fix(helm): avoiding overwriting secrets upon helm upgrade

Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>

api/v1beta1/tenant_annotations.go

@@ -5,6 +5,7 @@ package v1beta1
 
 import (
 	"fmt"
+	"strings"
 )
 
 const (
@@ -21,9 +22,9 @@ const (
 )
 
 func UsedQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/used-" + resource.String()
+	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
 }
 
 func HardQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/hard-" + resource.String()
+	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
 }

api/v1beta1/tenant_types.go

@@ -21,11 +21,11 @@ type TenantSpec struct {
 	IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
 	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
 	ContainerRegistries *AllowedListSpec `json:"containerRegistries,omitempty"`
-	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
 	NetworkPolicies NetworkPolicySpec `json:"networkPolicies,omitempty"`
-	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
 	LimitRanges LimitRangesSpec `json:"limitRanges,omitempty"`
 	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
 	ResourceQuota ResourceQuotaSpec `json:"resourceQuotas,omitempty"`

charts/capsule/Chart.yaml

@@ -21,7 +21,7 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.5
+version: 0.1.7
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.

charts/capsule/README.md

@@ -24,23 +24,19 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
         $ helm repo add clastix https://clastix.github.io/charts
 
-2. Create the Namespace:
+2. Install the Chart:
 
-        $ kubectl create namespace capsule-system
+        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
 
-3. Install the Chart:
-
-        $ helm install capsule clastix/capsule -n capsule-system
-
-4. Show the status:
+3. Show the status:
 
         $ helm status capsule -n capsule-system
 
-5. Upgrade the Chart
+4. Upgrade the Chart
 
         $ helm upgrade capsule clastix/capsule -n capsule-system
 
-6. Uninstall the Chart
+5. Uninstall the Chart
 
         $ helm uninstall capsule -n capsule-system
 
@@ -111,6 +107,7 @@ This Helm Chart creates the following Kubernetes resources in the release namesp
 * CA Secret
 * Certificate Secret
 * Tenant Custom Resource Definition
+* CapsuleConfiguration Custom Resource Definition
 * MutatingWebHookConfiguration
 * ValidatingWebHookConfiguration
 * RBAC Cluster Roles
@@ -130,4 +127,4 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 
 ## More
 
-See Capsule [use cases](https://github.com/clastix/capsule/blob/master/use_cases.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

charts/capsule/templates/_helpers.tpl

@@ -91,6 +91,17 @@ Create the proxy fully-qualified Docker image to use
 {{- printf "%s:%s" .Values.proxy.image.repository .Values.proxy.image.tag -}}
 {{- end }}
 
+{{/*
+Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
+*/}}
+{{- define "capsule.jobsTagKubeVersion" -}}
+{{- if contains "-eks-" .Capabilities.KubeVersion.GitVersion }}
+{{- print "v" .Capabilities.KubeVersion.Major "." (.Capabilities.KubeVersion.Minor | replace "+" "") -}}
+{{- else }}
+{{- print "v" .Capabilities.KubeVersion.Major "." .Capabilities.KubeVersion.Minor -}}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the jobs fully-qualified Docker image to use
 */}}
@@ -98,8 +109,7 @@ Create the jobs fully-qualified Docker image to use
 {{- if .Values.jobs.image.tag }}
 {{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
 {{- else }}
-{{- $kubeversion := print "v" .Capabilities.KubeVersion.Major "." .Capabilities.KubeVersion.Minor -}}
-{{- printf "%s:%s" .Values.jobs.image.repository $kubeversion -}}
+{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
 {{- end }}
 {{- end }}
 

charts/capsule/templates/ca.yaml

@@ -8,4 +8,3 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "capsule.secretCaName" . }}
-data:

charts/capsule/templates/certs.yaml

@@ -8,4 +8,3 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "capsule.secretTlsName" . }}
-data:

config/crd/bases/capsule.clastix.io_tenants.yaml

@@ -697,7 +697,7 @@ spec:
                     type: string
                 type: object
               limitRanges:
-                description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+                description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                 properties:
                   items:
                     items:
@@ -1055,7 +1055,7 @@ spec:
               nodeSelector:
                 additionalProperties:
                   type: string
-                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                 type: object
               owners:
                 description: Specifies the owners of the Tenant. Mandatory.

config/install.yaml

@@ -769,7 +769,7 @@ spec:
                     type: string
                 type: object
               limitRanges:
-                description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+                description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                 properties:
                   items:
                     items:
@@ -1127,7 +1127,7 @@ spec:
               nodeSelector:
                 additionalProperties:
                   type: string
-                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                 type: object
               owners:
                 description: Specifies the owners of the Tenant. Mandatory.

