Namespace prefix for multi-tenancy support

applications/cluster-resources/monitoring/netpols/prometheus-allow-scraping.ftl.yaml

@@ -9,7 +9,7 @@ spec:
     - from:
         - namespaceSelector:
             matchLabels:
-              kubernetes.io/metadata.name: ${namePrefix}monitoring
+              kubernetes.io/metadata.name: "${namePrefix}monitoring"
           podSelector:
             matchLabels:
               prometheus: kube-prometheus-stack-prometheus

argocd/argocd/operator/rbac/example-apps-production.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: example-apps-production
+  namespace: "${namePrefix}example-apps-production"
   name: argocd
 rules:
   - apiGroups:
@@ -166,7 +166,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argocd
-  namespace: example-apps-production
+  namespace: "${namePrefix}example-apps-production"
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
@@ -180,4 +180,4 @@ subjects:
 roleRef:
   kind: Role
   name: argocd
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

argocd/argocd/operator/rbac/example-apps-staging.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: example-apps-staging
+  namespace: "${namePrefix}example-apps-staging"
   name: argocd
 rules:
   - apiGroups:
@@ -166,7 +166,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argocd
-  namespace: example-apps-staging
+  namespace: "${namePrefix}example-apps-staging"
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
@@ -180,4 +180,4 @@ subjects:
 roleRef:
   kind: Role
   name: argocd
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

argocd/argocd/operator/rbac/ingress-nginx.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: ingress-nginx
+  namespace: "${namePrefix}ingress-nginx"
   name: argocd
 rules:
   - apiGroups:
@@ -166,7 +166,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argocd
-  namespace: ingress-nginx
+  namespace: "${namePrefix}ingress-nginx"
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
@@ -180,4 +180,4 @@ subjects:
 roleRef:
   kind: Role
   name: argocd
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

argocd/argocd/operator/rbac/monitoring.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: monitoring
+  namespace: "${namePrefix}monitoring"
   name: argocd
 rules:
   - apiGroups:
@@ -166,7 +166,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argocd
-  namespace: monitoring
+  namespace: "${namePrefix}monitoring"
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
@@ -180,4 +180,4 @@ subjects:
 roleRef:
   kind: Role
   name: argocd
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

argocd/argocd/operator/rbac/secrets.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: secrets
+  namespace: "${namePrefix}secrets"
   name: argocd
 rules:
   - apiGroups:
@@ -166,7 +166,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argocd
-  namespace: secrets
+  namespace: "${namePrefix}secrets"
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
@@ -180,4 +180,4 @@ subjects:
 roleRef:
   kind: Role
   name: argocd
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

src/main/groovy/com/cloudogu/gitops/Application.groovy

@@ -12,12 +12,11 @@ class Application {
     final Config config
 
     Application(Config config,
-            List<Feature> features
+                List<Feature> features
     ) {
-        this.config=config
+        this.config = config
         // Order is important. Enforced by @Order-Annotation on the Singletons
         this.features = features
-
     }
 
     def start() {
@@ -36,15 +35,10 @@ class Application {
 
     void setNamespaceListToConfig(Config config) {
         Set<String> namespaces = new HashSet<>()
-        String namePrefix = config.application.namePrefix;
+        String namePrefix = config.application.namePrefix
 
-        if(config.registry.internal || config.scmm.internal || config.jenkins.internal){
-            namespaces.add(namePrefix + "default")
-        }
-
         if (config.features.argocd.active) {
             namespaces.addAll(Arrays.asList(
-                    namePrefix + "argocd",
                     namePrefix + "example-apps-staging",
                     namePrefix + "example-apps-production"
             ))
@@ -55,14 +49,9 @@ class Application {
                 .collect { it.activeNamespaceFromFeature }
                 .findAll { it }
                 .unique()
-                .collect { "${namePrefix}${it}".toString() })
-
-        //TODO remove after Jenkins/SCMM/Registry got their own namespaces
-        if(config.application.openshift){
-            namespaces.remove(namePrefix + "default")
-        }
+                .collect { "${it}".toString() })
 
         log.debug("Active namespaces retrieved: {}", namespaces);
         config.application.activeNamespaces = namespaces.toList()
     }
-}
+}

src/main/groovy/com/cloudogu/gitops/cli/GitopsPlaygroundCliMainScripted.groovy

@@ -19,7 +19,8 @@ import com.cloudogu.gitops.scmm.ScmmRepoProvider
 import com.cloudogu.gitops.utils.*
 import groovy.util.logging.Slf4j
 import io.micronaut.context.ApplicationContext
-import jakarta.inject.Provider 
+import jakarta.inject.Provider
+
 /**
  * Micronaut's dependency injection relies on statically compiled class files with seems incompatible with groovy 
  * scripting/interpretation (without prior compilation).
@@ -52,7 +53,7 @@ class GitopsPlaygroundCliMainScripted {
             def helmClient = new HelmClient(executor)
 
             def httpClientFactory = new HttpClientFactory()
-            
+
             def scmmRepoProvider = new ScmmRepoProvider(config, fileSystemUtils)
             def retrofitFactory = new RetrofitFactory()
 
@@ -72,7 +73,7 @@ class GitopsPlaygroundCliMainScripted {
                     httpClientFactory.okHttpClient(httpClientFactory.createLoggingInterceptor(), jenkinsConfiguration, insecureSslContextProvider))
 
             context.registerSingleton(k8sClient)
-            
+
             if (config.application.destroy) {
                 context.registerSingleton(new Destroyer([
                         new ArgoCDDestructionHandler(config, k8sClient, scmmRepoProvider, helmClient, fileSystemUtils),
@@ -86,9 +87,9 @@ class GitopsPlaygroundCliMainScripted {
 
                 def airGappedUtils = new AirGappedUtils(config, scmmRepoProvider, repoApi, fileSystemUtils, helmClient)
 
-                context.registerSingleton(new Application(config,[
+                context.registerSingleton(new Application(config, [
                         new Registry(config, fileSystemUtils, k8sClient, helmStrategy),
-                        new ScmManager(config, executor, fileSystemUtils, helmStrategy),
+                        new ScmManager(config, executor, fileSystemUtils, helmStrategy, k8sClient),
                         new Jenkins(config, executor, fileSystemUtils, new GlobalPropertyManager(jenkinsApiClient),
                                 new JobManager(jenkinsApiClient), new UserManager(jenkinsApiClient),
                                 new PrometheusConfigurator(jenkinsApiClient), helmStrategy, k8sClient),
@@ -104,4 +105,4 @@ class GitopsPlaygroundCliMainScripted {
             }
         }
     }
-}
+}

src/main/groovy/com/cloudogu/gitops/features/CertManager.groovy

@@ -28,7 +28,7 @@ class CertManager extends Feature implements FeatureWithImage {
     private AirGappedUtils airGappedUtils
     final K8sClient k8sClient
     final Config config
-    final String namespace = "cert-manager"
+    final String namespace = "${config.application.namePrefix}cert-manager"
 
     CertManager(
             Config config,
@@ -82,7 +82,7 @@ class CertManager extends Feature implements FeatureWithImage {
                     'cert-manager',
                     '.',
                     certManagerVersion,
-                    'cert-manager',
+                    namespace,
                     'cert-manager',
                     tempValuesPath, DeploymentStrategy.RepoType.GIT)
         } else {
@@ -91,7 +91,7 @@ class CertManager extends Feature implements FeatureWithImage {
                     'cert-manager',
                     helmConfig.chart,
                     helmConfig.version,
-                    'cert-manager',
+                    namespace,
                     'cert-manager',
                     tempValuesPath
             )
@@ -100,10 +100,10 @@ class CertManager extends Feature implements FeatureWithImage {
 
     private URI getScmmUri() {
         if (config.scmm.internal) {
-            new URI('http://scmm-scm-manager.default.svc.cluster.local/scm')
+            new URI("http://scmm-scm-manager.${config.application.namePrefix}scm-manager.svc.cluster.local/scm")
         } else {
             new URI("${config.scmm.url}")
         }
     }
 
-}
+}

src/main/groovy/com/cloudogu/gitops/features/Content.groovy

@@ -36,10 +36,9 @@ class Content extends Feature {
             String registryUsername = config.registry.readOnlyUsername ?: config.registry.username
             String registryPassword = config.registry.readOnlyPassword ?: config.registry.password
 
-            // Name prefix is added by k8sClient
             List exampleAppNamespaces = [ "example-apps-staging", "example-apps-production"]
             exampleAppNamespaces.each {
-                def namespace = it
+                String namespace = "${config.application.namePrefix}it"
                 def registrySecretName = 'registry'
 
                 k8sClient.createNamespace(it)
@@ -59,4 +58,4 @@ class Content extends Feature {
             }
         }
     }
-}
+}

src/main/groovy/com/cloudogu/gitops/features/ExternalSecretsOperator.groovy

@@ -23,7 +23,7 @@ class ExternalSecretsOperator extends Feature implements FeatureWithImage {
 
     static final String HELM_VALUES_PATH = 'applications/cluster-resources/secrets/external-secrets/values.ftl.yaml'
 
