Switch CodeOwners to Aldebaran Tech

CODEOWNERS

@@ -1,2 +1,2 @@
 
-* @appuio/aldebaran
+* @appuio/aldebaran-tech

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml

@@ -1,23 +1,41 @@
 apiVersion: v1
 data:
-  config.yaml: "\"DefaultNamespaceNodeSelectorAnnotation\": \"appuio.io/default-node-selector\"\
-    \n\"DefaultNodeSelector\": {}\n\"DefaultOrganizationClusterRoles\":\n  \"admin\"\
-    : \"admin\"\n  \"alert-routing-edit\": \"alert-routing-edit\"\n  \"monitoring-edit\"\
-    : \"monitoring-edit\"\n  \"monitoring-edit-probe\": \"monitoring-edit-probe\"\n\
-    \  \"namespace-owner\": \"namespace-owner\"\n\"MemoryPerCoreLimit\": \"4Gi\"\n\
-    \"OrganizationLabel\": \"appuio.io/organization\"\n\"PrivilegedClusterRoles\"\
-    :\n- \"cluster-admin\"\n- \"cluster-image-registry-operator\"\n- \"cluster-node-tuning-operator\"\
-    \n- \"kyverno:generatecontroller\"\n- \"kyverno:policycontroller\"\n- \"multus-admission-controller-webhook\"\
-    \n- \"openshift-dns-operator\"\n- \"openshift-ingress-operator\"\n- \"syn-admin\"\
-    \n- \"syn-argocd-application-controller\"\n- \"syn-argocd-server\"\n- \"system:controller:generic-garbage-collector\"\
-    \n- \"system:controller:operator-lifecycle-manager\"\n- \"system:master\"\n- \"\
-    system:openshift:controller:namespace-security-allocation-controller\"\n- \"system:openshift:controller:podsecurity-admission-label-syncer-controller\"\
-    \n\"PrivilegedGroups\": []\n\"PrivilegedUsers\":\n- \"system:serviceaccount:argocd:argocd-application-controller\"\
-    \n- \"system:serviceaccount:openshift-logging:cluster-logging-operator\"\n- \"\
-    system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount\"\
-    \n- \"system:serviceaccount:syn-resource-locker:namespace-openshift-config-2c8343f13594d63-manager\"\
-    \n- \"system:serviceaccount:syn-resource-locker:namespace-default-d6a0af6dd07e8a3-manager\"\
-    \n- \"system:serviceaccount:syn-resource-locker:namespace-openshift-monitoring-c4273dc15ddfdf7-manager\""
+  config.yaml: |-
+    "DefaultNamespaceNodeSelectorAnnotation": "appuio.io/default-node-selector"
+    "DefaultNodeSelector": {}
+    "DefaultOrganizationClusterRoles":
+      "admin": "admin"
+      "alert-routing-edit": "alert-routing-edit"
+      "monitoring-edit": "monitoring-edit"
+      "monitoring-edit-probe": "monitoring-edit-probe"
+      "namespace-owner": "namespace-owner"
+    "MemoryPerCoreLimit": "4Gi"
+    "OrganizationLabel": "appuio.io/organization"
+    "PrivilegedClusterRoles":
+    - "cluster-admin"
+    - "cluster-image-registry-operator"
+    - "cluster-node-tuning-operator"
+    - "kyverno:generatecontroller"
+    - "kyverno:policycontroller"
+    - "multus-admission-controller-webhook"
+    - "openshift-dns-operator"
+    - "openshift-ingress-operator"
+    - "syn-admin"
+    - "syn-argocd-application-controller"
+    - "syn-argocd-server"
+    - "system:controller:generic-garbage-collector"
+    - "system:controller:operator-lifecycle-manager"
+    - "system:master"
+    - "system:openshift:controller:namespace-security-allocation-controller"
+    - "system:openshift:controller:podsecurity-admission-label-syncer-controller"
+    "PrivilegedGroups": []
+    "PrivilegedUsers":
+    - "system:serviceaccount:argocd:argocd-application-controller"
+    - "system:serviceaccount:openshift-logging:cluster-logging-operator"
+    - "system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount"
+    - "system:serviceaccount:syn-resource-locker:namespace-openshift-config-2c8343f13594d63-manager"
+    - "system:serviceaccount:syn-resource-locker:namespace-default-d6a0af6dd07e8a3-manager"
+    - "system:serviceaccount:syn-resource-locker:namespace-openshift-monitoring-c4273dc15ddfdf7-manager"
 kind: ConfigMap
 metadata:
   annotations: {}

tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_webhook_cert_secret.yaml

@@ -8,68 +8,38 @@ metadata:
   name: webhook-service-tls
   namespace: appuio-cloud
 stringData:
-  tls.crt: '-----BEGIN CERTIFICATE-----
-
+  tls.crt: |-
+    -----BEGIN CERTIFICATE-----
     MIIFeDCCA2CgAwIBAgIUH+xWxqMcAYp2t9jmRZ8SlZ3mkNswDQYJKoZIhvcNAQEL
-
     BQAwMTEvMC0GA1UEAwwmd2ViaG9vay1zZXJ2aWNlLmFwcHVpby1jb250cm9sLWFw
-
     aS5zdmMwHhcNMjIwMzI5MDkyNTM1WhcNMzIwMzI2MDkyNTM1WjAxMS8wLQYDVQQD
-
     DCZ3ZWJob29rLXNlcnZpY2UuYXBwdWlvLWNvbnRyb2wtYXBpLnN2YzCCAiIwDQYJ
-
     KoZIhvcNAQEBBQADggIPADCCAgoCggIBANuLXjhC1YyO4AjKRdrKa4aYIr93wtQU
-
     FhGavZU5+NsD4DaeuBtAylnQ2i2y6ltUlX8LWTwDKGYa2zLiWONXdZMXXad+hYz6
-
     fVTJ681GH4/ko2dMcU7IAIRKDQ8cL8rb3GUXsOGRLQM1E4fNCbGi6oURyxcAGRqQ
-
     Ym18PfGfqjXC0HUVjkWAPQuc9lGzKjFTR58pVEo5po4gShrG7QOdZosVxVrI8qHY
-
     ZTgKeZseoDWo4IeHpke9uZg20K/mPYSWyA4Q1C1bhXyvbAonhz0eE0jzRoyNlRfg
-
     0gJFDo8HcaPLgS3xGNxIQtHXF4gZv8VhVjM4CALEp4M4j3bNJ2MN+tBoEvy7eaa5
-
     HDnFRbskTrgaSO6GVdH2QNeYQw1wxf1WzBL/GftARn8maRyzJe4/piKykx6+U51S
-
     ozwvExvc7UOnuALFKhzZMZyiSRDR+ryhMskvk4zPzlYq246ssCSnfdos2ChMivhq
-
     /Hfs57R6UjC3H2aLypdyx3aifAJwZiDwZ0LijcoWfXfHsjk+F9a1+vtGAxFft5Ao
-
     dDswcet4gnzR2lDpIha0f6Q7065sEgWQA/Xz0ghiGg94UsBJTk8U6qGrsngafxHh
-
     rmCFZOOexn2v6FpkYaNFHSvJ8fckWYR7MlTZi3ihv2OdZUS8MtnZqgzrDfjWZ/oh
-
     yr6V7Hj1r1ttAgMBAAGjgYcwgYQwHQYDVR0OBBYEFCfDCDwxYs3XeeW45jEU+B6K
-
     H3M0MB8GA1UdIwQYMBaAFCfDCDwxYs3XeeW45jEU+B6KH3M0MA8GA1UdEwEB/wQF
-
     MAMBAf8wMQYDVR0RBCowKIImd2ViaG9vay1zZXJ2aWNlLmFwcHVpby1jb250cm9s
-
     LWFwaS5zdmMwDQYJKoZIhvcNAQELBQADggIBAIeZ9lJhPyA7FI98Z8bLP3kC/a6n
-
     pbzt9exkzc+ERiNmUy9n3Q1ykIDpMMlDmtzci3EejuHL82i/A4Jtuj+B/iRgIkGY
-
     L3Ph8BsJNSZhsvEvhqJU02/Nr04SYify4dqe4SjZLnvd45wdHNaCmloRcKtz0QTN
-
     E0tnbJISvpTlR8patftEN4ru1amd+GMUPunoykERZTftHw0SO/lVOlVATDjLpNJP
-
     0IWbBrZJTLSF7uhkGfpR2aIukqUi0QvDRQJ4D77Va3DqwetmWSEABlg1rfxuvP0k
-
     3kbD1/JX1I3A26Sqs9X5lSqXTq1sTKzd+2gtEulIJ5z0Et2y0rOWnPvXxJ4Ld4C/
-
     zAcro9aM11yqP/BjmdL+l3rYRj8N38s39EzhAY3MvYnSy1P2RmL/p4BsrOEvN5Mq
-
     /E9zKEXsTQXviZc56J+iCrMAuRfQHXDIkwtID2oRuP0t4xtatQorf4JV/PRMAw0i
-
     ZvrGMzX61r0eqn1t3bEJ49P+YvzawErH/l3zdITMc13sOWZQ1NayekxeVIOa6hyd
-
     SFObMdLVJCUWcdz52EAk4jlqN0vN8iMSFnB8mBT4X+8reauopfWAnFH8VWfN8tyN
-
     m2j6L7Lb2uwBCq2NaOY9HNSi52N/J6DnQZegogQxCUiT7YJr4Xtkabv99c6mn230
-
     al+L9+1VcdfaZsPI
-
-    -----END CERTIFICATE-----'
+    -----END CERTIFICATE-----
   tls.key: t-silent-test-1234/c-green-test-1234/appuio-cloud/webhook-key
 type: kubernetes.io/tls

