redhat-na-ssa · codekow · Oct 31, 2023 · Oct 30, 2023 · Oct 31, 2023 · Oct 31, 2023
diff --git a/clusters/default/kustomization.yaml b/clusters/default/kustomization.yaml
@@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ../../components/configs/cluster/sandbox-cleanup
 - ../../components/operators/web-terminal/operator/overlays/fast
 - ../../components/configs/cluster/web-terminal/overlays/enhanced
+- ../../components/configs/cluster/namespace-cleanup/overlays/sandbox
 - ../../components/configs/cluster/namespaces/overlays/default
 - ../../components/configs/cluster/console/overlays/default
 - ../../components/configs/cluster/rbac/overlays/default

diff --git a/...bac/base/99-master-ssh-machineconfig.yaml → ...fig/base/99-master-ssh-machineconfig.yaml b/...bac/base/99-master-ssh-machineconfig.yaml → ...fig/base/99-master-ssh-machineconfig.yaml
diff --git a/...bac/base/99-worker-ssh-machineconfig.yaml → ...fig/base/99-worker-ssh-machineconfig.yaml b/...bac/base/99-worker-ssh-machineconfig.yaml → ...fig/base/99-worker-ssh-machineconfig.yaml
diff --git a/components/configs/cluster/machine-config/base/kustomization.yaml b/components/configs/cluster/machine-config/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - 99-master-ssh-machineconfig.yaml
+  - 99-worker-ssh-machineconfig.yaml
diff --git a/...-config/hugepages-1g/hugepages-1g-mcp.yml → ...ig/dump/hugepages-1g/hugepages-1g-mcp.yml b/...-config/hugepages-1g/hugepages-1g-mcp.yml → ...ig/dump/hugepages-1g/hugepages-1g-mcp.yml
diff --git a/...e-config/hugepages-1g/hugepages-1g-ms.yml → ...fig/dump/hugepages-1g/hugepages-1g-ms.yml b/...e-config/hugepages-1g/hugepages-1g-ms.yml → ...fig/dump/hugepages-1g/hugepages-1g-ms.yml
diff --git a/...epages-1g/hugepages-1g-tuned-boottime.yml → ...epages-1g/hugepages-1g-tuned-boottime.yml b/...epages-1g/hugepages-1g-tuned-boottime.yml → ...epages-1g/hugepages-1g-tuned-boottime.yml
diff --git a/...onfig/hugepages-2m/hugepages-2m-mc-50.yml → .../dump/hugepages-2m/hugepages-2m-mc-50.yml b/...onfig/hugepages-2m/hugepages-2m-mc-50.yml → .../dump/hugepages-2m/hugepages-2m-mc-50.yml
diff --git a/...-config/hugepages-2m/hugepages-2m-mcp.yml → ...ig/dump/hugepages-2m/hugepages-2m-mcp.yml b/...-config/hugepages-2m/hugepages-2m-mcp.yml → ...ig/dump/hugepages-2m/hugepages-2m-mcp.yml
diff --git a/...e-config/hugepages-2m/hugepages-2m-ms.yml → ...fig/dump/hugepages-2m/hugepages-2m-ms.yml b/...e-config/hugepages-2m/hugepages-2m-ms.yml → ...fig/dump/hugepages-2m/hugepages-2m-ms.yml
diff --git a/...epages-2m/hugepages-2m-tuned-boottime.yml → ...epages-2m/hugepages-2m-tuned-boottime.yml b/...epages-2m/hugepages-2m-tuned-boottime.yml → ...epages-2m/hugepages-2m-tuned-boottime.yml
diff --git a/components/configs/cluster/machine-config/overlays/default/exclude-ssh-master.yaml b/components/configs/cluster/machine-config/overlays/default/exclude-ssh-master.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-master-ssh
diff --git a/components/configs/cluster/machine-config/overlays/default/exclude-ssh-worker.yaml b/components/configs/cluster/machine-config/overlays/default/exclude-ssh-worker.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-worker-ssh
diff --git a/components/configs/cluster/machine-config/overlays/default/kustomization.yaml b/components/configs/cluster/machine-config/overlays/default/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+patches:
+  - path: exclude-ssh-master.yaml
+  - path: exclude-ssh-worker.yaml
diff --git a/components/configs/cluster/machine-config/overlays/ssh-example/kustomization.yaml b/components/configs/cluster/machine-config/overlays/ssh-example/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+patches:
+  - target:
+      group: machineconfiguration.openshift.io
+      version: v1
+      kind: MachineConfig
+      name: 99-master-ssh
+    path: patch-ssh.yaml
+  - target:
