chore(github): using new secrets for GH pages Helm chart push

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

.github/PULL_REQUEST_TEMPLATE.md

@@ -15,6 +15,4 @@ following ourselves these points:
 - explain what and why in the body, if more than a trivial change, wrapping at
   72 characters
 
-If you have any issue or question, reach out us!
-https://clastix.slack.com >>> #capsule channel 
 -->

.github/actions/exists/action.yaml

@@ -0,0 +1,21 @@
+name: Checks if an input is defined
+
+description: Checks if an input is defined and outputs 'true' or 'false'.
+
+inputs:
+  value:
+    description: value to test
+    required: true
+
+outputs:
+  result:
+    description: outputs 'true' or 'false' if input value is defined or not
+    value: ${{ steps.check.outputs.result }}
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      id: check
+      run: |
+        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT

.github/actions/setup-caches/action.yaml

@@ -0,0 +1,20 @@
+name: Setup caches
+
+description: Setup caches for go modules and build cache.
+
+inputs:
+  build-cache-key:
+    description: build cache prefix
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
+    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+      if: ${{ inputs.build-cache-key }}
+      with:
+        path: ~/.cache/go-build
+        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}

.github/configs/ct.yaml

@@ -1,5 +1,5 @@
 remote: origin
-target-branch: master
+target-branch: main
 chart-dirs:
   - charts
 helm-extra-args: "--timeout 600s"  

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    commit-message:
+      prefix: "feat(deps)"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    commit-message:
+      prefix: "ci"

.github/maintainers.yaml

@@ -2,22 +2,22 @@
   github: https://github.com/bsctl
   company: Clastix
   projects:
-    - https://github.com/clastix/capsule
+    - https://github.com/projectcapsule/capsule
     - https://github.com/clastix/capsule-proxy
 - name: Dario Tranchitella
   github: https://github.com/prometherion
   company: Clastix
   projects:
-    - https://github.com/clastix/capsule
+    - https://github.com/projectcapsule/capsule
     - https://github.com/clastix/capsule-proxy
 - name: Maksim Fedotov
   github: https://github.com/MaxFedotov
   company: wargaming.net
   projects:
-    - https://github.com/clastix/capsule
+    - https://github.com/projectcapsule/capsule
     - https://github.com/clastix/capsule-proxy
 - name: Oliver Bähler
   github: https://github.com/oliverbaehler
   company: Bedag Informatik AG
   projects:
-    - https://github.com/clastix/capsule
+    - https://github.com/projectcapsule/capsule

.github/workflows/check-actions.yml

@@ -0,0 +1,24 @@
+name: Check actions
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
+        with:
+          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+          allowlist: |
+            slsa-framework/slsa-github-generator

.github/workflows/check-commit.yml

@@ -0,0 +1,23 @@
+name: Check Commit
+permissions: {}
+
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  commit_lint:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3
+        with:
+          firstParent: true

.github/workflows/codecov.yml

@@ -0,0 +1,38 @@
+name: Codecov
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  codecov:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: codecov
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.CODECOV_TOKEN }}
+      - name: Generate Code Coverage Report
+        if: steps.checksecret.outputs.result == 'true'
+        run: make test
+      - name: Upload Report to Codecov
+        if: steps.checksecret.outputs.result == 'true'
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        with:
+          file: ./coverage.out
+          fail_ci_if_error: true
+          verbose: true

.github/workflows/diff.yml

@@ -1,4 +1,5 @@
-name: CI
+name: Diff checks
+permissions: {}
 
 on:
   push:
@@ -6,35 +7,19 @@ on:
   pull_request:
     branches: [ "*" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  commit_lint:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v2
-        with:
-          firstParent: true
-  golangci:
-    name: lint
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v2.3.0
-        with:
-          version: v1.51.2
-          only-new-issues: false
-          args: --timeout 5m --config .golangci.yml
   diff:
     name: diff
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: '1.19'
       - run: make installer

.github/workflows/docker-ci.yml

@@ -1,97 +0,0 @@
-name: docker-ci
-
-on:
-  push:
-    tags:        
-      - "v*"
-
-jobs:
-  docker-ci:
-    runs-on: ubuntu-20.04
-    steps:
-
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Generate build-args
-        id: build-args
-        run: |
-          # Declare vars for internal use
-          VERSION=$(git describe --abbrev=0 --tags)
-          GIT_HEAD_COMMIT=$(git rev-parse --short HEAD)
-          GIT_TAG_COMMIT=$(git rev-parse --short $VERSION)
-          GIT_MODIFIED_1=$(git diff $GIT_HEAD_COMMIT $GIT_TAG_COMMIT --quiet && echo "" || echo ".dev")
-          GIT_MODIFIED_2=$(git diff --quiet && echo "" || echo ".dirty")
-          # Export to GH_ENV
-          echo "GIT_LAST_TAG=$VERSION" >> $GITHUB_ENV
-          echo "GIT_HEAD_COMMIT=$GIT_HEAD_COMMIT" >> $GITHUB_ENV
-          echo "GIT_TAG_COMMIT=$GIT_TAG_COMMIT" >> $GITHUB_ENV
-          echo "GIT_MODIFIED=$(echo "$GIT_MODIFIED_1""$GIT_MODIFIED_2")" >> $GITHUB_ENV
-          echo "GIT_REPO=$(git config --get remote.origin.url)" >> $GITHUB_ENV
-          echo "BUILD_DATE=$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_ENV
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          images: |
-             quay.io/${{ github.repository }}
-             docker.io/${{ github.repository }}
-          tags: |
-            type=semver,pattern={{raw}}
-          flavor: |
-            latest=false
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v1
-        with:
-          platforms: arm64,arm
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          install: true
-
-      - name: Inspect builder
-        run: |
-          echo "Name:      ${{ steps.buildx.outputs.name }}"
-          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
-          echo "Status:    ${{ steps.buildx.outputs.status }}"
-          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
-          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
-
-      - name: Login to quay.io Container Registry
-        uses: docker/login-action@v1 
-        with:
-          registry: quay.io
-          username: ${{ github.repository_owner }}+github
-          password: ${{ secrets.BOT_QUAY_IO }}
-
-      - name: Login to docker.io Container Registry
-        uses: docker/login-action@v1 
-        with:
-          registry: docker.io
-          username: ${{ secrets.USER_DOCKER_IO }}
-          password: ${{ secrets.BOT_DOCKER_IO }}
-
-      - name: Build and push
-        id: build-release
-        uses: docker/build-push-action@v2
-        with:
-          file: Dockerfile
-          context: .
-          platforms: linux/amd64,linux/arm64,linux/arm
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          build-args: |
-            GIT_HEAD_COMMIT=${{ env.GIT_HEAD_COMMIT }}
-            GIT_TAG_COMMIT=${{ env.GIT_TAG_COMMIT }}
-            GIT_REPO=${{ env.GIT_REPO }}
-            GIT_LAST_TAG=${{ env.GIT_LAST_TAG }}
-            GIT_MODIFIED=${{ env.GIT_MODIFIED }}
-            BUILD_DATE=${{ env.BUILD_DATE }}
-
-      - name: Image digest
-        run: echo ${{ steps.build-release.outputs.digest }}

