fix(helm): jobs in capsule helm chart should use the same tolerations as deployment

Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>

.github/workflows/ci.yml

@@ -36,7 +36,7 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@v2
         with:
-          go-version: '^1.16'
+          go-version: '1.16'
       - run: make installer
       - name: Checking if YAML installer file is not aligned
         run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi

.github/workflows/e2e.yml

@@ -37,7 +37,7 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@v2
         with:
-          go-version: '^1.16'
+          go-version: '1.16'
       - run: make manifests
       - name: Checking if manifests are disaligned
         run: test -z "$(git diff 2> /dev/null)"
@@ -47,7 +47,7 @@ jobs:
         run: go get github.com/onsi/ginkgo/ginkgo
       - uses: actions/setup-go@v2
         with:
-          go-version: '^1.16'
+          go-version: '1.16'
       - uses: engineerd/setup-kind@v0.5.0
         with:
           skipClusterCreation: true

api/v1alpha1/capsuleconfiguration_annotations.go

@@ -5,4 +5,8 @@ const (
 	ForbiddenNodeLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-node-labels-regexp"
 	ForbiddenNodeAnnotationsAnnotation       = "capsule.clastix.io/forbidden-node-annotations"
 	ForbiddenNodeAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-node-annotations-regexp"
+	CASecretNameAnnotation                   = "capsule.clastix.io/ca-secret-name"
+	TLSSecretNameAnnotation                  = "capsule.clastix.io/tls-secret-name"
+	MutatingWebhookConfigurationName         = "capsule.clastix.io/mutating-webhook-configuration-name"
+	ValidatingWebhookConfigurationName       = "capsule.clastix.io/validating-webhook-configuration-name"
 )

api/v1beta1/tenant_annotations.go

@@ -5,6 +5,7 @@ package v1beta1
 
 import (
 	"fmt"
+	"strings"
 )
 
 const (
@@ -21,9 +22,9 @@ const (
 )
 
 func UsedQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/used-" + resource.String()
+	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
 }
 
 func HardQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/hard-" + resource.String()
+	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
 }

api/v1beta1/tenant_types.go

@@ -21,11 +21,11 @@ type TenantSpec struct {
 	IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
 	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
 	ContainerRegistries *AllowedListSpec `json:"containerRegistries,omitempty"`
-	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
 	NetworkPolicies NetworkPolicySpec `json:"networkPolicies,omitempty"`
-	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
 	LimitRanges LimitRangesSpec `json:"limitRanges,omitempty"`
 	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
 	ResourceQuota ResourceQuotaSpec `json:"resourceQuotas,omitempty"`

charts/capsule/Chart.yaml

@@ -21,7 +21,7 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.6
+version: 0.1.8
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.

charts/capsule/README.md

@@ -24,23 +24,19 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
         $ helm repo add clastix https://clastix.github.io/charts
 
-2. Create the Namespace:
+2. Install the Chart:
 
-        $ kubectl create namespace capsule-system
+        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
 
-3. Install the Chart:
-
-        $ helm install capsule clastix/capsule -n capsule-system
-
-4. Show the status:
+3. Show the status:
 
         $ helm status capsule -n capsule-system
 
-5. Upgrade the Chart
+4. Upgrade the Chart
 
         $ helm upgrade capsule clastix/capsule -n capsule-system
 
-6. Uninstall the Chart
+5. Uninstall the Chart
 
         $ helm uninstall capsule -n capsule-system
 
@@ -111,6 +107,7 @@ This Helm Chart creates the following Kubernetes resources in the release namesp
 * CA Secret
 * Certificate Secret
 * Tenant Custom Resource Definition
+* CapsuleConfiguration Custom Resource Definition
 * MutatingWebHookConfiguration
 * ValidatingWebHookConfiguration
 * RBAC Cluster Roles
@@ -130,4 +127,4 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 
 ## More
 
-See Capsule [use cases](https://github.com/clastix/capsule/blob/master/use_cases.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

charts/capsule/templates/ca.yaml

@@ -8,4 +8,3 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "capsule.secretCaName" . }}
-data:

charts/capsule/templates/certs.yaml

@@ -8,4 +8,3 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "capsule.secretTlsName" . }}
-data:

charts/capsule/templates/configuration-default.yaml

@@ -4,8 +4,12 @@ metadata:
   name: default
   labels:
   {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
   annotations:
+    capsule.clastix.io/ca-secret-name: {{ include "capsule.secretCaName" . }}
+    capsule.clastix.io/mutating-webhook-configuration-name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
+    capsule.clastix.io/tls-secret-name: {{ include "capsule.secretTlsName" . }}
+    capsule.clastix.io/validating-webhook-configuration-name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
+  {{- with .Values.customAnnotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:

charts/capsule/templates/post-install-job.yaml

@@ -1,4 +1,4 @@
-{{- $cmd := "while [ -z $$(kubectl -n $NAMESPACE get secret capsule-tls -o jsonpath='{.data.tls\\\\.crt}') ];" -}}
+{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretCaName" .) -}}
 {{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
 {{- $cmd = printf "%s done" $cmd -}}
 apiVersion: batch/v1
@@ -29,6 +29,10 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       restartPolicy: Never
       containers:
       - name: post-install-job

charts/capsule/templates/pre-delete-job.yaml

@@ -30,6 +30,10 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       restartPolicy: Never
       containers:
         - name: pre-delete-job

config/crd/bases/capsule.clastix.io_tenants.yaml

@@ -697,7 +697,7 @@ spec:
                     type: string
                 type: object
               limitRanges:
-                description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+                description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                 properties:
                   items:
                     items:
@@ -1055,7 +1055,7 @@ spec:
               nodeSelector:
                 additionalProperties:
                   type: string
-                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                 type: object
               owners:
                 description: Specifies the owners of the Tenant. Mandatory.

config/install.yaml

@@ -769,7 +769,7 @@ spec:
                     type: string
                 type: object
               limitRanges:
-                description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+                description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                 properties:
                   items:
                     items:
@@ -1127,7 +1127,7 @@ spec:
               nodeSelector:
                 additionalProperties:
                   type: string
-                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                 type: object
               owners:
                 description: Specifies the owners of the Tenant. Mandatory.

controllers/secret/ca.go

@@ -24,18 +24,20 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"github.com/clastix/capsule/pkg/cert"
+	"github.com/clastix/capsule/pkg/configuration"
 )
 
 type CAReconciler struct {
 	client.Client
-	Log       logr.Logger
-	Scheme    *runtime.Scheme
-	Namespace string
+	Log           logr.Logger
+	Scheme        *runtime.Scheme
+	Namespace     string
+	Configuration configuration.Configuration
 }
 
 func (r *CAReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Secret{}, forOptionPerInstanceName(CASecretName)).
+		For(&corev1.Secret{}).
 		Complete(r)
 }
 
@@ -78,7 +80,7 @@ func (r *CAReconciler) UpdateCustomResourceDefinition(caBundle []byte) error {
 func (r CAReconciler) UpdateValidatingWebhookConfiguration(caBundle []byte) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
 		vw := &admissionregistrationv1.ValidatingWebhookConfiguration{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-validating-webhook-configuration"}, vw)
+		err = r.Get(context.TODO(), types.NamespacedName{Name: r.Configuration.ValidatingWebhookConfigurationName()}, vw)
 		if err != nil {
 			r.Log.Error(err, "cannot retrieve ValidatingWebhookConfiguration")
 			return err
@@ -97,7 +99,7 @@ func (r CAReconciler) UpdateValidatingWebhookConfiguration(caBundle []byte) erro
 func (r CAReconciler) UpdateMutatingWebhookConfiguration(caBundle []byte) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
 		mw := &admissionregistrationv1.MutatingWebhookConfiguration{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-mutating-webhook-configuration"}, mw)
+		err = r.Get(context.TODO(), types.NamespacedName{Name: r.Configuration.MutatingWebhookConfigurationName()}, mw)
 		if err != nil {
 			r.Log.Error(err, "cannot retrieve MutatingWebhookConfiguration")
 			return err
@@ -115,6 +117,10 @@ func (r CAReconciler) UpdateMutatingWebhookConfiguration(caBundle []byte) error
 func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 	var err error
 
+	if request.Name != r.Configuration.CASecretName() {
+		return ctrl.Result{}, nil
+	}
+
 	r.Log = r.Log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
 	r.Log.Info("Reconciling CA Secret")
 
@@ -128,7 +134,7 @@ func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl
 
 	var ca cert.CA
 	var rq time.Duration
-	ca, err = getCertificateAuthority(r.Client, r.Namespace)
+	ca, err = getCertificateAuthority(r.Client, r.Namespace, r.Configuration.CASecretName())
 	if err != nil && errors.Is(err, MissingCaError{}) {
 		ca, err = cert.GenerateCertificateAuthority()
 		if err != nil {
@@ -189,7 +195,7 @@ func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl
 		tls := &corev1.Secret{}
 		err = r.Get(ctx, types.NamespacedName{
 			Namespace: r.Namespace,
-			Name:      TLSSecretName,
+			Name:      r.Configuration.TLSSecretName(),
 		}, tls)
 		if err != nil {
 			r.Log.Error(err, "Capsule TLS Secret missing")

controllers/secret/const.go

@@ -6,7 +6,4 @@ package secret
 const (
 	certSecretKey       = "tls.crt"
 	privateKeySecretKey = "tls.key"
-
-	CASecretName  = "capsule-ca"
-	TLSSecretName = "capsule-tls"
 )

controllers/secret/reconciler.go

@@ -9,23 +9,20 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
 	"github.com/clastix/capsule/pkg/cert"
 )
 
-func getCertificateAuthority(client client.Client, namespace string) (ca cert.CA, err error) {
+func getCertificateAuthority(client client.Client, namespace, name string) (ca cert.CA, err error) {
 	instance := &corev1.Secret{}
 
 	err = client.Get(context.TODO(), types.NamespacedName{
 		Namespace: namespace,
-		Name:      CASecretName,
+		Name:      name,
 	}, instance)
 	if err != nil {
-		return nil, fmt.Errorf("missing secret %s, cannot reconcile", CASecretName)
+		return nil, fmt.Errorf("missing secret %s, cannot reconcile", name)
 	}
 
 	if instance.Data == nil {
@@ -39,24 +36,3 @@ func getCertificateAuthority(client client.Client, namespace string) (ca cert.CA
 
 	return
 }
-
-func forOptionPerInstanceName(instanceName string) builder.ForOption {
-	return builder.WithPredicates(predicate.Funcs{
-		CreateFunc: func(event event.CreateEvent) bool {
-			return filterByName(event.Object.GetName(), instanceName)
-		},
-		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-			return filterByName(deleteEvent.Object.GetName(), instanceName)
-		},
-		UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-			return filterByName(updateEvent.ObjectNew.GetName(), instanceName)
-		},
-		GenericFunc: func(genericEvent event.GenericEvent) bool {
-			return filterByName(genericEvent.Object.GetName(), instanceName)
-		},
-	})
-}
-
-func filterByName(objName, desired string) bool {
-	return objName == desired
-}

controllers/secret/tls.go

@@ -22,24 +22,30 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"github.com/clastix/capsule/pkg/cert"
+	"github.com/clastix/capsule/pkg/configuration"
 )
 
 type TLSReconciler struct {
 	client.Client
-	Log       logr.Logger
-	Scheme    *runtime.Scheme
-	Namespace string
+	Log           logr.Logger
+	Scheme        *runtime.Scheme
+	Namespace     string
+	Configuration configuration.Configuration
 }
 
 func (r *TLSReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Secret{}, forOptionPerInstanceName(TLSSecretName)).
+		For(&corev1.Secret{}).
 		Complete(r)
 }
 
 func (r TLSReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 	var err error
 
+	if request.Name != r.Configuration.TLSSecretName() {
+		return ctrl.Result{}, nil
+	}
+
 	r.Log = r.Log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
 	r.Log.Info("Reconciling TLS Secret")
 
@@ -54,7 +60,7 @@ func (r TLSReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctr
 	var ca cert.CA
 	var rq time.Duration
 
-	ca, err = getCertificateAuthority(r.Client, r.Namespace)
+	ca, err = getCertificateAuthority(r.Client, r.Namespace, r.Configuration.CASecretName())
 	if err != nil {
 		return reconcile.Result{}, err
 	}
@@ -112,7 +118,7 @@ func (r TLSReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctr
 		return reconcile.Result{}, err
 	}
 
-	if instance.Name == TLSSecretName && res == controllerutil.OperationResultUpdated {
+	if instance.Name == r.Configuration.TLSSecretName() && res == controllerutil.OperationResultUpdated {
 		r.Log.Info("Capsule TLS certificates has been updated, Controller pods must be restarted to load new certificate")
 
 		hostname, _ := os.Hostname()

docs/content/contributing/development.md

@@ -104,7 +104,7 @@ Do remember to change the `myuser` to yours.
 $ git clone git@github.com:myuser/capsule.git && cd capsule
 ```
 
-It's a good practice to add the upsteam as the remote too so we can easily fetch and merge the upstream to our fork:
+It's a good practice to add the upstream as the remote too so we can easily fetch and merge the upstream to our fork:
 
 ```shell
 $ git remote add upstream https://github.com/clastix/capsule.git
@@ -273,14 +273,15 @@ $ kubectl get MutatingWebhookConfiguration capsule-mutating-webhook-configuratio
 # Note: there is a list of validating webhook endpoints, not just one
 $ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
     --type='json' -p="[\
-      {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/cordoning\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/ingresses\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/namespaces\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/networkpolicies\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/pods\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/services\",'caBundle':\"${CA_BUNDLE}\"}},\
-      {'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/tenants\",'caBundle':\"${CA_BUNDLE}\"}}\
+       {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/cordoning\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/ingresses\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/namespaces\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/networkpolicies\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/pods\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/services\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/tenants\",'caBundle':\"${CA_BUNDLE}\"}},\
+       {'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"${WEBHOOK_URL}/nodes\",'caBundle':\"${CA_BUNDLE}\"}}\
     ]"
 
 # Verify it if you want

docs/content/general/proxy.md

@@ -42,7 +42,7 @@ All other requests are proxied transparently to the APIs server, so no side effe
 
 ## Installation
 
-Capsule Proxy is an optional add-on of the main Capsule Operator, so make sure you have a working instance of Caspule before attempting to install it.
+Capsule Proxy is an optional add-on of the main Capsule Operator, so make sure you have a working instance of Capsule before attempting to install it.
 Use the `capsule-proxy` only if you want Tenant Owners to list their own Cluster-Scope resources.
 
 The `capsule-proxy` can be deployed in standalone mode, e.g. running as a pod bridging any Kubernetes client to the APIs server.
@@ -50,7 +50,7 @@ Optionally, it can be deployed as a sidecar container in the backend of a dashbo
 
 Running outside a Kubernetes cluster is also viable, although a valid `KUBECONFIG` file must be provided, using the environment variable `KUBECONFIG` or the default file in `$HOME/.kube/config`.
 
-A Helm Chart is available [here](https://github.com/clastix/capsule/blob/master/charts/capsule/README.md).
+A Helm Chart is available [here](https://github.com/clastix/capsule-proxy/blob/master/charts/capsule-proxy/README.md).
 
 Depending on your environment, you can expose the `capsule-proxy` by:
 

docs/content/general/references.md

@@ -73,9 +73,8 @@ FIELDS:
      IngressClass. Optional.
 
    limitRanges  <Object>
-     Specifies the NetworkPolicies assigned to the Tenant. The assigned
-     NetworkPolicies are inherited by any namespace created in the Tenant.
-     Optional.
+     Specifies the resource min/max usage restrictions to the Tenant. The assigned
+     values are inherited by any namespace created in the Tenant. Optional.
 
    namespaceOptions     <Object>
      Specifies options for the Namespaces, such as additional metadata or
@@ -152,17 +151,26 @@ apiVersion: capsule.clastix.io/v1alpha1
 kind: CapsuleConfiguration
 metadata:
   name: default
+  annotations:
+    capsule.clastix.io/ca-secret-name: "capsule-ca"
+    capsule.clastix.io/tls-secret-name: "capsule-tls"
+    capsule.clastix.io/mutating-webhook-configuration-name: "capsule-mutating-webhook-configuration"
+    capsule.clastix.io/validating-webhook-configuration-name: "capsule-validating-webhook-configuration"
 spec:
   userGroups: ["capsule.clastix.io"]
   forceTenantPrefix: false
   protectedNamespaceRegex: ""
 ```
 
-Option | Description | Default
---- | --- | ---
-`.spec.forceTenantPrefix` | Force the tenant name as prefix for namespaces: `<tenant_name>-<namespace>`.  | `false`
-`.spec.userGroups` | Array of Capsule groups to which all tenant owners must belong. | `[capsule.clastix.io]`
-`.spec.protectedNamespaceRegex` | Disallows creation of namespaces matching the passed regexp. | `null`
+Option | Description                                                                  | Default
+--- |------------------------------------------------------------------------------| ---
+`.spec.forceTenantPrefix` | Force the tenant name as prefix for namespaces: `<tenant_name>-<namespace>`. | `false`
+`.spec.userGroups` | Array of Capsule groups to which all tenant owners must belong.              | `[capsule.clastix.io]`
+`.spec.protectedNamespaceRegex` | Disallows creation of namespaces matching the passed regexp.                 | `null`
+`.metadata.annotations.capsule.clastix.io/ca-secret-name` | Set the Capsule Certificate Authority secret name                            | `capsule-ca`
+`.metadata.annotations.capsule.clastic.io/tls-secret-name` | Set the Capsule TLS secret name                                              | `capsule-tls`
+`.metadata.annotations.capsule.clastix.io/mutating-webhook-configuration-name` | Set the MutatingWebhookConfiguration name                                    | `mutating-webhook-configuration-name`
+`.metadata.annotations.capsule.clastix.io/validating-webhook-configuration-name` | Set the ValidatingWebhookConfiguration name                                  | `validating-webhook-configuration-name`
 
 Upon installation using Kustomize or Helm, a `capsule-default` resource will be created.
 The reference to this configuration is managed by the CLI flag `--configuration-name`.  

docs/content/general/tutorial.md

@@ -141,8 +141,6 @@ metadata:
   name: oil
 spec:
   owners:
-  - name: oil-users
-    kind: Group
   - name: system:serviceaccount:default:robot
     kind: ServiceAccount
 EOF
@@ -164,18 +162,18 @@ metadata:
   name: default
 spec:
   userGroups:
-  - capsule.clastix.io
   - system:serviceaccounts:default
 ```
 
-because, by default, each service account is a member of following groups:
+since each service account in a namespace is a member of following group:
 
 ```
-system:serviceaccounts
 system:serviceaccounts:{service-account-namespace}
-system:authenticated
 ```
 
+> Please, pay attention when setting a service account acting as tenant owner. Make sure you're not using the group `system:serviceaccounts` or the group `system:serviceaccounts:{capsule-namespace}` as Capsule group, otherwise you'll create a short-circuit in the Capsule controller, being Capsule itself controlled by a serviceaccount. 
+
+
 ## Create namespaces
 Alice, once logged with her credentials, can create a new namespace in her tenant, as simply issuing:
 
@@ -402,7 +400,7 @@ spec:
 EOF
 ```
 
-The two tenants remain isolated from each other in terms of resources assignments, e.g. _ResourceQuota_, _Nodes Pool_, _Storage Calsses_ and _Ingress Classes_, and in terms of governance, e.g. _NetworkPolicies_, _PodSecurityPolicies_, _Trusted Registries_, etc.
+The two tenants remain isolated from each other in terms of resources assignments, e.g. _ResourceQuota_, _Nodes Pool_, _Storage Classes_ and _Ingress Classes_, and in terms of governance, e.g. _NetworkPolicies_, _PodSecurityPolicies_, _Trusted Registries_, etc.
 
 
 When Alice logs in, she has access to all namespaces belonging to both the `oil` and `gas` tenants.

docs/package.json

@@ -16,7 +16,7 @@
   "devDependencies": {
     "autoprefixer": "^9.8.8",
     "gridsome-plugin-tailwindcss": "^4.1.1",
-    "postcss": "^7.0.39",
+    "postcss": "^8.2.13",
     "postcss-import": "^14.0.2",
     "postcss-preset-env": "^6.7.0",
     "prism-themes": "^1.9.0",

docs/yarn.lock

@@ -2576,6 +2576,11 @@ color@^4.0.1:
     color-convert "^2.0.1"
     color-string "^1.6.0"
 
+colorette@^1.2.2:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/colorette/-/colorette-1.4.0.tgz#5190fbb87276259a86ad700bff2c6d6faa3fca40"
+  integrity sha512-Y2oEozpomLn7Q3HFP7dpww7AtMJplbM9lGZP6RDfHqmbeRjiwRg4n6VM6j4KLmRke85uWEI7JqF17f3pqdRA0g==
+
 columnify@^1.5.4:
   version "1.5.4"
   resolved "https://registry.yarnpkg.com/columnify/-/columnify-1.5.4.tgz#4737ddf1c7b69a8a7c340570782e947eec8e78bb"
@@ -6486,10 +6491,10 @@ nan@^2.12.1:
   resolved "https://registry.yarnpkg.com/nan/-/nan-2.15.0.tgz#3f34a473ff18e15c1b5626b62903b5ad6e665fee"
   integrity sha512-8ZtvEnA2c5aYCZYd1cvgdnU6cqwixRoYg70xPLWUws5ORTa/lnw+u4amixRS/Ac5U5mQVgp9pnlSUnbNWFaWZQ==
 
-nanoid@^3.1.28:
-  version "3.1.29"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.29.tgz#214fb2d7a33e1a5bef4757b779dfaeb6a4e5aeb4"
-  integrity sha512-dW2pUSGZ8ZnCFIlBIA31SV8huOGCHb6OwzVCc7A69rb/a+SgPBwfmLvK5TKQ3INPbRkcI8a/Owo0XbiTNH19wg==
+nanoid@^3.1.22, nanoid@^3.1.28:
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.2.0.tgz#62667522da6673971cca916a6d3eff3f415ff80c"
+  integrity sha512-fmsZYa9lpn69Ad5eDn7FMcnnSR+8R34W9qJEijxYhTbfOWzr22n1QxCMzXLK+ODyW2973V3Fux959iQoUxzUIA==
 
 nanomatch@^1.2.9:
   version "1.2.13"
@@ -7873,7 +7878,7 @@ postcss@^6.0.9:
     source-map "^0.6.1"
     supports-color "^5.4.0"
 
-postcss@^7, postcss@^7.0.0, postcss@^7.0.1, postcss@^7.0.14, postcss@^7.0.17, postcss@^7.0.18, postcss@^7.0.2, postcss@^7.0.27, postcss@^7.0.32, postcss@^7.0.36, postcss@^7.0.39, postcss@^7.0.5, postcss@^7.0.6:
+postcss@^7, postcss@^7.0.0, postcss@^7.0.1, postcss@^7.0.14, postcss@^7.0.17, postcss@^7.0.18, postcss@^7.0.2, postcss@^7.0.27, postcss@^7.0.32, postcss@^7.0.36, postcss@^7.0.5, postcss@^7.0.6:
   version "7.0.39"
   resolved "https://registry.yarnpkg.com/postcss/-/postcss-7.0.39.tgz#9624375d965630e2e1f2c02a935c82a59cb48309"
   integrity sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==
@@ -7890,6 +7895,15 @@ postcss@^8.2.1:
     picocolors "^0.2.1"
     source-map-js "^0.6.2"
 
+postcss@^8.2.13:
+  version "8.2.13"
+  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.2.13.tgz#dbe043e26e3c068e45113b1ed6375d2d37e2129f"
+  integrity sha512-FCE5xLH+hjbzRdpbRb1IMCvPv9yZx2QnDarBEYSN0N0HYk+TcXsEhwdFcFb+SRWOKzKGErhIEbBK2ogyLdTtfQ==
+  dependencies:
+    colorette "^1.2.2"
+    nanoid "^3.1.22"
+    source-map "^0.6.1"
+
 prebuild-install@^5.3.4:
   version "5.3.6"
   resolved "https://registry.yarnpkg.com/prebuild-install/-/prebuild-install-5.3.6.tgz#7c225568d864c71d89d07f8796042733a3f54291"
@@ -7950,9 +7964,9 @@ prism-themes@^1.9.0:
   integrity sha512-tX2AYsehKDw1EORwBps+WhBFKc2kxfoFpQAjxBndbZKr4fRmMkv47XN0BghC/K1qwodB1otbe4oF23vUTFDokw==
 
 prismjs@^1.15.0:
-  version "1.25.0"
-  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.25.0.tgz#6f822df1bdad965734b310b315a23315cf999756"
-  integrity sha512-WCjJHl1KEWbnkQom1+SzftbtXMKQoezOCYs5rECqMN+jP+apI7ftoflyqigqzopSO3hMhTEb0mFClA8lkolgEg==
+  version "1.27.0"
+  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.27.0.tgz#bb6ee3138a0b438a3653dd4d6ce0cc6510a45057"
+  integrity sha512-t13BGPUlFDR7wRB5kQDG4jjl7XeuH6jbJGt11JHPL96qwsEHNX2+68tFXqc1/k+/jALsbSWJKUOT/hcYAZ5LkA==
 
 probe-image-size@^4.0.0:
   version "4.1.1"
@@ -8858,9 +8872,9 @@ simple-concat@^1.0.0:
   integrity sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q==
 
 simple-get@^3.0.3:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/simple-get/-/simple-get-3.1.0.tgz#b45be062435e50d159540b576202ceec40b9c6b3"
-  integrity sha512-bCR6cP+aTdScaQCnQKbPKtJOKDp/hj9EDLJo3Nw4y1QksqaovlW/bnptB6/c1e+qmNIDHRK+oXFDdEqBT8WzUA==
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/simple-get/-/simple-get-3.1.1.tgz#cc7ba77cfbe761036fbfce3d021af25fc5584d55"
+  integrity sha512-CQ5LTKGfCpvE1K0n2us+kuMPbk/q0EKl82s4aheV9oXjFEz6W/Y7oQFVJuU6QG77hRT4Ghb5RURteF5vnWjupA==
   dependencies:
     decompress-response "^4.2.0"
     once "^1.3.1"
@@ -10019,9 +10033,9 @@ url-parse-lax@^3.0.0:
     prepend-http "^2.0.0"
 
 url-parse@^1.4.3, url-parse@^1.5.3:
-  version "1.5.3"
-  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.3.tgz#71c1303d38fb6639ade183c2992c8cc0686df862"
-  integrity sha512-IIORyIQD9rvj0A4CLWsHkBBJuNqWpFQe224b6j9t/ABmquIS0qDU2pY6kl6AuOrL5OkCXHMCFNe1jBcuAggjvQ==
+  version "1.5.10"
+  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.10.tgz#9d3c2f736c1d75dd3bd2be507dcc111f1e2ea9c1"
+  integrity sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==
   dependencies:
     querystringify "^2.1.1"
     requires-port "^1.0.0"

e2e/forbidden_annotations_regex_test.go

@@ -0,0 +1,83 @@
+// +build e2e
+
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package e2e
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+var _ = Describe("creating a tenant with various forbidden regexes", func() {
+	tnt := &capsulev1beta1.Tenant{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: nil,
+			Name:        "namespace",
+		},
+		Spec: capsulev1beta1.TenantSpec{
+			Owners: capsulev1beta1.OwnerListSpec{
+				{
+					Name: "alice",
+					Kind: "User",
+				},
+			},
+		},
+	}
+
+	It("should succeed when there are no annotations", func() {
+		EventuallyCreation(func() error {
+			tnt.ObjectMeta.Annotations = nil
+			tnt.ResourceVersion = ""
+			return k8sClient.Create(context.TODO(), tnt)
+		}).Should(Succeed())
+		Expect(k8sClient.Delete(context.TODO(), tnt)).Should(Succeed())
+	})
+
+	annotationsToCheck := []string{
+		capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation,
+		capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation,
+	}
+
+	errorRegexes := []string{
+		"(.*gitops|.*nsm).[k8s.io/((?!(resource)).*|trusted)](http://k8s.io/((?!(resource)).*%7Ctrusted))",
+	}
+
+	for _, annotation := range annotationsToCheck {
+		for _, annotationValue := range errorRegexes {
+			It("should fail using a non-valid the regex on the annotation "+annotation, func() {
+				EventuallyCreation(func() error {
+					tnt.ResourceVersion = ""
+					tnt.ObjectMeta.Annotations = make(map[string]string)
+					tnt.ObjectMeta.Annotations[annotation] = annotationValue
+					return k8sClient.Create(context.TODO(), tnt)
+				}).ShouldNot(Succeed())
+			})
+		}
+	}
+
+	successRegexes := []string{
+		"",
+		"(.*gitops|.*nsm)",
+	}
+	for _, annotation := range annotationsToCheck {
+		for _, annotationValue := range successRegexes {
+			It("should succeed using a valid regex on the annotation "+annotation, func() {
+				EventuallyCreation(func() error {
+					tnt.ResourceVersion = ""
+					tnt.ObjectMeta.Annotations = make(map[string]string)
+					tnt.ObjectMeta.Annotations[annotation] = annotationValue
+					return k8sClient.Create(context.TODO(), tnt)
+				}).Should(Succeed())
+				Expect(k8sClient.Delete(context.TODO(), tnt)).Should(Succeed())
+			})
+		}
+	}
+
+})

hack/velero-restore.sh

@@ -7,7 +7,7 @@
 # let script exit if a command fails
 #set -o errexit
 
-# let script exit if an unsed variable is used
+# let script exit if an unused variable is used
 #set -o nounset
 
 KUBECFGFILE="$HOME/.kube/config"

main.go

@@ -20,6 +20,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
@@ -127,21 +128,25 @@ func main() {
 
 	ctx := ctrl.SetupSignalHandler()
 
+	cfg := configuration.NewCapsuleConfiguration(manager.GetClient(), configurationName)
+
 	if err = (&secretcontroller.CAReconciler{
-		Client:    manager.GetClient(),
-		Log:       ctrl.Log.WithName("controllers").WithName("CA"),
-		Scheme:    manager.GetScheme(),
-		Namespace: namespace,
+		Client:        manager.GetClient(),
+		Log:           ctrl.Log.WithName("controllers").WithName("CA"),
+		Scheme:        manager.GetScheme(),
+		Namespace:     namespace,
+		Configuration: cfg,
 	}).SetupWithManager(manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Namespace")
 		os.Exit(1)
 	}
 
 	if err = (&secretcontroller.TLSReconciler{
-		Client:    manager.GetClient(),
-		Log:       ctrl.Log.WithName("controllers").WithName("Tls"),
-		Scheme:    manager.GetScheme(),
-		Namespace: namespace,
+		Client:        manager.GetClient(),
+		Log:           ctrl.Log.WithName("controllers").WithName("Tls"),
+		Scheme:        manager.GetScheme(),
+		Namespace:     namespace,
+		Configuration: cfg,
 	}).SetupWithManager(manager); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Namespace")
 		os.Exit(1)
@@ -153,13 +158,23 @@ func main() {
 		os.Exit(1)
 	}
 
-	ca, err := clientset.CoreV1().Secrets(namespace).Get(ctx, secretcontroller.CASecretName, metav1.GetOptions{})
+	directClient, err := client.New(ctrl.GetConfigOrDie(), client.Options{
+		Scheme: manager.GetScheme(),
+		Mapper: manager.GetRESTMapper(),
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to create the direct client")
+		os.Exit(1)
+	}
+	directCfg := configuration.NewCapsuleConfiguration(directClient, configurationName)
+
+	ca, err := clientset.CoreV1().Secrets(namespace).Get(ctx, directCfg.CASecretName(), metav1.GetOptions{})
 	if err != nil {
 		setupLog.Error(err, "unable to get Capsule CA secret")
 		os.Exit(1)
 	}
 
-	tls, err := clientset.CoreV1().Secrets(namespace).Get(ctx, secretcontroller.TLSSecretName, metav1.GetOptions{})
+	tls, err := clientset.CoreV1().Secrets(namespace).Get(ctx, directCfg.TLSSecretName(), metav1.GetOptions{})
 	if err != nil {
 		setupLog.Error(err, "unable to get Capsule TLS secret")
 		os.Exit(1)
@@ -194,8 +209,6 @@ func main() {
 			os.Exit(1)
 		}
 
-		cfg := configuration.NewCapsuleConfiguration(manager.GetClient(), configurationName)
-
 		// webhooks: the order matters, don't change it and just append
 		webhooksList := append(
 			make([]webhook.Webhook, 0),
@@ -205,7 +218,7 @@ func main() {
 			route.PVC(pvc.Handler()),
 			route.Service(service.Handler()),
 			route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())),
-			route.Tenant(tenant.NameHandler(), tenant.RoleBindingRegexHandler(), tenant.IngressClassRegexHandler(), tenant.StorageClassRegexHandler(), tenant.ContainerRegistryRegexHandler(), tenant.HostnameRegexHandler(), tenant.FreezedEmitter(), tenant.ServiceAccountNameHandler()),
+			route.Tenant(tenant.NameHandler(), tenant.RoleBindingRegexHandler(), tenant.IngressClassRegexHandler(), tenant.StorageClassRegexHandler(), tenant.ContainerRegistryRegexHandler(), tenant.HostnameRegexHandler(), tenant.FreezedEmitter(), tenant.ServiceAccountNameHandler(), tenant.ForbiddenAnnotationsRegexHandler()),
 			route.OwnerReference(utils.InCapsuleGroups(cfg, ownerreference.Handler(cfg))),
 			route.Cordoning(tenant.CordoningHandler(cfg), tenant.ResourceCounterHandler()),
 			route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),

pkg/configuration/client.go

@@ -13,9 +13,8 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
-
 	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
 )
 
 // capsuleConfiguration is the Capsule Configuration retrieval mode
@@ -62,6 +61,66 @@ func (c capsuleConfiguration) ForceTenantPrefix() bool {
 	return c.retrievalFn().Spec.ForceTenantPrefix
 }
 
+func (c capsuleConfiguration) CASecretName() (name string) {
+	name = CASecretName
+
+	if c.retrievalFn().Annotations == nil {
+		return
+	}
+
+	v, ok := c.retrievalFn().Annotations[capsulev1alpha1.CASecretNameAnnotation]
+	if ok {
+		return v
+	}
+
+	return
+}
+
+func (c capsuleConfiguration) TLSSecretName() (name string) {
+	name = TLSSecretName
+
+	if c.retrievalFn().Annotations == nil {
+		return
+	}
+
+	v, ok := c.retrievalFn().Annotations[capsulev1alpha1.TLSSecretNameAnnotation]
+	if ok {
+		return v
+	}
+
+	return
+}
+
+func (c capsuleConfiguration) MutatingWebhookConfigurationName() (name string) {
+	name = MutatingWebhookConfigurationName
+
+	if c.retrievalFn().Annotations == nil {
+		return
+	}
+
+	v, ok := c.retrievalFn().Annotations[capsulev1alpha1.MutatingWebhookConfigurationName]
+	if ok {
+		return v
+	}
+
+	return
+}
+
+func (c capsuleConfiguration) ValidatingWebhookConfigurationName() (name string) {
+	name = ValidatingWebhookConfigurationName
+
+	if c.retrievalFn().Annotations == nil {
+		return
+	}
+
+	v, ok := c.retrievalFn().Annotations[capsulev1alpha1.ValidatingWebhookConfigurationName]
+	if ok {
+		return v
+	}
+
+	return
+}
+
 func (c capsuleConfiguration) UserGroups() []string {
 	return c.retrievalFn().Spec.UserGroups
 }

pkg/configuration/configuration.go

@@ -9,9 +9,20 @@ import (
 	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
 )
 
+const (
+	CASecretName                       = "capsule-ca"
+	TLSSecretName                      = "capsule-tls"
+	MutatingWebhookConfigurationName   = "capsule-mutating-webhook-configuration"
+	ValidatingWebhookConfigurationName = "capsule-validating-webhook-configuration"
+)
+
 type Configuration interface {
 	ProtectedNamespaceRegexp() (*regexp.Regexp, error)
 	ForceTenantPrefix() bool
+	CASecretName() string
+	TLSSecretName() string
+	MutatingWebhookConfigurationName() string
+	ValidatingWebhookConfigurationName() string
 	UserGroups() []string
 	ForbiddenUserNodeLabels() *capsulev1beta1.ForbiddenListSpec
 	ForbiddenUserNodeAnnotations() *capsulev1beta1.ForbiddenListSpec

pkg/webhook/tenant/forbidden_annotations_regex.go

@@ -0,0 +1,76 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package tenant
+
+import (
+	"context"
+	"regexp"
+
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+	capsulewebhook "github.com/clastix/capsule/pkg/webhook"
+	"github.com/clastix/capsule/pkg/webhook/utils"
+)
+
+type forbiddenAnnotationsRegexHandler struct {
+}
+
+func ForbiddenAnnotationsRegexHandler() capsulewebhook.Handler {
+	return &forbiddenAnnotationsRegexHandler{}
+}
+
+func (h *forbiddenAnnotationsRegexHandler) validate(decoder *admission.Decoder, req admission.Request) *admission.Response {
+	tenant := &capsulev1beta1.Tenant{}
+	if err := decoder.Decode(req, tenant); err != nil {
+		return utils.ErroredResponse(err)
+	}
+
+	if tenant.Annotations == nil {
+		return nil
+	}
+
+	annotationsToCheck := []string{
+		capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation,
+		capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation,
+	}
+
+	for _, annotation := range annotationsToCheck {
+		if _, err := regexp.Compile(tenant.Annotations[annotation]); err != nil {
+			response := admission.Denied("unable to compile " + annotation + " regex annotation")
+
+			return &response
+		}
+	}
+
+	return nil
+}
+
+func (h *forbiddenAnnotationsRegexHandler) OnCreate(_ client.Client, decoder *admission.Decoder, _ record.EventRecorder) capsulewebhook.Func {
+	return func(ctx context.Context, req admission.Request) *admission.Response {
+		if err := h.validate(decoder, req); err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func (h *forbiddenAnnotationsRegexHandler) OnDelete(client.Client, *admission.Decoder, record.EventRecorder) capsulewebhook.Func {
+	return func(context.Context, admission.Request) *admission.Response {
+		return nil
+	}
+}
+
+func (h *forbiddenAnnotationsRegexHandler) OnUpdate(client client.Client, decoder *admission.Decoder, recorder record.EventRecorder) capsulewebhook.Func {
+	return func(ctx context.Context, req admission.Request) *admission.Response {
+		if response := h.validate(decoder, req); response != nil {
+			return response
+		}
+
+		return nil
+	}
+}