SANDBOX-1847 | feature: NSTemplateTier for OpenClaw namespaces

[MikelAlejoBR]

We need a new NSTemplateTier in order to be able to begin testing OpenClaw in our environments.

Jira ticket: [SANDBOX-1847]

Summary by CodeRabbit

• New Features
  • Added support for a new "openclaw" tier, enabling additional namespace provisioning and management capabilities.
  • Introduced resource quotas, memory limits, and network policies for improved resource management and security controls.
  • Added role-based access control configurations to manage admin and user permissions within namespaces.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MikelAlejoBR
Once this PR has been reviewed and has the lgtm label, please assign jrosental for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

This PR introduces a new OpenClaw namespace template tier (openclaw) by adding OpenShift template definitions for cluster-scoped resources, two parameterized namespaces (dev and openclaw), namespace-level RBAC and network policies, space role definitions, and corresponding test expectations.

Changes

OpenClaw Namespace Tier

Layer / File(s)	Summary
Tier definition and test expectations deploy/templates/nstemplatetiers/openclaw/tier.yaml, deploy/templates/usertiers/openclaw/tier.yaml, pkg/templates/nstemplatetiers/nstemplatetier_generator_test.go	NSTemplateTier openclaw and UserTier openclaw are defined with parameterized namespace and deactivation timeout. Test expectations are updated to recognize openclaw as a production tier with dev and openclaw namespace types.
Cluster-scoped resources deploy/templates/nstemplatetiers/openclaw/cluster.yaml	ClusterResourceQuota objects filter deployment, replica, job, service, buildconfig, secret, and configmap limits by space name. ClusterRoleBinding grants lightspeed operator query access. Two Idler resources (dev and openclaw) share a configurable timeout parameter.
Dev namespace configuration deploy/templates/nstemplatetiers/openclaw/ns_dev.yaml	Creates ${SPACE_NAME}-dev namespace with RBAC roles for CRT pod exec administration and user admin permissions. ResourceQuota and LimitRange govern compute and storage. Multiple ingress NetworkPolicies allow traffic from system namespaces, OLM, console, virtualization, and specific ODS applications including mariadb on port 3306.
Openclaw namespace configuration deploy/templates/nstemplatetiers/openclaw/ns_openclaw.yaml	Creates ${SPACE_NAME}-openclaw namespace with pod exec RBAC, ResourceQuota for deployments/builds/storage, LimitRange with CPU/memory defaults, and restrictive ingress NetworkPolicies allowing only enumerated system and pod selector sources.
Admin space role template deploy/templates/nstemplatetiers/openclaw/spacerole_admin.yaml	Defines openclaw-user role and binding granting users full lifecycle access to OpenClaw claws custom resources, read-only troubleshooting access (pods, logs, events, routes), and secret write/delete without read permissions.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

test

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and specifically describes the main change: introducing a new NSTemplateTier for OpenClaw namespaces, which aligns with the changeset that adds multiple OpenShift template files for OpenClaw tier configuration.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/templates/nstemplatetiers/openclaw/cluster.yaml`:
- Around line 140-146: The template uses invalid interpolation
`${{IDLER_TIMEOUT_SECONDS}}` for the Idler.spec.timeoutSeconds causing
substitution/parsing failures; replace all occurrences of
`${{IDLER_TIMEOUT_SECONDS}}` with the correct OpenShift template syntax
`${IDLER_TIMEOUT_SECONDS}` (including the two places shown: the top-level
timeoutSeconds and the spec.timeoutSeconds inside the Idler resource), and sweep
other tier templates (base, base1ns, etc.) to make the same replacement where
`timeoutSeconds` or similar parameters appear; verify the Idler resource
(metadata name `${SPACE_NAME}-openclaw`, kind Idler) now receives an integer
value.

In `@deploy/templates/nstemplatetiers/openclaw/ns_openclaw.yaml`:
- Around line 223-230: The NetworkPolicy resource
"allow-from-dev-sandbox-managed-ns" is missing the required spec.podSelector;
update the resource by adding a podSelector (e.g., podSelector: {} ) under spec
so the policy applies to pods and passes API validation, keeping the existing
spec.ingress and spec.policyTypes intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f11722b3-f403-4cab-b238-682442066bfd

📥 Commits

Reviewing files that changed from the base of the PR and between 65483a0 and 6cf46ba.

📒 Files selected for processing (7)

• deploy/templates/nstemplatetiers/openclaw/cluster.yaml
• deploy/templates/nstemplatetiers/openclaw/ns_dev.yaml
• deploy/templates/nstemplatetiers/openclaw/ns_openclaw.yaml
• deploy/templates/nstemplatetiers/openclaw/spacerole_admin.yaml
• deploy/templates/nstemplatetiers/openclaw/tier.yaml
• deploy/templates/usertiers/openclaw/tier.yaml
• pkg/templates/nstemplatetiers/nstemplatetier_generator_test.go

✅ Files skipped from review due to trivial changes (1)

• deploy/templates/usertiers/openclaw/tier.yaml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: GolangCI Lint
• GitHub Check: test
• GitHub Check: Build & push operator bundles & dashboard image for e2e tests

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• deploy/templates/nstemplatetiers/openclaw/tier.yaml
• deploy/templates/nstemplatetiers/openclaw/spacerole_admin.yaml
• pkg/templates/nstemplatetiers/nstemplatetier_generator_test.go
• deploy/templates/nstemplatetiers/openclaw/cluster.yaml
• deploy/templates/nstemplatetiers/openclaw/ns_openclaw.yaml
• deploy/templates/nstemplatetiers/openclaw/ns_dev.yaml

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/toolchain-e2e, codeready-toolchain/registration-service, codeready-toolchain/member-operator

Findings

codeready-toolchain/api

• Confirms NSTemplateTier CRD/types used across repos: definitions and OpenAPI for NSTemplateTier (api/v1alpha1/nstemplatetier_types.go, zz_generated.openapi.go). New NSTemplateTier must conform to these types. [::codeready-toolchain/api::api/v1alpha1/nstemplatetier_types.go:16-39] [::codeready-toolchain/api::api/v1alpha1/zz_generated.openapi.go:1848-1895]

codeready-toolchain/toolchain-common

• Tier generator enforces rules around based_on_tier.yaml and regular templates and is responsible for generating NSTemplateTier objects from tier templates; any new tier files (openclaw) will be processed here. Key logic and tests: pkg/template/nstemplatetiers/nstemplatetier_generator.go and related tests. [::codeready-toolchain/toolchain-common::pkg/template/nstemplatetiers/nstemplatetier_generator.go:124-196]
• Hashing / labels for NSTemplateTier status are used widely; new tier will produce a hash used by other components/tests: pkg/hash/hash.go and tests under pkg/test. [::codeready-toolchain/toolchain-common::pkg/hash/hash.go:15-16]
• Tests expect certain layouts and may validate counts of generated NSTemplateTiers (generator tests reference expected numbers). If openclaw adds additional NSTemplateTier CRs, test expectations may need updates. [::codeready-toolchain/toolchain-common::pkg/template/nstemplatetiers/nstemplatetier_generator_test.go:239-246]

codeready-toolchain/toolchain-e2e

• E2E helpers and tests enumerate bundled tiers and assume specific bundled lists (BundledNSTemplateTiers includes base1ns, base1nsnoidling, base1ns6didler, base). New bundled tier (openclaw) will need to be added here if intended to be part of bundled tiers for e2e: testsupport/wait/host.go. [::codeready-toolchain/toolchain-e2e::testsupport/wait/host.go:53-55]
• Many e2e tests wait for NSTemplateTier objects by name (e.g., WaitForNSTemplateTier calls for base1ns/appstudio). If openclaw is added as a bundled tier and tests expect specific counts or lists, adjust tests/deploy manifests accordingly. See deploy config references to defaultSpaceTier using 'base1ns' in deploy/*toolchainconfig.yaml. [::codeready-toolchain/toolchain-e2e::deploy/host-operator/e2e-tests/nstemplatetier-base.yaml] [::codeready-toolchain/toolchain-e2e::deploy/host-operator/e2e-tests/toolchainconfig.yaml:33]

codeready-toolchain/registration-service

• Contains test helpers creating a fake base1ns NSTemplateTier (test/fake/utils.go). No direct references to openclaw found; ensure any tests expecting specific tier names or counts are unaffected. [::codeready-toolchain/registration-service::test/fake/utils.go:54-61]

codeready-toolchain/member-operator

• No direct references to NSTemplateTier-specific names detected in search; member-operator consumes NSTemplateTier CRs generically via API types — no code changes appear required here. [::codeready-toolchain/member-operator::]

Summary implication:

• The new openclaw NSTemplateTier files will be processed by toolchain-common's generator and consumed in e2e tests and host/operator deploys. Update bundled-tier lists and any test expectations (toolchain-e2e tests and toolchain-common generator tests) if openclaw should be treated as a bundled NSTemplateTier. Ensure the generated NSTemplateTier conforms to api types. Tests that assert exact counts or lists of bundled tiers may need updating.

🔇 Additional comments (1)

deploy/templates/nstemplatetiers/openclaw/ns_dev.yaml (1)

313-320: ⚡ Quick win

The review comment is incorrect. According to official Kubernetes documentation, podSelector is not a required field in networking.k8s.io/v1 NetworkPolicy specifications. When podSelector is omitted, it defaults to an empty selector that matches all pods in the namespace, which is valid behavior. The NetworkPolicy allow-from-dev-sandbox-managed-ns is valid as written without an explicit podSelector field.

			> Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether any OpenShift templates in this repo use invalid `${{...}}` interpolation.
rg -n '\$\{\{[A-Z0-9_]+\}\}' deploy/templates

Repository: codeready-toolchain/host-operator

Length of output: 1594

---

🏁 Script executed:

#!/bin/bash
# Find template processing logic - search for how deploy/templates are used
grep -r "IDLER_TIMEOUT_SECONDS" --include="*.go" --include="*.yaml" | head -20

Repository: codeready-toolchain/host-operator

Length of output: 1023

---

🏁 Script executed:

#!/bin/bash
# Check if there's custom template expansion logic
rg -l "template|Template" pkg/ --include="*.go" | head -10

Repository: codeready-toolchain/host-operator

Length of output: 519

---

🏁 Script executed:

#!/bin/bash
# Look for template variable substitution patterns in Go code
rg '\$\{\{|\$\{' pkg/ --include="*.go" -A 2 -B 2 | head -40

Repository: codeready-toolchain/host-operator

Length of output: 519

---

🏁 Script executed:

#!/bin/bash
# Find how templates are processed - look for template handling in Go code
find pkg -name "*.go" -type f | xargs grep -l "template\|Template" | head -5

Repository: codeready-toolchain/host-operator

Length of output: 313

---

🏁 Script executed:

#!/bin/bash
# Search for template processing logic in toolchain-common
rg "IDLER_TIMEOUT_SECONDS" . -A 3 -B 3 | head -50

Repository: codeready-toolchain/toolchain-common

Length of output: 2260

---

🏁 Script executed:

#!/bin/bash
# Check how template parameters are expanded in nstemplatetier_generator
rg '\$\{|\$\{\{' pkg/template -A 2 -B 2

Repository: codeready-toolchain/toolchain-common

Length of output: 27798

---

🏁 Script executed:

#!/bin/bash
# Look for template processing in host-operator
find pkg -name "*.go" -type f -exec grep -l "template\|Template" {} \; | xargs grep -l "IDLER_TIMEOUT" 2>/dev/null | head -5

Repository: codeready-toolchain/host-operator

Length of output: 59

---

🏁 Script executed:

#!/bin/bash
# Check the notification template generator to see how templates are processed
cat pkg/templates/notificationtemplates/notification_generator.go | head -100

Repository: codeready-toolchain/host-operator

Length of output: 3490

---

🏁 Script executed:

#!/bin/bash
# Search for how NSTemplateTier templates are actually loaded and processed
rg "timeoutSeconds" pkg/template -B 5 -A 5

Repository: codeready-toolchain/toolchain-common

Length of output: 62

---

🏁 Script executed:

#!/bin/bash
# Read the nstemplatetier generator to see how templates are processed
head -300 pkg/template/nstemplatetiers/nstemplatetier_generator.go

Repository: codeready-toolchain/toolchain-common

Length of output: 11300

---

🏁 Script executed:

#!/bin/bash
# Search for parameter substitution logic
grep -n "parameters\|substitute\|Replace" pkg/template/nstemplatetiers/nstemplatetier_generator.go | head -20

Repository: codeready-toolchain/toolchain-common

Length of output: 2072

---

🏁 Script executed:

#!/bin/bash
# Look for any yaml processing or content generation
rg "Spec|Content|Resources" pkg/template/nstemplatetiers/nstemplatetier_generator.go -B 2 -A 2 | head -60

Repository: codeready-toolchain/toolchain-common

Length of output: 1652

---

🏁 Script executed:

#!/bin/bash
# Look at the setParams function to understand how OpenShift templates work
grep -A 30 "^func setParams" pkg/template/nstemplatetiers/nstemplatetier_generator.go

Repository: codeready-toolchain/toolchain-common

Length of output: 1468

---

🏁 Script executed:

#!/bin/bash
# Search for how TierTemplate resources are consumed/processed
rg "TierTemplate" pkg -A 3 -B 3 | head -100

Repository: codeready-toolchain/member-operator

Length of output: 655

---

🏁 Script executed:

#!/bin/bash
# Check the TierTemplate API definition
grep -A 20 "type TierTemplate" api/v1alpha1/tiertemplates_types.go

Repository: codeready-toolchain/api

Length of output: 136

---

🏁 Script executed:

#!/bin/bash
# Find TierTemplate definition files
find api -name "*tier*" -type f | grep -v vendor

Repository: codeready-toolchain/api

Length of output: 213

---

🏁 Script executed:

#!/an/bash
# Search for TierTemplate type definition
rg "type TierTemplate" api/ -A 15

Repository: codeready-toolchain/api

Length of output: 5378

---

🏁 Script executed:

#!/bin/bash
# Search for where template content is actually processed/applied
rg "Objects\|Content\|Template" pkg/space -A 3 -B 3 | head -80

Repository: codeready-toolchain/member-operator

Length of output: 129

---

🏁 Script executed:

#!/bin/bash
# Find where templates are processed
find pkg -name "*.go" -type f | xargs grep -l "TemplateObjects\|processTemplate" | head -5

Repository: codeready-toolchain/member-operator

Length of output: 213

---

🏁 Script executed:

#!/bin/bash
# Search for Space provisioning logic
rg "provision|template" pkg/controllers -l | head -5

Repository: codeready-toolchain/member-operator

Length of output: 135

---

🏁 Script executed:

#!/bin/bash
# Look for how TemplateObjects are processed and parameter values substituted
rg "TemplateObjects|Parameter.*substitut|replace.*parameter" pkg -A 3 -B 3 | head -100

Repository: codeready-toolchain/toolchain-common

Length of output: 1401

---

🏁 Script executed:

#!/bin/bash
# Look at test cases to see how templates are created and parameters substituted
grep -A 10 "IDLER_TIMEOUT" pkg/template/nstemplatetiers/nstemplatetier_generator_test.go | head -30

Repository: codeready-toolchain/toolchain-common

Length of output: 62

---

🏁 Script executed:

#!/bin/bash
# Check the test data to see actual example templates
cat pkg/template/nstemplatetiers/testdata/nstemplatetiers/base/cluster.yaml | grep -A 5 -B 5 "timeoutSeconds"

Repository: codeready-toolchain/toolchain-common

Length of output: 62

---

🏁 Script executed:

#!/bin/bash
# Check what the actual templates look like and how they're used
head -200 deploy/templates/nstemplatetiers/base/cluster.yaml | tail -100

Repository: codeready-toolchain/host-operator

Length of output: 2511

---

🏁 Script executed:

#!/bin/bash
# Check the Idler CRD to verify what type timeoutSeconds should be
rg -A 30 "kind: Idler" api/v1alpha1/ | grep -A 20 "spec:"

Repository: codeready-toolchain/api

Length of output: 49

---

🏁 Script executed:

#!/bin/bash
# Search for Idler type definition
find api -name "*idler*" -type f

Repository: codeready-toolchain/api

Length of output: 95

---

🏁 Script executed:

#!/bin/bash
# Search for Idler in all Go files
rg "type Idler" api/

Repository: codeready-toolchain/api

Length of output: 273

---

🏁 Script executed:

#!/bin/bash
# Get the full IdlerSpec definition
grep -A 15 "type IdlerSpec struct" api/v1alpha1/idler_types.go

Repository: codeready-toolchain/api

Length of output: 837

---

Fix invalid template parameter syntax for timeoutSeconds (Lines 140, 146).

${{IDLER_TIMEOUT_SECONDS}} is not valid OpenShift template interpolation syntax. The correct syntax is ${IDLER_TIMEOUT_SECONDS} (single braces). Without the fix, the parameter substitution will fail, leaving a literal string that cannot be parsed as the required int32 type for the Idler spec.

Note: This syntax error also exists in other tier templates (base, base1ns) and should be corrected wherever it appears.

Proposed fix

-    timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}}
+    timeoutSeconds: ${IDLER_TIMEOUT_SECONDS}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/templates/nstemplatetiers/openclaw/cluster.yaml` around lines 140 -
146, The template uses invalid interpolation `${{IDLER_TIMEOUT_SECONDS}}` for
the Idler.spec.timeoutSeconds causing substitution/parsing failures; replace all
occurrences of `${{IDLER_TIMEOUT_SECONDS}}` with the correct OpenShift template
syntax `${IDLER_TIMEOUT_SECONDS}` (including the two places shown: the top-level
timeoutSeconds and the spec.timeoutSeconds inside the Idler resource), and sweep
other tier templates (base, base1ns, etc.) to make the same replacement where
`timeoutSeconds` or similar parameters appear; verify the Idler resource
(metadata name `${SPACE_NAME}-openclaw`, kind Idler) now receives an integer
value.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the same missing-field pattern in the openclaw namespace template.
rg -n -C6 'kind:\s*NetworkPolicy|name:\s*allow-from-dev-sandbox-managed-ns|^\s*spec:' deploy/templates/nstemplatetiers/openclaw/ns_openclaw.yaml

Repository: codeready-toolchain/host-operator

Length of output: 4596

---

Add required podSelector to NetworkPolicy allow-from-dev-sandbox-managed-ns (line 223).

The allow-from-dev-sandbox-managed-ns NetworkPolicy is missing the mandatory spec.podSelector field, which will cause API validation to fail. All other NetworkPolicies in this file correctly include podSelector: {}.

Proposed fix

  spec:
+   podSelector: {}
    ingress:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	spec:
	ingress:
	- from:
	- namespaceSelector:
	matchLabels:
	dev-sandbox/policy-group: ingress
	policyTypes:
	- Ingress
	spec:
	podSelector: {}
	ingress:
	- from:
	- namespaceSelector:
	matchLabels:
	dev-sandbox/policy-group: ingress
	policyTypes:
	- Ingress

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/templates/nstemplatetiers/openclaw/ns_openclaw.yaml` around lines 223
- 230, The NetworkPolicy resource "allow-from-dev-sandbox-managed-ns" is missing
the required spec.podSelector; update the resource by adding a podSelector
(e.g., podSelector: {} ) under spec so the policy applies to pods and passes API
validation, keeping the existing spec.ingress and spec.policyTypes intact.

[openshift-ci]

@MikelAlejoBR: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e	6cf46ba	link	true	/test e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[alexeykazakov]

Replaced by #1265