tests/golden/defaults/appuio-cloud/appuio-cloud/02_disallow_reserved_namespaces.yaml

@@ -3,35 +3,19 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check if the namespace name of the request matches one of the disallowed namespace patterns.
+      - Check if the requesting user/serviceaccount has a cluster role that allows them to create reserved namespaces.
 
-      - Check if the namespace name of the request matches one of the disallowed namespace
-      patterns.
+      If the namespace matches a disallowed pattern and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied.
+      The policy is applied for requests to create `Namespace` and `ProjectRequest` resources.
+      This ensures that unprivileged users can't use disallowed patterns regardless of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web console.
 
-      - Check if the requesting user/serviceaccount has a cluster role that allows
-      them to create reserved namespaces.
+      The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component parameter `reservedNamespaces`].
 
-
-      If the namespace matches a disallowed pattern and the requester doesn''t have
-      a cluster role which allows them to bypass the policy, the request is denied.
-
-      The policy is applied for requests to create `Namespace` and `ProjectRequest`
-      resources.
-
-      This ensures that unprivileged users can''t use disallowed patterns regardless
-      of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web
-      console.
-
-
-      The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component
-      parameter `reservedNamespaces`].
-
-
-      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
-
-      '
+      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml

@@ -3,37 +3,22 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check that each namespace created by a user without cluster-admin  permissions has a label appuio.io/organization which isn't empty.
+      - Check that the creating user is in the organization it tries to create a namespace for.
 
-      - Check that each namespace created by a user without cluster-admin  permissions
-      has a label appuio.io/organization which isn''t empty.
-
-      - Check that the creating user is in the organization it tries to create a namespace
-      for.
-
-
-      The user''s organization membership is checked by:
-
+      The user's organization membership is checked by:
 
       - Fetching all OpenShift groups
+      - Reading the `appuio.io/organization` label of the request and finding a group with the same name
 
-      - Reading the `appuio.io/organization` label of the request and finding a group
-      with the same name
-
-
-      If a group matching the label value exists, the policy checks that the user
-      which issued the request is a member of that group.
-
-
-      If the label `appuio.io/organization` is missing or empty or the user isn''t
-      a member of the group, the request is denied.
-
+      If a group matching the label value exists, the policy checks that the user which issued the request is a member of that group.
 
-      Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
+      If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied.
 
-      '
+      Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_projects.yaml

@@ -3,36 +3,21 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check that each project created by a user without cluster-admin  permissions has a label appuio.io/organization which isn't empty.
+      - Check that the creating user is in the organization they try to create a project for.
 
-      - Check that each project created by a user without cluster-admin  permissions
-      has a label appuio.io/organization which isn''t empty.
-
-      - Check that the creating user is in the organization they try to create a project
-      for.
-
-
-      The user''s organization membership is checked by:
-
-
-      - Reading the project''s annotation `openshift.io/requester` which contains
-      the username of the user who originally requested the project.
+      The user's organization membership is checked by:
 
+      - Reading the project's annotation `openshift.io/requester` which contains the username of the user who originally requested the project.
       - Fetching all OpenShift groups
+      - Reading the `appuio.io/organization` label of the request and finding a group with the same name
 
-      - Reading the `appuio.io/organization` label of the request and finding a group
-      with the same name
-
-
-      If a group matching the label value exists, the policy checks that the user
-      which requested the project is a member of that group.
-
-
-      If the label `appuio.io/organization` is missing or empty or the user isn''t
-      a member of the group, the request is denied.
+      If a group matching the label value exists, the policy checks that the user which requested the project is a member of that group.
 
