind: Environment + metadata: + name: development + namespace: ${SPACE_NAME}-tenant + spec: + deploymentStrategy: AppStudioAutomated + displayName: Development + type: Non-POC + +# Quotas and default limits for not-terminating containers (regular long-running containers) +# and terminating (short-lived containers like build) containers +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: compute-deploy + namespace: ${SPACE_NAME}-tenant + spec: + scopes: + - NotTerminating + hard: + limits.memory: ${MEMORY_LIMIT} + requests.cpu: 1750m + requests.memory: ${MEMORY_REQUEST} +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: compute-build + namespace: ${SPACE_NAME}-tenant + spec: + scopes: + - Terminating + hard: + limits.memory: ${MEMORY_BUILD_LIMIT} + requests.cpu: ${CPU_BUILD_REQUEST} + requests.memory: ${MEMORY_BUILD_REQUEST} +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: storage + namespace: ${SPACE_NAME}-tenant + spec: + hard: + limits.ephemeral-storage: 50Gi + requests.storage: 200Gi + requests.ephemeral-storage: 50Gi + count/persistentvolumeclaims: "30" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: toolchain-crds + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/spacerequests.toolchain.dev.openshift.com: "32" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: appstudio-crds + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/applications.appstudio.redhat.com: "512" + count/componentdetectionqueries.appstudio.redhat.com: "512" + 
count/components.appstudio.redhat.com: "512" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: appstudio-crds-build + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/buildpipelineselectors.appstudio.redhat.com: "512" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: appstudio-crds-gitops + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/environments.appstudio.redhat.com: "512" + count/promotionruns.appstudio.redhat.com: "512" + count/deploymenttargetclaims.appstudio.redhat.com: "32" + count/deploymenttargetclasses.appstudio.redhat.com: "32" + count/deploymenttargets.appstudio.redhat.com: "32" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: appstudio-crds-integration + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/integrationtestscenarios.appstudio.redhat.com: "512" + count/snapshots.appstudio.redhat.com: "1024" + count/snapshotenvironmentbindings.appstudio.redhat.com: "512" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: appstudio-crds-release + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/releaseplanadmissions.appstudio.redhat.com: "512" + count/releaseplans.appstudio.redhat.com: "512" + count/releases.appstudio.redhat.com: "512" + count/releasestrategies.appstudio.redhat.com: "512" + count/internalrequests.appstudio.redhat.com: "512" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: appstudio-crds-enterprisecontract + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/enterprisecontractpolicies.appstudio.redhat.com: "512" +- apiVersion: v1 + kind: ResourceQuota + metadata: + name: appstudio-crds-spi + namespace: ${SPACE_NAME}-tenant + spec: + hard: + count/spiaccesschecks.appstudio.redhat.com: "512" + count/spiaccesstokenbindings.appstudio.redhat.com: "512" + count/spiaccesstokendataupdates.appstudio.redhat.com: "512" + count/spiaccesstokens.appstudio.redhat.com: "512" + count/spifilecontentrequests.appstudio.redhat.com: "512" +- apiVersion: v1 + kind: LimitRange + 
metadata: + name: resource-limits + namespace: ${SPACE_NAME}-tenant + spec: + limits: + - type: "Container" + default: + memory: 2Gi + defaultRequest: + cpu: 200m + memory: 256Mi + +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-same-namespace + namespace: ${SPACE_NAME}-tenant + spec: + podSelector: {} + ingress: + - from: + - podSelector: {} +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-openshift-ingress + namespace: ${SPACE_NAME}-tenant + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress + podSelector: {} + policyTypes: + - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-openshift-monitoring + namespace: ${SPACE_NAME}-tenant + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: monitoring + podSelector: {} + policyTypes: + - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-codeready-workspaces-operator + namespace: ${SPACE_NAME}-tenant + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: codeready-workspaces + podSelector: {} + policyTypes: + - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-olm-namespaces + namespace: ${SPACE_NAME}-tenant + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + openshift.io/scc: anyuid + podSelector: {} + policyTypes: + - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-console-namespaces + namespace: ${SPACE_NAME}-tenant + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: console + podSelector: {} + policyTypes: + - Ingress +# ServiceAccount and RoleBindings for running Pipelines. 
+# appstudio-pipelines-runner-clusterrole is deployed by the pipeline-service component. +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: appstudio-pipeline + namespace: ${SPACE_NAME}-tenant +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: appstudio-pipelines-runner-rolebinding + namespace: ${SPACE_NAME}-tenant + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: appstudio-pipelines-runner + subjects: + - kind: ServiceAccount + namespace: ${SPACE_NAME}-tenant + name: appstudio-pipeline parameters: - name: SPACE_NAME required: true -- name: MEMBER_OPERATOR_NAMESPACE - value: toolchain-member-operator \ No newline at end of file +- name: MEMORY_LIMIT + value: "32G" + +- name: MEMORY_REQUEST + value: "32Gi" +- name: MEMORY_BUILD_LIMIT + value: "128Gi" +- name: CPU_BUILD_REQUEST + value: "12" +- name: MEMORY_BUILD_REQUEST + value: "64Gi" \ No newline at end of file diff --git a/test/templates/nstemplatetiers/appstudio/spacerole_admin.yaml b/test/templates/nstemplatetiers/appstudio/spacerole_admin.yaml index 7006ee6e1..ba6ad10a8 100644 --- a/test/templates/nstemplatetiers/appstudio/spacerole_admin.yaml +++ b/test/templates/nstemplatetiers/appstudio/spacerole_admin.yaml @@ -1,7 +1,7 @@ apiVersion: template.openshift.io/v1 kind: Template metadata: - name: appstudio-spacerole-admin + name: appstudio-spacerole-admin # name is used in e2e tests objects: # ServiceAccounts that represents the AppStudio user - the token of this SA is used by the proxy for forwarding the requests from UI (or any other client) 
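Review bot: `MEMORY_LIMIT` is given as `"32G"` while `MEMORY_REQUEST` and every other value in the parameters block use binary `Gi`; `32G` is 32·10^9 bytes, less than `32Gi`, so the limits.memory quota would sit below the requests.memory quota, which looks like a typo for `value: "32Gi"` (the stray blank line after it can go as well). The NetworkPolicy `allow-from-openshift-olm-namespaces` admits ingress from every namespace labelled `openshift.io/scc: anyuid`, which is broader than its name suggests; a comment naming the namespaces it is meant to admit would help later audits of the tenant isolation rules.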
@@ -26,17 +26,14 @@ objects: - components - componentdetectionqueries verbs: - - "*" - - apiGroups: - - appstudio.redhat.com - resources: - - spiaccesstokenbindings - - spiaccesschecks - - spiaccesstokens - - spifilecontentrequests - - spiaccesstokendataupdates - verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete + - deletecollection - apiGroups: - appstudio.redhat.com resources: 
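Review bot: Replacing the `'*'` verb with an explicit list is the right direction, but this rule is the only one in the admin role that grants `deletecollection`; if bulk deletion of applications, components and componentdetectionqueries is intended, add a comment saying so, otherwise drop it so the rule matches the `get … delete` set used everywhere else in the file. The SPI rule removed here reappears further down in the same file (the hunk at line 45) with explicit verbs, so nothing is lost.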
@@ -45,115 +42,213 @@ objects: - snapshots - environments verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - - appstudio.redhat.com + - appstudio.redhat.com resources: - - deploymentttargets - - deploymenttargetclaims + - deploymentttargets + - deploymenttargetclaims verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - managed-gitops.redhat.com resources: - - gitopsdeployments - - gitopsdeploymentmanagedenvironments - - gitopsdeploymentrepositorycredentials - - gitopsdeploymentsyncruns + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns verbs: - - get - - list - - watch + - get + - list + - watch - apiGroups: - tekton.dev resources: - pipelineruns verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - results.tekton.dev resources: - results - records + - logs verbs: - get - list - apiGroups: - appstudio.redhat.com resources: + - enterprisecontractpolicies - integrationtestscenarios + - releases + - releasestrategies + - releaseplans + - releaseplanadmissions verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - appstudio.redhat.com resources: - - enterprisecontractpolicies + - spiaccesstokenbindings + - spiaccesschecks + - spiaccesstokens + - spifilecontentrequests + - spiaccesstokendataupdates verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - appstudio.redhat.com resources: - - releases - - releasestrategies - - releaseplans + - remotesecrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list 
+ - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - appstudio.redhat.com resources: - - releaseplanadmissions + - buildpipelineselectors verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete +# Allow to manage pipeline ServiceAccount for linking secrets used for repositories - apiGroups: - - jvmbuildservice.io + - "" resources: - - jbsconfigs - - artifactbuilds + - serviceaccounts + resourceNames: + - appstudio-pipeline verbs: - - '*' + - get + - list + - watch + - update + - patch + # Allow to exec (rsh) to pods - apiGroups: - - '' + - "" resources: - - configmaps + - pods/exec verbs: - - '*' + - create - apiGroups: - - '' + - toolchain.dev.openshift.com resources: - - secrets + - spacebindingrequests verbs: - - '*' + - get + - list + - watch + - create + - update + - patch + - delete +# RoleBinding that grants limited CRUD permissions to the User - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: ${NAMESPACE} - name: appstudio-${USERNAME}-user-actions + name: appstudio-admin-${USERNAME}-actions-user roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: appstudio-admin-user-actions subjects: - - apiGroup: "" - kind: ServiceAccount - name: appstudio-${USERNAME} - -# Role & RoleBinding that grants view permissions to the user's SA + - kind: User + name: ${USERNAME} +# RoleBinding that grants view permissions to the User - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: ${NAMESPACE} - name: appstudio-${USERNAME}-view + name: appstudio-${USERNAME}-view-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - - apiGroup: "" - kind: ServiceAccount - name: appstudio-${USERNAME} + - kind: User + name: ${USERNAME} parameters: -- name: USERNAME - required: true - name: NAMESPACE required: 
true +- name: USERNAME + required: true diff --git a/test/templates/nstemplatetiers/appstudio/spacerole_contributor.yaml b/test/templates/nstemplatetiers/appstudio/spacerole_contributor.yaml index 3045bbcf5..ecbba475e 100644 --- a/test/templates/nstemplatetiers/appstudio/spacerole_contributor.yaml +++ b/test/templates/nstemplatetiers/appstudio/spacerole_contributor.yaml 
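Review bot: The admin role still lists `deploymentttargets` (three t's) on the new side, while the contributor and maintainer roles in this same patch use `deploymenttargets`, so admins are granted a resource that does not exist and get no access to the real one; change it to `- deploymenttargets`. The RoleBindings' subjects switch from the `appstudio-${USERNAME}` ServiceAccount to `kind: User`, which changes which identity the proxy-forwarded requests must carry; the commit message only mentions memory tiers, so this identity change deserves a sentence there. `pods/exec` with `create` lets an admin run commands in every pod of the namespace, including those running as the `appstudio-pipeline` ServiceAccount that this tier binds to the pipelines-runner ClusterRole; that is consistent with the full `secrets` access in the same role, but a comment making the effective privilege explicit would help reviewers of the role.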
@@ -3,169 +3,177 @@ kind: Template metadata: name: appstudio-spacerole-contributor # name is used in e2e tests objects: - # ServiceAccounts that represents the AppStudio user - the token of this SA is used by the proxy for forwarding the requests from UI (or any other client) - - apiVersion: v1 - kind: ServiceAccount - metadata: - namespace: ${NAMESPACE} - name: appstudio-${USERNAME} - - # RoleBinding that grants limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA - # Role(s) and RoleBinding(s) that grant limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA - - apiVersion: rbac.authorization.k8s.io/v1 +# RoleBinding that grants limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA +# Role(s) and RoleBinding(s) that grant limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA +- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: ${NAMESPACE} + name: appstudio-contributor-user-actions + rules: + - apiGroups: + - appstudio.redhat.com + resources: + - applications + - components + - componentdetectionqueries + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - 
integrationtestscenarios + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - spiaccesstokenbindings + - spiaccesschecks + - spiaccesstokens + - spifilecontentrequests + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - remotesecrets + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + namespace: ${NAMESPACE} + name: appstudio-contributor-${USERNAME}-actions-user + roleRef: + apiGroup: rbac.authorization.k8s.io kind: Role - metadata: - namespace: ${NAMESPACE} - name: appstudio-contributor-user-actions - rules: - - apiGroups: - - appstudio.redhat.com - resources: - - applications - - components - - componentdetectionqueries - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - promotionruns - - snapshotenvironmentbindings - - snapshots - - environments - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - deploymentttargets - - deploymenttargetclaims - verbs: - - get - - list - - watch - - apiGroups: - - managed-gitops.redhat.com - resources: - - gitopsdeployments - - gitopsdeploymentmanagedenvironments - - gitopsdeploymentrepositorycredentials - - 
gitopsdeploymentsyncruns - verbs: - - get - - list - - watch - - apiGroups: - - tekton.dev - resources: - - pipelineruns - verbs: - - get - - list - - watch - - apiGroups: - - results.tekton.dev - resources: - - results - - records - verbs: - - get - - list - - apiGroups: - - appstudio.redhat.com - resources: - - integrationtestscenarios - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - enterprisecontractpolicies - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - releases - - releasestrategies - - releaseplans - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - releaseplanadmissions - verbs: - - get - - list - - watch - - apiGroups: - - jvmbuildservice.io - resources: - - jbsconfigs - - artifactbuilds - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - spiaccesstokenbindings - - spiaccesschecks - - spiaccesstokens - - spifilecontentrequest - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - namespace: ${NAMESPACE} - name: appstudio-${USERNAME}-user-actions - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: appstudio-contributor-user-actions - subjects: - - apiGroup: "" - kind: ServiceAccount - name: appstudio-${USERNAME} - # Role & RoleBinding that grants view permissions to the user's SA - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - namespace: ${NAMESPACE} - name: appstudio-${USERNAME}-view-user - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view - subjects: - - kind: User - name: ${USERNAME} - + name: appstudio-contributor-user-actions + subjects: + - kind: User + name: ${USERNAME} +# Role & RoleBinding that grants view permissions to the user's SA +- apiVersion: 
rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + namespace: ${NAMESPACE} + name: appstudio-${USERNAME}-view-user + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view + subjects: + - kind: User + name: ${USERNAME} parameters: - - name: NAMESPACE - required: true - - name: USERNAME - required: true \ No newline at end of file +- name: NAMESPACE + required: true +- name: USERNAME + required: true \ No newline at end of file diff --git a/test/templates/nstemplatetiers/appstudio/spacerole_maintainer.yaml b/test/templates/nstemplatetiers/appstudio/spacerole_maintainer.yaml index 08846aad8..d62caab54 100644 --- a/test/templates/nstemplatetiers/appstudio/spacerole_maintainer.yaml +++ b/test/templates/nstemplatetiers/appstudio/spacerole_maintainer.yaml @@ -1,16 +1,9 @@ apiVersion: template.openshift.io/v1 kind: Template metadata: - name: appstudio-spacerole-maintainer + name: appstudio-spacerole-maintainer # name is used in e2e tests objects: -# ServiceAccounts that represents the AppStudio user - the token of this SA is used by the proxy for forwarding the requests from UI (or any other client) -- apiVersion: v1 - kind: ServiceAccount - metadata: - namespace: ${NAMESPACE} - name: appstudio-${USERNAME} - # RoleBinding that grants limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA # Role(s) and RoleBinding(s) that grant limited CRUD permissions on AppStudio components CRDs & secrets to the user's SA - apiVersion: rbac.authorization.k8s.io/v1 
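Review bot: Nearly every line of this hunk is a two-space re-indentation, which buries the grants that are genuinely new on the read-only contributor role: `logs` under results.tekton.dev, `remotesecrets`, `buildpipelineselectors`, plus the `deploymenttargets` and `spifilecontentrequests` spelling fixes. Split the reformat into its own commit, or at least list the new read grants in the commit message, which currently only talks about memory tiers. The core apiGroup is written `''` here and `""` in spacerole_admin.yaml; pick one form for the tier.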
@@ -19,159 +12,192 @@ objects: namespace: ${NAMESPACE} name: appstudio-maintainer-user-actions rules: - - apiGroups: - - appstudio.redhat.com - resources: - - applications - - components - - componentdetectionqueries - verbs: - - get - - list - - watch - - create - - update - - patch - - apiGroups: - - appstudio.redhat.com - resources: - - promotionruns - - snapshotenvironmentbindings - - snapshots - - environments - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - deploymentttargets - - deploymenttargetclaims - verbs: - - get - - list - - watch - - apiGroups: - - managed-gitops.redhat.com - resources: - - gitopsdeployments - - gitopsdeploymentmanagedenvironments - - gitopsdeploymentrepositorycredentials - - gitopsdeploymentsyncruns - verbs: - - get - - list - - watch - - apiGroups: - - tekton.dev - resources: - - pipelineruns - verbs: - - get - - list - - watch - - apiGroups: - - results.tekton.dev - resources: - - results - - records - verbs: - - get - - list - - apiGroups: - - appstudio.redhat.com - resources: - - integrationtestscenarios - verbs: - - '*' - - apiGroups: - - appstudio.redhat.com - resources: - - enterprisecontractpolicies - verbs: - - get - - list - - watch - - apiGroups: - - appstudio.redhat.com - resources: - - releases - - releasestrategies - - releaseplans - verbs: - - '*' - - apiGroups: - - appstudio.redhat.com - resources: - - releaseplanadmissions - verbs: - - '*' - - apiGroups: - - jvmbuildservice.io - resources: - - jbsconfigs - - artifactbuilds - verbs: - - get - - list - - watch - - create - - update - - patch - - apiGroups: - - appstudio.redhat.com - resources: - - spiaccesstokenbindings - - spiaccesschecks - - spiaccesstokens - - spifilecontentrequests - - spiaccesstokendataupdates - verbs: - - get - - list - - watch - - create - - update - - patch - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch + - apiGroups: + - appstudio.redhat.com + resources: + - 
applications + - components + - componentdetectionqueries + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - promotionruns + - snapshotenvironmentbindings + - snapshots + - environments + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - deploymenttargets + - deploymenttargetclaims + verbs: + - get + - list + - watch + - apiGroups: + - managed-gitops.redhat.com + resources: + - gitopsdeployments + - gitopsdeploymentmanagedenvironments + - gitopsdeploymentrepositorycredentials + - gitopsdeploymentsyncruns + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - pipelineruns + verbs: + - get + - list + - watch + - apiGroups: + - results.tekton.dev + resources: + - results + - records + - logs + verbs: + - get + - list + - apiGroups: + - appstudio.redhat.com + resources: + - integrationtestscenarios + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - enterprisecontractpolicies + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - releases + - releasestrategies + - releaseplans + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - appstudio.redhat.com + resources: + - releaseplanadmissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - jvmbuildservice.io + resources: + - jbsconfigs + - artifactbuilds + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - spiaccesstokenbindings + - spiaccesschecks + - spiaccesstokens + - spifilecontentrequests + - spiaccesstokendataupdates + verbs: + - get + - list + - watch + - create + - update + - patch + - apiGroups: + - appstudio.redhat.com + resources: + - remotesecrets + verbs: + - get + - list + - watch + - 
apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - appstudio.redhat.com + resources: + - buildpipelineselectors + verbs: + - get + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: ${NAMESPACE} - name: appstudio-${USERNAME}-user-actions + name: appstudio-maintainer-${USERNAME}-actions-user roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: appstudio-maintainer-user-actions subjects: - - apiGroup: "" - kind: ServiceAccount - name: appstudio-${USERNAME} + - kind: User + name: ${USERNAME} # Role & RoleBinding that grants view permissions to the user's SA - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: ${NAMESPACE} - name: appstudio-${USERNAME}-view + name: appstudio-${USERNAME}-view-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - - apiGroup: "" - kind: ServiceAccount - name: appstudio-${USERNAME} + - - kind: User + name: ${USERNAME} parameters: -- name: USERNAME - required: true - name: NAMESPACE + required: true +- name: USERNAME required: true \ No newline at end of file diff --git a/test/templates/nstemplatetiers/appstudio/tier.yaml b/test/templates/nstemplatetiers/appstudio/tier.yaml index 9d6f424fb..969c493f5 100644 --- a/test/templates/nstemplatetiers/appstudio/tier.yaml +++ b/test/templates/nstemplatetiers/appstudio/tier.yaml @@ -12,7 +12,7 @@ objects: clusterResources: templateRef: ${CLUSTER_TEMPL_REF} namespaces: - - templateRef: ${TENANT_TEMPL_REF} + - templateRef: ${TENANT_TEMPL_REF} spaceRoles: admin: templateRef: ${ADMIN_TEMPL_REF}
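Review bot: The view RoleBinding's subjects are written `- - kind: User` followed by `name: ${USERNAME}`, i.e. a nested list, whereas the actions RoleBinding just above uses `- kind: User`; change it to `- kind: User`. Because the template's objects are decoded as raw extensions, the whitebox test will most likely accept the file as-is, and the malformed subject would only surface when the API server rejects (or silently mis-reads) the binding at Space provisioning time.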