.github/workflows/docker-publish.yml

@@ -0,0 +1,69 @@
+name: Publish images
+permissions: {}
+
+on:
+  push:
+    tags:
+      - "v*"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-images:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      id-token: write 
+    outputs:
+      capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: publish-images
+      - name: Run Trivy vulnerability (Repo)
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - name: Publish Capsule
+        id: publish-capsule
+        uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
+        with:
+          makefile-target: ko-publish-capsule
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: capsule
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./
+        env:
+          REPOSITORY: ${{ github.repository }}
+  generate-capsule-provenance:
+    needs: publish-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/capsule
+      digest: "${{ needs.publish-images.outputs.capsule-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docs-lint.yml

@@ -0,0 +1,31 @@
+name: docs-lint
+permissions: {}
+
+on:
+  push:
+    branches: [ "*" ]
+    paths:
+      - '.github/workflows/docs-lint.yml'
+      - 'docs/content/**'
+  pull_request:
+    branches: [ "*" ]
+    paths:
+      - '.github/workflows/docs-lint.yml'
+      - 'docs/content/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  spelling:
+    name: Spell Check
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: 18
+      - run: make docs-lint

.github/workflows/e2e.yml

@@ -1,4 +1,5 @@
 name: e2e
+permissions: {}
 
 on:
   push:
@@ -26,6 +27,10 @@ on:
       - 'main.go'
       - 'Makefile'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   kind:
     name: Kubernetes
@@ -35,10 +40,10 @@ jobs:
         k8s-version: ['v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2']
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: '1.19'
       - run: make manifests
@@ -46,11 +51,11 @@ jobs:
         run: test -z "$(git diff 2> /dev/null)"
       - name: Checking if manifests generated untracked files
         run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - uses: engineerd/setup-kind@v0.5.0
+      - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           skipClusterCreation: true
           version: v0.14.0
-      - uses: azure/setup-helm@v1
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
         with:
           version: 3.3.4
       - name: e2e testing

.github/workflows/fossa.yml

@@ -0,0 +1,35 @@
+name: FOSSA
+permissions: {}
+
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true    
+
+jobs:
+  fossa-scan:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: "Checkout Code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Scan"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Test"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          run-tests: true

.github/workflows/gosec.yml

@@ -1,9 +1,15 @@
 name: CI gosec
+permissions: {}
 on:
   push:
     branches: [ "*" ]
   pull_request:
     branches: [ "*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   tests:
     runs-on: ubuntu-20.04
@@ -11,8 +17,8 @@ jobs:
       GO111MODULE: on
     steps:
       - name: Checkout Source
-        uses: actions/checkout@v2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
+        uses: securego/gosec@0ec6cd95d7bf02aef4ec2786e884868e0044875b # v2.18.1
         with:
           args: ./...

.github/workflows/helm-publish.yml

@@ -0,0 +1,64 @@
+name: Publish charts
+permissions: read-all
+on:
+  push:
+    tags: [ "helm-v*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-helm:
+    # Skip this Release on forks
+    if: github.repository_owner == 'projectcapsule'
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Publish Helm chart
+        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
+        with:
+          token: "${{ secrets.HELM_CHARTS_PUSH_TOKEN }}"
+          linting: off
+          charts_dir: charts
+          charts_url: https://${{ github.repository_owner }}.github.io/charts
+          owner: ${{ github.repository_owner }}
+          repository: charts
+          branch: gh-pages
+          commit_username: ${{ github.actor }}
+  publish-helm-oci:
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: write
+      id-token: write
+      packages: write
+    outputs:
+      chart-digest: ${{ steps.helm_publish.outputs.digest }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - name: Helm | Publish
+        id: helm_publish
+        uses: oliverbaehler/github-actions/helm-oci-chart@8dfd42735c85f6c58d5d4d6f3232cd0e39d1fe73 # v0.1.0
+        with:
+          registry: ghcr.io
+          repository: ${{ github.repository_owner }}/charts
+          name: "capsule"
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          update-dependencies: 'true' # Defaults to false
+          sign-image: 'true'
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+  helm-provenance:
+    needs: publish-helm-oci
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/charts/capsule
+      digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/helm-test.yml

@@ -0,0 +1,69 @@
+name: Test charts
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+      - name: Linting Chart
+        run: helm lint ./charts/capsule
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ./.github/configs/ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+      - name: Run chart-testing (lint)
+        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
+      - name: Run docs-testing (helm-docs)
+        id: helm-docs
+        run: |
+          make helm-docs
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+          fi
+
+      # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
+      # With this workflow the current docker image is build and loaded into kind, otherwise the install fails
+      # In the future this must be removed and the chart-testing-action must be used
+      - name: Run chart-testing (install)
+        run: make helm-test
+        if: steps.list-changed.outputs.changed == 'true'
+
+      ## Create KIND Cluster
+      - name: Create kind cluster
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        if: steps.list-changed.outputs.changed == 'true'
+      # Install Required Operators/CRDs
+      - name: Prepare Cluster Operators/CRDs
+        run: |
+          # Cert-Manager CRDs
+          kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+          
+          # Prometheus CRDs
+          kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+        if: steps.list-changed.outputs.changed == 'true'
+      # Install Charts
+      - name: Run chart-testing (install)
+        run: ct install --debug --config ./.github/configs/ct.yaml
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/helm.yml

@@ -1,86 +0,0 @@
-name: Helm Chart
-
-on:
-  push:
-    branches: [ "*" ]
-    tags: [ "helm-v*" ]
-  pull_request:
-    branches: [ "*" ]
-
-jobs:
-  lint:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - uses: azure/setup-helm@v1
-        with:
-          version: 3.3.4
-      - name: Linting Chart
-        run: helm lint ./charts/capsule
-      - name: Setup Chart Linting
-        id: lint
-        uses: helm/chart-testing-action@v2.3.0
-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --config ./.github/configs/ct.yaml)
-          if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
-          fi
-      - name: Run chart-testing (lint)
-        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
-      - name: Run docs-testing (helm-docs)
-        id: helm-docs
-        run: |
-          make helm-docs
-          if [[ $(git diff --stat) != '' ]]; then
-            echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
-            git diff --color
-            exit 1
-          else
-            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
-          fi
-
-      # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
-      # With this workflow the current docker image is build and loaded into kind, otherwise the install fails
-      # In the future this must be removed and the chart-testing-action must be used
-      - name: Run chart-testing (install)
-        run: make helm-test
-        if: steps.list-changed.outputs.changed == 'true'
-
-      ## Create KIND Cluster
-      #- name: Create kind cluster
-      #  uses: helm/kind-action@v1.2.0
-      #  if: steps.list-changed.outputs.changed == 'true'
-      ## Install Required Operators/CRDs
-      #- name: Prepare Cluster Operators/CRDs
-      #  run: |
-      #    # Cert-Manager CRDs
-      #    kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
-      #    
-      #    # Prometheus CRDs
-      #    kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
-      #  if: steps.list-changed.outputs.changed == 'true'
-      ## Install Charts
-      #- name: Run chart-testing (install)
-      #  run: ct install --debug --config ./.github/configs/ct.yaml
-      #  if: steps.list-changed.outputs.changed == 'true'
-  release:
-    if: startsWith(github.ref, 'refs/tags/helm-v')
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-      - name: Publish Helm chart
-        uses: stefanprodan/helm-gh-pages@master
-        with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          charts_dir: charts
-          charts_url: https://clastix.github.io/charts
-          owner: clastix
-          repository: charts
-          branch: gh-pages
-          target_dir: .
-          commit_username: prometherion
-          commit_email: dario@tranchitella.eu

.github/workflows/lint.yml

@@ -0,0 +1,25 @@
+name: Linting
+permissions: {}
+
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        with:
+          version: v1.51.2
+          only-new-issues: false
+          args: --timeout 5m --config .golangci.yml

.github/workflows/releaser.yml

@@ -0,0 +1,36 @@
+name: Go Release
+
+permissions: {}
+on:
+  push:
+    tags:
+      - 'v*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  create-release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+      - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
+      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        with:
+          version: latest
+          args: release --clean --timeout 90m --debug
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard.yml

@@ -0,0 +1,42 @@
+name: Scorecards supply-chain security
+permissions: {}
+
+on:
+  schedule:
+    - cron: '0 0 * * 5'
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: Run analysis
+        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          publish_results: true
+      - name: Upload artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -6,6 +6,7 @@
 *.so
 *.dylib
 bin
+dist/
 
 # Test binary, build with `go test -c`
 *.test

.golangci.yml

@@ -14,10 +14,10 @@ linters-settings:
     sections:
       - standard
       - default
-      - prefix(github.com/clastix/capsule)
+      - prefix(github.com/projectcapsule/capsule)
   goheader:
     template: |-
-      Copyright 2020-2021 Clastix Labs
+      Copyright 2020-2023 Project Capsule Authors.
       SPDX-License-Identifier: Apache-2.0
 
 linters:

.goreleaser.yml

@@ -0,0 +1,83 @@
+project_name: capsule
+env:
+  - COSIGN_EXPERIMENTAL=true
+  - GO111MODULE=on
+before:
+  hooks:
+    - go mod download
+gomod:
+  proxy: false
+builds:
+  - main: .
+    binary: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
+    env:
+      - CGO_ENABLED=0
+    goarch:
+      - amd64
+      - arm64
+    goos:
+      - linux
+    flags:
+      - -trimpath
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    ldflags:
+      - >-
+          -X main.Version={{ .Tag }}
+          -X main.GitCommit={{ .Commit }}
+          -X main.GitTag={{ .Tag }}
+          -X main.GitTreeState={{ .Date }}
+          -X main.BuildDate={{ .Date }}
+          -X main.GitRepo={{ .ProjectName }}
+release:
+  prerelease: auto
+  footer: |
+    Thanks to all the contributors!
+
+    **Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
+    
+    **Docker Images**
+    - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}`
+    - `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
+checksum:
+  name_template: 'checksums.txt'
+changelog:
+  sort: asc
+  use: github
+  filters:
+    exclude:
+    - '^test:'
+    - '^chore'
+    - '^rebase:'
+    - 'merge conflict'
+    - Merge pull request
+    - Merge remote-tracking branch
+    - Merge branch
+  groups:
+    # https://github.com/conventional-changelog/commitlint/tree/master/%40commitlint/config-conventional
+    - title: '🛠 Dependency updates'
+      regexp: '^.*?(feat|fix)\(deps\)!?:.+$'
+      order: 300
+    - title: '✨ New Features'
+      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
+      order: 100
+    - title: '🐛 Bug fixes'
+      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
+      order: 200
+    - title: '📖 Documentation updates'
+      regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$
+      order: 400
+    - title: '🚀 Build process updates'
+      regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$
+      order: 400
+    - title: '📦 Other work'
+      order: 9999
+sboms:
+  - artifacts: archive
+signs:
+- cmd: cosign
+  args:
+  - "sign-blob"
+  - "--output-signature=${signature}"
+  - "${artifact}"
+  - "--yes"
+  artifacts: all

.ko.yaml

@@ -0,0 +1,8 @@
+defaultPlatforms:
+- linux/arm64
+- linux/amd64
+builds:
+- id: capsule
+  main: ./
+  ldflags:
+  - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'

CODE_OF_CONDUCT.md

@@ -1,5 +1,7 @@
 # Contributor Covenant Code of Conduct
 
+Capsule follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+
 ## Our Pledge
 
 We as members, contributors, and leaders pledge to make participation in our
@@ -114,7 +116,7 @@ the community.
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+This Code of Conduct follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and is adapted from the [Contributor Covenant][homepage],
 version 2.0, available at
 https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
 

CONTRIBUTING.md

@@ -0,0 +1,58 @@
+# Contributing
+
+All contributions are welcome! If you find a bug or have a feature request, please open an issue or submit a pull request.
+
+
+## Guidelines
+
+
+## Pull Requests
+
+
+## Commits
+
+Commit messages should indicate the change and it's impact. The general format for commit messages is the following:
+
+    feat(ui): Add `Button` component
+    ^    ^    ^
+    |    |    |__ Subject
+    |    |_______ Scope
+    |____________ Type
+
+ The commits are checked on pull-request. If the commit message does not follow the format, the workflow will fail. See the [Types](#types) and [Scopes](#scopes) sections for more information.
+
+## Types
+
+The following types are allowed for commits and pull requests:
+
+  * `ci` or `build`: changes to buillding process/workflows
+  * `docs`: changes to documentation
+  * `feat`: new features
+  * `fix`: bug fixes
+
+## Scopes
+
+The following types are allowed for commits and pull requests:
+
+  * `all`: changes that affect all components
+  * `chart`: changes to the Helm chart
+  * `operator`: changes to the operator
+  * `docs`: changes to the documentation
+  * `website`: changes to the website
+  * `ci`: changes to the CI/CD workflows
+  * `build`: changes to the build process
+  * `test`: changes to the testing process
+  * `release`: changes to the release process
+  * `deps`: dependency updates
+
+### Sign-Off
+
+Developer Certificate of Origin (DCO) Sign off
+For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work which indicates you agree to the DCO found here.
+
+To sign your work, just add a line like this at the end of your commit message:
+
+Signed-off-by: Random J Developer <random@developer.example.org>
+This can easily be done with the -s command line option to append this automatically to your commit message.
+
+git commit -s -m 'This is my commit message'

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.19.10 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

Makefile

@@ -1,8 +1,23 @@
-# Current Operator version
-VERSION ?= $$(git describe --abbrev=0 --tags --match "v*")
+# Version
+GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
+VERSION          ?= $(shell git describe --abbrev=0 --tags --match "v*")
+ifndef VERSION
+VERSION          = $(GIT_HEAD_COMMIT)
+endif
+
+# Defaults
+REGISTRY        ?= ghcr.io
+REPOSITORY      ?= projectcapsule/capsule
+GIT_TAG_COMMIT  ?= $(shell git rev-parse --short $(VERSION))
+GIT_MODIFIED_1  ?= $(shell git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev")
+GIT_MODIFIED_2  ?= $(shell git diff --quiet && echo "" || echo ".dirty")
+GIT_MODIFIED    ?= $(shell echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
+GIT_REPO        ?= $(shell git config --get remote.origin.url)
+BUILD_DATE      ?= $(shell git log -1 --format="%at" | xargs -I{} sh -c 'if [ "$(shell uname)" = "Darwin" ]; then date -r {} +%Y-%m-%dT%H:%M:%S; else date -d @{} +%Y-%m-%dT%H:%M:%S; fi')
+IMG_BASE        ?= $(REPOSITORY)
+IMG             ?= $(IMG_BASE):$(VERSION)
+CAPSULE_IMG     ?= $(REGISTRY)/$(IMG_BASE)
 
-# Default bundle image tag
-BUNDLE_IMG ?= clastix/capsule:$(VERSION)-bundle
 # Options for 'bundle-build'
 ifneq ($(origin CHANNELS), undefined)
 BUNDLE_CHANNELS := --channels=$(CHANNELS)
@@ -12,9 +27,6 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
 endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
-# Image URL to use all building/pushing image targets
-IMG ?= clastix/capsule:$(VERSION)
-
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -22,20 +34,16 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
-# Get information about git current status
-GIT_HEAD_COMMIT ?= $$(git rev-parse --short HEAD)
-GIT_TAG_COMMIT  ?= $$(git rev-parse --short $(VERSION))
-GIT_MODIFIED_1  ?= $$(git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev")
-GIT_MODIFIED_2  ?= $$(git diff --quiet && echo "" || echo ".dirty")
-GIT_MODIFIED    ?= $$(echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
-GIT_REPO        ?= $$(git config --get remote.origin.url)
-BUILD_DATE      ?= $$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)
-
 all: manager
 
 # Run tests
-test: generate manifests
-	go test ./... -coverprofile cover.out
+.PHONY: test
+test: test-clean generate manifests test-clean
+	@GO111MODULE=on go test -v ./... -coverprofile coverage.out
+
+.PHONY: test-clean
+test-clean: ## Clean tests cache
+	@go clean -testcache
 
 # Build manager binary
 manager: generate golint
@@ -47,7 +55,7 @@ run: generate manifests
 
 # Creates the single file to install Capsule without any external dependency
 installer: manifests kustomize
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG}
 	$(KUSTOMIZE) build config/default > config/install.yaml
 
 # Install CRDs into a cluster
@@ -86,12 +94,13 @@ helm-docs: HELMDOCS_VERSION := v1.11.0
 helm-docs: docker
 	@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
 
-helm-lint: ct
-	@ct lint --config $(SRC_ROOT)/.github/configs/ct.yaml --lint-conf $(SRC_ROOT)/.github/configs/lintconf.yaml --all --debug
+helm-lint: CT_VERSION := v3.3.1
+helm-lint: docker
+	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml  --lint-conf .github/configs/lintconf.yaml  --all --debug"
 
-helm-test: kind ct docker-build
+helm-test: kind ct ko-build-all
 	@kind create cluster --wait=60s --name capsule-charts
-	@kind load docker-image --name capsule-charts ${IMG}
+	@kind load docker-image --name capsule-charts $(LOCAL_CAPSULE_IMG)
 	@kubectl create ns capsule-system
 	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
 	@kind delete cluster --name capsule-charts
@@ -166,42 +175,101 @@ dev-setup:
 		]";
 
 
-# Build the docker image
-docker-build: test
-	docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \
- 							 --build-arg GIT_TAG_COMMIT=$(GIT_TAG_COMMIT) \
- 							 --build-arg GIT_MODIFIED=$(GIT_MODIFIED) \
- 							 --build-arg GIT_REPO=$(GIT_REPO) \
- 							 --build-arg GIT_LAST_TAG=$(VERSION) \
- 							 --build-arg BUILD_DATE=$(BUILD_DATE)
+####################
+# -- Docker
+####################
 
-# Push the docker image
-docker-push:
-	docker push ${IMG}
+KOCACHE         ?= /tmp/ko-cache
+KO_REGISTRY     := ko.local
+KO_TAGS         ?= "latest"
+ifdef VERSION
+KO_TAGS         := $(KO_TAGS),$(VERSION)
+endif
 
-CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
+LD_FLAGS        := "-X main.Version=$(VERSION) \
+					-X main.GitCommit=$(GIT_HEAD_COMMIT) \
+					-X main.GitTag=$(VERSION) \
+					-X main.GitTreeState=$(GIT_MODIFIED) \
+					-X main.BuildDate=$(BUILD_DATE) \
+					-X main.GitRepo=$(GIT_REPO)"
+
+# Docker Image Build
+# ------------------
+
+.PHONY: ko-build-capsule
+LOCAL_CAPSULE_IMG_BASE := github.com/$(REPOSITORY)
+LOCAL_CAPSULE_IMG := $(KO_REGISTRY)/$(LOCAL_CAPSULE_IMG_BASE)
+ko-build-capsule: ko
+	@echo Building Capsule $(KO_TAGS) >&2
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build ./ --preserve-import-paths --tags=$(KO_TAGS)  --push=false
+
+.PHONY: ko-build-all
+ko-build-all: ko-build-capsule
+
+# Docker Image Publish
+# ------------------
+
+REGISTRY_PASSWORD   ?= dummy
+REGISTRY_USERNAME   ?= dummy
+
+.PHONY: ko-login
+ko-login: ko
+	@$(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password $(REGISTRY_PASSWORD)
+
+.PHONY: ko-publish-capsule
+ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
+		$(KO) build ./ --bare --tags=$(KO_TAGS)
+
+.PHONY: ko-publish-all
+ko-publish-all: ko-publish-capsule
+
+####################
+# -- Binaries
+####################
+
+CONTROLLER_GEN         := $(shell pwd)/bin/controller-gen
+CONTROLLER_GEN_VERSION := v0.10.0
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0)
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 
-APIDOCS_GEN = $(shell pwd)/bin/crdoc
+APIDOCS_GEN         := $(shell pwd)/bin/crdoc
+APIDOCS_GEN_VERSION := latest
 apidocs-gen: ## Download crdoc locally if necessary.
-	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@latest)
+	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
 
-GINKGO = $(shell pwd)/bin/ginkgo
+GINKGO         := $(shell pwd)/bin/ginkgo
+GINGKO_VERSION := v2.9.5
 ginkgo: ## Download ginkgo locally if necessary.
-	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@v2.9.5)
+	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
 
-CT = $(shell pwd)/bin/ct
+CT         := $(shell pwd)/bin/ct
+CT_VERSION := v3.7.1
 ct: ## Download ct locally if necessary.
-	$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@v3.7.1)
+	$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
 
-KIND = $(shell pwd)/bin/kind
+KIND         := $(shell pwd)/bin/kind
+KIND_VERSION := v0.17.0
 kind: ## Download kind locally if necessary.
-	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@v0.17.0)
+	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
 
-KUSTOMIZE = $(shell pwd)/bin/kustomize
+KUSTOMIZE         := $(shell pwd)/bin/kustomize
+KUSTOMIZE_VERSION := 3.8.7
 kustomize: ## Download kustomize locally if necessary.
-	$(call install-kustomize,$(KUSTOMIZE),3.8.7)
+	$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
+
+KO = $(shell pwd)/bin/ko
+KO_VERSION = v0.14.1
+ko:
+	$(call go-install-tool,$(KO),github.com/google/ko@v0.14.1)
+
+####################
+# -- Helpers
+####################
+pull-upstream:
+	git remote add upstream https://github.com/capsuleproject/capsule.git
+	git fetch --all && git pull upstream
 
 define install-kustomize
 @[ -f $(1) ] || { \
@@ -218,7 +286,6 @@ PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-install-tool
 @[ -f $(1) ] || { \
 set -e ;\
-echo "Installing $(2)" ;\
 GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 }
 endef
@@ -229,14 +296,10 @@ bundle: manifests
 	kustomize build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 	operator-sdk bundle validate ./bundle
 
-# Build the bundle image.
-bundle-build:
-	docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
-
 # Sorting imports
 .PHONY: goimports
 goimports:
-	goimports -w -l -local "github.com/clastix/capsule" .
+	goimports -w -l -local "github.com/projectcapsule/capsule" .
 
 GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
 golangci-lint: ## Download golangci-lint locally if necessary.
@@ -254,8 +317,11 @@ e2e/%: ginkgo
 
 e2e-build/%:
 	kind create cluster --wait=60s --name capsule --image=kindest/node:$*
-	make docker-build
-	kind load docker-image --nodes capsule-control-plane --name capsule $(IMG)
+	make e2e-load-image
+	make e2e-install
+
+.PHONY: e2e-install
+e2e-install:
 	helm upgrade \
 		--debug \
 		--install \
@@ -264,14 +330,27 @@ e2e-build/%:
 		--set 'manager.image.pullPolicy=Never' \
 		--set 'manager.resources=null'\
 		--set "manager.image.tag=$(VERSION)" \
+		--set 'manager.image.registry=$(KO_REGISTRY)' \
+		--set 'manager.image.repository=$(LOCAL_CAPSULE_IMG_BASE)' \
 		--set 'manager.livenessProbe.failureThreshold=10' \
 		--set 'manager.readinessProbe.failureThreshold=10' \
 		--set 'podSecurityContext.seccompProfile=null' \
 		capsule \
 		./charts/capsule
 
+.PHONY: e2e-load-image
+e2e-load-image: ko-build-all
+	kind load docker-image --nodes capsule-control-plane --name capsule $(LOCAL_CAPSULE_IMG):$(VERSION)
+
+.PHONY: e2e-exec
 e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e
 
+.PHONY: e2e-destroy
 e2e-destroy:
 	kind delete cluster --name capsule
+
+SPELL_CHECKER = npx spellchecker-cli
+docs-lint:
+	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" -d dictionary.txt
+

PROJECT

@@ -5,7 +5,7 @@ plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}
 projectName: capsule
-repo: github.com/clastix/capsule
+repo: github.com/projectcapsule/capsule
 resources:
 - api:
     crdVersion: v1
@@ -13,7 +13,7 @@ resources:
   domain: clastix.io
   group: capsule
   kind: Tenant
-  path: github.com/clastix/capsule/api/v1alpha1
+  path: github.com/projectcapsule/capsule/api/v1alpha1
   version: v1alpha1
   webhooks:
     conversion: true
@@ -24,21 +24,21 @@ resources:
   domain: clastix.io
   group: capsule
   kind: CapsuleConfiguration
-  path: github.com/clastix/capsule/api/v1alpha1
+  path: github.com/projectcapsule/capsule/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
   domain: clastix.io
   group: capsule
   kind: Tenant
-  path: github.com/clastix/capsule/api/v1beta1
+  path: github.com/projectcapsule/capsule/api/v1beta1
   version: v1beta1
 - api:
     crdVersion: v1
   domain: clastix.io
   group: capsule
   kind: Tenant
-  path: github.com/clastix/capsule/api/v1beta2
+  path: github.com/projectcapsule/capsule/api/v1beta2
   version: v1beta2
 - api:
     crdVersion: v1
@@ -46,7 +46,7 @@ resources:
   domain: clastix.io
   group: capsule
   kind: CapsuleConfiguration
-  path: github.com/clastix/capsule/api/v1beta2
+  path: github.com/projectcapsule/capsule/api/v1beta2
   version: v1beta2
 - api:
     crdVersion: v1
@@ -54,13 +54,13 @@ resources:
   domain: clastix.io
   group: capsule
   kind: TenantResource
-  path: github.com/clastix/capsule/api/v1beta2
+  path: github.com/projectcapsule/capsule/api/v1beta2
   version: v1beta2
 - api:
     crdVersion: v1
   domain: clastix.io
   group: capsule
   kind: GlobalTenantResource
-  path: github.com/clastix/capsule/api/v1beta2
+  path: github.com/projectcapsule/capsule/api/v1beta2
   version: v1beta2
 version: "3"

README.md

@@ -1,14 +1,20 @@
 
 <p align="left">
-  <img src="https://github.com/clastix/capsule/actions/workflows/ci.yml/badge.svg"/>
+  <img src="https://github.com/projectcapsule/capsule/actions/workflows/ci.yml/badge.svg"/>
   <img src="https://img.shields.io/github/license/clastix/capsule"/>
   <img src="https://img.shields.io/github/go-mod/go-version/clastix/capsule"/>
-  <a href="https://github.com/clastix/capsule/releases">
+  <a href="https://github.com/projectcapsule/capsule/releases">
     <img src="https://img.shields.io/github/v/release/clastix/capsule"/>
   </a>
   <a href="https://charmhub.io/capsule-k8s">
     <img src="https://charmhub.io/capsule-k8s/badge.svg"/>
   </a>
+  <a href="https://www.bestpractices.dev/projects/5601">
+    <img src="https://www.bestpractices.dev/projects/5601/badge"/>
+  </a>
+  <a href="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge">
+    <img src="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge"/>
+  </a>
 </p>
 
 <p align="center">
@@ -91,7 +97,9 @@ make helm-docs
 
 ## Community
 
-Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/clastix/capsule-community).
+Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
+
+Please read the [code of conduct](CODE_OF_CONDUCT.md).
 
 ## Adopters
 
@@ -105,6 +113,10 @@ You can find how the Capsule project is governed [here](https://capsule.clastix.
 
 Please, refer to the maintainers file available [here](.github/maintainers.yaml).
 
+## Release process
+
+Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
+
 # FAQ
 
 - Q. How to pronounce Capsule?
@@ -113,7 +125,7 @@ Please, refer to the maintainers file available [here](.github/maintainers.yaml)
 
 - Q. Is it production grade?
 
-  A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/clastix/capsule/releases) page for a detailed list of available versions.
+  A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/projectcapsule/capsule/releases) page for a detailed list of available versions.
 
 - Q. Does it work with my Kubernetes XYZ distribution?
 

api/v1alpha1/additional_metadata.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

api/v1alpha1/capsuleconfiguration_annotations.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

api/v1alpha1/capsuleconfiguration_types.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

api/v1alpha1/capsuleconfiguration_webhook.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

api/v1alpha1/conversion_hub.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -13,8 +13,8 @@ import (
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 
-	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
-	"github.com/clastix/capsule/pkg/api"
+	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 const (

api/v1alpha1/conversion_hub_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -15,8 +15,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"
 
-	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
-	"github.com/clastix/capsule/pkg/api"
+	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 //nolint:maintidx

api/v1alpha1/groupversion_info.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package v1alpha1 contains API Schema definitions for the capsule.clastix.io v1alpha1 API group

api/v1alpha1/owner.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

api/v1alpha1/tenant_func.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

api/v1alpha1/tenant_types.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -8,7 +8,7 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 // TenantSpec defines the desired state of Tenant.

api/v1alpha1/tenant_webhook.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
 package v1alpha1
 
 import (
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/api/networking/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"

api/v1beta1/custom_resource_quota.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/deny_wildcard.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/groupversion_info.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group

api/v1beta1/ingress_options.go

@@ -1,10 +1,10 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1
 
 import (
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 type IngressOptions struct {

api/v1beta1/namespace_options.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1
@@ -6,7 +6,7 @@ package v1beta1
 import (
 	"strings"
 
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 type NamespaceOptions struct {

api/v1beta1/owner.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/owner_list.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/owner_list_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/owner_role.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/service_allowed_types.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/service_options.go

@@ -1,10 +1,10 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1
 
 import (
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 type ServiceOptions struct {

api/v1beta1/tenant_func.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/tenant_status.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/tenant_types.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1
@@ -6,7 +6,7 @@ package v1beta1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 // TenantSpec defines the desired state of Tenant.

api/v1beta1/tenant_webhook.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta1

api/v1beta1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
 package v1beta1
 
 import (
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 

api/v1beta2/additional_role_bindings.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/capsuleconfiguration_convertion_hub.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
@@ -10,7 +10,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 
-	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	capsulev1alpha1 "github.com/projectcapsule/capsule/api/v1alpha1"
 )
 
 func (in *CapsuleConfiguration) ConvertTo(raw conversion.Hub) error {

api/v1beta2/capsuleconfiguration_types.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
@@ -6,7 +6,7 @@ package v1beta2
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 // CapsuleConfigurationSpec defines the Capsule configuration.

api/v1beta2/custom_resource_quota.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/groupversion_info.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package v1beta2 contains API Schema definitions for the capsule v1beta2 API group

api/v1beta2/ingress_options.go

@@ -1,10 +1,10 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
 
 import (
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 type IngressOptions struct {

api/v1beta2/namespace_options.go

@@ -1,10 +1,10 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
 
 import (
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 type NamespaceOptions struct {

api/v1beta2/owner.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/owner_list.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/owner_list_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/tenant_annotations.go

@@ -1,17 +1,44 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
 
 import (
+	"crypto/md5" //#nosec
+	"encoding/hex"
 	"fmt"
-	"strings"
 )
 
-func UsedQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
+const (
+	// Annotation name part must be no more than 63 characters.
+	maxAnnotationLength = 63
+)
+
+func createAnnotation(format string, resource fmt.Stringer) (string, error) {
+	suffix := resource.String()
+
+	hash := md5.Sum([]byte(resource.String())) //#nosec
+
+	hashed := hex.EncodeToString(hash[:])
+	capsuleHashed := format + hashed
+	capsuleAnnotation := format + suffix
+
+	switch {
+	case len(capsuleAnnotation) <= maxAnnotationLength:
+		return capsuleAnnotation, nil
+	case len(capsuleHashed) <= maxAnnotationLength:
+		return capsuleHashed, nil
+	case len(hashed) <= maxAnnotationLength:
+		return hashed, nil
+	default:
+		return "", fmt.Errorf("the annotation name would exceed the maximum supported length (%d), skipping", maxAnnotationLength)
+	}
 }
 
-func HardQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
+func UsedQuotaFor(resource fmt.Stringer) (string, error) {
+	return createAnnotation("quota.capsule.clastix.io/used-", resource)
+}
+
+func HardQuotaFor(resource fmt.Stringer) (string, error) {
+	return createAnnotation("quota.capsule.clastix.io/hard-", resource)
 }

api/v1beta2/tenant_conversion_hub.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
@@ -10,8 +10,8 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 
-	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
-	"github.com/clastix/capsule/pkg/api"
+	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 func (in *Tenant) ConvertFrom(raw conversion.Hub) error {

api/v1beta2/tenant_func.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/tenant_labels.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/tenant_status.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/tenant_types.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
@@ -6,7 +6,7 @@ package v1beta2
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 // TenantSpec defines the desired state of Tenant.

api/v1beta2/tenantresource_global.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/tenantresource_namespaced.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2
@@ -7,7 +7,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 // TenantResourceSpec defines the desired state of TenantResource.

api/v1beta2/tenantresource_types.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1beta2

api/v1beta2/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 //go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 // Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
 package v1beta2
 
 import (
-	"github.com/clastix/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api"
 	"k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

charts/capsule/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 type: application
 description: A Helm chart to deploy the Capsule Operator for easily implementing,
   managing, and maintaining mutitenancy and access control in Kubernetes.
-home: https://github.com/clastix/capsule
-icon: https://github.com/clastix/capsule/raw/master/assets/logo/capsule_small.png
+home: https://github.com/projectcapsule/capsule
+icon: https://github.com/projectcapsule/capsule/raw/master/assets/logo/capsule_small.png
 keywords:
 - kubernetes
 - operator
@@ -17,12 +17,12 @@ maintainers:
   name: Clastix Labs Team
 name: capsule
 sources:
-- https://github.com/clastix/capsule
+- https://github.com/projectcapsule/capsule
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.4.3
+version: 0.4.6
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.3.2
+appVersion: 0.3.3

charts/capsule/README.md

@@ -22,11 +22,15 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
 1. Add this repository:
 
-        $ helm repo add clastix https://clastix.github.io/charts
+        $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
 2. Install the Chart:
 
-        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+
+        or
+
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
 
 3. Show the status:
 
@@ -34,7 +38,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
 4. Upgrade the Chart
 
-        $ helm upgrade capsule clastix/capsule -n capsule-system
+        $ helm upgrade capsule projectcapsule/capsule -n capsule-system
+
+        or
+
+        $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
 
 5. Uninstall the Chart
 
@@ -68,6 +76,7 @@ Here the values you can override:
 | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
 | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
 | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
+| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
 | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
 | jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
 | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
@@ -85,6 +94,7 @@ Here the values you can override:
 | tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
 | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
 | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
+| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
 | validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
 
 ### Manager Parameters
@@ -93,7 +103,8 @@ Here the values you can override:
 |-----|------|---------|-------------|
 | manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode.  Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
 | manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
-| manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. |
+| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
+| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
 | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
@@ -195,7 +206,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 You can enable the generation of certificates using `cert-manager` as follows.
 
 ```
-helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
   --set "certManager.generateCertificates=true" \
   --set "tls.create=false" \
   --set "tls.enableController=false"
@@ -220,4 +231,4 @@ metadata:
 
 ## More
 
-See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/projectcapsule/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

charts/capsule/README.md.gotmpl

@@ -22,11 +22,15 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
 1. Add this repository:
 
-        $ helm repo add clastix https://clastix.github.io/charts
+        $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
 2. Install the Chart:
 
-        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+
+        or
+
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
 
 3. Show the status:
 
@@ -34,7 +38,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
 4. Upgrade the Chart
 
-        $ helm upgrade capsule clastix/capsule -n capsule-system
+        $ helm upgrade capsule projectcapsule/capsule -n capsule-system
+
+        or
+
+        $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
 
 5. Uninstall the Chart
 
@@ -132,7 +140,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 You can enable the generation of certificates using `cert-manager` as follows.
 
 ```
-helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
   --set "certManager.generateCertificates=true" \
   --set "tls.create=false" \
   --set "tls.enableController=false"
@@ -157,4 +165,4 @@ metadata:
 
 ## More
 
-See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/projectcapsule/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

charts/capsule/templates/_helpers.tpl

@@ -80,7 +80,7 @@ Create the name of the service account to use
 Create the manager fully-qualified Docker image to use
 */}}
 {{- define "capsule.managerFullyQualifiedDockerImage" -}}
-{{- printf "%s:%s" .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
+{{- printf "%s/%s:%s" .Values.manager.image.registry  .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
 {{- end }}
 
 {{/*
@@ -106,9 +106,9 @@ Create the jobs fully-qualified Docker image to use
 */}}
 {{- define "capsule.jobsFullyQualifiedDockerImage" -}}
 {{- if .Values.jobs.image.tag }}
-{{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
 {{- else }}
-{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
+{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
 {{- end }}
 {{- end }}
 

charts/capsule/templates/deployment.yaml

@@ -49,6 +49,10 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         - name: cert
           secret:
@@ -56,8 +60,6 @@ spec:
             secretName: {{ include "capsule.secretTlsName" . }}
       containers:
         - name: manager
-          command:
-          - /manager
           args:
           - --webhook-port={{ .Values.manager.webhookPort }}
           - --enable-leader-election

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -265,7 +265,7 @@ webhooks:
 {{- end }}
     service:
       name: capsule-webhook-service
-      namespace: capsule-system
+      namespace: {{ .Release.Namespace }}
       path: /tenantresource-objects
   failurePolicy:  {{ .Values.webhooks.tenantResourceObjects.failurePolicy }}
   name: resource-objects.tenant.capsule.clastix.io

charts/capsule/values.yaml

@@ -18,8 +18,10 @@ manager:
   kind: Deployment
 
   image:
-    # -- Set the image repository of the capsule.
-    repository: clastix/capsule
+     # -- Set the image registry of capsule.
+    registry: ghcr.io
+    # -- Set the image repository of capsule.
+    repository: projectcapsule/capsule
     # -- Set the image pull policy.
     pullPolicy: IfNotPresent
     # -- Overrides the image tag whose default is the chart appVersion.
@@ -126,12 +128,17 @@ replicaCount: 1
 # -- Set affinity rules for the Capsule pod
 affinity: {}
 
+# -- Set topology spread constraints for the Capsule pod
+topologySpreadConstraints: []
+
 podSecurityPolicy:
   # -- Specify if a Pod Security Policy must be created
   enabled: false
 
 jobs:
   image:
+    # -- Set the image repository of the helm chart job
+    registry: docker.io
     # -- Set the image repository of the helm chart job
     repository: clastix/kubectl
     # -- Set the image pull policy of the helm chart job

config/install.yaml

@@ -2762,14 +2762,12 @@ spec:
         - --zap-encoder=console
         - --zap-log-level=debug
         - --configuration-name=capsule-default
-        command:
-        - /manager
         env:
         - name: NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: clastix/capsule:v0.3.2
+        image: ghcr.io/projectcapsule/capsule
         imagePullPolicy: IfNotPresent
         name: manager
         ports:

config/manager/kustomization.yaml

@@ -6,5 +6,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: clastix/capsule
-  newTag: v0.3.2
+  newName: ghcr.io/projectcapsule/capsule

config/manager/manager.yaml

@@ -23,9 +23,7 @@ spec:
         control-plane: controller-manager
     spec:
       containers:
-      - command:
-        - /manager
-        args:
+      - args:
         - --enable-leader-election
         - --zap-encoder=console
         - --zap-log-level=debug

controllers/config/manager.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package config
@@ -12,9 +12,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
-	"github.com/clastix/capsule/controllers/utils"
-	"github.com/clastix/capsule/pkg/configuration"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	"github.com/projectcapsule/capsule/controllers/utils"
+	"github.com/projectcapsule/capsule/pkg/configuration"
 )
 
 type Manager struct {

controllers/pv/controller.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package pv
@@ -16,9 +16,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
-	capsuleutils "github.com/clastix/capsule/pkg/utils"
-	webhookutils "github.com/clastix/capsule/pkg/webhook/utils"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
+	webhookutils "github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
 
 type Controller struct {

controllers/rbac/const.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package rbac

controllers/rbac/manager.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package rbac
@@ -20,9 +20,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
-	"github.com/clastix/capsule/controllers/utils"
-	"github.com/clastix/capsule/pkg/configuration"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	"github.com/projectcapsule/capsule/controllers/utils"
+	"github.com/projectcapsule/capsule/pkg/configuration"
 )
 
 type Manager struct {

controllers/resources/global.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package resources
@@ -21,7 +21,7 @@ import (
 	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 )
 
 type Global struct {
@@ -40,7 +40,9 @@ func (r *Global) enqueueRequestFromTenant(ctx context.Context, object client.Obj
 	set := sets.NewString()
 
 	for _, res := range resList.Items {
-		selector, err := metav1.LabelSelectorAsSelector(&res.Spec.TenantSelector)
+		tntSelector := res.Spec.TenantSelector
+
+		selector, err := metav1.LabelSelectorAsSelector(&tntSelector)
 		if err != nil {
 			continue
 		}

controllers/resources/namespaced.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package resources
@@ -18,7 +18,7 @@ import (
 	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 )
 
 type Namespaced struct {

controllers/resources/processor.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package resources
@@ -22,7 +22,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 
-	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 )
 
 const (
@@ -146,7 +146,9 @@ func (r *Processor) HandleSection(ctx context.Context, tnt capsulev1beta2.Tenant
 			}
 			// Namespaced Items are relying on selecting resources, rather than specifying a specific name:
 			// creating it to get used by the client List action.
-			itemSelector, selectorErr := metav1.LabelSelectorAsSelector(&item.Selector)
+			objSelector := item.Selector
+
+			itemSelector, selectorErr := metav1.LabelSelectorAsSelector(&objSelector)
 			if selectorErr != nil {
 				log.Error(selectorErr, "cannot create Selector for namespacedItem", keysAndValues...)
 
@@ -172,6 +174,7 @@ func (r *Processor) HandleSection(ctx context.Context, tnt capsulev1beta2.Tenant
 			for _, o := range objs.Items {
 				obj := o
 				obj.SetNamespace(ns.Name)
+				obj.SetOwnerReferences(nil)
 
 				multiErr.Go(func() error {
 					kv := keysAndValues

controllers/servicelabels/abstract.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package servicelabels
@@ -20,8 +20,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
-	"github.com/clastix/capsule/pkg/utils"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	"github.com/projectcapsule/capsule/pkg/utils"
 )
 
 type abstractServiceLabelsReconciler struct {

controllers/servicelabels/endpoint.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package servicelabels

controllers/servicelabels/endpoint_slices.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Clastix Labs
+// Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
 package servicelabels