github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-02-14 09:59:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: add remaining chart improvements (#1347)

Browse Source 
* chore(repo): rework makefile and add renovate mangers for pre-commit and makefile binaries

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
This commit is contained in:
Oliver Bähler
2025-02-06 17:31:31 +01:00
committed by GitHub
parent b7a2072b0f
commit e808118b43
96 changed files with 455 additions and 6658 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/exists/action.yaml vendored
View File

@@ -18,4 +18,4 @@ runs:
- shell: bash
id: check
run: |
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT

2
.github/actions/setup-caches/action.yaml vendored
View File

@@ -17,4 +17,4 @@ runs:
if: ${{ inputs.build-cache-key }}
with:
path: ~/.cache/go-build
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}

2
.github/configs/ct.yaml vendored
View File

@@ -4,7 +4,7 @@ chart-dirs:
- charts
chart-repos:
- capsule=https://projectcapsule.github.io/charts/
helm-extra-args: "--timeout 600s"
helm-extra-args: "--timeout 600s"
validate-chart-schema: false
validate-maintainers: false
validate-yaml: true

10
.github/configs/lintconf.yaml vendored
View File

@@ -1,6 +1,12 @@
---
ignore:
- config/
- charts/*/templates/
- charts/**/templates/
rules:
truthy:
level: warning
check-keys: false
braces:
min-spaces-inside: 0
max-spaces-inside: 0
@@ -39,5 +45,3 @@ rules:
new-lines:
type: unix
trailing-spaces: enable
truthy:
level: warning

7
.github/workflows/check-actions.yml vendored
View File

@@ -3,7 +3,8 @@ permissions: {}
on:
pull_request:
branches: [ "main" ]
branches:
- "*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,7 +19,7 @@ jobs:
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@c3a2b64f69b7a1542a68f44d9edbd9ec3fc1455e # v3.0.20
with:
# slsa-github-generator requires using a semver tag for reusable workflows.
# slsa-github-generator requires using a semver tag for reusable workflows.
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
allowlist: |
slsa-framework/slsa-github-generator
slsa-framework/slsa-github-generator

9
.github/workflows/check-commit.yml vendored
View File

@@ -3,14 +3,15 @@ permissions: {}
on:
push:
branches: [ "*" ]
branches:
- "*"
pull_request:
branches: [ "*" ]
branches:
- "*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
commit_lint:
runs-on: ubuntu-24.04
@@ -19,5 +20,3 @@ jobs:
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
with:
firstParent: true

38
.github/workflows/codecov.yml vendored
View File

@@ -1,38 +0,0 @@
name: Codecov
permissions: {}
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
codecov:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
with:
build-cache-key: codecov
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Generate Code Coverage Report
if: steps.checksecret.outputs.result == 'true'
run: make test
- name: Upload Report to Codecov
if: steps.checksecret.outputs.result == 'true'
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
with:
file: ./coverage.out
fail_ci_if_error: true
verbose: true

84
.github/workflows/coverage.yml vendored Normal file
View File

@@ -0,0 +1,84 @@
name: Coverage
on:
push:
branches:
- "main"
pull_request:
types: [opened, reopened, synchronize]
branches:
- "main"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
compliance:
name: "License Compliance"
runs-on: ubuntu-24.04
steps:
- name: "Checkout Code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Scan"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Test"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
run-tests: true
sast:
name: "SAST"
runs-on: ubuntu-24.04
env:
GO111MODULE: on
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout Source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Run Gosec Security Scanner
uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40
with:
sarif_file: gosec.sarif
unit_tests:
name: "Unit tests"
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Unit Test
run: make test
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Upload Report to Codecov
if: ${{ steps.checksecret.outputs.result == 'true' }}
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
with:
file: ./coverage.out
fail_ci_if_error: true
verbose: true

31
.github/workflows/diff.yml vendored
View File

@@ -1,31 +0,0 @@
name: Diff checks
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
diff:
name: diff
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- run: make manifests
- name: Checking if YAML installer file is not aligned
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
- name: Checking if YAML installer generated untracked files
run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
- name: Checking if source code is not formatted
run: test -z "$(git diff 2> /dev/null)"

45
.github/workflows/docker-build.yml vendored Normal file
View File

@@ -0,0 +1,45 @@
name: Build images
permissions: {}
on:
pull_request:
branches:
- "*"
paths:
- '.github/workflows/docker-*.yml'
- 'api/**'
- 'controllers/**'
- 'pkg/**'
- 'e2e/*'
- '.ko.yaml'
- 'go.*'
- 'main.go'
- 'Makefile'
jobs:
build-images:
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: ko build
run: VERSION=${{ github.sha }} make ko-build-all
- name: Trivy Scan Image
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
env:
# Trivy is returning TOOMANYREQUESTS
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40
with:
sarif_file: 'trivy-results.sarif'

8
.github/workflows/docs-lint.yml vendored
View File

@@ -3,12 +3,14 @@ permissions: {}
on:
push:
branches: [ "*" ]
branches:
- "*"
paths:
- '.github/workflows/docs-lint.yml'
- 'docs/content/**'
pull_request:
branches: [ "*" ]
branches:
- "*"
paths:
- '.github/workflows/docs-lint.yml'
- 'docs/content/**'
@@ -28,4 +30,4 @@ jobs:
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 18
- run: make docs-lint
- run: make docs-lint

13
.github/workflows/e2e.yml vendored
View File

@@ -3,7 +3,8 @@ permissions: {}
on:
pull_request:
branches: [ "*" ]
branches:
- "*"
paths:
- '.github/workflows/e2e.yml'
- 'api/**'
@@ -25,7 +26,15 @@ jobs:
strategy:
fail-fast: false
matrix:
k8s-version: [ 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0', 'v1.30.0', 'v1.31.0' ]
k8s-version:
- "v1.24.7"
- "v1.25.3"
- "v1.26.3"
- "v1.27.2"
- "v1.28.0"
- "v1.29.0"
- "v1.30.0"
- "v1.31.0"
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

