chore(RHTAPWATCH-1169): Reduce permissions in the appstudio-env tier

Restrict the permissions the service account in ephemeral namespace
has in creating, updating and patching the Routes and
Ingresses resources.

Jira-Url: https://issues.redhat.com/browse/RHTAPWATCH-1169
Signed-off-by: Homaja Marisetty <[email protected]>

components/sandbox/tiers/src/appstudio-env/cluster.yaml

@@ -38,8 +38,8 @@ objects:
   spec:
     quota:
       hard:
-        count/ingresses.extensions: "30"
-        count/routes.route.openshift.io: "30"
+        count/ingresses.extensions: "0"
+        count/routes.route.openshift.io: "0"
     selector:
       annotations: null
       labels:

components/sandbox/tiers/staging/appstudio-env/kustomization.yaml

@@ -7,6 +7,7 @@ kind: Kustomization
 resources:
 - nstemplatetier-appstudio-env.yaml
 - tiertemplate-appstudio-env-admin-37575401-37575401.yaml
+- tiertemplate-appstudio-env-clusterresources-1854252301-1854252301.yaml
 - tiertemplate-appstudio-env-clusterresources-266544570-266544570.yaml
 - tiertemplate-appstudio-env-contributor-37575401-37575401.yaml
 - tiertemplate-appstudio-env-env-1082365650-1082365650.yaml

components/sandbox/tiers/staging/appstudio-env/nstemplatetier-appstudio-env.yaml

@@ -9,7 +9,7 @@ metadata:
   namespace: toolchain-host-operator
 spec:
   clusterResources:
-    templateRef: appstudio-env-clusterresources-266544570-266544570
+    templateRef: appstudio-env-clusterresources-1854252301-1854252301
   namespaces:
   - templateRef: appstudio-env-env-1082365650-1082365650
   spaceRequestConfig:

components/sandbox/tiers/staging/appstudio-env/tiertemplate-appstudio-env-clusterresources-1854252301-1854252301.yaml

@@ -0,0 +1,140 @@
+# ----------------------------------------------------------------
+# Generated by cli - DO NOT EDIT
+# ----------------------------------------------------------------
+
+apiVersion: toolchain.dev.openshift.com/v1alpha1
+kind: TierTemplate
+metadata:
+  name: appstudio-env-clusterresources-1854252301-1854252301
+  namespace: toolchain-host-operator
+spec:
+  revision: 1854252301-1854252301
+  template:
+    apiVersion: template.openshift.io/v1
+    kind: Template
+    metadata: {}
+    objects:
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-deployments
+      spec:
+        quota:
+          hard:
+            count/deploymentconfigs.apps: "30"
+            count/deployments.apps: "30"
+            count/pods: "150"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-replicas
+      spec:
+        quota:
+          hard:
+            count/replicasets.apps: "30"
+            count/replicationcontrollers: "30"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-routes
+      spec:
+        quota:
+          hard:
+            count/ingresses.extensions: "0"
+            count/routes.route.openshift.io: "0"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-jobs
+      spec:
+        quota:
+          hard:
+            count/cronjobs.batch: "30"
+            count/daemonsets.apps: "30"
+            count/jobs.batch: "30"
+            count/statefulsets.apps: "30"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-services
+      spec:
+        quota:
+          hard:
+            count/services: "30"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-bc
+      spec:
+        quota:
+          hard:
+            count/buildconfigs.build.openshift.io: "30"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-secrets
+      spec:
+        quota:
+          hard:
+            count/secrets: "100"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: quota.openshift.io/v1
+      kind: ClusterResourceQuota
+      metadata:
+        name: for-${SPACE_NAME}-cm
+      spec:
+        quota:
+          hard:
+            count/configmaps: "100"
+        selector:
+          annotations: null
+          labels:
+            matchLabels:
+              toolchain.dev.openshift.com/space: ${SPACE_NAME}
+    - apiVersion: toolchain.dev.openshift.com/v1alpha1
+      kind: Idler
+      metadata:
+        name: ${SPACE_NAME}-env
+      spec:
+        timeoutSeconds: ${{IDLER_TIMEOUT_SECONDS}}
+    parameters:
+    - name: SPACE_NAME
+      required: true
+    - name: IDLER_TIMEOUT_SECONDS
+      value: "0"
+  tierName: appstudio-env
+  type: clusterresources