redhat-appstudio · sadlerap · Dec 16, 2024 · gbenhaim · Jan 11, 2025 · filariow
diff --git a/argo-cd-apps/base/member/infra-deployments/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
@@ -30,5 +30,6 @@ resources:
   - konflux-rbac
   - konflux-info
   - vector-tekton-logs-collector
+  - namespace-lister
 components:
   - ../../../k-components/inject-infra-deployments-repo-details
diff --git a/argo-cd-apps/base/member/infra-deployments/namespace-lister/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/namespace-lister/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace-lister.yaml
+components:
+  - ../../../../k-components/inject-infra-deployments-repo-details
+  - ../../../../k-components/deploy-to-member-cluster-merge-generator
diff --git a/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml b/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+spec:
+  generators:
+    - merge:
+        mergeKeys:
+          - nameNormalized
+        generators:
+          - clusters:
+              values:
+                sourceRoot: components/namespace-lister
+                environment: staging
+                clusterDir: ""
+          - list:
+              elements:
+                - nameNormalized: stone-stg-rh01
+                  values.clusterDir: stone-stg-rh01
+  template:
+    metadata:
+      name: namespace-lister-{{nameNormalized}}
+    spec:
+      project: default
+      source:
+        path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
+        repoURL: https://github.com/redhat-appstudio/infra-deployments.git
+        targetRevision: main
+      destination:
+        namespace: namespace-lister
+        server: '{{server}}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+        retry:
+          limit: -1
+          backoff:
+            duration: 10s
+            factor: 2
+            maxDuration: 3m
diff --git a/argo-cd-apps/overlays/development/delete-applications.yaml b/argo-cd-apps/overlays/development/delete-applications.yaml
@@ -118,3 +118,9 @@ kind: ApplicationSet
 metadata:
   name: konflux-info
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+$patch: delete
diff --git a/argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml b/argo-cd-apps/overlays/konflux-public-production/delete-applications.yaml
@@ -39,3 +39,9 @@ kind: ApplicationSet
 metadata:
   name: nvme-storage-configurator
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+$patch: delete
diff --git a/argo-cd-apps/overlays/konflux-public-staging/delete-applications.yaml b/argo-cd-apps/overlays/konflux-public-staging/delete-applications.yaml
@@ -11,3 +11,9 @@ kind: ApplicationSet
 metadata:
   name: konflux-rbac
 $patch: delete
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: namespace-lister
+$patch: delete
diff --git a/components/namespace-lister/OWNERS b/components/namespace-lister/OWNERS
@@ -0,0 +1,11 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- dperaza4dustbit
+- filariow
+- sadlerap
+
+reviewers:
+- dperaza4dustbit
+- filariow
+- sadlerap
diff --git a/components/namespace-lister/base/deployment.yaml b/components/namespace-lister/base/deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: namespace-lister
+  namespace: namespace-lister
+  labels:
+    apps: namespace-lister
+spec:
+  selector:
+    matchLabels:
+      apps: namespace-lister
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        apps: namespace-lister
+    spec:
+      # securityContext:
+      #   runAsNonRoot: true
+      serviceAccountName: namespace-lister
+      containers:
+      - image: namespace-lister:foo
+        name: namespace-lister
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: LOG_LEVEL
+          value: "0"
+        # - name: AUTH_USERNAME_HEADER
+        #   value: "X-User"
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+        ports:
+        - containerPort: 8080
+          name: http
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - "ALL"
+      terminationGracePeriodSeconds: 60
diff --git a/components/namespace-lister/base/kustomization.yaml b/components/namespace-lister/base/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml
+- namespace.yaml
+- rbac.yaml
+- proxy.yaml
+- route.yaml
+- service.yaml
+namespace: namespace-lister
+configMapGenerator:
+- files:
+  - nginx.conf=nginx.conf
+  name: nginx
+images:
+- name: namespace-lister
+  newName: quay.io/konflux-ci/namespace-lister
+  newTag: fd195c941b3151c165ddf376ce5f44d57db3f071
diff --git a/components/namespace-lister/base/namespace.yaml b/components/namespace-lister/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace-lister
diff --git a/components/namespace-lister/base/nginx.conf b/components/namespace-lister/base/nginx.conf
@@ -0,0 +1,59 @@
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name $host to: $proxy_host  $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time';
+    access_log /dev/stderr upstreamlog;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 4096;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    server {
+        listen 8080 default_server;
+        server_name _;
+
+        location ~* /api/v1/namespaces(/?)$ {
+            # namespace-lister endpoint
+            rewrite ^/(.*)/$ /$1 permanent;
+            proxy_pass https://kubernetes.default.svc;
+            if ($request_method = GET) {
+                proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:12000;
+            }
+            proxy_read_timeout 1m;
+        }
+
+
+        location / {
+            proxy_pass https://kubernetes.default.svc;
+            proxy_ssl_verify off;
+            proxy_read_timeout 30m;
+            proxy_set_header KONFLUX-REQUEST YES;
+        }
+
+
+        location /health {
+            # Used for liveness probes
+            return 200;
+        }
+    }
+}
+
diff --git a/components/namespace-lister/base/patches/with-header-auth.yaml b/components/namespace-lister/base/patches/with-header-auth.yaml
@@ -0,0 +1,5 @@
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: AUTH_USERNAME_HEADER
+    value: Impersonate-User
diff --git a/components/namespace-lister/base/proxy.yaml b/components/namespace-lister/base/proxy.yaml
@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: proxy
+  name: proxy
+  namespace: namespace-lister
+spec:
+  minReadySeconds: 60
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: proxy
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: proxy
+    spec:
+      containers:
+      - command:
+        - nginx
+        - -g
+        - daemon off;
+        image: registry.access.redhat.com/ubi9/nginx-120@sha256:88a4f2d184f52c4d3956be06b12d578d0bf681ec9d0a8b80e558a98c1860fa12
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: nginx-120
+        ports:
+        - containerPort: 8080
+          name: web
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          successThreshold: 3
+          timeoutSeconds: 1
+        resources:
+          limits:
+            cpu: 300m
+            memory: 256Mi
+          requests:
+            cpu: 30m
+            memory: 128Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /etc/nginx/nginx.conf
+          name: proxy
+          readOnly: true
+          subPath: nginx.conf
+        - mountPath: /var/log/nginx
+          name: logs
+        - mountPath: /var/lib/nginx/tmp
+          name: nginx-tmp
+        - mountPath: /run
+          name: run
+      dnsPolicy: ClusterFirst
+      volumes:
+      - configMap:
+          defaultMode: 420
+          items:
+          - key: nginx.conf
+            path: nginx.conf
+          name: proxy-konflux
+        name: proxy
+      - emptyDir: {}
+        name: logs
+      - emptyDir: {}
+        name: nginx-tmp
+      - emptyDir: {}
+        name: run
diff --git a/components/namespace-lister/base/rbac.yaml b/components/namespace-lister/base/rbac.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: namespace-lister
+  namespace: namespace-lister
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-lister-authorizer
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: namespace-lister
+  namespace: namespace-lister
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: namespace-lister-authorizer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-lister-auth-delegator
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: namespace-lister
+  namespace: namespace-lister
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: namespace-lister-authorizer
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs: ["get", "list", "watch"]