Add the capability to define teams from git repository
We're currently using the workload-team-defs Helm chart to provision new tenants in the management cluster and give them the ability to deploy and configure workload clusters from their git repositories.
This approach gives autonomy to the teams controlling workload clusters, but since the workload-team-defs HelmRelease is controlled from management-cluster-values, the management-cluster administrator has to provision each of these teams, which is not very flexible.
Similarly to what we are doing for workload clusters, we should enable the definition of teams within a git repository, and inject these values into the workload-team-defs Helm chart values.
Proposal:
In order to be usable by the workload-team-defs HelmRelease, the GitRepository(ies) should define a kustomization that produces ConfigMaps containing the values that will be consumed by the chart. For example, we could have the following repository structure:
.
├── kustomization.yaml
├── team-1.yaml
└── team-2.yaml
The kustomization would generate ConfigMaps:
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configMapGenerator:
- name: team-1-def
  files:
  - values=team-1.yaml
- name: team-2-def
  files:
  - values=team-2.yaml
Each team file would contain the team definition, using the schema expected by the workload-team-defs chart (as a follow-up, we should add a JSON schema to that chart):
team-1.yaml
kustomization_spec:
  interval: 15m
  sourceRef:
    kind: GitRepository
    name: team-a-repo
gitrepository_spec:
  url: https://gitlab.com/example/private_repo1
  ref:
    branch: main
  interval: 120m
gitrepository_path: "manifests/team-a"
git_secret_path: gitsecret
external_secret:
  annotations:
    external-secrets.io/refresh-interval: 15m
In order to consume these values in the workload-team-defs HelmRelease, we'll define a new unit in the management cluster that will configure all the components required to sync these values:
- A GitRepository syncing
- A Kustomization that will add a label to all the ConfigMaps using patches
- A Kyverno policy that will merge all the ConfigMaps matching this label and generate a "merged-teams-defs" ConfigMap, which will be configured as valuesFrom by the workload-team-defs HelmRelease
Since there will likely be a single repository containing the team definitions, a kustomization will probably be sufficient to define these resources (if we need to configure more than one repository, another instance/unit using the same kustomization could be defined).
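A possible shape for the Kustomization of that unit, as an added sketch that is not part of the original proposal or of the project's code: it applies the labelling patch described above and, because the repository content is written outside the management-cluster values, reconciles under a service account that can only manage ConfigMaps in one namespace. The namespace `team-defs`, the service account and role names, the GitRepository name `team-definitions` and the label key `example.org/team-def` are assumptions.

```yaml
# Added example; every name, the namespace and the label key are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata: {name: team-defs-reconciler, namespace: team-defs}
---
# Whatever the delegated repository renders, only ConfigMaps can be applied.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: team-defs-configmaps-only, namespace: team-defs}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: team-defs-configmaps-only, namespace: team-defs}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: team-defs-configmaps-only
subjects:
  - kind: ServiceAccount
    name: team-defs-reconciler
    namespace: team-defs
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata: {name: workload-teams-git, namespace: team-defs}
spec:
  interval: 15m
  prune: true
  path: ./
  sourceRef: {kind: GitRepository, name: team-definitions}
  # Force every rendered object into this namespace and apply it with the
  # restricted service account instead of the controller's own identity.
  targetNamespace: team-defs
  serviceAccountName: team-defs-reconciler
  patches:
    - target:
        kind: ConfigMap
      # Strategic merge patch: the name is ignored, the target selector
      # above decides which objects receive the label.
      patch: |
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: ignored
          labels:
            example.org/team-def: "true"
```

With this in place, a resource of any other kind rendered from the team-definitions repository fails to apply and is reported on the Kustomization status.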
Finally, the admin of the management cluster will be able to delegate the definition of teams to an external repository by configuring that unit:
units:
  ...
  workload-teams-git:
    ...
    kustomization_spec:
      postBuild:
        substitute:
          repo_url: https://gitlab.com/example/team-definitions