-      '
+      If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_sa_namespaces.yaml

@@ -3,33 +3,20 @@ kind: ClusterPolicy
 metadata:
   annotations:
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
+    policies.kyverno.io/description: |
+      This policy will:
 
+      - Check that each namespace created by a serviceaccount without cluster-admin permissions has a label appuio.io/organization which isn't empty.
+      - Check that the creating serviceaccount is part of the organization it tries to create a namespace for.
 
-      - Check that each namespace created by a serviceaccount without cluster-admin
-      permissions has a label appuio.io/organization which isn''t empty.
+      The serviceaccount's organization membership is checked by:
 
-      - Check that the creating serviceaccount is part of the organization it tries
-      to create a namespace for.
+      - Fetching the serviceaccount's namespace
+      - Comparing that namespace's `appuio.io/organization` label value with the request's `appuio.io/organization` label value.
 
+      If the label `appuio.io/organization` is missing or empty or the serviceaccount's organization doesn't match the request's organization the request is denied.
 
-      The serviceaccount''s organization membership is checked by:
-
-
-      - Fetching the serviceaccount''s namespace
-
-      - Comparing that namespace''s `appuio.io/organization` label value with the
-      request''s `appuio.io/organization` label value.
-
-
-      If the label `appuio.io/organization` is missing or empty or the serviceaccount''s
-      organization doesn''t match the request''s organization the request is denied.
-
-
-      Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
-
-      '
+      Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations

tests/golden/defaults/appuio-cloud/appuio-cloud/02_validate_namespace_metadata.yaml

@@ -4,26 +4,16 @@ metadata:
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
     policies.kyverno.io/category: Namespace Ownership
-    policies.kyverno.io/description: 'This policy will:
-
+    policies.kyverno.io/description: |
+      This policy will:
 
       - Check annotations and labels on new and modified namespaces against a whitelist.
 
+      If the namespace has an annotation or label which isn't whitelisted and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied.
 
-      If the namespace has an annotation or label which isn''t whitelisted and the
-      requester doesn''t have a cluster role which allows them to bypass the policy,
-      the request is denied.
-
-
-      The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component
-      parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component
-      parameter `allowedNamespaceLabels`] respectively.
-
-
-      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
-      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
+      The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component parameter `allowedNamespaceLabels`] respectively.
 
-      '
+      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
     policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
     policies.kyverno.io/minversion: v1
     policies.kyverno.io/subject: APPUiO Organizations
@@ -109,11 +99,13 @@ spec:
             list: 'request.object&& merge(    not_null(request.object.metadata.labels,
               `{}`)   ,not_null(request.oldObject.metadata.labels, `{}`))  | map(&{key:
               @}, keys(@))'
-        message: "The following labels can be modified:\n    appuio.io/organization,\
-          \ custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults,\
-          \ network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu.\n\
-          labels given:\n    {{request.object.metadata.labels}}.\nlabels before modification:\n\
-          \    {{request.oldObject.metadata.labels}}."
+        message: |-
+          The following labels can be modified:
+              appuio.io/organization, custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults, network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu.
+          labels given:
+              {{request.object.metadata.labels}}.
+          labels before modification:
+              {{request.oldObject.metadata.labels}}.
     - exclude:
         any:
           - clusterRoles:
@@ -187,10 +179,11 @@ spec:
             list: 'request.object&& merge(    not_null(request.object.metadata.annotations,
               `{}`)   ,not_null(request.oldObject.metadata.annotations, `{}`))  |
               map(&{key: @}, keys(@))'
-        message: "The following annotations can be modified:\n    custom.appuio.io/*,\
-          \ appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration,\
-          \ policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override,\
-          \ test.appuio.io/*, compute.test.appuio.io/cpu.\nannotations given:\n  \
-          \  {{request.object.metadata.annotations}}.\nannotations before modification:\n\
-          \    {{request.oldObject.metadata.annotations}}."
+        message: |-
+          The following annotations can be modified:
+              custom.appuio.io/*, appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration, policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override, test.appuio.io/*, compute.test.appuio.io/cpu.
+          annotations given:
+              {{request.object.metadata.annotations}}.
+          annotations before modification:
+              {{request.oldObject.metadata.annotations}}.
   validationFailureAction: enforce