feat(namespace-configuration): Add operator for namespace management

This patch enables the namespace-configuration-operator, which allows
to deploy object template into all namespaces matching a selector,
making it very useful for management of basic namespace infrastructure.
It also enforces the existence of these objects.

infrastructure/kustomization.yaml

@@ -3,6 +3,8 @@ kind: Kustomization
 resources:
   - sources
   - rook
+  - namespace-configuration
   - postgres
   - openshift-monitoring
   - cert-manager
+

infrastructure/namespace-configuration/kustomization.yaml

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: zalando-postgres
+resources:
+- namespace.yaml
+- subscription.yaml
+- network-policy.yaml

infrastructure/namespace-configuration/namespace.yaml

+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace-configuration-operator

infrastructure/namespace-configuration/network-policy.yaml

+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: NamespaceConfig
+metadata:
+  name: default-networkpolicy
+spec:
+  annotationSelector:
+    matchExpressions:
+      - operator: Exists
+        key: "openshift.io/requester"
+  templates:
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-same-namespace
+          namespace: {{ .Name }}
+        spec:
+          podSelector: {}
+          ingress:
+          - from:
+            - podSelector: {}
+
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-openshift-ingress
+          namespace: {{ .Name }}
+        spec:
+          ingress:
+          - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: ingress
+          podSelector: {}
+          policyTypes:
+          - Ingress
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-openshift-monitoring
+          namespace: {{ .Name }}
+        spec:
+          ingress:
+          - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: monitoring
+          podSelector: {}
+          policyTypes:
+          - Ingress

infrastructure/namespace-configuration/subscription.yaml

+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: namespace-configuration-operator
+  namespace: namespace-configuration-operator
+spec:
+  channel: alpha
+  name: namespace-configuration-operator
+  source: community-operators
+  sourceNamespace: openshift-marketplace

infrastructure/postgres/kustomization.yaml

@@ -4,3 +4,4 @@ namespace: zalando-postgres
 resources:
   - namespace.yaml
   - release.yaml
+  - user-namespace-network-policy.yaml

infrastructure/postgres/user-namespace-network-policy.yaml

+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: NamespaceConfig
+metadata:
+  name: user-namespaces-network-policy-zalando-postgres
+spec:
+  annotationSelector:
+    matchExpressions:
+      - operator: Exists
+        key: "openshift.io/requester"
+  templates:
+    - objectTemplate: |
+        apiVersion: networking.k8s.io/v1
+        kind: NetworkPolicy
+        metadata:
+          name: allow-from-zalando-postgres
+          namespace: {{ .Name }}
+        spec:
+          ingress:
+          - from:
+            - namespaceSelector:
+                matchLabels:
+                  name: zalando-postgres
+          podSelector: {}
+          policyTypes:
+          - Ingress