docs/content/contributing/development.md

@@ -104,7 +104,7 @@ Do remember to change the `myuser` to yours.
 $ git clone git@github.com:myuser/capsule.git && cd capsule
 ```
 
-It's a good practice to add the upsteam as the remote too so we can easily fetch and merge the upstream to our fork:
+It's a good practice to add the upstream as the remote too so we can easily fetch and merge the upstream to our fork:
 
 ```shell
 $ git remote add upstream https://github.com/clastix/capsule.git
@@ -273,14 +273,15 @@ $ kubectl get MutatingWebhookConfiguration capsule-mutating-webhook-configuratio
 # Note: there is a list of validating webhook endpoints, not just one
 $ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
     --type='json' -p="[\
-      {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/cordoning\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/ingresses\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/namespaces\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/networkpolicies\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/pods\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/services\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/tenants\",'caBundle':\"${CA_BUNDLE}\"}}\
+       {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/cordoning\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/ingresses\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/namespaces\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/networkpolicies\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/pods\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/services\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/tenants\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/nodes\",'caBundle':\"${CA_BUNDLE}\"}}\
     ]"
 
 # Verify it if you want

docs/content/general/proxy.md

@@ -42,7 +42,7 @@ All other requests are proxied transparently to the APIs server, so no side effe
 
 ## Installation
 
-Capsule Proxy is an optional add-on of the main Capsule Operator, so make sure you have a working instance of Caspule before attempting to install it.
+Capsule Proxy is an optional add-on of the main Capsule Operator, so make sure you have a working instance of Capsule before attempting to install it.
 Use the `capsule-proxy` only if you want Tenant Owners to list their own Cluster-Scope resources.
 
 The `capsule-proxy` can be deployed in standalone mode, e.g. running as a pod bridging any Kubernetes client to the APIs server.
@@ -50,7 +50,7 @@ Optionally, it can be deployed as a sidecar container in the backend of a dashbo
 
 Running outside a Kubernetes cluster is also viable, although a valid `KUBECONFIG` file must be provided, using the environment variable `KUBECONFIG` or the default file in `$HOME/.kube/config`.
 
-A Helm Chart is available [here](https://github.com/clastix/capsule/blob/master/charts/capsule/README.md).
+A Helm Chart is available [here](https://github.com/clastix/capsule-proxy/blob/master/charts/capsule-proxy/README.md).
 
 Depending on your environment, you can expose the `capsule-proxy` by:
 

docs/content/general/references.md

@@ -73,9 +73,8 @@ FIELDS:
      IngressClass. Optional.
 
    limitRanges  <Object>
-     Specifies the NetworkPolicies assigned to the Tenant. The assigned
-     NetworkPolicies are inherited by any namespace created in the Tenant.
-     Optional.
+     Specifies the resource min/max usage restrictions to the Tenant. The assigned
+     values are inherited by any namespace created in the Tenant. Optional.
 
    namespaceOptions     <Object>
      Specifies options for the Namespaces, such as additional metadata or

docs/content/general/tutorial.md

@@ -141,8 +141,6 @@ metadata:
   name: oil
 spec:
   owners:
-  - name: oil-users
-    kind: Group
   - name: system:serviceaccount:default:robot
     kind: ServiceAccount
 EOF
@@ -164,18 +162,18 @@ metadata:
   name: default
 spec:
   userGroups:
-  - capsule.clastix.io
   - system:serviceaccounts:default
 ```
 
-because, by default, each service account is a member of following groups:
+since each service account in a namespace is a member of following group:
 
 ```
-system:serviceaccounts
 system:serviceaccounts:{service-account-namespace}
-system:authenticated
 ```
 
+> Please, pay attention when setting a service account acting as tenant owner. Make sure you're not using the group `system:serviceaccounts` or the group `system:serviceaccounts:{capsule-namespace}` as Capsule group, otherwise you'll create a short-circuit in the Capsule controller, being Capsule itself controlled by a serviceaccount. 
+
+
 ## Create namespaces
 Alice, once logged with her credentials, can create a new namespace in her tenant, as simply issuing:
 
@@ -402,7 +400,7 @@ spec:
 EOF
 ```
 
-The two tenants remain isolated from each other in terms of resources assignments, e.g. _ResourceQuota_, _Nodes Pool_, _Storage Calsses_ and _Ingress Classes_, and in terms of governance, e.g. _NetworkPolicies_, _PodSecurityPolicies_, _Trusted Registries_, etc.
+The two tenants remain isolated from each other in terms of resources assignments, e.g. _ResourceQuota_, _Nodes Pool_, _Storage Classes_ and _Ingress Classes_, and in terms of governance, e.g. _NetworkPolicies_, _PodSecurityPolicies_, _Trusted Registries_, etc.
 
 
 When Alice logs in, she has access to all namespaces belonging to both the `oil` and `gas` tenants.

docs/package.json

@@ -16,7 +16,7 @@
   "devDependencies": {
     "autoprefixer": "^9.8.8",
     "gridsome-plugin-tailwindcss": "^4.1.1",
-    "postcss": "^7.0.39",
+    "postcss": "^8.2.13",
     "postcss-import": "^14.0.2",
     "postcss-preset-env": "^6.7.0",
     "prism-themes": "^1.9.0",

docs/yarn.lock

@@ -2576,6 +2576,11 @@ color@^4.0.1:
     color-convert "^2.0.1"
     color-string "^1.6.0"
 
+colorette@^1.2.2:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/colorette/-/colorette-1.4.0.tgz#5190fbb87276259a86ad700bff2c6d6faa3fca40"
+  integrity sha512-Y2oEozpomLn7Q3HFP7dpww7AtMJplbM9lGZP6RDfHqmbeRjiwRg4n6VM6j4KLmRke85uWEI7JqF17f3pqdRA0g==
+
 columnify@^1.5.4:
   version "1.5.4"
   resolved "https://registry.yarnpkg.com/columnify/-/columnify-1.5.4.tgz#4737ddf1c7b69a8a7c340570782e947eec8e78bb"
@@ -6486,10 +6491,10 @@ nan@^2.12.1:
   resolved "https://registry.yarnpkg.com/nan/-/nan-2.15.0.tgz#3f34a473ff18e15c1b5626b62903b5ad6e665fee"
   integrity sha512-8ZtvEnA2c5aYCZYd1cvgdnU6cqwixRoYg70xPLWUws5ORTa/lnw+u4amixRS/Ac5U5mQVgp9pnlSUnbNWFaWZQ==
 
-nanoid@^3.1.28:
-  version "3.1.29"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.29.tgz#214fb2d7a33e1a5bef4757b779dfaeb6a4e5aeb4"
-  integrity sha512-dW2pUSGZ8ZnCFIlBIA31SV8huOGCHb6OwzVCc7A69rb/a+SgPBwfmLvK5TKQ3INPbRkcI8a/Owo0XbiTNH19wg==
+nanoid@^3.1.22, nanoid@^3.1.28:
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.2.0.tgz#62667522da6673971cca916a6d3eff3f415ff80c"
+  integrity sha512-fmsZYa9lpn69Ad5eDn7FMcnnSR+8R34W9qJEijxYhTbfOWzr22n1QxCMzXLK+ODyW2973V3Fux959iQoUxzUIA==
 
 nanomatch@^1.2.9:
   version "1.2.13"
@@ -7873,7 +7878,7 @@ postcss@^6.0.9:
     source-map "^0.6.1"
     supports-color "^5.4.0"
 
-postcss@^7, postcss@^7.0.0, postcss@^7.0.1, postcss@^7.0.14, postcss@^7.0.17, postcss@^7.0.18, postcss@^7.0.2, postcss@^7.0.27, postcss@^7.0.32, postcss@^7.0.36, postcss@^7.0.39, postcss@^7.0.5, postcss@^7.0.6:
+postcss@^7, postcss@^7.0.0, postcss@^7.0.1, postcss@^7.0.14, postcss@^7.0.17, postcss@^7.0.18, postcss@^7.0.2, postcss@^7.0.27, postcss@^7.0.32, postcss@^7.0.36, postcss@^7.0.5, postcss@^7.0.6:
   version "7.0.39"
   resolved "https://registry.yarnpkg.com/postcss/-/postcss-7.0.39.tgz#9624375d965630e2e1f2c02a935c82a59cb48309"
   integrity sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==
@@ -7890,6 +7895,15 @@ postcss@^8.2.1:
     picocolors "^0.2.1"
     source-map-js "^0.6.2"
 
+postcss@^8.2.13:
+  version "8.2.13"
+  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.2.13.tgz#dbe043e26e3c068e45113b1ed6375d2d37e2129f"
+  integrity sha512-FCE5xLH+hjbzRdpbRb1IMCvPv9yZx2QnDarBEYSN0N0HYk+TcXsEhwdFcFb+SRWOKzKGErhIEbBK2ogyLdTtfQ==
+  dependencies:
+    colorette "^1.2.2"
+    nanoid "^3.1.22"
+    source-map "^0.6.1"
+
 prebuild-install@^5.3.4:
   version "5.3.6"
   resolved "https://registry.yarnpkg.com/prebuild-install/-/prebuild-install-5.3.6.tgz#7c225568d864c71d89d07f8796042733a3f54291"
@@ -7950,9 +7964,9 @@ prism-themes@^1.9.0:
   integrity sha512-tX2AYsehKDw1EORwBps+WhBFKc2kxfoFpQAjxBndbZKr4fRmMkv47XN0BghC/K1qwodB1otbe4oF23vUTFDokw==
 
 prismjs@^1.15.0:
-  version "1.25.0"
-  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.25.0.tgz#6f822df1bdad965734b310b315a23315cf999756"
-  integrity sha512-WCjJHl1KEWbnkQom1+SzftbtXMKQoezOCYs5rECqMN+jP+apI7ftoflyqigqzopSO3hMhTEb0mFClA8lkolgEg==
+  version "1.27.0"
+  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.27.0.tgz#bb6ee3138a0b438a3653dd4d6ce0cc6510a45057"
+  integrity sha512-t13BGPUlFDR7wRB5kQDG4jjl7XeuH6jbJGt11JHPL96qwsEHNX2+68tFXqc1/k+/jALsbSWJKUOT/hcYAZ5LkA==
 
 probe-image-size@^4.0.0:
   version "4.1.1"
@@ -8858,9 +8872,9 @@ simple-concat@^1.0.0:
   integrity sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q==
 
 simple-get@^3.0.3:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/simple-get/-/simple-get-3.1.0.tgz#b45be062435e50d159540b576202ceec40b9c6b3"
-  integrity sha512-bCR6cP+aTdScaQCnQKbPKtJOKDp/hj9EDLJo3Nw4y1QksqaovlW/bnptB6/c1e+qmNIDHRK+oXFDdEqBT8WzUA==
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/simple-get/-/simple-get-3.1.1.tgz#cc7ba77cfbe761036fbfce3d021af25fc5584d55"
+  integrity sha512-CQ5LTKGfCpvE1K0n2us+kuMPbk/q0EKl82s4aheV9oXjFEz6W/Y7oQFVJuU6QG77hRT4Ghb5RURteF5vnWjupA==
   dependencies:
     decompress-response "^4.2.0"
     once "^1.3.1"
@@ -10019,9 +10033,9 @@ url-parse-lax@^3.0.0:
     prepend-http "^2.0.0"
 
 url-parse@^1.4.3, url-parse@^1.5.3:
-  version "1.5.3"
-  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.3.tgz#71c1303d38fb6639ade183c2992c8cc0686df862"
-  integrity sha512-IIORyIQD9rvj0A4CLWsHkBBJuNqWpFQe224b6j9t/ABmquIS0qDU2pY6kl6AuOrL5OkCXHMCFNe1jBcuAggjvQ==
+  version "1.5.10"
+  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.10.tgz#9d3c2f736c1d75dd3bd2be507dcc111f1e2ea9c1"
+  integrity sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==
   dependencies:
     querystringify "^2.1.1"
     requires-port "^1.0.0"

e2e/forbidden_annotations_regex_test.go

@@ -0,0 +1,83 @@
+// +build e2e
+
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package e2e
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+var _ = Describe("creating a tenant with various forbidden regexes", func() {
+	tnt := &capsulev1beta1.Tenant{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: nil,
+			Name:        "namespace",
+		},
+		Spec: capsulev1beta1.TenantSpec{
+			Owners: capsulev1beta1.OwnerListSpec{
+				{
+					Name: "alice",
+					Kind: "User",
+				},
+			},
+		},
+	}
+
+	It("should succeed when there are no annotations", func() {
+		EventuallyCreation(func() error {
+			tnt.ObjectMeta.Annotations = nil
+			tnt.ResourceVersion = ""
+			return k8sClient.Create(context.TODO(), tnt)
+		}).Should(Succeed())
+		Expect(k8sClient.Delete(context.TODO(), tnt)).Should(Succeed())
+	})
+
+	annotationsToCheck := []string{
+		capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation,
+		capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation,
+	}
+
+	errorRegexes := []string{
+		"(.*gitops|.*nsm).[k8s.io/((?!(resource)).*|trusted)](http://k8s.io/((?!(resource)).*%7Ctrusted))",
+	}
+
+	for _, annotation := range annotationsToCheck {
+		for _, annotationValue := range errorRegexes {
+			It("should fail using a non-valid the regex on the annotation "+annotation, func() {
+				EventuallyCreation(func() error {
+					tnt.ResourceVersion = ""
+					tnt.ObjectMeta.Annotations = make(map[string]string)
+					tnt.ObjectMeta.Annotations[annotation] = annotationValue
+					return k8sClient.Create(context.TODO(), tnt)
+				}).ShouldNot(Succeed())
+			})
+		}
+	}
+
+	successRegexes := []string{
+		"",
+		"(.*gitops|.*nsm)",
+	}
+	for _, annotation := range annotationsToCheck {
+		for _, annotationValue := range successRegexes {
+			It("should succeed using a valid regex on the annotation "+annotation, func() {
+				EventuallyCreation(func() error {
+					tnt.ResourceVersion = ""
+					tnt.ObjectMeta.Annotations = make(map[string]string)
+					tnt.ObjectMeta.Annotations[annotation] = annotationValue
+					return k8sClient.Create(context.TODO(), tnt)
+				}).Should(Succeed())
+				Expect(k8sClient.Delete(context.TODO(), tnt)).Should(Succeed())
+			})
+		}
+	}
+
+})

