github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-03-01 09:10:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:helm-v0.5.0
Branches Tags
github:main github:renovate/major-all-ci-updates github:renovate/sigs.k8s.io-gateway-api-1.x github:renovate/github.com-onsi-ginkgo-v2-2.x github:renovate/all-ci-updates github:renovate/kubernetes-go github:renovate/github-codeql-action-digest github:renovate/sigs.k8s.io-controller-runtime-0.x github:renovate/sigs.k8s.io-cluster-api-1.x github:renovate/github.com-onsi-gomega-1.x github:renovate/k8s.io-utils-digest github:renovate/grafana-grafana-operator-5.x github:renovate/capsule-proxy-0.x github:renovate/anchore-sbom-action-digest github:renovate/golangci-golangci-lint-2.x github:renovate/kubernetes-sigs-controller-tools-0.x github:renovate/norwoodj-helm-docs-1.x github:renovate/prometheus-operator-prometheus-operator-0.x github:renovate/norwoodj-helm-docs-0.x github:fix/remove-harpoon github:backports/v0.2.2 github:maxgio92/feat/gitops-ready-rbac github:issues/451
github:v0.12.4 github:v0.12.3 github:v0.12.2 github:v0.12.1 github:v0.12.0 github:v0.11.1 github:v0.11.2 github:v0.11.0 github:v0.10.9 github:v0.10.8 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.0 github:v0.8.1 github:v0.8.0 github:v0.7.4 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.7.0-rc.1 github:v0.6.2 github:v0.6.1 github:v0.6.0 github:v0.6.0-rc0 github:helm-v0.6.0 github:v0.5.0 github:v0.4.2 github:helm-v0.5.3 github:helm-v0.5.2 github:v0.4.1 github:helm-v0.5.1 github:helm-v0.4.7 github:v0.4.0 github:v0.4.0-rc.3 github:helm-v0.5.0 github:v0.4.0-rc.2 github:v0.4.0-rc.1 github:helm-v0.4.8 github:helm-v0.4.6 github:v0.3.3 github:helm-v0.4.5 github:helm-v0.4.4 github:helm-v0.4.3 github:v0.3.2 github:helm-v0.4.2 github:helm-v0.4.1 github:v0.3.1 github:helm-v0.4.0 github:v0.3.0 github:helm-v0.3.6 github:v0.2.2 github:helm-v0.3.5 github:helm-v0.3.4 github:helm-v0.3.3 github:helm-v0.3.2 github:v0.2.1 github:helm-v0.3.1 github:v0.2.0 github:helm-v0.3.0 github:helm-v0.2.0 github:v0.1.3 github:helm-v0.1.12 github:helm-v0.1.11 github:v0.1.2 github:helm-v0.1.10 github:v0.1.2-rc1 github:v0.1.2-rc0 github:helm-v0.1.8 github:helm-v0.1.7 github:helm-v0.1.6 github:v0.1.1 github:helm-v0.1.5 github:helm-v0.1.4 github:v0.1.1-rc1 github:helm-v0.1.3 github:helm-v0.1.2 github:helm-v0.1.1 github:helm-v0.1.1-rc0 github:v0.1.1-rc0 github:v0.1.0 github:helm-v0.1.0 github:v0.1.0-rc6 github:v0.1.0-rc5 github:v0.1.0-rc4 github:v0.1.0-rc3 github:v0.1.0-rc2 github:v0.1.0-rc1 github:v0.0.5 github:v0.0.5-rc2 github:v0.0.5-rc1 github:v0.0.4 github:v0.0.3 github:0.2.0-rc1 github:v0.0.2 github:0.0.1 github:v0.0.1
..
compare: github:helm-v0.4.5
Branches Tags
github:renovate/major-all-ci-updates github:renovate/sigs.k8s.io-gateway-api-1.x github:renovate/github.com-onsi-ginkgo-v2-2.x github:renovate/all-ci-updates github:renovate/kubernetes-go github:renovate/github-codeql-action-digest github:renovate/sigs.k8s.io-controller-runtime-0.x github:renovate/sigs.k8s.io-cluster-api-1.x github:renovate/github.com-onsi-gomega-1.x github:renovate/k8s.io-utils-digest github:renovate/grafana-grafana-operator-5.x github:renovate/capsule-proxy-0.x github:renovate/anchore-sbom-action-digest github:main github:renovate/golangci-golangci-lint-2.x github:renovate/kubernetes-sigs-controller-tools-0.x github:renovate/norwoodj-helm-docs-1.x github:renovate/prometheus-operator-prometheus-operator-0.x github:renovate/norwoodj-helm-docs-0.x github:fix/remove-harpoon github:backports/v0.2.2 github:maxgio92/feat/gitops-ready-rbac github:issues/451
github:v0.12.4 github:v0.12.3 github:v0.12.2 github:v0.12.1 github:v0.12.0 github:v0.11.1 github:v0.11.2 github:v0.11.0 github:v0.10.9 github:v0.10.8 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.0 github:v0.8.1 github:v0.8.0 github:v0.7.4 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.7.0-rc.1 github:v0.6.2 github:v0.6.1 github:v0.6.0 github:v0.6.0-rc0 github:helm-v0.6.0 github:v0.5.0 github:v0.4.2 github:helm-v0.5.3 github:helm-v0.5.2 github:v0.4.1 github:helm-v0.5.1 github:helm-v0.4.7 github:v0.4.0 github:v0.4.0-rc.3 github:helm-v0.5.0 github:v0.4.0-rc.2 github:v0.4.0-rc.1 github:helm-v0.4.8 github:helm-v0.4.6 github:v0.3.3 github:helm-v0.4.5 github:helm-v0.4.4 github:helm-v0.4.3 github:v0.3.2 github:helm-v0.4.2 github:helm-v0.4.1 github:v0.3.1 github:helm-v0.4.0 github:v0.3.0 github:helm-v0.3.6 github:v0.2.2 github:helm-v0.3.5 github:helm-v0.3.4 github:helm-v0.3.3 github:helm-v0.3.2 github:v0.2.1 github:helm-v0.3.1 github:v0.2.0 github:helm-v0.3.0 github:helm-v0.2.0 github:v0.1.3 github:helm-v0.1.12 github:helm-v0.1.11 github:v0.1.2 github:helm-v0.1.10 github:v0.1.2-rc1 github:v0.1.2-rc0 github:helm-v0.1.8 github:helm-v0.1.7 github:helm-v0.1.6 github:v0.1.1 github:helm-v0.1.5 github:helm-v0.1.4 github:v0.1.1-rc1 github:helm-v0.1.3 github:helm-v0.1.2 github:helm-v0.1.1 github:helm-v0.1.1-rc0 github:v0.1.1-rc0 github:v0.1.0 github:helm-v0.1.0 github:v0.1.0-rc6 github:v0.1.0-rc5 github:v0.1.0-rc4 github:v0.1.0-rc3 github:v0.1.0-rc2 github:v0.1.0-rc1 github:v0.0.5 github:v0.0.5-rc2 github:v0.0.5-rc1 github:v0.0.4 github:v0.0.3 github:0.2.0-rc1 github:v0.0.2 github:0.0.1 github:v0.0.1

2 Commits
helm-v0.5. ... helm-v0.4.

Author SHA1 Message Date
Dario Tranchitella
87e5d9b9c7 chore(helm): releasing v0.3.3 2023-06-27 19:12:50 +02:00
Dario Tranchitella
024a41dbf1 chore(kustomize): releasing v0.3.3 2023-06-27 19:12:15 +02:00
316 changed files with 1337 additions and 3260 deletions
Expand all files Collapse all files

19
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -1,7 +1,20 @@
<!--
Read the contribution guidelines before creating a pull request.
https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md
# General contribution criteria
Thanks for spending some time for improving and fixing Capsule!
We're still working on the outline of the contribution guidelines but we're
following ourselves these points:
- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests
- including a sentence or two in the commit description for the
changelog/release notes
- splitting changes into several and documented small commits
- limit the git subject to 50 characters and write as the continuation of the
sentence "If applied, this commit will ..."
- explain what and why in the body, if more than a trivial change, wrapping at
72 characters
If you have any issue or question, reach out us!
https://clastix.slack.com >>> #capsule channel
-->

21
.github/actions/exists/action.yaml vendored
View File

@@ -1,21 +0,0 @@
name: Checks if an input is defined
description: Checks if an input is defined and outputs 'true' or 'false'.
inputs:
value:
description: value to test
required: true
outputs:
result:
description: outputs 'true' or 'false' if input value is defined or not
value: ${{ steps.check.outputs.result }}
runs:
using: composite
steps:
- shell: bash
id: check
run: |
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT

20
.github/actions/setup-caches/action.yaml vendored
View File

@@ -1,20 +0,0 @@
name: Setup caches
description: Setup caches for go modules and build cache.
inputs:
build-cache-key:
description: build cache prefix
runs:
using: composite
steps:
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
if: ${{ inputs.build-cache-key }}
with:
path: ~/.cache/go-build
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}

2
.github/configs/ct.yaml vendored
View File

@@ -1,5 +1,5 @@
remote: origin
target-branch: main
target-branch: master
chart-dirs:
- charts
helm-extra-args: "--timeout 600s"

16
.github/dependabot.yml vendored
View File

@@ -1,16 +0,0 @@
version: 2
updates:
- package-ecosystem: gomod
directory: /
schedule:
interval: daily
rebase-strategy: disabled
commit-message:
prefix: "feat(deps)"
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
rebase-strategy: disabled
commit-message:
prefix: "ci(deps)"

8
.github/maintainers.yaml vendored
View File

@@ -2,22 +2,22 @@
github: https://github.com/bsctl
company: Clastix
projects:
- https://github.com/projectcapsule/capsule
- https://github.com/clastix/capsule
- https://github.com/clastix/capsule-proxy
- name: Dario Tranchitella
github: https://github.com/prometherion
company: Clastix
projects:
- https://github.com/projectcapsule/capsule
- https://github.com/clastix/capsule
- https://github.com/clastix/capsule-proxy
- name: Maksim Fedotov
github: https://github.com/MaxFedotov
company: wargaming.net
projects:
- https://github.com/projectcapsule/capsule
- https://github.com/clastix/capsule
- https://github.com/clastix/capsule-proxy
- name: Oliver Bähler
github: https://github.com/oliverbaehler
company: Bedag Informatik AG
projects:
- https://github.com/projectcapsule/capsule
- https://github.com/clastix/capsule

24
.github/workflows/check-actions.yml vendored
View File

@@ -1,24 +0,0 @@
name: Check actions
permissions: {}
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
with:
# slsa-github-generator requires using a semver tag for reusable workflows.
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
allowlist: |
slsa-framework/slsa-github-generator

23
.github/workflows/check-commit.yml vendored
View File

@@ -1,23 +0,0 @@
name: Check Commit
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
commit_lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3
with:
firstParent: true

37
.github/workflows/check-pr.yml vendored
View File

@@ -1,37 +0,0 @@
name: "Check Pull Request"
on:
pull_request_target:
types:
- opened
- edited
- synchronize
permissions:
pull-requests: write
jobs:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
types: |
chore
ci
docs
feat
fix
test
sec
requireScope: false
wip: false
# If the PR only contains a single commit, the action will validate that
# it matches the configured pattern.
validateSingleCommit: true
# Related to `validateSingleCommit` you can opt-in to validate that the PR
# title matches a single commit to avoid confusion.
validateSingleCommitMatchesPrTitle: true

33
.github/workflows/diff.yml → .github/workflows/ci.yml vendored
View File

@@ -1,5 +1,4 @@
name: Diff checks
permissions: {}
name: CI
on:
push:
@@ -7,21 +6,37 @@ on:
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
commit_lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@v2
with:
firstParent: true
golangci:
name: lint
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
- name: Run golangci-lint
uses: golangci/golangci-lint-action@v2.3.0
with:
version: v1.51.2
only-new-issues: false
args: --timeout 5m --config .golangci.yml
diff:
name: diff
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@v2
with:
fetch-depth: 0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
- uses: actions/setup-go@v2
with:
go-version: '1.20'
go-version: '1.19'
- run: make installer
- name: Checking if YAML installer file is not aligned
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi

38
.github/workflows/codecov.yml vendored
View File

@@ -1,38 +0,0 @@
name: Codecov
permissions: {}
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
codecov:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
with:
build-cache-key: codecov
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Generate Code Coverage Report
if: steps.checksecret.outputs.result == 'true'
run: make test
- name: Upload Report to Codecov
if: steps.checksecret.outputs.result == 'true'
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
file: ./coverage.out
fail_ci_if_error: true
verbose: true

97
.github/workflows/docker-ci.yml vendored Normal file
View File

@@ -0,0 +1,97 @@
name: docker-ci
on:
push:
tags:
- "v*"
jobs:
docker-ci:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Generate build-args
id: build-args
run: |
# Declare vars for internal use
VERSION=$(git describe --abbrev=0 --tags)
GIT_HEAD_COMMIT=$(git rev-parse --short HEAD)
GIT_TAG_COMMIT=$(git rev-parse --short $VERSION)
GIT_MODIFIED_1=$(git diff $GIT_HEAD_COMMIT $GIT_TAG_COMMIT --quiet && echo "" || echo ".dev")
GIT_MODIFIED_2=$(git diff --quiet && echo "" || echo ".dirty")
# Export to GH_ENV
echo "GIT_LAST_TAG=$VERSION" >> $GITHUB_ENV
echo "GIT_HEAD_COMMIT=$GIT_HEAD_COMMIT" >> $GITHUB_ENV
echo "GIT_TAG_COMMIT=$GIT_TAG_COMMIT" >> $GITHUB_ENV
echo "GIT_MODIFIED=$(echo "$GIT_MODIFIED_1""$GIT_MODIFIED_2")" >> $GITHUB_ENV
echo "GIT_REPO=$(git config --get remote.origin.url)" >> $GITHUB_ENV
echo "BUILD_DATE=$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v3
with:
images: |
quay.io/${{ github.repository }}
docker.io/${{ github.repository }}
tags: |
type=semver,pattern={{raw}}
flavor: |
latest=false
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v1
with:
platforms: arm64,arm
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
with:
install: true
- name: Inspect builder
run: |
echo "Name: ${{ steps.buildx.outputs.name }}"
echo "Endpoint: ${{ steps.buildx.outputs.endpoint }}"
echo "Status: ${{ steps.buildx.outputs.status }}"
echo "Flags: ${{ steps.buildx.outputs.flags }}"
echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
- name: Login to quay.io Container Registry
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ github.repository_owner }}+github
password: ${{ secrets.BOT_QUAY_IO }}
- name: Login to docker.io Container Registry
uses: docker/login-action@v1
with:
registry: docker.io
username: ${{ secrets.USER_DOCKER_IO }}
password: ${{ secrets.BOT_DOCKER_IO }}
- name: Build and push
id: build-release
uses: docker/build-push-action@v2
with:
file: Dockerfile
context: .
platforms: linux/amd64,linux/arm64,linux/arm
push: true
tags: ${{ steps.meta.outputs.tags }}
build-args: |
GIT_HEAD_COMMIT=${{ env.GIT_HEAD_COMMIT }}
GIT_TAG_COMMIT=${{ env.GIT_TAG_COMMIT }}
GIT_REPO=${{ env.GIT_REPO }}
GIT_LAST_TAG=${{ env.GIT_LAST_TAG }}
GIT_MODIFIED=${{ env.GIT_MODIFIED }}
BUILD_DATE=${{ env.BUILD_DATE }}
- name: Image digest
run: echo ${{ steps.build-release.outputs.digest }}

69
.github/workflows/docker-publish.yml vendored
View File

@@ -1,69 +0,0 @@
name: Publish images
permissions: {}
on:
push:
tags:
- "v*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
publish-images:
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write
outputs:
capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
with:
build-cache-key: publish-images
- name: Run Trivy vulnerability (Repo)
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Install Cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Publish Capsule
id: publish-capsule
uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
with:
makefile-target: ko-publish-capsule
registry: ghcr.io
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.repository_owner }}
version: ${{ github.ref_name }}
sign-image: true
sbom-name: capsule
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
main-path: ./
env:
REPOSITORY: ${{ github.repository }}
generate-capsule-provenance:
needs: publish-images
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read # To read the workflow path.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ghcr.io/${{ github.repository_owner }}/capsule
digest: "${{ needs.publish-images.outputs.capsule-digest }}"
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}

31
.github/workflows/docs-lint.yml vendored
View File

@@ -1,31 +0,0 @@
name: docs-lint
permissions: {}
on:
push:
branches: [ "*" ]
paths:
- '.github/workflows/docs-lint.yml'
- 'docs/content/**'
pull_request:
branches: [ "*" ]
paths:
- '.github/workflows/docs-lint.yml'
- 'docs/content/**'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
spelling:
name: Spell Check
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: 18
- run: make docs-lint

15
.github/workflows/e2e.yml vendored
View File

@@ -1,5 +1,4 @@
name: e2e
permissions: {}
on:
push:
@@ -27,10 +26,6 @@ on:
- 'main.go'
- 'Makefile'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
kind:
name: Kubernetes
@@ -40,22 +35,22 @@ jobs:
k8s-version: ['v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2']
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@v2
with:
fetch-depth: 0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
- uses: actions/setup-go@v2
with:
go-version: '1.20'
go-version: '1.19'
- run: make manifests
- name: Checking if manifests are disaligned
run: test -z "$(git diff 2> /dev/null)"
- name: Checking if manifests generated untracked files
run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
- uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
- uses: engineerd/setup-kind@v0.5.0
with:
skipClusterCreation: true
version: v0.14.0
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
- uses: azure/setup-helm@v1
with:
version: 3.3.4
- name: e2e testing

35
.github/workflows/fossa.yml vendored
View File

@@ -1,35 +0,0 @@
name: FOSSA
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
fossa-scan:
runs-on: ubuntu-20.04
steps:
- name: "Checkout Code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Scan"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Test"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
run-tests: true

10
.github/workflows/gosec.yml vendored
View File

@@ -1,15 +1,9 @@
name: CI gosec
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
tests:
runs-on: ubuntu-20.04
@@ -17,8 +11,8 @@ jobs:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@v2
- name: Run Gosec Security Scanner
uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2.18.2
uses: securego/gosec@master
with:
args: ./...

78
.github/workflows/helm-publish.yml vendored
View File

@@ -1,78 +0,0 @@
name: Publish charts
permissions: read-all
on:
push:
tags: [ "helm-v*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
publish-helm:
# Skip this Release on forks
if: github.repository_owner == 'projectcapsule'
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: "Extract Version"
id: extract_version
run: |
GIT_TAG=${GITHUB_REF##*/}
VERSION=${GIT_TAG##*v}
echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
- name: Publish Helm chart
uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
with:
token: "${{ secrets.HELM_CHARTS_PUSH_TOKEN }}"
linting: off
chart_version: ${{ steps.extract_version.outputs.version }}
charts_dir: charts
charts_url: https://${{ github.repository_owner }}.github.io/charts
owner: ${{ github.repository_owner }}
repository: charts
branch: gh-pages
commit_username: ${{ github.actor }}
publish-helm-oci:
runs-on: ubuntu-20.04
permissions:
contents: write
id-token: write
packages: write
outputs:
chart-digest: ${{ steps.helm_publish.outputs.digest }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: "Extract Version"
id: extract_version
run: |
GIT_TAG=${GITHUB_REF##*/}
VERSION=${GIT_TAG##*v}
echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
- name: Helm | Publish
id: helm_publish
uses: oliverbaehler/github-actions/helm-oci-chart@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
with:
registry: ghcr.io
repository: ${{ github.repository_owner }}/charts
name: "capsule"
version: ${{ steps.extract_version.outputs.version }}
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
update-dependencies: 'true' # Defaults to false
sign-image: 'true'
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
helm-provenance:
needs: publish-helm-oci
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read # To read the workflow path.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ghcr.io/${{ github.repository_owner }}/charts/capsule
digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}

48
.github/workflows/helm-test.yml vendored
View File

@@ -1,48 +0,0 @@
name: Test charts
permissions: {}
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
- name: Linting Chart
run: helm lint ./charts/capsule
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --config ./.github/configs/ct.yaml)
if [[ -n "$changed" ]]; then
echo "::set-output name=changed::true"
fi
- name: Run chart-testing (lint)
run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
- name: Run docs-testing (helm-docs)
id: helm-docs
run: |
make helm-docs
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
- name: Run chart-testing (install)
run: make helm-test
if: steps.list-changed.outputs.changed == 'true'

86
.github/workflows/helm.yml vendored Normal file
View File

@@ -0,0 +1,86 @@
name: Helm Chart
on:
push:
branches: [ "*" ]
tags: [ "helm-v*" ]
pull_request:
branches: [ "*" ]
jobs:
lint:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- uses: azure/setup-helm@v1
with:
version: 3.3.4
- name: Linting Chart
run: helm lint ./charts/capsule
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@v2.3.0
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --config ./.github/configs/ct.yaml)
if [[ -n "$changed" ]]; then
echo "::set-output name=changed::true"
fi
- name: Run chart-testing (lint)
run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
- name: Run docs-testing (helm-docs)
id: helm-docs
run: |
make helm-docs
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
# ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
# With this workflow the current docker image is build and loaded into kind, otherwise the install fails
# In the future this must be removed and the chart-testing-action must be used
- name: Run chart-testing (install)
run: make helm-test
if: steps.list-changed.outputs.changed == 'true'
## Create KIND Cluster
#- name: Create kind cluster
# uses: helm/kind-action@v1.2.0
# if: steps.list-changed.outputs.changed == 'true'
## Install Required Operators/CRDs
#- name: Prepare Cluster Operators/CRDs
# run: |
# # Cert-Manager CRDs
# kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
#
# # Prometheus CRDs
# kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
# if: steps.list-changed.outputs.changed == 'true'
## Install Charts
#- name: Run chart-testing (install)
# run: ct install --debug --config ./.github/configs/ct.yaml
# if: steps.list-changed.outputs.changed == 'true'
release:
if: startsWith(github.ref, 'refs/tags/helm-v')
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
- name: Publish Helm chart
uses: stefanprodan/helm-gh-pages@master
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
charts_dir: charts
charts_url: https://clastix.github.io/charts
owner: clastix
repository: charts
branch: gh-pages
target_dir: .
commit_username: prometherion
commit_email: dario@tranchitella.eu

25
.github/workflows/lint.yml vendored
View File

@@ -1,25 +0,0 @@
name: Linting
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
golangci:
name: lint
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run golangci-lint
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: v1.51.2
only-new-issues: false
args: --timeout 5m --config .golangci.yml

38
.github/workflows/releaser.yml vendored
View File

@@ -1,38 +0,0 @@
name: Go Release
permissions: {}
on:
push:
tags:
- 'v*'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
create-release:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1
- name: Install Cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with:
version: latest
args: release --clean --timeout 90m --debug
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

42
.github/workflows/scorecard.yml vendored
View File

@@ -1,42 +0,0 @@
name: Scorecards supply-chain security
permissions: {}
on:
schedule:
- cron: '0 0 * * 5'
push:
branches:
- main
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
analysis:
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
publish_results: true
- name: Upload artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
with:
sarif_file: results.sarif

1
.gitignore vendored
View File

@@ -6,7 +6,6 @@
*.so
*.dylib
bin
dist/
# Test binary, build with `go test -c`
*.test

4
.golangci.yml
View File

@@ -14,10 +14,10 @@ linters-settings:
sections:
- standard
- default
- prefix(github.com/projectcapsule/capsule)
- prefix(github.com/clastix/capsule)
goheader:
template: |-
Copyright 2020-2023 Project Capsule Authors.
Copyright 2020-2021 Clastix Labs
SPDX-License-Identifier: Apache-2.0
linters:

86
.goreleaser.yml
View File

@@ -1,86 +0,0 @@
project_name: capsule
env:
- COSIGN_EXPERIMENTAL=true
- GO111MODULE=on
before:
hooks:
- go mod download
gomod:
proxy: false
builds:
- main: .
binary: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
env:
- CGO_ENABLED=0
goarch:
- amd64
- arm64
goos:
- linux
flags:
- -trimpath
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags:
- >-
-X main.Version={{ .Tag }}
-X main.GitCommit={{ .Commit }}
-X main.GitTag={{ .Tag }}
-X main.GitTreeState={{ .Date }}
-X main.BuildDate={{ .Date }}
-X main.GitRepo={{ .ProjectName }}
release:
prerelease: auto
footer: |
Thanks to all the contributors!
**Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
**Docker Images**
- `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}`
- `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
checksum:
name_template: 'checksums.txt'
changelog:
sort: asc
use: github
filters:
exclude:
- '^test:'
- '^chore'
- '^rebase:'
- 'merge conflict'
- Merge pull request
- Merge remote-tracking branch
- Merge branch
groups:
# https://github.com/conventional-changelog/commitlint/tree/master/%40commitlint/config-conventional
- title: '🛠 Dependency updates'
regexp: '^.*?(feat|fix)\(deps\)!?:.+$'
order: 300
- title: '✨ New Features'
regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
order: 100
- title: '🐛 Bug fixes'
regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
order: 200
- title: '📖 Documentation updates'
regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$
order: 400
- title: '🛡️ Security updates'
regexp: ^.*?(sec)(\([[:word:]]+\))??!?:.+$
order: 500
- title: '🚀 Build process updates'
regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$
order: 600
- title: '📦 Other work'
order: 9999
sboms:
- artifacts: archive
signs:
- cmd: cosign
args:
- "sign-blob"
- "--output-signature=${signature}"
- "${artifact}"
- "--yes"
artifacts: all

9
.ko.yaml
View File

@@ -1,9 +0,0 @@
defaultPlatforms:
- linux/arm64
- linux/amd64
- linux/arm
builds:
- id: capsule
main: ./
ldflags:
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'

10
CHANGELOG.md
View File

@@ -1,10 +0,0 @@
# Changelog
Changes are published with their type and scope for each release in the release description. Changes are assigned based on their commit description. Read more on how commits should be formatted in the [Contributing](CONTRIBUTING.md#commits) guide.
See the [Releases](https://github.com/projectcapsule/capsule/releases)
## Helm Chart
For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).

4
CODE_OF_CONDUCT.md
View File

@@ -1,7 +1,5 @@
# Contributor Covenant Code of Conduct
Capsule follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
@@ -116,7 +114,7 @@ the community.
## Attribution
This Code of Conduct follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and is adapted from the [Contributor Covenant][homepage],
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

189
CONTRIBUTING.md
View File

@@ -1,189 +0,0 @@
# Contributing
All contributions are welcome! If you find a bug or have a feature request, please open an issue or submit a pull request.
## Ways to contribute
### 1. Report Issues
Issues to Capsule help improve the project in multiple ways including the following:
* Report potential bugs
* Request a feature
* Request a sample policy
### 2. Engagement
Engage with the community on [Slack](https://kubernetes.slack.com/archives/C03GETTJQRL) and help new users with questions or issues they may have.
### 3. Submit changes
Submit technical changes via pull requests. New contributors may easily view all open issues labeled as [good first issues](https://github.com/projectcapsule/capsule/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) allowing you to get started in an approachable manner.
Once you wish to get started contributing to the code base, please refer to our [development guide](DEVELOPMENT.md) for a how-to. **[We accept pull requests from forks only](#create-a-pull-request)**.
Before creating a pull request, please ensure that your changes are tested and that the documentation is updated accordingly.
When creating a pull request, please visit:
* [commits](#commits)
## Guidelines
The following guidelines outline the semantics and processes which apply to technical contributions to the project.
## Supported Versions
Versions follow [Semantic Versioning](https://semver.org/) terminology and are expressed as `x.y.z`:
- where x is the major version
- y is the minor version
- and z is the patch version
Security fixes, may be backported to the three most recent minor releases, depending on severity and feasibility.
Prereleases are marked as `-rc.x` (release candidate) and may refere to any type of version bump.
## Pull Requests
The pull request title is checked according to the described [semantics](#semantics) (pull requests don't require a scope). However pull requests are currently not used to generate the changelog. Check if your pull requests body meets the following criteria:
- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests
- splitting changes into several and documented small commits
- limit the git subject to 50 characters and write as the continuation of the
sentence "If applied, this commit will ..."
- explain what and why in the body, if more than a trivial change, wrapping at
72 characters
If your pull request in a draft state and not ready yet for review, you can prefix the title with `[WIP]`. This will indicate that work is still ongoing:
[WIP] feat(controller): new cool feature
### Create a Pull Request
Head over to the project repository on GitHub and click the **"Fork"** button. With the forked copy, you can try new ideas and implement changes to the project.
1. **Clone the repository to your device:**
Get the link of your forked repository, paste it in your device terminal and clone it using the command.
```sh
git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY
```
2. **Create a branch:**
Create a new brach and navigate to the branch using this command.
```sh
git checkout -b <new-branch>
```
3. **Stage, Commit, and Push changes:**
Now that we have implemented the required changes, use the command below to stage the changes and commit them.
```sh
git add .
```
```sh
git commit -s -m "Commit message"
```
Go ahead and push your changes to GitHub using this command.
```sh
git push
```
## Commits
The commit message is checked according to the described [semantics](#semantics). Commits are used to generate the changelog and their author will be referenced in the changelog.
### Reorganising commits
To reorganise your commits, do the following (or use your way of doing it):
1. Pull upstream changes
```bash
git remote add upstream git@github.com:projectcapsule/capsule.git
git pull upstream main
```
2. Pick the current upstream HEAD (the commit is marked with `(remote/main, main)`)
```bash
git log
....
commit 10bbf39ac1ac3ad4f8485422e54faa9aadf03315 (remote/main, main)
Author: Oliver Bähler <oliverbaehler@hotmail.com>
Date: Mon Oct 23 10:24:44 2023 +0200
docs(repo): add sbom reference
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
```
3. Soft reset to the commit of the upstream HEAD
```bash
git reset --soft 10bbf39ac1ac3ad4f8485422e54faa9aadf03315
```
4. Remove staged files (if any)
```bash
git restore --staged .
```
5. Add files manually and create new [commits](#commits), until all files are included
```bash
git add charts/capsule/
git commit -s -m "feat(chart): add nodeselector value"
...
```
6. Force push the changes to your fork
```bash
git push origin main -f
```
### Sign-Off
Developer Certificate of Origin (DCO) Sign off
For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work which indicates you agree to the DCO found here.
To sign your work, just add a line like this at the end of your commit message:
Signed-off-by: Random J Developer <random@developer.example.org>
This can easily be done with the -s command line option to append this automatically to your commit message.
git commit -s -m 'This is my commit message'
## Semantics
The semantics should indicate the change and it's impact. The general format for commit messages and pull requests is the following:
feat(ui): Add `Button` component
^ ^ ^
| | |__ Subject
| |_______ Scope
|____________ Type
The commits are checked on pull-request. If the commit message does not follow the format, the workflow will fail. See the [Types](#types) for the supported types. The scope is not required but helps to provide more context for your changes. Try to use a scope if possible.
### Types
The following types are allowed for commits and pull requests:
* `chore`: housekeeping changes, no production code change
* `ci`: changes to buillding process/workflows
* `docs`: changes to documentation
* `feat`: new features
* `fix`: bug fixes
* `test`: test related changes
* `sec`: security related changes

46
DEVELOPMENT.md
View File

@@ -1,46 +0,0 @@
# Development
In Progress!
## Helm Chart
### Testing
You can test your changes made to the helm chart locally. They are almost identical to the checks executed in the github workflows.
Run chart linting (ct lint):
```bash
make helm-lint
```
Run chart tests (ct install):
```bash
make helm-test
```
### Documentation
Documentation of the chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). Therefor all documentation relevant changes for the chart must be done in the [README.md.gotmpl](./charts/capsule/README.md.gotmpl) file. You can run this locally with this command (requires running docker daemon):
```bash
make helm-docs
...
time="2023-10-23T13:45:08Z" level=info msg="Found Chart directories [charts/capsule]"
time="2023-10-23T13:45:08Z" level=info msg="Generating README Documentation for chart /helm-docs/charts/capsule"
```
This will update the documentation for the chart in the `README.md` file.
### Helm Changelog
The `version` of the chart does not require a bump, since it's driven by our release process. The `appVersion` of the chart is the version of the Capsule project. This is the version that should be bumped when a new Capsule version is released. This will be done by the maintainers.
To create the proper changelog for the helm chart, all changes which affect the helm chart must be documented as chart annotation. See all the available [chart annotations](https://artifacthub.io/docs/topics/annotations/helm/).
This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.

2
Dockerfile
View File

@@ -1,5 +1,5 @@
# Build the manager binary
FROM golang:1.20.10 as builder
FROM golang:1.19.10 as builder
WORKDIR /workspace
# Copy the Go Modules manifests

186
Makefile
View File

@@ -1,20 +1,8 @@
# Version
GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
VERSION ?= $(or $(shell git describe --abbrev=0 --tags --match "v*" 2>/dev/null),$(GIT_HEAD_COMMIT))
# Defaults
REGISTRY ?= ghcr.io
REPOSITORY ?= projectcapsule/capsule
GIT_TAG_COMMIT ?= $(shell git rev-parse --short $(VERSION))
GIT_MODIFIED_1 ?= $(shell git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev")
GIT_MODIFIED_2 ?= $(shell git diff --quiet && echo "" || echo ".dirty")
GIT_MODIFIED ?= $(shell echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
GIT_REPO ?= $(shell git config --get remote.origin.url)
BUILD_DATE ?= $(shell git log -1 --format="%at" | xargs -I{} sh -c 'if [ "$(shell uname)" = "Darwin" ]; then date -r {} +%Y-%m-%dT%H:%M:%S; else date -d @{} +%Y-%m-%dT%H:%M:%S; fi')
IMG_BASE ?= $(REPOSITORY)
IMG ?= $(IMG_BASE):$(VERSION)
CAPSULE_IMG ?= $(REGISTRY)/$(IMG_BASE)
# Current Operator version
VERSION ?= $$(git describe --abbrev=0 --tags --match "v*")
# Default bundle image tag
BUNDLE_IMG ?= clastix/capsule:$(VERSION)-bundle
# Options for 'bundle-build'
ifneq ($(origin CHANNELS), undefined)
BUNDLE_CHANNELS := --channels=$(CHANNELS)
@@ -24,6 +12,9 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
endif
BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
# Image URL to use all building/pushing image targets
IMG ?= clastix/capsule:$(VERSION)
# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
ifeq (,$(shell go env GOBIN))
GOBIN=$(shell go env GOPATH)/bin
@@ -31,16 +22,20 @@ else
GOBIN=$(shell go env GOBIN)
endif
# Get information about git current status
GIT_HEAD_COMMIT ?= $$(git rev-parse --short HEAD)
GIT_TAG_COMMIT ?= $$(git rev-parse --short $(VERSION))
GIT_MODIFIED_1 ?= $$(git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev")
GIT_MODIFIED_2 ?= $$(git diff --quiet && echo "" || echo ".dirty")
GIT_MODIFIED ?= $$(echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
GIT_REPO ?= $$(git config --get remote.origin.url)
BUILD_DATE ?= $$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)
all: manager
# Run tests
.PHONY: test
test: test-clean generate manifests test-clean
@GO111MODULE=on go test -v ./... -coverprofile coverage.out
.PHONY: test-clean
test-clean: ## Clean tests cache
@go clean -testcache
test: generate manifests
go test ./... -coverprofile cover.out
# Build manager binary
manager: generate golint
@@ -52,7 +47,7 @@ run: generate manifests
# Creates the single file to install Capsule without any external dependency
installer: manifests kustomize
cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG}
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
$(KUSTOMIZE) build config/default > config/install.yaml
# Install CRDs into a cluster
@@ -87,24 +82,17 @@ apidoc: apidocs-gen
# Helm
SRC_ROOT = $(shell git rev-parse --show-toplevel)
helm-controller-version:
$(eval VERSION := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
$(eval KO_TAGS := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
helm-docs: HELMDOCS_VERSION := v1.11.0
helm-docs: docker
@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
helm-lint: CT_VERSION := v3.3.1
helm-lint: docker
@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
helm-lint: ct
@ct lint --config $(SRC_ROOT)/.github/configs/ct.yaml --lint-conf $(SRC_ROOT)/.github/configs/lintconf.yaml --all --debug
helm-test: helm-controller-version kind ct ko-build-all
helm-test: kind ct docker-build
@kind create cluster --wait=60s --name capsule-charts
@kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
@kind load docker-image --name capsule-charts ${IMG}
@kubectl create ns capsule-system
@kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
@kind delete cluster --name capsule-charts
@@ -178,99 +166,42 @@ dev-setup:
]";
####################
# -- Docker
####################
# Build the docker image
docker-build: test
docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \
--build-arg GIT_TAG_COMMIT=$(GIT_TAG_COMMIT) \
--build-arg GIT_MODIFIED=$(GIT_MODIFIED) \
--build-arg GIT_REPO=$(GIT_REPO) \
--build-arg GIT_LAST_TAG=$(VERSION) \
--build-arg BUILD_DATE=$(BUILD_DATE)
KOCACHE ?= /tmp/ko-cache
KO_REGISTRY := ko.local
KO_TAGS ?= "latest"
ifdef VERSION
KO_TAGS := $(KO_TAGS),$(VERSION)
endif
# Push the docker image
docker-push:
docker push ${IMG}
LD_FLAGS := "-X main.Version=$(VERSION) \
-X main.GitCommit=$(GIT_HEAD_COMMIT) \
-X main.GitTag=$(VERSION) \
-X main.GitTreeState=$(GIT_MODIFIED) \
-X main.BuildDate=$(BUILD_DATE) \
-X main.GitRepo=$(GIT_REPO)"
# Docker Image Build
# ------------------
.PHONY: ko-build-capsule
ko-build-capsule: ko
@echo Building Capsule $(KO_TAGS) >&2
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local
.PHONY: ko-build-all
ko-build-all: ko-build-capsule
# Docker Image Publish
# ------------------
REGISTRY_PASSWORD ?= dummy
REGISTRY_USERNAME ?= dummy
.PHONY: ko-login
ko-login: ko
@$(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password $(REGISTRY_PASSWORD)
.PHONY: ko-publish-capsule
ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
$(KO) build ./ --bare --tags=$(KO_TAGS)
.PHONY: ko-publish-all
ko-publish-all: ko-publish-capsule
####################
# -- Binaries
####################
CONTROLLER_GEN := $(shell pwd)/bin/controller-gen
CONTROLLER_GEN_VERSION := v0.10.0
CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
controller-gen: ## Download controller-gen locally if necessary.
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0)
APIDOCS_GEN := $(shell pwd)/bin/crdoc
APIDOCS_GEN_VERSION := latest
APIDOCS_GEN = $(shell pwd)/bin/crdoc
apidocs-gen: ## Download crdoc locally if necessary.
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@latest)
GINKGO := $(shell pwd)/bin/ginkgo
GINGKO_VERSION := v2.9.5
GINKGO = $(shell pwd)/bin/ginkgo
ginkgo: ## Download ginkgo locally if necessary.
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@v2.9.5)
CT := $(shell pwd)/bin/ct
CT_VERSION := v3.7.1
CT = $(shell pwd)/bin/ct
ct: ## Download ct locally if necessary.
$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@v3.7.1)
KIND := $(shell pwd)/bin/kind
KIND_VERSION := v0.17.0
KIND = $(shell pwd)/bin/kind
kind: ## Download kind locally if necessary.
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@v0.17.0)
KUSTOMIZE := $(shell pwd)/bin/kustomize
KUSTOMIZE_VERSION := 3.8.7
KUSTOMIZE = $(shell pwd)/bin/kustomize
kustomize: ## Download kustomize locally if necessary.
$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
KO = $(shell pwd)/bin/ko
KO_VERSION = v0.14.1
ko:
$(call go-install-tool,$(KO),github.com/google/ko@$(KO_VERSION))
####################
# -- Helpers
####################
pull-upstream:
git remote add upstream https://github.com/capsuleproject/capsule.git
git fetch --all && git pull upstream
$(call install-kustomize,$(KUSTOMIZE),3.8.7)
define install-kustomize
@[ -f $(1) ] || { \
@@ -287,6 +218,7 @@ PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
@[ -f $(1) ] || { \
set -e ;\
echo "Installing $(2)" ;\
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
}
endef
@@ -297,10 +229,14 @@ bundle: manifests
kustomize build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
operator-sdk bundle validate ./bundle
# Build the bundle image.
bundle-build:
docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
# Sorting imports
.PHONY: goimports
goimports:
goimports -w -l -local "github.com/projectcapsule/capsule" .
goimports -w -l -local "github.com/clastix/capsule" .
GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
golangci-lint: ## Download golangci-lint locally if necessary.
@@ -318,11 +254,8 @@ e2e/%: ginkgo
e2e-build/%:
kind create cluster --wait=60s --name capsule --image=kindest/node:$*
make e2e-load-image
make e2e-install
.PHONY: e2e-install
e2e-install:
make docker-build
kind load docker-image --nodes capsule-control-plane --name capsule $(IMG)
helm upgrade \
--debug \
--install \
@@ -337,19 +270,8 @@ e2e-install:
capsule \
./charts/capsule
.PHONY: e2e-load-image
e2e-load-image: ko-build-all
kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
.PHONY: e2e-exec
e2e-exec: ginkgo
$(GINKGO) -v -tags e2e ./e2e
.PHONY: e2e-destroy
e2e-destroy:
kind delete cluster --name capsule
SPELL_CHECKER = npx spellchecker-cli
docs-lint:
cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" -d dictionary.txt

16
PROJECT
View File

@@ -5,7 +5,7 @@ plugins:
manifests.sdk.operatorframework.io/v2: {}
scorecard.sdk.operatorframework.io/v2: {}
projectName: capsule
repo: github.com/projectcapsule/capsule
repo: github.com/clastix/capsule
resources:
- api:
crdVersion: v1
@@ -13,7 +13,7 @@ resources:
domain: clastix.io
group: capsule
kind: Tenant
path: github.com/projectcapsule/capsule/api/v1alpha1
path: github.com/clastix/capsule/api/v1alpha1
version: v1alpha1
webhooks:
conversion: true
@@ -24,21 +24,21 @@ resources:
domain: clastix.io
group: capsule
kind: CapsuleConfiguration
path: github.com/projectcapsule/capsule/api/v1alpha1
path: github.com/clastix/capsule/api/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
domain: clastix.io
group: capsule
kind: Tenant
path: github.com/projectcapsule/capsule/api/v1beta1
path: github.com/clastix/capsule/api/v1beta1
version: v1beta1
- api:
crdVersion: v1
domain: clastix.io
group: capsule
kind: Tenant
path: github.com/projectcapsule/capsule/api/v1beta2
path: github.com/clastix/capsule/api/v1beta2
version: v1beta2
- api:
crdVersion: v1
@@ -46,7 +46,7 @@ resources:
domain: clastix.io
group: capsule
kind: CapsuleConfiguration
path: github.com/projectcapsule/capsule/api/v1beta2
path: github.com/clastix/capsule/api/v1beta2
version: v1beta2
- api:
crdVersion: v1
@@ -54,13 +54,13 @@ resources:
domain: clastix.io
group: capsule
kind: TenantResource
path: github.com/projectcapsule/capsule/api/v1beta2
path: github.com/clastix/capsule/api/v1beta2
version: v1beta2
- api:
crdVersion: v1
domain: clastix.io
group: capsule
kind: GlobalTenantResource
path: github.com/projectcapsule/capsule/api/v1beta2
path: github.com/clastix/capsule/api/v1beta2
version: v1beta2
version: "3"

35
README.md
View File

@@ -1,25 +1,14 @@
<p align="left">
<img src="https://github.com/clastix/capsule/actions/workflows/ci.yml/badge.svg"/>
<img src="https://img.shields.io/github/license/clastix/capsule"/>
<img src="https://img.shields.io/github/go-mod/go-version/clastix/capsule"/>
<a href="https://github.com/projectcapsule/capsule/releases">
<a href="https://github.com/clastix/capsule/releases">
<img src="https://img.shields.io/github/v/release/clastix/capsule"/>
</a>
<a href="https://charmhub.io/capsule-k8s">
<img src="https://charmhub.io/capsule-k8s/badge.svg"/>
</a>
<a href="https://www.bestpractices.dev/projects/5601">
<img src="https://www.bestpractices.dev/projects/5601/badge"/>
</a>
<a href="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge">
<img src="https://api.securityscorecards.dev/projects/github.com/projectcapsule/capsule/badge"/>
</a>
<a href="https://artifacthub.io/packages/search?repo=projectcapsule">
<img src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/projectcapsule"/>
</a>
<a href="https://app.fossa.com/projects/git%2Bgithub.com%2Fprojectcapsule%2Fcapsule?ref=badge_shield&issueType=license" alt="FOSSA Status">
<img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fprojectcapsule%2Fcapsule.svg?type=shield&issueType=license"/>
</a>
</p>
<p align="center">
@@ -100,11 +89,9 @@ The documentation for each chart is done with [helm-docs](https://github.com/nor
make helm-docs
```
## Community meeting
## Community
Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
Please read the [code of conduct](CODE_OF_CONDUCT.md).
Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/clastix/capsule-community).
## Adopters
@@ -118,18 +105,6 @@ You can find how the Capsule project is governed [here](https://capsule.clastix.
Please, refer to the maintainers file available [here](.github/maintainers.yaml).
## Release process
Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
### Changelog
Read how we log changes [here](CHANGELOG.md)
### Software Bill of Materials
All OCI release artifacts include a Software Bill of Materials (SBOM) in CycloneDX JSON format. More information on this is available [here](SECURITY.md#software-bill-of-materials-sbom)
# FAQ
- Q. How to pronounce Capsule?
@@ -138,7 +113,7 @@ All OCI release artifacts include a Software Bill of Materials (SBOM) in Cyclone
- Q. Is it production grade?
A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/projectcapsule/capsule/releases) page for a detailed list of available versions.
A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/clastix/capsule/releases) page for a detailed list of available versions.
- Q. Does it work with my Kubernetes XYZ distribution?

3
ROADMAP.md
View File

@@ -1,3 +0,0 @@
# Roadmap
future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.

56
SECURITY-INSIGHTS.yml
View File

@@ -1,56 +0,0 @@
# Reference https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md
header:
schema-version: 1.0.0
expiration-date: '2024-10-24T01:00:00.000Z'
last-updated: '2023-10-24'
last-reviewed: '2023-10-24'
project-url: https://github.com/projectcapsule/capsule
changelog: https://github.com/projectcapsule/capsule/blob/main/CHANGELOG.md
license: https://github.com/projectcapsule/capsule/blob/main/LICENSE
project-lifecycle:
status: active
bug-fixes-only: false
core-maintainers:
- github:prometherion
- github:oliverbaehler
- github:bsctl
- github:MaxFedotov
distribution-points:
- https://github.com/orgs/projectcapsule/packages?repo_name=capsule
contribution-policy:
accepts-pull-requests: true
accepts-automated-pull-requests: true
contributing-policy: https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md
code-of-conduct: https://github.com/projectcapsule/capsule/blob/main/CODE_OF_CONDUCT.md
vulnerability-reporting:
accepts-vulnerability-reports: true
security-policy: https://github.com/projectcapsule/capsule/blob/main/SECURITY.md
email-contact: cncf-capsule-maintainers@lists.cncf.io
comment: |
Report a vulnerability by using private security issues in GitHub.
security-testing:
- tool-type: sca
tool-name: Dependabot
tool-version: latest
integration:
ad-hoc: false
ci: true
before-release: true
comment: |
Dependabot is enabled for this repo.
dependencies:
third-party-packages: true
dependencies-lists:
- https://github.com/projectcapsule/capsule/blob/main/go.mod
sbom:
- sbom-file: https://github.com/projectcapsule/capsule/pkgs/container/sbom
sbom-format: CycloneDX
sbom-url: https://github.com/projectcapsule/capsule/blob/main/SECURITY.md#software-bill-of-materials-sbom
security-artifacts:
self-assessment:
self-assessment-created: false
security-contacts:
- type: email
value: cncf-capsule-maintainers@lists.cncf.io
primary: true

115
SECURITY.md
View File

@@ -1,115 +0,0 @@
# Security Policy
The Capsule community has adopted this security disclosures and response policy to ensure we responsibly handle critical issues.
## Bulletins
For information regarding the security of this project please join our [slack channel](https://kubernetes.slack.com/archives/C03GETTJQRL).
## Covered Repositories and Issues
When we say "a security vulnerability in capsule" we mean a security issue
in any repository under the [projectcapsule GitHub organization](https://github.com/projectcapsule/).
This reporting process is intended only for security issues in the capsule
project itself, and doesn't apply to applications _using_ capsule or to
issues which do not affect security.
Don't use this process if:
* You have issues with your capsule installation or configuration
* Your issue is not security related
### Explicitly Not Covered: Vulnerability Scanner Reports
We do not accept reports which amount to copy and pasted output from a vulnerability
scanning tool **unless** work has specifically been done to confirm that a vulnerability
reported by the tool _actually exists_ in capsule.
## Reporting a Vulnerability
To report a security issue or vulnerability, [submit a private vulnerability report via GitHub](https://github.com/projectcapsule/capsule/security/advisories/new) to the repository maintainers with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. should contain the following:
* description of the problem
* precise and detailed steps (include screenshots)
* the affected version(s). This may also include environment relevant versions.
* any possible mitigations
If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it.
## Reponse
Response times could be affected by weekends, holidays, breaks or time zone differences. That said, the security response team will endeavour to reply as soon as possible, ideally within 5 working days.
## Security Contacts
[Maintainers](./github/maintainers.yaml) of this project are responsible for the security of the project as outlined in this policy.
# Release Artifacts
[See all the available artifacts](https://github.com/orgs/projectcapsule/packages?repo_name=capsule)
## Verifing
To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). We have a seperate repository for all the signatures for all the artifacts released under the projectcapsule - `ghcr.io/projectcapsule/signatures`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures
To verify the signature of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
--certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/docker-publish.yml@refs/tags/*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
To verify the signature of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
--certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/helm-publish.yml@refs/tags/*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
## Verifying Provenance
Capsule creates and attests to the provenance of its builds using the [SLSA standard](https://slsa.dev/spec/v0.2/provenance) and meets the [SLSA Level 3](https://slsa.dev/spec/v0.1/levels) specification. The attested provenance may be verified using the cosign tool.
Verify the provenance of the docker image. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule)
```bash
cosign verify-attestation --type slsaprovenance \
--certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/projectcapsule/capsule:<release_tag> | jq .payload -r | base64 --decode | jq
```
Verify the provenance of the helm image. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule)
```bash
cosign verify-attestation --type slsaprovenance \
--certificate-identity-regexp="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/projectcapsule/charts/capsule:<release_tag> | jq .payload -r | base64 --decode | jq
```
## Software Bill of Materials (SBOM)
An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at `ghcr.io/projectcapsule/sbom`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom
To inspect the SBOM of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
To inspect the SBOM of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
# Credits
Our Security Policy and Workflows are based on the work of the [Kyverno](https://github.com/kyverno) and [Cert-Manager](https://github.com/cert-manager) community.

2
api/v1alpha1/additional_metadata.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
api/v1alpha1/capsuleconfiguration_annotations.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
api/v1alpha1/capsuleconfiguration_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
api/v1alpha1/capsuleconfiguration_webhook.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

6
api/v1alpha1/conversion_hub.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -13,8 +13,8 @@ import (
"k8s.io/utils/pointer"
"sigs.k8s.io/controller-runtime/pkg/conversion"
capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
"github.com/projectcapsule/capsule/pkg/api"
capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
"github.com/clastix/capsule/pkg/api"
)
const (

6
api/v1alpha1/conversion_hub_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -15,8 +15,8 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/pointer"
capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
"github.com/projectcapsule/capsule/pkg/api"
capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
"github.com/clastix/capsule/pkg/api"
)
//nolint:maintidx

2
api/v1alpha1/groupversion_info.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
// Package v1alpha1 contains API Schema definitions for the capsule.clastix.io v1alpha1 API group

2
api/v1alpha1/owner.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
api/v1alpha1/tenant_func.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

4
api/v1alpha1/tenant_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -8,7 +8,7 @@ import (
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
// TenantSpec defines the desired state of Tenant.

2
api/v1alpha1/tenant_webhook.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

4
api/v1alpha1/zz_generated.deepcopy.go
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
// Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
package v1alpha1
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
corev1 "k8s.io/api/core/v1"
"k8s.io/api/networking/v1"
runtime "k8s.io/apimachinery/pkg/runtime"

2
api/v1beta1/custom_resource_quota.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/deny_wildcard.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/groupversion_info.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
// Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group

4
api/v1beta1/ingress_options.go
View File

@@ -1,10 +1,10 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
type IngressOptions struct {

4
api/v1beta1/namespace_options.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1
@@ -6,7 +6,7 @@ package v1beta1
import (
"strings"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
type NamespaceOptions struct {

2
api/v1beta1/owner.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/owner_list.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/owner_list_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/owner_role.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/service_allowed_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

4
api/v1beta1/service_options.go
View File

@@ -1,10 +1,10 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
type ServiceOptions struct {

2
api/v1beta1/tenant_func.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

2
api/v1beta1/tenant_status.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

4
api/v1beta1/tenant_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1
@@ -6,7 +6,7 @@ package v1beta1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
// TenantSpec defines the desired state of Tenant.

2
api/v1beta1/tenant_webhook.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta1

4
api/v1beta1/zz_generated.deepcopy.go
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
// Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
package v1beta1
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
runtime "k8s.io/apimachinery/pkg/runtime"
)

2
api/v1beta2/additional_role_bindings.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

4
api/v1beta2/capsuleconfiguration_convertion_hub.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -10,7 +10,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/conversion"
capsulev1alpha1 "github.com/projectcapsule/capsule/api/v1alpha1"
capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
)
func (in *CapsuleConfiguration) ConvertTo(raw conversion.Hub) error {

4
api/v1beta2/capsuleconfiguration_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -6,7 +6,7 @@ package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
// CapsuleConfigurationSpec defines the Capsule configuration.

2
api/v1beta2/custom_resource_quota.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

2
api/v1beta2/groupversion_info.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
// Package v1beta2 contains API Schema definitions for the capsule v1beta2 API group

4
api/v1beta2/ingress_options.go
View File

@@ -1,10 +1,10 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
type IngressOptions struct {

4
api/v1beta2/namespace_options.go
View File

@@ -1,10 +1,10 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
type NamespaceOptions struct {

2
api/v1beta2/owner.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

2
api/v1beta2/owner_list.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

2
api/v1beta2/owner_list_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

39
api/v1beta2/tenant_annotations.go
View File

@@ -1,44 +1,17 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"crypto/md5" //#nosec
"encoding/hex"
"fmt"
"strings"
)
const (
// Annotation name part must be no more than 63 characters.
maxAnnotationLength = 63
)
func createAnnotation(format string, resource fmt.Stringer) (string, error) {
suffix := resource.String()
hash := md5.Sum([]byte(resource.String())) //#nosec
hashed := hex.EncodeToString(hash[:])
capsuleHashed := format + hashed
capsuleAnnotation := format + suffix
switch {
case len(capsuleAnnotation) <= maxAnnotationLength:
return capsuleAnnotation, nil
case len(capsuleHashed) <= maxAnnotationLength:
return capsuleHashed, nil
case len(hashed) <= maxAnnotationLength:
return hashed, nil
default:
return "", fmt.Errorf("the annotation name would exceed the maximum supported length (%d), skipping", maxAnnotationLength)
}
func UsedQuotaFor(resource fmt.Stringer) string {
return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
}
func UsedQuotaFor(resource fmt.Stringer) (string, error) {
return createAnnotation("quota.capsule.clastix.io/used-", resource)
}
func HardQuotaFor(resource fmt.Stringer) (string, error) {
return createAnnotation("quota.capsule.clastix.io/hard-", resource)
func HardQuotaFor(resource fmt.Stringer) string {
return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
}

6
api/v1beta2/tenant_conversion_hub.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -10,8 +10,8 @@ import (
"sigs.k8s.io/controller-runtime/pkg/conversion"
capsulev1beta1 "github.com/projectcapsule/capsule/api/v1beta1"
"github.com/projectcapsule/capsule/pkg/api"
capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
"github.com/clastix/capsule/pkg/api"
)
func (in *Tenant) ConvertFrom(raw conversion.Hub) error {

2
api/v1beta2/tenant_func.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

2
api/v1beta2/tenant_labels.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

2
api/v1beta2/tenant_status.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

4
api/v1beta2/tenant_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -6,7 +6,7 @@ package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
// TenantSpec defines the desired state of Tenant.

2
api/v1beta2/tenantresource_global.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

4
api/v1beta2/tenantresource_namespaced.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -7,7 +7,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
)
// TenantResourceSpec defines the desired state of TenantResource.

2
api/v1beta2/tenantresource_types.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package v1beta2

4
api/v1beta2/zz_generated.deepcopy.go
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
// Code generated by controller-gen. DO NOT EDIT.
@@ -9,7 +9,7 @@
package v1beta2
import (
"github.com/projectcapsule/capsule/pkg/api"
"github.com/clastix/capsule/pkg/api"
"k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"

35
charts/capsule/Chart.yaml
View File

@@ -2,8 +2,8 @@ apiVersion: v2
type: application
description: A Helm chart to deploy the Capsule Operator for easily implementing,
managing, and maintaining mutitenancy and access control in Kubernetes.
home: https://github.com/projectcapsule/capsule
icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
home: https://github.com/clastix/capsule
icon: https://github.com/clastix/capsule/raw/master/assets/logo/capsule_small.png
keywords:
- kubernetes
- operator
@@ -13,29 +13,16 @@ keywords:
- multitenant
- namespace
maintainers:
- name: capsule-maintainers
email: cncf-capsule-maintainers@lists.cncf.io
- email: hello@clastix.io
name: Clastix Labs Team
name: capsule
sources:
- https://github.com/projectcapsule/capsule
# The version is overwritten by the release workflow.
version: 0.4.6
- https://github.com/clastix/capsule
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.4.5
# This is the version number of the application being deployed.
# This version number should be incremented each time you make changes to the application.
appVersion: 0.4.0-rc.3
annotations:
artifacthub.io/operator: "true"
artifacthub.io/prerelease: "false"
artifacthub.io/category: security
artifacthub.io/license: Apache-2.0
artifacthub.io/maintainers: |
- name: capsule-maintainers
email: cncf-capsule-maintainers@lists.cncf.io
artifacthub.io/links: |
- name: Documentation
url: https://capsule.clastix.io/
artifacthub.io/changes: |
- kind: added
description: artifacthub annotations
- kind: changed
description: maintainers contact
appVersion: 0.3.3

23
charts/capsule/README.md
View File

@@ -22,15 +22,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
1. Add this repository:
$ helm repo add projectcapsule https://projectcapsule.github.io/charts
$ helm repo add clastix https://clastix.github.io/charts
2. Install the Chart:
$ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
or
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace
$ helm install capsule clastix/capsule -n capsule-system --create-namespace
3. Show the status:
@@ -38,11 +34,7 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
4. Upgrade the Chart
$ helm upgrade capsule projectcapsule/capsule -n capsule-system
or
$ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
$ helm upgrade capsule clastix/capsule -n capsule-system
5. Uninstall the Chart
@@ -76,7 +68,6 @@ Here the values you can override:
| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
| imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
| jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
| jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
| jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
| mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
@@ -94,7 +85,6 @@ Here the values you can override:
| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
| tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
| validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
### Manager Parameters
@@ -103,8 +93,7 @@ Here the values you can override:
|-----|------|---------|-------------|
| manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
| manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
| manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. |
| manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
| manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
@@ -206,7 +195,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
You can enable the generation of certificates using `cert-manager` as follows.
```
helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
--set "certManager.generateCertificates=true" \
--set "tls.create=false" \
--set "tls.enableController=false"
@@ -231,4 +220,4 @@ metadata:
## More
See Capsule [tutorial](https://github.com/projectcapsule/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