-    String namespace = 'secrets'
+    String namespace = "${config.application.namePrefix}secrets"
     Config config
     K8sClient k8sClient
 
@@ -97,10 +97,10 @@ class ExternalSecretsOperator extends Feature implements FeatureWithImage {
 
     private URI getScmmUri() {
         if (config.scmm.internal) {
-            new URI('http://scmm-scm-manager.default.svc.cluster.local/scm')
+            new URI("http://scmm-scm-manager.${config.application.namePrefix}scm-manager.svc.cluster.local/scm")
         } else {
             new URI("${config.scmm.url}")
         }
     }
 
-}
+}

src/main/groovy/com/cloudogu/gitops/features/IngressNginx.groovy

@@ -23,7 +23,7 @@ class IngressNginx extends Feature implements FeatureWithImage {
 
     static final String HELM_VALUES_PATH = "applications/cluster-resources/ingress-nginx-helm-values.ftl.yaml"
 
-    String namespace = 'ingress-nginx'
+    String namespace = "${config.application.namePrefix}ingress-nginx"
     Config config
     K8sClient k8sClient
 
@@ -95,9 +95,9 @@ class IngressNginx extends Feature implements FeatureWithImage {
 
     private URI getScmmUri() {
         if (config.scmm.internal) {
-            new URI('http://scmm-scm-manager.default.svc.cluster.local/scm')
+            new URI("http://scmm-scm-manager.${config.application.namePrefix}scm-manager.svc.cluster.local/scm")
         } else {
             new URI("${config.scmm.url}")
         }
     }
-}
+}

src/main/groovy/com/cloudogu/gitops/features/Jenkins.groovy

@@ -25,7 +25,7 @@ class Jenkins extends Feature {
 
     static final String HELM_VALUES_PATH = "jenkins/values.ftl.yaml"
 
-    String namespace = 'default'
+    String namespace = "${config.application.namePrefix}jenkins"
 
     private Config config
     private CommandExecutor commandExecutor
@@ -69,6 +69,9 @@ class Jenkins extends Feature {
     void enable() {
 
         if (config.jenkins.internal) {
+
+            k8sClient.createNamespace(namespace)
+
             // Mark the first node for Jenkins and agents. See jenkins/values.ftl.yaml "agent.workingDir" for details.
             // Remove first (in case new nodes were added)
             k8sClient.labelRemove('node', '--all', '', 'node')
@@ -113,7 +116,6 @@ class Jenkins extends Feature {
                 JENKINS_PASSWORD          : config.jenkins.password,
                 // Used indirectly in utils.sh 😬
                 REMOTE_CLUSTER            : config.application.remote,
-                //TODO SCMM wording SCM?
                 SCMM_URL                  : config.scmm.urlForJenkins,
                 SCMM_PASSWORD             : config.scmm.password,
                 SCM_PROVIDER              : config.scmm.provider,
@@ -162,7 +164,6 @@ class Jenkins extends Feature {
         if (config.features.argocd.active) {
 
             String jobName = "${config.application.namePrefix}example-apps"
-            //TODO refactor and rename scmm->scm
             def credentialId = "scmm-user"
 
             jobManger.createJob(jobName,

src/main/groovy/com/cloudogu/gitops/features/Mailhog.groovy

@@ -26,7 +26,7 @@ class Mailhog extends Feature implements FeatureWithImage {
 
     static final String HELM_VALUES_PATH = "applications/cluster-resources/mailhog-helm-values.ftl.yaml"
 
-    String namespace = 'monitoring'
+    String namespace = "${config.application.namePrefix}monitoring"
     Config config
     K8sClient k8sClient
 
@@ -113,9 +113,9 @@ class Mailhog extends Feature implements FeatureWithImage {
 
     private URI getScmmUri() {
         if (config.scmm.internal) {
-            new URI('http://scmm-scm-manager.default.svc.cluster.local/scm')
+            new URI("http://scmm-scm-manager.${config.application.namePrefix}scm-manager.svc.cluster.local/scm")
         } else {
             new URI("${config.scmm.url}")
         }
     }
-}
+}