build(helm): CRD update for PriorityClass enum

feat(v1beta1): remove unused structs and functions from v1beta1. Rename v1alpha1 structs to follow new naming. Move v1alpha1 structs to separate files

.github/FUNDING.yml

@@ -1,12 +0,0 @@
-# These are supported funding model platforms
-
-github: [prometherion]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-otechie: # Replace with a single Otechie username
-custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/workflows/ci.yml

@@ -23,6 +23,8 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
       - name: Cache Go modules
         uses: actions/cache@v1
         env:
@@ -35,11 +37,10 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-build-
             ${{ runner.os }}-
-      - run: make manifests
-      - name: Checking if manifests are disaligned
-        run: test -z "$(git diff 2> /dev/null)"
-      - name: Checking if manifests generated untracked files
+      - run: make installer
+      - name: Checking if YAML installer file is not aligned
+        run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
+      - name: Checking if YAML installer generated untracked files
         run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - run: make fmt vet
       - name: Checking if source code is not formatted
         run: test -z "$(git diff 2> /dev/null)"

.github/workflows/docker-ci.yml

@@ -0,0 +1,73 @@
+name: docker-ci
+
+on:
+  push:
+    tags:        
+      - "v*"
+
+jobs:
+  docker-ci:
+    runs-on: ubuntu-20.04
+    steps:
+
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: |
+             quay.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{raw}}
+          flavor: |
+            latest=false
+
+      -
+        name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: arm64,arm
+
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        with:
+          install: true
+        uses: docker/setup-buildx-action@v1
+
+      -
+        name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+
+      -
+        name: Login to quay.io Container Registry
+        uses: docker/login-action@v1 
+        with:
+          registry: quay.io
+          username: ${{ github.repository_owner }}+github
+          password: ${{ secrets.BOT_QUAY_IO }}
+
+      -
+        name: Build and push
+        id: build-release
+        uses: docker/build-push-action@v2
+        with:
+          file: Dockerfile
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+
+      -
+        name: Image digest
+        run: echo ${{ steps.build-release.outputs.digest }}

.github/workflows/helm.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Linting Chart
         run: helm lint ./charts/capsule
   release:
-    if: github.ref == 'refs/heads/master'
+    if: startsWith(github.ref, 'refs/tags/helm-v')
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2

.gitignore

@@ -24,5 +24,7 @@ bin
 *~
 
 **/*.kubeconfig
+**/*.crt
+**/*.key
 .DS_Store
 

Dockerfile

@@ -1,5 +1,13 @@
 # Build the manager binary
-FROM golang:1.13 as builder
+FROM golang:1.16 as builder
+
+ARG TARGETARCH
+ARG GIT_HEAD_COMMIT
+ARG GIT_TAG_COMMIT
+ARG GIT_LAST_TAG
+ARG GIT_MODIFIED
+ARG GIT_REPO
+ARG BUILD_DATE
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -15,20 +23,11 @@ COPY version.go version.go
 COPY api/ api/
 COPY controllers/ controllers/
 COPY pkg/ pkg/
-COPY .git .git
 
 # Build
-RUN git config --get remote.origin.url > /tmp/GIT_REPO && \
-    git rev-parse --short HEAD > /tmp/GIT_HEAD_COMMIT && \
-    git describe --abbrev=0 --tags > /tmp/GIT_LAST_TAG && \
-    git rev-parse --short $(cat /tmp/GIT_LAST_TAG) > /tmp/GIT_TAG_COMMIT && \
-    git diff $(cat /tmp/GIT_HEAD_COMMIT) $(cat /tmp/GIT_TAG_COMMIT) --quiet > /tmp/GIT_MODIFIED1 || echo '.dev' > /tmp/GIT_MODIFIED1 && \
-    git diff --quiet > /tmp/GIT_MODIFIED2 || echo '.dirty' > /tmp/GIT_MODIFIED2 && \
-    cat /tmp/GIT_MODIFIED1 /tmp/GIT_MODIFIED2 | tr -d '\n' > /tmp/GIT_MODIFIED && \
-    date '+%Y-%m-%dT%H:%M:%S' > /tmp/BUILD_DATE &&\
-    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build \
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build \
         -gcflags "-N -l" \
-        -ldflags "-X main.GitRepo=$(cat /tmp/GIT_REPO) -X main.GitTag=$(cat /tmp/GIT_LAST_TAG) -X main.GitCommit=$(cat /tmp/GIT_HEAD_COMMIT) -X main.GitDirty=$(cat /tmp/GIT_MODIFIED) -X main.BuildTime=$(cat /tmp/BUILD_DATE)" \
+        -ldflags "-X main.GitRepo=$GIT_REPO -X main.GitTag=$GIT_LAST_TAG -X main.GitCommit=$GIT_HEAD_COMMIT -X main.GitDirty=$GIT_MODIFIED -X main.BuildTime=$BUILD_DATE" \
         -o manager
 
 # Use distroless as minimal base image to package the manager binary

Makefile

@@ -15,7 +15,7 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 # Image URL to use all building/pushing image targets
 IMG ?= quay.io/clastix/capsule:$(VERSION)
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
+CRD_OPTIONS ?= "crd:preserveUnknownFields=false"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -24,10 +24,19 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+# Get information about git current status
+GIT_HEAD_COMMIT ?= $$(git rev-parse --short HEAD)
+GIT_TAG_COMMIT  ?= $$(git rev-parse --short $(VERSION))
+GIT_MODIFIED_1  ?= $$(git diff $(GIT_HEAD_COMMIT) $(GIT_TAG_COMMIT) --quiet && echo "" || echo ".dev")
+GIT_MODIFIED_2  ?= $$(git diff --quiet && echo "" || echo ".dirty")
+GIT_MODIFIED    ?= $$(echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
+GIT_REPO        ?= $$(git config --get remote.origin.url)
+BUILD_DATE      ?= $$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)
+
 all: manager
 
 # Run tests
-test: generate fmt vet manifests
+test: generate manifests
 	go test ./... -coverprofile cover.out
 
 # Build manager binary
@@ -35,83 +44,74 @@ manager: generate fmt vet
 	go build -o bin/manager main.go
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
-run: generate fmt vet manifests
+run: generate manifests
 	go run ./main.go
 
+# Creates the single file to install Capsule without any external dependency
+installer: manifests kustomize
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	$(KUSTOMIZE) build config/default > config/install.yaml
+
 # Install CRDs into a cluster
-install: manifests kustomize
+install: installer
 	$(KUSTOMIZE) build config/crd | kubectl apply -f -
 
 # Uninstall CRDs from a cluster
-uninstall: manifests kustomize
+uninstall: installer
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-deploy: manifests kustomize
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
+deploy: installer
+	kubectl apply -f config/install.yaml
 
 # Remove controller in the configured Kubernetes cluster in ~/.kube/config
-remove: manifests kustomize
-	$(KUSTOMIZE) build config/default | kubectl delete -f -
+remove: installer
+	kubectl delete -f config/install.yaml
 	kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
-	kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-provisioner --ignore-not-found
+	kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
 
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
-# Run go fmt against code
-fmt:
-	go fmt ./...
-
-# Run go vet against code
-vet:
-	go vet ./...
-
 # Generate code
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
 # Build the docker image
 docker-build: test
-	docker build . -t ${IMG}
+	docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \
+ 							 --build-arg GIT_TAG_COMMIT=$(GIT_TAG_COMMIT) \
+ 							 --build-arg GIT_MODIFIED=$(GIT_MODIFIED) \
+ 							 --build-arg GIT_REPO=$(GIT_REPO) \
+ 							 --build-arg GIT_LAST_TAG=$(VERSION) \
+ 							 --build-arg BUILD_DATE=$(BUILD_DATE)
 
 # Push the docker image
 docker-push:
 	docker push ${IMG}
 
-# find or download controller-gen
-# download controller-gen if necessary
-controller-gen:
-ifeq (, $(shell which controller-gen))
-	@{ \
-	set -e ;\
-	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
-	cd $$CONTROLLER_GEN_TMP_DIR ;\
-	go mod init tmp ;\
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.3.0 ;\
-	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
-	}
-CONTROLLER_GEN=$(GOBIN)/controller-gen
-else
-CONTROLLER_GEN=$(shell which controller-gen)
-endif
+CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
+controller-gen: ## Download controller-gen locally if necessary.
+	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0)
 
-kustomize:
-ifeq (, $(shell which kustomize))
-	@{ \
-	set -e ;\
-	KUSTOMIZE_GEN_TMP_DIR=$$(mktemp -d) ;\
-	cd $$KUSTOMIZE_GEN_TMP_DIR ;\
-	go mod init tmp ;\
-	go get sigs.k8s.io/kustomize/kustomize/v3@v3.5.4 ;\
-	rm -rf $$KUSTOMIZE_GEN_TMP_DIR ;\
-	}
-KUSTOMIZE=$(GOBIN)/kustomize
-else
-KUSTOMIZE=$(shell which kustomize)
-endif
+KUSTOMIZE = $(shell pwd)/bin/kustomize
+kustomize: ## Download kustomize locally if necessary.
+	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7)
+
+# go-get-tool will 'go get' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-get-tool
+@[ -f $(1) ] || { \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go get $(2) ;\
+rm -rf $$TMP_DIR ;\
+}
+endef
 
 # Generate bundle manifests and metadata, then validate generated files.
 bundle: manifests
@@ -139,7 +139,17 @@ e2e/%:
 	kind create cluster --name capsule --image=kindest/node:$*
 	make docker-build
 	kind load docker-image --nodes capsule-control-plane --name capsule $(IMG)
-	kubectl create namespace capsule-system
-	helm upgrade --install --namespace capsule-system capsule ./charts/capsule --set 'manager.image.pullPolicy=Never' --set 'manager.resources=null'
+	helm upgrade \
+		--debug \
+		--install \
+		--namespace capsule-system \
+		--create-namespace \
+		--set 'manager.image.pullPolicy=Never' \
+		--set 'manager.resources=null'\
+		--set "manager.image.tag=$(VERSION)" \
+		--set 'manager.livenessProbe.failureThreshold=10' \
+		--set 'manager.readinessProbe.failureThreshold=10' \
+		capsule \
+		./charts/capsule
 	ginkgo -v -tags e2e ./e2e
 	kind delete cluster --name capsule

PROJECT

@@ -1,10 +1,39 @@
-domain: github.com/clastix/capsule
-layout: go.kubebuilder.io/v2
+domain: clastix.io
+layout:
+- go.kubebuilder.io/v3
+plugins:
+  manifests.sdk.operatorframework.io/v2: {}
+  scorecard.sdk.operatorframework.io/v2: {}
+projectName: capsule
 repo: github.com/clastix/capsule
 resources:
-- group: capsule.clastix.io
+- api:
+    crdVersion: v1
+    namespaced: false
+  controller: true
+  domain: clastix.io
+  group: capsule
   kind: Tenant
+  path: github.com/clastix/capsule/api/v1alpha1
   version: v1alpha1
-version: 3-alpha
-plugins:
-  go.operator-sdk.io/v2-alpha: {}
+  webhooks:
+    conversion: true
+    webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: false
+  controller: true
+  domain: clastix.io
+  group: capsule
+  kind: CapsuleConfiguration
+  path: github.com/clastix/capsule/api/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: false
+  domain: clastix.io
+  group: capsule
+  kind: Tenant
+  path: github.com/clastix/capsule/api/v1beta1
+  version: v1beta1
+version: "3"

README.md

@@ -14,15 +14,17 @@
 ---
 
 # Kubernetes multi-tenancy made simple
-**Capsule** helps to implement a multi-tenancy and policy-based environment in your Kubernetes cluster. It is not intended to be yet another _PaaS_, instead, it has been designed as a micro-services based ecosystem with minimalist approach, leveraging only on upstream Kubernetes. 
+**Capsule** helps to implement a multi-tenancy and policy-based environment in your Kubernetes cluster. It is not intended to be yet another _PaaS_, instead, it has been designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.
 
 # What's the problem with the current status?
-Kubernetes introduces the _Namespace_ object type to create logical partitions of the cluster as isolated *slices*. However, implementing advanced multi-tenancy scenarios, it becomes soon complicated because of the flat structure of Kubernetes namespaces and the impossibility to share resources among namespaces belonging to the same tenant. To overcome this, cluster admins tend to provision a dedicated cluster for each groups of users, teams, or departments. As an organization grows, the number of clusters to manage and keep aligned becomes an operational nightmare, described as the well know phenomena of the _clusters sprawl_.
 
-# Entering Caspule
-Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_. Within each tenant, users are free to create their namespaces and share all the assigned resources while the Capsule Policy Engine keeps the different tenants isolated from each other.
+Kubernetes introduces the _Namespace_ object type to create logical partitions of the cluster as isolated *slices*. However, implementing advanced multi-tenancy scenarios, it soon becomes complicated because of the flat structure of Kubernetes namespaces and the impossibility to share resources among namespaces belonging to the same tenant. To overcome this, cluster admins tend to provision a dedicated cluster for each groups of users, teams, or departments. As an organization grows, the number of clusters to manage and keep aligned becomes an operational nightmare, described as the well know phenomena of the _clusters sprawl_.
 
-The _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. And users are free to operate their tenants in authonomy, without the intervention of the cluster administrator. Take a look at following diagram:
+
+# Entering Capsule
+Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources while the Capsule Policy Engine keeps the different tenants isolated from each other.
+
+The _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator. Take a look at following diagram:
 
 <p align="center" style="padding: 60px 20px">
   <img src="assets/capsule-operator.svg" />
@@ -42,7 +44,7 @@ Leverage Kubernetes Admission Controllers to enforce the industry security best
 Take control of the resources consumed by users while preventing them to overtake.
 
 ## Native Experience
-Provide multi-tenancy with a native Kubernetes experience without introducing additional management layers, plugins, or customised binaries.
+Provide multi-tenancy with a native Kubernetes experience without introducing additional management layers, plugins, or customized binaries.
 
 ## GitOps ready
 Capsule is completely declarative and GitOps ready.
@@ -59,17 +61,28 @@ Make sure you have access to a Kubernetes cluster as administrator.
 There are two ways to install Capsule:
 
 * Use the Helm Chart available [here](./charts/capsule/README.md)
-* Use [`kustomize`](https://github.com/kubernetes-sigs/kustomize)
+* Use the [single YAML file installer](./config/install.yaml)
 
-## Install with kustomize
-Ensure you have `kubectl` and `kustomize` installed in your `PATH`. 
+## Install with the single YAML file installer
+
+Ensure you have `kubectl` installed in your `PATH`. 
 
 Clone this repository and move to the repo folder:
 
 ```
-$ git clone https://github.com/clastix/capsule
-$ cd capsule
-$ make deploy
+$ kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/install.yaml
+namespace/capsule-system created
+customresourcedefinition.apiextensions.k8s.io/capsuleconfigurations.capsule.clastix.io created
+customresourcedefinition.apiextensions.k8s.io/tenants.capsule.clastix.io created
+clusterrolebinding.rbac.authorization.k8s.io/capsule-manager-rolebinding created
+secret/capsule-ca created
+secret/capsule-tls created
+service/capsule-controller-manager-metrics-service created
+service/capsule-webhook-service created
+deployment.apps/capsule-controller-manager created
+capsuleconfiguration.capsule.clastix.io/capsule-default created
+mutatingwebhookconfiguration.admissionregistration.k8s.io/capsule-mutating-webhook-configuration created
+validatingwebhookconfiguration.admissionregistration.k8s.io/capsule-validating-webhook-configuration created
 ```
 
