Add sandbox user provisioning roles #11

Closed
prakhar1985 wants to merge 15 commits into main from namespace-mcp-with-openshift

@prakhar1985
Contributor

Summary

  • Add three reusable sandbox roles for user provisioning on shared OCP clusters:
    • ocp4_workload_ocpsandbox_keycloak_user — kubeconfig setup, cluster discovery, Keycloak user creation
    • ocp4_workload_ocpsandbox_gitea_user — Gitea user creation, repository migration
    • ocp4_workload_ocpsandbox_argocd_user — ArgoCD AppProject with user RBAC
  • Trim vault-decrypted admin tokens to prevent invalid HTTP header errors from trailing newlines
  • Support KUBECONFIG env var in keycloak_user role

Test plan

  • Verified provision + destroy on cnv-us-east-ocp-3 (ok=113 changed=13 failed=0 / ok=74 changed=7 failed=0)
  • Verified on test clusters zfmv7, n9hm5, xtfpx

prakhar added 15 commits February 13, 2026 12:17

Three reusable roles for user provisioning on shared OCP clusters:
- ocp4_workload_ocpsandbox_keycloak_user: kubeconfig, cluster
  discovery, Keycloak user creation
- ocp4_workload_ocpsandbox_gitea_user: Gitea user and repo migration
- ocp4_workload_ocpsandbox_argocd_user: ArgoCD AppProject with RBAC

Use KUBECONFIG env var when set, fall back to ~/.kube/config.
Allows concurrent cluster testing without clobbering default kubeconfig.

Deploys a per-user Gitea instance via the Gitea operator CR.
The operator is installed at the cluster level by the cluster
provisioner; this role creates the CR in the user's sandbox
namespace, waits for route and API readiness, and exports
gitea_url and gitea_internal_url facts for downstream roles.

Sandbox API may not create the gitea namespace. Create it if missing
before deploying the Gitea CR.

The AppProject destination pattern *-{username} doesn't match
namespace names created by the sandbox API (sandbox-{guid}-{suffix}).
Add an extra_destinations list variable so catalog items can
explicitly allow additional namespaces that don't follow the
default naming pattern.

Namespaces are now managed by the sandbox API via cluster_condition.
The gitea namespace is requested as a sandbox entry and created/deleted
automatically by the sandbox API. No fallback creation or explicit
deletion needed in the role.
@prakhar1985 prakhar1985 closed this Mar 3, 2026
@prakhar1985 prakhar1985 deleted the namespace-mcp-with-openshift branch March 3, 2026 08:09
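
The destination mismatch described in the commit messages above, as an added example that is not part of this pull request or the roles' code: it checks which namespaces a set of AppProject destination globs reaches and flags `extra_destinations` entries that are broader than the user's own sandbox namespaces. Assumptions: Python's `fnmatch` stands in for Argo CD's glob matching, `extra_destinations` is treated as a plain list of namespace patterns, and the username, guid and namespace names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample values (placeholders, not taken from the PR).
USERNAME = "user1"
SANDBOX_NAMESPACES = [
    "sandbox-abc12-gitea",
    "sandbox-abc12-user1",
    "sandbox-abc12-dev",
]
# Constructed view of the shared cluster, including another tenant's namespace.
CLUSTER_NAMESPACES = SANDBOX_NAMESPACES + ["sandbox-zz999-gitea", "kube-system"]


def allowed_namespaces(patterns, namespaces):
    """Return the namespaces matched by at least one destination glob."""
    return [ns for ns in namespaces
            if any(fnmatchcase(ns, p) for p in patterns)]


def audit_extra_destinations(extra, owned, cluster_namespaces):
    """Map each extra pattern to the namespaces it reaches that the user
    does not own. An empty result means every entry stays inside 'owned'."""
    findings = {}
    for pattern in extra:
        reach = [ns for ns in cluster_namespaces
                 if fnmatchcase(ns, pattern) and ns not in owned]
        if reach:
            findings[pattern] = reach
    return findings


if __name__ == "__main__":
    default = [f"*-{USERNAME}"]
    # The default pattern misses sandbox-{guid}-{suffix} names such as the
    # gitea namespace, which is why an explicit extra entry is needed.
    print(allowed_namespaces(default, SANDBOX_NAMESPACES))
    print(allowed_namespaces(default + ["sandbox-abc12-gitea"], SANDBOX_NAMESPACES))
    # An exact name stays within the user's sandbox; a wide glob does not.
    owned = set(SANDBOX_NAMESPACES)
    print(audit_extra_destinations(["sandbox-abc12-gitea"], owned, CLUSTER_NAMESPACES))
    print(audit_extra_destinations(["sandbox-*"], owned, CLUSTER_NAMESPACES))
```

Listing exact namespace names in `extra_destinations` keeps the AppProject scoped to one user's sandbox on a shared cluster; the audit function shows what a wildcard entry would add.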