github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-02-14 09:59:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: add remaining chart improvements (#1347)

Browse Source 
* chore(repo): rework makefile and add renovate mangers for pre-commit and makefile binaries

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
This commit is contained in:
Oliver Bähler
2025-02-06 17:31:31 +01:00
committed by GitHub
parent b7a2072b0f
commit e808118b43
96 changed files with 455 additions and 6658 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/configs/lintconf.yaml vendored
View File

@@ -1,6 +1,12 @@
--- ---
ignore:
- config/
- charts/*/templates/
- charts/**/templates/
rules: rules:
truthy:
level: warning
check-keys: false
braces: braces:
min-spaces-inside: 0 min-spaces-inside: 0
max-spaces-inside: 0 max-spaces-inside: 0
@@ -39,5 +45,3 @@ rules:
new-lines: new-lines:
type: unix type: unix
trailing-spaces: enable trailing-spaces: enable
truthy:
level: warning

3
.github/workflows/check-actions.yml vendored
View File

@@ -3,7 +3,8 @@ permissions: {}
on: on:
pull_request: pull_request:
branches: [ "main" ] branches:
- "*"
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}

9
.github/workflows/check-commit.yml vendored
View File

@@ -3,14 +3,15 @@ permissions: {}
on: on:
push: push:
branches: [ "*" ] branches:
- "*"
pull_request: pull_request:
branches: [ "*" ] branches:
- "*"
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
commit_lint: commit_lint:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
@@ -19,5 +20,3 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1 - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
with:
firstParent: true

38
.github/workflows/codecov.yml vendored
View File

@@ -1,38 +0,0 @@
name: Codecov
permissions: {}
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
codecov:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
with:
build-cache-key: codecov
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Generate Code Coverage Report
if: steps.checksecret.outputs.result == 'true'
run: make test
- name: Upload Report to Codecov
if: steps.checksecret.outputs.result == 'true'
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
with:
file: ./coverage.out
fail_ci_if_error: true
verbose: true

84
.github/workflows/coverage.yml vendored Normal file
View File

@@ -0,0 +1,84 @@
name: Coverage
on:
push:
branches:
- "main"
pull_request:
types: [opened, reopened, synchronize]
branches:
- "main"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
compliance:
name: "License Compliance"
runs-on: ubuntu-24.04
steps:
- name: "Checkout Code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Scan"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Test"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
run-tests: true
sast:
name: "SAST"
runs-on: ubuntu-24.04
env:
GO111MODULE: on
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout Source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Run Gosec Security Scanner
uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40
with:
sarif_file: gosec.sarif
unit_tests:
name: "Unit tests"
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Unit Test
run: make test
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Upload Report to Codecov
if: ${{ steps.checksecret.outputs.result == 'true' }}
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
with:
file: ./coverage.out
fail_ci_if_error: true
verbose: true

31
.github/workflows/diff.yml vendored
View File

@@ -1,31 +0,0 @@
name: Diff checks
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
diff:
name: diff
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- run: make manifests
- name: Checking if YAML installer file is not aligned
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
- name: Checking if YAML installer generated untracked files
run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
- name: Checking if source code is not formatted
run: test -z "$(git diff 2> /dev/null)"

45
.github/workflows/docker-build.yml vendored Normal file
View File

@@ -0,0 +1,45 @@
name: Build images
permissions: {}
on:
pull_request:
branches:
- "*"
paths:
- '.github/workflows/docker-*.yml'
- 'api/**'
- 'controllers/**'
- 'pkg/**'
- 'e2e/*'
- '.ko.yaml'
- 'go.*'
- 'main.go'
- 'Makefile'
jobs:
build-images:
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: ko build
run: VERSION=${{ github.sha }} make ko-build-all
- name: Trivy Scan Image
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
env:
# Trivy is returning TOOMANYREQUESTS
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40
with:
sarif_file: 'trivy-results.sarif'

6
.github/workflows/docs-lint.yml vendored
View File

@@ -3,12 +3,14 @@ permissions: {}
on: on:
push: push:
branches: [ "*" ] branches:
- "*"
paths: paths:
- '.github/workflows/docs-lint.yml' - '.github/workflows/docs-lint.yml'
- 'docs/content/**' - 'docs/content/**'
pull_request: pull_request:
branches: [ "*" ] branches:
- "*"
paths: paths:
- '.github/workflows/docs-lint.yml' - '.github/workflows/docs-lint.yml'
- 'docs/content/**' - 'docs/content/**'

13
.github/workflows/e2e.yml vendored
View File

@@ -3,7 +3,8 @@ permissions: {}
on: on:
pull_request: pull_request:
branches: [ "*" ] branches:
- "*"
paths: paths:
- '.github/workflows/e2e.yml' - '.github/workflows/e2e.yml'
- 'api/**' - 'api/**'
@@ -25,7 +26,15 @@ jobs:
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
k8s-version: [ 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0', 'v1.30.0', 'v1.31.0' ] k8s-version:
- "v1.24.7"
- "v1.25.3"
- "v1.26.3"
- "v1.27.2"
- "v1.28.0"
- "v1.29.0"
- "v1.30.0"
- "v1.31.0"
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

35
.github/workflows/fossa.yml vendored
View File

@@ -1,35 +0,0 @@
name: FOSSA
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
fossa-scan:
runs-on: ubuntu-24.04
steps:
- name: "Checkout Code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Scan"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Test"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
run-tests: true

37
.github/workflows/gosec.yml vendored
View File

@@ -1,37 +0,0 @@
name: CI gosec
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
tests:
runs-on: ubuntu-24.04
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Run Gosec Security Scanner
uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40
with:
sarif_file: gosec.sarif

1
.github/workflows/helm-publish.yml vendored
View File

@@ -1,5 +1,6 @@
name: Publish charts name: Publish charts
permissions: read-all permissions: read-all
on: on:
push: push:
tags: tags:

26
.github/workflows/helm-test.yml vendored
View File

@@ -3,13 +3,25 @@ permissions: {}
on: on:
pull_request: pull_request:
branches: [ "main" ] branches:
- "main"
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
linter-artifacthub:
runs-on: ubuntu-latest
container:
image: artifacthub/ah
options: --user root
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run ah lint
working-directory: ./charts/
run: ah lint
lint: lint:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
@@ -43,7 +55,17 @@ jobs:
else else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔' echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi fi
- name: Run schema-testing (helm-schema)
id: helm-schema
run: |
make helm-schema
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mSchema outdated! (Run make helm-schema locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mSchema up to date\033[0m ✔'
fi
- name: Run chart-testing (install) - name: Run chart-testing (install)
run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test
if: steps.list-changed.outputs.changed == 'true' if: steps.list-changed.outputs.changed == 'true'

38
.github/workflows/lint.yml vendored
View File

@@ -1,17 +1,45 @@
name: Linting name: Linting
permissions: {} permissions: {}
on: on:
push: push:
branches: [ "*" ] branches:
- "*"
pull_request: pull_request:
branches: [ "*" ] branches:
- "*"
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
manifests:
name: diff
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
- name: Generate manifests
run: |
make manifests
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mManifests outdated! (Run make manifests locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
yamllint:
name: yamllint
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install yamllint
run: pip install yamllint
- name: Lint YAML files
run: yamllint -c=.github/configs/lintconf.yaml .
golangci: golangci:
name: lint name: lint
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04

3
.github/workflows/releaser.yml vendored
View File

@@ -19,7 +19,8 @@ jobs:
# differently from the e2e workflow # differently from the e2e workflow
# we don't need all the versions of kubernetes # we don't need all the versions of kubernetes
# to generate the seccomp profile. # to generate the seccomp profile.
k8s-version: [ 'v1.30.0' ] k8s-version:
- "v1.30.0"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

13
.github/workflows/seccomp.yaml vendored
View File

@@ -3,14 +3,16 @@ permissions: {}
on: on:
pull_request: pull_request:
branches: [ "*" ] branches:
- "*"
paths: paths:
- '.github/workflows/e2e.yml' - '.github/workflows/e2e.yml'
- 'api/**' - 'api/**'
- 'controllers/**' - 'controllers/**'
- 'pkg/**' - 'pkg/**'
- 'e2e/*' - 'e2e/*'
- 'Dockerfile' - '.ko.yaml'
- 'Dockerfile.tracing'
- 'go.*' - 'go.*'
- 'main.go' - 'main.go'
- 'Makefile' - 'Makefile'
@@ -25,10 +27,8 @@ jobs:
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
# differently from the e2e workflow k8s-version:
# we don't need all the versions of kubernetes - "v1.30.0"
# to generate the seccomp profile.
k8s-version: [ 'v1.30.0' ]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -51,4 +51,3 @@ jobs:
with: with:
name: capsule-seccomp name: capsule-seccomp
path: capsule-seccomp.json path: capsule-seccomp.json

8
.golangci.yml
View File

@@ -1,4 +1,3 @@
linters-settings: linters-settings:
govet: govet:
check-shadowing: true check-shadowing: true
@@ -58,13 +57,10 @@ linters:
- deadcode - deadcode
- ifshort - ifshort
- nonamedreturns - nonamedreturns
service:
golangci-lint-version: 1.56.x
run: run:
timeout: 3m timeout: 3m
go: '1.21' allow-parallel-runners: true
tests: false
skip-files: skip-files:
- "zz_.*\\.go$" - "zz_.*\\.go$"
- ".+\\.generated.go" - ".+\\.generated.go"

46
.pre-commit-config.yaml
View File

@@ -13,6 +13,11 @@ repos:
- id: double-quote-string-fixer - id: double-quote-string-fixer
- id: end-of-file-fixer - id: end-of-file-fixer
- id: trailing-whitespace - id: trailing-whitespace
- repo: https://github.com/adrienverge/yamllint
rev: v1.29.0
hooks:
- id: yamllint
args: [-c=.github/configs/lintconf.yaml]
- repo: local - repo: local
hooks: hooks:
- id: run-helm-docs - id: run-helm-docs
@@ -30,23 +35,24 @@ repos:
entry: make helm-lint entry: make helm-lint
language: system language: system
files: ^charts/ files: ^charts/
- id: golangci-lint # Currently too slow smw
name: Execute golangci-lint # - id: golangci-lint
entry: make golint # name: Execute golangci-lint
language: system # entry: make golint
files: \.go$ # language: system
- repo: https://github.com/tekwizely/pre-commit-golang # files: \.go$
rev: v1.0.0-rc.1 # - repo: https://github.com/tekwizely/pre-commit-golang
hooks: # rev: v1.0.0-rc.1
- id: go-vet # hooks:
- id: go-vet-mod # - id: go-vet
- id: go-vet-pkg # - id: go-vet-mod
- id: go-vet-repo-mod # - id: go-vet-pkg
- id: go-vet-repo-pkg # - id: go-vet-repo-mod
- id: go-revive # - id: go-vet-repo-pkg
- id: go-revive-mod # - id: go-revive
- id: go-revive-repo-mod # - id: go-revive-mod
- id: go-sec-mod # - id: go-revive-repo-mod
- id: go-sec-pkg # - id: go-sec-mod
- id: go-sec-repo-mod # - id: go-sec-pkg
- id: go-sec-repo-pkg # - id: go-sec-repo-mod
# - id: go-sec-repo-pkg

207
Makefile
View File

@@ -58,8 +58,8 @@ run: generate manifests
go run . go run .
# Generate manifests e.g. CRD, RBAC etc. # Generate manifests e.g. CRD, RBAC etc.
manifests: controller-gen manifests: generate
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule/crds $(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=charts/capsule/crds
# Generate code # Generate code
generate: controller-gen generate: controller-gen
@@ -68,15 +68,14 @@ generate: controller-gen
# Helm # Helm
SRC_ROOT = $(shell git rev-parse --show-toplevel) SRC_ROOT = $(shell git rev-parse --show-toplevel)
helm-docs: HELMDOCS_VERSION := v1.11.0 helm-docs: helm-doc
helm-docs: docker $(HELM_DOCS) --chart-search-root ./charts
@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
helm-lint: docker helm-lint: ct
@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug" @$(CT) lint --config .github/configs/ct.yaml --validate-yaml=false --all --debug
helm-schema: helm-plugin-schema helm-schema: helm-plugin-schema
cd charts/capsule && $(HELM) schema cd charts/capsule && $(HELM) schema -output values.schema.json
helm-test: HELM_KIND_CONFIG ?= "" helm-test: HELM_KIND_CONFIG ?= ""
helm-test: kind ct ko-build-all helm-test: kind ct ko-build-all
@@ -89,9 +88,9 @@ helm-test-exec: kind
$(MAKE) docker-build-capsule-trace $(MAKE) docker-build-capsule-trace
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=latest $(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=latest
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing $(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
@kubectl create ns capsule-system || true @$(KUBECTL) create ns capsule-system || true
@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml @$(KUBECTL) apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml @$(KUBECTL) apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug @$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
docker: docker:
@@ -123,7 +122,6 @@ IP.1 = $(LAPTOP_HOST_IP)
endef endef
export TLS_CNF export TLS_CNF
dev-setup: dev-setup:
kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
mkdir -p /tmp/k8s-webhook-server/serving-certs mkdir -p /tmp/k8s-webhook-server/serving-certs
echo "$${TLS_CNF}" > _tls.cnf echo "$${TLS_CNF}" > _tls.cnf
openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \ openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -132,13 +130,13 @@ dev-setup:
-config _tls.cnf \ -config _tls.cnf \
-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \ -keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
-out /tmp/k8s-webhook-server/serving-certs/tls.crt -out /tmp/k8s-webhook-server/serving-certs/tls.crt
kubectl create secret tls capsule-tls -n capsule-system \ $(KUBECTL) create secret tls capsule-tls -n capsule-system \
--cert=/tmp/k8s-webhook-server/serving-certs/tls.crt\ --cert=/tmp/k8s-webhook-server/serving-certs/tls.crt\
--key=/tmp/k8s-webhook-server/serving-certs/tls.key || true --key=/tmp/k8s-webhook-server/serving-certs/tls.key || true
rm -f _tls.cnf rm -f _tls.cnf
export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \ export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \ export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
helm upgrade \ $(HELM) upgrade \
--dependency-update \ --dependency-update \
--debug \ --debug \
--install \ --install \
@@ -151,6 +149,7 @@ dev-setup:
--set "webhooks.service.caBundle=$${CA_BUNDLE}" \ --set "webhooks.service.caBundle=$${CA_BUNDLE}" \
capsule \ capsule \
./charts/capsule ./charts/capsule
$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
#################### ####################
# -- Docker # -- Docker
@@ -209,95 +208,15 @@ ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
.PHONY: ko-publish-all .PHONY: ko-publish-all
ko-publish-all: ko-publish-capsule ko-publish-all: ko-publish-capsule
####################
# -- Helm Plugins
####################
HELM_SCHEMA_VERSION := ""
helm-plugin-schema:
$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
####################
# -- Binaries
####################
CONTROLLER_GEN := $(shell pwd)/bin/controller-gen
CONTROLLER_GEN_VERSION := v0.16.1
controller-gen: ## Download controller-gen locally if necessary.
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
GINKGO := $(shell pwd)/bin/ginkgo
ginkgo: ## Download ginkgo locally if necessary.
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
CT := $(shell pwd)/bin/ct
CT_VERSION := v3.10.1
ct: ## Download ct locally if necessary.
$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
KIND := $(shell pwd)/bin/kind
KIND_VERSION := v0.17.0
kind: ## Download kind locally if necessary.
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KUSTOMIZE := $(shell pwd)/bin/kustomize
KUSTOMIZE_VERSION := 3.8.7
kustomize: ## Download kustomize locally if necessary.
$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
KO = $(shell pwd)/bin/ko
KO_VERSION = v0.14.1
ko:
$(call go-install-tool,$(KO),github.com/google/ko@$(KO_VERSION))
HARPOON := $(shell pwd)/bin/harpoon
HARPOON_VERSION := v0.9.4
harpoon: ## Download harpoon locally if necessary.
@mkdir $(shell pwd)/bin
@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
sudo bash -s -- --install-version $(HARPOON_VERSION) --install-dir $(shell pwd)/bin
####################
# -- Helpers
####################
pull-upstream:
git remote add upstream https://github.com/capsuleproject/capsule.git
git fetch --all && git pull upstream
define install-kustomize
@[ -f $(1) ] || { \
set -e ;\
echo "Installing v$(2)" ;\
cd bin ;\
wget "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" ;\
bash ./install_kustomize.sh $(2) ;\
}
endef
# go-install-tool will 'go install' any package $2 and install it to $1.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
@[ -f $(1) ] || { \
set -e ;\
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
}
endef
# Sorting imports # Sorting imports
.PHONY: goimports .PHONY: goimports
goimports: goimports:
goimports -w -l -local "github.com/projectcapsule/capsule" . goimports -w -l -local "github.com/projectcapsule/capsule" .
GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
GOLANGCI_LINT_VERSION = v1.56.2
golangci-lint: ## Download golangci-lint locally if necessary.
$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
# Linting code as PR is expecting # Linting code as PR is expecting
.PHONY: golint .PHONY: golint
golint: golangci-lint golint: golangci-lint
$(GOLANGCI_LINT) run -c .golangci.yml $(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
# Running e2e tests in a KinD instance # Running e2e tests in a KinD instance
.PHONY: e2e .PHONY: e2e
@@ -306,12 +225,12 @@ e2e: ginkgo
e2e-build: kind e2e-build: kind
$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0} $(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
$(MAKE) e2e-install $(MAKE) e2e-install
.PHONY: e2e-install .PHONY: e2e-install
e2e-install: e2e-install:
helm upgrade \ $(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
$(HELM) upgrade \
--dependency-update \ --dependency-update \
--debug \ --debug \
--install \ --install \
@@ -359,7 +278,6 @@ seccomp:
$(HARPOON) build --add-syscall-sets=dynamic,docker -D /tmp/results --name capsule-seccomp.json --save $(HARPOON) build --add-syscall-sets=dynamic,docker -D /tmp/results --name capsule-seccomp.json --save
.PHONY: e2e-load-image .PHONY: e2e-load-image
e2e-load-image: LOAD_IMAGE ?= $(IMAGE):$(VERSION)
e2e-load-image: kind ko-build-all e2e-load-image: kind ko-build-all
$(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME) $(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME)
@@ -374,3 +292,96 @@ e2e-destroy: kind
SPELL_CHECKER = npx spellchecker-cli SPELL_CHECKER = npx spellchecker-cli
docs-lint: docs-lint:
cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt
####################
# -- Helpers
####################
pull-upstream:
git remote add upstream https://github.com/capsuleproject/capsule.git
git fetch --all && git pull upstream
## Location to install dependencies to
LOCALBIN ?= $(shell pwd)/bin
$(LOCALBIN):
mkdir -p $(LOCALBIN)
####################
# -- Helm Plugins
####################
HELM_SCHEMA_VERSION := ""
helm-plugin-schema:
@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
HELM_DOCS := $(LOCALBIN)/helm-docs
HELM_DOCS_VERSION := v1.14.1
HELM_DOCS_LOOKUP := norwoodj/helm-docs
helm-doc:
@test -s $(HELM_DOCS) || \
$(call go-install-tool,$(HELM_DOCS),github.com/$(HELM_DOCS_LOOKUP)/cmd/helm-docs@$(HELM_DOCS_VERSION))
####################
# -- Tools
####################
CONTROLLER_GEN := $(LOCALBIN)/controller-gen
CONTROLLER_GEN_VERSION ?= v0.16.3
CONTROLLER_GEN_LOOKUP := kubernetes-sigs/controller-tools
controller-gen:
@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
GINKGO := $(LOCALBIN)/ginkgo
ginkgo:
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
CT := $(LOCALBIN)/ct
CT_VERSION := v3.11.0
CT_LOOKUP := helm/chart-testing
ct:
@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
KIND := $(LOCALBIN)/kind
KIND_VERSION := v0.17.0
KIND_LOOKUP := kubernetes-sigs/kind
kind:
@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KO := $(LOCALBIN)/ko
KO_VERSION := v0.14.1
KO_LOOKUP := google/ko
ko:
@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
GOLANGCI_LINT := $(LOCALBIN)/golangci-lint
GOLANGCI_LINT_VERSION := v1.63.4
GOLANGCI_LINT_LOOKUP := golangci/golangci-lint
golangci-lint: ## Download golangci-lint locally if necessary.
@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
APIDOCS_GEN := $(LOCALBIN)/crdoc
APIDOCS_GEN_VERSION := v0.6.2
APIDOCS_GEN_LOOKUP := fybrik/crdoc
apidocs-gen: ## Download crdoc locally if necessary.
@test -s $(APIDOCS_GEN) && $(APIDOCS_GEN) --version | grep -q $(APIDOCS_GEN_VERSION) || \
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
HARPOON := $(LOCALBIN)/harpoon
HARPOON_VERSION := v0.9.4
HARPOON_LOOKUP := alegrey91/harpoon
harpoon:
@mkdir $(LOCALBIN)
@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
sudo bash -s -- --install-version $(HARPOON_VERSION) --install-dir $(LOCALBIN)
# go-install-tool will 'go install' any package $2 and install it to $1.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
[ -f $(1) ] || { \
set -e ;\
GOBIN=$(LOCALBIN) go install $(2) ;\
}
endef

24
README.md
View File

@@ -82,24 +82,6 @@ Please, check the project [documentation](https://projectcapsule.dev) for the co
Capsule is Open Source with Apache 2 license and any contribution is welcome. Capsule is Open Source with Apache 2 license and any contribution is welcome.
## Chart Development
### Chart Linting
The chart is linted with [ct](https://github.com/helm/chart-testing). You can run the linter locally with this command:
```
make helm-lint
```
### Chart Documentation
The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation. Run this anytime you make changes to a `values.yaml` file:
```
make helm-docs
```
## Community meeting ## Community meeting
Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community). Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
@@ -118,6 +100,12 @@ You can find how the Capsule project is governed [here](https://projectcapsule.d
Please, refer to the maintainers file available [here](.github/maintainers.yaml). Please, refer to the maintainers file available [here](.github/maintainers.yaml).
## CLOMonitor
CLOMonitor is a tool that periodically checks open source projects repositories to verify they meet certain project health best practices.
[![CloMonitor report summary](https://clomonitor.io/api/projects/cncf/capsule/report-summary?theme=light)](https://clomonitor.io/projects/cncf/capsule)
### Changelog ### Changelog
Read how we log changes [here](CHANGELOG.md) Read how we log changes [here](CHANGELOG.md)

1
SECURITY-INSIGHTS.yml
View File

@@ -57,4 +57,3 @@ security-contacts:
- type: email - type: email
value: cncf-capsule-maintainers@lists.cncf.io value: cncf-capsule-maintainers@lists.cncf.io
primary: true primary: true

1
charts/capsule/.helmignore
View File

@@ -22,3 +22,4 @@
*.tmproj *.tmproj
.vscode/ .vscode/
README.md.gotmpl README.md.gotmpl
artifacthub-repo.yml

6
charts/capsule/Chart.yaml
View File

@@ -40,7 +40,5 @@ annotations:
- name: Documentation - name: Documentation
url: https://projectcapsule.dev/ url: https://projectcapsule.dev/
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: fixed - kind: added
description: added scope for mutating webhook configurations description: oci chart reference
- kind: changed
description: moved job configuration from jobs to global.jobs.kubectl

2
charts/capsule/README.md
View File

@@ -35,6 +35,8 @@ The following Values have changed key or Value:
## Installation ## Installation
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release. The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster. The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.

2
charts/capsule/README.md.gotmpl
View File

@@ -36,6 +36,8 @@ The following Values have changed key or Value:
## Installation ## Installation
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release. The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster. The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.

4
charts/capsule/artifacthub-repo.yml Normal file
View File

@@ -0,0 +1,4 @@
repositoryID: 783775bb-96c2-4915-8c7d-ba4a1118323c
owners:
- name: capsule-maintainers
email: cncf-capsule-maintainers@lists.cncf.io

2
charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.16.1 controller-gen.kubebuilder.io/version: v0.16.3
name: capsuleconfigurations.capsule.clastix.io name: capsuleconfigurations.capsule.clastix.io
spec: spec:
group: capsule.clastix.io group: capsule.clastix.io

2
charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.16.1 controller-gen.kubebuilder.io/version: v0.16.3
name: globaltenantresources.capsule.clastix.io name: globaltenantresources.capsule.clastix.io
spec: spec:
group: capsule.clastix.io group: capsule.clastix.io

2
charts/capsule/crds/capsule.clastix.io_tenantresources.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.16.1 controller-gen.kubebuilder.io/version: v0.16.3
name: tenantresources.capsule.clastix.io name: tenantresources.capsule.clastix.io
spec: spec:
group: capsule.clastix.io group: capsule.clastix.io

2
charts/capsule/crds/capsule.clastix.io_tenants.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.16.1 controller-gen.kubebuilder.io/version: v0.16.3
name: tenants.capsule.clastix.io name: tenants.capsule.clastix.io
spec: spec:
group: capsule.clastix.io group: capsule.clastix.io

16
charts/capsule/values.schema.json
View File

@@ -171,6 +171,9 @@
"hostNetwork": { "hostNetwork": {
"type": "boolean" "type": "boolean"
}, },
"hostPID": {
"type": "boolean"
},
"image": { "image": {
"properties": { "properties": {
"pullPolicy": { "pullPolicy": {
@@ -312,6 +315,16 @@
}, },
"type": "object" "type": "object"
}, },
"securityContext": {
"properties": {},
"type": "object"
},
"volumeMounts": {
"type": "array"
},
"volumes": {
"type": "array"
},
"webhookPort": { "webhookPort": {
"type": "integer" "type": "integer"
} }
@@ -348,6 +361,9 @@
}, },
"type": "object" "type": "object"
}, },
"ports": {
"type": "array"
},
"priorityClassName": { "priorityClassName": {
"type": "string" "type": "string"
}, },

132
config/crd/bases/capsule.clastix.io_capsuleconfigurations.yaml
View File

@@ -1,132 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: capsuleconfigurations.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: CapsuleConfiguration
listKind: CapsuleConfigurationList
plural: capsuleconfigurations
singular: capsuleconfiguration
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: CapsuleConfiguration is the Schema for the Capsule configuration
API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: CapsuleConfigurationSpec defines the Capsule configuration.
properties:
enableTLSReconciler:
default: true
description: |-
Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
type: boolean
forceTenantPrefix:
default: false
description: |-
Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
type: boolean
nodeMetadata:
description: |-
Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
properties:
forbiddenAnnotations:
description: Define the annotations that a Tenant Owner cannot
set for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
forbiddenLabels:
description: Define the labels that a Tenant Owner cannot set
for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
required:
- forbiddenAnnotations
- forbiddenLabels
type: object
overrides:
default:
TLSSecretName: capsule-tls
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
description: |-
Allows to set different name rather than the canonical one for the Capsule configuration objects,
such as webhook secret or configurations.
properties:
TLSSecretName:
default: capsule-tls
description: |-
Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is deployed.
type: string
mutatingWebhookConfigurationName:
default: capsule-mutating-webhook-configuration
description: Name of the MutatingWebhookConfiguration which contains
the dynamic admission controller paths and resources.
type: string
validatingWebhookConfigurationName:
default: capsule-validating-webhook-configuration
description: Name of the ValidatingWebhookConfiguration which
contains the dynamic admission controller paths and resources.
type: string
required:
- TLSSecretName
- mutatingWebhookConfigurationName
- validatingWebhookConfigurationName
type: object
protectedNamespaceRegex:
description: Disallow creation of namespaces, whose name matches this
regexp
type: string
userGroups:
default:
- capsule.clastix.io
description: Names of the groups for Capsule users.
items:
type: string
type: array
required:
- enableTLSReconciler
type: object
type: object
served: true
storage: true

298
config/crd/bases/capsule.clastix.io_globaltenantresources.yaml
View File

@@ -1,298 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: GlobalTenantResource
listKind: GlobalTenantResourceList
plural: globaltenantresources
singular: globaltenantresource
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: GlobalTenantResource allows to propagate resource replications
to a specific subset of Tenant resources.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
properties:
pruningOnDelete:
default: true
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other
Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
tenantSelector:
description: Defines the Tenant selector used target the tenants on
which resources must be propagated.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- resources
- resyncPeriod
type: object
status:
description: GlobalTenantResourceStatus defines the observed state of
GlobalTenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind
- name
- namespace
type: object
type: array
selectedTenants:
description: List of Tenants addressed by the GlobalTenantResource.
items:
type: string
type: array
required:
- processedItems
- selectedTenants
type: object
type: object
served: true
storage: true
subresources:
status: {}

246
config/crd/bases/capsule.clastix.io_tenantresources.yaml
View File

@@ -1,246 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: TenantResource
listKind: TenantResourceList
plural: tenantresources
singular: tenantresource
scope: Namespaced
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: |-
TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace.
The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
For such cases, the GlobalTenantResource must be used.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TenantResourceSpec defines the desired state of TenantResource.
properties:
pruningOnDelete:
default: true
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other
Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
required:
- resources
- resyncPeriod
type: object
status:
description: TenantResourceStatus defines the observed state of TenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind
- name
- namespace
type: object
type: array
required:
- processedItems
type: object
type: object
served: true
storage: true
subresources:
status: {}

