#21 add C3I-as-a-service job c3iaas-request-project
Merged by rayson. Opened by rayson.
rayson/c3i-library c3iaas-create-proj  into  master

This will add an OpenShift pipeline job to allow a user to request a new project
in a configured OpenShift cloud.

Instead of referencing an external Jenkinsfile in the BuildConfig,
we define the pipeline job in vars/c3iaasRequestProjectJob.groovy
and call it from an inline Jenkinsfile.
The reason is that we want to "hardcode" some configurations that are produced
from the OpenShift template so that users can't override them through build parameters.
See https://jenkins.io/doc/book/pipeline/shared-libraries/#defining-declarative-pipelines
for more information.

@mikeb @csomh @gnaponie This implements the on-demand OpenShift project creation job for C3I clients. PTAL.

Test runs: https://jenkins-c3i.cloud.paas.psi.redhat.com/job/c3i/job/c3i-c3iaas-request-project
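The pattern the PR description outlines, as an added sketch that is not the code from this PR: a declarative pipeline defined in a shared-library `vars/` file, where values coming from the inline Jenkinsfile are plain arguments and only `PROJECT_NAME` is a build parameter. The file name, the keys of `fixed`, the quota contents and the name regex are assumptions; the `openshift.*` calls assume the OpenShift Client Jenkins plugin.

```groovy
// vars/requestProjectExample.groovy  (hypothetical name; illustrative only)
// Inline Jenkinsfile in the BuildConfig would contain a call such as:
//   requestProjectExample(cluster: 'example-cluster',
//                         credentialsId: 'example-sa-token', cpuLimit: '2')
def call(Map fixed) {
  pipeline {
    agent any
    // Only what is declared here can be set by the person starting a build.
    // Everything in `fixed` comes from the inline Jenkinsfile and cannot be
    // overridden through build parameters.
    parameters {
      string(name: 'PROJECT_NAME', defaultValue: '',
             description: 'Name of the new project; must start with c3i-')
    }
    stages {
      stage('Validate input') {
        steps {
          script {
            ['cluster', 'credentialsId', 'cpuLimit'].each { key ->
              if (!fixed[key]) { error("missing fixed setting: ${key}") }
            }
            // Explicit prefix check (no auto-prefixing), DNS-label charset,
            // at most 63 characters in total.
            if (!(params.PROJECT_NAME ==~ /c3i-[a-z0-9]([-a-z0-9]{0,57}[a-z0-9])?/)) {
              error('PROJECT_NAME must start with "c3i-" and be a valid project name')
            }
          }
        }
      }
      stage('Create project') {
        steps {
          script {
            // No echo of `fixed` or env here: debug output can leak secrets.
            openshift.withCluster(fixed.cluster) {
              openshift.withCredentials(fixed.credentialsId) {
                openshift.newProject(params.PROJECT_NAME)
                // Quota is created inside the new project, so it is project-scoped.
                openshift.withProject(params.PROJECT_NAME) {
                  openshift.create([apiVersion: 'v1', kind: 'ResourceQuota',
                    metadata: [name: 'example-quota'],
                    spec: [hard: ['limits.cpu': fixed.cpuLimit]]])
                }
              }
            }
          }
        }
      }
    }
  }
}
```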

rebased onto 62c51047b6b6f9a999532ae3b48da60e5f9bbbe8

rebased onto 9b793ea66bcd50abfbc7e6564cf564a2a6b3dd7b

Test runs: https://jenkins-c3i.cloud.paas.psi.redhat.com/job/c3i/job/c3i-c3iaas-request-project

I cannot log in with OpenShift. After entering correct credentials the "Log in with OpenShift" button shows again. (If I don't have access to given project on OpenShift, why doesn't it say so?)

Test runs: https://jenkins-c3i.cloud.paas.psi.redhat.com/job/c3i/job/c3i-c3iaas-request-project

I cannot log in with OpenShift. After entering correct credentials the "Log in with OpenShift" button shows again. (If I don't have access to given project on OpenShift, why doesn't it say so?)

I've seen some issues with OpenShift OAuth. Maybe you can try incognito mode or clean up your browser cache.

We might have discussed this in the past already, but I'll ask it again anyways: wouldn't it be the same to make this a symlink? B/c the way it is used currently is very similar to that.

I assume this is here for debugging purposes, but it also can leak secrets. Would it make sense to remove it?

In case the c3i- prefix is a requirement, I think it would be easier for users, if it would be automatically added if missing.

Why does this say 'delete'?

Hm, I was expecting, for each project to have its own quota, but this seems to be shared instead. Will not this create issues later on?

Thanks @rayson, this is very nice! I had a few comments.

Each project has its own quota, because the quota is created in the project (this method is called inside an openshift.withProject(env.PROJECT_NAME)). The quota of each project will be independent, but will count against the total cluster quota assigned to the service account.

Should the last argument be projectName instead of 'c3i-temp'?

One question, but otherwise it looks great!

Should this also grant view permissions to the system:authenticated group?

rebased onto 0468f41dc0c7c16cf17546f678ad8ebbce70a66c

We might have discussed this in the past already, but I'll ask it again anyways: wouldn't it be the same to make this a symlink? B/c the way it is used currently is very similar to that.

Sounds good to me. I will make a change.

I assume this is here for debugging purposes, but it also can leak secrets. Would it make sense to remove it?

Yes, it is a leftover.

In case the c3i- prefix is a requirement, I think it would be easier for users, if it would be automatically added if missing.

Auto adding the prefix may cause confusion. I would prefer explicit over implicit.
I am also considering making PROJECT_NAME a mandatory parameter rather than generating a name if unspecified. What do you think?

Why does this say 'delete'?

It is a leftover. Let me remove it.

Hm, I was expecting, for each project to have its own quota, but this seems to be shared instead. Will not this create issues later on?

It is a project-scoped quota. @mikeb already gave a good explanation.

Thanks @rayson, this is very nice! I had a few comments.

Thanks, I'll make an update. Please take another look.

Should the last argument be projectName instead of 'c3i-temp'?

This is a mistake. I will fix it.

Should this also grant view permissions to the system:authenticated group?

Sounds good. I'd like to add a new build parameter to let the user make the choice, but the default behavior is open to the system:authenticated group.

rebased onto 905c05fb34083a47838f6b9aed17963f31dd9e27

rebased onto 0608dff097a9d0ae7b6c62b031e9a2fe6d517b40

rebased onto d276195c9c2c93026e2345a5d5b4e172ff2e21af

Thanks @rayson, this looks good :thumbsup:

@csomh Thanks!

Pull-Request has been merged by rayson