fix(helm): remove matchExpressions selector from ingresses webhook

charts/capsule/Chart.yaml

@@ -21,7 +21,7 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -23,7 +23,7 @@ webhooks:
   matchPolicy: Equivalent
   name: cordoning.tenant.capsule.clastix.io
   namespaceSelector:
-    {{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}}
+  {{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -53,10 +53,7 @@ webhooks:
   matchPolicy: Equivalent
   name: ingress.capsule.clastix.io
   namespaceSelector:
-    {{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}}
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:

docs/operator/use-cases/deny-wildcard-hostnames.md

@@ -0,0 +1,32 @@
+# Deny Wildcard Hostnames
+
+Bill, the cluster admin, can deny the use of wildcard hostnames.
+
+Let's assume that we had a big organization, having a domain `bigorg.com` and there are two tenants, `gas` and `oil`.
+
+As a tenant-owner of `gas`, Alice create ingress with the host like `- host: "*.bigorg.com"`. That can lead to big problems for the `oil` tenant because Alice can deliberately create ingress with host: `oil.bigorg.com`.
+
+To avoid this kind of problems, Bill can deny the use of wildcard hostnames in the following way:
+
+```yaml
+kubectl apply -f - << EOF
+apiVersion: capsule.clastix.io/v1beta1
+kind: Tenant
+metadata:
+  name: gas
+  annotations:
+    capsule.clastix.io/deny-wildcard: true
+spec:
+  owners:
+  - name: alice
+    kind: User
+EOF
+```
+
+Doing this, Alice will not be able to use `oil.bigorg.com`, being the tenant-owner of `gas`.
+
+# What’s next
+
+This ends our tour in Capsule use cases. As we improve Capsule, more  use cases about multi-tenancy, policy admission control, and cluster  governance will be covered in the future.
+
+Stay tuned!

docs/operator/use-cases/namespace-labels-and-annotations.md

@@ -25,6 +25,4 @@ EOF
 ```
 
 # What’s next
-This ends our tour in Capsule use cases. As we improve Capsule, more use cases about multi-tenancy, policy admission control, and cluster governance will be covered in the future.
-
-Stay tuned!
+Let's check it out how to restore Tenants after a Velero Backup. [Velero Backup Restoration](./velero-backup-restoration.md).

docs/operator/use-cases/overview.md

@@ -42,6 +42,7 @@ Use Capsule to address any of the following scenarios:
 * [Taint Services](./taint-services.md)
 * [Allow adding labels and annotations on namespaces](./namespace-labels-and-annotations.md)
 * [Velero Backup Restoration](./velero-backup-restoration.md)
+* [Deny Wildcard Hostnames](./deny-wildcard-hostnames.md)
 
 > NB: as we improve Capsule, more use cases about multi-tenancy and cluster governance will be covered.
 

docs/operator/use-cases/velero-backup-restoration.md

@@ -20,4 +20,8 @@ Additionally, you can also specify a selected range of tenants to be restored:
 ./velero-restore.sh --tenant "gas oil" restore
 ```
 
-In this way, only the tenants **gas** and **oil** will be restored.
+In this way, only the tenants **gas** and **oil** will be restored.
+
+# What's next
+
+See how Bill, the cluster admin, can deny wildcard hostnames to a Tenant. [Deny Wildcard Hostnames](./deny-wildcard-hostnames.md)