18
charts/capsule/README.md.gotmpl
View File

@@ -22,15 +22,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
1. Add this repository:
$ helm repo add projectcapsule https://projectcapsule.github.io/charts
$ helm repo add clastix https://clastix.github.io/charts
2. Install the Chart:
$ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
or
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace
$ helm install capsule clastix/capsule -n capsule-system --create-namespace
3. Show the status:
@@ -38,11 +34,7 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
4. Upgrade the Chart
$ helm upgrade capsule projectcapsule/capsule -n capsule-system
or
$ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
$ helm upgrade capsule clastix/capsule -n capsule-system
5. Uninstall the Chart
@@ -140,7 +132,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
You can enable the generation of certificates using `cert-manager` as follows.
```
helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
--set "certManager.generateCertificates=true" \
--set "tls.create=false" \
--set "tls.enableController=false"
@@ -165,4 +157,4 @@ metadata:
## More
See Capsule [tutorial](https://github.com/projectcapsule/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

6
charts/capsule/templates/_helpers.tpl
View File

@@ -80,7 +80,7 @@ Create the name of the service account to use
Create the manager fully-qualified Docker image to use
*/}}
{{- define "capsule.managerFullyQualifiedDockerImage" -}}
{{- printf "%s/%s:%s" .Values.manager.image.registry .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
{{- printf "%s:%s" .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
{{- end }}
{{/*
@@ -106,9 +106,9 @@ Create the jobs fully-qualified Docker image to use
*/}}
{{- define "capsule.jobsFullyQualifiedDockerImage" -}}
{{- if .Values.jobs.image.tag }}
{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
{{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
{{- else }}
{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
{{- end }}
{{- end }}

6
charts/capsule/templates/deployment.yaml
View File

@@ -49,10 +49,6 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: cert
secret:
@@ -60,6 +56,8 @@ spec:
secretName: {{ include "capsule.secretTlsName" . }}
containers:
- name: manager
command:
- /manager
args:
- --webhook-port={{ .Values.manager.webhookPort }}
- --enable-leader-election

11
charts/capsule/values.yaml
View File

@@ -18,10 +18,8 @@ manager:
kind: Deployment
image:
# -- Set the image registry of capsule.
registry: ghcr.io
# -- Set the image repository of capsule.
repository: projectcapsule/capsule
# -- Set the image repository of the capsule.
repository: clastix/capsule
# -- Set the image pull policy.
pullPolicy: IfNotPresent
# -- Overrides the image tag whose default is the chart appVersion.
@@ -128,17 +126,12 @@ replicaCount: 1
# -- Set affinity rules for the Capsule pod
affinity: {}
# -- Set topology spread constraints for the Capsule pod
topologySpreadConstraints: []
podSecurityPolicy:
# -- Specify if a Pod Security Policy must be created
enabled: false
jobs:
image:
# -- Set the image repository of the helm chart job
registry: docker.io
# -- Set the image repository of the helm chart job
repository: clastix/kubectl
# -- Set the image pull policy of the helm chart job

19
commitlint.config.js
View File

@@ -1,19 +0,0 @@
const Configuration = {
extends: ['@commitlint/config-conventional'],
plugins: ['commitlint-plugin-function-rules'],
rules: {
'type-enum': [2, 'always', ['chore', 'ci', 'docs', 'feat', 'test', 'fix', 'sec']],
'body-max-line-length': [1, 'always', 500],
},
/*
* Whether commitlint uses the default ignore rules, see the description above.
*/
defaultIgnores: true,
/*
* Custom URL to show upon failure
*/
helpUrl:
'https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md#commits',
};
module.exports = Configuration;

4
config/install.yaml
View File

@@ -2762,12 +2762,14 @@ spec:
- --zap-encoder=console
- --zap-log-level=debug
- --configuration-name=capsule-default
command:
- /manager
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/projectcapsule/capsule
image: clastix/capsule:v0.3.3
imagePullPolicy: IfNotPresent
name: manager
ports:

3
config/manager/kustomization.yaml
View File

@@ -6,4 +6,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: ghcr.io/projectcapsule/capsule
newName: clastix/capsule
newTag: v0.3.3

4
config/manager/manager.yaml
View File

@@ -23,7 +23,9 @@ spec:
control-plane: controller-manager
spec:
containers:
- args:
- command:
- /manager
args:
- --enable-leader-election
- --zap-encoder=console
- --zap-log-level=debug

8
controllers/config/manager.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package config
@@ -12,9 +12,9 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
"github.com/projectcapsule/capsule/controllers/utils"
"github.com/projectcapsule/capsule/pkg/configuration"
capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
"github.com/clastix/capsule/controllers/utils"
"github.com/clastix/capsule/pkg/configuration"
)
type Manager struct {

8
controllers/pv/controller.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package pv
@@ -16,9 +16,9 @@ import (
"sigs.k8s.io/controller-runtime/pkg/predicate"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
webhookutils "github.com/projectcapsule/capsule/pkg/webhook/utils"
capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
capsuleutils "github.com/clastix/capsule/pkg/utils"
webhookutils "github.com/clastix/capsule/pkg/webhook/utils"
)
type Controller struct {

2
controllers/rbac/const.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package rbac

8
controllers/rbac/manager.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 Project Capsule Authors.
// Copyright 2020-2021 Clastix Labs
// SPDX-License-Identifier: Apache-2.0
package rbac
@@ -20,9 +20,9 @@ import (
"sigs.k8s.io/controller-runtime/pkg/handler"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
"github.com/projectcapsule/capsule/controllers/utils"
"github.com/projectcapsule/capsule/pkg/configuration"
capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
"github.com/clastix/capsule/controllers/utils"
"github.com/clastix/capsule/pkg/configuration"
)
type Manager struct {

Some files were not shown because too many files have changed in this diff Show More