 It will install the Capsule controller in a dedicated namespace `capsule-system`.
@@ -166,7 +179,7 @@ $ make remove
 ```
 
 # FAQ
-- Q. How to pronunce Capsule?
+- Q. How to pronounce Capsule?
 
   A. It should be pronounced as `/ˈkæpsjuːl/`.
 
@@ -178,9 +191,9 @@ $ make remove
 
   A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/clastix/capsule/releases) page for a detailed list of available versions.
 
-- Q. Does it work with my Kuberentes XYZ distribution?
+- Q. Does it work with my Kubernetes XYZ distribution?
 
-  A. We tested Capsule with vanilla Kubernetes 1.16+ on private envirnments and public clouds. We expect it works smootly on any other distribution. Please, let us know if you find it doesn't.
+  A. We tested Capsule with vanilla Kubernetes 1.16+ on private environments and public clouds. We expect it to work smoothly on any other Kubernetes distribution. Please, let us know if you find it doesn't.
 
 - Q. Do you provide commercial support?
 

api/v1alpha1/additional_metadata.go

@@ -0,0 +1,9 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+type AdditionalMetadataSpec struct {
+	AdditionalLabels      map[string]string `json:"additionalLabels,omitempty"`
+	AdditionalAnnotations map[string]string `json:"additionalAnnotations,omitempty"`
+}

api/v1alpha1/additional_role_bindings.go

@@ -0,0 +1,12 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+type AdditionalRoleBindingsSpec struct {
+	ClusterRoleName string `json:"clusterRoleName"`
+	// kubebuilder:validation:Minimum=1
+	Subjects []rbacv1.Subject `json:"subjects"`
+}

api/v1alpha1/allowed_list.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 

api/v1alpha1/allowed_list_test.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 

api/v1alpha1/capsuleconfiguration_types.go

@@ -0,0 +1,55 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CapsuleConfigurationSpec defines the Capsule configuration
+// nolint:maligned
+type CapsuleConfigurationSpec struct {
+	// Names of the groups for Capsule users.
+	// +kubebuilder:default={capsule.clastix.io}
+	UserGroups []string `json:"userGroups,omitempty"`
+	// Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
+	// separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
+	// +kubebuilder:default=false
+	ForceTenantPrefix bool `json:"forceTenantPrefix,omitempty"`
+	// Disallow creation of namespaces, whose name matches this regexp
+	ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
+	// When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed.
+	// Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of
+	// two or more Tenant resources although sharing the same allowed hostname(s).
+	//
+	// The JSON path of the resource is: /spec/ingressHostnames/allowed
+	AllowTenantIngressHostnamesCollision bool `json:"allowTenantIngressHostnamesCollision,omitempty"`
+	// Allow the collision of Ingress resource hostnames across all the Tenants.
+	// +kubebuilder:default=true
+	AllowIngressHostnameCollision bool `json:"allowIngressHostnameCollision,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster
+
+// CapsuleConfiguration is the Schema for the Capsule configuration API
+type CapsuleConfiguration struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec CapsuleConfigurationSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// CapsuleConfigurationList contains a list of CapsuleConfiguration
+type CapsuleConfigurationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CapsuleConfiguration `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&CapsuleConfiguration{}, &CapsuleConfigurationList{})
+}

api/v1alpha1/conversion_hub.go

@@ -0,0 +1,500 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"github.com/pkg/errors"
+	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+const (
+	podAllowedImagePullPolicyAnnotation = "capsule.clastix.io/allowed-image-pull-policy"
+
+	podPriorityAllowedAnnotation      = "priorityclass.capsule.clastix.io/allowed"
+	podPriorityAllowedRegexAnnotation = "priorityclass.capsule.clastix.io/allowed-regex"
+
+	enableNodePortsAnnotation    = "capsule.clastix.io/enable-node-ports"
+	enableExternalNameAnnotation = "capsule.clastix.io/enable-external-name"
+
+	ownerGroupsAnnotation         = "owners.capsule.clastix.io/group"
+	ownerUsersAnnotation          = "owners.capsule.clastix.io/user"
+	ownerServiceAccountAnnotation = "owners.capsule.clastix.io/serviceaccount"
+
+	enableNodeListingAnnotation           = "capsule.clastix.io/enable-node-listing"
+	enableNodeUpdateAnnotation            = "capsule.clastix.io/enable-node-update"
+	enableNodeDeletionAnnotation          = "capsule.clastix.io/enable-node-deletion"
+	enableStorageClassListingAnnotation   = "capsule.clastix.io/enable-storageclass-listing"
+	enableStorageClassUpdateAnnotation    = "capsule.clastix.io/enable-storageclass-update"
+	enableStorageClassDeletionAnnotation  = "capsule.clastix.io/enable-storageclass-deletion"
+	enableIngressClassListingAnnotation   = "capsule.clastix.io/enable-ingressclass-listing"
+	enableIngressClassUpdateAnnotation    = "capsule.clastix.io/enable-ingressclass-update"
+	enableIngressClassDeletionAnnotation  = "capsule.clastix.io/enable-ingressclass-deletion"
+	enablePriorityClassListingAnnotation  = "capsule.clastix.io/enable-priorityclass-listing"
+	enablePriorityClassUpdateAnnotation   = "capsule.clastix.io/enable-priorityclass-update"
+	enablePriorityClassDeletionAnnotation = "capsule.clastix.io/enable-priorityclass-deletion"
+)
+
+func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
+	var serviceKindToAnnotationMap = map[capsulev1beta1.ProxyServiceKind][]string{
+		capsulev1beta1.NodesProxy:           {enableNodeListingAnnotation, enableNodeUpdateAnnotation, enableNodeDeletionAnnotation},
+		capsulev1beta1.StorageClassesProxy:  {enableStorageClassListingAnnotation, enableStorageClassUpdateAnnotation, enableStorageClassDeletionAnnotation},
+		capsulev1beta1.IngressClassesProxy:  {enableIngressClassListingAnnotation, enableIngressClassUpdateAnnotation, enableIngressClassDeletionAnnotation},
+		capsulev1beta1.PriorityClassesProxy: {enablePriorityClassListingAnnotation, enablePriorityClassUpdateAnnotation, enablePriorityClassDeletionAnnotation},
+	}
+	var annotationToOperationMap = map[string]capsulev1beta1.ProxyOperation{
+		enableNodeListingAnnotation:           capsulev1beta1.ListOperation,
+		enableNodeUpdateAnnotation:            capsulev1beta1.UpdateOperation,
+		enableNodeDeletionAnnotation:          capsulev1beta1.DeleteOperation,
+		enableStorageClassListingAnnotation:   capsulev1beta1.ListOperation,
+		enableStorageClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
+		enableStorageClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
+		enableIngressClassListingAnnotation:   capsulev1beta1.ListOperation,
+		enableIngressClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
+		enableIngressClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
+		enablePriorityClassListingAnnotation:  capsulev1beta1.ListOperation,
+		enablePriorityClassUpdateAnnotation:   capsulev1beta1.UpdateOperation,
+		enablePriorityClassDeletionAnnotation: capsulev1beta1.DeleteOperation,
+	}
+	var annotationToOwnerKindMap = map[string]capsulev1beta1.OwnerKind{
+		ownerUsersAnnotation:          capsulev1beta1.UserOwner,
+		ownerGroupsAnnotation:         capsulev1beta1.GroupOwner,
+		ownerServiceAccountAnnotation: capsulev1beta1.ServiceAccountOwner,
+	}
+	annotations := t.GetAnnotations()
+
+	var operations = make(map[string]map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
+
+	for serviceKind, operationAnnotations := range serviceKindToAnnotationMap {
+		for _, operationAnnotation := range operationAnnotations {
+			val, ok := annotations[operationAnnotation]
+			if ok {
+				for _, owner := range strings.Split(val, ",") {
+					if _, exists := operations[owner]; !exists {
+						operations[owner] = make(map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
+					}
+					operations[owner][serviceKind] = append(operations[owner][serviceKind], annotationToOperationMap[operationAnnotation])
+				}
+			}
+		}
+	}
+
+	var owners capsulev1beta1.OwnerListSpec
+
+	var getProxySettingsForOwner = func(ownerName string) (settings []capsulev1beta1.ProxySettings) {
+		ownerOperations, ok := operations[ownerName]
+		if ok {
+			for k, v := range ownerOperations {
+				settings = append(settings, capsulev1beta1.ProxySettings{
+					Kind:       k,
+					Operations: v,
+				})
+			}
+		}
+		return
+	}
+
+	owners = append(owners, capsulev1beta1.OwnerSpec{
+		Kind:            capsulev1beta1.OwnerKind(t.Spec.Owner.Kind),
+		Name:            t.Spec.Owner.Name,
+		ProxyOperations: getProxySettingsForOwner(t.Spec.Owner.Name),
+	})
+
+	for ownerAnnotation, ownerKind := range annotationToOwnerKindMap {
+		val, ok := annotations[ownerAnnotation]
+		if ok {
+			for _, owner := range strings.Split(val, ",") {
+				owners = append(owners, capsulev1beta1.OwnerSpec{
+					Kind:            ownerKind,
+					Name:            owner,
+					ProxyOperations: getProxySettingsForOwner(owner),
+				})
+			}
+		}
+	}
+
+	return owners
+}
+
+func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
+	dst := dstRaw.(*capsulev1beta1.Tenant)
+	annotations := t.GetAnnotations()
+
+	// ObjectMeta
+	dst.ObjectMeta = t.ObjectMeta
+
+	// Spec
+	dst.Spec.NamespaceQuota = t.Spec.NamespaceQuota
+	dst.Spec.NodeSelector = t.Spec.NodeSelector
+
+	dst.Spec.Owners = t.convertV1Alpha1OwnerToV1Beta1()
+
+	if t.Spec.NamespacesMetadata != nil {
+		dst.Spec.NamespacesMetadata = &capsulev1beta1.AdditionalMetadataSpec{
+			AdditionalLabels:      t.Spec.NamespacesMetadata.AdditionalLabels,
+			AdditionalAnnotations: t.Spec.NamespacesMetadata.AdditionalAnnotations,
+		}
+	}
+	if t.Spec.ServicesMetadata != nil {
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{
+				AdditionalMetadata: &capsulev1beta1.AdditionalMetadataSpec{
+					AdditionalLabels:      t.Spec.ServicesMetadata.AdditionalLabels,
+					AdditionalAnnotations: t.Spec.ServicesMetadata.AdditionalAnnotations,
+				},
+			}
+		}
+	}
+	if t.Spec.StorageClasses != nil {
+		dst.Spec.StorageClasses = &capsulev1beta1.AllowedListSpec{
+			Exact: t.Spec.StorageClasses.Exact,
+			Regex: t.Spec.StorageClasses.Regex,
+		}
+	}
+	if t.Spec.IngressClasses != nil {
+		dst.Spec.IngressClasses = &capsulev1beta1.AllowedListSpec{
+			Exact: t.Spec.IngressClasses.Exact,
+			Regex: t.Spec.IngressClasses.Regex,
+		}
+	}
+	if t.Spec.IngressHostnames != nil {
+		dst.Spec.IngressHostnames = &capsulev1beta1.AllowedListSpec{
+			Exact: t.Spec.IngressHostnames.Exact,
+			Regex: t.Spec.IngressHostnames.Regex,
+		}
+	}
+	if t.Spec.ContainerRegistries != nil {
+		dst.Spec.ContainerRegistries = &capsulev1beta1.AllowedListSpec{
+			Exact: t.Spec.ContainerRegistries.Exact,
+			Regex: t.Spec.ContainerRegistries.Regex,
+		}
+	}
+	if len(t.Spec.NetworkPolicies) > 0 {
+		dst.Spec.NetworkPolicies = &capsulev1beta1.NetworkPolicySpec{
+			Items: t.Spec.NetworkPolicies,
+		}
+	}
+	if len(t.Spec.LimitRanges) > 0 {
+		dst.Spec.LimitRanges = &capsulev1beta1.LimitRangesSpec{
+			Items: t.Spec.LimitRanges,
+		}
+	}
+	if len(t.Spec.ResourceQuota) > 0 {
+		dst.Spec.ResourceQuota = &capsulev1beta1.ResourceQuotaSpec{
+			Items: t.Spec.ResourceQuota,
+		}
+	}
+	if len(t.Spec.AdditionalRoleBindings) > 0 {
+		for _, rb := range t.Spec.AdditionalRoleBindings {
+			dst.Spec.AdditionalRoleBindings = append(dst.Spec.AdditionalRoleBindings, capsulev1beta1.AdditionalRoleBindingsSpec{
+				ClusterRoleName: rb.ClusterRoleName,
+				Subjects:        rb.Subjects,
+			})
+		}
+	}
+	if t.Spec.ExternalServiceIPs != nil {
+		dst.Spec.ExternalServiceIPs = &capsulev1beta1.ExternalServiceIPsSpec{
+			Allowed: make([]capsulev1beta1.AllowedIP, len(t.Spec.ExternalServiceIPs.Allowed)),
+		}
+
+		for i, IP := range t.Spec.ExternalServiceIPs.Allowed {
+			dst.Spec.ExternalServiceIPs.Allowed[i] = capsulev1beta1.AllowedIP(IP)
+		}
+	}
+
+	pullPolicies, ok := annotations[podAllowedImagePullPolicyAnnotation]
+	if ok {
+		for _, policy := range strings.Split(pullPolicies, ",") {
+			dst.Spec.ImagePullPolicies = append(dst.Spec.ImagePullPolicies, capsulev1beta1.ImagePullPolicySpec(policy))
+		}
+	}
+
+	priorityClasses := capsulev1beta1.AllowedListSpec{}
+
+	priorityClassAllowed, ok := annotations[podPriorityAllowedAnnotation]
+	if ok {
+		priorityClasses.Exact = strings.Split(priorityClassAllowed, ",")
+	}
+	priorityClassesRegexp, ok := annotations[podPriorityAllowedRegexAnnotation]
+	if ok {
+		priorityClasses.Regex = priorityClassesRegexp
+	}
+
+	if !reflect.ValueOf(priorityClasses).IsZero() {
+		dst.Spec.PriorityClasses = &priorityClasses
+	}
+
+	enableNodePorts, ok := annotations[enableNodePortsAnnotation]
+	if ok {
+		val, err := strconv.ParseBool(enableNodePorts)
+		if err != nil {
+			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableNodePortsAnnotation, t.GetName()))
+		}
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+		dst.Spec.ServiceOptions.AllowedServices.NodePort = pointer.BoolPtr(val)
+	}
+
+	enableExternalName, ok := annotations[enableExternalNameAnnotation]
+	if ok {
+		val, err := strconv.ParseBool(enableExternalName)
+		if err != nil {
+			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableExternalNameAnnotation, t.GetName()))
+		}
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+		dst.Spec.ServiceOptions.AllowedServices.ExternalName = pointer.BoolPtr(val)
+	}
+
+	// Status
+	dst.Status = capsulev1beta1.TenantStatus{
+		Size:       t.Status.Size,
+		Namespaces: t.Status.Namespaces,
+	}
+
+	// Remove unneeded annotations
+	delete(dst.ObjectMeta.Annotations, podAllowedImagePullPolicyAnnotation)
+	delete(dst.ObjectMeta.Annotations, podPriorityAllowedAnnotation)
+	delete(dst.ObjectMeta.Annotations, podPriorityAllowedRegexAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableNodePortsAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableExternalNameAnnotation)
+	delete(dst.ObjectMeta.Annotations, ownerGroupsAnnotation)
+	delete(dst.ObjectMeta.Annotations, ownerUsersAnnotation)
+	delete(dst.ObjectMeta.Annotations, ownerServiceAccountAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableNodeListingAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableNodeUpdateAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableNodeDeletionAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableStorageClassListingAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableStorageClassUpdateAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableStorageClassDeletionAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableIngressClassListingAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableIngressClassUpdateAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableIngressClassDeletionAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassListingAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassUpdateAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassDeletionAnnotation)
+
+	return nil
+}
+
+func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
+	var ownersAnnotations = map[string][]string{
+		ownerGroupsAnnotation:         nil,
+		ownerUsersAnnotation:          nil,
+		ownerServiceAccountAnnotation: nil,
+	}
+
+	var proxyAnnotations = map[string][]string{
+		enableNodeListingAnnotation:          nil,
+		enableNodeUpdateAnnotation:           nil,
+		enableNodeDeletionAnnotation:         nil,
+		enableStorageClassListingAnnotation:  nil,
+		enableStorageClassUpdateAnnotation:   nil,
+		enableStorageClassDeletionAnnotation: nil,
+		enableIngressClassListingAnnotation:  nil,
+		enableIngressClassUpdateAnnotation:   nil,
+		enableIngressClassDeletionAnnotation: nil,
+	}
+
+	for i, owner := range src.Spec.Owners {
+		if i == 0 {
+			t.Spec.Owner = OwnerSpec{
+				Name: owner.Name,
+				Kind: Kind(owner.Kind),
+			}
+		} else {
+			switch owner.Kind {
+			case capsulev1beta1.UserOwner:
+				ownersAnnotations[ownerUsersAnnotation] = append(ownersAnnotations[ownerUsersAnnotation], owner.Name)
+			case capsulev1beta1.GroupOwner:
+				ownersAnnotations[ownerGroupsAnnotation] = append(ownersAnnotations[ownerGroupsAnnotation], owner.Name)
+			case capsulev1beta1.ServiceAccountOwner:
+				ownersAnnotations[ownerServiceAccountAnnotation] = append(ownersAnnotations[ownerServiceAccountAnnotation], owner.Name)
+			}
+		}
+		for _, setting := range owner.ProxyOperations {
+			switch setting.Kind {
+			case capsulev1beta1.NodesProxy:
+				for _, operation := range setting.Operations {
+					switch operation {
+					case capsulev1beta1.ListOperation:
+						proxyAnnotations[enableNodeListingAnnotation] = append(proxyAnnotations[enableNodeListingAnnotation], owner.Name)
+					case capsulev1beta1.UpdateOperation:
+						proxyAnnotations[enableNodeUpdateAnnotation] = append(proxyAnnotations[enableNodeUpdateAnnotation], owner.Name)
+					case capsulev1beta1.DeleteOperation:
+						proxyAnnotations[enableNodeDeletionAnnotation] = append(proxyAnnotations[enableNodeDeletionAnnotation], owner.Name)
+					}
+				}
+			case capsulev1beta1.PriorityClassesProxy:
+				for _, operation := range setting.Operations {
+					switch operation {
+					case capsulev1beta1.ListOperation:
+						proxyAnnotations[enablePriorityClassListingAnnotation] = append(proxyAnnotations[enablePriorityClassListingAnnotation], owner.Name)
+					case capsulev1beta1.UpdateOperation:
+						proxyAnnotations[enablePriorityClassUpdateAnnotation] = append(proxyAnnotations[enablePriorityClassUpdateAnnotation], owner.Name)
+					case capsulev1beta1.DeleteOperation:
+						proxyAnnotations[enablePriorityClassDeletionAnnotation] = append(proxyAnnotations[enablePriorityClassDeletionAnnotation], owner.Name)
+					}
+				}
+			case capsulev1beta1.StorageClassesProxy:
+				for _, operation := range setting.Operations {
+					switch operation {
+					case capsulev1beta1.ListOperation:
+						proxyAnnotations[enableStorageClassListingAnnotation] = append(proxyAnnotations[enableStorageClassListingAnnotation], owner.Name)
+					case capsulev1beta1.UpdateOperation:
+						proxyAnnotations[enableStorageClassUpdateAnnotation] = append(proxyAnnotations[enableStorageClassUpdateAnnotation], owner.Name)
+					case capsulev1beta1.DeleteOperation:
+						proxyAnnotations[enableStorageClassDeletionAnnotation] = append(proxyAnnotations[enableStorageClassDeletionAnnotation], owner.Name)
+					}
+				}
+			case capsulev1beta1.IngressClassesProxy:
+				for _, operation := range setting.Operations {
+					switch operation {
+					case capsulev1beta1.ListOperation:
