Implement ResourceQuota and LimitRange generation in agent (#204)

class/defaults.yml

@@ -17,7 +17,7 @@ parameters:
       agent:
         registry: ghcr.io
         repository: appuio/appuio-cloud-agent
-        tag: v0.18.1
+        tag: v0.19.0
 
     secrets: {}
 
@@ -88,6 +88,13 @@ parameters:
         PodRunOnceActiveDeadlineSecondsOverrideAnnotation: ${appuio_cloud:runOnceActiveDeadlineSeconds:overrideAnnotationKey}
         PodRunOnceActiveDeadlineSecondsDefault: ${appuio_cloud:runOnceActiveDeadlineSeconds:defaultActiveDeadlineSeconds}
 
+        LegacyResourceQuotaAnnotationBase: resourcequota.appuio.io
+        _LegacyDefaultResourceQuotas: ${appuio_cloud:generatedResourceQuota}
+
+        LegacyLimitRangeName: ${appuio_cloud:generatedLimitRange:name}
+        _LegacyDefaultLimitRange:
+          _limits: ${appuio_cloud:generatedLimitRange:limits}
+
     clusterRoles:
       namespace-owner:
         rules:

component/agent.jsonnet

@@ -117,6 +117,16 @@ local configMap =
         _allowedAnnotations:: null,
         AllowedLabels: common.FlattenSet(super._allowedLabels),
         _allowedLabels:: null,
+
+        local legacyDefaultResourceQuotas = super._LegacyDefaultResourceQuotas,
+        LegacyDefaultResourceQuotas: std.foldl(function(prev, k) prev { [k]: legacyDefaultResourceQuotas[k] + legacyDefaultResourceQuotas[k].spec { synchronize:: null, spec:: null } }, std.objectFields(legacyDefaultResourceQuotas), {}),
+        _LegacyDefaultResourceQuotas:: null,
+
+        local legacyDefaultLimitRange = super._LegacyDefaultLimitRange,
+        LegacyDefaultLimitRange: {
+          limits: std.map(function(l) legacyDefaultLimitRange._limits[l] { type: l }, std.objectFields(legacyDefaultLimitRange._limits)),
+        },
+        _LegacyDefaultLimitRange:: null,
       }),
     },
   };

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml

@@ -26,7 +26,59 @@ data:
       "monitoring-edit-probe": "monitoring-edit-probe"
       "namespace-owner": "namespace-owner"
       "resource-quota-edit": "resource-quota-edit"
+    "LegacyDefaultLimitRange":
+      "limits":
+      - "default":
+          "cpu": "600m"
+          "memory": "768Mi"
+        "defaultRequest":
+          "cpu": "10m"
+          "memory": "100Mi"
+        "min":
+          "cpu": "10m"
+          "ephemeral-storage": "100Ki"
+          "memory": "4Mi"
+        "type": "Container"
+    "LegacyDefaultResourceQuotas":
+      "organization-compute":
+        "hard":
+          "limits.cpu": 8
+          "limits.memory": "20Gi"
+          "pods": "45"
+          "requests.cpu": 4
+          "requests.memory": "4Gi"
+        "scopes":
+        - "NotTerminating"
+      "organization-compute-terminating":
+        "hard":
+          "limits.cpu": "4000m"
+          "limits.memory": "4Gi"
+          "pods": "5"
+          "requests.cpu": "500m"
+          "requests.memory": "2Gi"
+        "scopes":
+        - "Terminating"
+      "organization-objects":
+        "hard":
+          "cephfs-fspool-cluster.storageclass.storage.k8s.io/requests.storage": "25Gi"
+          "count/configmaps": "150"
+          "count/jobs.batch": "150"
+          "count/replicationcontrollers": "100"
+          "count/secrets": "150"
+          "count/services": "20"
+          "count/services.loadbalancers": "0"
+          "count/services.nodeports": "0"
+          "limits.ephemeral-storage": "500Mi"
+          "localblock-storage.storageclass.storage.k8s.io/persistentvolumeclaims": "0"
+          "openshift.io/imagestreams": "20"
+          "openshift.io/imagestreamtags": "50"
+          "persistentvolumeclaims": "10"
+          "rbd-storagepool-cluster.storageclass.storage.k8s.io/requests.storage": "25Gi"
+          "requests.ephemeral-storage": "250Mi"
+          "requests.storage": "1000Gi"
+    "LegacyLimitRangeName": "organization"
     "LegacyNamespaceQuota": 25
+    "LegacyResourceQuotaAnnotationBase": "resourcequota.appuio.io"
     "MemoryPerCoreLimit": "4Gi"
     "OrganizationLabel": "appuio.io/organization"
     "PodRunOnceActiveDeadlineSecondsDefault": 1800

