feat(api): add tenant funcs to retrieve subjects based on clusterrole bindings (#1231)

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,18 +1,7 @@
 <!--
-# General contribution criteria
+Read the contribution guidelines before creating a pull request.
+
+https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md
 
 Thanks for spending some time for improving and fixing Capsule!
-
-We're still working on the outline of the contribution guidelines but we're
-following ourselves these points:
-
-- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests 
-- including a sentence or two in the commit description for the
-  changelog/release notes
-- splitting changes into several and documented small commits
-- limit the git subject to 50 characters and write as the continuation of the
-  sentence "If applied, this commit will ..."
-- explain what and why in the body, if more than a trivial change, wrapping at
-  72 characters
-
 -->

.github/configs/ct.yaml

@@ -2,6 +2,8 @@ remote: origin
 target-branch: main
 chart-dirs:
   - charts
+chart-repos:
+  - capsule=https://projectcapsule.github.io/charts/
 helm-extra-args: "--timeout 600s"  
 validate-chart-schema: false
 validate-maintainers: false

.github/dependabot.yml

@@ -13,4 +13,4 @@ updates:
       interval: daily
     rebase-strategy: disabled
     commit-message:
-      prefix: "ci"
+      prefix: "ci(deps)"

.github/maintainers.yaml

@@ -18,6 +18,12 @@
     - https://github.com/clastix/capsule-proxy
 - name: Oliver Bähler
   github: https://github.com/oliverbaehler
-  company: Bedag Informatik AG
+  company: Peak Scale
   projects:
     - https://github.com/projectcapsule/capsule
+- name: Massimiliano Giovagnoli
+  github: https://github.com/maxgio92
+  company: Proximus
+  projects:
+    - https://github.com/projectcapsule/capsule
+    - https://github.com/projectcapsule/capsule-proxy

.github/workflows/check-actions.yml

@@ -14,9 +14,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ed00f72a3ca5b6eff8ad4d3ffdcacedb67a21db1 # v3.0.15
         with:
           # slsa-github-generator requires using a semver tag for reusable workflows. 
           # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators

.github/workflows/check-commit.yml

@@ -15,9 +15,9 @@ jobs:
   commit_lint:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3
+      - uses: wagoid/commitlint-github-action@3d28780bbf0365e29b144e272b2121204d5be5f3 #v6.1.2
         with:
           firstParent: true

.github/workflows/check-pr.yml

@@ -0,0 +1,37 @@
+name: "Check Pull Request"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: write
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            chore
+            ci
+            docs
+            feat
+            fix
+            test
+            sec
+          requireScope: false
+          wip: false
+          # If the PR only contains a single commit, the action will validate that
+          # it matches the configured pattern.
+          validateSingleCommit: true
+          # Related to `validateSingleCommit` you can opt-in to validate that the PR
+          # title matches a single commit to avoid confusion.
+          validateSingleCommitMatchesPrTitle: true

.github/workflows/codecov.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: Setup caches
         uses: ./.github/actions/setup-caches
         timeout-minutes: 5
@@ -31,7 +31,7 @@ jobs:
         run: make test
       - name: Upload Report to Codecov
         if: steps.checksecret.outputs.result == 'true'
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
         with:
           file: ./coverage.out
           fail_ci_if_error: true

.github/workflows/diff.yml

@@ -16,18 +16,15 @@ jobs:
     name: diff
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.19'
-      - run: make installer
+          go-version-file: 'go.mod'
+      - run: make manifests
       - name: Checking if YAML installer file is not aligned
         run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
-      - run: make apidoc
-      - name: Checking if the CRDs documentation is not aligned
-        run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> CRDs generated documentation have not been committed" && git --no-pager diff && exit 1; fi
       - name: Checking if YAML installer generated untracked files
         run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
       - name: Checking if source code is not formatted

.github/workflows/docker-publish.yml

@@ -20,7 +20,7 @@ jobs:
       capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: Setup caches
         uses: ./.github/actions/setup-caches
         timeout-minutes: 5
@@ -28,7 +28,7 @@ jobs:
         with:
           build-cache-key: publish-images
       - name: Run Trivy vulnerability (Repo)
-        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -36,10 +36,10 @@ jobs:
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
       - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - name: Publish Capsule
         id: publish-capsule
-        uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
+        uses: peak-scale/github-actions/make-ko-publish@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
         with:
           makefile-target: ko-publish-capsule
           registry: ghcr.io
@@ -60,7 +60,7 @@ jobs:
       id-token: write   # To sign the provenance.
       packages: write   # To upload assets to release.
       actions: read     # To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
     with:
       image: ghcr.io/${{ github.repository_owner }}/capsule
       digest: "${{ needs.publish-images.outputs.capsule-digest }}"

.github/workflows/docs-lint.yml

@@ -22,10 +22,10 @@ jobs:
     name: Spell Check
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 18
       - run: make docs-lint

.github/workflows/e2e.yml

@@ -37,26 +37,21 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s-version: ['v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2']
+        k8s-version: [ 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0', 'v1.30.0', 'v1.31.0' ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.19'
-      - run: make manifests
-      - name: Checking if manifests are disaligned
-        run: test -z "$(git diff 2> /dev/null)"
-      - name: Checking if manifests generated untracked files
-        run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
+          go-version-file: 'go.mod'
       - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           skipClusterCreation: true
           version: v0.14.0
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v3
         with:
-          version: 3.3.4
+          version: v3.14.2
       - name: e2e testing
         run: make e2e/${{ matrix.k8s-version }}

.github/workflows/fossa.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: "Checkout Code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       - name: Check secret
         id: checksecret
         uses: ./.github/actions/exists
@@ -24,12 +24,12 @@ jobs:
           value: ${{ secrets.FOSSA_API_KEY }}
       - name: "Run FOSSA Scan"
         if: steps.checksecret.outputs.result == 'true'
-        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+        uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0
         with:
           api-key: ${{ secrets.FOSSA_API_KEY }}
       - name: "Run FOSSA Test"
         if: steps.checksecret.outputs.result == 'true'
-        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+        uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0
         with:
           api-key: ${{ secrets.FOSSA_API_KEY }}
           run-tests: true

.github/workflows/gosec.yml

@@ -1,5 +1,10 @@
 name: CI gosec
-permissions: {}
+permissions:
+  # required for all workflows
+  security-events: write
+  # only required for workflows in private repositories
+  actions: read
+  contents: read
 on:
   push:
     branches: [ "*" ]
@@ -17,8 +22,16 @@ jobs:
       GO111MODULE: on
     steps:
       - name: Checkout Source
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@0ec6cd95d7bf02aef4ec2786e884868e0044875b # v2.18.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          args: ./...
+          go-version-file: 'go.mod'
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@d4617f51baf75f4f809066386a4f9d27b3ac3e46 # v2.21.4
+        with:
+          args:  '-no-fail -fmt sarif -out gosec.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc
+        with:
+          sarif_file: gosec.sarif
+

.github/workflows/helm-publish.yml

@@ -2,7 +2,8 @@ name: Publish charts
 permissions: read-all
 on:
   push:
-    tags: [ "helm-v*" ]
+    tags:
+      - 'v*'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,12 +15,20 @@ jobs:
     if: github.repository_owner == 'projectcapsule'
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: "Extract Version"
+        id: extract_version
+        run: |
+          GIT_TAG=${GITHUB_REF##*/}
+          VERSION=${GIT_TAG##*v}
+          echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
       - name: Publish Helm chart
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:
           token: "${{ secrets.HELM_CHARTS_PUSH_TOKEN }}"
           linting: off
+          chart_version: ${{ steps.extract_version.outputs.version }}
+          app_version: ${{ steps.extract_version.outputs.version }}
           charts_dir: charts
           charts_url: https://${{ github.repository_owner }}.github.io/charts
           owner: ${{ github.repository_owner }}
@@ -35,15 +44,23 @@ jobs:
     outputs:
       chart-digest: ${{ steps.helm_publish.outputs.digest }}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: "Extract Version"
+        id: extract_version
+        run: |
+          GIT_TAG=${GITHUB_REF##*/}
+          VERSION=${GIT_TAG##*v}
+          echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
       - name: Helm | Publish
         id: helm_publish
-        uses: oliverbaehler/github-actions/helm-oci-chart@8dfd42735c85f6c58d5d4d6f3232cd0e39d1fe73 # v0.1.0
+        uses: peak-scale/github-actions/helm-oci-chart@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
         with:
           registry: ghcr.io
           repository: ${{ github.repository_owner }}/charts
           name: "capsule"
+          version: ${{ steps.extract_version.outputs.version }}
+          app-version: ${{ steps.extract_version.outputs.version }}
           registry-username: ${{ github.actor }}
           registry-password: ${{ secrets.GITHUB_TOKEN }}
           update-dependencies: 'true' # Defaults to false
@@ -55,7 +72,7 @@ jobs:
       id-token: write   # To sign the provenance.
       packages: write   # To upload assets to release.
       actions: read     # To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
     with:
       image: ghcr.io/${{ github.repository_owner }}/charts/capsule
       digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"

.github/workflows/helm-test.yml

@@ -13,15 +13,15 @@ jobs:
   lint:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v3
       - name: Linting Chart
         run: helm lint ./charts/capsule
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
@@ -43,27 +43,6 @@ jobs:
             echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
           fi
 
-      # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
-      # With this workflow the current docker image is build and loaded into kind, otherwise the install fails
-      # In the future this must be removed and the chart-testing-action must be used
       - name: Run chart-testing (install)
         run: make helm-test
-        if: steps.list-changed.outputs.changed == 'true'
-
-      ## Create KIND Cluster
-      - name: Create kind cluster
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
-        if: steps.list-changed.outputs.changed == 'true'
-      # Install Required Operators/CRDs
-      - name: Prepare Cluster Operators/CRDs
-        run: |
-          # Cert-Manager CRDs
-          kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
-          
-          # Prometheus CRDs
-          kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
-        if: steps.list-changed.outputs.changed == 'true'
-      # Install Charts
-      - name: Run chart-testing (install)
-        run: ct install --debug --config ./.github/configs/ct.yaml
-        if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/lint.yml

@@ -16,10 +16,13 @@ jobs:
     name: lint
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          version: v1.51.2
+          go-version-file: 'go.mod'
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        with:
+          version: v1.56.2
           only-new-issues: false
           args: --timeout 5m --config .golangci.yml

.github/workflows/releaser.yml

@@ -18,19 +18,25 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          fetch-depth: 0
+      - name: Install Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: 'go.mod'
       - name: Setup caches
         uses: ./.github/actions/setup-caches
         timeout-minutes: 5
         continue-on-error: true
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1
+      - uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605
       - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
           version: latest
-          args: release --clean --timeout 90m --debug
+          args: release --clean --timeout 90m
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard.yml

@@ -20,23 +20,23 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           persist-credentials: false
       - name: Run analysis
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
           repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           publish_results: true
       - name: Upload artifact
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # v2.13.4
         with:
           sarif_file: results.sarif

.golangci.yml

@@ -1,3 +1,4 @@
+
 linters-settings:
   govet:
     check-shadowing: true
@@ -19,10 +20,21 @@ linters-settings:
     template: |-
       Copyright 2020-2023 Project Capsule Authors.
       SPDX-License-Identifier: Apache-2.0
-
+  gofumpt:
+    module-path: github.com/projectcapsule/capsule
+    extra-rules: false
+  inamedparam:
+    # Skips check for interface methods with only a single parameter.
+    # Default: false
+    skip-single-param: true
+  nakedret:
+    # Make an issue if func has more lines of code than this setting, and it has naked returns.
+    max-func-lines: 50
 linters:
   enable-all: true
   disable:
+    - depguard
+    - perfsprint
     - funlen
     - gochecknoinits
     - lll
@@ -48,8 +60,13 @@ linters:
     - nonamedreturns
 
 service:
-  golangci-lint-version: 1.51.2
+  golangci-lint-version: 1.56.x
 
 run:
+  timeout: 3m
+  go: '1.21'
   skip-files:
     - "zz_.*\\.go$"
+    - ".+\\.generated.go"
+    - ".+_test.go"
+    - ".+_test_.+.go"

.goreleaser.yml

@@ -25,8 +25,8 @@ builds:
           -X main.Version={{ .Tag }}
           -X main.GitCommit={{ .Commit }}
           -X main.GitTag={{ .Tag }}
-          -X main.GitTreeState={{ .Date }}
-          -X main.BuildDate={{ .Date }}
+          -X main.GitDirty={{ .Date }}
+          -X main.BuildTime={{ .Date }}
           -X main.GitRepo={{ .ProjectName }}
 release:
   prerelease: auto
@@ -36,8 +36,15 @@ release:
     **Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
     
     **Docker Images**
-    - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}`
+    - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Version }}`
     - `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
+
+    **Helm Chart**
+    View this release on [Artifact Hub](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}) or use the OCI helm chart:
+
+    - `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}`
+
+    [Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes)
 checksum:
   name_template: 'checksums.txt'
 changelog:
@@ -66,9 +73,12 @@ changelog:
     - title: '📖 Documentation updates'
       regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$
       order: 400
+    - title: '🛡️ Security updates'
+      regexp: ^.*?(sec)(\([[:word:]]+\))??!?:.+$
+      order: 500
     - title: '🚀 Build process updates'
       regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$
-      order: 400
+      order: 600
     - title: '📦 Other work'
       order: 9999
 sboms:
@@ -80,4 +90,4 @@ signs:
   - "--output-signature=${signature}"
   - "${artifact}"
   - "--yes"
-  artifacts: all
+  artifacts: all

.ko.yaml

@@ -1,6 +1,7 @@
 defaultPlatforms:
 - linux/arm64
 - linux/amd64
+- linux/arm
 builds:
 - id: capsule
   main: ./

ADOPTERS.md

@@ -7,6 +7,12 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
 ### [Bedag Informatik AG](https://www.bedag.ch/)
 ![Bedag](https://www.bedag.ch/wGlobal/wGlobal/layout/images/logo.svg)
 
+### [Department of Defense](https://www.defense.gov/)
+![United States Department of Defense](https://www.access-board.gov/images/dod-seal.png)
+
+### [KubeRocketCI](https://docs.kuberocketci.io/)
+![KubeRocketCI](https://raw.githubusercontent.com/epam/edp-install/master/docs/assets/krci-logo-267×150-white.png)
+
 ### [Fastweb](https://www.fastweb.it/)
 ![Fastweb](https://www.fastweb.it/grandi-aziende/gfx/common/logo-fastweb-header.svg)
 
@@ -22,6 +28,9 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
 ### [Reevo](https://www.reevo.it/)
 ![Reevo Cloud and CyberSecurity](https://www.dropbox.com/s/x3q6r0oqstgvtdr/Logo_ReeVo_270x200px.svg)
 
+### [Seeweb](https://seeweb.it/en)
+![Seeweb x Serverless GPU](https://www.seeweb.it/assets/images/logo-seeweb.svg)
+
 ### [University of Torino](https://www.unito.it)
 ![University of Torino](https://www.unito.it/sites/all/themes/bsunito/img/logo_new_2022.svg)
 

CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog
+
+Changes are published with their type and scope for each release in the release description. Changes are assigned based on their commit description. Read more on how commits should be formatted in the [Contributing](CONTRIBUTING.md#commits) guide.
+
+See the [Releases](https://github.com/projectcapsule/capsule/releases)
+
+
+## Helm Chart
+
+For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).

CONTRIBUTING.md

@@ -2,48 +2,154 @@
 
 All contributions are welcome! If you find a bug or have a feature request, please open an issue or submit a pull request.
 
+## Ways to contribute
+
+### 1. Report Issues
+
+Issues to Capsule help improve the project in multiple ways including the following:
+
+  * Report potential bugs
+  * Request a feature
+  * Request a sample policy
+
+### 2. Engagement
+Engage with the community on [Slack](https://kubernetes.slack.com/archives/C03GETTJQRL) and help new users with questions or issues they may have.
+
+### 3. Submit changes
+Submit technical changes via pull requests. New contributors may easily view all open issues labeled as [good first issues](https://github.com/projectcapsule/capsule/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) allowing you to get started in an approachable manner.
+
+Once you wish to get started contributing to the code base, please refer to our [development guide](DEVELOPMENT.md) for a how-to. **[We accept pull requests from forks only](#create-a-pull-request)**.
+
+Before creating a pull request, please ensure that your changes are tested and that the documentation is updated accordingly.
+
+When creating a pull request, please visit:
+
+  * [commits](#commits)
 
 ## Guidelines
 
+The following guidelines outline the semantics and processes which apply to technical contributions to the project.
+
+## Supported Versions
+Versions follow [Semantic Versioning](https://semver.org/) terminology and are expressed as `x.y.z`:
+
+- where x is the major version
+- y is the minor version
+- and z is the patch version
+
+Security fixes, may be backported to the three most recent minor releases, depending on severity and feasibility.
+
+Prereleases are marked as `-rc.x` (release candidate) and may refere to any type of version bump.
 
 ## Pull Requests
 
+The pull request title is checked according to the described [semantics](#semantics) (pull requests don't require a scope). However pull requests are currently not used to generate the changelog. Check if your pull requests body meets the following criteria:
+
+- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests 
+- splitting changes into several and documented small commits
+- limit the git subject to 50 characters and write as the continuation of the
+  sentence "If applied, this commit will ..."
+- explain what and why in the body, if more than a trivial change, wrapping at
+  72 characters
+
+If your pull request in a draft state and not ready yet for review, you can prefix the title with `[WIP]`. This will indicate that work is still ongoing:
+
+    [WIP] feat(controller): new cool feature
+
+### Create a Pull Request
+
+Head over to the project repository on GitHub and click the **"Fork"** button. With the forked copy, you can try new ideas and implement changes to the project.
+
+1. **Clone the repository to your device:**
+
+Get the link of your forked repository, paste it in your device terminal and clone it using the command.
+
+```sh
+git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY
+```
+
+2. **Create a branch:**
+
+Create a new branch and navigate to it using this command.
+
+```sh
+git checkout -b <new-branch>
+```
+
+3. **Stage, Commit, and Push changes:**
+
+Now that we have implemented the required changes, use the command below to stage the changes and commit them.
+
+```sh
+git add .
+```
+
+```sh
+git commit -s -m "Commit message"
+```
+
+Go ahead and push your changes to GitHub using this command.
+
+```sh
+git push
+```
 
 ## Commits
 
-Commit messages should indicate the change and it's impact. The general format for commit messages is the following:
+The commit message is checked according to the described [semantics](#semantics). Commits are used to generate the changelog and their author will be referenced in the changelog.
 
-    feat(ui): Add `Button` component
-    ^    ^    ^
-    |    |    |__ Subject
-    |    |_______ Scope
-    |____________ Type
+### Reorganising commits
 
- The commits are checked on pull-request. If the commit message does not follow the format, the workflow will fail. See the [Types](#types) and [Scopes](#scopes) sections for more information.
+To reorganise your commits, do the following (or use your way of doing it):
 
-## Types
 
-The following types are allowed for commits and pull requests:
+1. Pull upstream changes
+   
+```bash
+git remote add upstream git@github.com:projectcapsule/capsule.git
+git pull upstream main
+```
 
-  * `ci` or `build`: changes to buillding process/workflows
-  * `docs`: changes to documentation
-  * `feat`: new features
-  * `fix`: bug fixes
+2. Pick the current upstream HEAD (the commit is marked with `(remote/main, main)`)
 
-## Scopes
+```bash
+git log
+....
+commit 10bbf39ac1ac3ad4f8485422e54faa9aadf03315 (remote/main, main)
+Author: Oliver Bähler <oliverbaehler@hotmail.com>
+Date:   Mon Oct 23 10:24:44 2023 +0200
 
-The following types are allowed for commits and pull requests:
+    docs(repo): add sbom reference
 
-  * `all`: changes that affect all components
-  * `chart`: changes to the Helm chart
-  * `operator`: changes to the operator
-  * `docs`: changes to the documentation
-  * `website`: changes to the website
-  * `ci`: changes to the CI/CD workflows
-  * `build`: changes to the build process
-  * `test`: changes to the testing process
-  * `release`: changes to the release process
-  * `deps`: dependency updates
+    Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
+```
+
+3. Soft reset to the commit of the upstream HEAD
+
+```bash
+git reset --soft 10bbf39ac1ac3ad4f8485422e54faa9aadf03315
+```
+
+4. Remove staged files (if any)
+
+```bash
+git restore --staged .
+```
+
+5. Add files manually and create new [commits](#commits), until all files are included
+
+```bash
+git add charts/capsule/
+git commit -s -m "feat(chart): add nodeselector value"
+
+...
+```
+
+6. Force push the changes to your fork
+
+```bash
+git push origin main -f
+```
 
 ### Sign-Off
 
@@ -55,4 +161,29 @@ To sign your work, just add a line like this at the end of your commit message:
 Signed-off-by: Random J Developer <random@developer.example.org>
 This can easily be done with the -s command line option to append this automatically to your commit message.
 
-git commit -s -m 'This is my commit message'
+    git commit -s -m 'This is my commit message'
+
+## Semantics
+
+The semantics should indicate the change and it's impact. The general format for commit messages and pull requests is the following:
+
+    feat(ui): Add `Button` component
+    ^    ^    ^
+    |    |    |__ Subject
+    |    |_______ Scope
+    |____________ Type
+
+ The commits are checked on pull-request. If the commit message does not follow the format, the workflow will fail. See the [Types](#types) for the supported types. The scope is not required but helps to provide more context for your changes. Try to use a scope if possible.
+
+### Types
+
+The following types are allowed for commits and pull requests:
+
+  * `chore`: housekeeping changes, no production code change
+  * `ci`: changes to building process/workflows
+  * `docs`: changes to documentation
+  * `feat`: new features
+  * `fix`: bug fixes
+  * `test`: test related changes
+  * `sec`: security related changes
+

DEPENDENCY.md

@@ -0,0 +1,47 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Capsule maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Capsule maintainers and all third-party packages used in the Capsule project.
+
+## Policy
+
+Capsule maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Capsule.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Capsule codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+- Dependencies must pass all automated tests before being merged into the Capsule codebase.
+
+## Procedure
+
+When adding a new third-party package to Capsule, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Capsule? 
+2. Research the package. Is it well-maintained? Does it have a good reputation? 
+3. Choose a version of the package. Use the latest version whenever possible. 
+4. Pin the package to the specific version in the Capsule codebase. 
+5. Update the Capsule documentation to reflect the new dependency.
+
+## Archive/Deprecation
+
+When a third-party package is discontinued, the Capsule maintainers must fensure to replace the package with a suitable alternative.
+
+## Enforcement
+
+This policy is enforced by the Capsule maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Capsule project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)

DEVELOPMENT.md

@@ -0,0 +1,233 @@
+# Development
+
+Our Makefile helps you with the development of new changes or fixes. [You may have a look at it](./Makefile), since not all targets are documented.
+
+To execute your changes locally, you can run the binary locally. This will run just the capsule controller. We recommend [to setup a development environment](#development-environment) for a better development experience:
+
+```bash
+make run
+```
+## Building
+
+You can build the docker image locally, Ko will be installed via go, so you don't need to install it manually.
+
+```bash
+make ko-build-all
+```
+
+This will push the build to your local docker images.
+
+## Test
+
+Execute unit testing:
+
+```bash
+make test
+```
+
+## E2E Test
+
+**New changes always require dedcated E2E tests. E2E help us to ensure the quality of the code and it's functionality.**
+
+For E2E test we use the [ginkgo](https://github.com/onsi/ginkgo) framework. Ou can see all the test under [e2e](./e2e/).
+
+
+With the following command a new KinD cluster is created with the Kubernetes version `v1.20.7` (This can be done with any available Kubernetes version). A docker image is created and pushed and loaded into the KinD cluster. Then the E2E tests are executed against the KinD cluster.
+
+```bash
+make e2e/v1.20.7
+```
+
+You can also just run the e2e tests without the creation of a new kind cluster:
+
+```
+make e2e-exec
+```
+
+The E2E tests are also executed via the [github workflow](./.github/workflows/e2e.yaml) on every PR and push to the main branch.
+
+# Development Environment
+
+During development, we prefer that the code is running within our IDE locally, instead of running as the normal Pod(s) within the Kubernetes cluster.
+
+Such a setup can be illustrated as below diagram:
+
+![Development Environment](./assets/docs/dev-env.png)
+
+## Setup Development Environment
+
+To achieve that, there are some necessary steps we need to walk through, which have been made as a make target within our Makefile.
+
+So the TL;DR answer is:
+
+**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup. 
+
+```bash
+# If you haven't installed or run `make deploy` before, do it first
+# Note: please retry if you saw errors
+$ make deploy
+
+# To retrieve your laptop's IP and execute `make dev-setup` to setup dev env
+# For example: LAPTOP_HOST_IP=192.168.10.101 make dev-setup
+$ LAPTOP_HOST_IP="<YOUR_LAPTOP_IP>" make dev-setup
+```
+
+### Explenation
+
+We recommend to setup the development environment with the make `dev-setup` target. However here is a step by step guide to setup the development environment for understanding.
+
+1. Scaling down the deployed Pod(s) to 0
+We need to scale the existing replicas of capsule-controller-manager to 0 to avoid reconciliation competition between the Pod(s) and the code running outside of the cluster, in our preferred IDE for example.
+
+```bash
+$ kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
+deployment.apps/capsule-controller-manager scaled
+```
+
+2. Preparing TLS certificate for the webhooks
+Running webhooks requires TLS, we can prepare the TLS key pair in our development env to handle HTTPS requests.
+
+```bash
+# Prepare a simple OpenSSL config file
+# Do remember to export LAPTOP_HOST_IP before running this command
+$ cat > _tls.cnf <<EOF
+[ req ]
+default_bits       = 4096
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                = SG
+stateOrProvinceName        = SG
+localityName               = SG
+organizationName           = CAPSULE
+commonName                 = CAPSULE
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+IP.1   = ${LAPTOP_HOST_IP}
+EOF
+
+# Create this dir to mimic the Pod mount point
+$ mkdir -p /tmp/k8s-webhook-server/serving-certs
+
+# Generate the TLS cert/key under /tmp/k8s-webhook-server/serving-certs
+$ openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
+  -subj "/C=SG/ST=SG/L=SG/O=CAPSULE/CN=CAPSULE" \
+  -extensions req_ext \
+  -config _tls.cnf \
+  -keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
+  -out /tmp/k8s-webhook-server/serving-certs/tls.crt
+
+# Clean it up
+$ rm -f _tls.cnf
+```
+
+3. Patching the Webhooks
+By default, the webhooks will be registered with the services, which will route to the Pods, inside the cluster. We need to delegate the controllers' and webhook's services to the code running in our IDE by patching the `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration`.
+
+```bash
+# Export your laptop's IP with the 9443 port exposed by controllers/webhooks' services
+$ export WEBHOOK_URL="https://${LAPTOP_HOST_IP}:9443"
+
+# Export the cert we just generated as the CA bundle for webhook TLS
+$ export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`
+
+kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
+	--type='json' -p="[\
+		{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\
+    ]"
+
+kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+    --type='json' -p="[\
+		{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
+		{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}\
+	]"
+
+kubectl patch crd tenants.capsule.clastix.io \
+	--type='json' -p="[\
+		{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
+	]"
+
+kubectl patch crd capsuleconfigurations.capsule.clastix.io \
+	--type='json' -p="[\
+		{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
+	]";
+```
+
+## Running Capsule
+
+When the Development Environment is set up, we can run Capsule controllers with webhooks outside of the Kubernetes cluster:
+
+```bash
+$ export NAMESPACE=capsule-system && export TMPDIR=/tmp/
+$ go run .
+```
+
+To verify that, we can open a new console and create a new Tenant in a new shell:
+
+```bash
+$ kubectl apply -f - <<EOF
+apiVersion: capsule.clastix.io/v1beta2
+kind: Tenant
+metadata:
+  name: gas
+spec:
+  owners:
+  - name: alice
+    kind: User
+EOF
+```
+
+We should see output and logs in the make run console.
+
+Now it's time to work through our familiar inner loop for development in our preferred IDE. For example, if you're using [Visual Studio Code](https://code.visualstudio.com/), this launch.json file can be a good start.
+
+
+## Helm Chart
+
+You can test your changes made to the helm chart locally. They are almost identical to the checks executed in the github workflows.
+
+Run chart linting (ct lint):
+
+```bash
+make helm-lint
+```
+
+Run chart tests (ct install). This creates a KinD cluster, builds the current image and loads it into the cluster and installs the helm chart:
+
+```bash
+make helm-test
+```
+
+### Documentation
+
+Documentation of the chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). Therefor all documentation relevant changes for the chart must be done in the [README.md.gotmpl](./charts/capsule/README.md.gotmpl) file. You can run this locally with this command (requires running docker daemon):
+
+```bash
+make helm-docs
+
+...
+
+time="2023-10-23T13:45:08Z" level=info msg="Found Chart directories [charts/capsule]"
+time="2023-10-23T13:45:08Z" level=info msg="Generating README Documentation for chart /helm-docs/charts/capsule"
+```
+
+This will update the documentation for the chart in the `README.md` file. 
+
+### Helm Changelog 
+
+The `version` of the chart does not require a bump, since it's driven by our release process. The `appVersion` of the chart is the version of the Capsule project. This is the version that should be bumped when a new Capsule version is released. This will be done by the maintainers.
+
+To create the proper changelog for the helm chart, all changes which affect the helm chart must be documented as chart annotation. See all the available [chart annotations](https://artifacthub.io/docs/topics/annotations/helm/).
+
+This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19.10 as builder
+FROM golang:1.20.10 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

GOVERNANCE.md

@@ -0,0 +1,133 @@
+# Capsule Project Governance
+
+The **Capsule** project is dedicated to creating a multi-tenancy and policy-based framework for Kubernetes. This governance explains how the project is run.
+
+- [Values](#values)
+- [Maintainers](#maintainers)
+- [Becoming a Maintainer](#becoming-a-maintainer)
+- [Meetings](#meetings)
+- [CNCF Resources](#cncf-resources)
+- [Code of Conduct Enforcement](#code-of-conduct)
+- [Security Response Team](#security-response-team)
+- [Voting](#voting)
+- [Modifications](#modifying-this-charter)
+
+## Values
+
+The Capsule and its leadership embrace the following values:
+
+* Openness: Communication and decision-making happens in the open and is discoverable for future
+  reference. As much as possible, all discussions and work take place in public
+  Slack channels and open repositories.
+
+* Fairness: All stakeholders have the opportunity to provide feedback and submit
+  contributions, which will be considered on their merits.
+
+* Community over Product or Company: Sustaining and growing our community takes
+  priority over shipping code or sponsors' organizational goals.  Each
+  contributor participates in the project as an individual.
+
+* Community Before Individual Demand: As a community-driven open source project, we emphasize
+  the importance of collaboration and contribution. Maintainers and contributors work together towards the project's growth, not to serve unilateral user demands. Users pretending features or enhancements for their sole benefit without contributing to the effort are not aligned with our community values.
+
+* Inclusivity: We innovate through different perspectives and skill sets, which
+  can only be accomplished in a welcoming and respectful environment.
+
+* Participation: Responsibilities within the project are earned through
+  participation, and there is a clear path up the contributor ladder into leadership
+  positions.
+
+## Maintainers
+
+Capsule Maintainers have write access to the [project GitHub repository](https://github.com/orgs/projectcapsule). They can merge their own patches or patches from others. The current maintainers
+can be found in [MAINTAINERS.md](./MAINTAINERS.md).  Maintainers collectively manage the project's
+resources and contributors.
+
+This privilege is granted with some expectation of responsibility: maintainers
+are people who care about the Capsule project and want to help it grow and
+improve. A maintainer is not just someone who can make changes, but someone who
+has demonstrated their ability to collaborate with the team, get the most
+knowledgeable people to review code and docs.
+
+A maintainer is a contributor to the project's success and a citizen helping
+the project succeed. The collective team of all Maintainers is known as the Maintainer Council, which
+is the governing body for the project.
+
+### Becoming a Maintainer
+
+To become a Maintainer you need to demonstrate the following:
+
+  * commitment to the project:
+    * participate in discussions, contributions, code and documentation reviews,
+    * perform reviews for non-trivial pull requests,
+    * contribute non-trivial pull requests and have them merged,
+  * ability to write quality code and/or documentation,
+  * ability to collaborate with the team,
+  * understanding of how the team works (policies, processes for testing and code review, etc),
+  * understanding of the project's purpose, code base and coding and documentation style.
+
+A new Maintainer must be proposed by an existing maintainer by sending a message to all the other existing Maintainers. A simple majority vote of existing Maintainers
+approves the application. Maintainers nominations will be evaluated without prejudice
+to employer or demographics.
+
+Maintainers who are selected will be granted the necessary GitHub rights.
+
+### Removing a Maintainer
+
+Maintainers may resign at any time if they feel that they will not be able to
+continue fulfilling their project duties.
+
+Maintainers may also be removed after being inactive, failure to fulfill their 
+Maintainer responsibilities, violating the Code of Conduct, or other reasons.
+A Maintainer may be removed at any time by a 2/3 vote of the remaining maintainers.
+
+Depending on the reason for removal, a Maintainer may be converted to Emeritus
+status.  Emeritus Maintainers will still be consulted on some project matters,
+and can be rapidly returned to Maintainer status if their availability changes.
+
+## Meetings
+
+Time zones permitting, Maintainers are expected to participate in the public
+developer meeting and/or public discussions.  
+
+Maintainers will also have closed meetings in order to discuss security reports
+or Code of Conduct violations. Such meetings should be scheduled by any
+Maintainer on receipt of a security issue or CoC report. All current Maintainers
+must be invited to such closed meetings, except for any Maintainer who is
+accused of a CoC violation.
+
+## CNCF Resources
+
+Any Maintainer may suggest a request for CNCF resources. A simple majority of Maintainers
+approves the request. The Maintainers may also choose to delegate working with the CNCF to non-Maintainer community members, who will then be added to the [CNCF's Maintainer List](https://github.com/cncf/foundation/blob/main/project-maintainers.csv) for that purpose.
+
+## Code of Conduct
+
+[Code of Conduct](./CODE_OF_CONDUCT.md)
+violations by community members will be discussed and resolved in private Maintainer meetings. If a Maintainer is directly involved in the report, the Maintainers will instead designate two Maintainers to work with the CNCF Code of Conduct Committee in resolving it.
+
+## Security Response Team
+
+The Maintainers will appoint a Security Response Team to handle security reports.
+This committee may simply consist of the Maintainer Council themselves.  If this
+responsibility is delegated, the Maintainers will appoint a team of at least two 
+contributors to handle it.  The Maintainers will review who is assigned to this
+at least once a year.
+
+The Security Response Team is responsible for handling all reports of security
+holes and breaches according to the [security policy](TODO:Link to security.md).
+
+## Voting
+
+While most business in Capsule Project is conducted by "[lazy consensus](https://community.apache.org/committers/lazyConsensus.html)", 
+periodically the Maintainers may need to vote on specific actions or changes.
+Any Maintainer may demand a vote be taken.
+
+Most votes require a simple majority of all Maintainers to succeed, except where
+otherwise noted. Two-thirds majority votes mean at least two-thirds of all 
+existing maintainers.
+
+## Modifying this Charter
+
+Changes to this Governance and its supporting documents may be approved by 
+a 2/3 vote of the Maintainers.

MAINTAINERS.md

@@ -0,0 +1,13 @@
+The current Maintainers Group for the [TODO: Projectname] Project consists of:
+
+| Name                      | Employer    | Responsibilities |
+| ------------------------- | ----------- | ---------------- |
+|  Adriano Pezzuto          | Clastix     |  Maintainer      |
+|  Dario Tranchitella       | Clastix     |  Maintainer      |
+|  Maksim Fedotov           | Wargaming   |  Maintainer      |
+|  Oliver Bähler            | Peak Scale  |  Maintainer      |
+|  Massimiliano Giovagnoli  | Proximus    |  Maintainer      |
+
+This list must be kept in sync with the [CNCF Project Maintainers list](https://github.com/cncf/foundation/blob/master/project-maintainers.csv).
+
+See [the project Governance](GOVERNANCE.md) for how maintainers are selected and replaced.

Makefile

@@ -1,9 +1,8 @@
 # Version
 GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
-VERSION          ?= $(shell git describe --abbrev=0 --tags --match "v*")
-ifndef VERSION
-VERSION          = $(GIT_HEAD_COMMIT)
-endif
+VERSION         ?= $(or $(shell git describe --abbrev=0 --tags --match "v*" 2>/dev/null),$(GIT_HEAD_COMMIT))
+GOOS                 ?= $(shell go env GOOS)
+GOARCH               ?= $(shell go env GOARCH)
 
 # Defaults
 REGISTRY        ?= ghcr.io
@@ -53,40 +52,14 @@ manager: generate golint
 run: generate manifests
 	go run .
 
-# Creates the single file to install Capsule without any external dependency
-installer: manifests kustomize
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG}
-	$(KUSTOMIZE) build config/default > config/install.yaml
-
-# Install CRDs into a cluster
-install: installer
-	$(KUSTOMIZE) build config/crd | kubectl apply -f -
-
-# Uninstall CRDs from a cluster
-uninstall: installer
-	$(KUSTOMIZE) build config/crd | kubectl delete -f -
-
-# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-deploy: installer
-	kubectl apply -f config/install.yaml
-
-# Remove controller in the configured Kubernetes cluster in ~/.kube/config
-remove: installer
-	kubectl delete -f config/install.yaml
-	kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
-	kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
-
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule/crds
 
 # Generate code
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
-apidoc: apidocs-gen
-	$(APIDOCS_GEN) crdoc --resources config/crd/bases --output docs/content/general/crds-apis.md --template docs/template/reference-cr.tmpl
-
 # Helm
 SRC_ROOT = $(shell git rev-parse --show-toplevel)
 
@@ -94,17 +67,21 @@ helm-docs: HELMDOCS_VERSION := v1.11.0
 helm-docs: docker
 	@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
 
-helm-lint: CT_VERSION := v3.3.1
 helm-lint: docker
 	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml  --lint-conf .github/configs/lintconf.yaml  --all --debug"
 
 helm-test: kind ct ko-build-all
 	@kind create cluster --wait=60s --name capsule-charts
-	@kind load docker-image --name capsule-charts $(LOCAL_CAPSULE_IMG)
-	@kubectl create ns capsule-system
-	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
+	@make helm-test-exec
 	@kind delete cluster --name capsule-charts
 
+helm-test-exec:
+	@kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
+	@kubectl create ns capsule-system || true
+	@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+	@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
+
 docker:
 	@hash docker 2>/dev/null || {\
 		echo "You need docker" &&\
@@ -134,7 +111,7 @@ IP.1   = $(LAPTOP_HOST_IP)
 endef
 export TLS_CNF
 dev-setup:
-	kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
+	kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
 	mkdir -p /tmp/k8s-webhook-server/serving-certs
 	echo "$${TLS_CNF}" > _tls.cnf
 	openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -143,42 +120,31 @@ dev-setup:
 		-config _tls.cnf \
 		-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
 		-out /tmp/k8s-webhook-server/serving-certs/tls.crt
+	kubectl create secret tls capsule-tls -n capsule-system \
+		--cert=/tmp/k8s-webhook-server/serving-certs/tls.crt\
+		--key=/tmp/k8s-webhook-server/serving-certs/tls.key || true
 	rm -f _tls.cnf 
 	export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
 	export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
-	kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
-		--type='json' -p="[\
-		    {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\
-		]" && \
-	kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
-		--type='json' -p="[\
-			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}\
-		]" && \
-	kubectl patch crd tenants.capsule.clastix.io \
-		--type='json' -p="[\
-			{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
-		]" && \
-	kubectl patch crd capsuleconfigurations.capsule.clastix.io \
-		--type='json' -p="[\
-			{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
-		]";
-
+	helm upgrade \
+	    --dependency-update \
+		--debug \
+		--install \
+		--namespace capsule-system \
+		--create-namespace \
+		--set 'crds.install=true' \
+		--set 'crds.exclusive=true'\
+		--set "webhooks.exclusive=true"\
+		--set "webhooks.service.url=$${WEBHOOK_URL}" \
+		--set "webhooks.service.caBundle=$${CA_BUNDLE}" \
+		capsule \
+		./charts/capsule
 
 ####################
 # -- Docker
 ####################
 
+KO_PLATFORM     ?= linux/$(GOARCH)
 KOCACHE         ?= /tmp/ko-cache
 KO_REGISTRY     := ko.local
 KO_TAGS         ?= "latest"
@@ -189,20 +155,18 @@ endif
 LD_FLAGS        := "-X main.Version=$(VERSION) \
 					-X main.GitCommit=$(GIT_HEAD_COMMIT) \
 					-X main.GitTag=$(VERSION) \
-					-X main.GitTreeState=$(GIT_MODIFIED) \
-					-X main.BuildDate=$(BUILD_DATE) \
+					-X main.GitDirty=$(GIT_MODIFIED) \
+					-X main.BuildTime=$(BUILD_DATE) \
 					-X main.GitRepo=$(GIT_REPO)"
 
 # Docker Image Build
 # ------------------
 
 .PHONY: ko-build-capsule
-LOCAL_CAPSULE_IMG_BASE := github.com/$(REPOSITORY)
-LOCAL_CAPSULE_IMG := $(KO_REGISTRY)/$(LOCAL_CAPSULE_IMG_BASE)
 ko-build-capsule: ko
-	@echo Building Capsule $(KO_TAGS) >&2
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
-		$(KO) build ./ --preserve-import-paths --tags=$(KO_TAGS)  --push=false
+	@echo Building Capsule $(KO_TAGS) for $(KO_PLATFORM) >&2
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
+		$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
 
 .PHONY: ko-build-all
 ko-build-all: ko-build-capsule
@@ -230,22 +194,16 @@ ko-publish-all: ko-publish-capsule
 ####################
 
 CONTROLLER_GEN         := $(shell pwd)/bin/controller-gen
-CONTROLLER_GEN_VERSION := v0.10.0
+CONTROLLER_GEN_VERSION := v0.16.1
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 
-APIDOCS_GEN         := $(shell pwd)/bin/crdoc
-APIDOCS_GEN_VERSION := latest
-apidocs-gen: ## Download crdoc locally if necessary.
-	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
-
 GINKGO         := $(shell pwd)/bin/ginkgo
-GINGKO_VERSION := v2.9.5
 ginkgo: ## Download ginkgo locally if necessary.
-	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
+	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
 
 CT         := $(shell pwd)/bin/ct
-CT_VERSION := v3.7.1
+CT_VERSION := v3.10.1
 ct: ## Download ct locally if necessary.
 	$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
 
@@ -262,7 +220,7 @@ kustomize: ## Download kustomize locally if necessary.
 KO = $(shell pwd)/bin/ko
 KO_VERSION = v0.14.1
 ko:
-	$(call go-install-tool,$(KO),github.com/google/ko@v0.14.1)
+	$(call go-install-tool,$(KO),github.com/google/ko@$(KO_VERSION))
 
 ####################
 # -- Helpers
@@ -302,8 +260,9 @@ goimports:
 	goimports -w -l -local "github.com/projectcapsule/capsule" .
 
 GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
+GOLANGCI_LINT_VERSION = v1.56.2
 golangci-lint: ## Download golangci-lint locally if necessary.
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.2)
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
 
 # Linting code as PR is expecting
 .PHONY: golint
@@ -317,12 +276,12 @@ e2e/%: ginkgo
 
 e2e-build/%:
 	kind create cluster --wait=60s --name capsule --image=kindest/node:$*
-	make e2e-load-image
-	make e2e-install
+	$(MAKE) e2e-install
 
 .PHONY: e2e-install
-e2e-install:
+e2e-install: e2e-load-image
 	helm upgrade \
+	    --dependency-update \
 		--debug \
 		--install \
 		--namespace capsule-system \
@@ -330,17 +289,14 @@ e2e-install:
 		--set 'manager.image.pullPolicy=Never' \
 		--set 'manager.resources=null'\
 		--set "manager.image.tag=$(VERSION)" \
-		--set 'manager.image.registry=$(KO_REGISTRY)' \
-		--set 'manager.image.repository=$(LOCAL_CAPSULE_IMG_BASE)' \
 		--set 'manager.livenessProbe.failureThreshold=10' \
 		--set 'manager.readinessProbe.failureThreshold=10' \
-		--set 'podSecurityContext.seccompProfile=null' \
 		capsule \
 		./charts/capsule
 
 .PHONY: e2e-load-image
 e2e-load-image: ko-build-all
-	kind load docker-image --nodes capsule-control-plane --name capsule $(LOCAL_CAPSULE_IMG):$(VERSION)
+	kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
 
 .PHONY: e2e-exec
 e2e-exec: ginkgo
@@ -352,5 +308,5 @@ e2e-destroy:
 
 SPELL_CHECKER = npx spellchecker-cli
 docs-lint:
-	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" -d dictionary.txt
+	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt
 

PROJECT

@@ -7,25 +7,6 @@ plugins:
 projectName: capsule
 repo: github.com/projectcapsule/capsule
 resources:
-- api:
-    crdVersion: v1
-  controller: true
-  domain: clastix.io
-  group: capsule
-  kind: Tenant
-  path: github.com/projectcapsule/capsule/api/v1alpha1
-  version: v1alpha1
-  webhooks:
-    conversion: true
-    webhookVersion: v1
-- api:
-    crdVersion: v1
-  controller: true
-  domain: clastix.io
-  group: capsule
-  kind: CapsuleConfiguration
-  path: github.com/projectcapsule/capsule/api/v1alpha1
-  version: v1alpha1
 - api:
     crdVersion: v1
   domain: clastix.io

README.md

@@ -1,6 +1,5 @@
 
 <p align="left">
-  <img src="https://github.com/projectcapsule/capsule/actions/workflows/ci.yml/badge.svg"/>
   <img src="https://img.shields.io/github/license/clastix/capsule"/>
   <img src="https://img.shields.io/github/go-mod/go-version/clastix/capsule"/>
   <a href="https://github.com/projectcapsule/capsule/releases">
@@ -15,6 +14,12 @@
   <a href="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge">
     <img src="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge"/>
   </a>
+  <a href="https://artifacthub.io/packages/search?repo=projectcapsule">
+    <img src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/projectcapsule"/>
+  </a>
+  <a href="https://app.fossa.com/projects/git%2Bgithub.com%2Fprojectcapsule%2Fcapsule?ref=badge_shield&issueType=license" alt="FOSSA Status">
+    <img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fprojectcapsule%2Fcapsule.svg?type=shield&issueType=license"/>
+  </a>
 </p>
 