hack/velero-restore.sh

@@ -7,7 +7,7 @@
 # let script exit if a command fails
 #set -o errexit
 
-# let script exit if an unsed variable is used
+# let script exit if an unused variable is used
 #set -o nounset
 
 KUBECFGFILE="$HOME/.kube/config"

main.go

@@ -205,7 +205,7 @@ func main() {
 			route.PVC(pvc.Handler()),
 			route.Service(service.Handler()),
 			route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())),
-			route.Tenant(tenant.NameHandler(), tenant.RoleBindingRegexHandler(), tenant.IngressClassRegexHandler(), tenant.StorageClassRegexHandler(), tenant.ContainerRegistryRegexHandler(), tenant.HostnameRegexHandler(), tenant.FreezedEmitter(), tenant.ServiceAccountNameHandler()),
+			route.Tenant(tenant.NameHandler(), tenant.RoleBindingRegexHandler(), tenant.IngressClassRegexHandler(), tenant.StorageClassRegexHandler(), tenant.ContainerRegistryRegexHandler(), tenant.HostnameRegexHandler(), tenant.FreezedEmitter(), tenant.ServiceAccountNameHandler(), tenant.ForbiddenAnnotationsRegexHandler()),
 			route.OwnerReference(utils.InCapsuleGroups(cfg, ownerreference.Handler(cfg))),
 			route.Cordoning(tenant.CordoningHandler(cfg), tenant.ResourceCounterHandler()),
 			route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),

pkg/webhook/tenant/forbidden_annotations_regex.go

@@ -0,0 +1,76 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package tenant
+
+import (
+	"context"
+	"regexp"
+
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+	capsulewebhook "github.com/clastix/capsule/pkg/webhook"
+	"github.com/clastix/capsule/pkg/webhook/utils"
+)
+
+type forbiddenAnnotationsRegexHandler struct {
+}
+
+func ForbiddenAnnotationsRegexHandler() capsulewebhook.Handler {
+	return &forbiddenAnnotationsRegexHandler{}
+}
+
+func (h *forbiddenAnnotationsRegexHandler) validate(decoder *admission.Decoder, req admission.Request) *admission.Response {
+	tenant := &capsulev1beta1.Tenant{}
+	if err := decoder.Decode(req, tenant); err != nil {
+		return utils.ErroredResponse(err)
+	}
+
+	if tenant.Annotations == nil {
+		return nil
+	}
+
+	annotationsToCheck := []string{
+		capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation,
+		capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation,
+	}
+
+	for _, annotation := range annotationsToCheck {
+		if _, err := regexp.Compile(tenant.Annotations[annotation]); err != nil {
+			response := admission.Denied("unable to compile " + annotation + " regex annotation")
+
+			return &response
+		}
+	}
+
+	return nil
+}
+
+func (h *forbiddenAnnotationsRegexHandler) OnCreate(_ client.Client, decoder *admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
+	return func(ctx context.Context, req admission.Request) *admission.Response {
+		if err := h.validate(decoder, req); err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func (h *forbiddenAnnotationsRegexHandler) OnDelete(client.Client, *admission.Decoder, record.EventRecorder) capsulewebhook.Func {
+	return func(context.Context, admission.Request) *admission.Response {
+		return nil
+	}
+}
+
+func (h *forbiddenAnnotationsRegexHandler) OnUpdate(client client.Client, decoder *admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
+	return func(ctx context.Context, req admission.Request) *admission.Response {
+		if response := h.validate(decoder, req); response != nil {
+			return response
+		}
+
+		return nil
+	}
+}