+      group: machineconfiguration.openshift.io
+      version: v1
+      kind: MachineConfig
+      name: 99-worker-ssh
+    path: patch-ssh.yaml
diff --git a/...ster/rbac/overlays/default/patch-ssh.yaml → ...onfig/overlays/ssh-example/patch-ssh.yaml b/...ster/rbac/overlays/default/patch-ssh.yaml → ...onfig/overlays/ssh-example/patch-ssh.yaml
diff --git a/components/configs/cluster/namespace-cleanup/base/cleanup-cj.yaml b/components/configs/cluster/namespace-cleanup/base/cleanup-cj.yaml
@@ -0,0 +1,85 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: namespace-cleanup
+  namespace: openshift-config
+spec:
+  schedule: "0 12 * * 6"
+  successfulJobsHistoryLimit: 3  # Remove after successful completion
+  failedJobsHistoryLimit: 1  # Retain failed so that we see it
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: namespace-cleanup
+          containers:
+          - name: namespace-cleanup
+            image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
+            env:
+              - name: OBJECTS
+                value: all,cm,secret,pvc,dw,pipeline,el
+              - name: TARGET_NS
+                value: sandbox
+            command:
+              - bash
+              - -c
+              - |
+                #!/bin/sh
+
+                k8s_null_finalizers(){
+                  OBJ=${1}
+                  [ -z ${OBJ+x} ] && return 1
+
+                  NAMESPACE=${NAMESPACE:-$(oc project -q)}
+
+                  kubectl \
+                    patch "${OBJ}" \
+                    -n "${NAMESPACE}" \
+                    --type=merge \
+                    -p '{"metadata":{"finalizers":null}}'
+                }
+
+                k8s_get_most_api_resources(){
+                    kubectl api-resources \
+                        --verbs=list \
+                        --namespaced \
+                        -o name | \
+                        grep -v "events.events.k8s.io" | \
+                        grep -v "events" | \
+                        grep -v "packagemanifests" | \
+                        grep -v "operator.openshift.io" | \
+                        grep -v "operators.coreos.com" | \
+                        grep -v "authorization.openshift.io" | \
+                        grep -v "serviceaccount" | \
+                        grep -v "rbac" | \
+                        sort | uniq
+                }
+
+                k8s_null_finalizers_for_all_resource_instances(){
+                  RESOURCE=${1}
+                  [ -z ${RESOURCE+x} ] && return 1
+
+                  NAMESPACE=${NAMESPACE:-$(oc project -q)}
+
+                  for OBJ in $(oc -n "${NAMESPACE}" get "${RESOURCE}" -o name)
+                  do
+                    k8s_null_finalizers "${OBJ}"
+                  done
+                }
+
+                k8s_ns_delete_most_resources_force(){
+                  NAMESPACE=${1:-sandbox}
+
+                  for i in $(k8s_get_most_api_resources)
+                  do
+                    echo "Resource:" "${i}"
+                    k8s_null_finalizers_for_all_resource_instances "${i}"
+                    kubectl -n "${NAMESPACE}" \
+                      delete "${i}" \
+                      --all
+                  done
+                }
+
+                k8s_ns_delete_most_resources_force "${TARGET_NS}"
diff --git a/...r/sandbox-cleanup/sandbox-cleanup-rb.yaml → ...er/namespace-cleanup/base/cleanup-rb.yaml b/...r/sandbox-cleanup/sandbox-cleanup-rb.yaml → ...er/namespace-cleanup/base/cleanup-rb.yaml
@@ -1,12 +1,11 @@
-kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
-  name: sandbox-cleanup
-  namespace: sandbox
+  name: namespace-cleanup
 subjects:
 - kind: ServiceAccount
-  name: sandbox-cleanup
-  namespace: openshift-gitops
+  name: namespace-cleanup
+  namespace: openshift-config
 roleRef:
   kind: ClusterRole
   name: edit