+						proxyAnnotations[enableIngressClassListingAnnotation] = append(proxyAnnotations[enableIngressClassListingAnnotation], owner.Name)
+					case capsulev1beta1.UpdateOperation:
+						proxyAnnotations[enableIngressClassUpdateAnnotation] = append(proxyAnnotations[enableIngressClassUpdateAnnotation], owner.Name)
+					case capsulev1beta1.DeleteOperation:
+						proxyAnnotations[enableIngressClassDeletionAnnotation] = append(proxyAnnotations[enableIngressClassDeletionAnnotation], owner.Name)
+					}
+				}
+			}
+		}
+	}
+
+	for k, v := range ownersAnnotations {
+		if len(v) > 0 {
+			t.Annotations[k] = strings.Join(v, ",")
+		}
+	}
+	for k, v := range proxyAnnotations {
+		if len(v) > 0 {
+			t.Annotations[k] = strings.Join(v, ",")
+		}
+	}
+}
+
+func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
+	src := srcRaw.(*capsulev1beta1.Tenant)
+
+	// ObjectMeta
+	t.ObjectMeta = src.ObjectMeta
+
+	// Spec
+	t.Spec.NamespaceQuota = src.Spec.NamespaceQuota
+	t.Spec.NodeSelector = src.Spec.NodeSelector
+
+	if t.Annotations == nil {
+		t.Annotations = make(map[string]string)
+	}
+
+	t.convertV1Beta1OwnerToV1Alpha1(src)
+
+	if src.Spec.NamespacesMetadata != nil {
+		t.Spec.NamespacesMetadata = &AdditionalMetadataSpec{
+			AdditionalLabels:      src.Spec.NamespacesMetadata.AdditionalLabels,
+			AdditionalAnnotations: src.Spec.NamespacesMetadata.AdditionalAnnotations,
+		}
+	}
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AdditionalMetadata != nil {
+		t.Spec.ServicesMetadata = &AdditionalMetadataSpec{
+			AdditionalLabels:      src.Spec.ServiceOptions.AdditionalMetadata.AdditionalLabels,
+			AdditionalAnnotations: src.Spec.ServiceOptions.AdditionalMetadata.AdditionalAnnotations,
+		}
+	}
+	if src.Spec.StorageClasses != nil {
+		t.Spec.StorageClasses = &AllowedListSpec{
+			Exact: src.Spec.StorageClasses.Exact,
+			Regex: src.Spec.StorageClasses.Regex,
+		}
+	}
+	if src.Spec.IngressClasses != nil {
+		t.Spec.IngressClasses = &AllowedListSpec{
+			Exact: src.Spec.IngressClasses.Exact,
+			Regex: src.Spec.IngressClasses.Regex,
+		}
+	}
+	if src.Spec.IngressHostnames != nil {
+		t.Spec.IngressHostnames = &AllowedListSpec{
+			Exact: src.Spec.IngressHostnames.Exact,
+			Regex: src.Spec.IngressHostnames.Regex,
+		}
+	}
+	if src.Spec.ContainerRegistries != nil {
+		t.Spec.ContainerRegistries = &AllowedListSpec{
+			Exact: src.Spec.ContainerRegistries.Exact,
+			Regex: src.Spec.ContainerRegistries.Regex,
+		}
+	}
+	if src.Spec.NetworkPolicies != nil {
+		t.Spec.NetworkPolicies = src.Spec.NetworkPolicies.Items
+	}
+	if src.Spec.LimitRanges != nil {
+		t.Spec.LimitRanges = src.Spec.LimitRanges.Items
+	}
+	if src.Spec.ResourceQuota != nil {
+		t.Spec.ResourceQuota = src.Spec.ResourceQuota.Items
+	}
+	if len(src.Spec.AdditionalRoleBindings) > 0 {
+		for _, rb := range src.Spec.AdditionalRoleBindings {
+			t.Spec.AdditionalRoleBindings = append(t.Spec.AdditionalRoleBindings, AdditionalRoleBindingsSpec{
+				ClusterRoleName: rb.ClusterRoleName,
+				Subjects:        rb.Subjects,
+			})
+		}
+	}
+	if src.Spec.ExternalServiceIPs != nil {
+		t.Spec.ExternalServiceIPs = &ExternalServiceIPsSpec{
+			Allowed: make([]AllowedIP, len(src.Spec.ExternalServiceIPs.Allowed)),
+		}
+
+		for i, IP := range src.Spec.ExternalServiceIPs.Allowed {
+			t.Spec.ExternalServiceIPs.Allowed[i] = AllowedIP(IP)
+		}
+	}
+	if len(src.Spec.ImagePullPolicies) != 0 {
+		var pullPolicies []string
+		for _, policy := range src.Spec.ImagePullPolicies {
+			pullPolicies = append(pullPolicies, string(policy))
+		}
+		t.Annotations[podAllowedImagePullPolicyAnnotation] = strings.Join(pullPolicies, ",")
+	}
+
+	if src.Spec.PriorityClasses != nil {
+		if len(src.Spec.PriorityClasses.Exact) != 0 {
+			t.Annotations[podPriorityAllowedAnnotation] = strings.Join(src.Spec.PriorityClasses.Exact, ",")
+		}
+		if src.Spec.PriorityClasses.Regex != "" {
+			t.Annotations[podPriorityAllowedRegexAnnotation] = src.Spec.PriorityClasses.Regex
+		}
+	}
+
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AllowedServices != nil {
+		t.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.NodePort)
+		t.Annotations[enableExternalNameAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.ExternalName)
+	}
+
+	// Status
+	t.Status = TenantStatus{
+		Size:       src.Status.Size,
+		Namespaces: src.Status.Namespaces,
+	}
+
+	return nil
+}

api/v1alpha1/conversion_hub_test.go

@@ -0,0 +1,373 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"sort"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
+	var namespaceQuota int32 = 5
+	var nodeSelector = map[string]string{
+		"foo": "bar",
+	}
+	var v1alpha1AdditionalMetadataSpec = &AdditionalMetadataSpec{
+		AdditionalLabels: map[string]string{
+			"foo": "bar",
+		},
+		AdditionalAnnotations: map[string]string{
+			"foo": "bar",
+		},
+	}
+	var v1alpha1AllowedListSpec = &AllowedListSpec{
+		Exact: []string{"foo", "bar"},
+		Regex: "^foo*",
+	}
+	var v1beta1AdditionalMetadataSpec = &capsulev1beta1.AdditionalMetadataSpec{
+		AdditionalLabels: map[string]string{
+			"foo": "bar",
+		},
+		AdditionalAnnotations: map[string]string{
+			"foo": "bar",
+		},
+	}
+	var v1beta1ServiceOptions = &capsulev1beta1.ServiceOptions{
+		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
+		AllowedServices: &capsulev1beta1.AllowedServices{
+			NodePort:     pointer.BoolPtr(false),
+			ExternalName: pointer.BoolPtr(false),
+		},
+	}
+	var v1beta1AllowedListSpec = &capsulev1beta1.AllowedListSpec{
+		Exact: []string{"foo", "bar"},
+		Regex: "^foo*",
+	}
+	var networkPolicies = []networkingv1.NetworkPolicySpec{
+		{
+			Ingress: []networkingv1.NetworkPolicyIngressRule{
+				{
+					From: []networkingv1.NetworkPolicyPeer{
+						{
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"foo": "tenant-resources",
+								},
+							},
+						},
+						{
+							PodSelector: &metav1.LabelSelector{},
+						},
+						{
+							IPBlock: &networkingv1.IPBlock{
+								CIDR: "192.168.0.0/12",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	var limitRanges = []corev1.LimitRangeSpec{
+		{
+			Limits: []corev1.LimitRangeItem{
+				{
+					Type: corev1.LimitTypePod,
+					Min: map[corev1.ResourceName]resource.Quantity{
+						corev1.ResourceCPU:    resource.MustParse("50m"),
+						corev1.ResourceMemory: resource.MustParse("5Mi"),
+					},
+					Max: map[corev1.ResourceName]resource.Quantity{
+						corev1.ResourceCPU:    resource.MustParse("1"),
+						corev1.ResourceMemory: resource.MustParse("1Gi"),
+					},
+				},
+			},
+		},
+	}
+	var resourceQuotas = []corev1.ResourceQuotaSpec{
+		{
+			Hard: map[corev1.ResourceName]resource.Quantity{
+				corev1.ResourceLimitsCPU:      resource.MustParse("8"),
+				corev1.ResourceLimitsMemory:   resource.MustParse("16Gi"),
+				corev1.ResourceRequestsCPU:    resource.MustParse("8"),
+				corev1.ResourceRequestsMemory: resource.MustParse("16Gi"),
+			},
+			Scopes: []corev1.ResourceQuotaScope{
+				corev1.ResourceQuotaScopeNotTerminating,
+			},
+		},
+	}
+
+	var v1beta1Tnt = capsulev1beta1.Tenant{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "alice",
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+			Annotations: map[string]string{
+				"foo": "bar",
+			},
+		},
+		Spec: capsulev1beta1.TenantSpec{
+			Owners: capsulev1beta1.OwnerListSpec{
+				{
+					Kind: "User",
+					Name: "alice",
+					ProxyOperations: []capsulev1beta1.ProxySettings{
+						{
+							Kind:       "IngressClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List", "Update", "Delete"},
+						},
+						{
+							Kind:       "Nodes",
+							Operations: []capsulev1beta1.ProxyOperation{"Update", "Delete"},
+						},
+						{
+							Kind:       "StorageClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"Update", "Delete"},
+						},
+					},
+				},
+				{
+					Kind: "User",
+					Name: "bob",
+					ProxyOperations: []capsulev1beta1.ProxySettings{
+						{
+							Kind:       "IngressClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"Update"},
+						},
+						{
+							Kind:       "StorageClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List"},
+						},
+					},
+				},
+				{
+					Kind: "User",
+					Name: "jack",
+					ProxyOperations: []capsulev1beta1.ProxySettings{
+						{
+							Kind:       "IngressClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"Delete"},
+						},
+						{
+							Kind:       "Nodes",
+							Operations: []capsulev1beta1.ProxyOperation{"Delete"},
+						},
+						{
+							Kind:       "StorageClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List"},
+						},
+						{
+							Kind:       "PriorityClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List"},
+						},
+					},
+				},
+				{
+					Kind: "Group",
+					Name: "owner-foo",
+					ProxyOperations: []capsulev1beta1.ProxySettings{
+						{
+							Kind:       "IngressClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List"},
+						},
+					},
+				},
+				{
+					Kind: "Group",
+					Name: "owner-bar",
+					ProxyOperations: []capsulev1beta1.ProxySettings{
+						{
+							Kind:       "IngressClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List"},
+						},
+						{
+							Kind:       "StorageClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"Delete"},
+						},
+					},
+				},
+				{
+					Kind: "ServiceAccount",
+					Name: "system:serviceaccount:oil-production:default",
+					ProxyOperations: []capsulev1beta1.ProxySettings{
+						{
+							Kind:       "Nodes",
+							Operations: []capsulev1beta1.ProxyOperation{"Update"},
+						},
+					},
+				},
+				{
+					Kind: "ServiceAccount",
+					Name: "system:serviceaccount:gas-production:gas",
+					ProxyOperations: []capsulev1beta1.ProxySettings{
+						{
+							Kind:       "StorageClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"Update"},
+						},
+					},
+				},
+			},
+			NamespaceQuota:      &namespaceQuota,
+			NamespacesMetadata:  v1beta1AdditionalMetadataSpec,
+			ServiceOptions:      v1beta1ServiceOptions,
+			StorageClasses:      v1beta1AllowedListSpec,
+			IngressClasses:      v1beta1AllowedListSpec,
+			IngressHostnames:    v1beta1AllowedListSpec,
+			ContainerRegistries: v1beta1AllowedListSpec,
+			NodeSelector:        nodeSelector,
+			NetworkPolicies: &capsulev1beta1.NetworkPolicySpec{
+				Items: networkPolicies,
+			},
+			LimitRanges: &capsulev1beta1.LimitRangesSpec{
+				Items: limitRanges,
+			},
+			ResourceQuota: &capsulev1beta1.ResourceQuotaSpec{
+				Items: resourceQuotas,
+			},
+			AdditionalRoleBindings: []capsulev1beta1.AdditionalRoleBindingsSpec{
+				{
+					ClusterRoleName: "crds-rolebinding",
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:     "Group",
+							APIGroup: "rbac.authorization.k8s.io",
+							Name:     "system:authenticated",
+						},
+					},
+				},
+			},
+			ExternalServiceIPs: &capsulev1beta1.ExternalServiceIPsSpec{
+				Allowed: []capsulev1beta1.AllowedIP{"192.168.0.1"},
+			},
+			ImagePullPolicies: []capsulev1beta1.ImagePullPolicySpec{"Always", "IfNotPresent"},
+			PriorityClasses: &capsulev1beta1.AllowedListSpec{
+				Exact: []string{"default"},
+				Regex: "^tier-.*$",
+			},
+		},
+		Status: capsulev1beta1.TenantStatus{
+			Size:       1,
+			Namespaces: []string{"foo", "bar"},
+		},
+	}
+
+	var v1alpha1Tnt = Tenant{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "alice",
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+			Annotations: map[string]string{
+				"foo":                                "bar",
+				podAllowedImagePullPolicyAnnotation:  "Always,IfNotPresent",
+				enableExternalNameAnnotation:         "false",
+				enableNodePortsAnnotation:            "false",
+				podPriorityAllowedAnnotation:         "default",
+				podPriorityAllowedRegexAnnotation:    "^tier-.*$",
+				ownerGroupsAnnotation:                "owner-foo,owner-bar",
+				ownerUsersAnnotation:                 "bob,jack",
+				ownerServiceAccountAnnotation:        "system:serviceaccount:oil-production:default,system:serviceaccount:gas-production:gas",
+				enableNodeUpdateAnnotation:           "alice,system:serviceaccount:oil-production:default",
+				enableNodeDeletionAnnotation:         "alice,jack",
+				enableStorageClassListingAnnotation:  "bob,jack",
+				enableStorageClassUpdateAnnotation:   "alice,system:serviceaccount:gas-production:gas",
+				enableStorageClassDeletionAnnotation: "alice,owner-bar",
+				enableIngressClassListingAnnotation:  "alice,owner-foo,owner-bar",
+				enableIngressClassUpdateAnnotation:   "alice,bob",
+				enableIngressClassDeletionAnnotation: "alice,jack",
+				enablePriorityClassListingAnnotation: "jack",
+			},
+		},
+		Spec: TenantSpec{
+			Owner: OwnerSpec{
+				Name: "alice",
+				Kind: "User",
+			},
+			NamespaceQuota:      &namespaceQuota,
+			NamespacesMetadata:  v1alpha1AdditionalMetadataSpec,
+			ServicesMetadata:    v1alpha1AdditionalMetadataSpec,
+			StorageClasses:      v1alpha1AllowedListSpec,
+			IngressClasses:      v1alpha1AllowedListSpec,
+			IngressHostnames:    v1alpha1AllowedListSpec,
+			ContainerRegistries: v1alpha1AllowedListSpec,
+			NodeSelector:        nodeSelector,
+			NetworkPolicies:     networkPolicies,
+			LimitRanges:         limitRanges,
+			ResourceQuota:       resourceQuotas,
+			AdditionalRoleBindings: []AdditionalRoleBindingsSpec{
+				{
+					ClusterRoleName: "crds-rolebinding",
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:     "Group",
+							APIGroup: "rbac.authorization.k8s.io",
+							Name:     "system:authenticated",
+						},
+					},
+				},
+			},
+			ExternalServiceIPs: &ExternalServiceIPsSpec{
+				Allowed: []AllowedIP{"192.168.0.1"},
+			},
+		},
+		Status: TenantStatus{
+			Size:       1,
+			Namespaces: []string{"foo", "bar"},
+		},
+	}
+
+	return v1alpha1Tnt, v1beta1Tnt
+}
+
+func TestConversionHub_ConvertTo(t *testing.T) {
+	var v1beta1ConvertedTnt = capsulev1beta1.Tenant{}
+
+	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()
+	err := v1alpha1Tnt.ConvertTo(&v1beta1ConvertedTnt)
+	if assert.NoError(t, err) {
+		sort.Slice(v1beta1tnt.Spec.Owners, func(i, j int) bool {
+			return v1beta1tnt.Spec.Owners[i].Name < v1beta1tnt.Spec.Owners[j].Name
+		})
+		sort.Slice(v1beta1ConvertedTnt.Spec.Owners, func(i, j int) bool {
+			return v1beta1ConvertedTnt.Spec.Owners[i].Name < v1beta1ConvertedTnt.Spec.Owners[j].Name
+		})
+
+		for _, owner := range v1beta1tnt.Spec.Owners {
+			sort.Slice(owner.ProxyOperations, func(i, j int) bool {
+				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
+			})
+		}
+		for _, owner := range v1beta1ConvertedTnt.Spec.Owners {
+			sort.Slice(owner.ProxyOperations, func(i, j int) bool {
+				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
+			})
+		}
+		assert.Equal(t, v1beta1tnt, v1beta1ConvertedTnt)
+	}
+}
+
+func TestConversionHub_ConvertFrom(t *testing.T) {
+	var v1alpha1ConvertedTnt = Tenant{}
+	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()
+
+	err := v1alpha1ConvertedTnt.ConvertFrom(&v1beta1tnt)
+	if assert.NoError(t, err) {
+		assert.EqualValues(t, v1alpha1Tnt, v1alpha1ConvertedTnt)
+	}
+}

api/v1alpha1/domain/allowed.go

@@ -1,22 +0,0 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package domain
-
-type AllowedList interface {
-	ExactMatch(value string) bool
-	RegexMatch(value string) bool
-}

api/v1alpha1/domain/registry_test.go

@@ -1,78 +0,0 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package domain
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestNewRegistry(t *testing.T) {
-	type tc struct {
-		registry string
-		repo     string
-		image    string
-		tag      string
-	}
-	for name, tc := range map[string]tc{
-		"docker.io/my-org/my-repo:v0.0.1": {
-			registry: "docker.io",
-			repo:     "my-org",
-			image:    "my-repo",
-			tag:      "v0.0.1",
-		},
-		"unnamed/repository:1.2.3": {
-			registry: "docker.io",
-			repo:     "unnamed",
-			image:    "repository",
-			tag:      "1.2.3",
-		},
-		"quay.io/clastix/capsule:v1.0.0": {
-			registry: "quay.io",
-			repo:     "clastix",
-			image:    "capsule",
-			tag:      "v1.0.0",
-		},
-		"docker.io/redis:alpine": {
-			registry: "docker.io",
-			repo:     "",
-			image:    "redis",
-			tag:      "alpine",
-		},
-		"nginx:alpine": {
-			registry: "docker.io",
-			repo:     "",
-			image:    "nginx",
-			tag:      "alpine",
-		},
-		"nginx": {
-			registry: "docker.io",
-			repo:     "",
-			image:    "nginx",
-			tag:      "latest",
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			r := NewRegistry(name)
-			assert.Equal(t, tc.registry, r.Registry())
-			assert.Equal(t, tc.repo, r.Repository())
-			assert.Equal(t, tc.image, r.Image())
-			assert.Equal(t, tc.tag, r.Tag())
-		})
-	}
-}

api/v1alpha1/external_service_ips.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// +kubebuilder:validation:Pattern="^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$"
+type AllowedIP string
+
+type ExternalServiceIPsSpec struct {
+	Allowed []AllowedIP `json:"allowed"`
+}

api/v1alpha1/groupversion_info.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 // Package v1alpha1 contains API Schema definitions for the capsule.clastix.io v1alpha1 API group
 // +kubebuilder:object:generate=true

api/v1alpha1/ingress_hostnames_list.go

@@ -1,42 +0,0 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"sort"
-)
-
-type IngressHostnamesList []string
-
-func (hostnames IngressHostnamesList) Len() int {
-	return len(hostnames)
-}
-
-func (hostnames IngressHostnamesList) Swap(i, j int) {
-	hostnames[i], hostnames[j] = hostnames[j], hostnames[i]
-}
-
-func (hostnames IngressHostnamesList) Less(i, j int) bool {
-	return hostnames[i] < hostnames[j]
-}
-
-func (hostnames IngressHostnamesList) IsStringInList(value string) (ok bool) {
-	sort.Sort(hostnames)
-	i := sort.SearchStrings(hostnames, value)
-	ok = i < hostnames.Len() && hostnames[i] == value
-	return
-}

api/v1alpha1/owner.go

@@ -0,0 +1,17 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// OwnerSpec defines tenant owner name and kind
+type OwnerSpec struct {
+	Name string `json:"name"`
+	Kind Kind   `json:"kind"`
+}
+
+// +kubebuilder:validation:Enum=User;Group
+type Kind string
+
+func (k Kind) String() string {
+	return string(k)
+}

api/v1alpha1/tenant_annotations.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 

api/v1alpha1/tenant_func.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
@@ -22,6 +9,13 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
+func (t *Tenant) IsCordoned() bool {
+	if v, ok := t.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
+		return true
+	}
+	return false
+}
+
 func (t *Tenant) IsFull() bool {
 	// we don't have limits on assigned Namespaces
 	if t.Spec.NamespaceQuota == nil {

api/v1alpha1/tenant_labels.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 

api/v1alpha1/tenant_types.go

@@ -1,53 +1,22 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
 import (
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-type AdditionalMetadata struct {
-	AdditionalLabels      map[string]string `json:"additionalLabels,omitempty"`
-	AdditionalAnnotations map[string]string `json:"additionalAnnotations,omitempty"`
-}
-
-type IngressHostnamesSpec struct {
-	Allowed      IngressHostnamesList `json:"allowed"`
-	AllowedRegex string               `json:"allowedRegex"`
-}
-
-// +kubebuilder:validation:Pattern="^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$"
-type AllowedIP string
-
-type ExternalServiceIPs struct {
-	Allowed []AllowedIP `json:"allowed"`
-}
-
 // TenantSpec defines the desired state of Tenant
 type TenantSpec struct {
 	Owner OwnerSpec `json:"owner"`
 
 	//+kubebuilder:validation:Minimum=1
 	NamespaceQuota         *int32                           `json:"namespaceQuota,omitempty"`
-	NamespacesMetadata     AdditionalMetadata               `json:"namespacesMetadata,omitempty"`
-	ServicesMetadata       AdditionalMetadata               `json:"servicesMetadata,omitempty"`
+	NamespacesMetadata     *AdditionalMetadataSpec          `json:"namespacesMetadata,omitempty"`
+	ServicesMetadata       *AdditionalMetadataSpec          `json:"servicesMetadata,omitempty"`
 	StorageClasses         *AllowedListSpec                 `json:"storageClasses,omitempty"`
 	IngressClasses         *AllowedListSpec                 `json:"ingressClasses,omitempty"`
 	IngressHostnames       *AllowedListSpec                 `json:"ingressHostnames,omitempty"`
@@ -56,27 +25,8 @@ type TenantSpec struct {
 	NetworkPolicies        []networkingv1.NetworkPolicySpec `json:"networkPolicies,omitempty"`
 	LimitRanges            []corev1.LimitRangeSpec          `json:"limitRanges,omitempty"`
 	ResourceQuota          []corev1.ResourceQuotaSpec       `json:"resourceQuotas,omitempty"`
-	AdditionalRoleBindings []AdditionalRoleBindings         `json:"additionalRoleBindings,omitempty"`
-	ExternalServiceIPs     *ExternalServiceIPs              `json:"externalServiceIPs,omitempty"`
-}
-
-type AdditionalRoleBindings struct {
-	ClusterRoleName string `json:"clusterRoleName"`
-	// kubebuilder:validation:Minimum=1
-	Subjects []rbacv1.Subject `json:"subjects"`
-}
-
-// OwnerSpec defines tenant owner name and kind
-type OwnerSpec struct {
-	Name string `json:"name"`
-	Kind Kind   `json:"kind"`
-}
-
-// +kubebuilder:validation:Enum=User;Group
-type Kind string
-
-func (k Kind) String() string {
-	return string(k)
+	AdditionalRoleBindings []AdditionalRoleBindingsSpec     `json:"additionalRoleBindings,omitempty"`
+	ExternalServiceIPs     *ExternalServiceIPsSpec          `json:"externalServiceIPs,omitempty"`
 }
 
 // TenantStatus defines the observed state of Tenant

api/v1alpha1/tenant_webhook.go

@@ -0,0 +1,21 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"io/ioutil"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (t *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	certData, _ := ioutil.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")
+	if len(certData) == 0 {
+		return nil
+	}
+
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(t).
+		Complete()
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,20 +1,7 @@
 // +build !ignore_autogenerated
 
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 // Code generated by controller-gen. DO NOT EDIT.
 
@@ -22,13 +9,13 @@ package v1alpha1
 
 import (
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/api/networking/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AdditionalMetadata) DeepCopyInto(out *AdditionalMetadata) {
+func (in *AdditionalMetadataSpec) DeepCopyInto(out *AdditionalMetadataSpec) {
 	*out = *in
 	if in.AdditionalLabels != nil {
 		in, out := &in.AdditionalLabels, &out.AdditionalLabels
@@ -46,32 +33,32 @@ func (in *AdditionalMetadata) DeepCopyInto(out *AdditionalMetadata) {
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalMetadata.
-func (in *AdditionalMetadata) DeepCopy() *AdditionalMetadata {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalMetadataSpec.
+func (in *AdditionalMetadataSpec) DeepCopy() *AdditionalMetadataSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(AdditionalMetadata)
+	out := new(AdditionalMetadataSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AdditionalRoleBindings) DeepCopyInto(out *AdditionalRoleBindings) {
+func (in *AdditionalRoleBindingsSpec) DeepCopyInto(out *AdditionalRoleBindingsSpec) {
 	*out = *in
 	if in.Subjects != nil {
 		in, out := &in.Subjects, &out.Subjects
-		*out = make([]rbacv1.Subject, len(*in))
+		*out = make([]v1.Subject, len(*in))
 		copy(*out, *in)
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalRoleBindings.
-func (in *AdditionalRoleBindings) DeepCopy() *AdditionalRoleBindings {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalRoleBindingsSpec.
+func (in *AdditionalRoleBindingsSpec) DeepCopy() *AdditionalRoleBindingsSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(AdditionalRoleBindings)
+	out := new(AdditionalRoleBindingsSpec)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -97,7 +84,85 @@ func (in *AllowedListSpec) DeepCopy() *AllowedListSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalServiceIPs) DeepCopyInto(out *ExternalServiceIPs) {
+func (in *CapsuleConfiguration) DeepCopyInto(out *CapsuleConfiguration) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfiguration.
+func (in *CapsuleConfiguration) DeepCopy() *CapsuleConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(CapsuleConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CapsuleConfiguration) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CapsuleConfigurationList) DeepCopyInto(out *CapsuleConfigurationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CapsuleConfiguration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationList.
+func (in *CapsuleConfigurationList) DeepCopy() *CapsuleConfigurationList {
+	if in == nil {
+		return nil
+	}
+	out := new(CapsuleConfigurationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CapsuleConfigurationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CapsuleConfigurationSpec) DeepCopyInto(out *CapsuleConfigurationSpec) {
+	*out = *in
+	if in.UserGroups != nil {
+		in, out := &in.UserGroups, &out.UserGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapsuleConfigurationSpec.
+func (in *CapsuleConfigurationSpec) DeepCopy() *CapsuleConfigurationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CapsuleConfigurationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalServiceIPsSpec) DeepCopyInto(out *ExternalServiceIPsSpec) {
 	*out = *in
 	if in.Allowed != nil {
 		in, out := &in.Allowed, &out.Allowed
@@ -106,51 +171,12 @@ func (in *ExternalServiceIPs) DeepCopyInto(out *ExternalServiceIPs) {
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalServiceIPs.
-func (in *ExternalServiceIPs) DeepCopy() *ExternalServiceIPs {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalServiceIPsSpec.
+func (in *ExternalServiceIPsSpec) DeepCopy() *ExternalServiceIPsSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(ExternalServiceIPs)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in IngressHostnamesList) DeepCopyInto(out *IngressHostnamesList) {
-	{
-		in := &in
-		*out = make(IngressHostnamesList, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressHostnamesList.
-func (in IngressHostnamesList) DeepCopy() IngressHostnamesList {
-	if in == nil {
-		return nil
-	}
-	out := new(IngressHostnamesList)
-	in.DeepCopyInto(out)
-	return *out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IngressHostnamesSpec) DeepCopyInto(out *IngressHostnamesSpec) {
-	*out = *in
-	if in.Allowed != nil {
-		in, out := &in.Allowed, &out.Allowed
-		*out = make(IngressHostnamesList, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressHostnamesSpec.
-func (in *IngressHostnamesSpec) DeepCopy() *IngressHostnamesSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(IngressHostnamesSpec)
+	out := new(ExternalServiceIPsSpec)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -238,8 +264,16 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(int32)
 		**out = **in
 	}
-	in.NamespacesMetadata.DeepCopyInto(&out.NamespacesMetadata)
-	in.ServicesMetadata.DeepCopyInto(&out.ServicesMetadata)
+	if in.NamespacesMetadata != nil {
+		in, out := &in.NamespacesMetadata, &out.NamespacesMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServicesMetadata != nil {
+		in, out := &in.ServicesMetadata, &out.ServicesMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.StorageClasses != nil {
 		in, out := &in.StorageClasses, &out.StorageClasses
 		*out = new(AllowedListSpec)
@@ -269,7 +303,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 	}
 	if in.NetworkPolicies != nil {
 		in, out := &in.NetworkPolicies, &out.NetworkPolicies
-		*out = make([]v1.NetworkPolicySpec, len(*in))
+		*out = make([]networkingv1.NetworkPolicySpec, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -290,14 +324,14 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 	}
 	if in.AdditionalRoleBindings != nil {
 		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
-		*out = make([]AdditionalRoleBindings, len(*in))
+		*out = make([]AdditionalRoleBindingsSpec, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ExternalServiceIPs != nil {
 		in, out := &in.ExternalServiceIPs, &out.ExternalServiceIPs
-		*out = new(ExternalServiceIPs)
+		*out = new(ExternalServiceIPsSpec)
 		(*in).DeepCopyInto(*out)
 	}
 }

api/v1beta1/additional_metadata.go

@@ -0,0 +1,9 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type AdditionalMetadataSpec struct {
+	AdditionalLabels      map[string]string `json:"additionalLabels,omitempty"`
+	AdditionalAnnotations map[string]string `json:"additionalAnnotations,omitempty"`
+}

api/v1beta1/additional_role_bindings.go

@@ -0,0 +1,12 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+type AdditionalRoleBindingsSpec struct {
+	ClusterRoleName string `json:"clusterRoleName"`
+	// kubebuilder:validation:Minimum=1
+	Subjects []rbacv1.Subject `json:"subjects"`
+}

api/v1beta1/allowed_list.go

@@ -0,0 +1,33 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"regexp"
+	"sort"
+	"strings"
+)
+
+type AllowedListSpec struct {
+	Exact []string `json:"allowed,omitempty"`
+	Regex string   `json:"allowedRegex,omitempty"`
+}
+
+func (in *AllowedListSpec) ExactMatch(value string) (ok bool) {
+	if len(in.Exact) > 0 {
+		sort.SliceStable(in.Exact, func(i, j int) bool {
+			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
+		})
+		i := sort.SearchStrings(in.Exact, value)
+		ok = i < len(in.Exact) && in.Exact[i] == value
+	}
+	return
+}
+
+func (in AllowedListSpec) RegexMatch(value string) (ok bool) {
+	if len(in.Regex) > 0 {
+		ok = regexp.MustCompile(in.Regex).MatchString(value)
+	}
+	return
+}

api/v1beta1/allowed_list_test.go

@@ -0,0 +1,67 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllowedListSpec_ExactMatch(t *testing.T) {
+	type tc struct {
+		In    []string
+		True  []string
+		False []string
+	}
+	for _, tc := range []tc{
+		{
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"bing", "bong"},
+		},
+		{
+			[]string{"one", "two", "three"},
+			[]string{"one", "two", "three"},
+			[]string{"a", "b", "c"},
+		},
+		{
+			nil,
+			nil,
+			[]string{"any", "value"},
+		},
+	} {
+		a := AllowedListSpec{
+			Exact: tc.In,
+		}
+		for _, ok := range tc.True {
+			assert.True(t, a.ExactMatch(ok))
+		}
+		for _, ko := range tc.False {
+			assert.False(t, a.ExactMatch(ko))
+		}
+	}
+}
+
+func TestAllowedListSpec_RegexMatch(t *testing.T) {
+	type tc struct {
+		Regex string
+		True  []string
+		False []string
+	}
+	for _, tc := range []tc{
+		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
+		{``, nil, []string{"any", "value"}},
+	} {
+		a := AllowedListSpec{
+			Regex: tc.Regex,
+		}
+		for _, ok := range tc.True {
+			assert.True(t, a.RegexMatch(ok))
+		}
+		for _, ko := range tc.False {
+			assert.False(t, a.RegexMatch(ko))
+		}
+	}
+}

api/v1beta1/external_service_ips.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+// +kubebuilder:validation:Pattern="^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$"
+type AllowedIP string
+
+type ExternalServiceIPsSpec struct {
+	Allowed []AllowedIP `json:"allowed"`
+}

api/v1beta1/groupversion_info.go

@@ -0,0 +1,23 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+// Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group
+//+kubebuilder:object:generate=true
+//+groupName=capsule.clastix.io
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "capsule.clastix.io", Version: "v1beta1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1beta1/image_pull_policy.go

@@ -0,0 +1,11 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+// +kubebuilder:validation:Enum=Always;Never;IfNotPresent
+type ImagePullPolicySpec string
+
+func (i ImagePullPolicySpec) String() string {
+	return string(i)
+}

api/v1beta1/limit_ranges.go

@@ -0,0 +1,10 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import corev1 "k8s.io/api/core/v1"
+
+type LimitRangesSpec struct {
+	Items []corev1.LimitRangeSpec `json:"items,omitempty"`
+}

api/v1beta1/network_policy.go

@@ -0,0 +1,12 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	networkingv1 "k8s.io/api/networking/v1"
+)
+
+type NetworkPolicySpec struct {
+	Items []networkingv1.NetworkPolicySpec `json:"items,omitempty"`
+}

api/v1beta1/owner.go

@@ -0,0 +1,54 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type OwnerSpec struct {
+	// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
+	Kind OwnerKind `json:"kind"`
+	// Name of tenant owner.
+	Name string `json:"name"`
+	// Proxy settings for tenant owner.
+	ProxyOperations []ProxySettings `json:"proxySettings,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=User;Group;ServiceAccount
+type OwnerKind string
+
+func (k OwnerKind) String() string {
+	return string(k)
+}
+
+type ProxySettings struct {
+	Kind       ProxyServiceKind `json:"kind"`
+	Operations []ProxyOperation `json:"operations"`
+}
+
+// +kubebuilder:validation:Enum=List;Update;Delete
+type ProxyOperation string
+
+func (p ProxyOperation) String() string {
+	return string(p)
+}
+
+// +kubebuilder:validation:Enum=Nodes;StorageClasses;IngressClasses;PriorityClasses
+type ProxyServiceKind string
+
+func (p ProxyServiceKind) String() string {
+	return string(p)
+}
+
+const (
+	NodesProxy           ProxyServiceKind = "Nodes"
+	StorageClassesProxy  ProxyServiceKind = "StorageClasses"
+	IngressClassesProxy  ProxyServiceKind = "IngressClasses"
+	PriorityClassesProxy ProxyServiceKind = "PriorityClasses"
+
+	ListOperation   ProxyOperation = "List"
+	UpdateOperation ProxyOperation = "Update"
+	DeleteOperation ProxyOperation = "Delete"
+
+	UserOwner           OwnerKind = "User"
+	GroupOwner          OwnerKind = "Group"
+	ServiceAccountOwner OwnerKind = "ServiceAccount"
+)

api/v1beta1/owner_list.go

@@ -0,0 +1,34 @@
+package v1beta1
+
+import (
+	"sort"
+)
+
+type OwnerListSpec []OwnerSpec
+
+func (o OwnerListSpec) FindOwner(name string, kind OwnerKind) (owner OwnerSpec) {
+	sort.Sort(ByKindAndName(o))
+	i := sort.Search(len(o), func(i int) bool {
+		return o[i].Kind >= kind && o[i].Name >= name
+	})
+
+	if i < len(o) && o[i].Kind == kind && o[i].Name == name {
+		return o[i]
+	}
+	return
+}
+
+type ByKindAndName OwnerListSpec
+
+func (b ByKindAndName) Len() int {
+	return len(b)
+}
+func (b ByKindAndName) Less(i, j int) bool {
+	if b[i].Kind.String() != b[j].Kind.String() {
+		return b[i].Kind.String() < b[j].Kind.String()
+	}
+	return b[i].Name < b[j].Name
+}
+func (b ByKindAndName) Swap(i, j int) {
+	b[i], b[j] = b[j], b[i]
+}

api/v1beta1/owner_list_test.go

@@ -0,0 +1,83 @@
+package v1beta1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestOwnerListSpec_FindOwner(t *testing.T) {
+	var bla = OwnerSpec{
+		Kind: UserOwner,
+		Name: "bla",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       IngressClassesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+		},
+	}
+	var bar = OwnerSpec{
+		Kind: GroupOwner,
+		Name: "bar",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+		},
+	}
+	var baz = OwnerSpec{
+		Kind: UserOwner,
+		Name: "baz",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"Update"},
+			},
+		},
+	}
+	var fim = OwnerSpec{
+		Kind: ServiceAccountOwner,
+		Name: "fim",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       NodesProxy,
+				Operations: []ProxyOperation{"List"},
+			},
+		},
+	}
+	var bom = OwnerSpec{
+		Kind: GroupOwner,
+		Name: "bom",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+			{
+				Kind:       NodesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+		},
+	}
+	var qip = OwnerSpec{
+		Kind: ServiceAccountOwner,
+		Name: "qip",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"List", "Delete"},
+			},
+		},
+	}
+	var owners = OwnerListSpec{bom, qip, bla, bar, baz, fim}
+
+	assert.Equal(t, owners.FindOwner("bom", GroupOwner), bom)
+	assert.Equal(t, owners.FindOwner("qip", ServiceAccountOwner), qip)
+	assert.Equal(t, owners.FindOwner("bla", UserOwner), bla)
+	assert.Equal(t, owners.FindOwner("bar", GroupOwner), bar)
+	assert.Equal(t, owners.FindOwner("baz", UserOwner), baz)
+	assert.Equal(t, owners.FindOwner("fim", ServiceAccountOwner), fim)
+	assert.Equal(t, owners.FindOwner("notfound", ServiceAccountOwner), OwnerSpec{})
+}

api/v1beta1/resource_quota.go

@@ -0,0 +1,10 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import corev1 "k8s.io/api/core/v1"
+
+type ResourceQuotaSpec struct {
+	Items []corev1.ResourceQuotaSpec `json:"items,omitempty"`
+}

api/v1beta1/service_options.go

@@ -0,0 +1,20 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type ServiceOptions struct {
+	// Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+	AdditionalMetadata *AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
+	// Block or deny certain type of Services. Optional.
+	AllowedServices *AllowedServices `json:"allowedServices,omitempty"`
+}
+
+type AllowedServices struct {
+	//+kubebuilder:default=true
+	// Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+	NodePort *bool `json:"nodePort,omitempty"`
+	//+kubebuilder:default=true
+	// Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+	ExternalName *bool `json:"externalName,omitempty"`
+}

api/v1beta1/tenant_annotations.go

@@ -0,0 +1,25 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"fmt"
