Merge pull request #157 from appuio/template-sync

Update from component template

.cruft.json

@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/projectsyn/commodore-component-template.git",
-  "commit": "5b2799d8242f1c59beaa9502599ca88f9e006db4",
+  "commit": "956a1b342ed680b02b1fb1b646dc5d4c640e2028",
   "checkout": "main",
   "context": {
     "cookiecutter": {

Makefile.vars.mk

@@ -40,10 +40,10 @@ YAMLLINT_CONFIG ?= .yamllint.yml
 YAMLLINT_IMAGE  ?= docker.io/cytopia/yamllint:latest
 YAMLLINT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) $(YAMLLINT_IMAGE)
 
-VALE_CMD  ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --volume "$${PWD}"/docs/modules:/pages docker.io/vshn/vale:2.1.1
+VALE_CMD  ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --volume "$${PWD}"/docs/modules:/pages ghcr.io/vshn/vale:2.15.5
 VALE_ARGS ?= --minAlertLevel=error --config=/pages/ROOT/pages/.vale.ini /pages
 
-ANTORA_PREVIEW_CMD ?= $(DOCKER_CMD) run --rm --publish 35729:35729 --publish 2020:2020 $(antora_git_volume) --volume "${PWD}/docs":/preview/antora/docs docker.io/vshn/antora-preview:3.0.1.1 --style=syn --antora=docs
+ANTORA_PREVIEW_CMD ?= $(DOCKER_CMD) run --rm --publish 35729:35729 --publish 2020:2020 $(antora_git_volume) --volume "${PWD}/docs":/preview/antora/docs ghcr.io/vshn/antora-preview:3.1.2.3 --style=syn --antora=docs
 
 COMMODORE_CMD  ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(git_volume) $(root_volume) docker.io/projectsyn/commodore:latest
 COMPILE_CMD    ?= $(COMMODORE_CMD) component compile . $(commodore_args)

docs/modules/ROOT/pages/.vale.ini

@@ -0,0 +1 @@
+# Vale config

docs/modules/ROOT/pages/references/policies/02_disallow_reserved_namespaces.adoc

@@ -37,35 +37,19 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check if the namespace name of the request matches one of the disallowed namespace patterns.
+      - Check if the requesting user/serviceaccount has a cluster role that allows them to create reserved namespaces.
 
-      - Check if the namespace name of the request matches one of the disallowed namespace
-      patterns.
+      If the namespace matches a disallowed pattern and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied.
+      The policy is applied for requests to create `Namespace` and `ProjectRequest` resources.
+      This ensures that unprivileged users can't use disallowed patterns regardless of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web console.
 
-      - Check if the requesting user/serviceaccount has a cluster role that allows
-      them to create reserved namespaces.
+      The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component parameter `reservedNamespaces`].
 
-
-      If the namespace matches a disallowed pattern and the requester doesn''t have
-      a cluster role which allows them to bypass the policy, the request is denied.
-
-      The policy is applied for requests to create `Namespace` and `ProjectRequest`
-      resources.
-
-      This ensures that unprivileged users can''t use disallowed patterns regardless
-      of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web
-      console.
-
-
-      The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component
-      parameter `reservedNamespaces`].
-
-
-      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
-
-      '
+      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

docs/modules/ROOT/pages/references/policies/02_organization_namespaces.adoc

@@ -40,37 +40,22 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check that each namespace created by a user without cluster-admin  permissions has a label appuio.io/organization which isn't empty.
+      - Check that the creating user is in the organization it tries to create a namespace for.
 
-      - Check that each namespace created by a user without cluster-admin  permissions
-      has a label appuio.io/organization which isn''t empty.
-
-      - Check that the creating user is in the organization it tries to create a namespace
-      for.
-
-
-      The user''s organization membership is checked by:
-
+      The user's organization membership is checked by:
 
       - Fetching all OpenShift groups
+      - Reading the `appuio.io/organization` label of the request and finding a group with the same name
 
-      - Reading the `appuio.io/organization` label of the request and finding a group
-      with the same name
-
-
-      If a group matching the label value exists, the policy checks that the user
-      which issued the request is a member of that group.
-
-
-      If the label `appuio.io/organization` is missing or empty or the user isn''t
-      a member of the group, the request is denied.
-
+      If a group matching the label value exists, the policy checks that the user which issued the request is a member of that group.
 
