Provisionning Ns + TearDown Ns

tools/kubernetes.go

@@ -208,6 +208,43 @@ func (k *KubernetesService) CreateRoleBinding(ctx context.Context, ns string, ro
 	return nil
 }
 
+// ProvisionExecutionNamespace creates the full Argo execution environment for a
+// namespace: namespace, service-account, role and role-binding. Idempotent — if
+// the namespace already exists the call is a no-op.
+func (k *KubernetesService) ProvisionExecutionNamespace(ctx context.Context, ns string) error {
+	existing, err := k.GetNamespace(ctx, ns)
+	if err != nil {
+		return err
+	}
+	if existing != nil {
+		return nil
+	}
+	if err := k.CreateNamespace(ctx, ns); err != nil {
+		return err
+	}
+	if err := k.CreateServiceAccount(ctx, ns); err != nil {
+		return err
+	}
+	role := "argo-role"
+	if err := k.CreateRole(ctx, ns, role,
+		[][]string{{"coordination.k8s.io"}, {""}, {""}},
+		[][]string{{"leases"}, {"secrets"}, {"pods"}},
+		[][]string{{"get", "create", "update"}, {"get"}, {"patch"}},
+	); err != nil {
+		return err
+	}
+	return k.CreateRoleBinding(ctx, ns, "argo-role-binding", role)
+}
+
+// TeardownExecutionNamespace deletes the namespace and lets Kubernetes cascade
+// the deletion of all contained resources (SA, Role, RoleBinding, pods…).
+func (k *KubernetesService) TeardownExecutionNamespace(ctx context.Context, ns string) error {
+	if err := k.Set.CoreV1().Namespaces().Delete(ctx, ns, metav1.DeleteOptions{}); err != nil {
+		return errors.New("error deleting namespace " + ns + ": " + err.Error())
+	}
+	return nil
+}
+
 func (k *KubernetesService) DeleteNamespace(ctx context.Context, ns string, f func()) error {
 	targetGVR := schema.GroupVersionResource{
 		Group:    "multicluster.admiralty.io",