 <p align="center">
@@ -95,7 +100,7 @@ The documentation for each chart is done with [helm-docs](https://github.com/nor
 make helm-docs
 ```
 
-## Community
+## Community meeting
 
 Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
 
@@ -117,6 +122,14 @@ Please, refer to the maintainers file available [here](.github/maintainers.yaml)
 
 Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
 
+### Changelog
+
+Read how we log changes [here](CHANGELOG.md)
+
+### Software Bill of Materials
+
+All OCI release artifacts include a Software Bill of Materials (SBOM) in CycloneDX JSON format. More information on this is available [here](SECURITY.md#software-bill-of-materials-sbom)
+
 # FAQ
 
 - Q. How to pronounce Capsule?

ROADMAP.md

@@ -0,0 +1,3 @@
+# Roadmap
+
+future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.

SECURITY-INSIGHTS.yml

@@ -0,0 +1,60 @@
+# Reference https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md
+header:
+  schema-version: 1.0.0
+  expiration-date: '2024-10-24T01:00:00.000Z'
+  last-updated: '2023-10-24'
+  last-reviewed: '2023-10-24'
+  project-url: https://github.com/projectcapsule/capsule
+  changelog: https://github.com/projectcapsule/capsule/blob/main/CHANGELOG.md
+  license: https://github.com/projectcapsule/capsule/blob/main/LICENSE
+project-lifecycle:
+  status: active
+  bug-fixes-only: false
+  core-maintainers:
+  - github:prometherion
+  - github:oliverbaehler
+  - github:bsctl
+  - github:MaxFedotov
+distribution-points:
+  - https://github.com/orgs/projectcapsule/packages?repo_name=capsule
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+  contributing-policy: https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md
+  code-of-conduct: https://github.com/projectcapsule/capsule/blob/main/CODE_OF_CONDUCT.md
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  security-policy: https://github.com/projectcapsule/capsule/blob/main/SECURITY.md
+  email-contact: cncf-capsule-maintainers@lists.cncf.io
+  comment: |
+    Report a vulnerability by using private security issues in GitHub.
+security-testing:
+- tool-type: sca
+  tool-name: Dependabot
+  tool-version: latest
+  integration:
+    ad-hoc: false
+    ci: true
+    before-release: true
+  comment: |
+    Dependabot is enabled for this repo.
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+  - https://github.com/projectcapsule/capsule/blob/main/go.mod
+  env-dependencies-policy:
+    policy-url: https://github.com/projectcapsule/capsule/blob/main/DEPENDENCY.md
+  sbom:
+  - sbom-file: https://github.com/projectcapsule/capsule/pkgs/container/sbom
+    sbom-format: CycloneDX
+    sbom-url: https://github.com/projectcapsule/capsule/blob/main/SECURITY.md#software-bill-of-materials-sbom
+security-artifacts:
+  self-assessment:
+    self-assessment-created: true
+    evidence-url:
+    - https://github.com/projectcapsule/capsule/blob/main/SELF_ASSESSMENT.md
+security-contacts:
+- type: email
+  value: cncf-capsule-maintainers@lists.cncf.io
+  primary: true
+

SECURITY.md

@@ -0,0 +1,115 @@
+# Security Policy
+
+The Capsule community has adopted this security disclosures and response policy to ensure we responsibly handle critical issues.
+
+## Bulletins
+
+For information regarding the security of this project please join our [slack channel](https://kubernetes.slack.com/archives/C03GETTJQRL).
+
+
+## Covered Repositories and Issues
+
+When we say "a security vulnerability in capsule" we mean a security issue
+in any repository under the [projectcapsule GitHub organization](https://github.com/projectcapsule/).
+
+This reporting process is intended only for security issues in the capsule
+project itself, and doesn't apply to applications _using_ capsule or to
+issues which do not affect security.
+
+Don't use this process if:
+
+  * You have issues with your capsule installation or configuration
+  * Your issue is not security related
+
+
+### Explicitly Not Covered: Vulnerability Scanner Reports
+
+We do not accept reports which amount to copy and pasted output from a vulnerability
+scanning tool **unless** work has specifically been done to confirm that a vulnerability
+reported by the tool _actually exists_ in capsule.
+
+## Reporting a Vulnerability
+
+To report a security issue or vulnerability, [submit a private vulnerability report via GitHub](https://github.com/projectcapsule/capsule/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. should contain the following:
+
+     * description of the problem
+     * precise and detailed steps (include screenshots) 
+     * the affected version(s). This may also include environment relevant versions.
+     * any possible mitigations
+
+If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it.
+
+## Reponse
+
+Response times could be affected by weekends, holidays, breaks or time zone differences. That said, the security response team will endeavour to reply as soon as possible, ideally within 5 working days.
+
+## Security Contacts
+
+[Maintainers](./github/maintainers.yaml) of this project are responsible for the security of the project as outlined in this policy.
+
+# Release Artifacts
+
+[See all the available artifacts](https://github.com/orgs/projectcapsule/packages?repo_name=capsule)
+
+## Verifing
+
+To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). We have a seperate repository for all the signatures for all the artifacts released under the projectcapsule - `ghcr.io/projectcapsule/signatures`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures
+
+To verify the signature of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
+      --certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/docker-publish.yml@refs/tags/*" \
+      --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
+
+To verify the signature of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
+      --certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/helm-publish.yml@refs/tags/*" \
+      --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
+
+
+## Verifying Provenance
+
+Capsule creates and attests to the provenance of its builds using the [SLSA standard](https://slsa.dev/spec/v0.2/provenance) and meets the [SLSA Level 3](https://slsa.dev/spec/v0.1/levels) specification. The attested provenance may be verified using the cosign tool.
+
+Verify the provenance of the docker image. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule)
+
+```bash
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/projectcapsule/capsule:<release_tag> | jq .payload -r | base64 --decode | jq
+```
+
+Verify the provenance of the helm image. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule)
+
+```bash
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/projectcapsule/charts/capsule:<release_tag> | jq .payload -r | base64 --decode | jq
+```
+
+## Software Bill of Materials (SBOM)
+
+An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at `ghcr.io/projectcapsule/sbom`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom
+
+To inspect the SBOM of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
+
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
+    
+To inspect the SBOM of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
+
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
+
+
+# Credits
+
+Our Security Policy and Workflows are based on the work of the [Kyverno](https://github.com/kyverno) and [Cert-Manager](https://github.com/cert-manager) community.

SELF_ASSESSMENT.md

@@ -0,0 +1,201 @@
+# Capsule Security Self-Assessment
+
+## Metadata
+<table>
+  <tr>
+   <td>Software
+   </td>
+   <td><a href="https://github.com/projectcapsule/capsule">https://github.com/projectcapsule/capsule</a>
+   </td>
+  </tr>
+  <tr>
+   <td>Website
+   </td>
+   <td><a href="https://capsule.clastix.io/">https://capsule.clastix.io/</a>
+   </td>
+  </tr>
+  <tr>
+   <td>Security Provider
+   </td>
+   <td>No
+   </td>
+  </tr>
+  <tr>
+   <td>Languages
+   </td>
+   <td>Golang
+   </td>
+  </tr>
+  <tr>
+   <td>SBOM
+   </td>
+   <td><a href="https://github.com/projectcapsule/capsule/pkgs/container/sbom">https://github.com/projectcapsule/capsule/pkgs/container/sbom</a>
+   </td>
+  </tr>
+</table>
+
+## Security Links
+
+<table>
+  <tr>
+   <td><strong>Doc</strong>
+   </td>
+   <td><strong>URL</strong>
+   </td>
+  </tr>
+  <tr>
+   <td>Security file
+   </td>
+   <td><a href="https://github.com/projectcapsule/capsule/blob/main/SECURITY.md">https://github.com/projectcapsule/capsule/blob/main/SECURITY.md</a>
+   </td>
+  </tr>
+  <tr>
+   <td>Default and optional configs
+   </td>
+   <td><a href="https://github.com/projectcapsule/capsule/blob/main/charts/capsule/values.yaml">https://github.com/projectcapsule/capsule/blob/main/charts/capsule/values.yaml</a>
+   </td>
+  </tr>
+</table>
+
+## Overview
+
+Capsule implements a multi-tenant and policy-based environment in your Kubernetes cluster.
+It is designed as a micro-services-based ecosystem with a minimalist approach, leveraging only upstream Kubernetes.
+
+### Background
+
+Capsule takes a different approach.
+In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called Tenant, basically a grouping of Kubernetes Namespaces.
+Within each tenant, users are free to create their namespaces and share all the assigned resources.
+
+On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other.
+Network and Security Policies, Resource Quota, Limit Ranges, RBAC, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant.
+Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
+
+Capsule was accepted as a CNCF sandbox project in December 2022.
+
+## Actors
+
+### Capsule Operator
+
+It's the Operator which provides all the multi-tenant capabilities offered by Capsule.
+It's made of two internal components, such as the webhooks server (known as _policy engine_), and the _tenant controller_.
+
+**Capsule Tenant Controller** 
+
+The controller is responsible for managing the tenants by reconciling the required objects at the Namespace level, such as _Network Policy_, _LimitRange_, _ResourceQuota_, _Role Binding_, as well as labelling the Namespace objects belonging to a Tenant according to their desired metadata.
+It is responsible for binding Namespaces to the selected Tenant, and managing their lifecycle.
+
+Furthermore, the manager can replicate objects thanks to the **Tenant Resource** API, which offers two levels of interactions: a cluster-scoped one thanks to the `GlobalTenantResource` API, and a namespace-scoped one named `TenantResource`.
+
+The replicated resources are dynamically created, and replicated by Capsule itself, as well as preserving the deletion of these objects by the Tenant owner.
+
+**Capsule Tenant Controller (Policy Engine)** 
+
+Policies are defined on a Tenant basis: therefore the policy engine is enforcing these policies on the tenants's Namespaces and their children's resources.
+The Policy Engine is currently not a dedicated component, but a part of the Capsule Tenant Controller. 
+
+The webhook server, also known as the policy engine, interpolates the Tenant rules and takes full advantage of the dynamic admission controllers offered by Kubernetes itself (such as `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration`).
+Thanks to the _policy engine_ the cluster administrators can enforce specific rules such as preventing _Pod_ objects from untrusted registries to run or preventing the creation of _PersistentVolumeClaim_ resources using a non-allowed _StorageClass_, etc.
+
+It also acts as a defaulter webhook, offloading the need to specify some classes (IngressClass, StorageClass, RuntimeClass, etc.).
+
+### Capsule Proxy
+
+The `capsule-proxy` is an addon which is offering a Kubernetes API Server shim aware of the multi-tenancy levels implemented by Capsule.
+
+It's essentially a reverse proxy that decorates the incoming requests with the required `labelSelector` query string parameters to filter out some objects, such as:
+
+- Namespaces
+- IngressClass
+- StorageClass
+- PriorityClass
+- RuntimeClass
+- PersistentVolumes
+
+Permissions on those resources are not enforced through the classic Kubernetes RBAC but rather at the Tenant Owner level, allowing fine-grained control over specific resources.
+
+`capsule-proxy` is not serving itself Kubernetes API server responses, but rather, it's acting as a middle proxy server offering dynamic filtering of requests: this means the resulting responses from the upstream are not mangled, and don't require any additional plugins, or third-party binaries, and integrating with any external components, such as the Kubernetes dashboard, the `kubectl` binary, etc.
+
+## Actions
+
+Tenants are created by cluster administrators, who have the right to create Tenant custom resource instances.
+End users should not manage tenants.
+Therefore users without any cluster administration rights can't list tenants or create tenants.
+
+## Creating namespaces in a tenant
+
+When creating a tenant, the Capsule controller inspects the user's supplied groups and matches, if the groups were defined in the `capsuleConfiguration`. If at least one matching group is found, the user request is considered by Capsule. If not, Capsule ignores the request and does not perform any action. This also applies to modifications (`UPDATE` request).
+
+To create namespaces within a tenant a User, Group or ServiceAccount must be configured as owner of the tenant.
+A namespace is assigned to a tenant based on its label, its owner (if the owner only has one tenant) or the prefix of the namespace (which matches the tenant name).
+
+If the request is considered, the namespace is created with all the configuration on the tenant, which is relevant. The additional resources (NetworkPolicy, ResourceQuota, LimitRange) are created in the new namespace.
+
+### Applying Workload and configs to namespaces within a tenant
+
+Whenever a tenant user applies new workloads or configs to a namespace, the capsule controller inspects the namespace and checks if it belongs to a tenant. If so, the capsule controller applies policies from the tenant configuration to the given workloads and configs.
+
+If there are defaults defined on the tenant, they are applied to the workloads as well.
+This is a further abstraction from having cluster defaults (eg. default `StorageClass`) to having tenant defaults (eg. default `StorageClass` for a tenant).
+
+### Goals
+
+**General**
+
+* **Multitenancy**: Capsule should be able to support multiple tenants in a single Kubernetes cluster without introducing overhead or cognitive load, and barely relying on Namespace objects.
+* **Kubernetes agnostic**: Capsule should integrate with Kubernetes primitives, such as _RBAC_, _NetworkPolicy_, _LimitRange_, and _ResourceQuota_.
+* **Policy-based**: Capsule should be able to enforce policies on tenants, which are defined on a tenant basis.
+* **Native User Experience**: Capsule shouldn't increase the cognitive load of developers, such as introducing `kubectl` plugins, or forcing the tenant owners to operate their tenant objects using Custom Resource Definitions.
+
+### Non-Goals
+
+**General**
+
+* **Control Plane**: Capsule can't mimic for each tenant a feeling of a dedicated control plane. 
+
+* **Custom Resource Definitions**: Capsule doesn't want to provide virtual cluster capabilities and it's sticking to the native Kubernetes user experience and design; rather, its focus is to provide a governance solution by focusing on resource optimization and security lockdown.
+
+
+## Self-assessment use
+
+This self-assessment is created by the Capsule team to perform an internal analysis of the project's security.
+It is not intended to provide a security audit of Capsule, or function as an independent assessment or attestation of Capsule’s security health.
+
+This document serves to provide Capsule users with an initial understanding of Capsule's security, where to find existing security documentation, Capsule plans for security, and a general overview of Capsule security practices, both for the development of Capsule as well as security of Capsule.
+
+This document provides the CNCF TAG-Security with an initial understanding of Capsule to assist in a joint review, necessary for projects under incubation. Taken together, this document and the joint review serve as a cornerstone for if and when Capsule seeks graduation.
+
+## Security functions and features
+
+See [Actors](#actors) and [Actions](#actions) for a more detailed description of the critical actors, actions, and potential threats.
+
+## Project compliance
+
+As of now, not applicable.
+
+## Secure development practices
+
+The Capsule project follows established CNCF and OSS best practices for code development and delivery.
+Capsule follows [OpenSSF Best Practices](https://www.bestpractices.dev/en/projects/5601).
+Although not perfect yet, we are constantly trying to improve and score optimal scores.
+We will assess the issues during our community meetings and try to plan them for future releases.
+
+### Development Pipeline
+
+Changes must be reviewed and merged by the project maintainers.
+Before changes are merged, all the changes must pass static checks, license checks, verifications on `gofmt`, `go lint`, `go vet`, and pass all unit tests and e2e tests.
+Changes are scanned by trivy for the docker images.
+We run E2E tests for different Kubernetes versions on Pull Requests.
+Code changes are submitted via Pull Requests (PRs) and must be signed and verified.
+Commits to the main branch directly are not allowed.
+
+## Security issue resolution
+
+Capsule project vulnerability handling related processes are recorded in the [Capsule Security Doc](https://github.com/projectcapsule/capsule/blob/main/SECURITY.md).
+Related security vulnerabilities can be reported and communicated via email to [cncf-capsule-maintainers@lists.cncf.io](mailto:cncf-capsule-maintainers@lists.cncf.i).
+
+## Appendix
+
+All Capsule security-related issues (both fixes and enhancements) are labelled with "security" and can be queried using[ https://github.com/projectcapsule/capsule/labels/security](https://github.com/projectcapsule/capsule/labels/security).
+The code review process requires maintainers to consider security while reviewing designs and pull requests.

api/v1alpha1/additional_metadata.go

@@ -1,9 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-type AdditionalMetadata struct {
-	Labels      map[string]string `json:"additionalLabels,omitempty"`
-	Annotations map[string]string `json:"additionalAnnotations,omitempty"`
-}

api/v1alpha1/capsuleconfiguration_annotations.go

@@ -1,15 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-const (
-	ForbiddenNodeLabelsAnnotation            = "capsule.clastix.io/forbidden-node-labels"
-	ForbiddenNodeLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-node-labels-regexp"
-	ForbiddenNodeAnnotationsAnnotation       = "capsule.clastix.io/forbidden-node-annotations"
-	ForbiddenNodeAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-node-annotations-regexp"
-	TLSSecretNameAnnotation                  = "capsule.clastix.io/tls-secret-name"
-	MutatingWebhookConfigurationName         = "capsule.clastix.io/mutating-webhook-configuration-name"
-	ValidatingWebhookConfigurationName       = "capsule.clastix.io/validating-webhook-configuration-name"
-	EnableTLSConfigurationAnnotationName     = "capsule.clastix.io/enable-tls-configuration"
-)

api/v1alpha1/capsuleconfiguration_types.go

@@ -1,47 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// CapsuleConfigurationSpec defines the Capsule configuration.
-type CapsuleConfigurationSpec struct {
-	// Names of the groups for Capsule users.
-	// +kubebuilder:default={capsule.clastix.io}
-	UserGroups []string `json:"userGroups,omitempty"`
-	// Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
-	// separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
-	// +kubebuilder:default=false
-	ForceTenantPrefix bool `json:"forceTenantPrefix,omitempty"`
-	// Disallow creation of namespaces, whose name matches this regexp
-	ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:scope=Cluster
-
-// CapsuleConfiguration is the Schema for the Capsule configuration API.
-type CapsuleConfiguration struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec CapsuleConfigurationSpec `json:"spec,omitempty"`
-}
-
-func (in *CapsuleConfiguration) Hub() {}
-
-// +kubebuilder:object:root=true
-
-// CapsuleConfigurationList contains a list of CapsuleConfiguration.
-type CapsuleConfigurationList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []CapsuleConfiguration `json:"items"`
-}
-
-func init() {
-	SchemeBuilder.Register(&CapsuleConfiguration{}, &CapsuleConfigurationList{})
-}

api/v1alpha1/capsuleconfiguration_webhook.go

@@ -1,21 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	"os"
-
-	ctrl "sigs.k8s.io/controller-runtime"
-)
-
-func (in *CapsuleConfiguration) SetupWebhookWithManager(mgr ctrl.Manager) error {
-	certData, _ := os.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")
-	if len(certData) == 0 {
-		return nil
-	}
-
-	return ctrl.NewWebhookManagedBy(mgr).
-		For(in).
-		Complete()
-}

api/v1alpha1/conversion_hub.go

@@ -1,583 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	"fmt"
-	"reflect"
-	"strconv"
-	"strings"
-
-	"github.com/pkg/errors"
-	"k8s.io/utils/pointer"
-	"sigs.k8s.io/controller-runtime/pkg/conversion"
-
-	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
-	"github.com/projectcapsule/capsule/pkg/api"
-)
-
-const (
-	resourceQuotaScopeAnnotation = "capsule.clastix.io/resource-quota-scope"
-
-	podAllowedImagePullPolicyAnnotation = "capsule.clastix.io/allowed-image-pull-policy"
-
-	podPriorityAllowedAnnotation      = "priorityclass.capsule.clastix.io/allowed"
-	podPriorityAllowedRegexAnnotation = "priorityclass.capsule.clastix.io/allowed-regex"
-
-	enableNodePortsAnnotation    = "capsule.clastix.io/enable-node-ports"
-	enableExternalNameAnnotation = "capsule.clastix.io/enable-external-name"
-	enableLoadBalancerAnnotation = "capsule.clastix.io/enable-loadbalancer-service"
-
-	ownerGroupsAnnotation         = "owners.capsule.clastix.io/group"
-	ownerUsersAnnotation          = "owners.capsule.clastix.io/user"
-	ownerServiceAccountAnnotation = "owners.capsule.clastix.io/serviceaccount"
-
-	enableNodeListingAnnotation           = "capsule.clastix.io/enable-node-listing"
-	enableNodeUpdateAnnotation            = "capsule.clastix.io/enable-node-update"
-	enableNodeDeletionAnnotation          = "capsule.clastix.io/enable-node-deletion"
-	enableStorageClassListingAnnotation   = "capsule.clastix.io/enable-storageclass-listing"
-	enableStorageClassUpdateAnnotation    = "capsule.clastix.io/enable-storageclass-update"
-	enableStorageClassDeletionAnnotation  = "capsule.clastix.io/enable-storageclass-deletion"
-	enableIngressClassListingAnnotation   = "capsule.clastix.io/enable-ingressclass-listing"
-	enableIngressClassUpdateAnnotation    = "capsule.clastix.io/enable-ingressclass-update"
-	enableIngressClassDeletionAnnotation  = "capsule.clastix.io/enable-ingressclass-deletion"
-	enablePriorityClassListingAnnotation  = "capsule.clastix.io/enable-priorityclass-listing"
-	enablePriorityClassUpdateAnnotation   = "capsule.clastix.io/enable-priorityclass-update"
-	enablePriorityClassDeletionAnnotation = "capsule.clastix.io/enable-priorityclass-deletion"
-
-	ingressHostnameCollisionScope = "ingress.capsule.clastix.io/hostname-collision-scope"
-)
-
-func (in *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
-	serviceKindToAnnotationMap := map[capsulev1beta1.ProxyServiceKind][]string{
-		capsulev1beta1.NodesProxy:           {enableNodeListingAnnotation, enableNodeUpdateAnnotation, enableNodeDeletionAnnotation},
-		capsulev1beta1.StorageClassesProxy:  {enableStorageClassListingAnnotation, enableStorageClassUpdateAnnotation, enableStorageClassDeletionAnnotation},
-		capsulev1beta1.IngressClassesProxy:  {enableIngressClassListingAnnotation, enableIngressClassUpdateAnnotation, enableIngressClassDeletionAnnotation},
-		capsulev1beta1.PriorityClassesProxy: {enablePriorityClassListingAnnotation, enablePriorityClassUpdateAnnotation, enablePriorityClassDeletionAnnotation},
-	}
-	annotationToOperationMap := map[string]capsulev1beta1.ProxyOperation{
-		enableNodeListingAnnotation:           capsulev1beta1.ListOperation,
-		enableNodeUpdateAnnotation:            capsulev1beta1.UpdateOperation,
-		enableNodeDeletionAnnotation:          capsulev1beta1.DeleteOperation,
-		enableStorageClassListingAnnotation:   capsulev1beta1.ListOperation,
-		enableStorageClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
-		enableStorageClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
-		enableIngressClassListingAnnotation:   capsulev1beta1.ListOperation,
-		enableIngressClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
-		enableIngressClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
-		enablePriorityClassListingAnnotation:  capsulev1beta1.ListOperation,
-		enablePriorityClassUpdateAnnotation:   capsulev1beta1.UpdateOperation,
-		enablePriorityClassDeletionAnnotation: capsulev1beta1.DeleteOperation,
-	}
-	annotationToOwnerKindMap := map[string]capsulev1beta1.OwnerKind{
-		ownerUsersAnnotation:          capsulev1beta1.UserOwner,
-		ownerGroupsAnnotation:         capsulev1beta1.GroupOwner,
-		ownerServiceAccountAnnotation: capsulev1beta1.ServiceAccountOwner,
-	}
-
-	annotations := in.GetAnnotations()
-
-	operations := make(map[string]map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
-
-	for serviceKind, operationAnnotations := range serviceKindToAnnotationMap {
-		for _, operationAnnotation := range operationAnnotations {
-			val, ok := annotations[operationAnnotation]
-			if ok {
-				for _, owner := range strings.Split(val, ",") {
-					if _, exists := operations[owner]; !exists {
-						operations[owner] = make(map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
-					}
-
-					operations[owner][serviceKind] = append(operations[owner][serviceKind], annotationToOperationMap[operationAnnotation])
-				}
-			}
-		}
-	}
-
-	var owners capsulev1beta1.OwnerListSpec
-
-	getProxySettingsForOwner := func(ownerName string) (settings []capsulev1beta1.ProxySettings) {
-		ownerOperations, ok := operations[ownerName]
-		if ok {
-			for k, v := range ownerOperations {
-				settings = append(settings, capsulev1beta1.ProxySettings{
-					Kind:       k,
-					Operations: v,
-				})
-			}
-		}
-
-		return
-	}
-
-	owners = append(owners, capsulev1beta1.OwnerSpec{
-		Kind:            capsulev1beta1.OwnerKind(in.Spec.Owner.Kind),
-		Name:            in.Spec.Owner.Name,
-		ProxyOperations: getProxySettingsForOwner(in.Spec.Owner.Name),
-	})
-
-	for ownerAnnotation, ownerKind := range annotationToOwnerKindMap {
-		val, ok := annotations[ownerAnnotation]
-		if ok {
-			for _, owner := range strings.Split(val, ",") {
-				owners = append(owners, capsulev1beta1.OwnerSpec{
-					Kind:            ownerKind,
-					Name:            owner,
-					ProxyOperations: getProxySettingsForOwner(owner),
-				})
-			}
-		}
-	}
-
-	return owners
-}
-
-//nolint:gocognit,gocyclo,cyclop,maintidx
-func (in *Tenant) ConvertTo(dstRaw conversion.Hub) error {
-	dst, ok := dstRaw.(*capsulev1beta1.Tenant)
-	if !ok {
-		return fmt.Errorf("expected type *capsulev1beta1.Tenant, got %T", dst)
-	}
-
-	annotations := in.GetAnnotations()
-
-	// ObjectMeta
-	dst.ObjectMeta = in.ObjectMeta
-
-	// Spec
-	if in.Spec.NamespaceQuota != nil {
-		if dst.Spec.NamespaceOptions == nil {
-			dst.Spec.NamespaceOptions = &capsulev1beta1.NamespaceOptions{}
-		}
-
-		dst.Spec.NamespaceOptions.Quota = in.Spec.NamespaceQuota
-	}
-
-	dst.Spec.NodeSelector = in.Spec.NodeSelector
-
-	dst.Spec.Owners = in.convertV1Alpha1OwnerToV1Beta1()
-
-	if in.Spec.NamespacesMetadata != nil {
-		if dst.Spec.NamespaceOptions == nil {
-			dst.Spec.NamespaceOptions = &capsulev1beta1.NamespaceOptions{}
-		}
-
-		dst.Spec.NamespaceOptions.AdditionalMetadata = &api.AdditionalMetadataSpec{
-			Labels:      in.Spec.NamespacesMetadata.Labels,
-			Annotations: in.Spec.NamespacesMetadata.Annotations,
-		}
-	}
-
-	if in.Spec.ServicesMetadata != nil {
-		if dst.Spec.ServiceOptions == nil {
-			dst.Spec.ServiceOptions = &api.ServiceOptions{}
-		}
-
-		dst.Spec.ServiceOptions.AdditionalMetadata = &api.AdditionalMetadataSpec{
-			Labels:      in.Spec.ServicesMetadata.Labels,
-			Annotations: in.Spec.ServicesMetadata.Annotations,
-		}
-	}
-
-	if in.Spec.StorageClasses != nil {
-		dst.Spec.StorageClasses = in.Spec.StorageClasses
-	}
-
-	if v, annotationOk := in.Annotations[ingressHostnameCollisionScope]; annotationOk {
-		switch v {
-		case string(api.HostnameCollisionScopeCluster), string(api.HostnameCollisionScopeTenant), string(api.HostnameCollisionScopeNamespace):
-			dst.Spec.IngressOptions.HostnameCollisionScope = api.HostnameCollisionScope(v)
-		default:
-			dst.Spec.IngressOptions.HostnameCollisionScope = api.HostnameCollisionScopeDisabled
-		}
-	}
-
-	if in.Spec.IngressClasses != nil {
-		dst.Spec.IngressOptions.AllowedClasses = &api.AllowedListSpec{
-			Exact: in.Spec.IngressClasses.Exact,
-			Regex: in.Spec.IngressClasses.Regex,
-		}
-	}
-
-	if in.Spec.IngressHostnames != nil {
-		dst.Spec.IngressOptions.AllowedHostnames = &api.AllowedListSpec{
-			Exact: in.Spec.IngressHostnames.Exact,
-			Regex: in.Spec.IngressHostnames.Regex,
-		}
-	}
-
-	if in.Spec.ContainerRegistries != nil {
-		dst.Spec.ContainerRegistries = &api.AllowedListSpec{
-			Exact: in.Spec.ContainerRegistries.Exact,
-			Regex: in.Spec.ContainerRegistries.Regex,
-		}
-	}
-
-	if len(in.Spec.NetworkPolicies) > 0 {
-		dst.Spec.NetworkPolicies = api.NetworkPolicySpec{
-			Items: in.Spec.NetworkPolicies,
-		}
-	}
-
-	if len(in.Spec.LimitRanges) > 0 {
-		dst.Spec.LimitRanges = api.LimitRangesSpec{
-			Items: in.Spec.LimitRanges,
-		}
-	}
-
-	if len(in.Spec.ResourceQuota) > 0 {
-		dst.Spec.ResourceQuota = api.ResourceQuotaSpec{
-			Scope: func() api.ResourceQuotaScope {
-				if v, annotationOk := in.GetAnnotations()[resourceQuotaScopeAnnotation]; annotationOk {
-					switch v {
-					case string(api.ResourceQuotaScopeNamespace):
-						return api.ResourceQuotaScopeNamespace
-					case string(api.ResourceQuotaScopeTenant):
-						return api.ResourceQuotaScopeTenant
-					}
-				}
-
-				return api.ResourceQuotaScopeTenant
-			}(),
-			Items: in.Spec.ResourceQuota,
-		}
-	}
-
-	dst.Spec.AdditionalRoleBindings = in.Spec.AdditionalRoleBindings
-
-	if in.Spec.ExternalServiceIPs != nil {
-		if dst.Spec.ServiceOptions == nil {
-			dst.Spec.ServiceOptions = &api.ServiceOptions{}
-		}
-
-		dst.Spec.ServiceOptions.ExternalServiceIPs = in.Spec.ExternalServiceIPs
-	}
-
-	pullPolicies, ok := annotations[podAllowedImagePullPolicyAnnotation]
-	if ok {
-		for _, policy := range strings.Split(pullPolicies, ",") {
-			dst.Spec.ImagePullPolicies = append(dst.Spec.ImagePullPolicies, api.ImagePullPolicySpec(policy))
-		}
-	}
-
-	priorityClasses := api.AllowedListSpec{}
-
-	priorityClassAllowed, ok := annotations[podPriorityAllowedAnnotation]
-
-	if ok {
-		priorityClasses.Exact = strings.Split(priorityClassAllowed, ",")
-	}
-
-	priorityClassesRegexp, ok := annotations[podPriorityAllowedRegexAnnotation]
-
-	if ok {
-		priorityClasses.Regex = priorityClassesRegexp
-	}
-
-	if !reflect.ValueOf(priorityClasses).IsZero() {
-		dst.Spec.PriorityClasses = &priorityClasses
-	}
-
-	enableNodePorts, ok := annotations[enableNodePortsAnnotation]
-	if ok {
-		val, err := strconv.ParseBool(enableNodePorts)
-		if err != nil {
-			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableNodePortsAnnotation, in.GetName()))
-		}
-
-		if dst.Spec.ServiceOptions == nil {
-			dst.Spec.ServiceOptions = &api.ServiceOptions{}
-		}
-
-		if dst.Spec.ServiceOptions.AllowedServices == nil {
-			dst.Spec.ServiceOptions.AllowedServices = &api.AllowedServices{}
-		}
-
-		dst.Spec.ServiceOptions.AllowedServices.NodePort = pointer.Bool(val)
-	}
-
-	enableExternalName, ok := annotations[enableExternalNameAnnotation]
-	if ok {
-		val, err := strconv.ParseBool(enableExternalName)
-		if err != nil {
-			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableExternalNameAnnotation, in.GetName()))
-		}
-
-		if dst.Spec.ServiceOptions == nil {
-			dst.Spec.ServiceOptions = &api.ServiceOptions{}
-		}
-
-		if dst.Spec.ServiceOptions.AllowedServices == nil {
-			dst.Spec.ServiceOptions.AllowedServices = &api.AllowedServices{}
-		}
-
-		dst.Spec.ServiceOptions.AllowedServices.ExternalName = pointer.Bool(val)
-	}
-
-	loadBalancerService, ok := annotations[enableLoadBalancerAnnotation]
-	if ok {
-		val, err := strconv.ParseBool(loadBalancerService)
-		if err != nil {
-			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableLoadBalancerAnnotation, in.GetName()))
-		}
-
-		if dst.Spec.ServiceOptions == nil {
-			dst.Spec.ServiceOptions = &api.ServiceOptions{}
-		}
-
-		if dst.Spec.ServiceOptions.AllowedServices == nil {
-			dst.Spec.ServiceOptions.AllowedServices = &api.AllowedServices{}
-		}
-
-		dst.Spec.ServiceOptions.AllowedServices.LoadBalancer = pointer.Bool(val)
-	}
-	// Status
-	dst.Status = capsulev1beta1.TenantStatus{
-		Size:       in.Status.Size,
-		Namespaces: in.Status.Namespaces,
-	}
-	// Remove unneeded annotations
-	delete(dst.ObjectMeta.Annotations, podAllowedImagePullPolicyAnnotation)
-	delete(dst.ObjectMeta.Annotations, podPriorityAllowedAnnotation)
-	delete(dst.ObjectMeta.Annotations, podPriorityAllowedRegexAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableNodePortsAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableExternalNameAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableLoadBalancerAnnotation)
-	delete(dst.ObjectMeta.Annotations, ownerGroupsAnnotation)
-	delete(dst.ObjectMeta.Annotations, ownerUsersAnnotation)
-	delete(dst.ObjectMeta.Annotations, ownerServiceAccountAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableNodeListingAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableNodeUpdateAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableNodeDeletionAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableStorageClassListingAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableStorageClassUpdateAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableStorageClassDeletionAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableIngressClassListingAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableIngressClassUpdateAnnotation)
-	delete(dst.ObjectMeta.Annotations, enableIngressClassDeletionAnnotation)
-	delete(dst.ObjectMeta.Annotations, enablePriorityClassListingAnnotation)
-	delete(dst.ObjectMeta.Annotations, enablePriorityClassUpdateAnnotation)
-	delete(dst.ObjectMeta.Annotations, enablePriorityClassDeletionAnnotation)
-	delete(dst.ObjectMeta.Annotations, resourceQuotaScopeAnnotation)
-	delete(dst.ObjectMeta.Annotations, ingressHostnameCollisionScope)
-
-	return nil
-}
-
-//nolint:gocognit,gocyclo,cyclop
-func (in *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
-	ownersAnnotations := map[string][]string{
-		ownerGroupsAnnotation:         nil,
-		ownerUsersAnnotation:          nil,
-		ownerServiceAccountAnnotation: nil,
-	}
-
-	proxyAnnotations := map[string][]string{
-		enableNodeListingAnnotation:          nil,
-		enableNodeUpdateAnnotation:           nil,
-		enableNodeDeletionAnnotation:         nil,
-		enableStorageClassListingAnnotation:  nil,
-		enableStorageClassUpdateAnnotation:   nil,
-		enableStorageClassDeletionAnnotation: nil,
-		enableIngressClassListingAnnotation:  nil,
-		enableIngressClassUpdateAnnotation:   nil,
-		enableIngressClassDeletionAnnotation: nil,
-	}
-
-	for i, owner := range src.Spec.Owners {
-		if i == 0 {
-			in.Spec.Owner = OwnerSpec{
-				Name: owner.Name,
-				Kind: Kind(owner.Kind),
-			}
-		} else {
-			switch owner.Kind {
-			case capsulev1beta1.UserOwner:
-				ownersAnnotations[ownerUsersAnnotation] = append(ownersAnnotations[ownerUsersAnnotation], owner.Name)
-			case capsulev1beta1.GroupOwner:
-				ownersAnnotations[ownerGroupsAnnotation] = append(ownersAnnotations[ownerGroupsAnnotation], owner.Name)
-			case capsulev1beta1.ServiceAccountOwner:
-				ownersAnnotations[ownerServiceAccountAnnotation] = append(ownersAnnotations[ownerServiceAccountAnnotation], owner.Name)
-			}
-		}
-
-		for _, setting := range owner.ProxyOperations {
-			switch setting.Kind {
-			case capsulev1beta1.NodesProxy:
-				for _, operation := range setting.Operations {
-					switch operation {
-					case capsulev1beta1.ListOperation:
-						proxyAnnotations[enableNodeListingAnnotation] = append(proxyAnnotations[enableNodeListingAnnotation], owner.Name)
-					case capsulev1beta1.UpdateOperation:
-						proxyAnnotations[enableNodeUpdateAnnotation] = append(proxyAnnotations[enableNodeUpdateAnnotation], owner.Name)
-					case capsulev1beta1.DeleteOperation:
-						proxyAnnotations[enableNodeDeletionAnnotation] = append(proxyAnnotations[enableNodeDeletionAnnotation], owner.Name)
-					}
-				}
-			case capsulev1beta1.PriorityClassesProxy:
-				for _, operation := range setting.Operations {
-					switch operation {
-					case capsulev1beta1.ListOperation:
-						proxyAnnotations[enablePriorityClassListingAnnotation] = append(proxyAnnotations[enablePriorityClassListingAnnotation], owner.Name)
-					case capsulev1beta1.UpdateOperation:
-						proxyAnnotations[enablePriorityClassUpdateAnnotation] = append(proxyAnnotations[enablePriorityClassUpdateAnnotation], owner.Name)
-					case capsulev1beta1.DeleteOperation:
-						proxyAnnotations[enablePriorityClassDeletionAnnotation] = append(proxyAnnotations[enablePriorityClassDeletionAnnotation], owner.Name)
-					}
-				}
-			case capsulev1beta1.StorageClassesProxy:
-				for _, operation := range setting.Operations {
-					switch operation {
-					case capsulev1beta1.ListOperation:
-						proxyAnnotations[enableStorageClassListingAnnotation] = append(proxyAnnotations[enableStorageClassListingAnnotation], owner.Name)
-					case capsulev1beta1.UpdateOperation:
-						proxyAnnotations[enableStorageClassUpdateAnnotation] = append(proxyAnnotations[enableStorageClassUpdateAnnotation], owner.Name)
-					case capsulev1beta1.DeleteOperation:
-						proxyAnnotations[enableStorageClassDeletionAnnotation] = append(proxyAnnotations[enableStorageClassDeletionAnnotation], owner.Name)
-					}
-				}
-			case capsulev1beta1.IngressClassesProxy:
-				for _, operation := range setting.Operations {
-					switch operation {
-					case capsulev1beta1.ListOperation:
-						proxyAnnotations[enableIngressClassListingAnnotation] = append(proxyAnnotations[enableIngressClassListingAnnotation], owner.Name)
-					case capsulev1beta1.UpdateOperation:
-						proxyAnnotations[enableIngressClassUpdateAnnotation] = append(proxyAnnotations[enableIngressClassUpdateAnnotation], owner.Name)
-					case capsulev1beta1.DeleteOperation:
-						proxyAnnotations[enableIngressClassDeletionAnnotation] = append(proxyAnnotations[enableIngressClassDeletionAnnotation], owner.Name)
-					}
-				}
-			}
-		}
-	}
-
-	for k, v := range ownersAnnotations {
-		if len(v) > 0 {
-			in.Annotations[k] = strings.Join(v, ",")
-		}
-	}
-
-	for k, v := range proxyAnnotations {
-		if len(v) > 0 {
-			in.Annotations[k] = strings.Join(v, ",")
-		}
-	}
-}
-
-//nolint:cyclop
-func (in *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
-	src, ok := srcRaw.(*capsulev1beta1.Tenant)
-	if !ok {
-		return fmt.Errorf("expected *capsulev1beta1.Tenant, got %T", srcRaw)
-	}
-
-	// ObjectMeta
-	in.ObjectMeta = src.ObjectMeta
-
-	// Spec
-	if src.Spec.NamespaceOptions != nil && src.Spec.NamespaceOptions.Quota != nil {
-		in.Spec.NamespaceQuota = src.Spec.NamespaceOptions.Quota
-	}
-
-	in.Spec.NodeSelector = src.Spec.NodeSelector
-
-	if in.Annotations == nil {
-		in.Annotations = make(map[string]string)
-	}
-
-	in.convertV1Beta1OwnerToV1Alpha1(src)
-
-	if src.Spec.NamespaceOptions != nil && src.Spec.NamespaceOptions.AdditionalMetadata != nil {
-		in.Spec.NamespacesMetadata = &AdditionalMetadata{
-			Labels:      src.Spec.NamespaceOptions.AdditionalMetadata.Labels,
-			Annotations: src.Spec.NamespaceOptions.AdditionalMetadata.Annotations,
-		}
-	}
-
-	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AdditionalMetadata != nil {
-		in.Spec.ServicesMetadata = &AdditionalMetadata{
-			Labels:      src.Spec.ServiceOptions.AdditionalMetadata.Labels,
-			Annotations: src.Spec.ServiceOptions.AdditionalMetadata.Annotations,
-		}
-	}
-
-	if src.Spec.StorageClasses != nil {
-		in.Spec.StorageClasses = src.Spec.StorageClasses
-	}
-
-	in.Annotations[ingressHostnameCollisionScope] = string(src.Spec.IngressOptions.HostnameCollisionScope)
-
-	if src.Spec.IngressOptions.AllowedClasses != nil {
-		in.Spec.IngressClasses = src.Spec.IngressOptions.AllowedClasses
-	}
-
-	if src.Spec.IngressOptions.AllowedHostnames != nil {
-		in.Spec.IngressHostnames = src.Spec.IngressOptions.AllowedHostnames
-	}
-
-	if src.Spec.ContainerRegistries != nil {
-		in.Spec.ContainerRegistries = src.Spec.ContainerRegistries
-	}
-
-	if len(src.Spec.NetworkPolicies.Items) > 0 {
-		in.Spec.NetworkPolicies = src.Spec.NetworkPolicies.Items
-	}
-
-	if len(src.Spec.LimitRanges.Items) > 0 {
-		in.Spec.LimitRanges = src.Spec.LimitRanges.Items
-	}
-
-	if len(src.Spec.ResourceQuota.Items) > 0 {
-		in.Annotations[resourceQuotaScopeAnnotation] = string(src.Spec.ResourceQuota.Scope)
-		in.Spec.ResourceQuota = src.Spec.ResourceQuota.Items
-	}
-
-	in.Spec.AdditionalRoleBindings = src.Spec.AdditionalRoleBindings
-
-	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.ExternalServiceIPs != nil {
-		in.Spec.ExternalServiceIPs = src.Spec.ServiceOptions.ExternalServiceIPs
-	}
-
-	if len(src.Spec.ImagePullPolicies) != 0 {
-		var pullPolicies []string
-
-		for _, policy := range src.Spec.ImagePullPolicies {
-			pullPolicies = append(pullPolicies, string(policy))
-		}
-
-		in.Annotations[podAllowedImagePullPolicyAnnotation] = strings.Join(pullPolicies, ",")
-	}
-
-	if src.Spec.PriorityClasses != nil {
-		if len(src.Spec.PriorityClasses.Exact) != 0 {
-			in.Annotations[podPriorityAllowedAnnotation] = strings.Join(src.Spec.PriorityClasses.Exact, ",")
-		}
-
-		if src.Spec.PriorityClasses.Regex != "" {
-			in.Annotations[podPriorityAllowedRegexAnnotation] = src.Spec.PriorityClasses.Regex
-		}
-	}
-
-	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AllowedServices != nil {
-		if src.Spec.ServiceOptions.AllowedServices.NodePort != nil {
-			in.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.NodePort)
-		}
-
-		if src.Spec.ServiceOptions.AllowedServices.ExternalName != nil {
-			in.Annotations[enableExternalNameAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.ExternalName)
-		}
-
-		if src.Spec.ServiceOptions.AllowedServices.LoadBalancer != nil {
-			in.Annotations[enableLoadBalancerAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.LoadBalancer)
-		}
-	}
-
-	// Status
-	in.Status = TenantStatus{
-		Size:       src.Status.Size,
-		Namespaces: src.Status.Namespaces,
-	}
-
-	return nil
-}

api/v1alpha1/conversion_hub_test.go

@@ -1,393 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	"sort"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	corev1 "k8s.io/api/core/v1"
-	networkingv1 "k8s.io/api/networking/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/resource"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/pointer"
-
-	capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
-	"github.com/projectcapsule/capsule/pkg/api"
-)
-
-//nolint:maintidx
-func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
-	var namespaceQuota int32 = 5
-
-	nodeSelector := map[string]string{
-		"foo": "bar",
-	}
-	v1alpha1AdditionalMetadataSpec := &AdditionalMetadata{
-		Labels: map[string]string{
-			"foo": "bar",
-		},
-		Annotations: map[string]string{
-			"foo": "bar",
-		},
-	}
-	v1alpha1AllowedListSpec := &api.AllowedListSpec{
-		Exact: []string{"foo", "bar"},
-		Regex: "^foo*",
-	}
-	v1beta1AdditionalMetadataSpec := &api.AdditionalMetadataSpec{
-		Labels: map[string]string{
-			"foo": "bar",
-		},
-		Annotations: map[string]string{
-			"foo": "bar",
-		},
-	}
-	v1beta1NamespaceOptions := &capsulev1beta1.NamespaceOptions{
-		Quota:              &namespaceQuota,
-		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
-	}
-	v1beta1ServiceOptions := &api.ServiceOptions{
-		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
-		AllowedServices: &api.AllowedServices{
-			NodePort:     pointer.Bool(false),
-			ExternalName: pointer.Bool(false),
-			LoadBalancer: pointer.Bool(false),
-		},
-		ExternalServiceIPs: &api.ExternalServiceIPsSpec{
-			Allowed: []api.AllowedIP{"192.168.0.1"},
-		},
-	}
-	v1beta2AllowedListSpec := &api.SelectorAllowedListSpec{
-		AllowedListSpec: api.AllowedListSpec{
-			Exact: []string{"foo", "bar"},
-			Regex: "^foo*",
-		},
-	}
-	networkPolicies := []networkingv1.NetworkPolicySpec{
-		{
-			Ingress: []networkingv1.NetworkPolicyIngressRule{
-				{
-					From: []networkingv1.NetworkPolicyPeer{
-						{
-							NamespaceSelector: &metav1.LabelSelector{
-								MatchLabels: map[string]string{
-									"foo": "tenant-resources",
-								},
-							},
-						},
-						{
-							PodSelector: &metav1.LabelSelector{},
-						},
-						{
-							IPBlock: &networkingv1.IPBlock{
-								CIDR: "192.168.0.0/12",
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-	limitRanges := []corev1.LimitRangeSpec{
-		{
-			Limits: []corev1.LimitRangeItem{
-				{
-					Type: corev1.LimitTypePod,
-					Min: map[corev1.ResourceName]resource.Quantity{
-						corev1.ResourceCPU:    resource.MustParse("50m"),
-						corev1.ResourceMemory: resource.MustParse("5Mi"),
-					},
-					Max: map[corev1.ResourceName]resource.Quantity{
-						corev1.ResourceCPU:    resource.MustParse("1"),
-						corev1.ResourceMemory: resource.MustParse("1Gi"),
-					},
-				},
-			},
-		},
-	}
-	resourceQuotas := []corev1.ResourceQuotaSpec{
-		{
-			Hard: map[corev1.ResourceName]resource.Quantity{
-				corev1.ResourceLimitsCPU:      resource.MustParse("8"),
-				corev1.ResourceLimitsMemory:   resource.MustParse("16Gi"),
-				corev1.ResourceRequestsCPU:    resource.MustParse("8"),
-				corev1.ResourceRequestsMemory: resource.MustParse("16Gi"),
-			},
-			Scopes: []corev1.ResourceQuotaScope{
-				corev1.ResourceQuotaScopeNotTerminating,
-			},
-		},
-	}
-
-	v1beta1Tnt := capsulev1beta1.Tenant{
-		TypeMeta: metav1.TypeMeta{},
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "alice",
-			Labels: map[string]string{
-				"foo": "bar",
-			},
-			Annotations: map[string]string{
-				"foo": "bar",
-			},
-		},
-		Spec: capsulev1beta1.TenantSpec{
-			Owners: capsulev1beta1.OwnerListSpec{
-				{
-					Kind: "User",
-					Name: "alice",
-					ProxyOperations: []capsulev1beta1.ProxySettings{
-						{
-							Kind:       "IngressClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"List", "Update", "Delete"},
-						},
-						{
-							Kind:       "Nodes",
-							Operations: []capsulev1beta1.ProxyOperation{"Update", "Delete"},
-						},
-						{
-							Kind:       "StorageClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"Update", "Delete"},
-						},
-					},
-				},
-				{
-					Kind: "User",
-					Name: "bob",
-					ProxyOperations: []capsulev1beta1.ProxySettings{
-						{
-							Kind:       "IngressClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"Update"},
-						},
-						{
-							Kind:       "StorageClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"List"},
-						},
-					},
-				},
-				{
-					Kind: "User",
-					Name: "jack",
-					ProxyOperations: []capsulev1beta1.ProxySettings{
-						{
-							Kind:       "IngressClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"Delete"},
-						},
-						{
-							Kind:       "Nodes",
-							Operations: []capsulev1beta1.ProxyOperation{"Delete"},
-						},
-						{
-							Kind:       "StorageClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"List"},
-						},
-						{
-							Kind:       "PriorityClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"List"},
-						},
-					},
-				},
-				{
-					Kind: "Group",
-					Name: "owner-foo",
-					ProxyOperations: []capsulev1beta1.ProxySettings{
-						{
-							Kind:       "IngressClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"List"},
-						},
-					},
-				},
-				{
-					Kind: "Group",
-					Name: "owner-bar",
-					ProxyOperations: []capsulev1beta1.ProxySettings{
-						{
-							Kind:       "IngressClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"List"},
-						},
-						{
-							Kind:       "StorageClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"Delete"},
-						},
-					},
-				},
-				{
-					Kind: "ServiceAccount",
-					Name: "system:serviceaccount:oil-production:default",
-					ProxyOperations: []capsulev1beta1.ProxySettings{
-						{
-							Kind:       "Nodes",
-							Operations: []capsulev1beta1.ProxyOperation{"Update"},
-						},
-					},
-				},
-				{
-					Kind: "ServiceAccount",
-					Name: "system:serviceaccount:gas-production:gas",
-					ProxyOperations: []capsulev1beta1.ProxySettings{
-						{
-							Kind:       "StorageClasses",
-							Operations: []capsulev1beta1.ProxyOperation{"Update"},
-						},
-					},
-				},
-			},
-			NamespaceOptions: v1beta1NamespaceOptions,
-			ServiceOptions:   v1beta1ServiceOptions,
-			StorageClasses:   &v1beta2AllowedListSpec.AllowedListSpec,
-			IngressOptions: capsulev1beta1.IngressOptions{
-				HostnameCollisionScope: api.HostnameCollisionScopeDisabled,
-				AllowedClasses:         &v1beta2AllowedListSpec.AllowedListSpec,
-				AllowedHostnames:       &v1beta2AllowedListSpec.AllowedListSpec,
-			},
-			ContainerRegistries: &v1beta2AllowedListSpec.AllowedListSpec,
-			NodeSelector:        nodeSelector,
-			NetworkPolicies: api.NetworkPolicySpec{
-				Items: networkPolicies,
-			},
-			LimitRanges: api.LimitRangesSpec{
-				Items: limitRanges,
-			},
-			ResourceQuota: api.ResourceQuotaSpec{
-				Scope: api.ResourceQuotaScopeNamespace,
-				Items: resourceQuotas,
-			},
-			AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
-				{
-					ClusterRoleName: "crds-rolebinding",
-					Subjects: []rbacv1.Subject{
-						{
-							Kind:     "Group",
-							APIGroup: rbacv1.GroupName,
-							Name:     "system:authenticated",
-						},
-					},
-				},
-			},
-			ImagePullPolicies: []api.ImagePullPolicySpec{"Always", "IfNotPresent"},
-			PriorityClasses: &api.AllowedListSpec{
-				Exact: []string{"default"},
-				Regex: "^tier-.*$",
-			},
-		},
-		Status: capsulev1beta1.TenantStatus{
-			Size:       1,
-			Namespaces: []string{"foo", "bar"},
-		},
-	}
-
-	v1alpha1Tnt := Tenant{
-		TypeMeta: metav1.TypeMeta{},
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "alice",
-			Labels: map[string]string{
-				"foo": "bar",
-			},
-			Annotations: map[string]string{
-				"foo":                                "bar",
-				podAllowedImagePullPolicyAnnotation:  "Always,IfNotPresent",
-				enableExternalNameAnnotation:         "false",
-				enableNodePortsAnnotation:            "false",
-				enableLoadBalancerAnnotation:         "false",
-				podPriorityAllowedAnnotation:         "default",
-				podPriorityAllowedRegexAnnotation:    "^tier-.*$",
-				ownerGroupsAnnotation:                "owner-foo,owner-bar",
-				ownerUsersAnnotation:                 "bob,jack",
-				ownerServiceAccountAnnotation:        "system:serviceaccount:oil-production:default,system:serviceaccount:gas-production:gas",
-				enableNodeUpdateAnnotation:           "alice,system:serviceaccount:oil-production:default",
-				enableNodeDeletionAnnotation:         "alice,jack",
-				enableStorageClassListingAnnotation:  "bob,jack",
-				enableStorageClassUpdateAnnotation:   "alice,system:serviceaccount:gas-production:gas",
-				enableStorageClassDeletionAnnotation: "alice,owner-bar",
-				enableIngressClassListingAnnotation:  "alice,owner-foo,owner-bar",
-				enableIngressClassUpdateAnnotation:   "alice,bob",
-				enableIngressClassDeletionAnnotation: "alice,jack",
-				enablePriorityClassListingAnnotation: "jack",
-				resourceQuotaScopeAnnotation:         "Namespace",
-				ingressHostnameCollisionScope:        "Disabled",
-			},
-		},
-		Spec: TenantSpec{
-			Owner: OwnerSpec{
-				Name: "alice",
-				Kind: "User",
-			},
-			NamespaceQuota:      &namespaceQuota,
-			NamespacesMetadata:  v1alpha1AdditionalMetadataSpec,
-			ServicesMetadata:    v1alpha1AdditionalMetadataSpec,
-			StorageClasses:      v1alpha1AllowedListSpec,
-			IngressClasses:      v1alpha1AllowedListSpec,
-			IngressHostnames:    v1alpha1AllowedListSpec,
-			ContainerRegistries: v1alpha1AllowedListSpec,
-			NodeSelector:        nodeSelector,
-			NetworkPolicies:     networkPolicies,
-			LimitRanges:         limitRanges,
-			ResourceQuota:       resourceQuotas,
-			AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
-				{
-					ClusterRoleName: "crds-rolebinding",
-					Subjects: []rbacv1.Subject{
-						{
-							Kind:     "Group",
-							APIGroup: rbacv1.GroupName,
-							Name:     "system:authenticated",
-						},
-					},
-				},
-			},
-			ExternalServiceIPs: &api.ExternalServiceIPsSpec{
-				Allowed: []api.AllowedIP{"192.168.0.1"},
-			},
-		},
-		Status: TenantStatus{
-			Size:       1,
-			Namespaces: []string{"foo", "bar"},
-		},
-	}
-
-	return v1alpha1Tnt, v1beta1Tnt
-}
-
-func TestConversionHub_ConvertTo(t *testing.T) {
-	v1beta1ConvertedTnt := capsulev1beta1.Tenant{}
-
-	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()
-	err := v1alpha1Tnt.ConvertTo(&v1beta1ConvertedTnt)
-
-	if assert.NoError(t, err) {
-		sort.Slice(v1beta1tnt.Spec.Owners, func(i, j int) bool {
-			return v1beta1tnt.Spec.Owners[i].Name < v1beta1tnt.Spec.Owners[j].Name
-		})
-		sort.Slice(v1beta1ConvertedTnt.Spec.Owners, func(i, j int) bool {
-			return v1beta1ConvertedTnt.Spec.Owners[i].Name < v1beta1ConvertedTnt.Spec.Owners[j].Name
-		})
-
-		for _, owner := range v1beta1tnt.Spec.Owners {
-			sort.Slice(owner.ProxyOperations, func(i, j int) bool {
-				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
-			})
-		}
-
-		for _, owner := range v1beta1ConvertedTnt.Spec.Owners {
-			sort.Slice(owner.ProxyOperations, func(i, j int) bool {
-				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
-			})
-		}
-
-		assert.Equal(t, v1beta1tnt, v1beta1ConvertedTnt)
-	}
-}
-
-func TestConversionHub_ConvertFrom(t *testing.T) {
-	v1alpha1ConvertedTnt := Tenant{}
-
-	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()
-
-	err := v1alpha1ConvertedTnt.ConvertFrom(&v1beta1tnt)
-	if assert.NoError(t, err) {
-		assert.EqualValues(t, v1alpha1Tnt, v1alpha1ConvertedTnt)
-	}
-}

api/v1alpha1/groupversion_info.go

@@ -1,23 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package v1alpha1 contains API Schema definitions for the capsule.clastix.io v1alpha1 API group
-// +kubebuilder:object:generate=true
-// +groupName=capsule.clastix.io
-package v1alpha1
-
-import (
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"sigs.k8s.io/controller-runtime/pkg/scheme"
-)
-
-var (
-	// GroupVersion is group version used to register these objects.
-	GroupVersion = schema.GroupVersion{Group: "capsule.clastix.io", Version: "v1alpha1"}
-
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
-	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
-
-	// AddToScheme adds the types in this group-version to the given scheme.
-	AddToScheme = SchemeBuilder.AddToScheme
-)

api/v1alpha1/owner.go

@@ -1,17 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-// OwnerSpec defines tenant owner name and kind.
-type OwnerSpec struct {
-	Name string `json:"name"`
-	Kind Kind   `json:"kind"`
-}
-
-// +kubebuilder:validation:Enum=User;Group
-type Kind string
-
-func (k Kind) String() string {
-	return string(k)
-}

api/v1alpha1/tenant_func.go

@@ -1,34 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	"sort"
-
-	corev1 "k8s.io/api/core/v1"
-)
-
-func (in *Tenant) IsFull() bool {
-	// we don't have limits on assigned Namespaces
-	if in.Spec.NamespaceQuota == nil {
-		return false
-	}
-
-	return len(in.Status.Namespaces) >= int(*in.Spec.NamespaceQuota)
-}
-
-func (in *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
-	var l []string
-
-	for _, ns := range namespaces {
-		if ns.Status.Phase == corev1.NamespaceActive {
-			l = append(l, ns.GetName())
-		}
-	}
-
-	sort.Strings(l)
-
-	in.Status.Namespaces = l
-	in.Status.Size = uint(len(l))
-}

api/v1alpha1/tenant_types.go

@@ -1,71 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	networkingv1 "k8s.io/api/networking/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/projectcapsule/capsule/pkg/api"
-)
-
-// TenantSpec defines the desired state of Tenant.
-type TenantSpec struct {
-	Owner OwnerSpec `json:"owner"`
-
-	// +kubebuilder:validation:Minimum=1
-	NamespaceQuota         *int32                           `json:"namespaceQuota,omitempty"`
-	NamespacesMetadata     *AdditionalMetadata              `json:"namespacesMetadata,omitempty"`
-	ServicesMetadata       *AdditionalMetadata              `json:"servicesMetadata,omitempty"`
-	StorageClasses         *api.AllowedListSpec             `json:"storageClasses,omitempty"`
-	IngressClasses         *api.AllowedListSpec             `json:"ingressClasses,omitempty"`
-	IngressHostnames       *api.AllowedListSpec             `json:"ingressHostnames,omitempty"`
-	ContainerRegistries    *api.AllowedListSpec             `json:"containerRegistries,omitempty"`
-	NodeSelector           map[string]string                `json:"nodeSelector,omitempty"`
-	NetworkPolicies        []networkingv1.NetworkPolicySpec `json:"networkPolicies,omitempty"`
-	LimitRanges            []corev1.LimitRangeSpec          `json:"limitRanges,omitempty"`
-	ResourceQuota          []corev1.ResourceQuotaSpec       `json:"resourceQuotas,omitempty"`
-	AdditionalRoleBindings []api.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
-	ExternalServiceIPs     *api.ExternalServiceIPsSpec      `json:"externalServiceIPs,omitempty"`
-}
-
-// TenantStatus defines the observed state of Tenant.
-type TenantStatus struct {
-	Size       uint     `json:"size"`
-	Namespaces []string `json:"namespaces,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:subresource:status
-// +kubebuilder:resource:scope=Cluster,shortName=tnt
-// +kubebuilder:printcolumn:name="Namespace quota",type="integer",JSONPath=".spec.namespaceQuota",description="The max amount of Namespaces can be created"
-// +kubebuilder:printcolumn:name="Namespace count",type="integer",JSONPath=".status.size",description="The total amount of Namespaces in use"
-// +kubebuilder:printcolumn:name="Owner name",type="string",JSONPath=".spec.owner.name",description="The assigned Tenant owner"
-// +kubebuilder:printcolumn:name="Owner kind",type="string",JSONPath=".spec.owner.kind",description="The assigned Tenant owner kind"
-// +kubebuilder:printcolumn:name="Node selector",type="string",JSONPath=".spec.nodeSelector",description="Node Selector applied to Pods"
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
-// +kubebuilder:deprecatedversion:warning="This version is going to be dropped in the upcoming version of Capsule; please, migrate to v1beta2 version."
-
-// Tenant is the Schema for the tenants API.
-type Tenant struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   TenantSpec   `json:"spec,omitempty"`
-	Status TenantStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// TenantList contains a list of Tenant.
-type TenantList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Tenant `json:"items"`
-}
-
-func init() {
-	SchemeBuilder.Register(&Tenant{}, &TenantList{})
-}

api/v1alpha1/tenant_webhook.go

@@ -1,21 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1alpha1
-
-import (
-	"os"
-
-	ctrl "sigs.k8s.io/controller-runtime"
-)
-
-func (in *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
-	certData, _ := os.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")
-	if len(certData) == 0 {
-		return nil
-	}
-
-	return ctrl.NewWebhookManagedBy(mgr).
-		For(in).
-		Complete()
-}

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,308 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Code generated by controller-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	"github.com/projectcapsule/capsule/pkg/api"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/api/networking/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-)
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AdditionalMetadata) DeepCopyInto(out *AdditionalMetadata) {
-	*out = *in
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Annotations != nil {
-		in, out := &in.Annotations, &out.Annotations
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalMetadata.
-func (in *AdditionalMetadata) DeepCopy() *AdditionalMetadata {
-	if in == nil {
-		return nil
-	}
-	out := new(AdditionalMetadata)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CapsuleConfiguration) DeepCopyInto(out *CapsuleConfiguration) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfiguration.
-func (in *CapsuleConfiguration) DeepCopy() *CapsuleConfiguration {
-	if in == nil {
-		return nil
-	}
-	out := new(CapsuleConfiguration)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CapsuleConfiguration) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CapsuleConfigurationList) DeepCopyInto(out *CapsuleConfigurationList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]CapsuleConfiguration, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationList.
-func (in *CapsuleConfigurationList) DeepCopy() *CapsuleConfigurationList {
-	if in == nil {
-		return nil
-	}
-	out := new(CapsuleConfigurationList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *CapsuleConfigurationList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CapsuleConfigurationSpec) DeepCopyInto(out *CapsuleConfigurationSpec) {
-	*out = *in
-	if in.UserGroups != nil {
-		in, out := &in.UserGroups, &out.UserGroups
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationSpec.
-func (in *CapsuleConfigurationSpec) DeepCopy() *CapsuleConfigurationSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(CapsuleConfigurationSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OwnerSpec) DeepCopyInto(out *OwnerSpec) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerSpec.
-func (in *OwnerSpec) DeepCopy() *OwnerSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(OwnerSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Tenant) DeepCopyInto(out *Tenant) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tenant.
-func (in *Tenant) DeepCopy() *Tenant {
-	if in == nil {
-		return nil
-	}
-	out := new(Tenant)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *Tenant) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TenantList) DeepCopyInto(out *TenantList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]Tenant, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantList.
-func (in *TenantList) DeepCopy() *TenantList {
-	if in == nil {
-		return nil
-	}
-	out := new(TenantList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *TenantList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
-	*out = *in
-	out.Owner = in.Owner
-	if in.NamespaceQuota != nil {
-		in, out := &in.NamespaceQuota, &out.NamespaceQuota
-		*out = new(int32)
-		**out = **in
-	}
-	if in.NamespacesMetadata != nil {
-		in, out := &in.NamespacesMetadata, &out.NamespacesMetadata
-		*out = new(AdditionalMetadata)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServicesMetadata != nil {
-		in, out := &in.ServicesMetadata, &out.ServicesMetadata
-		*out = new(AdditionalMetadata)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.StorageClasses != nil {
-		in, out := &in.StorageClasses, &out.StorageClasses
-		*out = new(api.AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IngressClasses != nil {
-		in, out := &in.IngressClasses, &out.IngressClasses
-		*out = new(api.AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IngressHostnames != nil {
-		in, out := &in.IngressHostnames, &out.IngressHostnames
-		*out = new(api.AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ContainerRegistries != nil {
-		in, out := &in.ContainerRegistries, &out.ContainerRegistries
-		*out = new(api.AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.NodeSelector != nil {
-		in, out := &in.NodeSelector, &out.NodeSelector
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.NetworkPolicies != nil {
-		in, out := &in.NetworkPolicies, &out.NetworkPolicies
-		*out = make([]v1.NetworkPolicySpec, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.LimitRanges != nil {
-		in, out := &in.LimitRanges, &out.LimitRanges
-		*out = make([]corev1.LimitRangeSpec, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.ResourceQuota != nil {
-		in, out := &in.ResourceQuota, &out.ResourceQuota
-		*out = make([]corev1.ResourceQuotaSpec, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.AdditionalRoleBindings != nil {
-		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
-		*out = make([]api.AdditionalRoleBindingsSpec, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.ExternalServiceIPs != nil {
-		in, out := &in.ExternalServiceIPs, &out.ExternalServiceIPs
-		*out = new(api.ExternalServiceIPsSpec)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.
-func (in *TenantSpec) DeepCopy() *TenantSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(TenantSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TenantStatus) DeepCopyInto(out *TenantStatus) {
-	*out = *in
-	if in.Namespaces != nil {
-		in, out := &in.Namespaces, &out.Namespaces
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatus.
-func (in *TenantStatus) DeepCopy() *TenantStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(TenantStatus)
-	in.DeepCopyInto(out)
-	return out
-}

api/v1beta1/zz_generated.deepcopy.go

@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 // Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0

api/v1beta2/capsuleconfiguration_convertion_hub.go

@@ -1,142 +0,0 @@
-// Copyright 2020-2023 Project Capsule Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package v1beta2
-
-import (
-	"fmt"
-	"strconv"
-	"strings"
-
-	"sigs.k8s.io/controller-runtime/pkg/conversion"
-
-	capsulev1alpha1 "github.com/projectcapsule/capsule/api/v1alpha1"
-)
-
-func (in *CapsuleConfiguration) ConvertTo(raw conversion.Hub) error {
-	dst, ok := raw.(*capsulev1alpha1.CapsuleConfiguration)
-	if !ok {
-		return fmt.Errorf("expected type *capsulev1alpha1.CapsuleConfiguration, got %T", dst)
-	}
-
-	dst.ObjectMeta = in.ObjectMeta
-	dst.Spec.ProtectedNamespaceRegexpString = in.Spec.ProtectedNamespaceRegexpString
-	dst.Spec.UserGroups = in.Spec.UserGroups
-	dst.Spec.ProtectedNamespaceRegexpString = in.Spec.ProtectedNamespaceRegexpString
-
-	annotations := dst.GetAnnotations()
-	if annotations == nil {
-		annotations = make(map[string]string)
-	}
-
-	if in.Spec.NodeMetadata != nil {
-		if len(in.Spec.NodeMetadata.ForbiddenLabels.Exact) > 0 {
-			annotations[capsulev1alpha1.ForbiddenNodeLabelsAnnotation] = strings.Join(in.Spec.NodeMetadata.ForbiddenLabels.Exact, ",")
-		}
-
-		if len(in.Spec.NodeMetadata.ForbiddenLabels.Regex) > 0 {
-			annotations[capsulev1alpha1.ForbiddenNodeLabelsRegexpAnnotation] = in.Spec.NodeMetadata.ForbiddenLabels.Regex
-		}
-
-		if len(in.Spec.NodeMetadata.ForbiddenAnnotations.Exact) > 0 {
-			annotations[capsulev1alpha1.ForbiddenNodeAnnotationsAnnotation] = strings.Join(in.Spec.NodeMetadata.ForbiddenAnnotations.Exact, ",")
-		}
-
-		if len(in.Spec.NodeMetadata.ForbiddenAnnotations.Regex) > 0 {
-			annotations[capsulev1alpha1.ForbiddenNodeAnnotationsRegexpAnnotation] = in.Spec.NodeMetadata.ForbiddenAnnotations.Regex
-		}
-	}
-
-	annotations[capsulev1alpha1.EnableTLSConfigurationAnnotationName] = fmt.Sprintf("%t", in.Spec.EnableTLSReconciler)
-	annotations[capsulev1alpha1.TLSSecretNameAnnotation] = in.Spec.CapsuleResources.TLSSecretName
-	annotations[capsulev1alpha1.MutatingWebhookConfigurationName] = in.Spec.CapsuleResources.MutatingWebhookConfigurationName
-	annotations[capsulev1alpha1.ValidatingWebhookConfigurationName] = in.Spec.CapsuleResources.ValidatingWebhookConfigurationName
-
-	dst.SetAnnotations(annotations)
-
-	return nil
-}
-
-func (in *CapsuleConfiguration) ConvertFrom(raw conversion.Hub) error {
-	src, ok := raw.(*capsulev1alpha1.CapsuleConfiguration)
-	if !ok {
-		return fmt.Errorf("expected type *capsulev1alpha1.CapsuleConfiguration, got %T", src)
-	}
-
-	in.ObjectMeta = src.ObjectMeta
-	in.Spec.ProtectedNamespaceRegexpString = src.Spec.ProtectedNamespaceRegexpString
-	in.Spec.UserGroups = src.Spec.UserGroups
-	in.Spec.ProtectedNamespaceRegexpString = src.Spec.ProtectedNamespaceRegexpString
-
-	annotations := src.GetAnnotations()
-
-	if value, found := annotations[capsulev1alpha1.ForbiddenNodeLabelsAnnotation]; found {
-		if in.Spec.NodeMetadata == nil {
-			in.Spec.NodeMetadata = &NodeMetadata{}
-		}
-
-		in.Spec.NodeMetadata.ForbiddenLabels.Exact = strings.Split(value, ",")
-
-		delete(annotations, capsulev1alpha1.ForbiddenNodeLabelsAnnotation)
-	}
-
-	if value, found := annotations[capsulev1alpha1.ForbiddenNodeLabelsRegexpAnnotation]; found {
-		if in.Spec.NodeMetadata == nil {
-			in.Spec.NodeMetadata = &NodeMetadata{}
-		}
-
-		in.Spec.NodeMetadata.ForbiddenLabels.Regex = value
-
-		delete(annotations, capsulev1alpha1.ForbiddenNodeLabelsRegexpAnnotation)
-	}
-
-	if value, found := annotations[capsulev1alpha1.ForbiddenNodeAnnotationsAnnotation]; found {
-		if in.Spec.NodeMetadata == nil {
-			in.Spec.NodeMetadata = &NodeMetadata{}
-		}
-
-		in.Spec.NodeMetadata.ForbiddenAnnotations.Exact = strings.Split(value, ",")
-
-		delete(annotations, capsulev1alpha1.ForbiddenNodeAnnotationsAnnotation)
-	}
-
-	if value, found := annotations[capsulev1alpha1.ForbiddenNodeAnnotationsRegexpAnnotation]; found {
-		if in.Spec.NodeMetadata == nil {
-			in.Spec.NodeMetadata = &NodeMetadata{}
-		}
-
-		in.Spec.NodeMetadata.ForbiddenAnnotations.Regex = value
-
-		delete(annotations, capsulev1alpha1.ForbiddenNodeAnnotationsRegexpAnnotation)
-	}
-
-	if value, found := annotations[capsulev1alpha1.EnableTLSConfigurationAnnotationName]; found {
-		v, _ := strconv.ParseBool(value)
-
-		in.Spec.EnableTLSReconciler = v
-
-		delete(annotations, capsulev1alpha1.EnableTLSConfigurationAnnotationName)
-	}
-
-	if value, found := annotations[capsulev1alpha1.TLSSecretNameAnnotation]; found {
-		in.Spec.CapsuleResources.TLSSecretName = value
-
-		delete(annotations, capsulev1alpha1.TLSSecretNameAnnotation)
-	}
-
-	if value, found := annotations[capsulev1alpha1.MutatingWebhookConfigurationName]; found {
-		in.Spec.CapsuleResources.MutatingWebhookConfigurationName = value
-
-		delete(annotations, capsulev1alpha1.MutatingWebhookConfigurationName)
-	}
-
-	if value, found := annotations[capsulev1alpha1.ValidatingWebhookConfigurationName]; found {
-		in.Spec.CapsuleResources.ValidatingWebhookConfigurationName = value
-
-		delete(annotations, capsulev1alpha1.ValidatingWebhookConfigurationName)
-	}
-
-	in.SetAnnotations(annotations)
-
-	return nil
-}

api/v1beta2/owner.go

@@ -48,6 +48,7 @@ const (
 	PriorityClassesProxy   ProxyServiceKind = "PriorityClasses"
 	RuntimeClassesProxy    ProxyServiceKind = "RuntimeClasses"
 	PersistentVolumesProxy ProxyServiceKind = "PersistentVolumes"
+	TenantProxy            ProxyServiceKind = "Tenant"
 
 	ListOperation   ProxyOperation = "List"
 	UpdateOperation ProxyOperation = "Update"

api/v1beta2/tenant_annotations.go

@@ -7,21 +7,25 @@ import (
 	"crypto/md5" //#nosec
 	"encoding/hex"
 	"fmt"
+	"strings"
 )
 
 const (
 	// Annotation name part must be no more than 63 characters.
 	maxAnnotationLength = 63
+
+	HardCapsuleQuotaAnnotation = "quota.capsule.clastix.io/hard-"
+	UsedCapsuleQuotaAnnotation = "quota.capsule.clastix.io/used-"
 )
 
 func createAnnotation(format string, resource fmt.Stringer) (string, error) {
-	suffix := resource.String()
+	resourceStr := strings.ReplaceAll(resource.String(), "/", "_")
 
-	hash := md5.Sum([]byte(resource.String())) //#nosec
+	hash := md5.Sum([]byte(resourceStr)) //#nosec
 
 	hashed := hex.EncodeToString(hash[:])
 	capsuleHashed := format + hashed
-	capsuleAnnotation := format + suffix
+	capsuleAnnotation := format + resourceStr
 
 	switch {
 	case len(capsuleAnnotation) <= maxAnnotationLength:
@@ -36,9 +40,9 @@ func createAnnotation(format string, resource fmt.Stringer) (string, error) {
 }
 
 func UsedQuotaFor(resource fmt.Stringer) (string, error) {
-	return createAnnotation("quota.capsule.clastix.io/used-", resource)
+	return createAnnotation(UsedCapsuleQuotaAnnotation, resource)
 }
 
 func HardQuotaFor(resource fmt.Stringer) (string, error) {
-	return createAnnotation("quota.capsule.clastix.io/hard-", resource)
+	return createAnnotation(HardCapsuleQuotaAnnotation, resource)
 }

api/v1beta2/tenant_func.go

@@ -4,9 +4,13 @@
 package v1beta2
 
 import (
+	"slices"
 	"sort"
 
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 func (in *Tenant) IsFull() bool {
@@ -36,3 +40,128 @@ func (in *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
 func (in *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
 	return in.Spec.Owners.FindOwner(name, kind).ProxyOperations
 }
+
+// GetClusterRolePermissions returns a map where the clusterRole is the key
+// and the value is a list of permission subjects (kind and name) that reference that role.
+// These mappings are gathered from the owners and additionalRolebindings spec.
+func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
+	rolePerms = make(map[string][]rbacv1.Subject)
+
+	// Helper to add permissions for a given clusterRole
+	addPermission := func(clusterRole string, permission rbacv1.Subject) {
+		if _, exists := rolePerms[clusterRole]; !exists {
+			rolePerms[clusterRole] = []rbacv1.Subject{}
+		}
+
+		rolePerms[clusterRole] = append(rolePerms[clusterRole], permission)
+	}
+
+	// Helper to check if a kind is in the ignoreOwnerKind list
+	isIgnoredKind := func(kind string) bool {
+		for _, ignored := range ignoreOwnerKind {
+			if kind == ignored.String() {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	// Process owners
+	for _, owner := range in.Spec.Owners {
+		if !isIgnoredKind(owner.Kind.String()) {
+			for _, clusterRole := range owner.ClusterRoles {
+				perm := rbacv1.Subject{
+					Name: owner.Name,
+					Kind: owner.Kind.String(),
+				}
+				addPermission(clusterRole, perm)
+			}
+		}
+	}
+
+	// Process additional role bindings
+	for _, role := range in.Spec.AdditionalRoleBindings {
+		for _, subject := range role.Subjects {
+			if !isIgnoredKind(subject.Kind) {
+				perm := rbacv1.Subject{
+					Name: subject.Name,
+					Kind: subject.Kind,
+				}
+				addPermission(role.ClusterRoleName, perm)
+			}
+		}
+	}
+
+	return
+}
+
+// Get the permissions for a tenant ordered by groups and users.
+func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
+	maps = make(map[string]map[string]api.TenantSubjectRoles)
+
+	// Initialize a nested map for kind ("User", "Group") and name
+	initNestedMap := func(kind string) {
+		if _, exists := maps[kind]; !exists {
+			maps[kind] = make(map[string]api.TenantSubjectRoles)
+		}
+	}
+	// Helper to check if a kind is in the ignoreOwnerKind list
+	isIgnoredKind := func(kind string) bool {
+		for _, ignored := range ignoreOwnerKind {
+			if kind == ignored.String() {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	// Process owners
+	for _, owner := range in.Spec.Owners {
+		if !isIgnoredKind(owner.Kind.String()) {
+			initNestedMap(owner.Kind.String())
+
+			if perm, exists := maps[owner.Kind.String()][owner.Name]; exists {
+				// If the permission entry already exists, append cluster roles
+				perm.ClusterRoles = append(perm.ClusterRoles, owner.ClusterRoles...)
+				maps[owner.Kind.String()][owner.Name] = perm
+			} else {
+				// Create a new permission entry
+				maps[owner.Kind.String()][owner.Name] = api.TenantSubjectRoles{
+					ClusterRoles: owner.ClusterRoles,
+				}
+			}
+		}
+	}
+
+	// Process additional role bindings
+	for _, role := range in.Spec.AdditionalRoleBindings {
+		for _, subject := range role.Subjects {
+			if !isIgnoredKind(subject.Kind) {
+				initNestedMap(subject.Kind)
+
+				if perm, exists := maps[subject.Kind][subject.Name]; exists {
+					// If the permission entry already exists, append cluster roles
+					perm.ClusterRoles = append(perm.ClusterRoles, role.ClusterRoleName)
+					maps[subject.Kind][subject.Name] = perm
+				} else {
+					// Create a new permission entry
+					maps[subject.Kind][subject.Name] = api.TenantSubjectRoles{
+						ClusterRoles: []string{role.ClusterRoleName},
+					}
+				}
+			}
+		}
+	}
+
+	// Remove duplicates from cluster roles in both maps
+	for kind, nameMap := range maps {
+		for name, perm := range nameMap {
+			perm.ClusterRoles = slices.Compact(perm.ClusterRoles)
+			maps[kind][name] = perm
+		}
+	}
+
+	return maps
+}

api/v1beta2/tenant_func_test.go

@@ -0,0 +1,192 @@
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+var tenant = &Tenant{
+	Spec: TenantSpec{
+		Owners: []OwnerSpec{
+			{
+				Kind:         "User",
+				Name:         "user1",
+				ClusterRoles: []string{"cluster-admin", "read-only"},
+			},
+			{
+				Kind:         "Group",
+				Name:         "group1",
+				ClusterRoles: []string{"edit"},
+			},
+			{
+				Kind:         ServiceAccountOwner,
+				Name:         "service",
+				ClusterRoles: []string{"read-only"},
+			},
+		},
+		AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
+			{
+				ClusterRoleName: "developer",
+				Subjects: []rbacv1.Subject{
+					{Kind: "User", Name: "user2"},
+					{Kind: "Group", Name: "group1"},
+				},
+			},
+			{
+				ClusterRoleName: "cluster-admin",
+				Subjects: []rbacv1.Subject{
+					{
+						Kind: "User",
+						Name: "user3",
+					},
+					{
+						Kind: "Group",
+						Name: "group1",
+					},
+				},
+			},
+			{
+				ClusterRoleName: "deployer",
+				Subjects: []rbacv1.Subject{
+					{
+						Kind: "ServiceAccount",
+						Name: "system:serviceaccount:argocd:argo-operator",
+					},
+				},
+			},
+		},
+	},
+}
+
+// TestGetClusterRolePermissions tests the GetClusterRolePermissions function
+func TestGetSubjectsByClusterRoles(t *testing.T) {
+	expected := map[string][]rbacv1.Subject{
+		"cluster-admin": {
+			{Kind: "User", Name: "user1"},
+			{Kind: "User", Name: "user3"},
+			{Kind: "Group", Name: "group1"},
+		},
+		"read-only": {
+			{Kind: "User", Name: "user1"},
+			{Kind: "ServiceAccount", Name: "service"},
+		},
+		"edit": {
+			{Kind: "Group", Name: "group1"},
+		},
+		"developer": {
+			{Kind: "User", Name: "user2"},
+			{Kind: "Group", Name: "group1"},
+		},
+		"deployer": {
+			{Kind: "ServiceAccount", Name: "system:serviceaccount:argocd:argo-operator"},
+		},
+	}
+
+	// Call the function to test
+	permissions := tenant.GetSubjectsByClusterRoles(nil)
+
+	if !reflect.DeepEqual(permissions, expected) {
+		t.Errorf("Expected %v, but got %v", expected, permissions)
+	}
+
+	// Ignore SubjectTypes (Ignores ServiceAccounts)
+	ignored := tenant.GetSubjectsByClusterRoles([]OwnerKind{"ServiceAccount"})
+	expectedIgnored := map[string][]rbacv1.Subject{
+		"cluster-admin": {
+			{Kind: "User", Name: "user1"},
+			{Kind: "User", Name: "user3"},
+			{Kind: "Group", Name: "group1"},
+		},
+		"read-only": {
+			{Kind: "User", Name: "user1"},
+		},
+		"edit": {
+			{Kind: "Group", Name: "group1"},
+		},
+		"developer": {
+			{Kind: "User", Name: "user2"},
+			{Kind: "Group", Name: "group1"},
+		},
+	}
+
+	if !reflect.DeepEqual(ignored, expectedIgnored) {
+		t.Errorf("Expected %v, but got %v", expectedIgnored, ignored)
+	}
+
+}
+
+func TestGetClusterRolesBySubject(t *testing.T) {
+
+	expected := map[string]map[string]api.TenantSubjectRoles{
+		"User": {
+			"user1": {
+				ClusterRoles: []string{"cluster-admin", "read-only"},
+			},
+			"user2": {
+				ClusterRoles: []string{"developer"},
+			},
+			"user3": {
+				ClusterRoles: []string{"cluster-admin"},
+			},
+		},
+		"Group": {
+			"group1": {
+				ClusterRoles: []string{"edit", "developer", "cluster-admin"},
+			},
+		},
+		"ServiceAccount": {
+			"service": {
+				ClusterRoles: []string{"read-only"},
+			},
+			"system:serviceaccount:argocd:argo-operator": {
+				ClusterRoles: []string{"deployer"},
+			},
+		},
+	}
+
+	permissions := tenant.GetClusterRolesBySubject(nil)
+	if !reflect.DeepEqual(permissions, expected) {
+		t.Errorf("Expected %v, but got %v", expected, permissions)
+	}
+
+	delete(expected, "ServiceAccount")
+	ignored := tenant.GetClusterRolesBySubject([]OwnerKind{"ServiceAccount"})
+
+	if !reflect.DeepEqual(ignored, expected) {
+		t.Errorf("Expected %v, but got %v", expected, ignored)
+	}
+}
+
+// Helper function to run tests
+func TestMain(t *testing.M) {
+	t.Run()
+}
+
+// permissionsEqual checks the equality of two TenantPermission structs.
+func permissionsEqual(a, b api.TenantSubjectRoles) bool {
+	if a.Kind != b.Kind {
+		return false
+	}
+	if len(a.ClusterRoles) != len(b.ClusterRoles) {
+		return false
+	}
+
+	// Create a map to count occurrences of cluster roles
+	counts := make(map[string]int)
+	for _, role := range a.ClusterRoles {
+		counts[role]++
+	}
+	for _, role := range b.ClusterRoles {
+		counts[role]--
+		if counts[role] < 0 {
+			return false // More occurrences in b than in a
+		}
+	}
+	return true
+}

api/v1beta2/tenant_types.go

@@ -17,6 +17,8 @@ type TenantSpec struct {
 	NamespaceOptions *NamespaceOptions `json:"namespaceOptions,omitempty"`
 	// Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
 	ServiceOptions *api.ServiceOptions `json:"serviceOptions,omitempty"`
+	// Specifies options for the Pods deployed in the Tenant namespaces, such as additional metadata.
+	PodOptions *api.PodOptions `json:"podOptions,omitempty"`
 	// Specifies the allowed StorageClasses assigned to the Tenant.
 	// Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses.
 	// A default value can be specified, and all the PersistentVolumeClaim resources created will inherit the declared class.
@@ -41,16 +43,18 @@ type TenantSpec struct {
 	// Specifies the allowed RuntimeClasses assigned to the Tenant.
 	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
 	// Optional.
-	RuntimeClasses *api.SelectorAllowedListSpec `json:"runtimeClasses,omitempty"`
+	RuntimeClasses *api.DefaultAllowedListSpec `json:"runtimeClasses,omitempty"`
 	// Specifies the allowed priorityClasses assigned to the Tenant.
 	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses.
 	// A default value can be specified, and all the Pod resources created will inherit the declared class.
 	// Optional.
 	PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
 	// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
+	//+kubebuilder:default:=false
 	Cordoned bool `json:"cordoned,omitempty"`
 	// Prevent accidental deletion of the Tenant.
 	// When enabled, the deletion request will be declined.
+	//+kubebuilder:default:=false
 	PreventDeletion bool `json:"preventDeletion,omitempty"`
 }
 

api/v1beta2/zz_generated.deepcopy.go

@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 // Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
@@ -716,6 +715,11 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(api.ServiceOptions)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.PodOptions != nil {
+		in, out := &in.PodOptions, &out.PodOptions
+		*out = new(api.PodOptions)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.StorageClasses != nil {
 		in, out := &in.StorageClasses, &out.StorageClasses
 		*out = new(api.DefaultAllowedListSpec)
@@ -751,7 +755,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 	}
 	if in.RuntimeClasses != nil {
 		in, out := &in.RuntimeClasses, &out.RuntimeClasses
-		*out = new(api.SelectorAllowedListSpec)
+		*out = new(api.DefaultAllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.PriorityClasses != nil {

charts/capsule/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: capsule-proxy
+  repository: oci://ghcr.io/projectcapsule/charts
+  version: 0.6.0
+digest: sha256:4cf05b352f1c38a821081cc01ac5f2a84ed7d68514a5b98e63edba5ab1c7b19e
+generated: "2024-03-05T17:09:58.383699+01:00"

charts/capsule/Chart.yaml

@@ -3,7 +3,13 @@ type: application
 description: A Helm chart to deploy the Capsule Operator for easily implementing,
   managing, and maintaining mutitenancy and access control in Kubernetes.
 home: https://github.com/projectcapsule/capsule
-icon: https://github.com/projectcapsule/capsule/raw/master/assets/logo/capsule_small.png
+icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
+dependencies:
+  - name: capsule-proxy
+    version: 0.6.0
+    repository: "oci://ghcr.io/projectcapsule/charts"
+    condition: proxy.enabled
+    alias: proxy
 keywords:
 - kubernetes
 - operator
@@ -13,16 +19,28 @@ keywords:
 - multitenant
 - namespace
 maintainers:
-- email: hello@clastix.io
-  name: Clastix Labs Team
+  - name: capsule-maintainers
+    email: cncf-capsule-maintainers@lists.cncf.io
 name: capsule
 sources:
 - https://github.com/projectcapsule/capsule
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: 0.4.6
-
-# This is the version number of the application being deployed.
-# This version number should be incremented each time you make changes to the application.
-appVersion: 0.3.3
+# Note: The version is overwritten by the release workflow.
+version: 0.6.0
+# Note: The version is overwritten by the release workflow.
+appVersion: 0.5.0
+annotations:
+  artifacthub.io/operator: "true"
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/maintainers: |
+    - name: capsule-maintainers
+      email: cncf-capsule-maintainers@lists.cncf.io
+  artifacthub.io/links: |
+    - name: Documentation
+      url: https://projectcapsule.dev/
+  artifacthub.io/changes: |
+    - kind: added
+      description: bundled crd lifecycle
+    - kind: changed
+      description: removed PodSecurityPolicy support

charts/capsule/README.md

@@ -16,21 +16,39 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
 
 * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
 
-## Quick Start
+## Major Changes
 
+In the following sections you see actions which are required when you are upgrading to a specific version.
+
+### Upgrading to 0.7.x
+
+Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
+When you newly install the chart we recommend to set  `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
+
+#### Changed Values
+
+The following Values have changed key or Value:
+
+  * All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
+  * `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
+  * `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
+
+## Installation
+
+The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
 The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
 
 1. Add this repository:
 
         $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
-2. Install the Chart:
+2. Install Capsule:
 
-        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
 
         or
 
-        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0  -n capsule-system --create-namespace
 
 3. Show the status:
 
@@ -58,7 +76,7 @@ Specify your overrides file when you install the chart:
 
         $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
 
-The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
+The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
 
 If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
 
@@ -66,6 +84,15 @@ If you only need to make minor customizations, you can specify them on the comma
 
 Here the values you can override:
 
+### CustomResourceDefinition Lifecycle
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| crds.annnotations | object | `{}` | Extra Annotations for CRDs |
+| crds.exclusive | bool | `false` | Only install the CRDs, no other primitives |
+| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
+| crds.labels | object | `{}` | Extra Labels for CRDs |
+
 ### General Parameters
 
 | Key | Type | Default | Description |
@@ -75,27 +102,36 @@ Here the values you can override:
 | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
 | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
 | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
+| jobs.affinity | object | `{}` | Set affinity rules |
+| jobs.annotations | object | `{"helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded"}` | Annotations to add to the certgen job. |
 | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
 | jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
 | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
 | jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
-| mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
+| jobs.nodeSelector | object | `{}` | Set the node selector |
+| jobs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
+| jobs.priorityClassName | string | `""` | Set a pod priorityClassName |
+| jobs.resources | object | `{}` | Job resources |
+| jobs.restartPolicy | string | `"Never"` | Set the restartPolicy |
+| jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
+| jobs.tolerations | list | `[]` | Set list of tolerations |
+| jobs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
+| jobs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
 | podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
-| podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
+| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
-| serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
 | tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
 | tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
 | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
 | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
 | topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
-| validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
 
 ### Manager Parameters
 
@@ -108,17 +144,18 @@ Here the values you can override:
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
 | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
-| manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups |
+| manager.options.capsuleConfiguration | string | `"default"` | Change the default name of the capsule configuration name |
+| manager.options.capsuleUserGroups | list | `["projectcapsule.dev"]` | Override the Capsule user groups |
 | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
 | manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
 | manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 |
 | manager.options.nodeMetadata | object | `{"forbiddenAnnotations":{"denied":[],"deniedRegex":""},"forbiddenLabels":{"denied":[],"deniedRegex":""}}` | Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant |
 | manager.options.protectedNamespaceRegex | string | `""` | If specified, disallows creation of namespaces matching the passed regexp |
+| manager.rbac.create | bool | `true` | Specifies whether RBAC resources should be created. |
+| manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
+| manager.rbac.existingRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
-| manager.resources.limits.cpu | string | `"200m"` |  |
-| manager.resources.limits.memory | string | `"128Mi"` |  |
-| manager.resources.requests.cpu | string | `"200m"` |  |
-| manager.resources.requests.memory | string | `"128Mi"` |  |
+| manager.resources | object | `{}` | Set the resource requests/limits for the Capsule manager container |
 | manager.webhookPort | int | `9443` | Set an alternative to the default container port.  Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |
 
 ### ServiceMonitor Parameters
@@ -136,42 +173,50 @@ Here the values you can override:
 | serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
 | serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
 
-### Webhook Parameters
+### Webhooks Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| webhooks.cordoning.failurePolicy | string | `"Fail"` |  |
-| webhooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.defaults.ingress.failurePolicy | string | `"Fail"` |  |
-| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.defaults.pods.failurePolicy | string | `"Fail"` |  |
-| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.defaults.pvc.failurePolicy | string | `"Fail"` |  |
-| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.ingresses.failurePolicy | string | `"Fail"` |  |
-| webhooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` |  |
-| webhooks.namespaces.failurePolicy | string | `"Fail"` |  |
-| webhooks.networkpolicies.failurePolicy | string | `"Fail"` |  |
-| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.nodes.failurePolicy | string | `"Fail"` |  |
-| webhooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` |  |
-| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.pods.failurePolicy | string | `"Fail"` |  |
-| webhooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.services.failurePolicy | string | `"Fail"` |  |
-| webhooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.tenantResourceObjects.failurePolicy | string | `"Fail"` |  |
-| webhooks.tenants.failurePolicy | string | `"Fail"` |  |
+| webhooks.exclusive | bool | `false` | When `crds.exclusive` is `true` the webhooks will be installed |
+| webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.defaults.ingress.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.defaults.pods.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.defaults.pvc.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.ingresses.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.nodes.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.pods.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.services.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.tenantResourceObjects.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.tenants.failurePolicy | string | `"Fail"` |  |
+| webhooks.mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
+| webhooks.service.caBundle | string | `""` | CABundle for the webhook service |
+| webhooks.service.name | string | `""` | Custom service name for the webhook service |
+| webhooks.service.namespace | string | `""` | Custom service namespace for the webhook service |
+| webhooks.service.port | string | `nil` | Custom service port for the webhook service |
+| webhooks.service.url | string | `""` | The URL where the capsule webhook services are running (Overwrites cluster scoped service definition) |
+| webhooks.validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
 
 ## Created resources
 

charts/capsule/README.md.gotmpl

@@ -16,21 +16,40 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
 
 * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
 
-## Quick Start
+## Major Changes 
 
+In the following sections you see actions which are required when you are upgrading to a specific version.
+
+### Upgrading to 0.7.x
+
+Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
+When you newly install the chart we recommend to set  `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
+
+#### Changed Values 
+
+The following Values have changed key or Value:
+
+  * All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
+  * `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
+  * `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
+
+
+## Installation
+
+The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
 The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
 
 1. Add this repository:
 
         $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
-2. Install the Chart:
+2. Install Capsule:
 
-        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
 
         or
 
-        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0  -n capsule-system --create-namespace
 
 3. Show the status:
 
@@ -58,7 +77,7 @@ Specify your overrides file when you install the chart:
 
         $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
 
-The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
+The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
 
 If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
 
@@ -66,13 +85,23 @@ If you only need to make minor customizations, you can specify them on the comma
 
 Here the values you can override:
 
+### CustomResourceDefinition Lifecycle
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if (hasPrefix "crds" .Key)  }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
 
 ### General Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
+  {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
   {{- end }}
 {{- end }}
@@ -97,7 +126,7 @@ Here the values you can override:
   {{- end }}
 {{- end }}
 
-### Webhook Parameters
+### Webhooks Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|

charts/capsule/ci/proxy-values.yaml

@@ -0,0 +1,7 @@
+proxy:
+  enabled: true
+manager:
+  resources:
+    requests:
+      cpu: 200m
+      memory: 128Mi

charts/capsule/ci/test-values.yaml

@@ -1,9 +1,12 @@
 fullnameOverride: capsule
 manager:
   resources:
-    limits:
-      cpu: 500m
-      memory: 512Mi
     requests:
       cpu: 200m
       memory: 128Mi
+  rbac:
+    create: true
+    existingClusterRoles:
+    - "view"
+    existingRoles:
+    - "some-role"

charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch

@@ -0,0 +1,14 @@
+metadata:
+  annotations:
+  {{- if $.Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert
+  {{-  end }}
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        {{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
+      conversionReviewVersions:
+        - v1beta1
+        - v1beta2

charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml

@@ -0,0 +1,132 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: capsuleconfigurations.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: CapsuleConfiguration
+    listKind: CapsuleConfigurationList
+    plural: capsuleconfigurations
+    singular: capsuleconfiguration
+  scope: Cluster
+  versions:
+  - name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: CapsuleConfiguration is the Schema for the Capsule configuration
+          API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: CapsuleConfigurationSpec defines the Capsule configuration.
+            properties:
+              enableTLSReconciler:
+                default: true
+                description: |-
+                  Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
+                  when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
+                type: boolean
+              forceTenantPrefix:
+                default: false
+                description: |-
+                  Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
+                  separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
+                type: boolean
+              nodeMetadata:
+                description: |-
+                  Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
+                  This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
+                properties:
+                  forbiddenAnnotations:
+                    description: Define the annotations that a Tenant Owner cannot
+                      set for their nodes.
+                    properties:
+                      denied:
+                        items:
+                          type: string
+                        type: array
+                      deniedRegex:
+                        type: string
+                    type: object
+                  forbiddenLabels:
+                    description: Define the labels that a Tenant Owner cannot set
+                      for their nodes.
+                    properties:
+                      denied:
+                        items:
+                          type: string
+                        type: array
+                      deniedRegex:
+                        type: string
+                    type: object
+                required:
+                - forbiddenAnnotations
+                - forbiddenLabels
+                type: object
+              overrides:
+                default:
+                  TLSSecretName: capsule-tls
+                  mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
+                  validatingWebhookConfigurationName: capsule-validating-webhook-configuration
+                description: |-
+                  Allows to set different name rather than the canonical one for the Capsule configuration objects,
+                  such as webhook secret or configurations.
+                properties:
+                  TLSSecretName:
+                    default: capsule-tls
+                    description: |-
+                      Defines the Secret name used for the webhook server.
+                      Must be in the same Namespace where the Capsule Deployment is deployed.
+                    type: string
+                  mutatingWebhookConfigurationName:
+                    default: capsule-mutating-webhook-configuration
+                    description: Name of the MutatingWebhookConfiguration which contains
+                      the dynamic admission controller paths and resources.
+                    type: string
+                  validatingWebhookConfigurationName:
+                    default: capsule-validating-webhook-configuration
+                    description: Name of the ValidatingWebhookConfiguration which
+                      contains the dynamic admission controller paths and resources.
+                    type: string
+                required:
+                - TLSSecretName
+                - mutatingWebhookConfigurationName
+                - validatingWebhookConfigurationName
+                type: object
+              protectedNamespaceRegex:
+                description: Disallow creation of namespaces, whose name matches this
+                  regexp
+                type: string
+              userGroups:
+                default:
+                - capsule.clastix.io
+                description: Names of the groups for Capsule users.
+                items:
+                  type: string
+                type: array
+            required:
+            - enableTLSReconciler
+            type: object
+        type: object
+    served: true
+    storage: true

charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml

@@ -0,0 +1,298 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: globaltenantresources.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: GlobalTenantResource
+    listKind: GlobalTenantResourceList
+    plural: globaltenantresources
+    singular: globaltenantresource
+  scope: Cluster
+  versions:
+  - name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: GlobalTenantResource allows to propagate resource replications
+          to a specific subset of Tenant resources.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
+            properties:
+              pruningOnDelete:
+                default: true
+                description: |-
+                  When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
+                  Disable this to keep replicated resources although the deletion of the replication manifest.
+                type: boolean
+              resources:
+                description: Defines the rules to select targeting Namespace, along
+                  with the objects that must be replicated.
+                items:
+                  properties:
+                    additionalMetadata:
+                      description: |-
+                        Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
+                        added to the replicated resources.
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                      type: object
+                    namespaceSelector:
+                      description: |-
+                        Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
+                        In case of nil value, all the Tenant Namespaces are targeted.
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    namespacedItems:
+                      description: List of the resources already existing in other
+                        Namespaces that must be replicated.
+                      items:
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          kind:
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                            type: string
+                          selector:
+                            description: Label selector used to select the given resources
+                              in the given Namespace.
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: |-
+                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: |-
+                                        operator represents a key's relationship to a set of values.
+                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        values is an array of string values. If the operator is In or NotIn,
+                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                        the values array must be empty. This array is replaced during a strategic
+                                        merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: |-
+                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
+                        required:
+                        - kind
+                        - namespace
+                        - selector
+                        type: object
+                      type: array
+                    rawItems:
+                      description: List of raw resources that must be replicated.
+                      items:
+                        type: object
+                        x-kubernetes-embedded-resource: true
+                        x-kubernetes-preserve-unknown-fields: true
+                      type: array
+                  type: object
+                type: array
+              resyncPeriod:
+                default: 60s
+                description: |-
+                  Define the period of time upon a second reconciliation must be invoked.
+                  Keep in mind that any change to the manifests will trigger a new reconciliation.
+                type: string
+              tenantSelector:
+                description: Defines the Tenant selector used target the tenants on
+                  which resources must be propagated.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+            required:
+            - resources
+            - resyncPeriod
+            type: object
+          status:
+            description: GlobalTenantResourceStatus defines the observed state of
+              GlobalTenantResource.
+            properties:
+              processedItems:
+                description: List of the replicated resources for the given TenantResource.
+                items:
+                  properties:
+                    apiVersion:
+                      description: API version of the referent.
+                      type: string
+                    kind:
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                      type: string
+                    name:
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  - namespace
+                  type: object
+                type: array
+              selectedTenants:
+                description: List of Tenants addressed by the GlobalTenantResource.
+                items:
+                  type: string
+                type: array
+            required:
+            - processedItems
+            - selectedTenants
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

charts/capsule/crds/capsule.clastix.io_tenantresources.yaml

@@ -0,0 +1,246 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: tenantresources.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: TenantResource
+    listKind: TenantResourceList
+    plural: tenantresources
+    singular: tenantresource
+  scope: Namespaced
+  versions:
+  - name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace.
+          The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
+          For such cases, the GlobalTenantResource must be used.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TenantResourceSpec defines the desired state of TenantResource.
+            properties:
+              pruningOnDelete:
+                default: true
+                description: |-
+                  When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
+                  Disable this to keep replicated resources although the deletion of the replication manifest.
+                type: boolean
+              resources:
+                description: Defines the rules to select targeting Namespace, along
+                  with the objects that must be replicated.
+                items:
+                  properties:
+                    additionalMetadata:
+                      description: |-
+                        Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
+                        added to the replicated resources.
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                      type: object
+                    namespaceSelector:
+                      description: |-
+                        Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
+                        In case of nil value, all the Tenant Namespaces are targeted.
+                      properties:
+                        matchExpressions:
+                          description: matchExpressions is a list of label selector
+                            requirements. The requirements are ANDed.
+                          items:
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
+                            properties:
+                              key:
+                                description: key is the label key that the selector
+                                  applies to.
+                                type: string
+                              operator:
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                type: string
+                              values:
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - key
+                            - operator
+                            type: object
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    namespacedItems:
+                      description: List of the resources already existing in other
+                        Namespaces that must be replicated.
+                      items:
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          kind:
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                            type: string
+                          selector:
+                            description: Label selector used to select the given resources
+                              in the given Namespace.
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: |-
+                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: |-
+                                        operator represents a key's relationship to a set of values.
+                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        values is an array of string values. If the operator is In or NotIn,
+                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                        the values array must be empty. This array is replaced during a strategic
+                                        merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: |-
+                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
+                        required:
+                        - kind
+                        - namespace
+                        - selector
+                        type: object
+                      type: array
+                    rawItems:
+                      description: List of raw resources that must be replicated.
+                      items:
+                        type: object
+                        x-kubernetes-embedded-resource: true
+                        x-kubernetes-preserve-unknown-fields: true
+                      type: array
+                  type: object
+                type: array
+              resyncPeriod:
+                default: 60s
+                description: |-
+                  Define the period of time upon a second reconciliation must be invoked.
+                  Keep in mind that any change to the manifests will trigger a new reconciliation.
+                type: string
+            required:
+            - resources
+            - resyncPeriod
+            type: object
+          status:
+            description: TenantResourceStatus defines the observed state of TenantResource.
+            properties:
+              processedItems:
+                description: List of the replicated resources for the given TenantResource.
+                items:
+                  properties:
+                    apiVersion:
+                      description: API version of the referent.
+                      type: string
+                    kind:
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                      type: string
+                    name:
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  - namespace
+                  type: object
+                type: array
+            required:
+            - processedItems
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

charts/capsule/crds/capsule.clastix.io_tenants.patch

@@ -0,0 +1,14 @@
+metadata:
+  annotations:
+  {{- if $.Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
+  {{-  end }}
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        {{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
+      conversionReviewVersions:
+        - v1beta1
+        - v1beta2

charts/capsule/crds/capsuleconfiguration-crd.yaml

@@ -1,154 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  name: capsuleconfigurations.capsule.clastix.io
-spec:
-  conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          name: capsule-webhook-service
-          namespace: capsule-system
-          path: /convert
-      conversionReviewVersions:
-        - v1alpha1
-        - v1beta1
-        - v1beta2
-  group: capsule.clastix.io
-  names:
-    kind: CapsuleConfiguration
-    listKind: CapsuleConfigurationList
-    plural: capsuleconfigurations
-    singular: capsuleconfiguration
-  scope: Cluster
-  versions:
-    - name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: CapsuleConfiguration is the Schema for the Capsule configuration API.
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: CapsuleConfigurationSpec defines the Capsule configuration.
-              properties:
-                forceTenantPrefix:
-                  default: false
-                  description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
-                  type: boolean
-                protectedNamespaceRegex:
-                  description: Disallow creation of namespaces, whose name matches this regexp
-                  type: string
-                userGroups:
-                  default:
-                    - capsule.clastix.io
-                  description: Names of the groups for Capsule users.
-                  items:
-                    type: string
-                  type: array
-              type: object
-          type: object
-      served: true
-      storage: false
-    - name: v1beta2
-      schema:
-        openAPIV3Schema:
-          description: CapsuleConfiguration is the Schema for the Capsule configuration API.
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: CapsuleConfigurationSpec defines the Capsule configuration.
-              properties:
-                enableTLSReconciler:
-                  default: true
-                  description: Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
-                  type: boolean
-                forceTenantPrefix:
-                  default: false
-                  description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
-                  type: boolean
-                nodeMetadata:
-                  description: Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant. This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
-                  properties:
-                    forbiddenAnnotations:
-                      description: Define the annotations that a Tenant Owner cannot set for their nodes.
-                      properties:
-                        denied:
-                          items:
-                            type: string
-                          type: array
-                        deniedRegex:
-                          type: string
-                      type: object
-                    forbiddenLabels:
-                      description: Define the labels that a Tenant Owner cannot set for their nodes.
-                      properties:
-                        denied:
-                          items:
-                            type: string
-                          type: array
-                        deniedRegex:
-                          type: string
-                      type: object
-                  required:
-                    - forbiddenAnnotations
-                    - forbiddenLabels
-                  type: object
-                overrides:
-                  default:
-                    TLSSecretName: capsule-tls
-                    mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
-                    validatingWebhookConfigurationName: capsule-validating-webhook-configuration
-                  description: Allows to set different name rather than the canonical one for the Capsule configuration objects, such as webhook secret or configurations.
-                  properties:
-                    TLSSecretName:
-                      default: capsule-tls
-                      description: Defines the Secret name used for the webhook server. Must be in the same Namespace where the Capsule Deployment is deployed.
-                      type: string
-                    mutatingWebhookConfigurationName:
-                      default: capsule-mutating-webhook-configuration
-                      description: Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
-                      type: string
-                    validatingWebhookConfigurationName:
-                      default: capsule-validating-webhook-configuration
-                      description: Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
-                      type: string
-                  required:
-                    - TLSSecretName
-                    - mutatingWebhookConfigurationName
-                    - validatingWebhookConfigurationName
-                  type: object
-                protectedNamespaceRegex:
-                  description: Disallow creation of namespaces, whose name matches this regexp
-                  type: string
-                userGroups:
-                  default:
-                    - capsule.clastix.io
-                  description: Names of the groups for Capsule users.
-                  items:
-                    type: string
-                  type: array
-              required:
-                - enableTLSReconciler
-              type: object
-          type: object
-      served: true
-      storage: true

charts/capsule/crds/globaltenantresources-crd.yaml

@@ -1,222 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
-  name: globaltenantresources.capsule.clastix.io
-spec:
-  group: capsule.clastix.io
-  names:
-    kind: GlobalTenantResource
-    listKind: GlobalTenantResourceList
-    plural: globaltenantresources
-    singular: globaltenantresource
-  scope: Cluster
-  versions:
-    - name: v1beta2
-      schema:
-        openAPIV3Schema:
-          description: GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
-              properties:
-                pruningOnDelete:
-                  default: true
-                  description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
-                  type: boolean
-                resources:
-                  description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
-                  items:
-                    properties:
-                      additionalMetadata:
-                        description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
-                        properties:
-                          annotations:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                        type: object
-                      namespaceSelector:
-                        description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespacedItems:
-                        description: List of the resources already existing in other Namespaces that must be replicated.
-                        items:
-                          properties:
-                            apiVersion:
-                              description: API version of the referent.
-                              type: string
-                            kind:
-                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                              type: string
-                            namespace:
-                              description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                              type: string
-                            selector:
-                              description: Label selector used to select the given resources in the given Namespace.
-                              properties:
-                                matchExpressions:
-                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                  items:
-                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                    properties:
-                                      key:
-                                        description: key is the label key that the selector applies to.
-                                        type: string
-                                      operator:
-                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                        type: string
-                                      values:
-                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                        items:
-                                          type: string
-                                        type: array
-                                    required:
-                                      - key
-                                      - operator
-                                    type: object
-                                  type: array
-                                matchLabels:
-                                  additionalProperties:
-                                    type: string
-                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                  type: object
-                              type: object
-                              x-kubernetes-map-type: atomic
-                          required:
-                            - kind
-                            - namespace
-                            - selector
-                          type: object
-                        type: array
-                      rawItems:
-                        description: List of raw resources that must be replicated.
-                        items:
-                          type: object
-                          x-kubernetes-embedded-resource: true
-                          x-kubernetes-preserve-unknown-fields: true
-                        type: array
-                    type: object
-                  type: array
-                resyncPeriod:
-                  default: 60s
-                  description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
-                  type: string
-                tenantSelector:
-                  description: Defines the Tenant selector used target the tenants on which resources must be propagated.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                      items:
-                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies to.