+)
+
+const (
+	AvailableIngressClassesAnnotation       = "capsule.clastix.io/ingress-classes"
+	AvailableIngressClassesRegexpAnnotation = "capsule.clastix.io/ingress-classes-regexp"
+	AvailableStorageClassesAnnotation       = "capsule.clastix.io/storage-classes"
+	AvailableStorageClassesRegexpAnnotation = "capsule.clastix.io/storage-classes-regexp"
+	AllowedRegistriesAnnotation             = "capsule.clastix.io/allowed-registries"
+	AllowedRegistriesRegexpAnnotation       = "capsule.clastix.io/allowed-registries-regexp"
+)
+
+func UsedQuotaFor(resource fmt.Stringer) string {
+	return "quota.capsule.clastix.io/used-" + resource.String()
+}
+
+func HardQuotaFor(resource fmt.Stringer) string {
+	return "quota.capsule.clastix.io/hard-" + resource.String()
+}

api/v1beta1/tenant_func.go

@@ -0,0 +1,42 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"sort"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func (t *Tenant) IsCordoned() bool {
+	if v, ok := t.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
+		return true
+	}
+	return false
+}
+
+func (t *Tenant) IsFull() bool {
+	// we don't have limits on assigned Namespaces
+	if t.Spec.NamespaceQuota == nil {
+		return false
+	}
+	return len(t.Status.Namespaces) >= int(*t.Spec.NamespaceQuota)
+}
+
+func (t *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
+	var l []string
+	for _, ns := range namespaces {
+		if ns.Status.Phase == corev1.NamespaceActive {
+			l = append(l, ns.GetName())
+		}
+	}
+	sort.Strings(l)
+
+	t.Status.Namespaces = l
+	t.Status.Size = uint(len(l))
+}
+
+func (t *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
+	return t.Spec.Owners.FindOwner(name, kind).ProxyOperations
+}

api/v1beta1/tenant_labels.go

@@ -0,0 +1,31 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func GetTypeLabel(t runtime.Object) (label string, err error) {
+	switch v := t.(type) {
+	case *Tenant:
+		return "capsule.clastix.io/tenant", nil
+	case *corev1.LimitRange:
+		return "capsule.clastix.io/limit-range", nil
+	case *networkingv1.NetworkPolicy:
+		return "capsule.clastix.io/network-policy", nil
+	case *corev1.ResourceQuota:
+		return "capsule.clastix.io/resource-quota", nil
+	case *rbacv1.RoleBinding:
+		return "capsule.clastix.io/role-binding", nil
+	default:
+		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
+	}
+	return
+}

api/v1beta1/tenant_status.go

@@ -0,0 +1,23 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+// +kubebuilder:validation:Enum=cordoned;active
+type tenantState string
+
+const (
+	TenantStateActive   tenantState = "active"
+	TenantStateCordoned tenantState = "cordoned"
+)
+
+// Returns the observed state of the Tenant
+type TenantStatus struct {
+	//+kubebuilder:default=active
+	// The operational state of the Tenant. Possible values are "active", "cordoned".
+	State tenantState `json:"state"`
+	// How many namespaces are assigned to the Tenant.
+	Size uint `json:"size"`
+	// List of namespaces assigned to the Tenant.
+	Namespaces []string `json:"namespaces,omitempty"`
+}

api/v1beta1/tenant_types.go

@@ -0,0 +1,80 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// TenantSpec defines the desired state of Tenant
+type TenantSpec struct {
+	// Specifies the owners of the Tenant. Mandatory.
+	Owners OwnerListSpec `json:"owners"`
+
+	//+kubebuilder:validation:Minimum=1
+	// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+	NamespaceQuota *int32 `json:"namespaceQuota,omitempty"`
+	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+	NamespacesMetadata *AdditionalMetadataSpec `json:"namespacesMetadata,omitempty"`
+	// Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
+	ServiceOptions *ServiceOptions `json:"serviceOptions,omitempty"`
+	// Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.
+	StorageClasses *AllowedListSpec `json:"storageClasses,omitempty"`
+	// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+	IngressClasses *AllowedListSpec `json:"ingressClasses,omitempty"`
+	// Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+	IngressHostnames *AllowedListSpec `json:"ingressHostnames,omitempty"`
+	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
+	ContainerRegistries *AllowedListSpec `json:"containerRegistries,omitempty"`
+	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+	NetworkPolicies *NetworkPolicySpec `json:"networkPolicies,omitempty"`
+	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+	LimitRanges *LimitRangesSpec `json:"limitRanges,omitempty"`
+	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
+	ResourceQuota *ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
+	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
+	AdditionalRoleBindings []AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
+	// Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means all the IPs are allowed. Optional.
+	ExternalServiceIPs *ExternalServiceIPsSpec `json:"externalServiceIPs,omitempty"`
+	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
+	ImagePullPolicies []ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
+	// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+	PriorityClasses *AllowedListSpec `json:"priorityClasses,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:storageversion
+// +kubebuilder:resource:scope=Cluster,shortName=tnt
+// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state",description="The actual state of the Tenant"
+// +kubebuilder:printcolumn:name="Namespace quota",type="integer",JSONPath=".spec.namespaceQuota",description="The max amount of Namespaces can be created"
+// +kubebuilder:printcolumn:name="Namespace count",type="integer",JSONPath=".status.size",description="The total amount of Namespaces in use"
+// +kubebuilder:printcolumn:name="Node selector",type="string",JSONPath=".spec.nodeSelector",description="Node Selector applied to Pods"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
+
+// Tenant is the Schema for the tenants API
+type Tenant struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TenantSpec   `json:"spec,omitempty"`
+	Status TenantStatus `json:"status,omitempty"`
+}
+
+func (t *Tenant) Hub() {}
+
+//+kubebuilder:object:root=true
+
+// TenantList contains a list of Tenant
+type TenantList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Tenant `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Tenant{}, &TenantList{})
+}

api/v1beta1/zz_generated.deepcopy.go

@@ -0,0 +1,484 @@
+// +build !ignore_autogenerated
+
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdditionalMetadataSpec) DeepCopyInto(out *AdditionalMetadataSpec) {
+	*out = *in
+	if in.AdditionalLabels != nil {
+		in, out := &in.AdditionalLabels, &out.AdditionalLabels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.AdditionalAnnotations != nil {
+		in, out := &in.AdditionalAnnotations, &out.AdditionalAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalMetadataSpec.
+func (in *AdditionalMetadataSpec) DeepCopy() *AdditionalMetadataSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AdditionalMetadataSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdditionalRoleBindingsSpec) DeepCopyInto(out *AdditionalRoleBindingsSpec) {
+	*out = *in
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]v1.Subject, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalRoleBindingsSpec.
+func (in *AdditionalRoleBindingsSpec) DeepCopy() *AdditionalRoleBindingsSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AdditionalRoleBindingsSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedListSpec) DeepCopyInto(out *AllowedListSpec) {
+	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedListSpec.
+func (in *AllowedListSpec) DeepCopy() *AllowedListSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowedListSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedServices) DeepCopyInto(out *AllowedServices) {
+	*out = *in
+	if in.NodePort != nil {
+		in, out := &in.NodePort, &out.NodePort
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExternalName != nil {
+		in, out := &in.ExternalName, &out.ExternalName
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedServices.
+func (in *AllowedServices) DeepCopy() *AllowedServices {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowedServices)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in ByKindAndName) DeepCopyInto(out *ByKindAndName) {
+	{
+		in := &in
+		*out = make(ByKindAndName, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByKindAndName.
+func (in ByKindAndName) DeepCopy() ByKindAndName {
+	if in == nil {
+		return nil
+	}
+	out := new(ByKindAndName)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalServiceIPsSpec) DeepCopyInto(out *ExternalServiceIPsSpec) {
+	*out = *in
+	if in.Allowed != nil {
+		in, out := &in.Allowed, &out.Allowed
+		*out = make([]AllowedIP, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalServiceIPsSpec.
+func (in *ExternalServiceIPsSpec) DeepCopy() *ExternalServiceIPsSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalServiceIPsSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LimitRangesSpec) DeepCopyInto(out *LimitRangesSpec) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]corev1.LimitRangeSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LimitRangesSpec.
+func (in *LimitRangesSpec) DeepCopy() *LimitRangesSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(LimitRangesSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]networkingv1.NetworkPolicySpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicySpec.
+func (in *NetworkPolicySpec) DeepCopy() *NetworkPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in OwnerListSpec) DeepCopyInto(out *OwnerListSpec) {
+	{
+		in := &in
+		*out = make(OwnerListSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerListSpec.
+func (in OwnerListSpec) DeepCopy() OwnerListSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OwnerListSpec)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OwnerSpec) DeepCopyInto(out *OwnerSpec) {
+	*out = *in
+	if in.ProxyOperations != nil {
+		in, out := &in.ProxyOperations, &out.ProxyOperations
+		*out = make([]ProxySettings, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerSpec.
+func (in *OwnerSpec) DeepCopy() *OwnerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OwnerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxySettings) DeepCopyInto(out *ProxySettings) {
+	*out = *in
+	if in.Operations != nil {
+		in, out := &in.Operations, &out.Operations
+		*out = make([]ProxyOperation, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxySettings.
+func (in *ProxySettings) DeepCopy() *ProxySettings {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxySettings)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceQuotaSpec) DeepCopyInto(out *ResourceQuotaSpec) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]corev1.ResourceQuotaSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceQuotaSpec.
+func (in *ResourceQuotaSpec) DeepCopy() *ResourceQuotaSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceQuotaSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceOptions) DeepCopyInto(out *ServiceOptions) {
+	*out = *in
+	if in.AdditionalMetadata != nil {
+		in, out := &in.AdditionalMetadata, &out.AdditionalMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AllowedServices != nil {
+		in, out := &in.AllowedServices, &out.AllowedServices
+		*out = new(AllowedServices)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceOptions.
+func (in *ServiceOptions) DeepCopy() *ServiceOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Tenant) DeepCopyInto(out *Tenant) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tenant.
+func (in *Tenant) DeepCopy() *Tenant {
+	if in == nil {
+		return nil
+	}
+	out := new(Tenant)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Tenant) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantList) DeepCopyInto(out *TenantList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Tenant, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantList.
+func (in *TenantList) DeepCopy() *TenantList {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TenantList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
+	*out = *in
+	if in.Owners != nil {
+		in, out := &in.Owners, &out.Owners
+		*out = make(OwnerListSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NamespaceQuota != nil {
+		in, out := &in.NamespaceQuota, &out.NamespaceQuota
+		*out = new(int32)
+		**out = **in
+	}
+	if in.NamespacesMetadata != nil {
+		in, out := &in.NamespacesMetadata, &out.NamespacesMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceOptions != nil {
+		in, out := &in.ServiceOptions, &out.ServiceOptions
+		*out = new(ServiceOptions)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.StorageClasses != nil {
+		in, out := &in.StorageClasses, &out.StorageClasses
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IngressClasses != nil {
+		in, out := &in.IngressClasses, &out.IngressClasses
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IngressHostnames != nil {
+		in, out := &in.IngressHostnames, &out.IngressHostnames
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ContainerRegistries != nil {
+		in, out := &in.ContainerRegistries, &out.ContainerRegistries
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.NetworkPolicies != nil {
+		in, out := &in.NetworkPolicies, &out.NetworkPolicies
+		*out = new(NetworkPolicySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.LimitRanges != nil {
+		in, out := &in.LimitRanges, &out.LimitRanges
+		*out = new(LimitRangesSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ResourceQuota != nil {
+		in, out := &in.ResourceQuota, &out.ResourceQuota
+		*out = new(ResourceQuotaSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AdditionalRoleBindings != nil {
+		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
+		*out = make([]AdditionalRoleBindingsSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExternalServiceIPs != nil {
+		in, out := &in.ExternalServiceIPs, &out.ExternalServiceIPs
+		*out = new(ExternalServiceIPsSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ImagePullPolicies != nil {
+		in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
+		*out = make([]ImagePullPolicySpec, len(*in))
+		copy(*out, *in)
+	}
+	if in.PriorityClasses != nil {
+		in, out := &in.PriorityClasses, &out.PriorityClasses
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.
+func (in *TenantSpec) DeepCopy() *TenantSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantStatus) DeepCopyInto(out *TenantStatus) {
+	*out = *in
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantStatus.
+func (in *TenantStatus) DeepCopy() *TenantStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantStatus)
+	in.DeepCopyInto(out)
+	return out
+}

charts/capsule/Chart.yaml

@@ -21,8 +21,8 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.0.10
+version: 0.0.19
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.0.4
+appVersion: 0.0.5

charts/capsule/README.md

@@ -37,7 +37,7 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
         $ helm upgrade capsule clastix/capsule -n capsule-system
 
 5. Uninstall the Chart
-   
+
         $ helm uninstall capsule -n capsule-system
 
 ## Customize the installation
@@ -48,7 +48,7 @@ The `--values` option is the preferred method because it allows you to keep your
 
 Specify your overrides file when you install the chart:
 
-        $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system   
+        $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
 
 The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
 
@@ -60,24 +60,22 @@ Here the values you can override:
 
 Parameter | Description | Default
 --- | --- | ---
+`manager.hostNetwork` | Specifies if the container should be started in `hostNetwork` mode. | `false` 
 `manager.options.logLevel` | Set the log verbosity of the controller with a value from 1 to 10.| `4`
 `manager.options.forceTenantPrefix` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash | `false`
 `manager.options.capsuleUserGroup` | Override the Capsule user group | `capsule.clastix.io`
 `manager.options.protectedNamespaceRegex` | If specified, disallows creation of namespaces matching the passed regexp | `null`
+`manager.options.allowIngressHostnameCollision` | Allow the Ingress hostname collision at Ingress resource level across all the Tenants | `true`
+`manager.options.allowTenantIngressHostnamesCollision` | Skip the validation check at Tenant level for colliding Ingress hostnames | `false`
 `manager.image.repository` | Set the image repository of the controller. | `quay.io/clastix/capsule`
 `manager.image.tag` | Overrides the image tag whose default is the chart. `appVersion` | `null`
 `manager.image.pullPolicy` | Set the image pull policy. | `IfNotPresent`
+`manager.livenessProbe` | Configure the liveness probe using Deployment probe spec | `GET :10080/healthz`
+`manager.readinessProbe` | Configure the readiness probe using Deployment probe spec | `GET :10080/readyz`
 `manager.resources.requests/cpu` | Set the CPU requests assigned to the controller. | `200m`
 `manager.resources.requests/memory` | Set the memory requests assigned to the controller. | `128Mi`
 `manager.resources.limits/cpu` | Set the CPU limits assigned to the controller. | `200m`
 `manager.resources.limits/cpu` | Set the memory limits assigned to the controller. | `128Mi`
-`proxy.image.repository` | Set the image repository of the rbac proxy. | `gcr.io/kubebuilder/kube-rbac-proxy`
-`proxy.image.tag` | Set the image tag of the rbac proxy. | `v0.5.0`
-`proxy.image.pullPolicy` | Set the image pull policy. | `IfNotPresent`
-`proxy.resources.requests/cpu` | Set the CPU requests assigned to the rbac proxy. | `10m`
-`proxy.resources.requests/memory` | Set the memory requests assigned to the rbac proxy. | `64Mi`
-`proxy.resources.limits/cpu` | Set the CPU limits assigned to the rbac proxy. | `100m`
-`proxy.resources.limits/cpu` | Set the memory limits assigned to the rbac proxy. | `128Mi`
 `mutatingWebhooksTimeoutSeconds` | Timeout in seconds for mutating webhooks. | `30`
 `validatingWebhooksTimeoutSeconds` | Timeout in seconds for validating webhooks. | `30`
 `imagePullSecrets` | Configuration for `imagePullSecrets` so that you can use a private images registry. | `[]`
@@ -91,6 +89,9 @@ Parameter | Description | Default
 `replicaCount` | Set the replica count for Capsule pod. | `1`
 `affinity` | Set affinity rules for the Capsule pod. | `{}`
 `podSecurityPolicy.enabled` | Specify if a Pod Security Policy must be created. | `false`
+`serviceMonitor.enabled` | Specify if a Service Monitor must be created. | `false`
+`serviceMonitor.serviceAccount.name` | Specify Service Account name for metrics scrape. | `capsule`
+`serviceMonitor.serviceAccount.namespace` | Specify Service Account namespace for metrics scrape. | `capsule-system`
 
 ## Created resources
 
@@ -110,8 +111,10 @@ This Helm Chart cretes the following Kubernetes resources in the release namespa
 And optionally, depending on the values set:
 
 * Capsule ServiceAccount
+* Capsule Service Monitor
 * PodSecurityPolicy
 * RBAC ClusterRole and RoleBinding for pod security policy
+* RBAC Role and Rolebinding for metrics scrape
 
 ## Notes on installing Custom Resource Definitions with Helm3
 

charts/capsule/crds/capsuleconfiguration-crd.yaml

@@ -0,0 +1,62 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+  creationTimestamp: null
+  name: capsuleconfigurations.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: CapsuleConfiguration
+    listKind: CapsuleConfigurationList
+    plural: capsuleconfigurations
+    singular: capsuleconfiguration
+  scope: Cluster
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: CapsuleConfiguration is the Schema for the Capsule configuration API
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: CapsuleConfigurationSpec defines the Capsule configuration
+              properties:
+                allowIngressHostnameCollision:
+                  default: true
+                  description: Allow the collision of Ingress resource hostnames across all the Tenants.
+                  type: boolean
+                allowTenantIngressHostnamesCollision:
+                  description: "When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed. Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of two or more Tenant resources although sharing the same allowed hostname(s). \n The JSON path of the resource is: /spec/ingressHostnames/allowed"
+                  type: boolean
+                forceTenantPrefix:
+                  description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
+                  type: boolean
+                protectedNamespaceRegex:
+                  description: Disallow creation of namespaces, whose name matches this regexp
+                  type: string
+                userGroups:
+                  default:
+                    - capsule.clastix.io
+                  description: Names of the groups for Capsule users.
+                  items:
+                    type: string
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/capsule/templates/_helpers.tpl

@@ -62,12 +62,26 @@ Create the name of the service account to use
 {{- end }}
 
 {{/*
-Create the fully-qualified Docker image to use
+Create the manager fully-qualified Docker image to use
 */}}
-{{- define "capsule.fullyQualifiedDockerImage" -}}
+{{- define "capsule.managerFullyQualifiedDockerImage" -}}
 {{- printf "%s:%s" .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
 {{- end }}
 
+{{/*
+Create the proxy fully-qualified Docker image to use
+*/}}
+{{- define "capsule.proxyFullyQualifiedDockerImage" -}}
+{{- printf "%s:%s" .Values.proxy.image.repository .Values.proxy.image.tag -}}
+{{- end }}
+
+{{/*
+Create the jobs fully-qualified Docker image to use
+*/}}
+{{- define "capsule.jobsFullyQualifiedDockerImage" -}}
+{{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- end }}
+
 {{/*
 Create the Capsule Deployment name to use
 */}}

charts/capsule/templates/ca.yaml

@@ -1,9 +1,6 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations:
-    "helm.sh/hook": "pre-install"
-    "helm.sh/hook-delete-policy": "before-hook-creation"
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
   name: {{ include "capsule.secretCaName" . }}

charts/capsule/templates/certs.yaml

@@ -1,9 +1,6 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations:
-    "helm.sh/hook": "pre-install"
-    "helm.sh/hook-delete-policy": "before-hook-creation"
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
   name: {{ include "capsule.secretTlsName" . }}

charts/capsule/templates/configuration-default.yaml

@@ -0,0 +1,13 @@
+apiVersion: capsule.clastix.io/v1alpha1
+kind: CapsuleConfiguration
+metadata:
+  name: default
+spec:
+  forceTenantPrefix: {{ .Values.manager.options.forceTenantPrefix }}
+  userGroups:
+{{- range .Values.manager.options.capsuleUserGroups }}
+    - {{ . }}
+{{- end}}
+  protectedNamespaceRegex: {{ .Values.manager.options.protectedNamespaceRegex | quote }}
+  allowTenantIngressHostnamesCollision: {{ .Values.manager.options.allowTenantIngressHostnamesCollision }}
+  allowIngressHostnameCollision: {{ .Values.manager.options.allowIngressHostnameCollision }}

charts/capsule/templates/deployment.yaml

@@ -23,6 +23,9 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      {{- if .Values.manager.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -46,13 +49,10 @@ spec:
           command:
           - /manager
           args:
-          - --metrics-addr=127.0.0.1:8080
           - --enable-leader-election
           - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
-          {{ if .Values.manager.options.forceTenantPrefix }}- --force-tenant-prefix={{ .Values.manager.options.forceTenantPrefix }}{{ end }}
-          {{ if .Values.manager.options.capsuleUserGroup }}- --capsule-user-group={{ .Values.manager.options.capsuleUserGroup }}{{ end }}
-          {{ if .Values.manager.options.protectedNamespaceRegex }}- --protected-namespace-regex={{ .Values.manager.options.protectedNamespaceRegex }}{{ end }}
-          image: {{ include "capsule.fullyQualifiedDockerImage" . }}
+          - --configuration-name=default
+          image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
           env:
           - name: NAMESPACE
@@ -63,14 +63,13 @@ spec:
             - name: webhook-server
               containerPort: 9443
               protocol: TCP
+            - name: metrics
+              containerPort: 8080
+              protocol: TCP
           livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 10080
+            {{- toYaml .Values.manager.livenessProbe | nindent 12}}
           readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 10080
+            {{- toYaml .Values.manager.readinessProbe | nindent 12}}
           volumeMounts:
           - mountPath: /tmp/k8s-webhook-server/serving-certs
             name: cert
@@ -79,19 +78,3 @@ spec:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
             allowPrivilegeEscalation: false
-        - name: kube-rbac-proxy
-          image: {{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}
-          imagePullPolicy: IfNotPresent
-          args:
-          - --secure-listen-address=0.0.0.0:8443
-          - --upstream=http://127.0.0.1:8080/
-          - --logtostderr=true
-          - --v=10
-          ports:
-          - containerPort: 8443
-            name: https
-            protocol: TCP
-          resources:
-            {{- toYaml .Values.proxy.resources | nindent 12 }}
-          securityContext:
-            allowPrivilegeEscalation: false

charts/capsule/templates/metrics-rbac.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+    {{- if .Values.serviceMonitor.labels }}
+    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- end }}
+  name: {{ include "capsule.fullname" . }}-metrics-role
+  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+    {{- if .Values.serviceMonitor.labels }}
+    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- end }}
+  name: {{ include "capsule.fullname" . }}-metrics-rolebinding
+  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "capsule.fullname" . }}-metrics-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceMonitor.serviceAccount.name }}
+  namespace: {{ .Values.serviceMonitor.serviceAccount.namespace | default .Release.Namespace }}
+{{- end }}

charts/capsule/templates/metrics-service.yaml

@@ -6,10 +6,10 @@ metadata:
     {{- include "capsule.labels" . | nindent 4 }}
 spec:
   ports:
-  - port: 8443
-    name: https
+  - port: 8080
+    name: metrics
     protocol: TCP
-    targetPort: https
+    targetPort: 8080
   selector:
     {{- include "capsule.selectorLabels" . | nindent 4 }}
   sessionAffinity: None

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -6,29 +6,30 @@ metadata:
     {{- include "capsule.labels" . | nindent 4 }}
 webhooks:
 - admissionReviewVersions:
-  - v1beta1
+    - v1
+    - v1beta1
   clientConfig:
     caBundle: Cg==
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
-      path: /mutate-v1-namespace-owner-reference
+      path: /namespace-owner-reference
       port: 443
   failurePolicy: Fail
-  matchPolicy: Exact
+  matchPolicy: Equivalent
   name: owner.namespace.capsule.clastix.io
   namespaceSelector: {}
   objectSelector: {}
   reinvocationPolicy: Never
   rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - namespaces
-    scope: '*'
+    - apiGroups:
+      - ""
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      resources:
+      - namespaces
+      scope: '*'
   sideEffects: NoneOnDryRun
   timeoutSeconds: {{ .Values.mutatingWebhooksTimeoutSeconds }}

charts/capsule/templates/post-install-job.yaml

@@ -4,7 +4,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: "{{ .Release.Name }}"
+  name: "{{ .Release.Name }}-waiting-certs"
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     app.kubernetes.io/instance: {{ .Release.Name | quote }}
@@ -28,7 +28,8 @@ spec:
       restartPolicy: Never
       containers:
       - name: post-install-job
-        image: "bitnami/kubectl:1.18"
+        image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+        imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
         command: ["sh", "-c", "{{ $cmd }}"]
         env:
         - name: NAMESPACE

charts/capsule/templates/pre-delete-job.yaml

@@ -1,11 +1,11 @@
 {{- $cmd := printf "kubectl scale deployment -n $NAMESPACE %s --replicas 0 &&" (include "capsule.deploymentName" .) -}}
 {{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) (include "capsule.secretCaName" .) -}}
 {{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}
-{{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-provisioner --ignore-not-found" $cmd -}}
+{{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: "{{ .Release.Name }}"
+  name: "{{ .Release.Name }}-rbac-cleaner"
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     app.kubernetes.io/instance: {{ .Release.Name | quote }}
@@ -29,7 +29,8 @@ spec:
       restartPolicy: Never
       containers:
         - name: pre-delete-job
-          image: "bitnami/kubectl:1.18"
+          image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+          imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
           command: [ "sh", "-c",  "{{ $cmd }}"]
           env:
             - name: NAMESPACE

charts/capsule/templates/servicemonitor.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "capsule.fullname" . }}-monitor
+  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+    {{- if .Values.serviceMonitor.labels }}
+    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+  - interval: 15s
+    port: metrics
+    path: /metrics
+  jobLabel: app.kubernetes.io/name
+  selector:
+    matchLabels: {{ include "capsule.labels" . | nindent 6 }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+{{- end }}

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -6,261 +6,245 @@ metadata:
     {{- include "capsule.labels" . | nindent 4 }}
 webhooks:
 - admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validating-ingress
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: ingress-v1beta1.capsule.clastix.io
-  namespaceSelector:
-    matchExpressions:
-    - key: capsule.clastix.io/tenant
-      operator: Exists
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    - extensions
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - ingresses
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validating-ingress
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: ingress-v1.capsule.clastix.io
-  namespaceSelector:
-    matchExpressions:
-    - key: capsule.clastix.io/tenant
-      operator: Exists
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    apiVersions:
     - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - ingresses
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validate-v1-namespace-quota
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: quota.namespace.capsule.clastix.io
-  namespaceSelector: {}
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - namespaces
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validating-v1-network-policy
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: validating.network-policy.capsule.clastix.io
-  namespaceSelector:
-    matchExpressions:
-    - key: capsule.clastix.io/tenant
-      operator: Exists
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    - DELETE
-    resources:
-    - networkpolicies
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validating-v1-pvc
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: pvc.capsule.clastix.io
-  namespaceSelector:
-    matchExpressions:
-    - key: capsule.clastix.io/tenant
-      operator: Exists
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - persistentvolumeclaims
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validating-v1-tenant
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: tenant.capsule.clastix.io
-  namespaceSelector: {}
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - capsule.clastix.io
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - tenants
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validating-v1-namespace-tenant-prefix
-      port: 443
-  failurePolicy: Fail
-  matchPolicy: Exact
-  name: prefix.namespace.capsule.clastix.io
-  namespaceSelector: {}
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - namespaces
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
-  - v1beta1
-  clientConfig:
-    caBundle: Cg==
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /validating-v1-registry
-      port: 443
-  failurePolicy: Ignore
-  matchPolicy: Exact
-  name: pod.capsule.clastix.io
-  namespaceSelector:
-    matchExpressions:
-    - key: capsule.clastix.io/tenant
-      operator: Exists
-  objectSelector: {}
-  rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - pods
-    scope: '*'
-  sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
-- admissionReviewVersions:
     - v1beta1
   clientConfig:
     caBundle: Cg==
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
-      path: /validating-external-service-ips
+      path: /cordoning
       port: 443
   failurePolicy: Fail
-  matchPolicy: Exact
-  name: validating-external-service-ips.capsule.clastix.io
+  matchPolicy: Equivalent
+  name: cordoning.tenant.capsule.clastix.io
   namespaceSelector:
     matchExpressions:
       - key: capsule.clastix.io/tenant
         operator: Exists
   objectSelector: {}
   rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - services
-    scope: '*'
-  sideEffects: NoneOnDryRun
+    - apiGroups:
+        - '*'
+      apiVersions:
+        - '*'
+      operations:
+        - CREATE
+        - UPDATE
+        - DELETE
+      resources:
+        - '*'
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /ingresses
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: ingress.capsule.clastix.io
+  namespaceSelector:
+    matchExpressions:
+      - key: capsule.clastix.io/tenant
+        operator: Exists
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - networking.k8s.io
+        - extensions
+      apiVersions:
+        - v1
+        - v1beta1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - ingresses
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /namespaces
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: namespaces.capsule.clastix.io
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - ""
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+        - DELETE
+      resources:
+        - namespaces
+      scope: '*'
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /networkpolicies
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: networkpolicies.capsule.clastix.io
+  namespaceSelector:
+    matchExpressions:
+      - key: capsule.clastix.io/tenant
+        operator: Exists
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - networking.k8s.io
+      apiVersions:
+        - v1
+      operations:
+        - UPDATE
+        - DELETE
+      resources:
+        - networkpolicies
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /pods
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Exact
+  name: pods.capsule.clastix.io
+  namespaceSelector:
+    matchExpressions:
+      - key: capsule.clastix.io/tenant
+        operator: Exists
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - ""
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+      resources:
+        - pods
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: capsule-system
+      path: /persistentvolumeclaims
+  failurePolicy: Fail
+  name: pvc.capsule.clastix.io
+  namespaceSelector:
+    matchExpressions:
+      - key: capsule.clastix.io/tenant
+        operator: Exists
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - ""
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+      resources:
+        - persistentvolumeclaims
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /services
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Exact
+  name: services.capsule.clastix.io
+  namespaceSelector:
+    matchExpressions:
+      - key: capsule.clastix.io/tenant
+        operator: Exists
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - ""
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - services
+      scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /tenants
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Exact
+  name: tenants.capsule.clastix.io
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - capsule.clastix.io
+      apiVersions:
+        - v1beta1
+      operations:
+        - CREATE
+        - UPDATE
+        - DELETE
+      resources:
+        - tenants
+      scope: '*'
+  sideEffects: None
   timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}

charts/capsule/values.yaml

@@ -7,12 +7,31 @@ manager:
     repository: quay.io/clastix/capsule
     pullPolicy: IfNotPresent
     tag: ''
+
+  # Specifies if the container should be started in hostNetwork mode.
+  #
+  # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
+  # CNI (such as calico), because control-plane managed by AWS cannot communicate
+  # with pods' IP CIDR and admission webhooks are not working
+  hostNetwork: false
+
   # Additional Capsule options
   options:
     logLevel: '4'
-    forceTenantPrefix:
-    capsuleUserGroup:
-    protectedNamespaceRegex:
+    forceTenantPrefix: false
+    capsuleUserGroups: ["capsule.clastix.io"]
+    protectedNamespaceRegex: ""
+    allowIngressHostnameCollision: true
+    allowTenantIngressHostnamesCollision: false
+  livenessProbe:
+    httpGet:
+      path: /healthz
+      port: 10080
+  readinessProbe:
+    httpGet:
+      path: /readyz
+      port: 10080
+
   resources:
     limits:
       cpu: 200m
@@ -20,18 +39,11 @@ manager:
     requests:
       cpu: 200m
       memory: 128Mi
-proxy:
+jobs:
   image:
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
+    repository: quay.io/clastix/kubectl
     pullPolicy: IfNotPresent
-    tag: "v0.5.0"
-  resources:
-    limits:
-      cpu: 100m
-      memory: 128Mi
-    requests:
-      cpu: 10m
-      memory: 64Mi
+    tag: "v1.20.7"
 mutatingWebhooksTimeoutSeconds: 30
 validatingWebhooksTimeoutSeconds: 30
 imagePullSecrets: []
@@ -52,3 +64,15 @@ replicaCount: 1
 affinity: {}
 podSecurityPolicy:
   enabled: false
+
+serviceMonitor:
+  enabled: false
+  # Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
+  namespace:
+  # Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
+  labels: {}
+  annotations: {}
+  matchLabels: {}
+  serviceAccount:
+    name: capsule
+    namespace: capsule-system

config/crd/bases/capsule.clastix.io_capsuleconfigurations.yaml

@@ -0,0 +1,65 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+  creationTimestamp: null
+  name: capsuleconfigurations.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: CapsuleConfiguration
+    listKind: CapsuleConfigurationList
+    plural: capsuleconfigurations
+    singular: capsuleconfiguration
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: CapsuleConfiguration is the Schema for the Capsule configuration API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: CapsuleConfigurationSpec defines the Capsule configuration nolint:maligned
+            properties:
+              allowIngressHostnameCollision:
+                default: true
+                description: Allow the collision of Ingress resource hostnames across all the Tenants.
+                type: boolean
+              allowTenantIngressHostnamesCollision:
+                description: "When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed. Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of two or more Tenant resources although sharing the same allowed hostname(s). \n The JSON path of the resource is: /spec/ingressHostnames/allowed"
+                type: boolean
+              forceTenantPrefix:
+                default: false
+                description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
+                type: boolean
+              protectedNamespaceRegex:
+                description: Disallow creation of namespaces, whose name matches this regexp
+                type: string
+              userGroups:
+                default:
+                - capsule.clastix.io
+                description: Names of the groups for Capsule users.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/kustomization.yaml

@@ -3,8 +3,12 @@
 # It should be run by config/default
 resources:
 - bases/capsule.clastix.io_tenants.yaml
+- bases/capsule.clastix.io_capsuleconfigurations.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml
+
+patchesStrategicMerge:
+- patches/webhook_in_tenants.yaml

config/crd/kustomizeconfig.yaml

@@ -4,13 +4,15 @@ nameReference:
   version: v1
   fieldSpecs:
   - kind: CustomResourceDefinition
+    version: v1
     group: apiextensions.k8s.io
-    path: spec/conversion/webhookClientConfig/service/name
+    path: spec/conversion/webhook/clientConfig/service/name
 
 namespace:
 - kind: CustomResourceDefinition
+  version: v1
   group: apiextensions.k8s.io
-  path: spec/conversion/webhookClientConfig/service/namespace
+  path: spec/conversion/webhook/clientConfig/service/namespace
   create: false
 
 varReference:

config/crd/patches/webhook_in_tenants.yaml

@@ -0,0 +1,17 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: tenants.capsule.clastix.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+        - v1alpha1
+        - v1beta1

config/default/kustomization.yaml

@@ -22,8 +22,4 @@ bases:
 #- ../prometheus
 
 patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
 - manager_webhook_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -1,25 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the 
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: controller-manager
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=10"
-        ports:
-        - containerPort: 8443
-          name: https
-      - name: manager
-        args:
-        - "--metrics-addr=127.0.0.1:8080"
-        - "--enable-leader-election"

config/default/manager_webhook_patch.yaml

@@ -12,6 +12,9 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert

config/grafana/dashboard.json

@@ -0,0 +1,921 @@
+{
+    "__inputs": [
+      {
+        "name": "DS_PROMETHEUS",
+        "label": "prometheus",
+        "description": "",
+        "type": "datasource",
+        "pluginId": "prometheus",
+        "pluginName": "Prometheus"
+      }
+    ],
+    "__requires": [
+      {
+        "type": "grafana",
+        "id": "grafana",
+        "name": "Grafana",
+        "version": "8.0.1"
+      },
+      {
+        "type": "panel",
+        "id": "heatmap",
+        "name": "Heatmap",
+        "version": ""
+      },
+      {
+        "type": "datasource",
+        "id": "prometheus",
+        "name": "Prometheus",
+        "version": "1.0.0"
+      },
+      {
+        "type": "panel",
+        "id": "stat",
+        "name": "Stat",
+        "version": ""
+      },
+      {
+        "type": "panel",
+        "id": "timeseries",
+        "name": "Time series",
+        "version": ""
+      }
+    ],
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": "-- Grafana --",
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "editable": true,
+    "gnetId": null,
+    "graphTooltip": 0,
+    "id": null,
+    "iteration": 1624217784640,
+    "links": [],
+    "panels": [
+      {
+        "cards": {
+          "cardPadding": null,
+          "cardRound": null
+        },
+        "color": {
+          "cardColor": "#b4ff00",
+          "colorScale": "sqrt",
+          "colorScheme": "interpolateOranges",
+          "exponent": 0.5,
+          "mode": "spectrum"
+        },
+        "dataFormat": "timeseries",
+        "datasource": "${DS_PROMETHEUS}",
+        "description": "",
+        "gridPos": {
+          "h": 8,
+          "w": 24,
+          "x": 0,
+          "y": 0
+        },
+        "heatmap": {},
+        "hideZeroBuckets": false,
+        "highlightCards": true,
+        "id": 21,
+        "legend": {
+          "show": false
+        },
+        "maxPerRow": 2,
+        "pluginVersion": "8.0.1",
+        "repeat": "controller_name",
+        "repeatDirection": "h",
+        "reverseYBuckets": false,
+        "targets": [
+          {
+            "exemplar": false,
+            "expr": "sum by (le) (increase(workqueue_work_duration_seconds_bucket{service=\"capsule-controller-manager-metrics-service\",name=\"$controller_name\"}[1m]))",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "$controller_name reconcile latency",
+        "tooltip": {
+          "show": true,
+          "showHistogram": false
+        },
+        "type": "heatmap",
+        "xAxis": {
+          "show": true
+        },
+        "xBucketNumber": null,
+        "xBucketSize": null,
+        "yAxis": {
+          "decimals": null,
+          "format": "ms",
+          "logBase": 1,
+          "max": null,
+          "min": null,
+          "show": true,
+          "splitFactor": null
+        },
+        "yBucketBound": "auto",
+        "yBucketNumber": null,
+        "yBucketSize": null
+      },
+      {
+        "collapsed": false,
+        "datasource": null,
+        "gridPos": {
+          "h": 1,
+          "w": 24,
+          "x": 0,
+          "y": 16
+        },
+        "id": 17,
+        "panels": [],
+        "title": "Requests",
+        "type": "row"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 11,
+          "w": 12,
+          "x": 0,
+          "y": 17
+        },
+        "id": 22,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "pluginVersion": "8.0.1",
+        "targets": [
+          {
+            "exemplar": false,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"200\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "200",
+            "queryType": "randomWalk",
+            "refId": "A"
+          },
+          {
+            "exemplar": false,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"201\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "201",
+            "queryType": "randomWalk",
+            "refId": "E"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"403\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "403",
+            "queryType": "randomWalk",
+            "refId": "B"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"409\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "409",
+            "queryType": "randomWalk",
+            "refId": "C"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"500\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "500",
+            "queryType": "randomWalk",
+            "refId": "D"
+          }
+        ],
+        "title": "Rate & Errors",
+        "type": "timeseries"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "thresholds"
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 11,
+          "w": 12,
+          "x": 12,
+          "y": 17
+        },
+        "id": 19,
+        "options": {
+          "colorMode": "value",
+          "graphMode": "area",
+          "justifyMode": "auto",
+          "orientation": "auto",
+          "reduceOptions": {
+            "calcs": [
+              "lastNotNull"
+            ],
+            "fields": "",
+            "values": false
+          },
+          "text": {},
+          "textMode": "auto"
+        },
+        "pluginVersion": "8.0.1",
+        "targets": [
+          {
+            "exemplar": false,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"200\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "200",
+            "queryType": "randomWalk",
+            "refId": "A"
+          },
+          {
+            "exemplar": false,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"201\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "201",
+            "queryType": "randomWalk",
+            "refId": "B"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"403\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "403",
+            "queryType": "randomWalk",
+            "refId": "C"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"409\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "409",
+            "queryType": "randomWalk",
+            "refId": "D"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(rate(rest_client_requests_total{service=\"capsule-controller-manager-metrics-service\",code=\"500\"}[30s]))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "500",
+            "queryType": "randomWalk",
+            "refId": "E"
+          }
+        ],
+        "title": "Rate & Errors",
+        "type": "stat"
+      },
+      {
+        "cards": {
+          "cardPadding": null,
+          "cardRound": null
+        },
+        "color": {
+          "cardColor": "#b4ff00",
+          "colorScale": "sqrt",
+          "colorScheme": "interpolateOranges",
+          "exponent": 0.5,
+          "mode": "spectrum"
+        },
+        "dataFormat": "timeseries",
+        "datasource": "${DS_PROMETHEUS}",
+        "gridPos": {
+          "h": 7,
+          "w": 12,
+          "x": 0,
+          "y": 28
+        },
+        "heatmap": {},
+        "hideZeroBuckets": false,
+        "highlightCards": true,
+        "id": 20,
+        "legend": {
+          "show": false
+        },
+        "pluginVersion": "8.0.1",
+        "reverseYBuckets": false,
+        "targets": [
+          {
+            "exemplar": false,
+            "expr": "sum by (le) (increase(rest_client_request_latency_seconds_bucket{service=\"capsule-controller-manager-metrics-service\"}[1m]))",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "{{le}}",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "Client Operator Latency",
+        "tooltip": {
+          "show": true,
+          "showHistogram": false
+        },
+        "type": "heatmap",
+        "xAxis": {
+          "show": true
+        },
+        "xBucketNumber": null,
+        "xBucketSize": null,
+        "yAxis": {
+          "decimals": null,
+          "format": "ms",
+          "logBase": 1,
+          "max": null,
+          "min": null,
+          "show": true,
+          "splitFactor": null
+        },
+        "yBucketBound": "auto",
+        "yBucketNumber": null,
+        "yBucketSize": null
+      },
+      {
+        "collapsed": false,
+        "datasource": null,
+        "gridPos": {
+          "h": 1,
+          "w": 24,
+          "x": 0,
+          "y": 35
+        },
+        "id": 12,
+        "panels": [],
+        "title": "Saturation",
+        "type": "row"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 9,
+          "x": 0,
+          "y": 36
+        },
+        "id": 2,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "rate(process_cpu_seconds_total{service=\"capsule-controller-manager-metrics-service\"}[1m])",
+            "interval": "",
+            "legendFormat": "{{pod}}",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "CPU Usage",
+        "type": "timeseries"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "description": "",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 1,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "smooth",
+              "lineStyle": {
+                "fill": "solid"
+              },
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            },
+            "unit": "decbytes"
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 9,
+          "x": 9,
+          "y": 36
+        },
+        "id": 24,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "targets": [
+          {
+            "exemplar": false,
+            "expr": "process_resident_memory_bytes{service=\"capsule-controller-manager-metrics-service\"}",
+            "interval": "",
+            "legendFormat": "{{pod}}",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "Memory Usage",
+        "type": "timeseries"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "thresholds"
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 3,
+          "x": 18,
+          "y": 36
+        },
+        "id": 5,
+        "options": {
+          "colorMode": "background",
+          "graphMode": "area",
+          "justifyMode": "auto",
+          "orientation": "auto",
+          "reduceOptions": {
+            "calcs": [
+              "lastNotNull"
+            ],
+            "fields": "",
+            "values": false
+          },
+          "text": {
+            "valueSize": 80
+          },
+          "textMode": "value_and_name"
+        },
+        "pluginVersion": "8.0.1",
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "sum(up{service=\"capsule-controller-manager-metrics-service\"})",
+            "interval": "",
+            "legendFormat": "Active Controllers",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "Stats",
+        "transparent": true,
+        "type": "stat"
+      },
+      {
+        "datasource": null,
+        "gridPos": {
+          "h": 1,
+          "w": 24,
+          "x": 0,
+          "y": 44
+        },
+        "id": 10,
+        "title": "Workqueue",
+        "type": "row"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "description": "service time to complete needed actions",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "thresholds"
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 8,
+          "x": 0,
+          "y": 45
+        },
+        "id": 7,
+        "options": {
+          "colorMode": "value",
+          "graphMode": "area",
+          "justifyMode": "auto",
+          "orientation": "auto",
+          "reduceOptions": {
+            "calcs": [
+              "lastNotNull"
+            ],
+            "fields": "",
+            "values": false
+          },
+          "text": {},
+          "textMode": "auto"
+        },
+        "pluginVersion": "8.0.1",
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "histogram_quantile(0.99, sum(rate(workqueue_queue_duration_seconds_bucket{service=\"capsule-controller-manager-metrics-service\"}[1m])) by (instance, name, le))",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "{{name}}",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "Workqueue latency",
+        "type": "stat"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "description": "number of actions per unit time",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "thresholds"
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 8,
+          "x": 8,
+          "y": 45
+        },
+        "id": 8,
+        "options": {
+          "colorMode": "value",
+          "graphMode": "area",
+          "justifyMode": "auto",
+          "orientation": "auto",
+          "reduceOptions": {
+            "calcs": [
+              "lastNotNull"
+            ],
+            "fields": "",
+            "values": false
+          },
+          "text": {},
+          "textMode": "auto"
+        },
+        "pluginVersion": "8.0.1",
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "sum(rate(workqueue_adds_total{service=\"capsule-controller-manager-metrics-service\"}[1m])) by (instance, name)",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "{{name}}",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "Workqueue rate",
+        "type": "stat"
+      },
+      {
+        "datasource": "${DS_PROMETHEUS}",
+        "description": "number of actions waiting in the queue to be performed",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "thresholds"
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 6,
+          "x": 16,
+          "y": 45
+        },
+        "id": 13,
