add namespace-lister deployment to staging

This is largely for testing purposes, to see if this deployment
configuration is functional.  As such, we're only going to deploy this
to one of the member clusters for the time being, and we're not going to
integrate this with the UI's nginx config until we have a stable
deployment.

Signed-off-by: Andy Sadler <[email protected]>

argo-cd-apps/base/member/infra-deployments/kustomization.yaml

@@ -30,5 +30,6 @@ resources:
   - konflux-rbac
   - konflux-info
   - vector-tekton-logs-collector
+  - namespace-lister
 components:
   - ../../../k-components/inject-infra-deployments-repo-details

argo-cd-apps/base/member/infra-deployments/namespace-lister/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace-lister.yaml
+components:
+  - ../../../../k-components/inject-infra-deployments-repo-details
+  - ../../../../k-components/deploy-to-member-cluster-merge-generator

argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+spec:
+  generators:
+    - merge:
+        mergeKeys:
+          - nameNormalized
+        generators:
+          - clusters:
+              values:
+                sourceRoot: components/namespace-lister
+                environment: staging
+                clusterDir: ""
+          - list:
+              elements:
+                - nameNormalized: stone-stg-rh01
+                  values.clusterDir: stone-stg-rh01
+  template:
+    metadata:
+      name: namespace-lister-{{nameNormalized}}
+    spec:
+      project: default
+      source:
+        path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
+        repoURL: https://github.com/redhat-appstudio/infra-deployments.git
+        targetRevision: main
+      destination:
+        namespace: namespace-lister
+        server: '{{server}}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+        retry:
+          limit: -1
+          backoff:
+            duration: 10s
+            factor: 2
+            maxDuration: 3m

argo-cd-apps/overlays/development/delete-applications.yaml

@@ -118,3 +118,9 @@ kind: ApplicationSet
 metadata:
   name: konflux-info
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+$patch: delete

argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml

@@ -39,3 +39,9 @@ kind: ApplicationSet
 metadata:
   name: nvme-storage-configurator
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+$patch: delete

argo-cd-apps/overlays/konflux-public-staging/delete-applications.yaml

@@ -11,3 +11,9 @@ kind: ApplicationSet
 metadata:
   name: konflux-rbac
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+$patch: delete

components/namespace-lister/OWNERS

@@ -0,0 +1,11 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- dperaza4dustbit
+- filariow
+- sadlerap
+
+reviewers:
+- dperaza4dustbit
+- filariow
+- sadlerap

components/namespace-lister/base/deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: namespace-lister
+  namespace: namespace-lister
+  labels:
+    apps: namespace-lister
+spec:
+  selector:
+    matchLabels:
+      apps: namespace-lister
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        apps: namespace-lister
+    spec:
+      # securityContext:
+      #   runAsNonRoot: true
+      serviceAccountName: namespace-lister
+      containers:
+      - image: namespace-lister:foo
+        name: namespace-lister
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: LOG_LEVEL
+          value: "0"
+        # - name: AUTH_USERNAME_HEADER
+        #   value: "X-User"
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+        ports:
+        - containerPort: 8080
+          name: http
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - "ALL"
+      terminationGracePeriodSeconds: 60

components/namespace-lister/base/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml
+- namespace.yaml
+- rbac.yaml
+- proxy.yaml
+- route.yaml
+- service.yaml
+namespace: namespace-lister
+configMapGenerator:
+- files:
+  - nginx.conf=nginx.conf
+  name: nginx
+images:
+- name: namespace-lister
+  newName: quay.io/konflux-ci/namespace-lister
+  newTag: fd195c941b3151c165ddf376ce5f44d57db3f071

components/namespace-lister/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace-lister

components/namespace-lister/base/nginx.conf

@@ -0,0 +1,59 @@
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name $host to: $proxy_host  $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time';
+    access_log /dev/stderr upstreamlog;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 4096;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    server {
+        listen 8080 default_server;
+        server_name _;
+
+        location ~* /api/v1/namespaces(/?)$ {
+            # namespace-lister endpoint
+            rewrite ^/(.*)/$ /$1 permanent;
+            proxy_pass https://kubernetes.default.svc;
+            if ($request_method = GET) {
+                proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:12000;
+            }
+            proxy_read_timeout 1m;
+        }
+
+
+        location / {
+            proxy_pass https://kubernetes.default.svc;
+            proxy_ssl_verify off;
+            proxy_read_timeout 30m;
+            proxy_set_header KONFLUX-REQUEST YES;
+        }
+
+
+        location /health {
+            # Used for liveness probes
+            return 200;
+        }
+    }
+}
+

components/namespace-lister/base/patches/with-header-auth.yaml

@@ -0,0 +1,5 @@
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: AUTH_USERNAME_HEADER
+    value: Impersonate-User

components/namespace-lister/base/proxy.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: proxy
+  name: proxy
+  namespace: namespace-lister
+spec:
+  minReadySeconds: 60
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: proxy
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: proxy
+    spec:
+      containers:
+      - command:
+        - nginx
+        - -g
+        - daemon off;
+        image: registry.access.redhat.com/ubi9/nginx-120@sha256:88a4f2d184f52c4d3956be06b12d578d0bf681ec9d0a8b80e558a98c1860fa12
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: nginx-120
+        ports:
+        - containerPort: 8080
+          name: web
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          successThreshold: 3
+          timeoutSeconds: 1
+        resources:
+          limits:
+            cpu: 300m
+            memory: 256Mi
+          requests:
+            cpu: 30m
+            memory: 128Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /etc/nginx/nginx.conf
+          name: proxy
+          readOnly: true
+          subPath: nginx.conf
+        - mountPath: /var/log/nginx
+          name: logs
+        - mountPath: /var/lib/nginx/tmp
+          name: nginx-tmp
+        - mountPath: /run
+          name: run
+      dnsPolicy: ClusterFirst
+      volumes:
+      - configMap:
+          defaultMode: 420
+          items:
+          - key: nginx.conf
+            path: nginx.conf
+          name: proxy-konflux
+        name: proxy
+      - emptyDir: {}
+        name: logs
+      - emptyDir: {}
+        name: nginx-tmp
+      - emptyDir: {}
+        name: run

components/namespace-lister/base/rbac.yaml

@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: namespace-lister
+  namespace: namespace-lister
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-lister-authorizer
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: namespace-lister
+  namespace: namespace-lister
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: namespace-lister-authorizer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-lister-auth-delegator
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: namespace-lister
+  namespace: namespace-lister
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: namespace-lister-authorizer
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs: ["get", "list", "watch"]