Skip to content

kubearchive's policy: add support for new tenant label #5847

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 1 commit into from
Mar 28, 2025
Merged

kubearchive's policy: add support for new tenant label #5847

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions components/kubearchive/policies/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,46 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: mutate-new-namespace-konfluxcidev
spec:
description: |
tests that the KubeArchiveConfig is created in a namespace
labelled with `konflux-ci.dev/type=tenant`
concurrent: false
namespace: 'generate-new-namespace'
bindings:
- name: suffix
value: konfluxcidev
steps:
- name: given-kubearchiveconfig-crd-exists
try:
- apply:
file: resources/kubearchive-crd.yaml
- name: given-kyverno-has-permission-on-resources
try:
- apply:
file: ../kyverno_rbac.yaml
- name: given-cluster-policy-is-ready
try:
- apply:
file: ../bootstrap-namespace.yaml
- assert:
file: chainsaw-assert-clusterpolicy.yaml
- name: when-konfluxcidev-labeled-namespace-is-created
try:
- apply:
file: resources/actual-namespace-konfluxcidev.yaml
template: true
- name: then-kubearchiveconfig-is-created
try:
- assert:
file: resources/expected-kubearchiveconfig.yaml
template: true
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: mutate-new-namespace-konflux
spec:
Expand Down Expand Up @@ -200,6 +240,46 @@ spec:
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: mutate-existing-namespace-konfluxcidev
spec:
description: |
tests that the KubeArchiveConfig is created in an already existing
namespace labelled with `konflux-ci.dev/type=tenant`
concurrent: false
namespace: 'generate-existing-namespace'
bindings:
- name: suffix
value: konflux
steps:
- name: given-kubearchiveconfig-crd-exists
try:
- apply:
file: resources/kubearchive-crd.yaml
- name: given-kyverno-has-permission-on-resources
try:
- apply:
file: ../kyverno_rbac.yaml
- name: given-konfluxci-labeled-namespace-is-created
try:
- apply:
file: resources/actual-namespace-konfluxcidev.yaml
template: true
- name: when-cluster-policy-is-ready
try:
- apply:
file: ../bootstrap-namespace.yaml
- assert:
file: chainsaw-assert-clusterpolicy.yaml
- name: then-kubearchiveconfig-is-created
try:
- assert:
file: resources/expected-kubearchiveconfig.yaml
template: true
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: mutate-existing-namespace-toolchain
spec:
Expand Down
6 changes: 6 additions & 0 deletions components/kubearchive/policies/.chainsaw-test/resources/actual-namespace-konfluxcidev.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: (join('-', [$namespace, $suffix]))
labels:
konflux-ci.dev/type: tenant
6 changes: 6 additions & 0 deletions components/kubearchive/policies/bootstrap-namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,12 @@ spec:
selector:
matchLabels:
konflux.ci/type: user
- resources:
kinds:
- Namespace
selector:
matchLabels:
konflux-ci.dev/type: tenant
generate:
generateExisting: true
apiVersion: kubearchive.kubearchive.org/v1alpha1
Expand Down