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml

@@ -13,7 +13,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: ae18fd44fae34c4d84d9d3599cfa6a84
+        checksum/config: 477f1a3132751bf3e9e3f16b868e1ccb
         kubectl.kubernetes.io/default-container: agent
       labels:
         control-plane: appuio-cloud-agent
@@ -26,7 +26,7 @@ spec:
           command:
             - appuio-cloud-agent
           env: []
-          image: ghcr.io/appuio/appuio-cloud-agent:v0.18.1
+          image: ghcr.io/appuio/appuio-cloud-agent:v0.19.0
           livenessProbe:
             httpGet:
               path: /healthz

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/10_webhook_config.yaml

@@ -109,6 +109,34 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: appuio-cloud-validating-webhook-configuration
 webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZlRENDQTJDZ0F3SUJBZ0lVSCt4V3hxTWNBWXAydDlqbVJaOFNsWjNta05zd0RRWUpLb1pJaHZjTkFRRUwKQlFBd01URXZNQzBHQTFVRUF3d21kMlZpYUc5dmF5MXpaWEoyYVdObExtRndjSFZwYnkxamIyNTBjbTlzTFdGdwphUzV6ZG1Nd0hoY05Nakl3TXpJNU1Ea3lOVE0xV2hjTk16SXdNekkyTURreU5UTTFXakF4TVM4d0xRWURWUVFECkRDWjNaV0pvYjI5ckxYTmxjblpwWTJVdVlYQndkV2x2TFdOdmJuUnliMnd0WVhCcExuTjJZekNDQWlJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDQWdvQ2dnSUJBTnVMWGpoQzFZeU80QWpLUmRyS2E0YVlJcjkzd3RRVQpGaEdhdlpVNStOc0Q0RGFldUJ0QXlsblEyaTJ5Nmx0VWxYOExXVHdES0dZYTJ6TGlXT05YZFpNWFhhZCtoWXo2CmZWVEo2ODFHSDQva28yZE1jVTdJQUlSS0RROGNMOHJiM0dVWHNPR1JMUU0xRTRmTkNiR2k2b1VSeXhjQUdScVEKWW0xOFBmR2ZxalhDMEhVVmprV0FQUXVjOWxHektqRlRSNThwVkVvNXBvNGdTaHJHN1FPZFpvc1Z4VnJJOHFIWQpaVGdLZVpzZW9EV280SWVIcGtlOXVaZzIwSy9tUFlTV3lBNFExQzFiaFh5dmJBb25oejBlRTBqelJveU5sUmZnCjBnSkZEbzhIY2FQTGdTM3hHTnhJUXRIWEY0Z1p2OFZoVmpNNENBTEVwNE00ajNiTkoyTU4rdEJvRXZ5N2VhYTUKSERuRlJic2tUcmdhU082R1ZkSDJRTmVZUXcxd3hmMVd6QkwvR2Z0QVJuOG1hUnl6SmU0L3BpS3lreDYrVTUxUwpvend2RXh2YzdVT251QUxGS2h6Wk1aeWlTUkRSK3J5aE1za3ZrNHpQemxZcTI0NnNzQ1NuZmRvczJDaE1pdmhxCi9IZnM1N1I2VWpDM0gyYUx5cGR5eDNhaWZBSndaaUR3WjBMaWpjb1dmWGZIc2prK0Y5YTErdnRHQXhGZnQ1QW8KZERzd2NldDRnbnpSMmxEcEloYTBmNlE3MDY1c0VnV1FBL1h