-                            type: string
-                          operator:
-                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                          - key
-                          - operator
-                        type: object
-                      type: array
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-              required:
-                - resources
-                - resyncPeriod
-              type: object
-            status:
-              description: GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
-              properties:
-                processedItems:
-                  description: List of the replicated resources for the given TenantResource.
-                  items:
-                    properties:
-                      apiVersion:
-                        description: API version of the referent.
-                        type: string
-                      kind:
-                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                        type: string
-                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                        type: string
-                      namespace:
-                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                        type: string
-                    required:
-                      - kind
-                      - name
-                      - namespace
-                    type: object
-                  type: array
-                selectedTenants:
-                  description: List of Tenants addressed by the GlobalTenantResource.
-                  items:
-                    type: string
-                  type: array
-              required:
-                - processedItems
-                - selectedTenants
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}

charts/capsule/crds/tenantresources-crd.yaml

@@ -1,185 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
-  name: tenantresources.capsule.clastix.io
-spec:
-  group: capsule.clastix.io
-  names:
-    kind: TenantResource
-    listKind: TenantResourceList
-    plural: tenantresources
-    singular: tenantresource
-  scope: Namespaced
-  versions:
-    - name: v1beta2
-      schema:
-        openAPIV3Schema:
-          description: TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace. The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces. For such cases, the GlobalTenantResource must be used.
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: TenantResourceSpec defines the desired state of TenantResource.
-              properties:
-                pruningOnDelete:
-                  default: true
-                  description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
-                  type: boolean
-                resources:
-                  description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
-                  items:
-                    properties:
-                      additionalMetadata:
-                        description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
-                        properties:
-                          annotations:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                        type: object
-                      namespaceSelector:
-                        description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespacedItems:
-                        description: List of the resources already existing in other Namespaces that must be replicated.
-                        items:
-                          properties:
-                            apiVersion:
-                              description: API version of the referent.
-                              type: string
-                            kind:
-                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                              type: string
-                            namespace:
-                              description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                              type: string
-                            selector:
-                              description: Label selector used to select the given resources in the given Namespace.
-                              properties:
-                                matchExpressions:
-                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                  items:
-                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                    properties:
-                                      key:
-                                        description: key is the label key that the selector applies to.
-                                        type: string
-                                      operator:
-                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                        type: string
-                                      values:
-                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                        items:
-                                          type: string
-                                        type: array
-                                    required:
-                                      - key
-                                      - operator
-                                    type: object
-                                  type: array
-                                matchLabels:
-                                  additionalProperties:
-                                    type: string
-                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                  type: object
-                              type: object
-                              x-kubernetes-map-type: atomic
-                          required:
-                            - kind
-                            - namespace
-                            - selector
-                          type: object
-                        type: array
-                      rawItems:
-                        description: List of raw resources that must be replicated.
-                        items:
-                          type: object
-                          x-kubernetes-embedded-resource: true
-                          x-kubernetes-preserve-unknown-fields: true
-                        type: array
-                    type: object
-                  type: array
-                resyncPeriod:
-                  default: 60s
-                  description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
-                  type: string
-              required:
-                - resources
-                - resyncPeriod
-              type: object
-            status:
-              description: TenantResourceStatus defines the observed state of TenantResource.
-              properties:
-                processedItems:
-                  description: List of the replicated resources for the given TenantResource.
-                  items:
-                    properties:
-                      apiVersion:
-                        description: API version of the referent.
-                        type: string
-                      kind:
-                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                        type: string
-                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                        type: string
-                      namespace:
-                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                        type: string
-                    required:
-                      - kind
-                      - name
-                      - namespace
-                    type: object
-                  type: array
-              required:
-                - processedItems
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}

charts/capsule/templates/_helpers.tpl

@@ -125,3 +125,32 @@ Create the Capsule TLS Secret name to use
 {{- define "capsule.secretTlsName" -}}
 {{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }}
 {{- end }}
+
+
+{{/*
+Capsule Webhook service (Called with $.Path)
+
+*/}}
+{{- define "capsule.webhooks.service" -}}
+  {{- include "capsule.webhooks.cabundle" $.ctx | nindent 0 }}
+  {{- if $.ctx.Values.webhooks.service.url }}
+url: {{ printf "%s/%s" (trimSuffix "/" $.ctx.Values.webhooks.service.url ) (trimPrefix "/" (required "Path is required for the function" $.path)) }}
+  {{- else }}
+service:
+  name: {{ default (printf "%s-webhook-service" (include "capsule.fullname" $.ctx)) $.ctx.Values.webhooks.service.name }}
+  namespace: {{ default $.ctx.Release.Namespace $.ctx.Values.webhooks.service.namespace }}
+  port: {{ default 443 $.ctx.Values.webhooks.service.port }}
+  path: {{ required "Path is required for the function" $.path }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Capsule Webhook endpoint CA Bundle
+*/}}
+{{- define "capsule.webhooks.cabundle" -}}
+  {{- if $.Values.webhooks.service.caBundle -}}
+caBundle: {{ $.Values.webhooks.service.caBundle -}}
+  {{- end -}}
+{{- end -}}
+
+

charts/capsule/templates/certificate.yaml

@@ -1,4 +1,5 @@
-{{- if .Values.certManager.generateCertificates }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if .Values.certManager.generateCertificates }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -33,4 +34,5 @@ spec:
   subject:
     organizations:
       - clastix.io
+  {{- end }}
 {{- end }}

charts/capsule/templates/certs.yaml

@@ -1,12 +1,14 @@
-{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
+    {{- with .Values.customAnnotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "capsule.secretTlsName" . }}
+  {{- end }}
 {{- end }}

charts/capsule/templates/configuration-default.yaml

@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 apiVersion: capsule.clastix.io/v1beta2
 kind: CapsuleConfiguration
 metadata:
@@ -24,3 +25,5 @@ spec:
   nodeMetadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- end }}
+

charts/capsule/templates/crd-lifecycle/_helpers.tpl

@@ -0,0 +1,20 @@
+{{- define "capsule.crds.name" -}}
+{{- printf "%s-crds" (include "capsule.name" $) -}}
+{{- end }}
+
+{{- define "capsule.crds.annotations" -}}
+"helm.sh/hook": "pre-install,pre-upgrade"
+  {{- with $.Values.jobs.annotations }}
+    {{- . | toYaml | nindent 0 }}
+  {{- end }}
+{{- end }}
+
+{{- define "capsule.crds.component" -}}
+crd-install-hook
+{{- end }}
+
+{{- define "capsule.crds.regexReplace" -}}
+{{- printf "%s" ($ | base | trimSuffix ".yaml" | regexReplaceAll "[_.]" "-") -}}
+{{- end }}
+
+

charts/capsule/templates/crd-lifecycle/crds.tpl

@@ -0,0 +1,56 @@
+{{/* CustomResources Lifecycle */}}
+{{- if $.Values.crds.install }}
+  {{ range $path, $_ :=  .Files.Glob "crds/**.yaml" }}
+    {{- with $ }}
+      {{- $content := (tpl (.Files.Get $path) $) -}}
+      {{- $p := (fromYaml $content) -}}
+      {{- if $p.Error }}
+        {{- fail (printf "found YAML error in file %s - %s - raw:\n\n%s" $path $p.Error $content) -}}
+      {{- end -}}
+
+
+      {{/* Add Common Lables */}}
+      {{- $_ := set $p.metadata "labels" (mergeOverwrite (default dict (get $p.metadata "labels")) (default dict $.Values.crds.labels) (fromYaml (include "capsule.labels" $))) -}}
+
+
+      {{/* Add Common Lables */}}
+      {{- $_ := set $p.metadata "annotations" (mergeOverwrite (default dict (get $p.metadata "annotations")) (default dict $.Values.crds.annotations)) -}}
+
+      {{/* Add Keep annotation to CRDs */}}
+      {{- if $.Values.crds.keep }}
+        {{- $_ := set $p.metadata.annotations "helm.sh/resource-policy" "keep" -}}
+      {{- end }}
+
+      {{/* Add Spec Patches for the CRD */}}
+      {{- $patchFile := $path | replace ".yaml" ".patch" }}
+      {{- $patchRawContent := (tpl (.Files.Get $patchFile) $) -}}
+      {{- if $patchRawContent -}}
+        {{- $patchContent := (fromYaml $patchRawContent) -}}
+        {{- if $patchContent.Error }}
+          {{- fail (printf "found YAML error in patch file %s - %s - raw:\n\n%s" $patchFile $patchContent.Error $patchRawContent) -}}
+        {{- end -}}
+        {{- $tmp := deepCopy $p | mergeOverwrite $patchContent -}}
+        {{- $p = $tmp -}}
+      {{- end -}}
+      {{- if $p }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "capsule.crds.name" . }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-5"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+data:
+  content: |
+    {{- printf "---\n%s" (toYaml $p) | nindent 4 }}
+
+      {{- end }}
+    {{ end }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/crd-lifecycle/job.yaml

@@ -0,0 +1,95 @@
+{{- if .Values.crds.install }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-1"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+spec:
+  {{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
+  ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
+  {{- end }}
+  template:
+    metadata:
+      name: "{{ include "capsule.crds.name" . }}"
+      labels:
+        app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+        {{- include "capsule.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: {{ $.Values.jobs.restartPolicy }}
+      {{- with $.Values.jobs.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.topologySpreadConstraints }}
+      topologySpreadConstraints: 
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}  
+      serviceAccountName: {{ include "capsule.crds.name" . }}
+      containers:
+      - name: crds-hook
+        image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+        imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
+        {{- with $.Values.jobs.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        command:
+        - sh
+        - -c
+        - |
+          set -o errexit ; set -o xtrace ; set -o nounset
+
+          # piping stderr to stdout means kubectl's errors are surfaced
+          # in the pod's logs.
+
+          kubectl apply --server-side=true --overwrite=true --force-conflicts=true -f /data/ 2>&1
+        volumeMounts:
+{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
+        - name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
+          mountPath: /data/{{ $path | base }}
+          subPath: {{ $path | base }}
+{{- end }}
+        {{- with .Values.jobs.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      volumes:
+{{ $currentScope := . }}
+{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
+    {{- with $currentScope }}
+      - name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
+        configMap:
+          name: {{ include "capsule.crds.name" $ }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
+          items:
+          - key: content
+            path: {{ $path | base }}
+{{- end }}
+{{- end }}
+  backoffLimit: 4
+{{- end }}

charts/capsule/templates/crd-lifecycle/rbac.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.crds.install }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "capsule.crds.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.crds.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}

charts/capsule/templates/crd-lifecycle/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.crds.install }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-4"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+{{- end }}

charts/capsule/templates/daemonset.yaml

@@ -1,4 +1,5 @@
-{{- if eq .Values.manager.kind "DaemonSet" }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if eq .Values.manager.kind "DaemonSet" }}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -63,7 +64,7 @@ spec:
           - --webhook-port={{ .Values.manager.webhookPort }}
           - --enable-leader-election
           - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
-          - --configuration-name=default
+          - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
           image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
           env:
@@ -90,4 +91,5 @@ spec:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+  {{- end }}
 {{- end }}

charts/capsule/templates/deployment.yaml

@@ -1,4 +1,5 @@
-{{- if eq .Values.manager.kind "Deployment" }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if eq .Values.manager.kind "Deployment" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -64,7 +65,7 @@ spec:
           - --webhook-port={{ .Values.manager.webhookPort }}
           - --enable-leader-election
           - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
-          - --configuration-name=default
+          - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
           image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
           env:
@@ -91,4 +92,5 @@ spec:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+  {{- end }}
 {{- end }}

charts/capsule/templates/metrics-service.yaml

@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -18,3 +19,4 @@ spec:
     {{- include "capsule.selectorLabels" . | nindent 4 }}
   sessionAffinity: None
   type: ClusterIP
+{{- end }}

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -1,3 +1,4 @@
+{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -12,19 +13,13 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 webhooks:
-{{- with .Values.webhooks.defaults.pods }}
+{{- with .Values.webhooks.hooks.defaults.pods }}
 - admissionReviewVersions:
   - v1
   clientConfig:
-  {{- if not $.Values.certManager.generateCertificates }}
-    caBundle: Cg==
-  {{- end }}
-    service:
-      name: {{ include "capsule.fullname" $ }}-webhook-service
-      namespace: {{ $.Release.Namespace }}
-      path: /defaults
+    {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: pod.defaults.capsule.clastix.io
+  name: pod.defaults.projectcapsule.dev
   rules:
   - apiGroups:
     - ""
@@ -37,20 +32,15 @@ webhooks:
   namespaceSelector:
   {{- toYaml .namespaceSelector | nindent 4}} 
   sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{- with .Values.webhooks.defaults.pvc }}
+{{- with .Values.webhooks.hooks.defaults.pvc }}
 - admissionReviewVersions:
   - v1
   clientConfig:
-  {{- if not $.Values.certManager.generateCertificates }}
-    caBundle: Cg==
-  {{- end }}
-    service:
-      name: {{ include "capsule.fullname" $ }}-webhook-service
-      namespace: {{ $.Release.Namespace }}
-      path: /defaults
+    {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: storage.defaults.capsule.clastix.io
+  name: storage.defaults.projectcapsule.dev
   rules:
   - apiGroups:
     - ""
@@ -63,20 +53,15 @@ webhooks:
   namespaceSelector:
   {{- toYaml .namespaceSelector | nindent 4}}  
   sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{- with .Values.webhooks.defaults.ingress }}  
+{{- with .Values.webhooks.hooks.defaults.ingress }}  
 - admissionReviewVersions:
   - v1
   clientConfig:
-  {{- if not $.Values.certManager.generateCertificates }}
-    caBundle: Cg==
-  {{- end }}
-    service:
-      name: {{ include "capsule.fullname" $ }}-webhook-service
-      namespace: {{ $.Release.Namespace }}
-      path: /defaults
+    {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: ingress.defaults.capsule.clastix.io
+  name: ingress.defaults.projectcapsule.dev
   rules:
   - apiGroups:
     - networking.k8s.io
@@ -91,22 +76,17 @@ webhooks:
   namespaceSelector:
   {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
-{{- end }}  
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.namespaceOwnerReference }} 
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /namespace-owner-reference
-      port: 443
-  failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
-  name: owner.namespace.capsule.clastix.io
+  name: owner.namespace.projectcapsule.dev
   namespaceSelector: {}
   objectSelector: {}
   reinvocationPolicy: Never
@@ -122,4 +102,6 @@ webhooks:
       - namespaces
       scope: '*'
   sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.mutatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- end }}

charts/capsule/templates/podsecuritypolicy.yaml

@@ -1,58 +0,0 @@
-{{- if .Values.podSecurityPolicy.enabled }}
-kind: PodSecurityPolicy
-apiVersion: policy/v1beta1
-metadata:
-  name: {{ include "capsule.fullname" . }}
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  fsGroup:
-    rule: RunAsAny
-  hostPorts:
-  - max: 0
-    min: 0
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - secret
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "capsule.fullname" . }}-use-psp
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - {{ include "capsule.fullname" . }}
-  verbs:
-  - use
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "capsule.fullname" . }}-use-psp
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "capsule.fullname" . }}-use-psp
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: {{ include "capsule.serviceAccountName" . }}
-{{- end }}

charts/capsule/templates/post-install-job.yaml

@@ -1,55 +0,0 @@
-{{- if .Values.tls.create }}
-{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretTlsName" .) -}}
-{{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
-{{- $cmd = printf "%s done" $cmd -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "{{ .Release.Name }}-waiting-certs"
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  annotations:
-    # This is what defines this resource as a hook. Without this line, the
-    # job is considered part of the release.
-    "helm.sh/hook": post-install
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": hook-succeeded
-  {{- with .Values.customAnnotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-      labels:
-        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-        app.kubernetes.io/instance: {{ .Release.Name | quote }}
-        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      restartPolicy: Never
-      containers:
-      - name: post-install-job
-        image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
-        imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
-        command: ["sh", "-c", "{{ $cmd }}"]
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

charts/capsule/templates/post-install/_helpers.tpl

@@ -0,0 +1,15 @@
+{{- define "capsule.post-install.name" -}}
+{{- printf "%s-post-install" (include "capsule.name" $) -}}
+{{- end }}
+
+{{- define "capsule.post-install.annotations" -}}
+"helm.sh/hook": post-install
+  {{- with $.Values.jobs.annotations }}
+    {{- . | toYaml | nindent 0 }}
+  {{- end }}
+{{- end }}
+
+{{- define "capsule.post-install.component" -}}
+post-install-hook
+{{- end }}
+

charts/capsule/templates/post-install/job.yaml

@@ -0,0 +1,78 @@
+{{- if .Values.tls.create }}
+  {{- if not $.Values.crds.exclusive }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ include "capsule.post-install.name" . }}"
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-weight": "-1"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+    {{- with .Values.customAnnotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+        {{- include "capsule.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: {{ $.Values.jobs.restartPolicy }}
+      {{- with $.Values.jobs.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.topologySpreadConstraints }}
+      topologySpreadConstraints: 
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "capsule.post-install.name" . }}
+      containers:
+      - name: post-install
+        image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+        imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
+        command: 
+        - "sh"
+        - "-c"
+        - |
+          set -o errexit ; set -o nounset
+          while [ -z $(kubectl -n $NAMESPACE get secret {{ include "capsule.secretTlsName" $ }} -o jsonpath='{.data.tls\.crt}') ]; do
+            echo 'waiting Capsule to be up and running...' && sleep 5;
+          done
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with $.Values.jobs.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.jobs.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/post-install/rbac.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.tls.create }}
+  {{- if not $.Values.crds.exclusive }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "capsule.post-install.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "capsule.post-install.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "capsule.post-install.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.post-install.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/post-install/serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.tls.create }}
+  {{- if not $.Values.crds.exclusive }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "capsule.post-install.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook-weight": "-4"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/pre-delete-job.yaml

@@ -1,56 +0,0 @@
-{{- $cmd := ""}}
-{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
-{{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) -}}
-{{- end }}
-{{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}
-{{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "{{ .Release.Name }}-rbac-cleaner"
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  annotations:
-    # This is what defines this resource as a hook. Without this line, the
-    # job is considered part of the release.
-    "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": hook-succeeded
-  {{- with .Values.customAnnotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-      labels:
-        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-        app.kubernetes.io/instance: {{ .Release.Name | quote }}
-        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      restartPolicy: Never
-      containers:
-        - name: pre-delete-job
-          image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
-          imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
-          command: [ "sh", "-c",  "{{ $cmd }}"]
-          env:
-            - name: NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

charts/capsule/templates/pre-delete/_helpers.tpl

@@ -0,0 +1,15 @@
+{{- define "capsule.pre-delete.name" -}}
+{{- printf "%s-pre-delete" (include "capsule.name" $) -}}
+{{- end }}
+
+{{- define "capsule.pre-delete.annotations" -}}
+"helm.sh/hook": pre-delete
+  {{- with $.Values.jobs.annotations }}
+    {{- . | toYaml | nindent 0 }}
+  {{- end }}
+{{- end }}
+
+{{- define "capsule.pre-delete.component" -}}
+pre-delete-hook
+{{- end }}
+

charts/capsule/templates/pre-delete/job.yaml

@@ -0,0 +1,82 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ include "capsule.pre-delete.name" $ }}"
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-weight": "-1"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+    {{- with .Values.customAnnotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
+  ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+        {{- include "capsule.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: {{ $.Values.jobs.restartPolicy }}
+      {{- with $.Values.jobs.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.topologySpreadConstraints }}
+      topologySpreadConstraints: 
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "capsule.pre-delete.name" . }}
+      containers:
+        - name: pre-delete-job
+          image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+          imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
+          command:
+          - "/bin/sh"
+          - "-c"
+          - |
+              set -o errexit ; set -o xtrace ; set -o nounset
+          {{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
+              kubectl delete secret -n $NAMESPACE {{ include "capsule.secretTlsName" $ }} --ignore-not-found
+          {{- end }}
+              kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
+              kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          {{- with $.Values.jobs.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.jobs.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+{{- end }}

charts/capsule/templates/pre-delete/rbac.yaml

@@ -0,0 +1,90 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resourceNames:
+  - capsule-namespace-deleter
+  - capsule-namespace-provisioner
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - delete
+  resourceNames:
+  - {{ include "capsule.secretTlsName" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "capsule.pre-delete.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.pre-delete.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "capsule.pre-delete.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.pre-delete.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}

charts/capsule/templates/pre-delete/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    "helm.sh/hook-weight": "-4"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+{{- end }}

charts/capsule/templates/rbac.yaml

@@ -1,61 +1,5 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "capsule.fullname" . }}-proxy-role
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "capsule.fullname" . }}-metrics-reader
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-rules:
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "capsule.fullname" . }}-proxy-rolebinding
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "capsule.fullname" . }}-proxy-role
-subjects:
-- kind: ServiceAccount
-  name: {{ include "capsule.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if $.Values.manager.rbac.create }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -74,4 +18,48 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "capsule.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- range $_, $cr := $.Values.manager.rbac.existingClusterRoles }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "capsule.fullname" $ }}-{{ $cr }}
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+  {{- with $.Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $cr }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "capsule.serviceAccountName" $ }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- range $_, $nr := $.Values.manager.rbac.existingRoles }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "capsule.fullname" $ }}-{{ $nr }}
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+  {{- with $.Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $nr }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "capsule.serviceAccountName" $ }}
+  namespace: {{ $.Release.Namespace }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/serviceaccount.yaml

@@ -1,12 +1,14 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if not $.Values.crds.exclusive }}
+  {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "capsule.serviceAccountName" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations)  }}
+    {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations)  }}
   annotations:
-    {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
+      {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end }}