Enable cost-management in stone-prod-p01 (#9358)

* Apply cost management policies to stone-prod-p01 in prod

---------

Co-authored-by: rrajashe <[email protected]>

Author: raks-tt

components/policies/production/base/cost-management/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- propagate-cost-management-labels/
+- validate-cost-management-labels/

components/policies/production/base/cost-management/propagate-cost-management-labels/.chainsaw-test/chainsaw-assert-clusterpolicy.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: propagate-cost-management-labels
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

components/policies/production/base/cost-management/propagate-cost-management-labels/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,195 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: label-propagation-valid-cost-center
+spec:
+  concurrent: false
+  description: |
+    tests that the labels are correctly set on pods in tenant namespace
+    that have the `cost-center` label
+  steps:
+    - name: Create namespaces for testing
+      try:
+        - create:
+            file: ./resources/namespace-cost-center.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: tenant
+              - name: cost_center
+                value: "670"
+    - name: Apply RBAC
+      try:
+        - apply:
+            file: ../kyverno-rbac.yaml
+    - name: Apply kyverno Cluster Policy and assert it exists
+      try:
+        - apply:
+            file: ../propagate-cost-management-labels.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+            template: true
+            bindings:
+              - name: cluster_policy_name
+                value: propagate-cost-management-labels
+    - name: create pods in tenant
+      try:
+        - create:
+            file: ./resources/pod.yaml
+            bindings:
+              - name: namespace
+                value: tenant
+            template: true
+    - name: assert pods in the tenant are labeled
+      try:
+        - assert:
+            file: ./resources/expected-pod-matching.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: tenant
+              - name: cost_center
+                value: "670"
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: label-not-applied-random-ns
+spec:
+  concurrent: false
+  description: |
+    tests that the label is not applied to pods in a non-tenant namespace
+  steps:
+    - name: Create namespaces for testing
+      try:
+        - create:
+            file: ./resources/namespace-nonmatching.yaml
+    - name: Apply RBAC
+      try:
+        - apply:
+            file: ../kyverno-rbac.yaml
+    - name: Apply kyverno Cluster Policy and assert it exists
+      try:
+        - apply:
+            file: ../propagate-cost-management-labels.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+            template: true
+            bindings:
+              - name: cluster_policy_name
+                value: propagate-cost-management-labels
+    - name: create pods in random-ns
+      try:
+        - create:
+            file: ./resources/pod.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: random-ns
+    - name: assert pods in random-ns are not labeled
+      try:
+        - assert:
+            file: ./resources/pod.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: random-ns
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: rule-not-applied-to-rhtap-releng-tenant
+spec:
+  concurrent: false
+  description: |
+    Tests that the Kyverno policy does not apply to pods in managed tenant namespaces.
+  steps:
+    - name: Create a managed namespace
+      try:
+        - create:
+            file: ./resources/namespace-no-cost-center.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: rhtap-releng-tenant
+    - name: Apply RBAC
+      try:
+        - apply:
+            file: ../kyverno-rbac.yaml
+    - name: Apply Kyverno Cluster Policy and assert it exists
+      try:
+        - apply:
+            file: ../propagate-cost-management-labels.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+            template: true
+            bindings:
+              - name: cluster_policy_name
+                value: propagate-cost-management-labels
+    - name: Create a pod in the namespace
+      try:
+        - create:
+            file: ./resources/pod.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: rhtap-releng-tenant
+    - name: Assert pod in namespace is not labeled
+      try:
+        - assert:
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: demo-pod
+                namespace: rhtap-releng-tenant
+                labels: {}
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: create-pod-in-tenant-namespace-without-cost-center
+spec:
+  concurrent: false
+  description: |
+    Tests that it is possible to create a pod in an existing tenant namespace
+    that does not have the `cost-center` label.
+  steps:
+    - name: Create a tenant namespace without cost-center label
+      try:
+        - create:
+            file: ./resources/namespace-no-cost-center.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: tenant-no-cost-center
+    - name: Apply RBAC
+      try:
+        - apply:
+            file: ../kyverno-rbac.yaml
+    - name: Apply Kyverno Cluster Policy and assert it exists
+      try:
+        - apply:
+            file: ../propagate-cost-management-labels.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+            template: true
+            bindings:
+              - name: cluster_policy_name
+                value: propagate-cost-management-labels
+    - name: Create a pod in the tenant namespace without cost-center label
+      try:
+        - create:
+            file: ./resources/pod.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: tenant-no-cost-center
+    - name: Assert pod in tenant namespace is created successfully
+      try:
+        - assert:
+            file: ./resources/pod.yaml
+            template: true
+            bindings:
+              - name: namespace
+                value: tenant-no-cost-center

components/policies/production/base/cost-management/propagate-cost-management-labels/.chainsaw-test/resources/expected-pod-matching.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: demo-pod
+  namespace: ($namespace)
+  labels:
+    cost-center: ($cost_center)
+    cost_management_optimizations: "true"

components/policies/production/base/cost-management/propagate-cost-management-labels/.chainsaw-test/resources/namespace-cost-center.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ($namespace)
+  labels:
+    konflux-ci.dev/type: tenant
+    cost-center: ($cost_center)
+    cost_management_optimizations: "true"

components/policies/production/base/cost-management/propagate-cost-management-labels/.chainsaw-test/resources/namespace-no-cost-center.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ($namespace)
+  labels:
+    konflux-ci.dev/type: tenant

components/policies/production/base/cost-management/propagate-cost-management-labels/.chainsaw-test/resources/namespace-nonmatching.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: random-ns

components/policies/production/base/cost-management/propagate-cost-management-labels/.chainsaw-test/resources/pod.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: demo-pod
+  namespace: ($namespace)
+  labels:
+    app: test-app
+spec:
+  containers:
+    - name: test-container
+      image: nginx

components/policies/production/base/cost-management/propagate-cost-management-labels/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- propagate-cost-management-labels.yaml
+- kyverno-rbac.yaml

components/policies/production/base/cost-management/propagate-cost-management-labels/kyverno-rbac.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-admission-propagate-cost-management-labels
+  labels:
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - namespaces
+  verbs:
+  - list
+  - get