diff --git a/...r/sandbox-cleanup/sandbox-cleanup-sa.yaml → ...er/namespace-cleanup/base/cleanup-sa.yaml b/...r/sandbox-cleanup/sandbox-cleanup-sa.yaml → ...er/namespace-cleanup/base/cleanup-sa.yaml
@@ -3,4 +3,5 @@ kind: ServiceAccount
 metadata:
   annotations:
     argocd.argoproj.io/compare-options: IgnoreExtraneous
-  name: sandbox-cleanup
+  name: namespace-cleanup
+  namespace: openshift-config
diff --git a/components/configs/cluster/namespace-cleanup/base/kustomization.yaml b/components/configs/cluster/namespace-cleanup/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cleanup-cj.yaml
+  - cleanup-rb.yaml
+  - cleanup-sa.yaml
diff --git a/components/configs/cluster/namespace-cleanup/overlays/sandbox/kustomization.yaml b/components/configs/cluster/namespace-cleanup/overlays/sandbox/kustomization.yaml
@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+  cleanup: sandbox
+
+resources:
+  - ../../base
+
+patches:
+  - target:
+      group: batch
+      kind: CronJob
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: sandbox-cleanup
+      - op: replace
+        path: /spec/jobTemplate/spec/template/spec/serviceAccountName
+        value: sandbox-cleanup
+  - target:
+      group: rbac.authorization.k8s.io
+      kind: RoleBinding
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: sandbox-cleanup
+      - op: replace
+        path: /metadata/namespace
+        value: sandbox
+      - op: replace
+        path: /subjects/0/name
+        value: sandbox-cleanup
+  - target:
+      kind: ServiceAccount
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: sandbox-cleanup
diff --git a/components/configs/cluster/namespaces/base/kustomization.yaml b/components/configs/cluster/namespaces/base/kustomization.yaml
@@ -4,4 +4,3 @@ kind: Kustomization
 resources:
   - cluster-config-project.yaml
   - project-request-template.yaml
-  - self-provisioner-clusterrolebinding.yaml
diff --git a/components/configs/cluster/namespaces/instance/registry/rolebinding-edit.yaml b/components/configs/cluster/namespaces/instance/registry/rolebinding-edit.yaml
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: lab-cluster-readers
+  name: workshop-admins
diff --git a/components/configs/cluster/namespaces/instance/sandbox/group-admin.yaml b/components/configs/cluster/namespaces/instance/sandbox/group-admin.yaml
diff --git a/components/configs/cluster/namespaces/instance/sandbox/kustomization.yaml b/components/configs/cluster/namespaces/instance/sandbox/kustomization.yaml
@@ -4,7 +4,6 @@ kind: Kustomization
 namespace: sandbox
 
 resources:
-  # - group-admin.yaml
   - limit-range.yaml
   - namespace.yaml
   - quota.yaml

diff --git a/components/configs/cluster/namespaces/overlays/default-limited/kustomization.yaml b/components/configs/cluster/namespaces/overlays/default-limited/kustomization.yaml
@@ -5,13 +5,6 @@ resources:
   - ../default
 
 patches:
-  - target:
-      kind: ClusterRoleBinding
-      name: self-provisioners
-    patch: |
-      - op: replace
-        path: /subjects
-        value:
   - target:
       kind: LimitRange
       name: limit-range

diff --git a/...dp/cluster-admins-custom-rolebinding.yaml → ...e/cluster-admins-rolebinding-default.yaml b/...dp/cluster-admins-custom-rolebinding.yaml → ...e/cluster-admins-rolebinding-default.yaml
@@ -1,11 +1,16 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cluster-admins-custom
+  name: cluster-admins
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: 'true'
 subjects:
   - kind: Group
     apiGroup: rbac.authorization.k8s.io
-    name: cluster-admins-custom
+    name: 'system:cluster-admins'
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: 'system:admin'
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/components/configs/cluster/rbac/base/cluster-admins-rolebinding.yaml b/components/configs/cluster/rbac/base/cluster-admins-rolebinding.yaml
@@ -1,7 +1,8 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cluster-admins
+  # added `-group` to name to avoid collision with default
+  name: cluster-admins-group
 subjects:
   - kind: Group
     apiGroup: rbac.authorization.k8s.io

diff --git a/components/configs/cluster/rbac/base/cluster-readers-rolebinding.yaml b/components/configs/cluster/rbac/base/cluster-readers-rolebinding.yaml
@@ -1,7 +1,8 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cluster-readers
+  # added `-group` to name to be consistent with cluster-admins
+  name: cluster-readers-group
 subjects:
   - kind: Group
     apiGroup: rbac.authorization.k8s.io

diff --git a/components/configs/cluster/rbac/base/kustomization.yaml b/components/configs/cluster/rbac/base/kustomization.yaml
@@ -2,9 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - 99-master-ssh-machineconfig.yaml
-  - 99-worker-ssh-machineconfig.yaml
-  - workshop-admins-group.yaml
-  - workshop-users-group.yaml
-  # see components/configs/namespaces/base
-  # - self-provisioner-clusterrolebinding.yaml
+  - cluster-admins-group.yaml
+  - cluster-admins-rolebinding.yaml
+  - cluster-readers-group.yaml
+  - cluster-readers-rolebinding.yaml
+  - self-provisioner-clusterrolebinding.yaml
diff --git a/.../self-provisioner-clusterrolebinding.yaml → .../self-provisioner-clusterrolebinding.yaml b/.../self-provisioner-clusterrolebinding.yaml → .../self-provisioner-clusterrolebinding.yaml
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-group.yaml b/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-group.yaml
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-rolebinding.yaml b/components/configs/cluster/rbac/overlays/default/cluster-admins-custom-rolebinding.yaml
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-group.yaml b/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-group.yaml
diff --git a/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-rolebinding.yaml b/components/configs/cluster/rbac/overlays/default/cluster-readers-custom-rolebinding.yaml
diff --git a/components/configs/cluster/rbac/overlays/default/exclude-self-provisioner.yaml b/components/configs/cluster/rbac/overlays/default/exclude-self-provisioner.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: self-provisioners
diff --git a/components/configs/cluster/rbac/overlays/default/kustomization.yaml b/components/configs/cluster/rbac/overlays/default/kustomization.yaml
@@ -5,15 +5,4 @@ resources:
   - ../../base
 
 patches:
-  - target:
-      group: machineconfiguration.openshift.io
-      version: v1
-      kind: MachineConfig
-      name: 99-master-ssh
-    path: patch-ssh.yaml
-  - target:
-      group: machineconfiguration.openshift.io
-      version: v1
-      kind: MachineConfig
-      name: 99-worker-ssh
-    path: patch-ssh.yaml
+  - path: exclude-self-provisioner.yaml
diff --git a/components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-group.yaml b/components/configs/cluster/rbac/overlays/rhdp/cluster-admins-custom-group.yaml
diff --git a/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-group.yaml b/components/configs/cluster/rbac/overlays/rhdp/cluster-readers-custom-group.yaml