refactor(api): switching to v1beta2 as storage version

api/v1alpha1/capsuleconfiguration_webhook.go

@@ -0,0 +1,21 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"os"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (in *CapsuleConfiguration) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	certData, _ := os.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")
+	if len(certData) == 0 {
+		return nil
+	}
+
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(in).
+		Complete()
+}

api/v1alpha1/tenant_func.go

@@ -9,14 +9,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-func (in *Tenant) IsCordoned() bool {
-	if v, ok := in.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
-		return true
-	}
-
-	return false
-}
-
 func (in *Tenant) IsFull() bool {
 	// we don't have limits on assigned Namespaces
 	if in.Spec.NamespaceQuota == nil {

api/v1beta1/namespace_options.go

@@ -18,11 +18,11 @@ type NamespaceOptions struct {
 }
 
 func (in *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
-	if _, ok := in.Annotations[ForbiddenNamespaceLabelsAnnotation]; ok {
+	if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsAnnotation]; ok {
 		return true
 	}
 
-	if _, ok := in.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+	if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
 		return true
 	}
 
@@ -30,11 +30,11 @@ func (in *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
 }
 
 func (in *Tenant) hasForbiddenNamespaceAnnotationsAnnotations() bool {
-	if _, ok := in.Annotations[ForbiddenNamespaceAnnotationsAnnotation]; ok {
+	if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; ok {
 		return true
 	}
 
-	if _, ok := in.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+	if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
 		return true
 	}
 
@@ -47,8 +47,8 @@ func (in *Tenant) ForbiddenUserNamespaceLabels() *api.ForbiddenListSpec {
 	}
 
 	return &api.ForbiddenListSpec{
-		Exact: strings.Split(in.Annotations[ForbiddenNamespaceLabelsAnnotation], ","),
-		Regex: in.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation],
+		Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceLabelsAnnotation], ","),
+		Regex: in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation],
 	}
 }
 
@@ -58,7 +58,7 @@ func (in *Tenant) ForbiddenUserNamespaceAnnotations() *api.ForbiddenListSpec {
 	}
 
 	return &api.ForbiddenListSpec{
-		Exact: strings.Split(in.Annotations[ForbiddenNamespaceAnnotationsAnnotation], ","),
-		Regex: in.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation],
+		Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation], ","),
+		Regex: in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation],
 	}
 }

api/v1beta1/tenant_annotations.go

@@ -1,25 +0,0 @@
-// Copyright 2020-2021 Clastix Labs
-// SPDX-License-Identifier: Apache-2.0
-
-package v1beta1
-
-import (
-	"fmt"
-	"strings"
-)
-
-const (
-	ForbiddenNamespaceLabelsAnnotation            = "capsule.clastix.io/forbidden-namespace-labels"
-	ForbiddenNamespaceLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-namespace-labels-regexp"
-	ForbiddenNamespaceAnnotationsAnnotation       = "capsule.clastix.io/forbidden-namespace-annotations"
-	ForbiddenNamespaceAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-namespace-annotations-regexp"
-	ProtectedTenantAnnotation                     = "capsule.clastix.io/protected"
-)
-
-func UsedQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
-}
-
-func HardQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
-}

api/v1beta1/tenant_webhook.go

@@ -0,0 +1,21 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"os"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (in *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	certData, _ := os.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")
+	if len(certData) == 0 {
+		return nil
+	}
+
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(in).
+		Complete()
+}

api/v1beta2/capsuleconfiguration_types.go

@@ -22,10 +22,11 @@ type CapsuleConfigurationSpec struct {
 	ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
 	// Allows to set different name rather than the canonical one for the Capsule configuration objects,
 	// such as webhook secret or configurations.
-	CapsuleResources CapsuleResources `json:"overrides"`
+	// +kubebuilder:default={TLSSecretName:"capsule-tls",mutatingWebhookConfigurationName:"capsule-mutating-webhook-configuration",validatingWebhookConfigurationName:"capsule-validating-webhook-configuration"}
+	CapsuleResources CapsuleResources `json:"overrides,omitempty"`
 	// Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
 	// This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
-	NodeMetadata *NodeMetadata `json:"nodeMetadata"`
+	NodeMetadata *NodeMetadata `json:"nodeMetadata,omitempty"`
 	// Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
 	// when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
 	// +kubebuilder:default=true

api/v1beta2/tenant_annotations.go

@@ -0,0 +1,17 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"fmt"
+	"strings"
+)
+
+func UsedQuotaFor(resource fmt.Stringer) string {
+	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
+}
+
+func HardQuotaFor(resource fmt.Stringer) string {
+	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
+}

api/v1beta2/tenant_conversion_hub.go

@@ -11,6 +11,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 
 	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+	"github.com/clastix/capsule/pkg/api"
 )
 
 func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
@@ -58,28 +59,28 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
 
 		in.Spec.NamespaceOptions.AdditionalMetadata = nsOpts.AdditionalMetadata
 
-		if value, found := annotations[capsulev1beta1.ForbiddenNamespaceLabelsAnnotation]; found {
+		if value, found := annotations[api.ForbiddenNamespaceLabelsAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenLabels.Exact = strings.Split(value, ",")
 
-			delete(annotations, capsulev1beta1.ForbiddenNamespaceLabelsAnnotation)
+			delete(annotations, api.ForbiddenNamespaceLabelsAnnotation)
 		}
 
-		if value, found := annotations[capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation]; found {
+		if value, found := annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenLabels.Regex = value
 
-			delete(annotations, capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation)
+			delete(annotations, api.ForbiddenNamespaceLabelsRegexpAnnotation)
 		}
 
-		if value, found := annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsAnnotation]; found {
+		if value, found := annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenAnnotations.Exact = strings.Split(value, ",")
 
-			delete(annotations, capsulev1beta1.ForbiddenNamespaceAnnotationsAnnotation)
+			delete(annotations, api.ForbiddenNamespaceAnnotationsAnnotation)
 		}
 
-		if value, found := annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation]; found {
+		if value, found := annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; found {
 			in.Spec.NamespaceOptions.ForbiddenAnnotations.Regex = value
 
-			delete(annotations, capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation)
+			delete(annotations, api.ForbiddenNamespaceAnnotationsRegexpAnnotation)
 		}
 	}
 
@@ -126,10 +127,10 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
 		in.Spec.Cordoned = value
 	}
 
-	if _, found := annotations[capsulev1beta1.ProtectedTenantAnnotation]; found {
+	if _, found := annotations[api.ProtectedTenantAnnotation]; found {
 		in.Spec.PreventDeletion = true
 
-		delete(annotations, capsulev1beta1.ProtectedTenantAnnotation)
+		delete(annotations, api.ProtectedTenantAnnotation)
 	}
 
 	in.SetAnnotations(annotations)
@@ -189,19 +190,19 @@ func (in *Tenant) ConvertTo(raw conversion.Hub) error {
 		dst.Spec.NamespaceOptions.AdditionalMetadata = nsOpts.AdditionalMetadata
 
 		if exact := nsOpts.ForbiddenAnnotations.Exact; len(exact) > 0 {
-			annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsAnnotation] = strings.Join(exact, ",")
+			annotations[api.ForbiddenNamespaceAnnotationsAnnotation] = strings.Join(exact, ",")
 		}
 
 		if regex := nsOpts.ForbiddenAnnotations.Regex; len(regex) > 0 {
-			annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation] = regex
+			annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation] = regex
 		}
 
 		if exact := nsOpts.ForbiddenLabels.Exact; len(exact) > 0 {
-			annotations[capsulev1beta1.ForbiddenNamespaceLabelsAnnotation] = strings.Join(exact, ",")
+			annotations[api.ForbiddenNamespaceLabelsAnnotation] = strings.Join(exact, ",")
 		}
 
 		if regex := nsOpts.ForbiddenLabels.Regex; len(regex) > 0 {
-			annotations[capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation] = regex
+			annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation] = regex
 		}
 	}
 
@@ -233,7 +234,7 @@ func (in *Tenant) ConvertTo(raw conversion.Hub) error {
 	dst.Spec.PriorityClasses = in.Spec.PriorityClasses
 
 	if in.Spec.PreventDeletion {
-		annotations[capsulev1beta1.ProtectedTenantAnnotation] = "true" //nolint:goconst
+		annotations[api.ProtectedTenantAnnotation] = "true" //nolint:goconst
 	}
 
 	if in.Spec.Cordoned {