VMO Namespace Management 1.0.3 (#145)

kreeuwijk · web-flow · commit f46f5344fb1d · 2025-08-25T15:54:30.000+05:30
diff --git a/packs/vmo-ns-mgmt-1.0.3/README.md b/packs/vmo-ns-mgmt-1.0.3/README.md
@@ -0,0 +1,57 @@
+# VMO Namespace Management
+
+## Overview
+The VMO Namespace Management pack enables centralized administration of VMO namespaces, including quotas and RBAC permissions.
+
+With this pack you can centrally manage the namespaces used for running virtual machines on all your VMO clusters:
+* Define a list of namespaces that should be able to run VMs and deploy VMs from golden images
+* Set quotas for CPU, Memory, Storage and custom resources on namespaces
+* Set VMO-specific or custom RBAC permissions on namespaces
+* Filter quotas or RBAC permissions to only apply to specific Palette clusters
+
+## Kubernetes compatibility
+Kubernetes versions supported by VMO (1.28+).
+
+## CloudTypes supported:
+Supported on all cloud types, but only relevant to cloud types supported by VMO.
+
+## Parameters
+
+The table lists commonly used parameters you can configure when adding this pack.
+
+| Parameter                   | Description | Required | Default |
+|-----------------------------|-------------|----------|---------|
+| `goldenImagesNamespace`     | Namespace that contains your VMO golden images. Should match the setting by the same name in the VMO pack. | Yes | `vmo-golden-images` |
+| `vmEnabledNamespaces`       | A list of namespaces that you want to enable for VMO. If the namespace does not exist, it will be created. If you remove a namespace from the list, it will not be removed from the cluster; you will need to manually clean it up when necessary. | Yes | |
+| `quotas`                    | A list of quota definitions that limit the amount of resources that can be consumed in a each namespace. | Yes | Empty list |
+| `quotas.[].namespace`       | The name of the namespace to define the quota for. | Yes | |
+| `quotas.[].clusters`        | A list of clusters that the quota should apply to. | No | |
+| `quotas.[].limits`          | The resource limits quota you want to apply. We recommend using this to set CPU quota: ensure to leave some headroom for CPU overhead (15 millicore per VM) and live migration (at least twice the CPU of the biggest VM). | No | |
+| `quotas.[].requests`        | The resource requests quota you want to apply. We recommend using this to set Memory and Storage quota: ensure to leave some headroom for overhead (~315MB per VM) and live migration (at least twice the memory of the biggest VM). | No | |
+| `rbac`                      | A list of RBAC definitions that control what users can do in each namespace. | Yes | Empty list |
+| `rbac.[].namespace`         | The name of the namespace to define the RBAC permissions for. | Yes | |
+| `rbac.[].clusters`          | A list of clusters that the RBAC permissions should apply to. | No | |
+| `rbac.[].admins`            | Define this block if you want to give users/teams the `spectro-vm-admin` permission for the namespace. | No | |
+| `rbac.[].admins.groups`     | A list of Palette Teams (case sensitive!) that should receive the `spectro-vm-admin` permission for the namespace. | No | |
+| `rbac.[].admins.users`      | A list of Palette Users, by email address (case sensitive!), that should receive the `spectro-vm-admin` permission for the namespace. | No | |
+| `rbac.[].powerusers`        | Define this block if you want to give users/teams the `spectro-vm-poweruser` permission for the namespace. | No | |
+| `rbac.[].powerusers.groups` | A list of Palette Teams (case sensitive!) that should receive the `spectro-vm-poweruser` permission for the namespace. | No | |
+| `rbac.[].powerusers.users`  | A list of Palette Users, by email address (case sensitive!), that should receive the `spectro-vm-poweruser` permission for the namespace. | No | |
+| `rbac.[].users`             | Define this block if you want to give users/teams the `spectro-vm-user` permission for the namespace. | No | |
+| `rbac.[].users.groups`      | A list of Palette Teams (case sensitive!) that should receive the `spectro-vm-user` permission for the namespace. | No | |
+| `rbac.[].users.users`       | A list of Palette Users, by email address (case sensitive!), that should receive the `spectro-vm-user` permission for the namespace. | No | |
+| `rbac.[].viewers`           | Define this block if you want to give users/teams the `spectro-vm-viewer` permission for the namespace. | No | |
+| `rbac.[].viewers.groups`    | A list of Palette Teams (case sensitive!) that should receive the `spectro-vm-viewer` permission for the namespace. | No | |
+| `rbac.[].viewers.users`     | A list of Palette Users, by email address (case sensitive!), that should receive the `spectro-vm-viewer` permission for the namespace. | No | |
+| `rbac.[].custom`            | Define this list if you want to give users/teams a custom permission (of type ClusterRole) for the namespace. | No | |
+| `rbac.[].custom.[].role`    | The name of the custom ClusterRole that want assign to users/teams for the namespace. | No | |
+| `rbac.[].custom.[].groups`  | A list of Palette Teams (case sensitive!) that should receive the custom ClusterRole for the namespace. | No | |
+| `rbac.[].custom.[].users`   | A list of Palette Users, by email address (case sensitive!), that should receive the custom ClusterRole for the namespace. | No | |
+
+
+## Presets
+None
+
+
+## References:
+* [VMO Roles and Permissions](https://docs.spectrocloud.com/vm-management/rbac/vm-roles-permissions/)
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt-1.0.3.tgz b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt-1.0.3.tgz
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/.helmignore b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.github/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/Chart.yaml b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+name: vmo-ns-mgmt
+version: 1.0.3
+appVersion: 1.0.3
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/gi-rolebinding.yaml b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/gi-rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vmo-rolebinding-golden-images
+  namespace: {{ .Values.goldenImagesNamespace | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vmo-role-golden-images
+subjects:
+{{- range .Values.vmEnabledNamespaces }}
+- kind: ServiceAccount
+  name: default
+  namespace: {{ . | quote }}
+{{- end }}
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/namespace.yaml b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/namespace.yaml
@@ -0,0 +1,9 @@
+{{- range (without .Values.vmEnabledNamespaces list "default" "virtual-machines" .Values.goldenImagesNamespace) }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ . | quote }}
+  annotations:
+    "helm.sh/resource-policy": "keep"
+---
+{{- end }}
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/resourcequota.yaml b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/resourcequota.yaml
@@ -0,0 +1,24 @@
+{{ range $index, $cluster := (lookup "cluster.spectrocloud.com/v1alpha1" "SpectroCluster" "" "").items }}
+  {{- range $quota := $.Values.quotas }}
+    {{- if or (has $cluster.metadata.name $quota.clusters) (not (hasKey $quota "clusters")) }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: vmo-quota
+  namespace:  {{ $quota.namespace }}
+spec:
+  hard:
+  {{- if $quota.limits -}}
+    {{- range $key, $value := $quota.limits }}
+    limits.{{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  {{- if $quota.requests -}}
+    {{- range $key, $value := $quota.requests }}
+    requests.{{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+---
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/role.yaml b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vmo-role-golden-images
+  namespace: {{ .Values.goldenImagesNamespace | quote }}
+rules:
+- apiGroups: ["cdi.kubevirt.io"]
+  resources: ["datavolumes/source"]
+  verbs: ["create"]
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/rolebinding.yaml b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/templates/rolebinding.yaml
@@ -0,0 +1,123 @@
+{{ range $index, $cluster := (lookup "cluster.spectrocloud.com/v1alpha1" "SpectroCluster" "" "").items }}
+  {{- range $rbac := $.Values.rbac -}}
+    {{- if or (has $cluster.metadata.name $rbac.clusters) (not (hasKey $rbac "clusters")) }}
+{{- if $rbac.admins }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vmo-rolebinding-admins
+  namespace:  {{ $rbac.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: spectro-vm-admin
+subjects:
+{{- range $group := $rbac.admins.groups }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ $group | quote }}
+{{- end }}
+{{- range $user := $rbac.admins.users }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ $user | quote }}
+{{- end }}
+{{- end }}
+---
+{{- if $rbac.powerusers }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vmo-rolebinding-powerusers
+  namespace:  {{ $rbac.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: spectro-vm-power-user
+subjects:
+{{- range $group := $rbac.powerusers.groups }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ $group | quote }}
+{{- end }}
+{{- range $user := $rbac.powerusers.users }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ $user | quote }}
+{{- end }}
+{{- end }}
+---
+{{- if $rbac.users }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vmo-rolebinding-users
+  namespace:  {{ $rbac.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: spectro-vm-user
+subjects:
+{{- range $group := $rbac.users.groups }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ $group | quote }}
+{{- end }}
+{{- range $user := $rbac.users.users }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ $user | quote }}
+{{- end }}
+{{- end }}
+---
+{{- if $rbac.viewers }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vmo-rolebinding-viewers
+  namespace:  {{ $rbac.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: spectro-vm-viewer
+subjects:
+{{- range $group := $rbac.viewers.groups }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ $group | quote }}
+{{- end }}
+{{- range $user := $rbac.viewers.users }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ $user | quote }}
+{{- end }}
+{{- end }}
+---
+{{- if $rbac.custom }}
+{{- range $custom := $rbac.custom }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vmo-rolebinding-custom-{{ $custom.role }}
+  namespace:  {{ $rbac.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $custom.role | quote }}
+subjects:
+{{- range $group := $custom.groups }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ $group | quote }}
+{{- end }}
+{{- range $user := $custom.users }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ $user | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+    {{- end }}
+  {{- end }}
+---
+{{- end }}
diff --git a/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/values_lint.yaml b/packs/vmo-ns-mgmt-1.0.3/charts/vmo-ns-mgmt/values_lint.yaml
@@ -0,0 +1,74 @@
+goldenImagesNamespace: vmo-golden-images
+vmEnabledNamespaces:
+  - default
+  - virtual-machines
+  - customer-vm-1
+  - customer-vm-2
+  - customer-vm-3
+
+quotas:
+  - namespace: customer-vm-1
+    clusters:
+      - demo-cluster1
+      - demo-cluster2
+    limits:
+      cpu: 9
+    requests:
+      memory: 33Gi
+      storage: 120Gi
+  - namespace:  customer-vm-2
+    clusters:
+      - demo-cluster1
+    limits:
+      cpu: 40
+    requests:
+      memory: 150Gi
+      storage: 1024Gi
+  - namespace:  customer-vm-3
+    limits:
+      cpu: 100
+    requests:
+      memory: 250Gi
+      storage: 2Ti
+
+rbac:
+  - namespace: default
+    viewers:
+      groups:
+        - Viewers Group 1
+        - Viewers Group 2
+  - namespace: customer-vm-1
+    clusters:
+      - demo-cluster1
+      - demo-cluster2
+    admins:
+      users:
+        - test.user1@company.com
+        - test.user2@company.com
+      groups:
+        - Test Group 1
+        - Test Group 2
+    powerusers:
+      users: []
+      groups: []
+    users:
+      users: []
+      groups: []
+    viewers:
+      users: []
+      groups: []
+    custom:
+      - role: admin
+        groups:
+          - Custom Group 1
+          - Custom Group 2
+        users:
+          - custom.user1@company.com
+          - custom.user2@company.com
+      - role: cluster-admin
+        groups:
+          - Custom Group 3
+          - Custom Group 4
+        users:
+          - custom.user3@company.com
+          - custom.user4@company.com
diff --git a/packs/vmo-ns-mgmt-1.0.3/logo.png b/packs/vmo-ns-mgmt-1.0.3/logo.png
diff --git a/packs/vmo-ns-mgmt-1.0.3/pack.json b/packs/vmo-ns-mgmt-1.0.3/pack.json
@@ -0,0 +1,16 @@
+{
+  "addonType":"system app",
+  "annotations": {
+    "source": "spectrocloud"
+  },
+  "cloudTypes": [
+   "all"
+  ],
+  "displayName": "VMO Namespace Management",
+  "charts": [
+    "charts/vmo-ns-mgmt-1.0.3.tgz"
+  ],
+  "layer": "addon",
+  "name": "vmo-ns-mgmt",
+  "version": "1.0.3"
+}
diff --git a/packs/vmo-ns-mgmt-1.0.3/values.yaml b/packs/vmo-ns-mgmt-1.0.3/values.yaml