35
.github/workflows/fossa.yml vendored
View File

@@ -1,35 +0,0 @@
name: FOSSA
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
fossa-scan:
runs-on: ubuntu-24.04
steps:
- name: "Checkout Code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Scan"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Test"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
run-tests: true

37
.github/workflows/gosec.yml vendored
View File

@@ -1,37 +0,0 @@
name: CI gosec
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
tests:
runs-on: ubuntu-24.04
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Run Gosec Security Scanner
uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40
with:
sarif_file: gosec.sarif

1
.github/workflows/helm-publish.yml vendored
View File

@@ -1,5 +1,6 @@
name: Publish charts
permissions: read-all
on:
push:
tags:

30
.github/workflows/helm-test.yml vendored
View File

@@ -3,13 +3,25 @@ permissions: {}
on:
pull_request:
branches: [ "main" ]
branches:
- "main"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
linter-artifacthub:
runs-on: ubuntu-latest
container:
image: artifacthub/ah
options: --user root
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run ah lint
working-directory: ./charts/
run: ah lint
lint:
runs-on: ubuntu-24.04
steps:
@@ -31,7 +43,7 @@ jobs:
fi
- name: Run chart-testing (lint)
run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
- name: Run docs-testing (helm-docs)
id: helm-docs
run: |
@@ -43,7 +55,17 @@ jobs:
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
- name: Run schema-testing (helm-schema)
id: helm-schema
run: |
make helm-schema
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mSchema outdated! (Run make helm-schema locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mSchema up to date\033[0m ✔'
fi
- name: Run chart-testing (install)
run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test
if: steps.list-changed.outputs.changed == 'true'
if: steps.list-changed.outputs.changed == 'true'

38
.github/workflows/lint.yml vendored
View File

@@ -1,17 +1,45 @@
name: Linting
permissions: {}
on:
push:
branches: [ "*" ]
branches:
- "*"
pull_request:
branches: [ "*" ]
branches:
- "*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
manifests:
name: diff
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Generate manifests
run: |
make manifests
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mManifests outdated! (Run make manifests locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
yamllint:
name: yamllint
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install yamllint
run: pip install yamllint
- name: Lint YAML files
run: yamllint -c=.github/configs/lintconf.yaml .
golangci:
name: lint
runs-on: ubuntu-24.04

3
.github/workflows/releaser.yml vendored
View File

@@ -19,7 +19,8 @@ jobs:
# differently from the e2e workflow
# we don't need all the versions of kubernetes
# to generate the seccomp profile.
k8s-version: [ 'v1.30.0' ]
k8s-version:
- "v1.30.0"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

2
.github/workflows/scorecard.yml vendored
View File

@@ -39,4 +39,4 @@ jobs:
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
with:
sarif_file: results.sarif
sarif_file: results.sarif

13
.github/workflows/seccomp.yaml vendored
View File

@@ -3,14 +3,16 @@ permissions: {}
on:
pull_request:
branches: [ "*" ]
branches:
- "*"
paths:
- '.github/workflows/e2e.yml'
- 'api/**'
- 'controllers/**'
- 'pkg/**'
- 'e2e/*'
- 'Dockerfile'
- '.ko.yaml'
- 'Dockerfile.tracing'
- 'go.*'
- 'main.go'
- 'Makefile'
@@ -25,10 +27,8 @@ jobs:
strategy:
fail-fast: false
matrix:
# differently from the e2e workflow
# we don't need all the versions of kubernetes
# to generate the seccomp profile.
k8s-version: [ 'v1.30.0' ]
k8s-version:
- "v1.30.0"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -51,4 +51,3 @@ jobs:
with:
name: capsule-seccomp
path: capsule-seccomp.json

8
.golangci.yml
View File

@@ -1,4 +1,3 @@
linters-settings:
govet:
check-shadowing: true
@@ -58,13 +57,10 @@ linters:
- deadcode
- ifshort
- nonamedreturns
service:
golangci-lint-version: 1.56.x
run:
timeout: 3m
go: '1.21'
allow-parallel-runners: true
tests: false
skip-files:
- "zz_.*\\.go$"
- ".+\\.generated.go"

2
.goreleaser.yml
View File

@@ -34,7 +34,7 @@ release:
Thanks to all the contributors!
**Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
**Docker Images**
- `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Version }}`
- `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`

2
.ko.yaml
View File

@@ -6,4 +6,4 @@ builds:
- id: capsule
main: ./
ldflags:
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'

82
.pre-commit-config.yaml
View File

@@ -2,9 +2,9 @@ repos:
- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
rev: v9.20.0
hooks:
- id: commitlint
stages: [commit-msg]
additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']
- id: commitlint
stages: [commit-msg]
additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
hooks:
@@ -13,40 +13,46 @@ repos:
- id: double-quote-string-fixer
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/adrienverge/yamllint
rev: v1.29.0
hooks:
- id: yamllint
args: [-c=.github/configs/lintconf.yaml]
- repo: local
hooks:
- id: run-helm-docs
name: Execute helm-docs
entry: make helm-docs
language: system
files: ^charts/
- id: run-helm-schema
name: Execute helm-schema
entry: make helm-schema
language: system
files: ^charts/
- id: run-helm-lint
name: Execute helm-lint
entry: make helm-lint
language: system
files: ^charts/
- id: golangci-lint
name: Execute golangci-lint
entry: make golint
language: system
files: \.go$
- repo: https://github.com/tekwizely/pre-commit-golang
rev: v1.0.0-rc.1
hooks:
- id: go-vet
- id: go-vet-mod
- id: go-vet-pkg
- id: go-vet-repo-mod
- id: go-vet-repo-pkg
- id: go-revive
- id: go-revive-mod
- id: go-revive-repo-mod
- id: go-sec-mod
- id: go-sec-pkg
- id: go-sec-repo-mod
- id: go-sec-repo-pkg
- id: run-helm-docs
name: Execute helm-docs
entry: make helm-docs
language: system
files: ^charts/
- id: run-helm-schema
name: Execute helm-schema
entry: make helm-schema
language: system
files: ^charts/
- id: run-helm-lint
name: Execute helm-lint
entry: make helm-lint
language: system
files: ^charts/
# Currently too slow smw
# - id: golangci-lint
# name: Execute golangci-lint
# entry: make golint
# language: system
# files: \.go$
# - repo: https://github.com/tekwizely/pre-commit-golang
# rev: v1.0.0-rc.1
# hooks:
# - id: go-vet
# - id: go-vet-mod
# - id: go-vet-pkg
# - id: go-vet-repo-mod
# - id: go-vet-repo-pkg
# - id: go-revive
# - id: go-revive-mod
# - id: go-revive-repo-mod
# - id: go-sec-mod
# - id: go-sec-pkg
# - id: go-sec-repo-mod
# - id: go-sec-repo-pkg

211
Makefile
View File

@@ -58,8 +58,8 @@ run: generate manifests
go run .
# Generate manifests e.g. CRD, RBAC etc.
manifests: controller-gen
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule/crds
manifests: generate
$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=charts/capsule/crds
# Generate code
generate: controller-gen
@@ -68,15 +68,14 @@ generate: controller-gen
# Helm
SRC_ROOT = $(shell git rev-parse --show-toplevel)
helm-docs: HELMDOCS_VERSION := v1.11.0
helm-docs: docker
@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
helm-docs: helm-doc
$(HELM_DOCS) --chart-search-root ./charts
helm-lint: docker
@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
helm-lint: ct
@$(CT) lint --config .github/configs/ct.yaml --validate-yaml=false --all --debug
helm-schema: helm-plugin-schema
cd charts/capsule && $(HELM) schema
cd charts/capsule && $(HELM) schema -output values.schema.json
helm-test: HELM_KIND_CONFIG ?= ""
helm-test: kind ct ko-build-all
@@ -89,9 +88,9 @@ helm-test-exec: kind
$(MAKE) docker-build-capsule-trace
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=latest
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
@kubectl create ns capsule-system || true
@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@$(KUBECTL) create ns capsule-system || true
@$(KUBECTL) apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@$(KUBECTL) apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
docker:
@@ -123,7 +122,6 @@ IP.1 = $(LAPTOP_HOST_IP)
endef
export TLS_CNF
dev-setup:
kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
mkdir -p /tmp/k8s-webhook-server/serving-certs
echo "$${TLS_CNF}" > _tls.cnf
openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -132,13 +130,13 @@ dev-setup:
-config _tls.cnf \
-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
-out /tmp/k8s-webhook-server/serving-certs/tls.crt
kubectl create secret tls capsule-tls -n capsule-system \
$(KUBECTL) create secret tls capsule-tls -n capsule-system \
--cert=/tmp/k8s-webhook-server/serving-certs/tls.crt\
--key=/tmp/k8s-webhook-server/serving-certs/tls.key || true
rm -f _tls.cnf
export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
helm upgrade \
$(HELM) upgrade \
--dependency-update \
--debug \
--install \
@@ -151,6 +149,7 @@ dev-setup:
--set "webhooks.service.caBundle=$${CA_BUNDLE}" \
capsule \
./charts/capsule
$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
####################
# -- Docker
@@ -209,95 +208,15 @@ ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
.PHONY: ko-publish-all
ko-publish-all: ko-publish-capsule
####################
# -- Helm Plugins
####################
HELM_SCHEMA_VERSION := ""
helm-plugin-schema:
$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
####################
# -- Binaries
####################
CONTROLLER_GEN := $(shell pwd)/bin/controller-gen
CONTROLLER_GEN_VERSION := v0.16.1
controller-gen: ## Download controller-gen locally if necessary.
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
GINKGO := $(shell pwd)/bin/ginkgo
ginkgo: ## Download ginkgo locally if necessary.
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
CT := $(shell pwd)/bin/ct
CT_VERSION := v3.10.1
ct: ## Download ct locally if necessary.
$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
KIND := $(shell pwd)/bin/kind
KIND_VERSION := v0.17.0
kind: ## Download kind locally if necessary.
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KUSTOMIZE := $(shell pwd)/bin/kustomize
KUSTOMIZE_VERSION := 3.8.7
kustomize: ## Download kustomize locally if necessary.
$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
KO = $(shell pwd)/bin/ko
KO_VERSION = v0.14.1
ko:
$(call go-install-tool,$(KO),github.com/google/ko@$(KO_VERSION))
HARPOON := $(shell pwd)/bin/harpoon
HARPOON_VERSION := v0.9.4
harpoon: ## Download harpoon locally if necessary.
@mkdir $(shell pwd)/bin
@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
sudo bash -s -- --install-version $(HARPOON_VERSION) --install-dir $(shell pwd)/bin
####################
# -- Helpers
####################
pull-upstream:
git remote add upstream https://github.com/capsuleproject/capsule.git
git fetch --all && git pull upstream
define install-kustomize
@[ -f $(1) ] || { \
set -e ;\
echo "Installing v$(2)" ;\
cd bin ;\
wget "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" ;\
bash ./install_kustomize.sh $(2) ;\
}
endef
# go-install-tool will 'go install' any package $2 and install it to $1.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
@[ -f $(1) ] || { \
set -e ;\
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
}
endef
# Sorting imports
.PHONY: goimports
goimports:
goimports -w -l -local "github.com/projectcapsule/capsule" .
GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
GOLANGCI_LINT_VERSION = v1.56.2
golangci-lint: ## Download golangci-lint locally if necessary.
$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
# Linting code as PR is expecting
.PHONY: golint
golint: golangci-lint
$(GOLANGCI_LINT) run -c .golangci.yml
$(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
# Running e2e tests in a KinD instance
.PHONY: e2e
@@ -306,12 +225,12 @@ e2e: ginkgo
e2e-build: kind
$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
$(MAKE) e2e-install
.PHONY: e2e-install
e2e-install:
helm upgrade \
$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
$(HELM) upgrade \
--dependency-update \
--debug \
--install \
@@ -326,7 +245,7 @@ e2e-install:
./charts/capsule
.PHONY: trace-install
trace-install:
trace-install:
helm upgrade \
--dependency-update \
--debug \
@@ -349,7 +268,7 @@ trace-e2e: kind
$(MAKE) e2e-exec
$(KIND) delete cluster --name capsule-tracing
.PHONY: trace-unit
.PHONY: trace-unit
trace-unit: harpoon
$(HARPOON) analyze -e .git/ -e assets/ -e charts/ -e config/ -e docs/ -e e2e/ -e hack/ --directory /tmp/artifacts/ --save
$(HARPOON) hunt -D /tmp/results -F harpoon-report.yml --include-cmd-stdout --save
@@ -359,7 +278,6 @@ seccomp:
$(HARPOON) build --add-syscall-sets=dynamic,docker -D /tmp/results --name capsule-seccomp.json --save
.PHONY: e2e-load-image
e2e-load-image: LOAD_IMAGE ?= $(IMAGE):$(VERSION)
e2e-load-image: kind ko-build-all
$(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME)
@@ -374,3 +292,96 @@ e2e-destroy: kind
SPELL_CHECKER = npx spellchecker-cli
docs-lint:
cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt
####################
# -- Helpers
####################
pull-upstream:
git remote add upstream https://github.com/capsuleproject/capsule.git
git fetch --all && git pull upstream
## Location to install dependencies to
LOCALBIN ?= $(shell pwd)/bin
$(LOCALBIN):
mkdir -p $(LOCALBIN)
####################
# -- Helm Plugins
####################
HELM_SCHEMA_VERSION := ""
helm-plugin-schema:
@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
HELM_DOCS := $(LOCALBIN)/helm-docs
HELM_DOCS_VERSION := v1.14.1
HELM_DOCS_LOOKUP := norwoodj/helm-docs
helm-doc:
@test -s $(HELM_DOCS) || \
$(call go-install-tool,$(HELM_DOCS),github.com/$(HELM_DOCS_LOOKUP)/cmd/helm-docs@$(HELM_DOCS_VERSION))
####################
# -- Tools
####################
CONTROLLER_GEN := $(LOCALBIN)/controller-gen
CONTROLLER_GEN_VERSION ?= v0.16.3
CONTROLLER_GEN_LOOKUP := kubernetes-sigs/controller-tools
controller-gen:
@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
GINKGO := $(LOCALBIN)/ginkgo
ginkgo:
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
CT := $(LOCALBIN)/ct
CT_VERSION := v3.11.0
CT_LOOKUP := helm/chart-testing
ct:
@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
KIND := $(LOCALBIN)/kind
KIND_VERSION := v0.17.0
KIND_LOOKUP := kubernetes-sigs/kind
kind:
@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KO := $(LOCALBIN)/ko
KO_VERSION := v0.14.1
KO_LOOKUP := google/ko
ko:
@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
GOLANGCI_LINT := $(LOCALBIN)/golangci-lint
GOLANGCI_LINT_VERSION := v1.63.4
GOLANGCI_LINT_LOOKUP := golangci/golangci-lint
golangci-lint: ## Download golangci-lint locally if necessary.
@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
APIDOCS_GEN := $(LOCALBIN)/crdoc
APIDOCS_GEN_VERSION := v0.6.2
APIDOCS_GEN_LOOKUP := fybrik/crdoc
apidocs-gen: ## Download crdoc locally if necessary.
@test -s $(APIDOCS_GEN) && $(APIDOCS_GEN) --version | grep -q $(APIDOCS_GEN_VERSION) || \
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
HARPOON := $(LOCALBIN)/harpoon
HARPOON_VERSION := v0.9.4
HARPOON_LOOKUP := alegrey91/harpoon
harpoon:
@mkdir $(LOCALBIN)
@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
sudo bash -s -- --install-version $(HARPOON_VERSION) --install-dir $(LOCALBIN)
# go-install-tool will 'go install' any package $2 and install it to $1.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
[ -f $(1) ] || { \
set -e ;\
GOBIN=$(LOCALBIN) go install $(2) ;\
}
endef

26
README.md
View File

@@ -82,24 +82,6 @@ Please, check the project [documentation](https://projectcapsule.dev) for the co
Capsule is Open Source with Apache 2 license and any contribution is welcome.
## Chart Development
### Chart Linting
The chart is linted with [ct](https://github.com/helm/chart-testing). You can run the linter locally with this command:
```
make helm-lint
```
### Chart Documentation
The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation. Run this anytime you make changes to a `values.yaml` file:
```
make helm-docs
```
## Community meeting
Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
@@ -118,6 +100,12 @@ You can find how the Capsule project is governed [here](https://projectcapsule.d
Please, refer to the maintainers file available [here](.github/maintainers.yaml).
## CLOMonitor
CLOMonitor is a tool that periodically checks open source projects repositories to verify they meet certain project health best practices.
[![CloMonitor report summary](https://clomonitor.io/api/projects/cncf/capsule/report-summary?theme=light)](https://clomonitor.io/projects/cncf/capsule)
### Changelog
Read how we log changes [here](CHANGELOG.md)
@@ -142,4 +130,4 @@ All OCI release artifacts include a Software Bill of Materials (SBOM) in Cyclone
- Q. Do you provide commercial support?
A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote.
A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote.

1
SECURITY-INSIGHTS.yml
View File

@@ -57,4 +57,3 @@ security-contacts:
- type: email
value: cncf-capsule-maintainers@lists.cncf.io
primary: true

1
charts/capsule/.helmignore
View File

@@ -22,3 +22,4 @@
*.tmproj
.vscode/
README.md.gotmpl
artifacthub-repo.yml

6
charts/capsule/Chart.yaml
View File

@@ -40,7 +40,5 @@ annotations:
- name: Documentation
url: https://projectcapsule.dev/
artifacthub.io/changes: |
- kind: fixed
description: added scope for mutating webhook configurations
- kind: changed
description: moved job configuration from jobs to global.jobs.kubectl
- kind: added
description: oci chart reference

2
charts/capsule/README.md
View File

@@ -35,6 +35,8 @@ The following Values have changed key or Value:
## Installation
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.

6
charts/capsule/README.md.gotmpl
View File

@@ -16,7 +16,7 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
* A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
## Major Changes
## Major Changes
In the following sections you see actions which are required when you are upgrading to a specific version.
@@ -25,7 +25,7 @@ In the following sections you see actions which are required when you are upgrad
Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
#### Changed Values
#### Changed Values
The following Values have changed key or Value:
@@ -36,6 +36,8 @@ The following Values have changed key or Value:
## Installation
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.

4
charts/capsule/artifacthub-repo.yml Normal file
View File

@@ -0,0 +1,4 @@
repositoryID: 783775bb-96c2-4915-8c7d-ba4a1118323c
owners:
- name: capsule-maintainers
email: cncf-capsule-maintainers@lists.cncf.io

2
charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.16.3
name: capsuleconfigurations.capsule.clastix.io
spec:
group: capsule.clastix.io

2
charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.16.3
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io

2
charts/capsule/crds/capsule.clastix.io_tenantresources.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.16.3
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io

2
charts/capsule/crds/capsule.clastix.io_tenants.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.16.3
name: tenants.capsule.clastix.io
spec:
group: capsule.clastix.io

16
charts/capsule/values.schema.json
View File

@@ -171,6 +171,9 @@
"hostNetwork": {
"type": "boolean"
},
"hostPID": {
"type": "boolean"
},
"image": {
"properties": {
"pullPolicy": {
@@ -312,6 +315,16 @@
},
"type": "object"
},
"securityContext": {
"properties": {},
"type": "object"
},
"volumeMounts": {
"type": "array"
},
"volumes": {
"type": "array"
},
"webhookPort": {
"type": "integer"
}
@@ -348,6 +361,9 @@
},
"type": "object"
},
"ports": {
"type": "array"
},
"priorityClassName": {
"type": "string"
},

132
config/crd/bases/capsule.clastix.io_capsuleconfigurations.yaml
View File

@@ -1,132 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: capsuleconfigurations.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: CapsuleConfiguration
listKind: CapsuleConfigurationList
plural: capsuleconfigurations
singular: capsuleconfiguration
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: CapsuleConfiguration is the Schema for the Capsule configuration
API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: CapsuleConfigurationSpec defines the Capsule configuration.
properties:
enableTLSReconciler:
default: true
description: |-
Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
type: boolean
forceTenantPrefix:
default: false
description: |-
Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
type: boolean
nodeMetadata:
description: |-
Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
properties:
forbiddenAnnotations:
description: Define the annotations that a Tenant Owner cannot
set for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
forbiddenLabels:
description: Define the labels that a Tenant Owner cannot set
for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
required:
- forbiddenAnnotations
- forbiddenLabels
type: object
overrides:
default:
TLSSecretName: capsule-tls
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
description: |-
Allows to set different name rather than the canonical one for the Capsule configuration objects,
such as webhook secret or configurations.
properties:
TLSSecretName:
default: capsule-tls
description: |-
Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is deployed.
type: string
mutatingWebhookConfigurationName:
default: capsule-mutating-webhook-configuration
description: Name of the MutatingWebhookConfiguration which contains
the dynamic admission controller paths and resources.
type: string
validatingWebhookConfigurationName:
default: capsule-validating-webhook-configuration
description: Name of the ValidatingWebhookConfiguration which
contains the dynamic admission controller paths and resources.
type: string
required:
- TLSSecretName
- mutatingWebhookConfigurationName
- validatingWebhookConfigurationName
type: object
protectedNamespaceRegex:
description: Disallow creation of namespaces, whose name matches this
regexp
type: string
userGroups:
default:
- capsule.clastix.io
description: Names of the groups for Capsule users.
items:
type: string
type: array
required:
- enableTLSReconciler
type: object
type: object
served: true
storage: true

298
config/crd/bases/capsule.clastix.io_globaltenantresources.yaml
View File

@@ -1,298 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: GlobalTenantResource
listKind: GlobalTenantResourceList
plural: globaltenantresources
singular: globaltenantresource
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: GlobalTenantResource allows to propagate resource replications
to a specific subset of Tenant resources.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
properties:
pruningOnDelete:
default: true
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other
Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
tenantSelector:
description: Defines the Tenant selector used target the tenants on
which resources must be propagated.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- resources
- resyncPeriod
type: object
status:
description: GlobalTenantResourceStatus defines the observed state of
GlobalTenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind
- name
- namespace
type: object
type: array
selectedTenants:
description: List of Tenants addressed by the GlobalTenantResource.
items:
type: string
type: array
required:
- processedItems
- selectedTenants
type: object
type: object
served: true
storage: true
subresources:
status: {}

246
config/crd/bases/capsule.clastix.io_tenantresources.yaml
View File

@@ -1,246 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: TenantResource
listKind: TenantResourceList
plural: tenantresources
singular: tenantresource
scope: Namespaced
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: |-
TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace.
The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
For such cases, the GlobalTenantResource must be used.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TenantResourceSpec defines the desired state of TenantResource.
properties:
pruningOnDelete:
default: true
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other
Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
required:
- resources
- resyncPeriod
type: object
status:
description: TenantResourceStatus defines the observed state of TenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind
- name
- namespace
type: object
type: array
required:
- processedItems
type: object
type: object
served: true
storage: true
subresources:
status: {}

2345
config/crd/bases/capsule.clastix.io_tenants.yaml
View File

File diff suppressed because it is too large Load Diff

17
config/crd/kustomization.yaml
View File

@@ -1,17 +0,0 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/capsule.clastix.io_tenants.yaml
- bases/capsule.clastix.io_capsuleconfigurations.yaml
- bases/capsule.clastix.io_tenantresources.yaml
- bases/capsule.clastix.io_globaltenantresources.yaml
# +kubebuilder:scaffold:crdkustomizeresource
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
patchesStrategicMerge:
- patches/webhook_in_tenants.yaml
- patches/webhook_in_capsuleconfiguration.yaml

19
config/crd/kustomizeconfig.yaml
View File

@@ -1,19 +0,0 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/name
namespace:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations

7
config/crd/patches/cainjection_in_globaltenantresources.yaml
View File

@@ -1,7 +0,0 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: globaltenantresources.capsule.clastix.io

7
config/crd/patches/cainjection_in_tenantresources.yaml
View File

@@ -1,7 +0,0 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: tenantresources.capsule.clastix.io

17
config/crd/patches/webhook_in_capsuleconfiguration.yaml
View File

@@ -1,17 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: capsuleconfigurations.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1beta1
- v1beta2

16
config/crd/patches/webhook_in_globaltenantresources.yaml
View File

@@ -1,16 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: globaltenantresources.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1

16
config/crd/patches/webhook_in_tenantresources.yaml
View File

@@ -1,16 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tenantresources.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1

17
config/crd/patches/webhook_in_tenants.yaml
View File

@@ -1,17 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tenants.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1beta1
- v1beta2

25
config/default/kustomization.yaml
View File

@@ -1,25 +0,0 @@
# Adds namespace to all resources.
namespace: capsule-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: capsule-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
- ../secret
- ../webhook
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
- manager_webhook_patch.yaml

26
config/default/manager_webhook_patch.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 8080
name: metrics
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: capsule-tls

2138
config/grafana/dashboard.json
View File

File diff suppressed because it is too large Load Diff

7
config/grafana/dashboard.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
# label selector used by Grafana to load the dashboards from Config Maps
grafana_dashboard: "1"
name: capsule-grafana-dashboard

8
config/grafana/kustomization.yaml
View File

@@ -1,8 +0,0 @@
configMapGenerator:
- name: capsule-grafana-dashboard
files:
- dashboard.json
generatorOptions:
disableNameSuffixHash: true
patchesStrategicMerge:
- dashboard.yaml

9
config/manager/configuration.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
name: default
spec:
userGroups: ["capsule.clastix.io"]
forceTenantPrefix: false
protectedNamespaceRegex: ""
enableTLSReconciler: true

9
config/manager/kustomization.yaml
View File

@@ -1,9 +0,0 @@
resources:
- configuration.yaml
- manager.yaml
- metrics_service.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: ghcr.io/projectcapsule/capsule

46
config/manager/manager.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- args:
- --enable-leader-election
- --zap-encoder=console
- --zap-log-level=debug
- --configuration-name=capsule-default
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: controller
imagePullPolicy: IfNotPresent
name: manager
resources:
limits:
cpu: 200m
memory: 128Mi
requests:
cpu: 200m
memory: 128Mi
terminationGracePeriodSeconds: 10

14
config/manager/metrics_service.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: metrics
port: 8080
targetPort: metrics
selector:
control-plane: controller-manager

2
config/prometheus/kustomization.yaml
View File

@@ -1,2 +0,0 @@
resources:
- monitor.yaml

18
config/prometheus/monitor.yaml
View File

@@ -1,18 +0,0 @@
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
control-plane: controller-manager
name: capsule-monitor
namespace: system
spec:
endpoints:
- interval: 15s
path: /metrics
port: metrics
jobLabel: controller-manager
namespaceSelector:
selector:
matchLabels:
control-plane: controller-manager

24
config/rbac/globaltenantresource_editor_role.yaml
View File

@@ -1,24 +0,0 @@
# permissions for end users to edit globaltenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: globaltenantresource-editor-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources/status
verbs:
- get

20
config/rbac/globaltenantresource_viewer_role.yaml
View File

@@ -1,20 +0,0 @@
# permissions for end users to view globaltenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: globaltenantresource-viewer-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources
verbs:
- get
- list
- watch
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources/status
verbs:
- get

8
config/rbac/kustomization.yaml
View File

@@ -1,8 +0,0 @@
resources:
- role_binding.yaml
# Uncomment the following 3 lines if you are running Capsule
# in a cluster where [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
# are enabled.
# - psp_policy.yaml
# - psp_role.yaml
# - psp_role_binding.yaml

18
config/rbac/psp_policy.yaml
View File

@@ -1,18 +0,0 @@
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: capsule
spec:
fsGroup:
rule: RunAsAny
hostPorts:
- max: 0
min: 0
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret

9
config/rbac/psp_role.yaml
View File

@@ -1,9 +0,0 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: capsule-psp
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
resourceNames: ['capsule-psp']
verbs: ['use']

12
config/rbac/psp_role_binding.yaml
View File

@@ -1,12 +0,0 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: capsule-use-psp
namespace: system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: capsule-psp
subjects:
- kind: ServiceAccount
name: default

12
config/rbac/role_binding.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: default
namespace: system

24
config/rbac/tenantresource_editor_role.yaml
View File

@@ -1,24 +0,0 @@
# permissions for end users to edit tenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tenantresource-editor-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources/status
verbs:
- get

20
config/rbac/tenantresource_viewer_role.yaml
View File

@@ -1,20 +0,0 @@
# permissions for end users to view tenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tenantresource-viewer-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources
verbs:
- get
- list
- watch
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources/status
verbs:
- get

139
config/samples/capsule_v1beta1_tenant.yaml
View File

@@ -1,139 +0,0 @@
---
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: gas
spec:
additionalRoleBindings:
-
clusterRoleName: tenant-sample-viewer
subjects:
-
kind: User
name: bob
containerRegistries:
allowed:
- docker.io
- quay.io
allowedRegex: ^\w+.gcr.io$
serviceOptions:
additionalMetadata:
annotations:
capsule.clastix.io/bgp: "true"
labels:
capsule.clastix.io/pool: gas
allowedServices:
nodePort: false
externalName: false
externalIPs:
allowed:
- 10.20.0.0/16
- "10.96.42.42"
imagePullPolicies:
- Always
ingressOptions:
hostnameCollisionScope: Cluster
allowedClasses:
allowed:
- default
allowedRegex: ^\w+-lb$
allowedHostnames:
allowed:
- gas.acmecorp.com
allowedRegex: ^.*acmecorp.com$
limitRanges:
items:
-
limits:
-
max:
cpu: "1"
memory: 1Gi
min:
cpu: 50m
memory: 5Mi
type: Pod
-
default:
cpu: 200m
memory: 100Mi
defaultRequest:
cpu: 100m
memory: 10Mi
max:
cpu: "1"
memory: 1Gi
min:
cpu: 50m
memory: 5Mi
type: Container
-
max:
storage: 10Gi
min:
storage: 1Gi
type: PersistentVolumeClaim
namespaceOptions:
quota: 3
additionalMetadata:
annotations:
capsule.clastix.io/backup: "false"
labels:
capsule.clastix.io/tenant: gas
networkPolicies:
items:
-
egress:
-
to:
-
ipBlock:
cidr: 0.0.0.0/0
except:
- 192.168.0.0/12
ingress:
-
from:
-
namespaceSelector:
matchLabels:
capsule.clastix.io/tenant: gas
-
podSelector: {}
-
ipBlock:
cidr: 192.168.0.0/12
podSelector: {}
policyTypes:
- Ingress
- Egress
nodeSelector:
kubernetes.io/os: linux
owners:
-
kind: User
name: bob
priorityClasses:
allowed:
- shared-nodes
allowedRegex: ^\w-gas$
resourceQuotas:
items:
-
hard:
limits.cpu: "8"
limits.memory: 16Gi
requests.cpu: "8"
requests.memory: 16Gi
scopes:
- NotTerminating
-
hard:
pods: "10"
-
hard:
requests.storage: 100Gi
storageClasses:
allowed:
- default
allowedRegex: ^\w+fs$

11
config/samples/capsule_v1beta2_capsuleconfiguration.yaml
View File

@@ -1,11 +0,0 @@
---
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
name: default
spec:
userGroups: ["capsule.clastix.io"]
forceTenantPrefix: false
protectedNamespaceRegex: ""
enableTLSReconciler: true

39
config/samples/capsule_v1beta2_globaltenantresource.yaml
View File

@@ -1,39 +0,0 @@
apiVersion: capsule.clastix.io/v1beta2
kind: GlobalTenantResource
metadata:
name: green-production
spec:
tenantSelector:
matchLabels:
energy: green
resyncPeriod: 60s
pruningOnDelete: true
resources:
- namespaceSelector:
matchLabels:
environment: production
additionalMetadata:
labels:
labels.energy.io: green
annotations:
annotations.energy.io: green
namespacedItems:
- apiVersion: v1
kind: Secret
namespace: default
selector:
matchLabels:
replicate: green
rawItems:
- apiVersion: v1
kind: Secret
metadata:
name: raw-secret-1
- apiVersion: v1
kind: Secret
metadata:
name: raw-secret-2
- apiVersion: v1
kind: Secret
metadata:
name: raw-secret-3

36
config/samples/capsule_v1beta2_tenantresource.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: capsule.clastix.io/v1beta2
kind: TenantResource
metadata:
name: wind-objects
spec:
resyncPeriod: 60s
pruningOnDelete: true
resources:
- namespaceSelector:
matchLabels:
environment: production
additionalMetadata:
labels:
labels.energy.io: wind
annotations:
annotations.energy.io: wind
namespacedItems:
- apiVersion: v1
kind: Secret
namespace: wind-production
selector:
matchLabels:
replicate: solar
rawItems:
- apiVersion: v1
kind: Secret
metadata:
name: wind-secret-1
- apiVersion: v1
kind: Secret
metadata:
name: wind-secret-2
- apiVersion: v1
kind: Secret
metadata:
name: wind-secret-3

3
config/samples/kustomization.yaml
View File

@@ -1,3 +0,0 @@
## This file is auto-generated, do not modify ##
resources:
- capsule_v1beta1_tenant.yaml

3
config/secret/kustomization.yaml
View File

@@ -1,3 +0,0 @@
resources:
- secret-ca.yaml
- secret-tls.yaml

4
config/secret/secret-ca.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: ca

4
config/secret/secret-tls.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: tls

21
config/webhook/kustomization.yaml
View File

@@ -1,21 +0,0 @@
resources:
- manifests.yaml
- service.yaml
patchesJson6902:
- target:
group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
name: validating-webhook-configuration
version: v1
path: patch_validating_ns_selector.yaml
- target:
group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
name: mutating-webhook-configuration
version: v1
path: patch_mutating_ns_selector.yaml
configurations:
- kustomizeconfig.yaml

25
config/webhook/kustomizeconfig.yaml
View File

@@ -1,25 +0,0 @@
# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
namespace:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
varReference:
- path: metadata/annotations

