feat: add dynamic capsule user evaluation (#1811)

* chore: improve dev targets Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(controller): implement deterministic rolebinding reflection Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(controller): capsule users are determined from configuration status Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(tenantowners): added agreggate option - tenantowners are always considered capsule users Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(tenantowner): add implicit aggregation for tenants Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: remove helm flags Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * fix(config): remove usergroups default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2026-02-14 18:09:58 +00:00 · 2025-12-31 11:37:30 +01:00
parent bbbb9a2aa1
commit 730151cb44
44 changed files with 1441 additions and 290 deletions
--- a/hack/distro/capsule/example-setup/kustomization.yaml
+++ b/hack/distro/capsule/example-setup/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - owners.yaml
+  - tenants.yaml
+  - resource.yaml
--- a/hack/distro/capsule/example-setup/owners.yaml
+++ b/hack/distro/capsule/example-setup/owners.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: capsule.clastix.io/v1beta2
+kind: TenantOwner
+metadata:
+  labels:
+    team: devops
+  name: devops
+spec:
+  kind: Group
+  name: "oidc:org:devops"
+---
+apiVersion: capsule.clastix.io/v1beta2
+kind: TenantOwner
+metadata:
+  labels:
+    team: platform
+  name: platform
+spec:
+  kind: Group
+  name: "oidc:org:platform"
--- a/hack/distro/capsule/example-setup/resource.yaml
+++ b/hack/distro/capsule/example-setup/resource.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: capsule.clastix.io/v1beta2
+kind: GlobalTenantResource
+metadata:
+  name: custom-cm
+  namespace: solar-system
+spec:
+  resyncPeriod: 60s
+  resources:
+    - additionalMetadata:
+        labels:
+          "replicated-by": "capsule"
+      rawItems:
+        - apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: game-demo
+          data:
+            # property-like keys; each key maps to a simple value
+            player_initial_lives: "3"
+            ui_properties_file_name: "user-interface.properties"
--- a/hack/distro/capsule/example-setup/tenants.yaml
+++ b/hack/distro/capsule/example-setup/tenants.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: capsule.clastix.io/v1beta2
+kind: Tenant
+metadata:
+  name: solar
+spec:
+  permissions:
+    matchOwners:
+    - matchLabels:
+        team: platform
+    - matchLabels:
+        tenant: solar
+  owners:
+  - name: alice
+    kind: User
+  additionalRoleBindings:
+  - clusterRoleName: 'view'
+    subjects:
+    - apiGroup: rbac.authorization.k8s.io
+      kind: User
+      name: joe
+---
+apiVersion: capsule.clastix.io/v1beta2
+kind: Tenant
+metadata:
+  name: green
+spec:
+  permissions:
+    matchOwners:
+    - matchLabels:
+        team: devops
+    - matchLabels:
+        tenant: green
+  owners:
+  - name: bob
+    kind: User
+  additionalRoleBindings:
+  - clusterRoleName: 'view'
+    subjects:
+    - apiGroup: rbac.authorization.k8s.io
+      kind: User
+      name: alice
+---
+apiVersion: capsule.clastix.io/v1beta2
+kind: Tenant
+metadata:
+  name: wind
+spec:
+  permissions:
+    matchOwners:
+    - matchLabels:
+        team: devops
+    - matchLabels:
+        tenant: wind
+  owners:
+  - name: joe
+    kind: User
+  additionalRoleBindings:
+  - clusterRoleName: 'view'
+    subjects:
+    - apiGroup: rbac.authorization.k8s.io
+      kind: Group
+      name: wind-users
--- a/hack/distro/capsule/kustomization.yaml
+++ b/hack/distro/capsule/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - release.flux.yaml
--- a/hack/distro/capsule/release.flux.yaml
+++ b/hack/distro/capsule/release.flux.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: capsule
+  namespace: flux-system
+spec:
+  serviceAccountName: kustomize-controller
+  interval: 30s
+  timeout: 10m
+  targetNamespace: capsule-system
+  releaseName: "capsule"
+  chart:
+    spec:
+      chart: capsule
+      version: "0.12.4"
+      sourceRef:
+        kind: HelmRepository
+        name: capsule
+      interval: 24h
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      remediateLastFailure: true
+      retries: -1
+  driftDetection:
+    mode: enabled
+    ignore:
+      - paths: ["/spec/replicas"]
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: capsule
+  namespace: flux-system
+spec:
+  type: "oci"
+  interval: 12h0m0s
+  url: oci://ghcr.io/projectcapsule/charts