Single tenancy init job (#264)

Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: sys-orch <[email protected]>

Author: 3 people

.github/workflows/lint-test-build-publish.yml

@@ -321,6 +321,7 @@ jobs:
             squidProxy,
             tokenFS,
             tenancyAPIMapping,
+            tenancyInit,
             tenancyManager,
             tenancyDatamodel,
             nexusAPIGateway,

.trivyignore.yaml

@@ -33,6 +33,7 @@ misconfigurations:
       - "charts/statefulset-wait/templates/job.yaml"
       - "charts/token-fs/templates/deployment.yaml"
       - "charts/vertical-pod-autoscaler/templates/deployment.yaml"
+      - "charts/tenancy-init/templates/serviceAccount.yaml"
     statement: readOnlyRootFilesystem is injected by Kyverno policy in charts/kyverno-extra-policies/templates/restricted-policy-orch.yaml
 
   - id: AVD-KSV-0118
@@ -54,3 +55,11 @@ misconfigurations:
       - "charts/keycloak-tenant-controller/templates/configmap.yaml"
       - "charts/traefik-pre/templates/jwt-plugin-configmap-generated.yaml"
     statement: ConfigMaps contain legitimate scripts and configuration templates, not actual secrets in production
+  - id: AVD-KSV-0041
+    paths:
+      - "charts/tenancy-init/templates/serviceAccount.yaml"
+    statement: Cross-namespace secret access required for tenancy initialization
+  - id: AVD-KSV-0056
+    paths:
+      - "charts/tenancy-init/templates/serviceAccount.yaml"
+    statement: Service access required for pod communication and tenancy initialization operations

Makefile

@@ -54,6 +54,9 @@ docker-build-squid-proxy:
 docker-build-tenancy-api-mapping:
 	mage build:tenancyAPIMapping
 
+docker-build-tenancy-init:
+	mage build:tenancyInit
+
 docker-build-tenancy-datamodel:
 	mage build:tenancyDatamodel
 

charts/tenancy-init/.appref.yaml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+---
+
+repo: https://github.com/open-edge-platform/orch-utils.git
+filter: "*.*.*"

charts/tenancy-init/.helmignore

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/tenancy-init/Chart.yaml

@@ -0,0 +1,10 @@
+---
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v2
+name: tenancy-init
+description: A Helm chart for bootstrapping the 'tenancy-init'
+type: application
+version: 25.2.5
+appVersion: "25.2.0"

charts/tenancy-init/templates/_helpers.tpl

@@ -0,0 +1,67 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "iam.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "iam.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "iam.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "iam.labels" -}}
+helm.sh/chart: {{ include "iam.chart" . }}
+{{ include "iam.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "iam.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "iam.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "iam.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "iam.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/tenancy-init/templates/job.yaml

@@ -0,0 +1,89 @@
+---
+
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+---
+
+{{- $registry := .Values.global.registry -}}
+{{ if .Values.image.registry }}
+  {{- $registry = .Values.image.registry -}}
+{{ end }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "iam.fullname" . }}
+  labels:
+    {{- include "iam.labels" . | nindent 4 }}
+  namespace: {{ default  .Release.Namespace .Values.global.namespace }}
+  annotations:
+    "helm.sh/hook": post-install
+spec:
+  ttlSecondsAfterFinished: 600
+  backoffLimit: 6
+  template:
+    metadata:
+      annotations:
+        "sidecar.istio.io/inject": "false"
+    spec:
+      activeDeadlineSeconds: 600
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ include "iam.serviceAccountName" . }}
+      restartPolicy: Never
+      initContainers:
+      - name: job-wait-for-tenancy-crds
+        image: alpine/kubectl:1.34.1
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+            set -e
+            echo "Waiting for Tenant CRDs to be available..."
+            for CRD in "orgs.org.edge-orchestrator.intel.com" \
+                      "orgwatchers.orgwatcher.edge-orchestrator.intel.com" \
+                      "orgactivewatchers.orgactivewatcher.edge-orchestrator.intel.com" \
+                      "runtimeorgs.runtimeorg.edge-orchestrator.intel.com" \
+                      "projects.project.edge-orchestrator.intel.com" \
+                      "projectwatchers.projectwatcher.edge-orchestrator.intel.com" \
+                      "projectactivewatchers.projectactivewatcher.edge-orchestrator.intel.com" \
+                      "runtimeprojects.runtimeproject.edge-orchestrator.intel.com"; do
+              echo "Checking for CRD: $CRD"
+                until kubectl get crd $CRD; do
+                  echo "CRD $CRD not found, waiting..."
+                  sleep 30
+                done
+              echo "CRD $CRD is available."
+            done
+            echo "Checking for KTC pod existence"
+            until kubectl get po -l app=keycloak-tenant-controller-pod -A | grep -qv "No resources found"; do
+              echo "KTC pod not found, waiting..."
+              sleep 30
+            done
+            echo "KTC pod found. Checking for KTC status"
+            while kubectl wait --for=condition=Ready po -l app=keycloak-tenant-controller-pod -A 2>&1 | grep -q "error: timed out waiting for the condition on pods"; do
+              echo "KTC pod not ready, retrying..."
+            done
+      containers:
+      - name: {{ .Chart.Name }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+          - "--org={{ .Values.tenant.orgName }}"
+          - "--project={{ .Values.tenant.projectName }}"
+        env:
+        - name: LOG_LEVEL
+          value: {{ .Values.logLevel }}
+        - name: KEYCLOAK_SERVICE
+          value: {{ .Values.keycloak.service.name }}
+        - name: KEYCLOAK_PORT
+          value: "{{ .Values.keycloak.service.port }}"
+        - name: KEYCLOAK_NAMESPACE
+          value: {{ .Values.keycloak.service.namespace }}

charts/tenancy-init/templates/serviceAccount.yaml

@@ -0,0 +1,102 @@
+---
+
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "iam.serviceAccountName" . }}
+  namespace: {{ default  .Release.Namespace .Values.global.namespace }}
+automountServiceAccountToken: true
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tenant-init-installer-role
+  namespace: {{ default  .Release.Namespace .Values.global.namespace }}
+rules:
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get","list"]
+# Access to organization and project CRDs
+- apiGroups: ["orgactivewatcher.edge-orchestrator.intel.com"]
+  resources: ["orgactivewatchers"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["orgwatcher.edge-orchestrator.intel.com"]
+  resources: ["orgwatchers"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["projectactivewatcher.edge-orchestrator.intel.com"]
+  resources: ["projectactivewatchers"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["projectwatcher.edge-orchestrator.intel.com"]
+  resources: ["projectwatchers"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to runtime org and project resources
+- apiGroups: ["runtimeorg.edge-orchestrator.intel.com"]
+  resources: ["runtimeorgs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["runtimeproject.edge-orchestrator.intel.com"]
+  resources: ["runtimeprojects"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to org resources
+- apiGroups: ["org.edge-orchestrator.intel.com"]
+  resources: ["orgs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to project resources
+- apiGroups: ["project.edge-orchestrator.intel.com"]
+  resources: ["projects"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to config resources
+- apiGroups: ["config.edge-orchestrator.intel.com"]
+  resources: ["configs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to folder resources
+- apiGroups: ["folder.edge-orchestrator.intel.com"]
+  resources: ["folders"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to tenancy resources
+- apiGroups: ["tenancy.edge-orchestrator.intel.com"]
+  resources: ["multitenancies"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to runtime folder resources
+- apiGroups: ["runtimefolder.edge-orchestrator.intel.com"]
+  resources: ["runtimefolders"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to runtime resources
+- apiGroups: ["runtime.edge-orchestrator.intel.com"]
+  resources: ["runtimes"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to API mapping config resources
+- apiGroups: ["apimappingconfig.edge-orchestrator.intel.com"]
+  resources: ["apimappingconfigs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to network resources
+- apiGroups: ["network.edge-orchestrator.intel.com"]
+  resources: ["networks"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# Access to pods
+- apiGroups: [""]
+  resources: ["pods", "namespaces", "configmaps", "services"]
+  verbs: ["get", "list", "watch", "create", "update"]
+# Access to secrets
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tenant-init-installer
+  namespace: {{ default  .Release.Namespace .Values.global.namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "iam.serviceAccountName" . }}
+  namespace: {{ default  .Release.Namespace .Values.global.namespace }}
+roleRef:
+  kind: ClusterRole
+  name: tenant-init-installer-role
+  apiGroup: rbac.authorization.k8s.io
+

charts/tenancy-init/values.yaml

@@ -0,0 +1,54 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+---
+
+global:
+  name: tenancy-init
+
+imagePullSecrets: ""
+image:
+  registry: registry-rs.edgeorchestration.intel.com/edge-orch
+  repository: common/tenancy-init
+  pullPolicy: IfNotPresent
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: tenant-init-k8s-api-service-account
+
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true
+  runAsUser: 1000
+
+tolerations: []
+
+affinity: {}
+
+nodeSelector: {}
+
+podAnnotations: {}
+
+logLevel: info
+
+tenant:
+  orgName: "default"
+  projectName: "default"
+keycloak:
+  service:
+    name: "platform-keycloak"
+    port: "8080"
+    namespace: "orch-platform"