-      Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
+      If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied.
 
-      '
+      Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

docs/modules/ROOT/pages/references/policies/02_organization_projects.adoc

@@ -39,36 +39,21 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check that each project created by a user without cluster-admin  permissions has a label appuio.io/organization which isn't empty.
+      - Check that the creating user is in the organization they try to create a project for.
 
-      - Check that each project created by a user without cluster-admin  permissions
-      has a label appuio.io/organization which isn''t empty.
-
-      - Check that the creating user is in the organization they try to create a project
-      for.
-
-
-      The user''s organization membership is checked by:
-
-
-      - Reading the project''s annotation `openshift.io/requester` which contains
-      the username of the user who originally requested the project.
+      The user's organization membership is checked by:
 
+      - Reading the project's annotation `openshift.io/requester` which contains the username of the user who originally requested the project.
       - Fetching all OpenShift groups
+      - Reading the `appuio.io/organization` label of the request and finding a group with the same name
 
-      - Reading the `appuio.io/organization` label of the request and finding a group
-      with the same name
-
-
-      If a group matching the label value exists, the policy checks that the user
-      which requested the project is a member of that group.
-
-
-      If the label `appuio.io/organization` is missing or empty or the user isn''t
-      a member of the group, the request is denied.
+      If a group matching the label value exists, the policy checks that the user which requested the project is a member of that group.
 
-      '
+      If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

docs/modules/ROOT/pages/references/policies/02_organization_sa_namespaces.adoc

@@ -38,33 +38,20 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check that each namespace created by a serviceaccount without cluster-admin permissions has a label appuio.io/organization which isn't empty.
+      - Check that the creating serviceaccount is part of the organization it tries to create a namespace for.
 
-      - Check that each namespace created by a serviceaccount without cluster-admin
-      permissions has a label appuio.io/organization which isn''t empty.
+      The serviceaccount's organization membership is checked by:
 
-      - Check that the creating serviceaccount is part of the organization it tries
-      to create a namespace for.
+      - Fetching the serviceaccount's namespace
+      - Comparing that namespace's `appuio.io/organization` label value with the request's `appuio.io/organization` label value.
 
+      If the label `appuio.io/organization` is missing or empty or the serviceaccount's organization doesn't match the request's organization the request is denied.
 
-      The serviceaccount''s organization membership is checked by:
-
-
-      - Fetching the serviceaccount''s namespace
-
-      - Comparing that namespace''s `appuio.io/organization` label value with the
-      request''s `appuio.io/organization` label value.
-
-
-      If the label `appuio.io/organization` is missing or empty or the serviceaccount''s
-      organization doesn''t match the request''s organization the request is denied.
-
-
-      Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
-
-      '
+      Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

docs/modules/ROOT/pages/references/policies/02_validate_namespace_metadata.adoc

@@ -35,26 +35,16 @@ metadata:
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
-
+    policies.kyverno.io/description: |
+      This policy will:
 
       - Check annotations and labels on new and modified namespaces against a whitelist.
 
+      If the namespace has an annotation or label which isn't whitelisted and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied.
 
-      If the namespace has an annotation or label which isn''t whitelisted and the
-      requester doesn''t have a cluster role which allows them to bypass the policy,
-      the request is denied.
-
-
-      The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component
-      parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component
-      parameter `allowedNamespaceLabels`] respectively.
-
-
-      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
+      The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component parameter `allowedNamespaceLabels`] respectively.
 