6MGdoaUdnOTRVc0JKVGs4VTZxR3JzbmdhZnhIaApybUNGWk9PZXhuMnY2RnBrWWFORkhTdko4ZmNrV1lSN01sVFppM2lodjJPZFpVUzhNdG5acWd6ckRmaldaL29oCnlyNlY3SGoxcjF0dEFnTUJBQUdqZ1ljd2dZUXdIUVlEVlIwT0JCWUVGQ2ZEQ0R3eFlzM1hlZVc0NWpFVStCNksKSDNNME1COEdBMVVkSXdRWU1CYUFGQ2ZEQ0R3eFlzM1hlZVc0NWpFVStCNktIM00wTUE4R0ExVWRFd0VCL3dRRgpNQU1CQWY4d01RWURWUjBSQkNvd0tJSW1kMlZpYUc5dmF5MXpaWEoyYVdObExtRndjSFZwYnkxamIyNTBjbTlzCkxXRndhUzV6ZG1Nd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFJZVo5bEpoUHlBN0ZJOThaOGJMUDNrQy9hNm4KcGJ6dDlleGt6YytFUmlObVV5OW4zUTF5a0lEcE1NbERtdHpjaTNFZWp1SEw4MmkvQTRKdHVqK0IvaVJnSWtHWQpMM1BoOEJzSk5TWmhzdkV2aHFKVTAyL05yMDRTWWlmeTRkcWU0U2paTG52ZDQ1d2RITmFDbWxvUmNLdHowUVROCkUwdG5iSklTdnBUbFI4cGF0ZnRFTjRydTFhbWQrR01VUHVub3lrRVJaVGZ0SHcwU08vbFZPbFZBVERqTHBOSlAKMElXYkJyWkpUTFNGN3Voa0dmcFIyYUl1a3FVaTBRdkRSUUo0RDc3VmEzRHF3ZXRtV1NFQUJsZzFyZnh1dlAwawoza2JEMS9KWDFJM0EyNlNxczlYNWxTcVhUcTFzVEt6ZCsyZ3RFdWxJSjV6MEV0Mnkwck9XblB2WHhKNExkNEMvCnpBY3JvOWFNMTF5cVAvQmptZEwrbDNyWVJqOE4zOHMzOUV6aEFZM012WW5TeTFQMlJtTC9wNEJzck9Fdk41TXEKL0U5ektFWHNUUVh2aVpjNTZKK2lDck1BdVJmUUhYRElrd3RJRDJvUnVQMHQ0eHRhdFFvcmY0SlYvUFJNQXcwaQpadnJHTXpYNjFyMGVxbjF0M2JFSjQ5UCtZdnphd0VySC9sM3pkSVRNYzEzc09XWlExTmF5ZWt4ZVZJT2E2aHlkClNGT2JNZExWSkNVV2NkejUyRUFrNGpscU4wdk44aU1TRm5COG1CVDRYKzhyZWF1b3BmV0FuRkg4VldmTjh0eU4KbTJqNkw3TGIydXdCQ3EyTmFPWTlITlNpNTJOL0o2RG5RWmVnb2dReENVaVQ3WUpyNFh0a2Fidjk5YzZtbjIzMAphbCtMOSsxVmNkZmFac1BJCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+      service:
+        name: webhook-service
+        namespace: appuio-cloud
+        path: /validate-reserved-resourcequota-limitrange
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    name: reserved-resourcequota-limitrange-validator.appuio.io
+    namespaceSelector:
+      matchExpressions:
+        - key: appuio.io/organization
+          operator: Exists
+    rules:
+      - apiGroups:
+          - ''
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        resources:
+          - resourcequotas
+          - limitranges
+    sideEffects: None
   - admissionReviewVersions:
       - v1
     clientConfig: