Add tier for -claw namespace

[alexeykazakov]

Paired with codeready-toolchain/host-operator#1265

Summary by CodeRabbit

• New Features

  • Added support for a new "claw" tier with tailored namespaces, quotas, and role bindings.
  • Introduced a namespace ResourceQuota that limits space-requested sub-spaces to 1.

• Tests

  • Updated tier-template expectations to include the new tier.
  • Added end-to-end tests for claw provisioning, space request lifecycle, quota enforcement, and cleanup.

• Chores

  • Included the claw tier in the bundled tier list.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: ff71b088-1124-4e83-a80a-279bad75e24e

📥 Commits

Reviewing files that changed from the base of the PR and between 866e31c and 945521b.

📒 Files selected for processing (1)

• deploy/base1ns-gotemplate/ns_dev.yaml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build & push operator bundles & dashboard image for e2e tests

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• deploy/base1ns-gotemplate/ns_dev.yaml

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator

[::codeready-toolchain/api::]

• No occurrences of "claw" or "compute-spacerequests" found. API types/schema for NSTemplateTier/TierTemplate exist and require no changes. (see api/v1alpha1/nstemplatetier_types.go, tiertemplate_types.go, zz_generated.openapi.go) [::codeready-toolchain/api::]

[::codeready-toolchain/toolchain-common::]

• Several tests and generator code assume the current bundled tier set and/or exact counts:
  • pkg/template/nstemplatetiers/nstemplatetier_generator_test.go — tests verify the number of generated NSTemplateTier/TierTemplate objects (comments/assertions expecting 4 tiers). [::codeready-toolchain/toolchain-common::]
  • pkg/template/nstemplatetiers/nstemplatetier_generator.go — generator loads templates from testdata and produces tiers (init/create functions). Changes to bundled tiers require adding files under testdata/nstemplatetiers and will affect generator behavior. [::codeready-toolchain/toolchain-common::]
  • pkg/hash/hash_test.go and various pkg/test/* helpers reference "base1ns" (tier name) and compute tier hashes; adding a new tier may require updating tests that assert exact sets or specific tier names. [::codeready-toolchain/toolchain-common::]

[::codeready-toolchain/host-operator::]

• Bundled NSTemplateTier templates and code that enumerates/validates them will need updates to add "claw":
  • deploy/templates/nstemplatetiers/ — current bundled tiers live here (base1ns variants, base). To support "claw" you must add deploy/templates/nstemplatetiers/claw/* (tier.yaml, namespace templates, cluster resources, space roles, metadata). (see deploy/resources.go and make files referencing NSTemplateTiersFS) [::codeready-toolchain/host-operator::]
  • pkg/templates/nstemplatetiers/nstemplatetier_generator_test.go — unit tests load and assert bundled tiers/templates; they assert counts and specific template refs (multiple places). These tests will need updates to include "claw" and the new template files. [::codeready-toolchain/host-operator::]
  • pkg/templates/nstemplatetiers/nstemplatetier_generator.go — SyncResources/Delete logic relies on the set of bundled tiers (it removes tiers no longer bundled). Adding "claw" requires updating the embedded FS and any code/tests that validate the bundle. [::codeready-toolchain/host-operator::]
  • controllers and controller tests (controllers/nstemplatetier/, controllers/tiertemplate/ and many tests under test/nstemplatetier, test/tiertemplate) build and assert NSTemplateTier fixtures (Base1nsTier/CurrentBase1nsTemplates). Those tests may need adjustments where they assert exact numbers of TierTemplates/NSTemplateTier refs. Examples: controllers/nstemplatetier/nstemplatetier_controller_test.go (initTierTemplates, verify expectations). [::codeready-toolchain/host-operator::]

Cross-repo assessment (relevant to this PR pair)

• The e2e repo changes add a "claw" tier and a new ResourceQuota name (compute-spacerequests). I found no existing "claw" or that ResourceQuota in these three repos. For the e2e tests to pass, the paired host-operator PR must add the bundled "claw" templates (deploy/templates/nstemplatetiers/claw/*) and update embedded/template FS and generator tests. Additionally, toolchain-common unit tests and helpers that assert exact bundled tier counts/names likely require updates to include "claw". The API repo requires no change. [::codeready-toolchain/api::] [::codeready-toolchain/toolchain-common::] [::codeready-toolchain/host-operator::]

🔇 Additional comments (1)

deploy/base1ns-gotemplate/ns_dev.yaml (1)

124-131: LGTM!

---

Walkthrough

Registers a new claw NSTemplate tier, implements its TierChecks and helpers (quotas, RBAC, ClusterResourceQuota), updates bundled tiers and base tier checks, adds an E2E test validating claw SpaceRequest provisioning and quota enforcement, and raises the TierTemplate count assertion.

Changes

Claw tier end-to-end testing

Layer / File(s)	Summary
Tier registration testsupport/tiers/checks.go, testsupport/wait/host.go	Adds the claw tier constant, wires NewChecksForTier to return clawTierChecks, and appends "claw" to BundledNSTemplateTiers.
Claw TierChecks and helpers testsupport/tiers/checks.go	Implements clawTierChecks with namespace ResourceQuota, network policy, template ref, and RBAC checks; adds clusterResourceQuotaClaw, resourceQuotaComputeDeployNoScope, RBAC helper checks, and idler/ClusterResourceQuota assertions.
Base/base1ns namespace quota additions testsupport/tiers/checks.go	Adds resourceQuotaSpaceRequests() expectation to base and base1ns namespace checks to assert compute-spacerequests hard limit.
Claw SpaceRequest E2E test & TierTemplate assertion test/e2e/parallel/spacerequest_test.go, test/e2e/parallel/nstemplatetier_test.go, deploy/base1ns-gotemplate/ns_dev.yaml	Adds imports for explicit error assertions and TestCreateClawSpaceRequest to provision/verify a claw sub-space via SpaceRequest (including forbidden-error assertion for duplicate requests), updates the TierTemplate minimum count from 19 to 22, and inserts a compute-spacerequests ResourceQuota into the base1ns dev template.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

feature, test

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 7.14% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add tier for -claw namespace' accurately describes the main change: introducing a new 'claw' tier with associated namespace configurations, test cases, and support infrastructure.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@testsupport/tiers/checks.go`:
- Around line 596-603: The CRQ currently only sets
hard[count("deployments.apps")] and hard[count("routes.route.openshift.io")],
allowing deploymentconfigs and ingresses to bypass limits; update the hard quota
map to also set hard[count("deploymentconfigs.apps")] and
hard[count("ingresses.extensions")] (using resource.ParseQuantity like the other
entries) alongside the existing hard[count(corev1.ResourcePods)] and
hard[count(corev1.ResourceServices)] assignments so the claw CRQ matches the
existing deployment/route quota surface (refer to the hard map,
count("deployments.apps"), count("routes.route.openshift.io"), and the
resource.ParseQuantity calls).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 523212f8-4753-4911-9065-7386ab99ca49

📥 Commits

Reviewing files that changed from the base of the PR and between b57dc7a and 8287436.

📒 Files selected for processing (4)

• test/e2e/parallel/nstemplatetier_test.go
• test/e2e/parallel/spacerequest_test.go
• testsupport/tiers/checks.go
• testsupport/wait/host.go

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: govulncheck
• GitHub Check: GolangCI Lint
• GitHub Check: Build & push operator bundles & dashboard image for e2e tests

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• test/e2e/parallel/nstemplatetier_test.go
• testsupport/wait/host.go
• test/e2e/parallel/spacerequest_test.go
• testsupport/tiers/checks.go

🪛 GitHub Check: SonarCloud Code Analysis

testsupport/tiers/checks.go

[failure] 633-633: Define a constant instead of duplicating this literal "compute-deploy" 4 times.

See more on https://sonarcloud.io/project/issues?id=codeready-toolchain_toolchain-e2e&issues=AZ5IY1iQIQnTQqJg8rkM&open=AZ5IY1iQIQnTQqJg8rkM&pullRequest=1282

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator

[::codeready-toolchain/api::]

• NSTemplateTier types and generated deepcopy/openapi are present; no code referencing a specific tier name found here. Files:
  • api/v1alpha1/nstemplatetier_types.go (type definitions)
  • api/v1alpha1/zz_generated.deepcopy.go (deepcopy)
  • api/v1alpha1/zz_generated.openapi.go (openapi)

[::codeready-toolchain/toolchain-common::]

• Tier generator and test helpers that create/handle NSTemplateTier objects — adding a new bundled tier likely requires providing templates that the generator will load:
  • pkg/template/nstemplatetiers/nstemplatetier_generator.go — generates/creates NSTemplateTier resources from bundled templates; error if unexpected number of tiers.
  • pkg/template/nstemplatetiers/testdata/nstemplatetiers/* (tier.yaml test data)
  • pkg/templates/nstemplatetiers/nstemplatetier_generator_test.go — tests expect specific tier names (cases include "base1ns", "base1nsnoidling", "base1ns6didler", "test"); new tier name "claw" is not present here and tests may need updating.
• Code that computes/applies tier hashes and labels (affects Spaces/NSTemplateSet logic):
  • pkg/hash/hash.go and hash tests reference specific tier-name patterns (e.g., "base1ns-*").
• Test fixtures and helpers assume default tier names (many occurrences of "base1ns") and may need to be updated to include/handle "claw":
  • pkg/test/space/space.go, pkg/test/nstemplateset/nstemplateset.go, pkg/test/socialevent/socialevent.go and multiple tests reference "base1ns".

[::codeready-toolchain/host-operator::]

• Host operator contains the bundled NSTemplateTier templates and controllers that consume NSTemplateTier CRs; adding a new bundled tier requires adding its template files and possibly updating lists of bundled tiers:
  • deploy/templates/nstemplatetiers/base1ns/tier.yaml (existing bundled tier templates)
  • deploy/templates/nstemplatetiers/base/tier.yaml
  • pkg/templates/nstemplatetiers/nstemplatetier_generator.go — SyncResources / LoadFiles loads deploy.NSTemplateTiersFS; uses bundledTierKeys and removeNoLongerBundledTiers to delete tiers no longer bundled.
  • test/nstemplatetier/nstemplatetier.go — test helpers / sample NSTemplateTier specs (PreviousBase1nsTemplates, CurrentBase1nsTemplates).
  • controllers/** (space, usersignup, spacerequest, nstemplatetier controllers) — many controllers read NSTemplateTier by name (validate/get) and rely on tiers being present; tests reference "base1ns" widely (e.g., controllers/usersignup/, controllers/space/, controllers/spacerequest/*).
• CRD manifests present for NSTemplateTier:
  • config/crd/bases/toolchain.dev.openshift.com_nstemplatetiers.yaml

Implications (observed evidence)

• The host-operator loads bundled NSTemplateTier templates from deploy/templates/nstemplatetiers via the generator; to actually bundle a new "claw" tier you must add its template files under deploy/templates/nstemplatetiers and ensure the generator picks them up. [::codeready-toolchain/host-operator::pkg/templates/nstemplatetiers/nstemplatetier_generator.go, deploy/templates/nstemplatetiers/*]
• Many components/tests in host-operator and toolchain-common assume default tiers (numerous references to "base1ns"). Adding a new tier in e2e tests (toolchain-e2e) may be sufficient for tests, but production code/users of host-operator will only see the new tier if host-operator is updated to bundle/install the "claw" NSTemplateTier templates. [::codeready-toolchain/host-operator::controllers/*] [::codeready-toolchain/toolchain-common::pkg/template/nstemplatetiers/nstemplatetier_generator.go]
• Tests and generator unit tests that enumerate expected tiers (toolchain-common and host-operator tests) may need updates to include "claw" where explicit expectations exist (e.g., test cases and length/assertions). Examples:
  • toolchain-common: pkg/template/nstemplatetiers/nstemplatetier_generator_test.go (case lists), pkg/template/nstemplatetiers/testdata
  • host-operator: controllers/nstemplatetier_controller_test.go and many controller tests referencing "base1ns" in expectations. [::codeready-toolchain/toolchain-common::pkg/template/nstemplatetiers/nstemplatetier_generator_test.go] [::codeready-toolchain/host-operator::controllers/nstemplatetier_controller_test.go]

Conclusion

• Cross-repo: API CRD types exist in api repo and do not need changes.
• To fully support the new "claw" tier beyond e2e tests, host-operator must bundle corresponding NSTemplateTier template files (deploy/templates/nstemplatetiers) so controllers/generator/loaders see it; toolchain-common/unit tests and host-operator controller tests that assert exact sets/counts of tiers should be reviewed/updated to include "claw" where applicable.
• I found cross-repo references that are relevant to this PR and its paired host-operator PR.

🔇 Additional comments (4)

test/e2e/parallel/spacerequest_test.go (1)

14-16: LGTM!

Also applies to: 346-414

test/e2e/parallel/nstemplatetier_test.go (1)

304-306: LGTM!

testsupport/tiers/checks.go (1)

35-35: LGTM!

Also applies to: 66-67, 531-582, 618-692

testsupport/wait/host.go (1)

53-53: Verify the paired host-operator change is always deployed with this bundled-tier update.

Once claw is listed here, shared helpers will treat it as always present. If an environment still runs a host-operator build without bundled claw templates, tier discovery/wait logic will fail against a missing tier.

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
12.3% Duplication on New Code

See analysis details on SonarQube Cloud

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [MatousJobanek,alexeykazakov]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment