github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-02-14 09:59:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: use cert-manager certificates by default (#1818)

Browse Source 
* fix(controller): decode old object for delete requests

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: modernize golang

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): use cert-manager certificates by default

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: move dependencies to trackable resources

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: move dependencies to trackable resources

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: move dependencies to trackable resources

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: move dependencies to trackable resources

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: move dependencies to trackable resources

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: move dependencies to trackable resources

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
This commit is contained in:
Oliver Bähler
2026-01-06 11:18:56 +01:00
committed by GitHub
parent 26cd514fc2
commit 0515880bf2
6 changed files with 78 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
Makefile
View File

@@ -99,9 +99,7 @@ helm-test: kind
helm-test-exec: ct helm-controller-version ko-build-all helm-test-exec: ct helm-controller-version ko-build-all
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0 $(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
@$(KUBECTL) create ns capsule-system || true @$(KUBECTL) create ns capsule-system || true
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/v5.18.0/crds.yaml $(MAKE) dev-install-deps
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug @$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
# Setup development env # Setup development env
@@ -113,12 +111,27 @@ dev-build: kind
dev-destroy: kind dev-destroy: kind
$(KIND) delete cluster --name capsule $(KIND) delete cluster --name capsule
dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds dev-install-grafana-operator-crds dev-install-prometheus-crds wait-for-helmreleases
API_GW := none API_GW := none
API_GW_VERSION := v1.3.0 API_GW_VERSION := v1.3.0
API_GW_LOOKUP := kubernetes-sigs/gateway-api API_GW_LOOKUP := kubernetes-sigs/gateway-api
dev-install-deps: dev-install-gw-api-crds:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml @$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
GRAFANA := none
GRAFANA_VERSION := v5.18.0
GRAFANA_LOOKUP := grafana/grafana-operator
dev-install-grafana-operator-crds:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/$(GRAFANA_VERSION)/crds.yaml
PROMETHEUS := none
PROMETHEUS_VERSION := v0.58.0
PROMETHEUS_LOOKUP := prometheus-operator/prometheus-operator
dev-install-prometheus-crds:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/$(PROMETHEUS_VERSION)/bundle.yaml
# Usage: # Usage:
# LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup # LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
# For example: # For example:
@@ -191,9 +204,13 @@ dev-setup-argocd: dev-setup-fluxcd
@printf " \033[1mkubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d\033[0m\n\n" @printf " \033[1mkubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d\033[0m\n\n"
@printf " \033[1mkubectl port-forward svc/argocd-server 9091:80 -n argocd\033[0m\n\n" @printf " \033[1mkubectl port-forward svc/argocd-server 9091:80 -n argocd\033[0m\n\n"
dev-setup-cert-manager:
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
dev-setup-fluxcd: dev-setup-fluxcd:
@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f - @$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -
# Here to setup the current capsule version # Here to setup the current capsule version
# Intended to test updates to new version # Intended to test updates to new version
dev-setup-capsule: dev-setup-fluxcd dev-setup-capsule: dev-setup-fluxcd
@@ -307,6 +324,7 @@ e2e-install: ko-build-all
--install \ --install \
--namespace capsule-system \ --namespace capsule-system \
--create-namespace \ --create-namespace \
--set 'replicaCount=2'\
--set 'manager.image.pullPolicy=Never' \ --set 'manager.image.pullPolicy=Never' \
--set 'manager.resources=null'\ --set 'manager.resources=null'\
--set "manager.image.tag=$(VERSION)" \ --set "manager.image.tag=$(VERSION)" \

6
charts/capsule/README.md
View File

@@ -67,7 +67,7 @@ The following Values have changed key or Value:
|-----|------|---------|-------------| |-----|------|---------|-------------|
| affinity | object | `{}` | Set affinity rules for the Capsule pod | | affinity | object | `{}` | Set affinity rules for the Capsule pod |
| certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate | | certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate |
| certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager | | certManager.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
| customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart | | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart | | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
| extraManifests | list | `[]` | Array of additional resources to be created alongside Capsule helm chart | | extraManifests | list | `[]` | Array of additional resources to be created alongside Capsule helm chart |
@@ -89,8 +89,8 @@ The following Values have changed key or Value:
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. | | tls.create | bool | `false` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. | | tls.enableController | bool | `false` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. | | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
| tolerations | list | `[]` | Set list of tolerations for the Capsule pod | | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod | | topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |

4
charts/capsule/ci/ha-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
replicaCount: 2
manager:
extraArgs:
- "--enable-leader-election=true"

6
charts/capsule/values.yaml
View File

@@ -83,9 +83,9 @@ crds:
# Secret Options # Secret Options
tls: tls:
# -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
enableController: true enableController: false
# -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. # -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion.
create: true create: false
# -- Override name of the Capsule TLS Secret name when externally managed. # -- Override name of the Capsule TLS Secret name when externally managed.
name: "" name: ""
@@ -320,7 +320,7 @@ serviceAccount:
certManager: certManager:
# -- Specifies whether capsule webhooks certificates should be generated using cert-manager # -- Specifies whether capsule webhooks certificates should be generated using cert-manager
generateCertificates: false generateCertificates: true
# -- Specify additional SANS to add to the certificate # -- Specify additional SANS to add to the certificate
additionalSANS: [] additionalSANS: []
# -- Additional labels which will be added to all resources created by Capsule helm chart # -- Additional labels which will be added to all resources created by Capsule helm chart

4
hack/distro/cert-manager/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- release.flux.yaml

42
hack/distro/cert-manager/release.flux.yaml Normal file
View File

@@ -0,0 +1,42 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: flux-system
spec:
serviceAccountName: kustomize-controller
interval: 15s
timeout: 10m
targetNamespace: cert-manager
releaseName: "cert-manager"
chart:
spec:
chart: cert-manager
version: "1.19.2"
sourceRef:
kind: HelmRepository
name: cert-manager
interval: 24h
install:
createNamespace: true
remediation:
retries: -1
upgrade:
remediation:
remediateLastFailure: true
retries: -1
driftDetection:
mode: enabled
values:
crds:
enabled: true
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cert-manager
namespace: flux-system
spec:
interval: 24h0m0s
url: https://charts.jetstack.io