2345
config/crd/bases/capsule.clastix.io_tenants.yaml
View File

File diff suppressed because it is too large Load Diff

17
config/crd/kustomization.yaml
View File

@@ -1,17 +0,0 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/capsule.clastix.io_tenants.yaml
- bases/capsule.clastix.io_capsuleconfigurations.yaml
- bases/capsule.clastix.io_tenantresources.yaml
- bases/capsule.clastix.io_globaltenantresources.yaml
# +kubebuilder:scaffold:crdkustomizeresource
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
patchesStrategicMerge:
- patches/webhook_in_tenants.yaml
- patches/webhook_in_capsuleconfiguration.yaml

19
config/crd/kustomizeconfig.yaml
View File

@@ -1,19 +0,0 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/name
namespace:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations

7
config/crd/patches/cainjection_in_globaltenantresources.yaml
View File

@@ -1,7 +0,0 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: globaltenantresources.capsule.clastix.io

7
config/crd/patches/cainjection_in_tenantresources.yaml
View File

@@ -1,7 +0,0 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: tenantresources.capsule.clastix.io

17
config/crd/patches/webhook_in_capsuleconfiguration.yaml
View File

@@ -1,17 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: capsuleconfigurations.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1beta1
- v1beta2

16
config/crd/patches/webhook_in_globaltenantresources.yaml
View File

@@ -1,16 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: globaltenantresources.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1

16
config/crd/patches/webhook_in_tenantresources.yaml
View File

@@ -1,16 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tenantresources.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1

17
config/crd/patches/webhook_in_tenants.yaml
View File

@@ -1,17 +0,0 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tenants.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1beta1
- v1beta2

25
config/default/kustomization.yaml
View File

@@ -1,25 +0,0 @@
# Adds namespace to all resources.
namespace: capsule-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: capsule-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
- ../secret
- ../webhook
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
- manager_webhook_patch.yaml

26
config/default/manager_webhook_patch.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 8080
name: metrics
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: capsule-tls

2138
config/grafana/dashboard.json
View File

File diff suppressed because it is too large Load Diff

7
config/grafana/dashboard.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
# label selector used by Grafana to load the dashboards from Config Maps
grafana_dashboard: "1"
name: capsule-grafana-dashboard

8
config/grafana/kustomization.yaml
View File

@@ -1,8 +0,0 @@
configMapGenerator:
- name: capsule-grafana-dashboard
files:
- dashboard.json
generatorOptions:
disableNameSuffixHash: true
patchesStrategicMerge:
- dashboard.yaml

9
config/manager/configuration.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
name: default
spec:
userGroups: ["capsule.clastix.io"]
forceTenantPrefix: false
protectedNamespaceRegex: ""
enableTLSReconciler: true

9
config/manager/kustomization.yaml
View File

@@ -1,9 +0,0 @@
resources:
- configuration.yaml
- manager.yaml
- metrics_service.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: ghcr.io/projectcapsule/capsule

46
config/manager/manager.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- args:
- --enable-leader-election
- --zap-encoder=console
- --zap-log-level=debug
- --configuration-name=capsule-default
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: controller
imagePullPolicy: IfNotPresent
name: manager
resources:
limits:
cpu: 200m
memory: 128Mi
requests:
cpu: 200m
memory: 128Mi
terminationGracePeriodSeconds: 10

14
config/manager/metrics_service.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: metrics
port: 8080
targetPort: metrics
selector:
control-plane: controller-manager

2
config/prometheus/kustomization.yaml
View File

@@ -1,2 +0,0 @@
resources:
- monitor.yaml

18
config/prometheus/monitor.yaml
View File

@@ -1,18 +0,0 @@
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
control-plane: controller-manager
name: capsule-monitor
namespace: system
spec:
endpoints:
- interval: 15s
path: /metrics
port: metrics
jobLabel: controller-manager
namespaceSelector:
selector:
matchLabels:
control-plane: controller-manager

24
config/rbac/globaltenantresource_editor_role.yaml
View File

@@ -1,24 +0,0 @@
# permissions for end users to edit globaltenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: globaltenantresource-editor-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources/status
verbs:
- get

20
config/rbac/globaltenantresource_viewer_role.yaml
View File

@@ -1,20 +0,0 @@
# permissions for end users to view globaltenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: globaltenantresource-viewer-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources
verbs:
- get
- list
- watch
- apiGroups:
- capsule.clastix.io
resources:
- globaltenantresources/status
verbs:
- get

8
config/rbac/kustomization.yaml
View File

@@ -1,8 +0,0 @@
resources:
- role_binding.yaml
# Uncomment the following 3 lines if you are running Capsule
# in a cluster where [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
# are enabled.
# - psp_policy.yaml
# - psp_role.yaml
# - psp_role_binding.yaml

18
config/rbac/psp_policy.yaml
View File

@@ -1,18 +0,0 @@
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: capsule
spec:
fsGroup:
rule: RunAsAny
hostPorts:
- max: 0
min: 0
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret

9
config/rbac/psp_role.yaml
View File

@@ -1,9 +0,0 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: capsule-psp
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
resourceNames: ['capsule-psp']
verbs: ['use']

12
config/rbac/psp_role_binding.yaml
View File

@@ -1,12 +0,0 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: capsule-use-psp
namespace: system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: capsule-psp
subjects:
- kind: ServiceAccount
name: default

12
config/rbac/role_binding.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: default
namespace: system

24
config/rbac/tenantresource_editor_role.yaml
View File

@@ -1,24 +0,0 @@
# permissions for end users to edit tenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tenantresource-editor-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources/status
verbs:
- get

20
config/rbac/tenantresource_viewer_role.yaml
View File

@@ -1,20 +0,0 @@
# permissions for end users to view tenantresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tenantresource-viewer-role
rules:
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources
verbs:
- get
- list
- watch
- apiGroups:
- capsule.clastix.io
resources:
- tenantresources/status
verbs:
- get

139
config/samples/capsule_v1beta1_tenant.yaml
View File

@@ -1,139 +0,0 @@
---
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: gas
spec:
additionalRoleBindings:
-
clusterRoleName: tenant-sample-viewer
subjects:
-
kind: User
name: bob
containerRegistries:
allowed:
- docker.io
- quay.io
allowedRegex: ^\w+.gcr.io$
serviceOptions:
additionalMetadata:
annotations:
capsule.clastix.io/bgp: "true"
labels:
capsule.clastix.io/pool: gas
allowedServices:
nodePort: false
externalName: false
externalIPs:
allowed:
- 10.20.0.0/16
- "10.96.42.42"
imagePullPolicies:
- Always
ingressOptions:
hostnameCollisionScope: Cluster
allowedClasses:
allowed:
- default
allowedRegex: ^\w+-lb$
allowedHostnames:
allowed:
- gas.acmecorp.com
allowedRegex: ^.*acmecorp.com$
limitRanges:
items:
-
limits:
-
max:
cpu: "1"
memory: 1Gi
min:
cpu: 50m
memory: 5Mi
type: Pod
-
default:
cpu: 200m
memory: 100Mi
defaultRequest:
cpu: 100m
memory: 10Mi
max:
cpu: "1"
memory: 1Gi
min:
cpu: 50m
memory: 5Mi
type: Container
-
max:
storage: 10Gi
min:
storage: 1Gi
type: PersistentVolumeClaim
namespaceOptions:
quota: 3
additionalMetadata:
annotations:
capsule.clastix.io/backup: "false"
labels:
capsule.clastix.io/tenant: gas
networkPolicies:
items:
-
egress:
-
to:
-
ipBlock:
cidr: 0.0.0.0/0
except:
- 192.168.0.0/12
ingress:
-
from:
-
namespaceSelector:
matchLabels:
capsule.clastix.io/tenant: gas
-
podSelector: {}
-
ipBlock:
cidr: 192.168.0.0/12
podSelector: {}
policyTypes:
- Ingress
- Egress
nodeSelector:
kubernetes.io/os: linux
owners:
-
kind: User
name: bob
priorityClasses:
allowed:
- shared-nodes
allowedRegex: ^\w-gas$
resourceQuotas:
items:
-
hard:
limits.cpu: "8"
limits.memory: 16Gi
requests.cpu: "8"
requests.memory: 16Gi
scopes:
- NotTerminating
-
hard:
pods: "10"
-
hard:
requests.storage: 100Gi
storageClasses:
allowed:
- default
allowedRegex: ^\w+fs$

11
config/samples/capsule_v1beta2_capsuleconfiguration.yaml
View File

@@ -1,11 +0,0 @@
---
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
name: default
spec:
userGroups: ["capsule.clastix.io"]
forceTenantPrefix: false
protectedNamespaceRegex: ""
enableTLSReconciler: true

39
config/samples/capsule_v1beta2_globaltenantresource.yaml
View File

@@ -1,39 +0,0 @@
apiVersion: capsule.clastix.io/v1beta2
kind: GlobalTenantResource
metadata:
name: green-production
spec:
tenantSelector:
matchLabels:
energy: green
resyncPeriod: 60s
pruningOnDelete: true
resources:
- namespaceSelector:
matchLabels:
environment: production
additionalMetadata:
labels:
labels.energy.io: green
annotations:
annotations.energy.io: green
namespacedItems:
- apiVersion: v1
kind: Secret
namespace: default
selector:
matchLabels:
replicate: green
rawItems:
- apiVersion: v1
kind: Secret
metadata:
name: raw-secret-1
- apiVersion: v1
kind: Secret
metadata:
name: raw-secret-2
- apiVersion: v1
kind: Secret
metadata:
name: raw-secret-3

36
config/samples/capsule_v1beta2_tenantresource.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: capsule.clastix.io/v1beta2
kind: TenantResource
metadata:
name: wind-objects
spec:
resyncPeriod: 60s
pruningOnDelete: true
resources:
- namespaceSelector:
matchLabels:
environment: production
additionalMetadata:
labels:
labels.energy.io: wind
annotations:
annotations.energy.io: wind
namespacedItems:
- apiVersion: v1
kind: Secret
namespace: wind-production
selector:
matchLabels:
replicate: solar
rawItems:
- apiVersion: v1
kind: Secret
metadata:
name: wind-secret-1
- apiVersion: v1
kind: Secret
metadata:
name: wind-secret-2
- apiVersion: v1
kind: Secret
metadata:
name: wind-secret-3

3
config/samples/kustomization.yaml
View File

@@ -1,3 +0,0 @@
## This file is auto-generated, do not modify ##
resources:
- capsule_v1beta1_tenant.yaml

3
config/secret/kustomization.yaml
View File

@@ -1,3 +0,0 @@
resources:
- secret-ca.yaml
- secret-tls.yaml

4
config/secret/secret-ca.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: ca

4
config/secret/secret-tls.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: tls

21
config/webhook/kustomization.yaml
View File

@@ -1,21 +0,0 @@
resources:
- manifests.yaml
- service.yaml
patchesJson6902:
- target:
group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
name: validating-webhook-configuration
version: v1
path: patch_validating_ns_selector.yaml
- target:
group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
name: mutating-webhook-configuration
version: v1
path: patch_mutating_ns_selector.yaml
configurations:
- kustomizeconfig.yaml

25
config/webhook/kustomizeconfig.yaml
View File

@@ -1,25 +0,0 @@
# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
namespace:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
varReference:
- path: metadata/annotations

294
config/webhook/manifests.yaml
View File

@@ -1,294 +0,0 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /defaults
failurePolicy: Fail
name: ingress.defaults.projectcapsule.dev
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /namespace-owner-reference
failurePolicy: Fail
name: owner.namespace.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- namespaces
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /defaults
failurePolicy: Fail
name: pod.defaults.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /defaults
failurePolicy: Fail
name: storage.defaults.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- persistentvolumeclaims
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /cordoning
failurePolicy: Fail
name: cordoning.tenant.projectcapsule.dev
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
- DELETE
resources:
- '*'
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /ingresses
failurePolicy: Fail
name: ingress.projectcapsule.dev
rules:
- apiGroups:
- networking.k8s.io
- extensions
apiVersions:
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /namespaces
failurePolicy: Fail
name: namespaces.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- namespaces
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /networkpolicies
failurePolicy: Fail
name: networkpolicies.projectcapsule.dev
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- UPDATE
- DELETE
resources:
- networkpolicies
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /nodes
failurePolicy: Fail
name: nodes.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- UPDATE
resources:
- nodes
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /pods
failurePolicy: Fail
name: pods.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /persistentvolumeclaims
failurePolicy: Fail
name: pvc.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- persistentvolumeclaims
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /tenantresource-objects
failurePolicy: Fail
name: resource-objects.tenant.projectcapsule.dev
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- UPDATE
- DELETE
resources:
- '*'
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /services
failurePolicy: Fail
name: services.projectcapsule.dev
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- services
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /tenants
failurePolicy: Fail
name: tenants.projectcapsule.dev
rules:
- apiGroups:
- capsule.clastix.io
apiVersions:
- v1beta2
operations:
- CREATE
- UPDATE
- DELETE
resources:
- tenants
sideEffects: None

27
config/webhook/patch_mutating_ns_selector.yaml
View File

@@ -1,27 +0,0 @@
- op: add
path: /webhooks/0/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/1/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/2/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/0/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/1/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/2/rules/0/scope
value: Namespaced

75
config/webhook/patch_validating_ns_selector.yaml
View File

@@ -1,75 +0,0 @@
- op: add
path: /webhooks/0/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/1/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/3/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/4/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/5/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/6/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/7/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/8/namespaceSelector
value:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- op: add
path: /webhooks/8/objectSelector
value:
matchExpressions:
- key: capsule.clastix.io/resources
operator: Exists
- op: add
path: /webhooks/0/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/1/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/3/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/5/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/6/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/7/rules/0/scope
value: Namespaced
- op: add
path: /webhooks/8/rules/0/scope
value: Namespaced

11
config/webhook/service.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: webhook-service
spec:
ports:
- port: 443
targetPort: 9443
selector:
control-plane: controller-manager

2
pkg/webhook/route/cordoning.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/cordoning,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=create;update;delete,versions="*",name=cordoning.tenant.projectcapsule.dev
type cordoning struct { type cordoning struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

4
pkg/webhook/route/defaults.go
View File

@@ -7,10 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=pod.defaults.projectcapsule.dev
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=storage.defaults.projectcapsule.dev
// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.defaults.projectcapsule.dev
type defaults struct { type defaults struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/ingresses.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/ingresses,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io;extensions,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.projectcapsule.dev
type ingress struct { type ingress struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/namespaces.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/namespaces,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update;delete,versions=v1,name=namespaces.projectcapsule.dev
type namespace struct { type namespace struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/networkpolicies.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/networkpolicies,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="networking.k8s.io",resources=networkpolicies,verbs=update;delete,versions=v1,name=networkpolicies.projectcapsule.dev
type networkPolicy struct { type networkPolicy struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/node.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/nodes,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=nodes,verbs=update,versions=v1,name=nodes.projectcapsule.dev
type node struct { type node struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/ownerreference.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/namespace-owner-reference,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update,versions=v1,name=owner.namespace.projectcapsule.dev
type webhook struct { type webhook struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/pods.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/pods,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=pods.projectcapsule.dev
type pod struct { type pod struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/pvc.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/persistentvolumeclaims,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=pvc.projectcapsule.dev
type pvc struct { type pvc struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/services.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/services,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1,name=services.projectcapsule.dev
type service struct { type service struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/tenantresource_objs.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/tenantresource-objects,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=update;delete,versions="*",name=resource-objects.tenant.projectcapsule.dev
type tntResourceObjs struct { type tntResourceObjs struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

2
pkg/webhook/route/tenants.go
View File

@@ -7,8 +7,6 @@ import (
capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
) )
// +kubebuilder:webhook:path=/tenants,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="capsule.clastix.io",resources=tenants,verbs=create;update;delete,versions=v1beta2,name=tenants.projectcapsule.dev
type tenant struct { type tenant struct {
handlers []capsulewebhook.Handler handlers []capsulewebhook.Handler
} }

24
renovate.json
View File

@@ -21,5 +21,29 @@
"groupName": "all-ci-updates", "groupName": "all-ci-updates",
"updateTypes": ["major", "minor", "patch"] "updateTypes": ["major", "minor", "patch"]
} }
],
"customManagers": [
{
"customType": "regex",
"fileMatch": ["^Makefile$"],
"matchStrings": [
"(?<depName>[A-Z0-9_]+)_VERSION\\s*[:=?]+\\s*\"?(?<currentValue>[^\"\\r\\n]+)\"?[\\s\\S]*?(?<depName2>[A-Z0-9_]+)_LOOKUP\\s*[:=?]+\\s*\"?(?<lookupValue>[^\"\\r\\n]+)\"?(?:[\\s\\S]*?(?<depName3>[A-Z0-9_]+)_SOURCE\\s*[:=?]+\\s*\"?(?<sourceValue>[^\"\\r\\n]+)\"?)?"
],
"depNameTemplate": "{{lookupValue}}",
"datasourceTemplate": "{{#sourceValue}}{{sourceValue}}{{/sourceValue}}{{^sourceValue}}github-tags{{/sourceValue}}",
"lookupNameTemplate": "{{lookupValue}}",
"versioningTemplate": "semver"
},
{
"customType": "regex",
"fileMatch": [".*\\.pre-commit-config\\.ya?ml$"],
"matchStrings": [
"repo:\\s*https://github\\.com/(?<lookupValue>[^/]+/[^\\s]+)[\\s\\S]*?rev:\\s*(?<currentValue>v?\\d+\\.\\d+\\.\\d+)"
],
"depNameTemplate": "{{lookupValue}}",
"datasourceTemplate": "github-tags",
"lookupNameTemplate": "{{lookupValue}}",
"versioningTemplate": "semver"
}
] ]
} }