294
config/webhook/manifests.yaml
View File

@@ -1,294 +0,0 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /defaults
failurePolicy: Fail
name: ingress.defaults.projectcapsule.dev
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /namespace-owner-reference
failurePolicy: Fail
name: owner.namespace.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- namespaces
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /defaults
failurePolicy: Fail
name: pod.defaults.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /defaults
failurePolicy: Fail
name: storage.defaults.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- persistentvolumeclaims
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /cordoning
failurePolicy: Fail
name: cordoning.tenant.projectcapsule.dev
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
- DELETE
resources:
- '*'
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /ingresses
failurePolicy: Fail
name: ingress.projectcapsule.dev
rules:
- apiGroups:
- networking.k8s.io
- extensions
apiVersions:
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /namespaces
failurePolicy: Fail
name: namespaces.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- namespaces
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /networkpolicies
failurePolicy: Fail
name: networkpolicies.projectcapsule.dev
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- UPDATE
- DELETE
resources:
- networkpolicies
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /nodes
failurePolicy: Fail
name: nodes.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- UPDATE
resources:
- nodes
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /pods
failurePolicy: Fail
name: pods.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /persistentvolumeclaims
failurePolicy: Fail
name: pvc.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- persistentvolumeclaims
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /tenantresource-objects
failurePolicy: Fail
name: resource-objects.tenant.projectcapsule.dev
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- UPDATE
- DELETE
resources:
- '*'
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /services
failurePolicy: Fail
name: services.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- services
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /tenants
failurePolicy: Fail
name: tenants.projectcapsule.dev
rules:
- apiGroups:
- capsule.clastix.io
apiVersions:
- v1beta2
operations:
- CREATE
- UPDATE
- DELETE
resources:
- tenants
sideEffects: None

27
config/webhook/patch_mutating_ns_selector.yaml
View File

@@ -1,27 +0,0 @@
- op: add
path: /webhooks/0/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/1/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/2/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/0/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/1/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/2/rules/0/scope
value: Namespaced

75
config/webhook/patch_validating_ns_selector.yaml
View File

@@ -1,75 +0,0 @@
- op: add
path: /webhooks/0/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/1/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/3/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/4/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/5/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/6/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/7/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/8/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/8/objectSelector
value:
matchExpressions:
- key: capsule.clastix.io/resources
operator: Exists
- op: add
path: /webhooks/0/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/1/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/3/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/5/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/6/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/7/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/8/rules/0/scope
value: Namespaced

11
config/webhook/service.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: webhook-service
spec:
ports:
- port: 443
targetPort: 9443
selector:
control-plane: controller-manager

2
pkg/webhook/route/cordoning.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/cordoning,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=create;update;delete,versions="*",name=cordoning.tenant.projectcapsule.dev
type cordoning struct {
handlers []capsulewebhook.Handler
}

4
pkg/webhook/route/defaults.go
View File

@@ -7,10 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=pod.defaults.projectcapsule.dev
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=storage.defaults.projectcapsule.dev
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.defaults.projectcapsule.dev
type defaults struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/ingresses.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/ingresses,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io;extensions,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.projectcapsule.dev
type ingress struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/namespaces.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/namespaces,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update;delete,versions=v1,name=namespaces.projectcapsule.dev
type namespace struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/networkpolicies.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/networkpolicies,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="networking.k8s.io",resources=networkpolicies,verbs=update;delete,versions=v1,name=networkpolicies.projectcapsule.dev
type networkPolicy struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/node.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/nodes,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=nodes,verbs=update,versions=v1,name=nodes.projectcapsule.dev
type node struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/ownerreference.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/namespace-owner-reference,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update,versions=v1,name=owner.namespace.projectcapsule.dev
type webhook struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/pods.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/pods,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=pods.projectcapsule.dev
type pod struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/pvc.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/persistentvolumeclaims,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=pvc.projectcapsule.dev
type pvc struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/services.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/services,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1,name=services.projectcapsule.dev
type service struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/tenantresource_objs.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/tenantresource-objects,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=update;delete,versions="*",name=resource-objects.tenant.projectcapsule.dev
type tntResourceObjs struct {
handlers []capsulewebhook.Handler
}

2
pkg/webhook/route/tenants.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
)
// +kubebuilder:webhook:path=/tenants,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="capsule.clastix.io",resources=tenants,verbs=create;update;delete,versions=v1beta2,name=tenants.projectcapsule.dev
type tenant struct {
handlers []capsulewebhook.Handler
}

24
renovate.json
View File

@@ -21,5 +21,29 @@
"groupName": "all-ci-updates",
"updateTypes": ["major", "minor", "patch"]
}
],
"customManagers": [
{
"customType": "regex",
"fileMatch": ["^Makefile$"],
"matchStrings": [
"(?<depName>[A-Z0-9_]+)_VERSION\\s*[:=?]+\\s*\"?(?<currentValue>[^\"\\r\\n]+)\"?[\\s\\S]*?(?<depName2>[A-Z0-9_]+)_LOOKUP\\s*[:=?]+\\s*\"?(?<lookupValue>[^\"\\r\\n]+)\"?(?:[\\s\\S]*?(?<depName3>[A-Z0-9_]+)_SOURCE\\s*[:=?]+\\s*\"?(?<sourceValue>[^\"\\r\\n]+)\"?)?"
],
"depNameTemplate": "{{lookupValue}}",
"datasourceTemplate": "{{#sourceValue}}{{sourceValue}}{{/sourceValue}}{{^sourceValue}}github-tags{{/sourceValue}}",
"lookupNameTemplate": "{{lookupValue}}",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"fileMatch": [".*\\.pre-commit-config\\.ya?ml$"],
"matchStrings": [
"repo:\\s*https://github\\.com/(?<lookupValue>[^/]+/[^\\s]+)[\\s\\S]*?rev:\\s*(?<currentValue>v?\\d+\\.\\d+\\.\\d+)"
],
"depNameTemplate": "{{lookupValue}}",
"datasourceTemplate": "github-tags",
"lookupNameTemplate": "{{lookupValue}}",
"versioningTemplate": "semver"
}
]
}