(#66) Project managed namespaces

This patch uses the existing #ManagedNamespaces definition to create and
manage namespaces on the provisioner and workload clusters so that
SecretStore and eso-creds-refresher resources are managed in the project
environment namespaces and the project stage system namespace.

docs/examples/helpers.cue

@@ -13,12 +13,10 @@ import "encoding/yaml"
 			}
 		}
 		Namespace?: [Name=_]: #Namespace & {metadata: name: Name}
-		SecretStore?: [Name=_]: #SecretStore & {_namespace: Name}
 		ExternalSecret?: [Name=_]: #ExternalSecret & {_name: Name}
 		VirtualService?: [Name=_]: #VirtualService & {metadata: name: Name}
 		Issuer?: [Name=_]: #Issuer & {metadata: name: Name}
 		Gateway?: [Name=_]: #Gateway & {metadata: name: Name}
-		Certificate?: [Name=_]: #Certificate & {metadata: name: Name}
 	}
 
 	// apiObjectMap holds the marshalled representation of apiObjects

docs/examples/platforms/reference/clusters/projects.cue

@@ -22,3 +22,10 @@ _Projects: #Projects & {
 		}
 	}
 }
+
+// Manage namespaces for platform project environments.
+for project in _Projects {
+	for ns in project.managedNamespaces {
+		#ManagedNamespaces: (ns.namespace.metadata.name): ns
+	}
+}

docs/examples/platforms/reference/platform_projects.cue

@@ -19,6 +19,7 @@ import "strings"
 
 	// ExtAuthzHosts maps host names to the backend environment namespace for ExtAuthz.
 	let ExtAuthzHosts = {
+		// Initialize all stages, even if they have no environments.
 		for stage in project.stages {
 			(stage.name): {}
 		}
@@ -62,25 +63,6 @@ import "strings"
 
 	workload: resources: {
 		for stage in project.stages {
-			// System namespace for each project stage
-			let SystemName = "\(stage.slug)-system"
-			(SystemName): #KubernetesObjects & {
-				apiObjectMap: (#APIObjects & {
-					apiObjects: Namespace: (SystemName):   _
-					apiObjects: SecretStore: (SystemName): _
-				}).apiObjectMap
-			}
-
-			// Project namespace for each project environment
-			"\(stage.slug)-namespaces": #KubernetesObjects & {
-				apiObjectMap: (#APIObjects & {
-					for env in project.environments if env.stage == stage.name {
-						apiObjects: Namespace: (env.slug):   _
-						apiObjects: SecretStore: (env.slug): _
-					}
-				}).apiObjectMap
-			}
-
 			// Istio Gateway
 			"\(stage.slug)-gateway": #KubernetesObjects & {
 				apiObjectMap: (#APIObjects & {
@@ -98,15 +80,6 @@ import "strings"
 
 	provisioner: resources: {
 		for stage in project.stages {
-			"\(stage.slug)-namespaces": #KubernetesObjects & {
-				apiObjectMap: (#APIObjects & {
-					apiObjects: Namespace: "\(stage.slug)-system": _
-					for env in project.environments if env.stage == stage.name {
-						apiObjects: Namespace: (env.slug): _
-					}
-				}).apiObjectMap
-			}
-
 			"\(stage.slug)-certs": #KubernetesObjects & {
 				apiObjectMap: (#APIObjects & {
 					for host in ExtAuthzHosts[stage.name] {

docs/examples/project_types.cue

@@ -23,6 +23,27 @@ import h "github.com/holos-run/holos/api/v1alpha1"
 	// clusters are the cluster names the project is configured on.
 	clusters: [Name=string]: #Cluster & {name: Name}
 
+	// managedNamespaces ensures project namespaces have SecretStores that can sync ExternalSecrets from the provisioner cluster.
+	managedNamespaces: {
+		// Define the shape of a managed namespace.
+		[Name=_]: #ManagedNamespace & {
+			namespace: metadata: name: Name
+			clusterNames: ["provisioner", for c in clusters {c.name}]
+		}
+
+		// Manage a system namespace for each stage in the project.
+		for stage in stages {
+			for ns in stage.namespaces {
+				(ns.name): _
+			}
+		}
+
+		// Manage a namespace for each environment in the project.
+		for env in environments {
+			(env.namespace): _
+		}
+	}
+
 	// features is YAGNI maybe? 
 	features: [Name=string]: #Feature & {name: Name}
 }
@@ -47,6 +68,9 @@ import h "github.com/holos-run/holos/api/v1alpha1"
 	name:    string
 	project: string
 	slug:    "\(name)-\(project)"
+	// Manage a system namespace for each stage
+	namespaces: [Name=_]: name: Name
+	namespaces: "\(name)-\(project)-system": _
 }
 
 #Feature: {

pkg/version/embedded/patch

@@ -1 +1 @@
-0
+1