feat(helm): introduce new installation and CRD lifecycle (#1065)

* chore: name change for webhook names

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: remove apidocs

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): implement crd lifecycle and values consistency

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: change default group name

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
This commit is contained in:
Oliver Bähler
2024-06-12 19:36:01 +02:00
committed by GitHub
parent 7d78f5f488
commit 9ebbbed785
63 changed files with 2444 additions and 1843 deletions


@@ -22,12 +22,9 @@ jobs:
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with: with:
go-version-file: 'go.mod' go-version-file: 'go.mod'
- run: make installer - run: make manifests
- name: Checking if YAML installer file is not aligned - name: Checking if YAML installer file is not aligned
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
- run: make apidoc
- name: Checking if the CRDs documentation is not aligned
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> CRDs generated documentation have not been committed" && git --no-pager diff && exit 1; fi
- name: Checking if YAML installer generated untracked files - name: Checking if YAML installer generated untracked files
run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)" run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
- name: Checking if source code is not formatted - name: Checking if source code is not formatted
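Review bot: The step name right after the new `- run: make manifests` line still reads `Checking if YAML installer file is not aligned`, and its failure message still says `Untracked generated files`, although the `installer` target that produced the installer YAML is removed from the Makefile in this commit; the check now guards the CRD, RBAC and webhook manifests that `make manifests` regenerates into `charts/capsule/crds`. Rename it so a failing CI run points at the right artefact, e.g. `- name: Checking if generated manifests (CRDs, RBAC, webhooks) are not aligned`, and adjust the later `Checking if YAML installer generated untracked files` step the same way. Since this diff check is now what keeps the chart-bundled CRDs in sync with the Go types, it is worth keeping it a required status check on the branch.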


@@ -44,6 +44,7 @@ release:
- `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}` - `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}`
[Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes)
checksum: checksum:
name_template: 'checksums.txt' name_template: 'checksums.txt'
changelog: changelog:


@@ -52,40 +52,14 @@ manager: generate golint
run: generate manifests run: generate manifests
go run . go run .
# Creates the single file to install Capsule without any external dependency
installer: manifests kustomize
cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG}
$(KUSTOMIZE) build config/default > config/install.yaml
# Install CRDs into a cluster
install: installer
$(KUSTOMIZE) build config/crd | kubectl apply -f -
# Uninstall CRDs from a cluster
uninstall: installer
$(KUSTOMIZE) build config/crd | kubectl delete -f -
# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
deploy: installer
kubectl apply -f config/install.yaml
# Remove controller in the configured Kubernetes cluster in ~/.kube/config
remove: installer
kubectl delete -f config/install.yaml
kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
# Generate manifests e.g. CRD, RBAC etc. # Generate manifests e.g. CRD, RBAC etc.
manifests: controller-gen manifests: controller-gen
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule/crds
# Generate code # Generate code
generate: controller-gen generate: controller-gen
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
apidoc: apidocs-gen
$(APIDOCS_GEN) crdoc --resources config/crd/bases --output docs/content/general/crds-apis.md --template docs/template/reference-cr.tmpl
# Helm # Helm
SRC_ROOT = $(shell git rev-parse --show-toplevel) SRC_ROOT = $(shell git rev-parse --show-toplevel)
@@ -137,7 +111,7 @@ IP.1 = $(LAPTOP_HOST_IP)
endef endef
export TLS_CNF export TLS_CNF
dev-setup: dev-setup:
kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
mkdir -p /tmp/k8s-webhook-server/serving-certs mkdir -p /tmp/k8s-webhook-server/serving-certs
echo "$${TLS_CNF}" > _tls.cnf echo "$${TLS_CNF}" > _tls.cnf
openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \ openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -149,35 +123,19 @@ dev-setup:
rm -f _tls.cnf rm -f _tls.cnf
export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \ export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \ export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \ helm upgrade \
--type='json' -p="[\ --dependency-update \
{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\ --debug \
{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\ --install \
{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\ --namespace capsule-system \
{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\ --create-namespace \
]" && \ --set 'crds.install=true' \
kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \ --set 'crds.exclusive=true'\
--type='json' -p="[\ --set "webhooks.exclusive=true"\
{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\ --set "webhooks.service.url=$${WEBHOOK_URL}" \
{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\ --set "webhooks.service.caBundle=$${CA_BUNDLE}" \
{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\ capsule \
{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\ ./charts/capsule
{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenantresource-objects\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/9/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}\
]" && \
kubectl patch crd tenants.capsule.clastix.io \
--type='json' -p="[\
{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
]" && \
kubectl patch crd capsuleconfigurations.capsule.clastix.io \
--type='json' -p="[\
{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
]";
#################### ####################
# -- Docker # -- Docker
@@ -237,11 +195,6 @@ CONTROLLER_GEN_VERSION := v0.15.0
controller-gen: ## Download controller-gen locally if necessary. controller-gen: ## Download controller-gen locally if necessary.
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION)) $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
APIDOCS_GEN := $(shell pwd)/bin/crdoc
APIDOCS_GEN_VERSION := latest
apidocs-gen: ## Download crdoc locally if necessary.
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
GINKGO := $(shell pwd)/bin/ginkgo GINKGO := $(shell pwd)/bin/ginkgo
GINGKO_VERSION := v2.17.2 GINGKO_VERSION := v2.17.2
ginkgo: ## Download ginkgo locally if necessary. ginkgo: ## Download ginkgo locally if necessary.
@@ -321,11 +274,10 @@ e2e/%: ginkgo
e2e-build/%: e2e-build/%:
kind create cluster --wait=60s --name capsule --image=kindest/node:$* kind create cluster --wait=60s --name capsule --image=kindest/node:$*
make e2e-load-image
make e2e-install make e2e-install
.PHONY: e2e-install .PHONY: e2e-install
e2e-install: e2e-install: e2e-load-image
helm upgrade \ helm upgrade \
--dependency-update \ --dependency-update \
--debug \ --debug \
@@ -337,7 +289,6 @@ e2e-install:
--set "manager.image.tag=$(VERSION)" \ --set "manager.image.tag=$(VERSION)" \
--set 'manager.livenessProbe.failureThreshold=10' \ --set 'manager.livenessProbe.failureThreshold=10' \
--set 'manager.readinessProbe.failureThreshold=10' \ --set 'manager.readinessProbe.failureThreshold=10' \
--set 'podSecurityContext.seccompProfile=null' \
capsule \ capsule \
./charts/capsule ./charts/capsule
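Review bot: In the rewritten `dev-setup` recipe (the target starts in the previous hunk), the two new lines `--set 'crds.exclusive=true'\` and `--set "webhooks.exclusive=true"\` have no space before the continuation backslash, unlike the neighbouring `--set` lines; assuming the rendering preserved trailing whitespace as it did for those, the shell removes the backslash-newline pairs and glues the following `--set` onto the preceding value, so helm receives a single argument beginning `crds.exclusive=true--set` and, as far as I can tell, `webhooks.exclusive` and `webhooks.service.url` are never set — the dev cluster would get CRDs but no webhook configurations pointing at the laptop. Change them to `--set 'crds.exclusive=true' \` and `--set "webhooks.exclusive=true" \`. Separately, the `|| true` added to the `kubectl -n capsule-system scale deployment ...` line in the earlier hunk swallows every failure, including a wrong kube-context or missing permissions, not only the absent-deployment case it presumably targets; a comment naming the failure it is meant to tolerate, e.g. `# tolerate a missing deployment: the operator may not be installed yet when developing against the chart`, would make that intent explicit.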


@@ -38,9 +38,9 @@ annotations:
email: cncf-capsule-maintainers@lists.cncf.io email: cncf-capsule-maintainers@lists.cncf.io
artifacthub.io/links: | artifacthub.io/links: |
- name: Documentation - name: Documentation
url: https://capsule.clastix.io/ url: https://projectcapsule.dev/
# artifacthub.io/changes: | artifacthub.io/changes: |
# - kind: added - kind: added
# description: artifacthub annotations description: bundled crd lifecycle
# - kind: changed - kind: changed
# description: maintainers contact description: removed PodSecurityPolicy support


@@ -16,21 +16,39 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
* A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions. * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
## Quick Start ## Major Changes
In the following sections you see actions which are required when you are upgrading to a specific version.
### Upgrading to 0.7.x
Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
#### Changed Values
The following Values have changed key or Value:
* All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
* `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
* `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
## Installation
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster. The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
1. Add this repository: 1. Add this repository:
$ helm repo add projectcapsule https://projectcapsule.github.io/charts $ helm repo add projectcapsule https://projectcapsule.github.io/charts
2. Install the Chart: 2. Install Capsule:
$ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
or or
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0 -n capsule-system --create-namespace
3. Show the status: 3. Show the status:
@@ -58,7 +76,7 @@ Specify your overrides file when you install the chart:
$ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
The values in your overrides file `myvalues.yaml` will override their counterparts in the charts values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults. The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults.
If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example: If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
@@ -66,6 +84,15 @@ If you only need to make minor customizations, you can specify them on the comma
Here the values you can override: Here the values you can override:
### CustomResourceDefinition Lifecycle
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| crds.annnotations | object | `{}` | Extra Annotations for CRDs |
| crds.exclusive | bool | `false` | Only install the CRDs, no other primitives |
| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
| crds.labels | object | `{}` | Extra Labels for CRDs |
### General Parameters ### General Parameters
| Key | Type | Default | Description | | Key | Type | Default | Description |
@@ -75,28 +102,36 @@ Here the values you can override:
| customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart | | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart | | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
| imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. | | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
| jobs.affinity | object | `{}` | Set affinity rules |
| jobs.annotations | object | `{"helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded"}` | Annotations to add to the certgen job. |
| jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job | | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job | | jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
| jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job | | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
| jobs.image.tag | string | `""` | Set the image tag of the helm chart job | | jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
| mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks | | jobs.nodeSelector | object | `{}` | Set the node selector |
| jobs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
| jobs.priorityClassName | string | `""` | Set a pod priorityClassName |
| jobs.resources | object | `{}` | Job resources |
| jobs.restartPolicy | string | `"Never"` | Set the restartPolicy |
| jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
| jobs.tolerations | list | `[]` | Set list of tolerations |
| jobs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
| jobs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
| nodeSelector | object | `{}` | Set the node selector for the Capsule pod | | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
| podAnnotations | object | `{}` | Annotations to add to the capsule pod. | | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod | | podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
| podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
| priorityClassName | string | `""` | Set the priority class name of the Capsule pod | | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy | | proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
| replicaCount | int | `1` | Set the replica count for capsule pod | | replicaCount | int | `1` | Set the replica count for capsule pod |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container | | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. | | tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. | | tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. | | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
| tolerations | list | `[]` | Set list of tolerations for the Capsule pod | | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod | | topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
| validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
### Manager Parameters ### Manager Parameters
@@ -109,7 +144,7 @@ Here the values you can override:
| manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. | | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
| manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec | | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
| manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups | | manager.options.capsuleUserGroups | list | `["projectcapsule.dev"]` | Override the Capsule user groups |
| manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash | | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
| manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator | | manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
| manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 | | manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 |
@@ -137,42 +172,50 @@ Here the values you can override:
| serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) | | serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
| serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor | | serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
### Webhook Parameters ### Webhooks Parameters
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| webhooks.cordoning.failurePolicy | string | `"Fail"` | | | webhooks.exclusive | bool | `false` | When `crds.exclusive` is `true` the webhooks will be installed |
| webhooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` | |
| webhooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.defaults.ingress.failurePolicy | string | `"Fail"` | | | webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.defaults.ingress.failurePolicy | string | `"Fail"` | |
| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.defaults.pods.failurePolicy | string | `"Fail"` | | | webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.defaults.pods.failurePolicy | string | `"Fail"` | |
| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.defaults.pvc.failurePolicy | string | `"Fail"` | | | webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.defaults.pvc.failurePolicy | string | `"Fail"` | |
| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.ingresses.failurePolicy | string | `"Fail"` | | | webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.ingresses.failurePolicy | string | `"Fail"` | |
| webhooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` | | | webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.namespaces.failurePolicy | string | `"Fail"` | | | webhooks.hooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` | |
| webhooks.networkpolicies.failurePolicy | string | `"Fail"` | | | webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` | |
| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` | |
| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.nodes.failurePolicy | string | `"Fail"` | | | webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` | | | webhooks.hooks.nodes.failurePolicy | string | `"Fail"` | |
| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` | |
| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.pods.failurePolicy | string | `"Fail"` | | | webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.pods.failurePolicy | string | `"Fail"` | |
| webhooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.services.failurePolicy | string | `"Fail"` | | | webhooks.hooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | | webhooks.hooks.services.failurePolicy | string | `"Fail"` | |
| webhooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | | webhooks.hooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | | | webhooks.hooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.tenants.failurePolicy | string | `"Fail"` | | | webhooks.hooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.tenants.failurePolicy | string | `"Fail"` | |
| webhooks.mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
| webhooks.service.caBundle | string | `""` | CABundle for the webhook service |
| webhooks.service.name | string | `""` | Custom service name for the webhook service |
| webhooks.service.namespace | string | `""` | Custom service namespace for the webhook service |
| webhooks.service.port | string | `nil` | Custom service port for the webhook service |
| webhooks.service.url | string | `""` | The URL where the capsule webhook services are running (Overwrites cluster scoped service definition) |
| webhooks.validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
## Created resources ## Created resources


@@ -16,21 +16,40 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
* A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions. * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
## Quick Start ## Major Changes
In the following sections you see actions which are required when you are upgrading to a specific version.
### Upgrading to 0.7.x
Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
#### Changed Values
The following Values have changed key or Value:
* All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
* `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
* `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
## Installation
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster. The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
1. Add this repository: 1. Add this repository:
$ helm repo add projectcapsule https://projectcapsule.github.io/charts $ helm repo add projectcapsule https://projectcapsule.github.io/charts
2. Install the Chart: 2. Install Capsule:
$ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
or or
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0 -n capsule-system --create-namespace
3. Show the status: 3. Show the status:
@@ -58,7 +77,7 @@ Specify your overrides file when you install the chart:
$ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
The values in your overrides file `myvalues.yaml` will override their counterparts in the charts values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults. The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults.
If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example: If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
@@ -66,13 +85,23 @@ If you only need to make minor customizations, you can specify them on the comma
Here the values you can override: Here the values you can override:
### CustomResourceDefinition Lifecycle
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if (hasPrefix "crds" .Key) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
### General Parameters ### General Parameters
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
{{- range .Values }} {{- range .Values }}
{{- if not (or (hasPrefix "manager" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }} {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }} {{- end }}
{{- end }} {{- end }}
@@ -97,7 +126,7 @@ Here the values you can override:
{{- end }} {{- end }}
{{- end }} {{- end }}
### Webhook Parameters ### Webhooks Parameters
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|


@@ -0,0 +1,14 @@
metadata:
annotations:
{{- if $.Values.certManager.generateCertificates }}
cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert
{{- end }}
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
conversionReviewVersions:
- v1beta1
- v1beta2
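Review bot: The conversion `clientConfig` rendered by the `include "capsule.webhooks.service"` line never sets `caBundle`, so when `certManager.generateCertificates` is false the API server has to obtain trust for the webhook's serving certificate through some other path — presumably the TLS reconciler toggled by `enableTLSReconciler` in CapsuleConfiguration, but nothing in this file says so, and until a CA is present every `/convert` call for the non-storage served version is rejected. Make the dependency explicit at the top of the file, e.g. `{{- /* caBundle is injected by cert-manager via inject-ca-from; otherwise the Capsule TLS reconciler must patch it into this CRD */ -}}`. Separately, `conversionReviewVersions` lists `ConversionReview` API versions, not CRD versions; as far as I know only `v1` and `v1beta1` exist, so `v1beta2` is silently ignored and the list should read `- v1` / `- v1beta1` (conversion still works today only because `v1beta1` is present). Also note that when the `if` is false the bare `annotations:` key renders as a null map, which is worth checking against however this patch is merged, since a null map can clear existing annotations in a `mergeOverwrite`-style merge.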


@@ -0,0 +1,132 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: capsuleconfigurations.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: CapsuleConfiguration
listKind: CapsuleConfigurationList
plural: capsuleconfigurations
singular: capsuleconfiguration
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: CapsuleConfiguration is the Schema for the Capsule configuration
API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: CapsuleConfigurationSpec defines the Capsule configuration.
properties:
enableTLSReconciler:
default: true
description: |-
Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
type: boolean
forceTenantPrefix:
default: false
description: |-
Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
type: boolean
nodeMetadata:
description: |-
Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
properties:
forbiddenAnnotations:
description: Define the annotations that a Tenant Owner cannot
set for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
forbiddenLabels:
description: Define the labels that a Tenant Owner cannot set
for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
required:
- forbiddenAnnotations
- forbiddenLabels
type: object
overrides:
default:
TLSSecretName: capsule-tls
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
description: |-
Allows to set different name rather than the canonical one for the Capsule configuration objects,
such as webhook secret or configurations.
properties:
TLSSecretName:
default: capsule-tls
description: |-
Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is deployed.
type: string
mutatingWebhookConfigurationName:
default: capsule-mutating-webhook-configuration
description: Name of the MutatingWebhookConfiguration which contains
the dynamic admission controller paths and resources.
type: string
validatingWebhookConfigurationName:
default: capsule-validating-webhook-configuration
description: Name of the ValidatingWebhookConfiguration which
contains the dynamic admission controller paths and resources.
type: string
required:
- TLSSecretName
- mutatingWebhookConfigurationName
- validatingWebhookConfigurationName
type: object
protectedNamespaceRegex:
description: Disallow creation of namespaces, whose name matches this
regexp
type: string
userGroups:
default:
- capsule.clastix.io
description: Names of the groups for Capsule users.
items:
type: string
type: array
required:
- enableTLSReconciler
type: object
type: object
served: true
storage: true


@@ -0,0 +1,298 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: GlobalTenantResource
listKind: GlobalTenantResourceList
plural: globaltenantresources
singular: globaltenantresource
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: GlobalTenantResource allows to propagate resource replications
to a specific subset of Tenant resources.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
properties:
pruningOnDelete:
default: true
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other
Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
tenantSelector:
description: Defines the Tenant selector used target the tenants on
which resources must be propagated.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- resources
- resyncPeriod
type: object
status:
description: GlobalTenantResourceStatus defines the observed state of
GlobalTenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind
- name
- namespace
type: object
type: array
selectedTenants:
description: List of Tenants addressed by the GlobalTenantResource.
items:
type: string
type: array
required:
- processedItems
- selectedTenants
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,246 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: TenantResource
listKind: TenantResourceList
plural: tenantresources
singular: tenantresource
scope: Namespaced
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: |-
TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace.
The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
For such cases, the GlobalTenantResource must be used.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TenantResourceSpec defines the desired state of TenantResource.
properties:
pruningOnDelete:
default: true
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other
Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
required:
- resources
- resyncPeriod
type: object
status:
description: TenantResourceStatus defines the observed state of TenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind
- name
- namespace
type: object
type: array
required:
- processedItems
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,14 @@
metadata:
annotations:
{{- if $.Values.certManager.generateCertificates }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
{{- end }}
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
conversionReviewVersions:
- v1beta1
- v1beta2
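Review bot: `.Release.Namespace` and `include "capsule.fullname" .` on the `inject-ca-from` line use the current dot while the surrounding lines (`$.Values.certManager.generateCertificates`, `"ctx" $`) use the root context; if this fragment is ever rendered inside a `range` or `with` the two resolve differently and the annotation can point cert-manager at the wrong namespace or name, which would leave the conversion webhook without a trusted CA. Use the root consistently: `cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert`. This file is otherwise identical to the other conversion patch added in this commit, so a single named template (or one patch applied to each CRD) would keep the two from drifting — the mixed context here is exactly that drift.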


@@ -1,119 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
name: capsuleconfigurations.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: capsule-webhook-service
namespace: capsule-system
path: /convert
conversionReviewVersions:
- v1beta1
- v1beta2
group: capsule.clastix.io
names:
kind: CapsuleConfiguration
listKind: CapsuleConfigurationList
plural: capsuleconfigurations
singular: capsuleconfiguration
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: CapsuleConfiguration is the Schema for the Capsule configuration API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: CapsuleConfigurationSpec defines the Capsule configuration.
properties:
enableTLSReconciler:
default: true
description: Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
type: boolean
forceTenantPrefix:
default: false
description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
type: boolean
nodeMetadata:
description: Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant. This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
properties:
forbiddenAnnotations:
description: Define the annotations that a Tenant Owner cannot set for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
forbiddenLabels:
description: Define the labels that a Tenant Owner cannot set for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
required:
- forbiddenAnnotations
- forbiddenLabels
type: object
overrides:
default:
TLSSecretName: capsule-tls
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
description: Allows to set different name rather than the canonical one for the Capsule configuration objects, such as webhook secret or configurations.
properties:
TLSSecretName:
default: capsule-tls
description: Defines the Secret name used for the webhook server. Must be in the same Namespace where the Capsule Deployment is deployed.
type: string
mutatingWebhookConfigurationName:
default: capsule-mutating-webhook-configuration
description: Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
type: string
validatingWebhookConfigurationName:
default: capsule-validating-webhook-configuration
description: Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
type: string
required:
- TLSSecretName
- mutatingWebhookConfigurationName
- validatingWebhookConfigurationName
type: object
protectedNamespaceRegex:
description: Disallow creation of namespaces, whose name matches this regexp
type: string
userGroups:
default:
- capsule.clastix.io
description: Names of the groups for Capsule users.
items:
type: string
type: array
required:
- enableTLSReconciler
type: object
type: object
served: true
storage: true


@@ -1,222 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: GlobalTenantResource
listKind: GlobalTenantResourceList
plural: globaltenantresources
singular: globaltenantresource
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
properties:
pruningOnDelete:
default: true
description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
selector:
description: Label selector used to select the given resources in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
tenantSelector:
description: Defines the Tenant selector used target the tenants on which resources must be propagated.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- resources
- resyncPeriod
type: object
status:
description: GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
required:
- kind
- name
- namespace
type: object
type: array
selectedTenants:
description: List of Tenants addressed by the GlobalTenantResource.
items:
type: string
type: array
required:
- processedItems
- selectedTenants
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -1,185 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: TenantResource
listKind: TenantResourceList
plural: tenantresources
singular: tenantresource
scope: Namespaced
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace. The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces. For such cases, the GlobalTenantResource must be used.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TenantResourceSpec defines the desired state of TenantResource.
properties:
pruningOnDelete:
default: true
description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
selector:
description: Label selector used to select the given resources in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
required:
- resources
- resyncPeriod
type: object
status:
description: TenantResourceStatus defines the observed state of TenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
required:
- kind
- name
- namespace
type: object
type: array
required:
- processedItems
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -125,3 +125,32 @@ Create the Capsule TLS Secret name to use
{{- define "capsule.secretTlsName" -}} {{- define "capsule.secretTlsName" -}}
{{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }} {{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }}
{{- end }} {{- end }}
{{/*
Capsule Webhook service (Called with $.Path)
*/}}
{{- define "capsule.webhooks.service" -}}
{{- include "capsule.webhooks.cabundle" $.ctx | nindent 0 }}
{{- if $.ctx.Values.webhooks.service.url }}
url: {{ printf "%s/%s" (trimSuffix "/" $.ctx.Values.webhooks.service.url ) (trimPrefix "/" (required "Path is required for the function" $.path)) }}
{{- else }}
service:
name: {{ default (printf "%s-webhook-service" (include "capsule.fullname" $.ctx)) $.ctx.Values.webhooks.service.name }}
namespace: {{ default $.ctx.Release.Namespace $.ctx.Values.webhooks.service.namespace }}
port: {{ default 443 $.ctx.Values.webhooks.service.port }}
path: {{ required "Path is required for the function" $.path }}
{{- end }}
{{- end }}
{{/*
Capsule Webhook endpoint CA Bundle
*/}}
{{- define "capsule.webhooks.cabundle" -}}
{{- if $.Values.webhooks.service.caBundle -}}
caBundle: {{ $.Values.webhooks.service.caBundle -}}
{{- end -}}
{{- end -}}
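Review bot: The header comment `Capsule Webhook service (Called with $.Path)` does not say what the `url` branch means for trust, and it names the parameter `$.Path` while the code reads `$.path`. When `webhooks.service.url` is set and `webhooks.service.caBundle` is empty, `capsule.webhooks.cabundle` emits nothing, so the API server validates the external endpoint against its own system trust roots; the `caBundle: Cg==` placeholder the old inline blocks wrote is gone as well. Suggest the comment read `Capsule Webhook clientConfig; called with (dict "path" <path> "ctx" $). When .Values.webhooks.service.url is set, set .Values.webhooks.service.caBundle too, otherwise the apiserver falls back to its system trust roots.`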


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
{{- if .Values.certManager.generateCertificates }} {{- if .Values.certManager.generateCertificates }}
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
@@ -34,3 +35,4 @@ spec:
organizations: organizations:
- clastix.io - clastix.io
{{- end }} {{- end }}
{{- end }}
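Review bot: With `crds.exclusive` set and `crds.install` left false, every template visible in this commit renders empty — this Issuer, the TLS Secret, CapsuleConfiguration, DaemonSet, Deployment, Service and the pre-delete Job are all guarded by `{{- if not $.Values.crds.exclusive }}`, the webhook configuration additionally needs `webhooks.exclusive`, and the CRD hook is gated on `crds.install` — so the release installs nothing and prints no message. A single early check such as `{{- if and .Values.crds.exclusive (not .Values.crds.install) }}{{- fail "crds.exclusive requires crds.install" }}{{- end }}` would turn that combination into an error. The same guard appears in the later hunks for the secret, configuration, daemonset, deployment and service; raising it once here.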


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }} {{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@@ -10,3 +11,4 @@ metadata:
{{- end }} {{- end }}
name: {{ include "capsule.secretTlsName" . }} name: {{ include "capsule.secretTlsName" . }}
{{- end }} {{- end }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
apiVersion: capsule.clastix.io/v1beta2 apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration kind: CapsuleConfiguration
metadata: metadata:
@@ -24,3 +25,4 @@ spec:
nodeMetadata: nodeMetadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- end }}


@@ -0,0 +1,20 @@
{{- define "capsule.crds.name" -}}
{{- printf "%s-crds" (include "capsule.name" $) -}}
{{- end }}
{{- define "capsule.crds.annotations" -}}
"helm.sh/hook": "pre-install,pre-upgrade"
{{- with $.Values.jobs.annotations }}
{{- . | toYaml | nindent 0 }}
{{- end }}
{{- end }}
{{- define "capsule.crds.component" -}}
crd-install-hook
{{- end }}
{{- define "capsule.crds.regexReplace" -}}
{{- printf "%s" ($ | base | trimSuffix ".yaml" | regexReplaceAll "[_.]" "-") -}}
{{- end }}
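Review bot: `capsule.crds.regexReplace` is defined here but never used; the ConfigMap and Job templates in the next hunks derive their names inline with `$path | base | trimSuffix ".yaml" | regexFind "[^_]+$"` at four sites. The inline form keeps only the text after the last `_`, so two CRD files sharing a kind name under different groups would produce the same ConfigMap and volume name, and a file name without `_` but with dots would yield a volume name that is not a valid DNS label; the helper's `regexReplaceAll "[_.]" "-"` avoids both. Either call the helper at those four sites or drop it as dead code.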


@@ -0,0 +1,56 @@
{{/* CustomResources Lifecycle */}}
{{- if $.Values.crds.install }}
{{ range $path, $_ := .Files.Glob "crds/**.yaml" }}
{{- with $ }}
{{- $content := (tpl (.Files.Get $path) $) -}}
{{- $p := (fromYaml $content) -}}
{{- if $p.Error }}
{{- fail (printf "found YAML error in file %s - %s - raw:\n\n%s" $path $p.Error $content) -}}
{{- end -}}
{{/* Add Common Lables */}}
{{- $_ := set $p.metadata "labels" (mergeOverwrite (default dict (get $p.metadata "labels")) (default dict $.Values.crds.labels) (fromYaml (include "capsule.labels" $))) -}}
{{/* Add Common Lables */}}
{{- $_ := set $p.metadata "annotations" (mergeOverwrite (default dict (get $p.metadata "annotations")) (default dict $.Values.crds.annotations)) -}}
{{/* Add Keep annotation to CRDs */}}
{{- if $.Values.crds.keep }}
{{- $_ := set $p.metadata.annotations "helm.sh/resource-policy" "keep" -}}
{{- end }}
{{/* Add Spec Patches for the CRD */}}
{{- $patchFile := $path | replace ".yaml" ".patch" }}
{{- $patchRawContent := (tpl (.Files.Get $patchFile) $) -}}
{{- if $patchRawContent -}}
{{- $patchContent := (fromYaml $patchRawContent) -}}
{{- if $patchContent.Error }}
{{- fail (printf "found YAML error in patch file %s - %s - raw:\n\n%s" $patchFile $patchContent.Error $patchRawContent) -}}
{{- end -}}
{{- $tmp := deepCopy $p | mergeOverwrite $patchContent -}}
{{- $p = $tmp -}}
{{- end -}}
{{- if $p }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capsule.crds.name" . }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-5"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
data:
content: |
{{- printf "---\n%s" (toYaml $p) | nindent 4 }}
{{- end }}
{{ end }}
{{- end }}
{{- end }}
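Review bot: The comment before the annotations merge, `{{/* Add Common Lables */}}`, is a copy of the one above it and describes the wrong line, and both misspell "labels"; change them to `{{/* Add common labels */}}` and `{{/* Add common annotations */}}`. The `set $p.metadata …` calls presumably abort the render with a template type error if a globbed file parses to a document without `metadata` (an empty file, for instance); a `{{- if not $p.metadata }}{{- fail (printf "no metadata in %s" $path) }}{{- end }}` ahead of them would give a readable message, matching the `Error` checks already done on the `fromYaml` results.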


@@ -0,0 +1,96 @@
{{- if .Values.crds.install }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-1"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
spec:
{{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
name: "{{ include "capsule.crds.name" . }}"
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $.Values.jobs.restartPolicy }}
{{- with $.Values.jobs.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capsule.crds.name" . }}
containers:
- name: crds-hook
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
{{- with $.Values.jobs.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
command:
- sh
- -c
- |
set -o errexit ; set -o xtrace ; set -o nounset
# piping stderr to stdout means kubectl's errors are surfaced
# in the pod's logs.
kubectl apply --server-side=true --overwrite=true --force-conflicts=true -f /data/ 2>&1
volumeMounts:
{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
- name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
mountPath: /data/{{ $path | base }}
subPath: {{ $path | base }}
{{- end }}
{{- with .Values.jobs.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
volumes:
{{ $currentScope := . }}
{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
{{- with $currentScope }}
- name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
configMap:
name: {{ include "capsule.crds.name" $ }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
items:
- key: content
path: {{ $path | base }}
{{- end }}
{{- end }}
restartPolicy: Never
backoffLimit: 4
{{- end }}
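Review bot: `restartPolicy` is set twice in the same pod spec — `restartPolicy: {{ $.Values.jobs.restartPolicy }}` right under `spec:` and `restartPolicy: Never` after the volumes list; which one wins depends on the YAML decoder, and strict decoders reject the duplicate key, so keep only the templated line. The pre-delete and post-install Jobs in later hunks set it once, so this file is also the odd one out stylistically.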


@@ -0,0 +1,52 @@
{{- if .Values.crds.install }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- jobs
verbs:
- create
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- delete
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "capsule.crds.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
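Review bot: The ClusterRole's first rule grants `create`/`delete` on `jobs` in the core apiGroup (`""`), but Jobs live in the `batch` group and the hook container only runs `kubectl apply` against CRDs, so the rule grants nothing useful and can be dropped. On the CRD rule, `delete` is not exercised by server-side apply either; `create`, `get` and `patch` cover what the hook does, and trimming to those keeps the ServiceAccount's cluster-wide privilege minimal. `namespace:` in the metadata of ClusterRole and ClusterRoleBinding is meaningless for cluster-scoped kinds and only misleads readers. Since no `helm.sh/hook-delete-policy` is set, this binding stays in place between hook runs.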


@@ -0,0 +1,14 @@
{{- if .Values.crds.install }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-4"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
{{- if eq .Values.manager.kind "DaemonSet" }} {{- if eq .Values.manager.kind "DaemonSet" }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
@@ -91,3 +92,4 @@ spec:
securityContext: securityContext:
{{- toYaml .Values.securityContext | nindent 12 }} {{- toYaml .Values.securityContext | nindent 12 }}
{{- end }} {{- end }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
{{- if eq .Values.manager.kind "Deployment" }} {{- if eq .Values.manager.kind "Deployment" }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@@ -92,3 +93,4 @@ spec:
securityContext: securityContext:
{{- toYaml .Values.securityContext | nindent 12 }} {{- toYaml .Values.securityContext | nindent 12 }}
{{- end }} {{- end }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
@@ -18,3 +19,4 @@ spec:
{{- include "capsule.selectorLabels" . | nindent 4 }} {{- include "capsule.selectorLabels" . | nindent 4 }}
sessionAffinity: None sessionAffinity: None
type: ClusterIP type: ClusterIP
{{- end }}


@@ -1,3 +1,4 @@
{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }}
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
@@ -12,19 +13,13 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
webhooks: webhooks:
{{- with .Values.webhooks.defaults.pods }} {{- with .Values.webhooks.hooks.defaults.pods }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
clientConfig: clientConfig:
{{- if not $.Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" $ }}-webhook-service
namespace: {{ $.Release.Namespace }}
path: /defaults
failurePolicy: {{ .failurePolicy }} failurePolicy: {{ .failurePolicy }}
name: pod.defaults.capsule.clastix.io name: pod.defaults.projectcapsule.dev
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
@@ -37,20 +32,15 @@ webhooks:
namespaceSelector: namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }} {{- end }}
{{- with .Values.webhooks.defaults.pvc }} {{- with .Values.webhooks.hooks.defaults.pvc }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
clientConfig: clientConfig:
{{- if not $.Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" $ }}-webhook-service
namespace: {{ $.Release.Namespace }}
path: /defaults
failurePolicy: {{ .failurePolicy }} failurePolicy: {{ .failurePolicy }}
name: storage.defaults.capsule.clastix.io name: storage.defaults.projectcapsule.dev
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
@@ -63,20 +53,15 @@ webhooks:
namespaceSelector: namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }} {{- end }}
{{- with .Values.webhooks.defaults.ingress }} {{- with .Values.webhooks.hooks.defaults.ingress }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
clientConfig: clientConfig:
{{- if not $.Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" $ }}-webhook-service
namespace: {{ $.Release.Namespace }}
path: /defaults
failurePolicy: {{ .failurePolicy }} failurePolicy: {{ .failurePolicy }}
name: ingress.defaults.capsule.clastix.io name: ingress.defaults.projectcapsule.dev
rules: rules:
- apiGroups: - apiGroups:
- networking.k8s.io - networking.k8s.io
@@ -91,22 +76,17 @@ webhooks:
namespaceSelector: namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }} {{- end }}
{{- with .Values.webhooks.hooks.namespaceOwnerReference }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /namespace-owner-reference
port: 443
failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }}
matchPolicy: Equivalent matchPolicy: Equivalent
name: owner.namespace.capsule.clastix.io name: owner.namespace.projectcapsule.dev
namespaceSelector: {} namespaceSelector: {}
objectSelector: {} objectSelector: {}
reinvocationPolicy: Never reinvocationPolicy: Never
@@ -122,4 +102,6 @@ webhooks:
- namespaces - namespaces
scope: '*' scope: '*'
sideEffects: NoneOnDryRun sideEffects: NoneOnDryRun
timeoutSeconds: {{ .Values.mutatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
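Review bot: The `timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}` line is removed from the pods, pvc and ingress defaults webhooks but kept on the namespace-owner-reference webhook, so the first three now fall back to the API server's default (10 seconds) whatever the value is set to. If that is intended, the value's description should say it only applies to the owner-reference hook; otherwise re-add the line after `sideEffects: None` in each of the three blocks.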


@@ -1,58 +0,0 @@
{{- if .Values.podSecurityPolicy.enabled }}
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: {{ include "capsule.fullname" . }}
labels:
{{- include "capsule.labels" . | nindent 4 }}
{{- with .Values.customAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
fsGroup:
rule: RunAsAny
hostPorts:
- max: 0
min: 0
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "capsule.fullname" . }}-use-psp
labels:
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- {{ include "capsule.fullname" . }}
verbs:
- use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "capsule.fullname" . }}-use-psp
labels:
{{- include "capsule.labels" . | nindent 4 }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "capsule.fullname" . }}-use-psp
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "capsule.serviceAccountName" . }}
{{- end }}


@@ -1,55 +0,0 @@
{{- if .Values.tls.create }}
{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretTlsName" .) -}}
{{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
{{- $cmd = printf "%s done" $cmd -}}
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-waiting-certs"
labels:
{{- include "capsule.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded
{{- with .Values.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: post-install-job
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
command: ["sh", "-c", "{{ $cmd }}"]
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
serviceAccountName: {{ include "capsule.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -0,0 +1,15 @@
{{- define "capsule.post-install.name" -}}
{{- printf "%s-post-install" (include "capsule.name" $) -}}
{{- end }}
{{- define "capsule.post-install.annotations" -}}
"helm.sh/hook": post-install
{{- with $.Values.jobs.annotations }}
{{- . | toYaml | nindent 0 }}
{{- end }}
{{- end }}
{{- define "capsule.post-install.component" -}}
post-install-hook
{{- end }}


@@ -0,0 +1,78 @@
{{- if .Values.tls.create }}
{{- if not $.Values.crds.exclusive }}
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ include "capsule.post-install.name" . }}"
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
annotations:
"helm.sh/hook-weight": "-1"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
{{- with .Values.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $.Values.jobs.restartPolicy }}
{{- with $.Values.jobs.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capsule.post-install.name" . }}
containers:
- name: post-install
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
command:
- "sh"
- "-c"
- |
set -o errexit ; set -o nounset
while [ -z $(kubectl -n $NAMESPACE get secret {{ include "capsule.secretTlsName" $ }} -o jsonpath='{.data.tls\.crt}') ]; do
echo 'waiting Capsule to be up and running...' && sleep 5;
done
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with $.Values.jobs.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.jobs.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
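Review bot: This Job omits the `ttlSecondsAfterFinished` block that the crds and pre-delete Jobs render from `.Values.jobs.ttlSecondsAfterFinished`, so finished post-install pods linger; add `{{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}` / `ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}` / `{{- end }}` directly under `spec:` as the other two do. The wait loop has no upper bound and the Job sets no `activeDeadlineSeconds`, so a release whose TLS secret never appears leaves a pod looping indefinitely. Quoting the substitution, `while [ -z "$(kubectl … )" ]`, keeps the test well-formed should the output ever contain whitespace.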


@@ -0,0 +1,44 @@
{{- if .Values.tls.create }}
{{- if not $.Values.crds.exclusive }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "capsule.post-install.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
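Review bot: The Role grants `get` on every Secret in the release namespace, while the post-install script only polls the one named by `capsule.secretTlsName`; scope the rule with `resourceNames:` / `- {{ include "capsule.secretTlsName" . }}` so the hook's ServiceAccount cannot read other secrets in that namespace. `get` is resource-name scopable, so the wait loop keeps working unchanged. As with the other hooks, no `helm.sh/hook-delete-policy` is set, so the binding persists after the job completes.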


@@ -0,0 +1,15 @@
{{- if .Values.tls.create }}
{{- if not $.Values.crds.exclusive }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook-weight": "-4"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
{{- end }}
{{- end }}


@@ -1,56 +0,0 @@
{{- $cmd := ""}}
{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
{{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) -}}
{{- end }}
{{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}
{{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}}
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-rbac-cleaner"
labels:
{{- include "capsule.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded
{{- with .Values.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: pre-delete-job
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
command: [ "sh", "-c", "{{ $cmd }}"]
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
serviceAccountName: {{ include "capsule.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}


@@ -0,0 +1,15 @@
{{- define "capsule.pre-delete.name" -}}
{{- printf "%s-pre-delete" (include "capsule.name" $) -}}
{{- end }}
{{- define "capsule.pre-delete.annotations" -}}
"helm.sh/hook": pre-delete
{{- with $.Values.jobs.annotations }}
{{- . | toYaml | nindent 0 }}
{{- end }}
{{- end }}
{{- define "capsule.pre-delete.component" -}}
pre-delete-hook
{{- end }}


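--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,82 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: "{{ include "capsule.pre-delete.name" $ }}"
+labels:
+app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+{{- include "capsule.labels" . | nindent 4 }}
+annotations:
+"helm.sh/hook-weight": "-1"
+{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+{{- with .Values.customAnnotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
+ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
+{{- end }}
+template:
+metadata:
+labels:
+app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+{{- include "capsule.selectorLabels" . | nindent 8 }}
+spec:
+restartPolicy: {{ $.Values.jobs.restartPolicy }}
+{{- with $.Values.jobs.podSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.jobs.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.jobs.affinity }}
+affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.jobs.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.jobs.topologySpreadConstraints }}
+topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.jobs.priorityClassName }}
+priorityClassName: {{ . }}
+{{- end }}
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+serviceAccountName: {{ include "capsule.pre-delete.name" . }}
+containers:
+- name: pre-delete-job
+image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
+command:
+- "/bin/sh"
+- "-c"
+- |
+set -o errexit ; set -o xtrace ; set -o nounset
+{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
+kubectl delete secret -n $NAMESPACE {{ include "capsule.secretTlsName" $ }} --ignore-not-found
+{{- end }}
+kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
+kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
+env:
+- name: NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+{{- with $.Values.jobs.securityContext }}
+securityContext:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.jobs.resources }}
+resources:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- end }}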
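Review bot: The guard `{{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}` compares against a float, which works for values loaded from a YAML file (Helm decodes those numbers as float64) but should fail with an "incompatible types for comparison" template error when the value is given as an integer, e.g. `--set jobs.ttlSecondsAfterFinished=120`; normalising first covers both cases: `{{- if ge (int .Values.jobs.ttlSecondsAfterFinished) 0 }}`. The cleanup script itself is in good shape: `set -o nounset` protects the `-n $NAMESPACE` argument from expanding to nothing, and `--ignore-not-found` keeps the hook idempotent on a partially removed release. A one-line comment above `command:` stating that the job's permissions are bounded by the pre-delete Role/ClusterRole (delete only on the named TLS secret and the two named cluster roles) would help anyone auditing the hook's blast radius.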


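--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,90 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "capsule.pre-delete.name" . }}
+namespace: {{ .Release.Namespace | quote }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-3"
+{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+{{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+- rbac.authorization.k8s.io
+resourceNames:
+- capsule-namespace-deleter
+- capsule-namespace-provisioner
+resources:
+- clusterroles
+- clusterrolebindings
+verbs:
+- delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: {{ include "capsule.pre-delete.name" . }}
+namespace: {{ .Release.Namespace | quote }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-3"
+{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+{{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- delete
+resourceNames:
+- {{ include "capsule.secretTlsName" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ include "capsule.pre-delete.name" . }}
+namespace: {{ .Release.Namespace | quote }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-2"
+{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+{{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: {{ include "capsule.pre-delete.name" . }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "capsule.pre-delete.name" . }}
+namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ include "capsule.pre-delete.name" . }}
+namespace: {{ .Release.Namespace | quote }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-2"
+{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+{{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: {{ include "capsule.pre-delete.name" . }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "capsule.pre-delete.name" . }}
+namespace: {{ .Release.Namespace | quote }}
+{{- end }}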
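Review bot: The ClusterRole and the ClusterRoleBinding carry `namespace: {{ .Release.Namespace | quote }}` in `metadata` although both kinds are cluster-scoped; the API server discards the field, but it misleads readers and trips manifest linters, so those two lines should be dropped. The Role granting `delete` on the TLS secret is rendered unconditionally, while the Job only deletes that secret when `tls.create` or `certManager.generateCertificates` is set; wrapping the Role and RoleBinding in the same `{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}` keeps the hook ServiceAccount free of a permission it never uses. The `resourceNames` scoping on both rules is the right least-privilege shape for a cleanup hook and deserves a one-line comment so it survives future edits, e.g. `# limited to the exact objects the pre-delete job removes; widen deliberately, never to '*'`.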


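--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,14 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "capsule.pre-delete.name" . }}
+namespace: {{ $.Release.Namespace }}
+annotations:
+"helm.sh/hook-weight": "-4"
+{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+{{- include "capsule.labels" . | nindent 4 }}
+{{- end }}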
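Review bot: `namespace: {{ $.Release.Namespace }}` is rendered unquoted here while the sibling pre-delete templates use `{{ .Release.Namespace | quote }}` for the same field; picking one form keeps the hook manifests uniform. The ordering comment the RBAC template carries (`# create hook dependencies in the right order`) is also worth repeating above `"helm.sh/hook-weight": "-4"`, since this ServiceAccount must exist before the bindings at weight -2 reference it and the weight is the only thing guaranteeing that.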


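--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 {{- if $.Values.manager.rbac.create }}
 ---
 kind: ClusterRoleBinding
@@ -61,3 +62,4 @@ subjects:
 name: {{ include "capsule.serviceAccountName" $ }}
 namespace: {{ $.Release.Namespace }}
 {{- end }}
+{{- end }}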


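--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
@@ -10,3 +11,4 @@ metadata:
 {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
 {{- end }}
 {{- end }}
+{{- end }}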


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
{{- if .Values.serviceMonitor.enabled }} {{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
@@ -44,4 +45,5 @@ spec:
matchNames: matchNames:
- {{ .Release.Namespace }} - {{ .Release.Namespace }}
{{- end }} {{- end }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }}
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
metadata: metadata:
@@ -12,23 +13,17 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
webhooks: webhooks:
{{- with .Values.webhooks.hooks.cordoning }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/cordoning" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /cordoning
port: 443
failurePolicy: {{ .Values.webhooks.cordoning.failurePolicy }}
matchPolicy: Equivalent matchPolicy: Equivalent
name: cordoning.tenant.capsule.clastix.io name: cordoning.tenant.projectcapsule.dev
namespaceSelector: namespaceSelector:
{{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {} objectSelector: {}
rules: rules:
- apiGroups: - apiGroups:
@@ -43,24 +38,19 @@ webhooks:
- '*' - '*'
scope: Namespaced scope: Namespaced
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.ingresses }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/ingresses" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /ingresses
port: 443
failurePolicy: {{ .Values.webhooks.ingresses.failurePolicy }}
matchPolicy: Equivalent matchPolicy: Equivalent
name: ingress.capsule.clastix.io name: ingress.projectcapsule.dev
namespaceSelector: namespaceSelector:
{{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {} objectSelector: {}
rules: rules:
- apiGroups: - apiGroups:
@@ -76,22 +66,17 @@ webhooks:
- ingresses - ingresses
scope: Namespaced scope: Namespaced
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{ with .Values.webhooks.hooks.namespaces }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/namespaces" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /namespaces
port: 443
failurePolicy: {{ .Values.webhooks.namespaces.failurePolicy }}
matchPolicy: Equivalent matchPolicy: Equivalent
name: namespaces.capsule.clastix.io name: namespaces.projectcapsule.dev
namespaceSelector: {} namespaceSelector: {}
objectSelector: {} objectSelector: {}
rules: rules:
@@ -107,24 +92,19 @@ webhooks:
- namespaces - namespaces
scope: '*' scope: '*'
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.networkpolicies }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/networkpolicies" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /networkpolicies
port: 443
failurePolicy: {{ .Values.webhooks.networkpolicies.failurePolicy }}
matchPolicy: Equivalent matchPolicy: Equivalent
name: networkpolicies.capsule.clastix.io name: networkpolicies.projectcapsule.dev
namespaceSelector: namespaceSelector:
{{- toYaml .Values.webhooks.networkpolicies.namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {} objectSelector: {}
rules: rules:
- apiGroups: - apiGroups:
@@ -138,21 +118,16 @@ webhooks:
- networkpolicies - networkpolicies
scope: Namespaced scope: Namespaced
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.nodes }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/nodes" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }} name: nodes.projectcapsule.dev
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /nodes
port: 443
failurePolicy: {{ .Values.webhooks.nodes.failurePolicy }}
name: nodes.capsule.clastix.io
matchPolicy: Exact matchPolicy: Exact
namespaceSelector: {} namespaceSelector: {}
objectSelector: {} objectSelector: {}
@@ -166,24 +141,19 @@ webhooks:
resources: resources:
- nodes - nodes
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.pods }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/pods" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /pods
port: 443
failurePolicy: {{ .Values.webhooks.pods.failurePolicy }}
matchPolicy: Exact matchPolicy: Exact
name: pods.capsule.clastix.io name: pods.projectcapsule.dev
namespaceSelector: namespaceSelector:
{{- toYaml .Values.webhooks.pods.namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {} objectSelector: {}
rules: rules:
- apiGroups: - apiGroups:
@@ -197,22 +167,18 @@ webhooks:
- pods - pods
scope: Namespaced scope: Namespaced
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.persistentvolumeclaims }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }} name: pvc.projectcapsule.dev
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /persistentvolumeclaims
failurePolicy: {{ .Values.webhooks.persistentvolumeclaims.failurePolicy }}
name: pvc.capsule.clastix.io
namespaceSelector: namespaceSelector:
{{- toYaml .Values.webhooks.persistentvolumeclaims.namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {} objectSelector: {}
rules: rules:
- apiGroups: - apiGroups:
@@ -225,24 +191,19 @@ webhooks:
- persistentvolumeclaims - persistentvolumeclaims
scope: Namespaced scope: Namespaced
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.services }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/services" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /services
port: 443
failurePolicy: {{ .Values.webhooks.services.failurePolicy }}
matchPolicy: Exact matchPolicy: Exact
name: services.capsule.clastix.io name: services.projectcapsule.dev
namespaceSelector: namespaceSelector:
{{- toYaml .Values.webhooks.services.namespaceSelector | nindent 4}} {{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {} objectSelector: {}
rules: rules:
- apiGroups: - apiGroups:
@@ -256,19 +217,15 @@ webhooks:
- services - services
scope: Namespaced scope: Namespaced
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.tenantResourceObjects }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/tenantresource-objects" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }} name: resource-objects.tenant.projectcapsule.dev
service:
name: capsule-webhook-service
namespace: {{ .Release.Namespace }}
path: /tenantresource-objects
failurePolicy: {{ .Values.webhooks.tenantResourceObjects.failurePolicy }}
name: resource-objects.tenant.capsule.clastix.io
namespaceSelector: namespaceSelector:
matchExpressions: matchExpressions:
- key: capsule.clastix.io/tenant - key: capsule.clastix.io/tenant
@@ -289,21 +246,17 @@ webhooks:
- '*' - '*'
scope: Namespaced scope: Namespaced
sideEffects: None sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.tenants }}
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
{{- if not .Values.certManager.generateCertificates }} {{- include "capsule.webhooks.service" (dict "path" "/tenants" "ctx" $) | nindent 4 }}
caBundle: Cg== failurePolicy: {{ .failurePolicy }}
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /tenants
port: 443
failurePolicy: {{ .Values.webhooks.tenants.failurePolicy }}
matchPolicy: Exact matchPolicy: Exact
name: tenants.capsule.clastix.io name: tenants.projectcapsule.dev
namespaceSelector: {} namespaceSelector: {}
objectSelector: {} objectSelector: {}
rules: rules:
@@ -319,4 +272,6 @@ webhooks:
- tenants - tenants
scope: '*' scope: '*'
sideEffects: None sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
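Review bot: `{{ with .Values.webhooks.hooks.namespaces }}` lacks the left-trim marker that every other block uses (`{{- with ... }}`), which leaves a stray blank line inside the `webhooks` list — harmless YAML, but inconsistent with the rest of the file. More importantly, each webhook is now wrapped in `with`, so a values override that sets a hook entry to `{}` or `null` silently drops that admission webhook from the configuration with no render error; an enforcement control disappearing without notice is the kind of change that should be loud. If empty-means-disabled is intended, state it in a comment above the first block, e.g. `{{/* each hook is rendered only when its values entry is non-empty; an empty entry disables that webhook */}}`, and mirror it in values.yaml; otherwise `required` on the entries that must always exist would fail fast. The `capsule.webhooks.service` helper that now supplies `clientConfig` is outside this diff, so I cannot confirm that the placeholder `caBundle` previously emitted for the non-cert-manager case is still produced there.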


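--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -18,3 +19,4 @@ spec:
 {{- include "capsule.selectorLabels" . | nindent 4 }}
 sessionAffinity: None
 type: ClusterIP
+{{- end }}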


@@ -2,6 +2,17 @@
# This is a YAML-formatted file. # This is a YAML-formatted file.
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
# Manage CRD Lifecycle
crds:
# -- Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations)
install: true
# -- Only install the CRDs, no other primitives
exclusive: false
# -- Extra Labels for CRDs
labels: {}
# -- Extra Annotations for CRDs
annnotations: {}
# Secret Options # Secret Options
tls: tls:
# -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
@@ -64,7 +75,7 @@ manager:
# -- Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash # -- Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash
forceTenantPrefix: false forceTenantPrefix: false
# -- Override the Capsule user groups # -- Override the Capsule user groups
capsuleUserGroups: ["capsule.clastix.io"] capsuleUserGroups: ["projectcapsule.dev"]
# -- If specified, disallows creation of namespaces matching the passed regexp # -- If specified, disallows creation of namespaces matching the passed regexp
protectedNamespaceRegex: "" protectedNamespaceRegex: ""
# -- Specifies whether capsule webhooks certificates should be generated by capsule operator # -- Specifies whether capsule webhooks certificates should be generated by capsule operator
@@ -142,10 +153,6 @@ affinity: {}
# -- Set topology spread constraints for the Capsule pod # -- Set topology spread constraints for the Capsule pod
topologySpreadConstraints: [] topologySpreadConstraints: []
podSecurityPolicy:
# -- Specify if a Pod Security Policy must be created
enabled: false
jobs: jobs:
image: image:
# -- Set the image repository of the helm chart job # -- Set the image repository of the helm chart job
@@ -156,6 +163,40 @@ jobs:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- Set the image tag of the helm chart job # -- Set the image tag of the helm chart job
tag: "" tag: ""
# -- Annotations to add to the certgen job.
annotations:
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
# -- Set the restartPolicy
restartPolicy: Never
# -- Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete.
ttlSecondsAfterFinished: 60
# -- Security context for the job pods.
podSecurityContext:
seccompProfile:
type: "RuntimeDefault"
# -- Security context for the job containers.
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1002
runAsNonRoot: true
runAsUser: 1002
# -- Job resources
resources: {}
# -- Set the node selector
nodeSelector: {}
# -- Set list of tolerations
tolerations: []
# -- Set affinity rules
affinity: {}
# -- Set Topology Spread Constraints
topologySpreadConstraints: []
# -- Set a pod priorityClassName
priorityClassName: ""
# ServiceAccount # ServiceAccount
serviceAccount: serviceAccount:
@@ -164,7 +205,7 @@ serviceAccount:
# -- Annotations to add to the service account. # -- Annotations to add to the service account.
annotations: {} annotations: {}
# -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template # -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template
name: "capsule" name: ""
certManager: certManager:
# -- Specifies whether capsule webhooks certificates should be generated using cert-manager # -- Specifies whether capsule webhooks certificates should be generated using cert-manager
@@ -178,6 +219,28 @@ customAnnotations: {}
# Webhooks configurations # Webhooks configurations
webhooks: webhooks:
# -- When `crds.exclusive` is `true` the webhooks will be installed
exclusive: false
# -- Timeout in seconds for mutating webhooks
mutatingWebhooksTimeoutSeconds: 30
# -- Timeout in seconds for validating webhooks
validatingWebhooksTimeoutSeconds: 30
# Configure custom webhook service
service:
# -- The URL where the capsule webhook services are running (Overwrites cluster scoped service definition)
url: ""
# -- CABundle for the webhook service
caBundle: ""
# -- Custom service name for the webhook service
name: ""
# -- Custom service namespace for the webhook service
namespace: ""
# -- Custom service port for the webhook service
port:
# Hook Configuration
hooks:
namespaceOwnerReference: namespaceOwnerReference:
failurePolicy: Fail failurePolicy: Fail
cordoning: cordoning:
@@ -244,12 +307,6 @@ webhooks:
- key: capsule.clastix.io/tenant - key: capsule.clastix.io/tenant
operator: Exists operator: Exists
# -- Timeout in seconds for mutating webhooks
mutatingWebhooksTimeoutSeconds: 30
# -- Timeout in seconds for validating webhooks
validatingWebhooksTimeoutSeconds: 30
# ServiceMonitor # ServiceMonitor
serviceMonitor: serviceMonitor:
# -- Enable ServiceMonitor # -- Enable ServiceMonitor
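Review bot: `annnotations: {}` under `crds:` is misspelled (three n's), so the documented `crds.annotations` default does not actually exist; whichever CRD template reads `.Values.crds.annotations` (not visible in this chunk) will see a nil value instead of this default — change it to `annotations: {}`. The comments `# -- Annotations to add to the certgen job.` and `# -- Sets the ttl in seconds after a finished certgen job is deleted.` are now inaccurate, since the `jobs.*` values are also consumed by the pre-delete hook resources; `# -- Annotations to add to the chart jobs (certgen and pre-delete hooks).` describes the actual scope. `webhooks.service.port:` is left null while its sibling keys default to `""`; that is fine if the helper guards it with `with`, but otherwise it renders as `<nil>`, so a consistent default (`""`, or `443` as the old template hard-coded) is safer. Finally, `# -- When crds.exclusive is true the webhooks will be installed` reads as a side effect rather than a switch; `# -- Also install the webhooks when crds.exclusive is true` states what the flag does.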


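--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -12,7 +12,7 @@ webhooks:
 namespace: system
 path: /defaults
 failurePolicy: Fail
-name: ingress.defaults.capsule.clastix.io
+name: ingress.defaults.projectcapsule.dev
 rules:
 - apiGroups:
 - networking.k8s.io
@@ -33,7 +33,7 @@ webhooks:
 namespace: system
 path: /namespace-owner-reference
 failurePolicy: Fail
-name: owner.namespace.capsule.clastix.io
+name: owner.namespace.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -53,7 +53,7 @@ webhooks:
 namespace: system
 path: /defaults
 failurePolicy: Fail
-name: pod.defaults.capsule.clastix.io
+name: pod.defaults.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -72,7 +72,7 @@ webhooks:
 namespace: system
 path: /defaults
 failurePolicy: Fail
-name: storage.defaults.capsule.clastix.io
+name: storage.defaults.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -97,7 +97,7 @@ webhooks:
 namespace: system
 path: /cordoning
 failurePolicy: Fail
-name: cordoning.tenant.capsule.clastix.io
+name: cordoning.tenant.projectcapsule.dev
 rules:
 - apiGroups:
 - '*'
@@ -118,7 +118,7 @@ webhooks:
 namespace: system
 path: /ingresses
 failurePolicy: Fail
-name: ingress.capsule.clastix.io
+name: ingress.projectcapsule.dev
 rules:
 - apiGroups:
 - networking.k8s.io
@@ -140,7 +140,7 @@ webhooks:
 namespace: system
 path: /namespaces
 failurePolicy: Fail
-name: namespaces.capsule.clastix.io
+name: namespaces.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -161,7 +161,7 @@ webhooks:
 namespace: system
 path: /networkpolicies
 failurePolicy: Fail
-name: networkpolicies.capsule.clastix.io
+name: networkpolicies.projectcapsule.dev
 rules:
 - apiGroups:
 - networking.k8s.io
@@ -181,7 +181,7 @@ webhooks:
 namespace: system
 path: /nodes
 failurePolicy: Fail
-name: nodes.capsule.clastix.io
+name: nodes.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -200,7 +200,7 @@ webhooks:
 namespace: system
 path: /pods
 failurePolicy: Fail
-name: pods.capsule.clastix.io
+name: pods.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -220,7 +220,7 @@ webhooks:
 namespace: system
 path: /persistentvolumeclaims
 failurePolicy: Fail
-name: pvc.capsule.clastix.io
+name: pvc.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -239,7 +239,7 @@ webhooks:
 namespace: system
 path: /tenantresource-objects
 failurePolicy: Fail
-name: resource-objects.tenant.capsule.clastix.io
+name: resource-objects.tenant.projectcapsule.dev
 rules:
 - apiGroups:
 - '*'
@@ -259,7 +259,7 @@ webhooks:
 namespace: system
 path: /services
 failurePolicy: Fail
-name: services.capsule.clastix.io
+name: services.projectcapsule.dev
 rules:
 - apiGroups:
 - ""
@@ -279,7 +279,7 @@ webhooks:
 namespace: system
 path: /tenants
 failurePolicy: Fail
-name: tenants.capsule.clastix.io
+name: tenants.projectcapsule.dev
 rules:
 - apiGroups:
 - capsule.clastix.io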


@@ -62,7 +62,7 @@ var _ = Describe("creating a Namespace as Tenant owner with custom --capsule-gro
It("should succeed and be available in Tenant namespaces list with default single group", func() { It("should succeed and be available in Tenant namespaces list with default single group", func() {
ModifyCapsuleConfigurationOpts(func(configuration *capsulev1beta2.CapsuleConfiguration) { ModifyCapsuleConfigurationOpts(func(configuration *capsulev1beta2.CapsuleConfiguration) {
configuration.Spec.UserGroups = []string{"capsule.clastix.io"} configuration.Spec.UserGroups = []string{"projectcapsule.dev"}
}) })
ns := NewNamespace("") ns := NewNamespace("")


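--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -68,7 +68,7 @@ var _ = AfterSuite(func() {
 func ownerClient(owner capsulev1beta2.OwnerSpec) (cs kubernetes.Interface) {
 c, err := config.GetConfig()
 Expect(err).ToNot(HaveOccurred())
-c.Impersonate.Groups = []string{capsulev1beta2.GroupVersion.Group, owner.Name}
+c.Impersonate.Groups = []string{"projectcapsule.dev", owner.Name}
 c.Impersonate.UserName = owner.Name
 cs, err = kubernetes.NewForConfig(c)
 Expect(err).ToNot(HaveOccurred())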


@@ -43,7 +43,7 @@ if [[ -z ${TENANT} ]]; then
fi fi
if [[ -z ${GROUP} ]]; then if [[ -z ${GROUP} ]]; then
GROUP=capsule.clastix.io GROUP=projectcapsule.dev
fi fi
TMPDIR=$(mktemp -d) TMPDIR=$(mktemp -d)


@@ -38,7 +38,7 @@ if [[ -z ${TENANT} ]]; then
fi fi
if [[ -z ${GROUP} ]]; then if [[ -z ${GROUP} ]]; then
GROUP=capsule.clastix.io GROUP=projectcapsule.dev
fi fi


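--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -30,7 +30,7 @@ func NewCapsuleConfiguration(ctx context.Context, client client.Client, name str
 if apierrors.IsNotFound(err) {
 return &capsulev1beta2.CapsuleConfiguration{
 Spec: capsulev1beta2.CapsuleConfigurationSpec{
-UserGroups: []string{"capsule.clastix.io"},
+UserGroups: []string{"projectcapsule.dev"},
 ForceTenantPrefix: false,
 ProtectedNamespaceRegexpString: "",
 },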


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/cordoning,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=create;update;delete,versions="*",name=cordoning.tenant.capsule.clastix.io // +kubebuilder:webhook:path=/cordoning,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=create;update;delete,versions="*",name=cordoning.tenant.projectcapsule.dev
type cordoning struct { type cordoning struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,9 +7,9 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=pod.defaults.capsule.clastix.io // +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=pod.defaults.projectcapsule.dev
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=storage.defaults.capsule.clastix.io // +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=storage.defaults.projectcapsule.dev
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.defaults.capsule.clastix.io // +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.defaults.projectcapsule.dev
type defaults struct { type defaults struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/ingresses,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io;extensions,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.capsule.clastix.io // +kubebuilder:webhook:path=/ingresses,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io;extensions,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.projectcapsule.dev
type ingress struct { type ingress struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/namespaces,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update;delete,versions=v1,name=namespaces.capsule.clastix.io // +kubebuilder:webhook:path=/namespaces,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update;delete,versions=v1,name=namespaces.projectcapsule.dev
type namespace struct { type namespace struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/networkpolicies,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="networking.k8s.io",resources=networkpolicies,verbs=update;delete,versions=v1,name=networkpolicies.capsule.clastix.io // +kubebuilder:webhook:path=/networkpolicies,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="networking.k8s.io",resources=networkpolicies,verbs=update;delete,versions=v1,name=networkpolicies.projectcapsule.dev
type networkPolicy struct { type networkPolicy struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/nodes,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=nodes,verbs=update,versions=v1,name=nodes.capsule.clastix.io // +kubebuilder:webhook:path=/nodes,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=nodes,verbs=update,versions=v1,name=nodes.projectcapsule.dev
type node struct { type node struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/namespace-owner-reference,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update,versions=v1,name=owner.namespace.capsule.clastix.io // +kubebuilder:webhook:path=/namespace-owner-reference,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update,versions=v1,name=owner.namespace.projectcapsule.dev
type webhook struct { type webhook struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/pods,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=pods.capsule.clastix.io // +kubebuilder:webhook:path=/pods,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=pods.projectcapsule.dev
type pod struct { type pod struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/persistentvolumeclaims,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=pvc.capsule.clastix.io // +kubebuilder:webhook:path=/persistentvolumeclaims,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=pvc.projectcapsule.dev
type pvc struct { type pvc struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/services,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1,name=services.capsule.clastix.io // +kubebuilder:webhook:path=/services,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1,name=services.projectcapsule.dev
type service struct { type service struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/tenantresource-objects,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=update;delete,versions="*",name=resource-objects.tenant.capsule.clastix.io // +kubebuilder:webhook:path=/tenantresource-objects,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=update;delete,versions="*",name=resource-objects.tenant.projectcapsule.dev
type tntResourceObjs struct { type tntResourceObjs struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler


@@ -7,7 +7,7 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/tenants,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="capsule.clastix.io",resources=tenants,verbs=create;update;delete,versions=v1beta2,name=tenants.capsule.clastix.io // +kubebuilder:webhook:path=/tenants,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="capsule.clastix.io",resources=tenants,verbs=create;update;delete,versions=v1beta2,name=tenants.projectcapsule.dev
type tenant struct { type tenant struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler