add template for gardener soil project

metal-stack · Jun 21, 2024 · 4ddbcb6 · 4ddbcb6
1 parent baeb80b
commit 4ddbcb6
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 28 deletions.
diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml
@@ -41,6 +41,11 @@ gardener_soil_name: "{{ metal_control_plane_stage_name }}"
 gardener_soil_kubeconfig_file_path: "{{ lookup('env', 'KUBECONFIG') }}"
 gardener_soil_vertical_pod_autoscaler_enabled: false
 gardener_soil_project_owner_name: admin
+gardener_soil_project_members:
+  - name: admin
+    role: admin
+    roles:
+    - owner
 
 gardener_gardenlet_shoot_concurrent_syncs: 20
 gardener_gardenlet_shoot_reconcile_in_maintenance_only: false

diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml
@@ -121,34 +121,7 @@
 
 - name: Create Gardener project for shooted seeds
   k8s:
-    definition:
-      apiVersion: core.gardener.cloud/v1beta1
-      kind: Project
-      metadata:
-        name: "{{ gardener_soil_name }}"
-        labels:
-          gardener.cloud/role: "project"
-          project.gardener.cloud/name: "{{ gardener_soil_name }}"
-      spec:
-        namespace: garden
-        tolerations:
-          defaults:
-            - key: seed.gardener.cloud/protected
-            - key: seed.gardener.cloud/invisible
-            - key: seed.gardener.cloud/disable-capacity-reservation
-          whitelist:
-            - key: seed.gardener.cloud/protected
-            - key: seed.gardener.cloud/invisible
-            - key: seed.gardener.cloud/disable-capacity-reservation
-        owner:
-          apiGroup: rbac.authorization.k8s.io
-          kind: User
-          name: "{{ gardener_soil_project_owner_name }}"
-        members:
-        - apiGroup: rbac.authorization.k8s.io
-          kind: User
-          name: "{{ gardener_soil_project_owner_name }}"
-          role: admin
+    definition: "{{ lookup('template', 'gardener-soil-project.yaml.j2') }}"
     kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
   when: not lookup('k8s', kubeconfig=gardener_kube_apiserver_kubeconfig_path, api_version='core.gardener.cloud/v1beta1', kind='Project', resource_name=gardener_soil_name)
 

diff --git a/control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2 b/control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2
@@ -0,0 +1,32 @@
+apiVersion: core.gardener.cloud/v1beta1
+kind: Project
+metadata:
+  name: "{{ gardener_soil_name }}"
+  labels:
+    gardener.cloud/role: "project"
+    project.gardener.cloud/name: "{{ gardener_soil_name }}"
+spec:
+  namespace: garden
+  tolerations:
+    defaults:
+      - key: seed.gardener.cloud/protected
+      - key: seed.gardener.cloud/invisible
+      - key: seed.gardener.cloud/disable-capacity-reservation
+    whitelist:
+      - key: seed.gardener.cloud/protected
+      - key: seed.gardener.cloud/invisible
+      - key: seed.gardener.cloud/disable-capacity-reservation
+  owner:
+    apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: "{{ gardener_soil_project_owner_name }}"
+  members:
+    apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: "{{ user.name }}"
+    role: "{{ user.role }}"
+    roles:
+      loop: "{{ user.roles }}"
+    loop: "{{ gardener_soil_project_members }}"
+    loop_control:
+      loop_var: user