Aplly Validating Admission Policy on repository validation on stg (#8462)

---------

Signed-off-by: Max Shaposhnyk <[email protected]>

Author: mshaposhnik

components/repository-validator/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - validating-admission-policy.yaml
+  - validating-admission-policy-binding.yaml

components/repository-validator/base/validating-admission-policy-binding.yaml

@@ -0,0 +1,24 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: repository-url-validator-binding
+spec:
+  policyName: repository-url-validator
+  validationActions: [Deny, Audit]
+  paramRef:
+    namespace: repository-validator
+    parameterNotFoundAction: Deny
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: repository-validator
+  # Apply to all namespaces except system namespaces
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values:
+        - kube-system
+        - kube-public
+        - kube-node-lease
+        - repository-validator

components/repository-validator/base/validating-admission-policy.yaml

@@ -0,0 +1,41 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: repository-url-validator
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: v1
+    kind: ConfigMap
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["pipelinesascode.tekton.dev"]
+      apiVersions: ["v1alpha1"]
+      operations: ["CREATE", "UPDATE"]
+      resources: ["repositories"]
+  variables:
+    # Parse the JSON config from the ConfigMap
+    - name: allowedPrefixes
+      expression: |
+        has(params.data) && has(params.data['config.json']) ? 
+        json.decode(params.data['config.json']) : []
+    # Check if any prefix is empty (allow-all case)
+    - name: allowAll
+      expression: |
+        size(variables.allowedPrefixes) == 1 &&
+        variables.allowedPrefixes[0] == ""
+  validations:
+    - expression: |
+        variables.allowAll || 
+        variables.allowedPrefixes.exists(prefix, 
+          prefix != "" && object.spec.url.startsWith(prefix)
+        )
+      messageExpression: |
+        'Repository URL "' + object.spec.url + 
+        '" is not allowed on this cluster. Contact support.' 
+      reason: Forbidden
+  auditAnnotations:
+    - key: "repository-url-validation"
+      valueExpression: |
+        'Repository URL: ' + object.spec.url + 
+        ', Allowed prefixes: ' + string(variables.allowedPrefixes)

components/repository-validator/staging/kustomization.yaml

@@ -1,10 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://github.com/konflux-ci/repository-validator/config/ocp?ref=1a1bd5856c7caf40ebf3d9a24fce209ba8a74bd9
-  - https://github.com/redhat-appstudio/internal-infra-deployments/components/repository-validator/staging?ref=da151a856b711f28e49a42658d6c17fec5d228dd
-images:
-  - name: controller
-    newName: quay.io/redhat-user-workloads/konflux-infra-tenant/repository-validator/repository-validator
-    newTag: 1a1bd5856c7caf40ebf3d9a24fce209ba8a74bd9
-namespace: repository-validator
+  -  https://github.com/redhat-appstudio/internal-infra-deployments/components/repository-validator/staging?ref=ae250b8d6062d019ee9e539c655eab91745b4fb0
+  - ../base
+