-      '
+      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations
@@ -140,11 +130,13 @@ spec:
             list: 'request.object&& merge(    not_null(request.object.metadata.labels,
               `{}`)   ,not_null(request.oldObject.metadata.labels, `{}`))  | map(&{key:
               @}, keys(@))'
-        message: "The following labels can be modified:\n    appuio.io/organization,\
-          \ custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults,\
-          \ network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu.\n\
-          labels given:\n    {{request.object.metadata.labels}}.\nlabels before modification:\n\
-          \    {{request.oldObject.metadata.labels}}."
+        message: |-
+          The following labels can be modified:
+              appuio.io/organization, custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults, network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu.
+          labels given:
+              {{request.object.metadata.labels}}.
+          labels before modification:
+              {{request.oldObject.metadata.labels}}.
     - exclude:
         any:
           - clusterRoles:
@@ -218,12 +210,13 @@ spec:
             list: 'request.object&& merge(    not_null(request.object.metadata.annotations,
               `{}`)   ,not_null(request.oldObject.metadata.annotations, `{}`))  |
               map(&{key: @}, keys(@))'
-        message: "The following annotations can be modified:\n    custom.appuio.io/*,\
-          \ appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration,\
-          \ policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override,\
-          \ test.appuio.io/*, compute.test.appuio.io/cpu.\nannotations given:\n  \
-          \  {{request.object.metadata.annotations}}.\nannotations before modification:\n\
-          \    {{request.oldObject.metadata.annotations}}."
+        message: |-
+          The following annotations can be modified:
+              custom.appuio.io/*, appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration, policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override, test.appuio.io/*, compute.test.appuio.io/cpu.
+          annotations given:
+              {{request.object.metadata.annotations}}.
+          annotations before modification:
+              {{request.oldObject.metadata.annotations}}.
   validationFailureAction: enforce
 
 ----

docs/modules/ROOT/pages/references/policies/03_projectrequest.adoc

@@ -32,23 +32,14 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will check that the requesting user
-      has the `appuio.io/default-organization` annotation.
+    policies.kyverno.io/description: |
+      This policy will check that the requesting user has the `appuio.io/default-organization` annotation.
+      The content of the annotation isn't validated.
+      Instead the policy assumes that any default organization annotations which are present on user objects are valid.
 
-      The content of the annotation isn''t validated.
+      If the requesting user doesn't have the `appuio.io/default-organization` annotation, the project request is denied.
 
-      Instead the policy assumes that any default organization annotations which are
-      present on user objects are valid.
-
-
-      If the requesting user doesn''t have the `appuio.io/default-organization` annotation,
-      the project request is denied.
-
-
-      Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
-
-      '
+      Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/project-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

docs/modules/ROOT/pages/references/policies/11_generate_quota_limit_range_in_ns.adoc

@@ -32,26 +32,14 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Resource Quota
-    policies.kyverno.io/description: 'This policy generates `ResourceQuota` and `LimitRange`
-      objects in namespaces which have the `appuio.io/organization` label.
+    policies.kyverno.io/description: |
+      This policy generates `ResourceQuota` and `LimitRange` objects in namespaces which have the `appuio.io/organization` label.
 
+      The default values for the generated `ResourceQuota` and `LimitRange` objects are configured in component parameters xref:references/parameters.adoc#_generatedresourcequota[`generatedResourceQuota`] and xref:references/parameters.adoc#_generatedlimitrange[`generatedLimitRange`] respectively.
 
-      The default values for the generated `ResourceQuota` and `LimitRange` objects
-      are configured in component parameters xref:references/parameters.adoc#_generatedresourcequota[`generatedResourceQuota`]
-      and xref:references/parameters.adoc#_generatedlimitrange[`generatedLimitRange`]
-      respectively.
+      Quota entries can be overridden for single namespaces by annotating the namespace, see the xref:references/parameters.adoc#_generatedresourcequota_spec[parameter docs] for an example.
 
-
-      Quota entries can be overridden for single namespaces by annotating the namespace,
-      see the xref:references/parameters.adoc#_generatedresourcequota_spec[parameter
-      docs] for an example.
-
-
-      If field `synchronize` in the `ResourceQuota` or `LimitRange` component parameter
-      is set to `true`, the policy is configured to continuously keep the generated
-      objects in sync with the specification in the policy.
-
-      '
+      If field `synchronize` in the `ResourceQuota` or `LimitRange` component parameter is set to `true`, the policy is configured to continuously keep the generated objects in sync with the specification in the policy.
     policies.kyverno.io/jsonnet: component/quota-limitrange.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations