Skip to content

SANDBOX-1847 | feature: NSTemplateTier for OpenClaw namespaces #1264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
MikelAlejoBR wants to merge 1 commit into from
Closed

SANDBOX-1847 | feature: NSTemplateTier for OpenClaw namespaces #1264

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
152 changes: 152 additions & 0 deletions deploy/templates/nstemplatetiers/openclaw/cluster.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
apiVersion: template.openshift.io/v1
kind: Template
metadata:
name: openclaw-cluster-resources
objects:
# ClusterResourceQuotas aggregate limits across both -dev and -openclaw namespaces.
# Limits are base1ns values + modest headroom for the -openclaw namespace.
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-deployments
spec:
quota:
hard:
count/deployments.apps: "33"
count/deploymentconfigs.apps: "30"
count/pods: "55"
count/virtualmachines.kubevirt.io: "2"
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-replicas
spec:
quota:
hard:
count/replicasets.apps: "33"
count/replicationcontrollers: "30"
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-routes
spec:
quota:
hard:
count/ingresses.extensions: "31"
count/routes.route.openshift.io: "31"
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-jobs
spec:
quota:
hard:
count/jobs.batch: "30"
count/daemonsets.apps: "30"
count/cronjobs.batch: "30"
count/statefulsets.apps: "30"
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-services
spec:
quota:
hard:
count/services: "33"
services.loadbalancers: '0'
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-bc
spec:
quota:
hard:
count/buildconfigs.build.openshift.io: "30"
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-secrets
spec:
quota:
hard:
count/secrets: "110"
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
name: for-${SPACE_NAME}-cm
spec:
quota:
hard:
count/configmaps: "110"
selector:
annotations: null
labels:
matchLabels:
toolchain.dev.openshift.com/space: ${SPACE_NAME}
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: osl-access-${SPACE_NAME}
annotations:
toolchain.dev.openshift.com/feature: openshift-lightspeed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: lightspeed-operator-query-access
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: ${SPACE_NAME}
- apiVersion: toolchain.dev.openshift.com/v1alpha1
kind: Idler
metadata:
name: ${SPACE_NAME}-dev
spec:
timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}}
- apiVersion: toolchain.dev.openshift.com/v1alpha1
kind: Idler
metadata:
name: ${SPACE_NAME}-openclaw
spec:
timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}}
Comment on lines +140 to +146

@coderabbitai coderabbitai Bot May 20, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether any OpenShift templates in this repo use invalid `${{...}}` interpolation.
rg -n '\$\{\{[A-Z0-9_]+\}\}' deploy/templates

Repository: codeready-toolchain/host-operator

Length of output: 1594

🏁 Script executed:

#!/bin/bash
# Find template processing logic - search for how deploy/templates are used
grep -r "IDLER_TIMEOUT_SECONDS" --include="*.go" --include="*.yaml" | head -20

Repository: codeready-toolchain/host-operator

Length of output: 1023

🏁 Script executed:

#!/bin/bash
# Check if there's custom template expansion logic
rg -l "template|Template" pkg/ --include="*.go" | head -10

Repository: codeready-toolchain/host-operator

Length of output: 519

🏁 Script executed:

#!/bin/bash
# Look for template variable substitution patterns in Go code
rg '\$\{\{|\$\{' pkg/ --include="*.go" -A 2 -B 2 | head -40

Repository: codeready-toolchain/host-operator

Length of output: 519

🏁 Script executed:

#!/bin/bash
# Find how templates are processed - look for template handling in Go code
find pkg -name "*.go" -type f | xargs grep -l "template\|Template" | head -5

Repository: codeready-toolchain/host-operator

Length of output: 313

🏁 Script executed:

#!/bin/bash
# Search for template processing logic in toolchain-common
rg "IDLER_TIMEOUT_SECONDS" . -A 3 -B 3 | head -50

Repository: codeready-toolchain/toolchain-common

Length of output: 2260

🏁 Script executed:

#!/bin/bash
# Check how template parameters are expanded in nstemplatetier_generator
rg '\$\{|\$\{\{' pkg/template -A 2 -B 2

Repository: codeready-toolchain/toolchain-common

Length of output: 27798

🏁 Script executed:

#!/bin/bash
# Look for template processing in host-operator
find pkg -name "*.go" -type f -exec grep -l "template\|Template" {} \; | xargs grep -l "IDLER_TIMEOUT" 2>/dev/null | head -5

Repository: codeready-toolchain/host-operator

Length of output: 59

🏁 Script executed:

#!/bin/bash
# Check the notification template generator to see how templates are processed
cat pkg/templates/notificationtemplates/notification_generator.go | head -100

Repository: codeready-toolchain/host-operator

Length of output: 3490

🏁 Script executed:

#!/bin/bash
# Search for how NSTemplateTier templates are actually loaded and processed
rg "timeoutSeconds" pkg/template -B 5 -A 5

Repository: codeready-toolchain/toolchain-common

Length of output: 62

🏁 Script executed:

#!/bin/bash
# Read the nstemplatetier generator to see how templates are processed
head -300 pkg/template/nstemplatetiers/nstemplatetier_generator.go

Repository: codeready-toolchain/toolchain-common

Length of output: 11300

🏁 Script executed:

#!/bin/bash
# Search for parameter substitution logic
grep -n "parameters\|substitute\|Replace" pkg/template/nstemplatetiers/nstemplatetier_generator.go | head -20

Repository: codeready-toolchain/toolchain-common

Length of output: 2072

🏁 Script executed:

#!/bin/bash
# Look for any yaml processing or content generation
rg "Spec|Content|Resources" pkg/template/nstemplatetiers/nstemplatetier_generator.go -B 2 -A 2 | head -60

Repository: codeready-toolchain/toolchain-common

Length of output: 1652

🏁 Script executed:

#!/bin/bash
# Look at the setParams function to understand how OpenShift templates work
grep -A 30 "^func setParams" pkg/template/nstemplatetiers/nstemplatetier_generator.go

Repository: codeready-toolchain/toolchain-common

Length of output: 1468

🏁 Script executed:

#!/bin/bash
# Search for how TierTemplate resources are consumed/processed
rg "TierTemplate" pkg -A 3 -B 3 | head -100

Repository: codeready-toolchain/member-operator

Length of output: 655

🏁 Script executed:

#!/bin/bash
# Check the TierTemplate API definition
grep -A 20 "type TierTemplate" api/v1alpha1/tiertemplates_types.go

Repository: codeready-toolchain/api

Length of output: 136

🏁 Script executed:

#!/bin/bash
# Find TierTemplate definition files
find api -name "*tier*" -type f | grep -v vendor

Repository: codeready-toolchain/api

Length of output: 213

🏁 Script executed:

#!/an/bash
# Search for TierTemplate type definition
rg "type TierTemplate" api/ -A 15

Repository: codeready-toolchain/api

Length of output: 5378

🏁 Script executed:

#!/bin/bash
# Search for where template content is actually processed/applied
rg "Objects\|Content\|Template" pkg/space -A 3 -B 3 | head -80

Repository: codeready-toolchain/member-operator

Length of output: 129

🏁 Script executed:

#!/bin/bash
# Find where templates are processed
find pkg -name "*.go" -type f | xargs grep -l "TemplateObjects\|processTemplate" | head -5

Repository: codeready-toolchain/member-operator

Length of output: 213

🏁 Script executed:

#!/bin/bash
# Search for Space provisioning logic
rg "provision|template" pkg/controllers -l | head -5

Repository: codeready-toolchain/member-operator

Length of output: 135

🏁 Script executed:

#!/bin/bash
# Look for how TemplateObjects are processed and parameter values substituted
rg "TemplateObjects|Parameter.*substitut|replace.*parameter" pkg -A 3 -B 3 | head -100

Repository: codeready-toolchain/toolchain-common

Length of output: 1401

🏁 Script executed:

#!/bin/bash
# Look at test cases to see how templates are created and parameters substituted
grep -A 10 "IDLER_TIMEOUT" pkg/template/nstemplatetiers/nstemplatetier_generator_test.go | head -30

Repository: codeready-toolchain/toolchain-common

Length of output: 62

🏁 Script executed:

#!/bin/bash
# Check the test data to see actual example templates
cat pkg/template/nstemplatetiers/testdata/nstemplatetiers/base/cluster.yaml | grep -A 5 -B 5 "timeoutSeconds"

Repository: codeready-toolchain/toolchain-common

Length of output: 62

🏁 Script executed:

#!/bin/bash
# Check what the actual templates look like and how they're used
head -200 deploy/templates/nstemplatetiers/base/cluster.yaml | tail -100

Repository: codeready-toolchain/host-operator

Length of output: 2511

🏁 Script executed:

#!/bin/bash
# Check the Idler CRD to verify what type timeoutSeconds should be
rg -A 30 "kind: Idler" api/v1alpha1/ | grep -A 20 "spec:"

Repository: codeready-toolchain/api

Length of output: 49

🏁 Script executed:

#!/bin/bash
# Search for Idler type definition
find api -name "*idler*" -type f

Repository: codeready-toolchain/api

Length of output: 95

🏁 Script executed:

#!/bin/bash
# Search for Idler in all Go files
rg "type Idler" api/

Repository: codeready-toolchain/api

Length of output: 273

🏁 Script executed:

#!/bin/bash
# Get the full IdlerSpec definition
grep -A 15 "type IdlerSpec struct" api/v1alpha1/idler_types.go

Repository: codeready-toolchain/api

Length of output: 837

Fix invalid template parameter syntax for timeoutSeconds (Lines 140, 146).

${{IDLER_TIMEOUT_SECONDS}} is not valid OpenShift template interpolation syntax. The correct syntax is ${IDLER_TIMEOUT_SECONDS} (single braces). Without the fix, the parameter substitution will fail, leaving a literal string that cannot be parsed as the required int32 type for the Idler spec.

Note: This syntax error also exists in other tier templates (base, base1ns) and should be corrected wherever it appears.

Proposed fix 
-    timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}}
+    timeoutSeconds: ${IDLER_TIMEOUT_SECONDS}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/templates/nstemplatetiers/openclaw/cluster.yaml` around lines 140 -
146, The template uses invalid interpolation `${{IDLER_TIMEOUT_SECONDS}}` for
the Idler.spec.timeoutSeconds causing substitution/parsing failures; replace all
occurrences of `${{IDLER_TIMEOUT_SECONDS}}` with the correct OpenShift template
syntax `${IDLER_TIMEOUT_SECONDS}` (including the two places shown: the top-level
timeoutSeconds and the spec.timeoutSeconds inside the Idler resource), and sweep
other tier templates (base, base1ns, etc.) to make the same replacement where
`timeoutSeconds` or similar parameters appear; verify the Idler resource
(metadata name `${SPACE_NAME}-openclaw`, kind Idler) now receives an integer
value.

parameters:
- name: SPACE_NAME
required: true
- name: IDLER_TIMEOUT_SECONDS
# 12 hours
value: "43200"
Loading
Loading