feat: limits enforcement in runtime installation (#457)

Author: andrii-codefresh

charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml

@@ -41,3 +41,48 @@ metadata:
     helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
     helm.sh/hook-weight: "-10"
 {{- end }}
+
+{{- if  not .Values.installer.skipUsageValidation }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: validate-usage-cr
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: validate-usage-crb
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: validate-usage-cr
+subjects:
+  - kind: ServiceAccount
+    name: validate-usage-sa
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: validate-usage-sa
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+{{- end }}

charts/gitops-runtime/templates/hooks/pre-install/validate-usage.yaml

@@ -0,0 +1,50 @@
+{{- if  not .Values.installer.skipUsageValidation }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: validate-usage-config
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+data:
+  values.yaml: |
+{{ .Values | toYaml | indent 4 }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: validate-usage
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+    helm.sh/hook-weight: "10"
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      serviceAccountName: validate-usage-sa
+      restartPolicy: Never
+      containers:
+      - name: validate-usage
+        image: "{{ .Values.installer.image.repository }}:{{ .Values.installer.image.tag | default .Chart.Version }}"
+        imagePullPolicy: {{ .Values.installer.image.pullPolicy }}
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        command: ["sh", "-c"]
+        args: 
+        - |
+          cf account validate-usage --fail-condition=reached --subject=clusters --values /job_tmp/values.yaml --namespace ${NAMESPACE} --hook --log-level debug
+        volumeMounts:
+          - name: validate-usage-volume
+            mountPath: "/job_tmp"
+      volumes:
+        - name: validate-usage-volume
+          configMap:
+            name: validate-usage-config
+{{- end }}

charts/gitops-runtime/values.yaml

@@ -177,6 +177,8 @@ global:
 installer:
   # -- if set to true, pre-install hook will *not* run
   skipValidation: false
+  # -- if set to true, pre-install hook will *not* run
+  skipUsageValidation: false
   image:
     repository: quay.io/codefresh/gitops-runtime-installer
     tag: ""

installer-image/Dockerfile

@@ -8,7 +8,7 @@ FROM debian:12.10-slim
 
 RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
 
-ARG CF_CLI_VERSION=v0.2.6
+ARG CF_CLI_VERSION=v0.2.7
 ARG TARGETARCH
 
 RUN apt-get update && apt-get install curl jq -y