diff --git a/argo-cd-apps/base/member/infra-deployments/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
index e4816af4eeb..9b79bb0f026 100644
--- a/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
@@ -30,5 +30,6 @@ resources:
 - konflux-rbac
 - konflux-info
 - vector-tekton-logs-collector
+ - namespace-lister
 components:
 - ../../../k-components/inject-infra-deployments-repo-details
diff --git a/argo-cd-apps/base/member/infra-deployments/namespace-lister/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/namespace-lister/kustomization.yaml
new file mode 100644
index 00000000000..c5af5975255
--- /dev/null
+++ b/argo-cd-apps/base/member/infra-deployments/namespace-lister/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace-lister.yaml
+components:
+ - ../../../../k-components/inject-infra-deployments-repo-details
+ - ../../../../k-components/deploy-to-member-cluster-merge-generator
diff --git a/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml b/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml
new file mode 100644
index 00000000000..14998d6638e
--- /dev/null
+++ b/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: namespace-lister
+spec:
+ generators:
+ - merge:
+ mergeKeys:
+ - nameNormalized
+ generators:
+ - clusters:
+ values:
+ sourceRoot: components/namespace-lister
+ environment: staging
+ clusterDir: ""
+ - list:
+ elements:
+ - nameNormalized: stone-stg-rh01
+ values.clusterDir: stone-stg-rh01
+ template:
+ metadata:
+ name: namespace-lister-{{nameNormalized}}
+ spec:
+ project: default
+ source:
+ path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
+ repoURL: https://github.com/redhat-appstudio/infra-deployments.git
+ targetRevision: main
+ destination:
+ namespace: namespace-lister
+ server: '{{server}}'
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ backoff:
+ duration: 10s
+ factor: 2
+ maxDuration: 3m
diff --git a/argo-cd-apps/overlays/development/delete-applications.yaml b/argo-cd-apps/overlays/development/delete-applications.yaml
index 01d93bf0f7f..dab27dd9101 100644
--- a/argo-cd-apps/overlays/development/delete-applications.yaml
+++ b/argo-cd-apps/overlays/development/delete-applications.yaml
@@ -118,3 +118,9 @@ kind: ApplicationSet
 metadata:
 name: konflux-info
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: namespace-lister
+$patch: delete
diff --git a/argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml b/argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml
index 86d219e95ac..b391bba34a1 100644
--- a/argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml
+++ b/argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml
@@ -39,3 +39,9 @@ kind: ApplicationSet
 metadata:
 name: nvme-storage-configurator
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: namespace-lister
+$patch: delete
diff --git a/argo-cd-apps/overlays/konflux-public-staging/delete-applications.yaml b/argo-cd-apps/overlays/konflux-public-staging/delete-applications.yaml
index dd63b9e3552..5516b8b0d67 100644
--- a/argo-cd-apps/overlays/konflux-public-staging/delete-applications.yaml
+++ b/argo-cd-apps/overlays/konflux-public-staging/delete-applications.yaml
@@ -11,3 +11,9 @@ kind: ApplicationSet
 metadata:
 name: konflux-rbac
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: namespace-lister
+$patch: delete
diff --git a/components/namespace-lister/OWNERS b/components/namespace-lister/OWNERS
new file mode 100644
index 00000000000..c4915cf2cde
--- /dev/null
+++ b/components/namespace-lister/OWNERS
@@ -0,0 +1,11 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- dperaza4dustbit
+- filariow
+- sadlerap
+
+reviewers:
+- dperaza4dustbit
+- filariow
+- sadlerap
diff --git a/components/namespace-lister/base/deployment.yaml b/components/namespace-lister/base/deployment.yaml
new file mode 100644
index 00000000000..2ee76e22f5b
--- /dev/null
+++ b/components/namespace-lister/base/deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: namespace-lister
+ namespace: namespace-lister
+ labels:
+ apps: namespace-lister
+spec:
+ selector:
+ matchLabels:
+ apps: namespace-lister
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ apps: namespace-lister
+ spec:
+ # securityContext:
+ # runAsNonRoot: true
+ serviceAccountName: namespace-lister
+ containers:
+ - image: namespace-lister:foo
+ name: namespace-lister
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_LEVEL
+ value: "0"
+ # - name: AUTH_USERNAME_HEADER
+ # value: "X-User"
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ ports:
+ - containerPort: 8080
+ name: http
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - "ALL"
+ terminationGracePeriodSeconds: 60
diff --git a/components/namespace-lister/base/kustomization.yaml b/components/namespace-lister/base/kustomization.yaml
new file mode 100644
index 00000000000..7c6c604636e
--- /dev/null
+++ b/components/namespace-lister/base/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml
+- namespace.yaml
+- rbac.yaml
+- proxy.yaml
+- route.yaml
+- service.yaml
+namespace: namespace-lister
+configMapGenerator:
+- files:
+ - nginx.conf=nginx.conf
+ name: nginx
+images:
+- name: namespace-lister
+ newName: quay.io/konflux-ci/namespace-lister
+ newTag: fd195c941b3151c165ddf376ce5f44d57db3f071
diff --git a/components/namespace-lister/base/namespace.yaml b/components/namespace-lister/base/namespace.yaml
new file mode 100644
index 00000000000..57ae11170fd
--- /dev/null
+++ b/components/namespace-lister/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: namespace-lister
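Review bot: The container `securityContext` in deployment.yaml drops all capabilities and forbids privilege escalation but sets no `seccompProfile`, which the restricted Pod Security Standard requires should it ever be enforced on this namespace; add `seccompProfile:` / `type: RuntimeDefault` under the container `securityContext`. The commented-out pod-level `securityContext` and the commented-out `AUTH_USERNAME_HEADER` env entry are dead configuration, and the latter is superseded by patches/with-header-auth.yaml in this same change, so either drop them or replace them with a one-line comment pointing at that patch. The container also defines no readiness or liveness probe while proxy.yaml defines both; if the image exposes a health endpoint, wiring it up would keep the Service from routing to a pod that is not yet serving.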
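Review bot: The configMapGenerator in base/kustomization.yaml is named `nginx`, but proxy.yaml (same commit) mounts its configuration from a ConfigMap named `proxy-konflux`, which nothing in this change creates, so kustomize's name-reference rewriting will not connect the generated `nginx-<hash>` ConfigMap to the proxy pod and the pod will stay pending on a missing volume unless `proxy-konflux` already exists in the cluster. Make the two sides agree, e.g. `name: proxy-konflux` in the generator or `name: nginx` in the proxy.yaml volume; this applies to the proxy.yaml hunk as well. Separately, `newTag: fd195c941b3151c165ddf376ce5f44d57db3f071` pins by a tag that happens to be a commit SHA, and tags are mutable; if the registry publishes one, a `digest: sha256:<image digest>` pin on the same `images` entry is the stronger supply-chain control.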
diff --git a/components/namespace-lister/base/nginx.conf b/components/namespace-lister/base/nginx.conf
new file mode 100644
index 00000000000..e6cf75ca6c4
--- /dev/null
+++ b/components/namespace-lister/base/nginx.conf
@@ -0,0 +1,59 @@
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name $host to: $proxy_host $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time';
+ access_log /dev/stderr upstreamlog;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 4096;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 8080 default_server;
+ server_name _;
+
+ location ~* /api/v1/namespaces(/?)$ {
+ # namespace-lister endpoint
+ rewrite ^/(.*)/$ /$1 permanent;
+ proxy_pass https://kubernetes.default.svc;
+ if ($request_method = GET) {
+ proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:12000;
+ }
+ proxy_read_timeout 1m;
+ }
+
+
+ location / {
+ proxy_pass https://kubernetes.default.svc;
+ proxy_ssl_verify off;
+ proxy_read_timeout 30m;
+ proxy_set_header KONFLUX-REQUEST YES;
+ }
+
+
+ location /health {
+ # Used for liveness probes
+ return 200;
+ }
+ }
+}
+
diff --git a/components/namespace-lister/base/patches/with-header-auth.yaml b/components/namespace-lister/base/patches/with-header-auth.yaml
new file mode 100644
index 00000000000..7d74e05eaf3
--- /dev/null
+++ b/components/namespace-lister/base/patches/with-header-auth.yaml
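Review bot: `proxy_ssl_verify off;` in `location /` disables certificate verification for the upstream `https://kubernetes.default.svc`, and the `/api/v1/namespaces` location inherits nginx's default, which is also off, so both paths to the API server accept any server certificate. Because this proxy appears to relay callers' requests (and therefore their credentials) to the API server, verify the upstream against the in-cluster CA that the default service-account volume provides, placed at the `server` level so both locations inherit it: `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt;`, `proxy_ssl_name kubernetes.default.svc;`. The `/api/v1/namespaces` block also assigns `proxy_pass` twice, once unconditionally and once inside `if`; a comment such as `# GET is served by namespace-lister; every other method falls through to the API server` would make that intent explicit to the next reader.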
@@ -0,0 +1,5 @@
+- op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: AUTH_USERNAME_HEADER
+ value: Impersonate-User
diff --git a/components/namespace-lister/base/proxy.yaml b/components/namespace-lister/base/proxy.yaml
new file mode 100644
index 00000000000..1f3d7fd35c0
--- /dev/null
+++ b/components/namespace-lister/base/proxy.yaml
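Review bot: This patch makes the `Impersonate-User` request header the identity source for namespace-lister, but nothing in the change documents the trust boundary that makes that safe: base/kustomization.yaml does not apply the patch, route.yaml exposes the namespace-lister Service directly through an edge-terminated Route rather than through the nginx proxy, and nginx.conf does not set that header at all. Any overlay that applies this patch therefore has to guarantee the Service is reachable only from a component that authenticates the caller and sets the header itself. Add a header comment to the patch such as `# Apply only when namespace-lister sits behind a proxy that authenticates callers and sets Impersonate-User; never with the Service exposed directly.` so the precondition travels with the file.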
@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: proxy
+ name: proxy
+ namespace: namespace-lister
+spec:
+ minReadySeconds: 60
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: proxy
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: proxy
+ spec:
+ containers:
+ - command:
+ - nginx
+ - -g
+ - daemon off;
+ image: registry.access.redhat.com/ubi9/nginx-120@sha256:88a4f2d184f52c4d3956be06b12d578d0bf681ec9d0a8b80e558a98c1860fa12
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 60
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: nginx-120
+ ports:
+ - containerPort: 8080
+ name: web
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 30
+ successThreshold: 3
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 300m
+ memory: 256Mi
+ requests:
+ cpu: 30m
+ memory: 128Mi
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/nginx/nginx.conf
+ name: proxy
+ readOnly: true
+ subPath: nginx.conf
+ - mountPath: /var/log/nginx
+ name: logs
+ - mountPath: /var/lib/nginx/tmp
+ name: nginx-tmp
+ - mountPath: /run
+ name: run
+ dnsPolicy: ClusterFirst
+ volumes:
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: nginx.conf
+ path: nginx.conf
+ name: proxy-konflux
+ name: proxy
+ - emptyDir: {}
+ name: logs
+ - emptyDir: {}
+ name: nginx-tmp
+ - emptyDir: {}
+ name: run
diff --git a/components/namespace-lister/base/rbac.yaml b/components/namespace-lister/base/rbac.yaml
new file mode 100644
index 00000000000..b0d63ff929e
--- /dev/null
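Review bot: The nginx container's `securityContext` in proxy.yaml sets only `readOnlyRootFilesystem` and `runAsNonRoot`, so it is less hardened than the namespace-lister container in deployment.yaml from the same commit, which also forbids privilege escalation and drops all capabilities; nginx listens on 8080 and already runs as non-root here, so the same settings plus a `seccompProfile` should apply without functional change. `creationTimestamp: null` under `template.metadata` is residue from a `kubectl get -o yaml` export and can be removed. No Service or Route in this change targets the proxy Deployment (route.yaml points at the namespace-lister Service), so if the proxy is meant to front namespace-lister that wiring is either missing or lives outside this commit; a comment on the Deployment saying which it is would help.
```yaml
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: terminationMessagePath, terminationMessagePolicy, volumeMounts …
```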
+++ b/components/namespace-lister/base/rbac.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: namespace-lister
+ namespace: namespace-lister
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: namespace-lister-authorizer
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: namespace-lister
+ namespace: namespace-lister
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: namespace-lister-authorizer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: namespace-lister-auth-delegator
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: namespace-lister
+ namespace: namespace-lister
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: namespace-lister-authorizer
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ verbs: ["get", "list", "watch"]
diff --git a/components/namespace-lister/base/route.yaml b/components/namespace-lister/base/route.yaml
new file mode 100644
index 00000000000..4f59155d838
--- /dev/null
+++ b/components/namespace-lister/base/route.yaml
@@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ labels:
+ app: namespace-lister
+ name: namespace-lister
+ namespace: namespace-lister
+spec:
+ port:
+ targetPort: 12000
+ tls:
+ termination: edge
+ to:
+ kind: Service
+ name: namespace-lister
+ weight: 100
+ wildcardPolicy: None
diff --git a/components/namespace-lister/base/service.yaml b/components/namespace-lister/base/service.yaml
new file mode 100644
index 00000000000..45787607f07
--- /dev/null
+++ b/components/namespace-lister/base/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: namespace-lister
+ namespace: namespace-lister
+spec:
+ selector:
+ apps: namespace-lister
+ type: ClusterIP
+ ports:
+ - name: http
+ targetPort: 8080
+ port: 12000
diff --git a/components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml b/components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml
new file mode 100644
index 00000000000..4f7380c54b3
--- /dev/null
+++ b/components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/