+        "options": {
+          "colorMode": "value",
+          "graphMode": "area",
+          "justifyMode": "auto",
+          "orientation": "auto",
+          "reduceOptions": {
+            "calcs": [
+              "lastNotNull"
+            ],
+            "fields": "",
+            "values": false
+          },
+          "text": {},
+          "textMode": "auto"
+        },
+        "pluginVersion": "8.0.1",
+        "targets": [
+          {
+            "exemplar": false,
+            "expr": "sum(rate(workqueue_depth{service=\"capsule-controller-manager-metrics-service\"}[1m])) by (instance, name)",
+            "format": "time_series",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "{{name}}",
+            "queryType": "randomWalk",
+            "refId": "A"
+          }
+        ],
+        "title": "Workqueue depth",
+        "type": "stat"
+      }
+    ],
+    "refresh": "1m",
+    "schemaVersion": 30,
+    "style": "dark",
+    "tags": [],
+    "templating": {
+      "list": [
+        {
+          "allValue": null,
+          "current": {},
+          "datasource": "${DS_PROMETHEUS}",
+          "definition": "label_values(workqueue_work_duration_seconds_bucket{service=\"capsule-controller-manager-metrics-service\"},name)",
+          "description": null,
+          "error": null,
+          "hide": 0,
+          "includeAll": true,
+          "label": null,
+          "multi": true,
+          "name": "controller_name",
+          "options": [],
+          "query": {
+            "query": "label_values(workqueue_work_duration_seconds_bucket{service=\"capsule-controller-manager-metrics-service\"},name)",
+            "refId": "StandardVariableQuery"
+          },
+          "refresh": 1,
+          "regex": "",
+          "skipUrlSync": false,
+          "sort": 0,
+          "type": "query"
+        }
+      ]
+    },
+    "time": {
+      "from": "now-3h",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "",
+    "title": "capsule",
+    "uid": "nEFvaoR7z",
+    "version": 28
+  }

config/manager/configuration.yaml

@@ -0,0 +1,10 @@
+apiVersion: capsule.clastix.io/v1alpha1
+kind: CapsuleConfiguration
+metadata:
+  name: default
+spec:
+  userGroups: ["capsule.clastix.io"]
+  forceTenantPrefix: false
+  protectedNamespaceRegex: ""
+  allowTenantIngressHostnamesCollision: false
+  allowIngressHostnameCollision: false

config/manager/kustomization.yaml

@@ -1,8 +1,10 @@
 resources:
+- configuration.yaml
 - manager.yaml
+- metrics_service.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
   newName: quay.io/clastix/capsule
-  newTag: v0.0.4
+  newTag: v0.1.0-rc4

config/manager/manager.yaml

@@ -29,6 +29,7 @@ spec:
         - --enable-leader-election
         - --zap-encoder=console
         - --zap-log-level=debug
+        - --configuration-name=capsule-default
         env:
         - name: NAMESPACE
           valueFrom:

config/manager/metrics_service.yaml

@@ -7,8 +7,8 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: https
-    port: 8443
-    targetPort: https
+  - name: metrics
+    port: 8080
+    targetPort: metrics
   selector:
     control-plane: controller-manager

config/prometheus/kustomization.yaml

@@ -1,2 +1,4 @@
 resources:
 - monitor.yaml
+- role.yaml
+- rolebinding.yaml

config/prometheus/monitor.yaml

@@ -1,16 +1,18 @@
-
 # Prometheus Monitor Service (Metrics)
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   labels:
     control-plane: controller-manager
-  name: controller-manager-metrics-monitor
+  name: capsule-monitor
   namespace: system
 spec:
   endpoints:
-    - path: /metrics
-      port: https
+    - interval: 15s
+      path: /metrics
+      port: metrics
+  jobLabel: controller-manager
+  namespaceSelector:
   selector:
     matchLabels:
       control-plane: controller-manager

config/prometheus/role.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: capsule-metrics-role
+  namespace: capsule-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch

config/prometheus/rolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: capsule-metrics-rolebinding
+  namespace: system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: capsule-metrics-role
+subjects:
+- kind: ServiceAccount
+  name: capsule
+  namespace: capsule-system

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: metrics-reader
-rules:
-- nonResourceURLs: ["/metrics"]
-  verbs: ["get"]

config/rbac/auth_proxy_role.yaml

@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: proxy-role
-rules:
-- apiGroups: ["authentication.k8s.io"]
-  resources:
-  - tokenreviews
-  verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
-  resources:
-  - subjectaccessreviews
-  verbs: ["create"]

config/rbac/auth_proxy_role_binding.yaml

@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: proxy-role
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: system

config/rbac/kustomization.yaml

@@ -1,12 +1,5 @@
 resources:
 - role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
 # Uncomment the following 3 lines if you are running Capsule
 # in a cluster where [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
 # are enabled.

config/samples/capsule_v1alpha1_capsuleconfiguration.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: capsule.clastix.io/v1alpha1
+kind: CapsuleConfiguration
+metadata:
+  name: default
+spec:
+  userGroups: ["capsule.clastix.io"]
+  forceTenantPrefix: false
+  protectedNamespaceRegex: ""
+  allowTenantIngressHostnamesCollision: false
+  allowIngressHostnameCollision: false

config/samples/capsule_v1beta1_tenant.yaml

@@ -0,0 +1,136 @@
+---
+apiVersion: capsule.clastix.io/v1beta1
+kind: Tenant
+metadata:
+  name: gas
+spec:
+  additionalRoleBindings:
+    -
+      clusterRoleName: tenant-sample-viewer
+      subjects:
+        -
+          kind: User
+          name: bob
+  containerRegistries:
+    allowed:
+      - docker.io
+      - quay.io
+    allowedRegex: ^\w+.gcr.io$
+  serviceOptions:
+    additionalMetadata:
+      additionalAnnotations:
+        capsule.clastix.io/bgp: "true"
+      additionalLabels:
+        capsule.clastix.io/pool: gas
+    allowedServices:
+      nodePort: false
+      externalName: false
+  externalServiceIPs:
+    allowed:
+      - 10.20.0.0/16
+      - "10.96.42.42"
+  imagePullPolicies:
+    - Always
+  ingressClasses:
+    allowed:
+      - default
+    allowedRegex: ^\w+-lb$
+  ingressHostnames:
+    allowed:
+      - gas.acmecorp.com
+    allowedRegex: ^.*acmecorp.com$
+  limitRanges:
+    items:
+      -
+        limits:
+          -
+            max:
+              cpu: "1"
+              memory: 1Gi
+            min:
+              cpu: 50m
+              memory: 5Mi
+            type: Pod
+          -
+            default:
+              cpu: 200m
+              memory: 100Mi
+            defaultRequest:
+              cpu: 100m
+              memory: 10Mi
+            max:
+              cpu: "1"
+              memory: 1Gi
+            min:
+              cpu: 50m
+              memory: 5Mi
+            type: Container
+          -
+            max:
+              storage: 10Gi
+            min:
+              storage: 1Gi
+            type: PersistentVolumeClaim
+  namespaceQuota: 3
+  namespacesMetadata:
+    additionalAnnotations:
+      capsule.clastix.io/backup: "false"
+    additionalLabels:
+      capsule.clastix.io/tenant: gas
+  networkPolicies:
+    items:
+      -
+        egress:
+          -
+            to:
+              -
+                ipBlock:
+                  cidr: 0.0.0.0/0
+                  except:
+                    - 192.168.0.0/12
+        ingress:
+          -
+            from:
+              -
+                namespaceSelector:
+                  matchLabels:
+                    capsule.clastix.io/tenant: gas
+              -
+                podSelector: {}
+              -
+                ipBlock:
+                  cidr: 192.168.0.0/12
+        podSelector: {}
+        policyTypes:
+          - Ingress
+          - Egress
+  nodeSelector:
+    kubernetes.io/os: linux
+  owners:
+    -
+      kind: User
+      name: bob
+  priorityClasses:
+    allowed:
+      - shared-nodes
+    allowedRegex: ^\w-gas$
+  resourceQuotas:
+    items:
+      -
+        hard:
+          limits.cpu: "8"
+          limits.memory: 16Gi
+          requests.cpu: "8"
+          requests.memory: 16Gi
+        scopes:
+          - NotTerminating
+      -
+        hard:
+          pods: "10"
+      -
+        hard:
+          requests.storage: 100Gi
+  storageClasses:
+    allowed:
+      - default
+    allowedRegex: ^\w+fs$

config/samples/kustomization.yaml

@@ -1,3 +1,5 @@
 ## This file is auto-generated, do not modify ##
 resources:
+- capsule_v1alpha1_capsuleconfiguration.yaml
 - capsule_v1alpha1_tenant.yaml
+- capsule_v1beta1_tenant.yaml

config/webhook/kustomization.yaml

@@ -7,7 +7,7 @@ patchesJson6902:
     group: admissionregistration.k8s.io
     kind: ValidatingWebhookConfiguration
     name: validating-webhook-configuration
-    version: v1beta1
+    version: v1
   path: patch_ns_selector.yaml
 
 configurations:

config/webhook/manifests.yaml

@@ -1,17 +1,18 @@
 
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   creationTimestamp: null
   name: mutating-webhook-configuration
 webhooks:
-- clientConfig:
-    caBundle: Cg==
+- admissionReviewVersions:
+  - v1
+  clientConfig:
     service:
       name: webhook-service
       namespace: system
-      path: /mutate-v1-namespace-owner-reference
+      path: /namespace-owner-reference
   failurePolicy: Fail
   name: owner.namespace.capsule.clastix.io
   rules:
@@ -23,59 +24,108 @@ webhooks:
     - CREATE
     resources:
     - namespaces
+  sideEffects: None
 
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   creationTimestamp: null
   name: validating-webhook-configuration
 webhooks:
-- clientConfig:
-    caBundle: Cg==
+- admissionReviewVersions:
+  - v1
+  clientConfig:
     service:
       name: webhook-service
       namespace: system
-      path: /validating-ingress
+      path: /cordoning
   failurePolicy: Fail
-  name: ingress-v1beta1.capsule.clastix.io
+  name: cordoning.tenant.capsule.clastix.io
+  rules:
+  - apiGroups:
+    - '*'
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    resources:
+    - '*'
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /ingresses
+  failurePolicy: Fail
+  name: ingress.capsule.clastix.io
   rules:
   - apiGroups:
     - networking.k8s.io
     - extensions
     apiVersions:
     - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - ingresses
-- clientConfig:
-    caBundle: Cg==
-    service:
-      name: webhook-service
-      namespace: system
-      path: /validating-ingress
-  failurePolicy: Fail
-  name: ingress-v1.capsule.clastix.io
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    apiVersions:
     - v1
     operations:
     - CREATE
     - UPDATE
     resources:
     - ingresses
-- clientConfig:
-    caBundle: Cg==
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
     service:
       name: webhook-service
       namespace: system
-      path: /validate-v1-namespace-quota
+      path: /namespaces
   failurePolicy: Fail
-  name: quota.namespace.capsule.clastix.io
+  name: namespaces.capsule.clastix.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    resources:
+    - namespaces
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /networkpolicies
+  failurePolicy: Fail
+  name: networkpolicies.capsule.clastix.io
+  rules:
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    - DELETE
+    resources:
+    - networkpolicies
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /pods
+  failurePolicy: Fail
+  name: pods.capsule.clastix.io
   rules:
   - apiGroups:
     - ""
@@ -84,32 +134,15 @@ webhooks:
     operations:
     - CREATE
     resources:
-    - namespaces
-- clientConfig:
-    caBundle: Cg==
+    - pods
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
     service:
       name: webhook-service
       namespace: system
-      path: /validating-v1-network-policy
-  failurePolicy: Fail
-  name: validating.network-policy.capsule.clastix.io
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    - DELETE
-    resources:
-    - networkpolicies
-- clientConfig:
-    caBundle: Cg==
-    service:
-      name: webhook-service
-      namespace: system
-      path: /validating-v1-pvc
+      path: /persistentvolumeclaims
   failurePolicy: Fail
   name: pvc.capsule.clastix.io
   rules:
@@ -121,31 +154,16 @@ webhooks:
     - CREATE
     resources:
     - persistentvolumeclaims
-- clientConfig:
-    caBundle: Cg==
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
     service:
       name: webhook-service
       namespace: system
-      path: /validating-v1-registry
-  failurePolicy: Ignore
-  name: pod.capsule.clastix.io
-  rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - pods
-- clientConfig:
-    caBundle: Cg==
-    service:
-      name: webhook-service
-      namespace: system
-      path: /validating-external-service-ips
+      path: /services
   failurePolicy: Fail
-  name: validating-external-service-ips.capsule.clastix.io
+  name: services.capsule.clastix.io
   rules:
   - apiGroups:
     - ""
@@ -156,38 +174,25 @@ webhooks:
     - UPDATE
     resources:
     - services
-- clientConfig:
-    caBundle: Cg==
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
     service:
       name: webhook-service
       namespace: system
-      path: /validating-v1-tenant
+      path: /tenants
   failurePolicy: Fail
-  name: tenant.capsule.clastix.io
+  name: tenants.capsule.clastix.io
   rules:
   - apiGroups:
     - capsule.clastix.io
     apiVersions:
-    - v1alpha1
+    - v1beta1
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
     - tenants
-- clientConfig:
-    caBundle: Cg==
-    service:
-      name: webhook-service
-      namespace: system
-      path: /validating-v1-namespace-tenant-prefix
-  failurePolicy: Fail
-  name: prefix.namespace.capsule.clastix.io
-  rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - namespaces
+  sideEffects: None

config/webhook/patch_ns_selector.yaml

@@ -34,3 +34,21 @@
     matchExpressions:
       - key: capsule.clastix.io/tenant
         operator: Exists
+- op: add
+  path: /webhooks/0/rules/0/scope
+  value: Namespaced
+- op: add
+  path: /webhooks/1/rules/0/scope
+  value: Namespaced
+- op: add
+  path: /webhooks/3/rules/0/scope
+  value: Namespaced
+- op: add
+  path: /webhooks/4/rules/0/scope
+  value: Namespaced
+- op: add
+  path: /webhooks/5/rules/0/scope
+  value: Namespaced
+- op: add
+  path: /webhooks/6/rules/0/scope
+  value: Namespaced

controllers/config/manager.go

@@ -0,0 +1,73 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package rbac
+
+import (
+	"context"
+
+	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/pkg/configuration"
+)
+
+type Manager struct {
+	Log    logr.Logger
+	Client client.Client
+}
+
+// InjectClient injects the Client interface, required by the Runnable interface
+func (r *Manager) InjectClient(c client.Client) error {
+	r.Client = c
+
+	return nil
+}
+
+func filterByName(objName, desired string) bool {
+	return objName == desired
+}
+
+func forOptionPerInstanceName(instanceName string) builder.ForOption {
+	return builder.WithPredicates(predicate.Funcs{
+		CreateFunc: func(event event.CreateEvent) bool {
+			return filterByName(event.Object.GetName(), instanceName)
+		},
+		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
+			return filterByName(deleteEvent.Object.GetName(), instanceName)
+		},
+		UpdateFunc: func(updateEvent event.UpdateEvent) bool {
+			return filterByName(updateEvent.ObjectNew.GetName(), instanceName)
+		},
+		GenericFunc: func(genericEvent event.GenericEvent) bool {
+			return filterByName(genericEvent.Object.GetName(), instanceName)
+		},
+	})
+}
+
+func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&capsulev1alpha1.CapsuleConfiguration{}, forOptionPerInstanceName(configurationName)).
+		Complete(r)
+}
+
+func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
+	r.Log.Info("CapsuleConfiguration reconciliation started", "request.name", request.Name)
+
+	cfg := configuration.NewCapsuleConfiguration(r.Client, request.Name)
+	// Validating the Capsule Configuration options
+	if _, err = cfg.ProtectedNamespaceRegexp(); err != nil {
+		panic(errors.Wrap(err, "Invalid configuration for protected Namespace regex"))
+	}
+
+	r.Log.Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)
+
+	return
+}

controllers/rbac/const.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package rbac
 

controllers/rbac/errors.go

@@ -1,24 +0,0 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package rbac
-
-type ImmutableClusterRoleBindingError struct {
-}
-
-func (i ImmutableClusterRoleBindingError) Error() string {
-	return "The ClusterRoleBinding Role reference is immutable, deletion must be processed first"
-}

controllers/rbac/manager.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package rbac
 
@@ -23,47 +10,54 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/hashicorp/go-multierror"
 	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/equality"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+
+	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/pkg/configuration"
 )
 
 type Manager struct {
-	CapsuleGroup string
-	Log          logr.Logger
-	Client       client.Client
+	Log           logr.Logger
+	Client        client.Client
+	Configuration configuration.Configuration
 }
 
-// Using the Client interface, required by the Runnable interface
+// InjectClient injects the Client interface, required by the Runnable interface
 func (r *Manager) InjectClient(c client.Client) error {
 	r.Client = c
 	return nil
 }
 
-func (r *Manager) filterByClusterRolesNames(name string) bool {
+func (r *Manager) filterByNames(name string) bool {
 	return name == ProvisionerRoleName || name == DeleterRoleName
 }
 
-func (r *Manager) SetupWithManager(mgr ctrl.Manager) (err error) {
+//nolint:dupl
+func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) (err error) {
 	crErr := ctrl.NewControllerManagedBy(mgr).
 		For(&rbacv1.ClusterRole{}, builder.WithPredicates(predicate.Funcs{
 			CreateFunc: func(event event.CreateEvent) bool {
-				return r.filterByClusterRolesNames(event.Object.GetName())
+				return r.filterByNames(event.Object.GetName())
 			},
 			DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-				return r.filterByClusterRolesNames(deleteEvent.Object.GetName())
+				return r.filterByNames(deleteEvent.Object.GetName())
 			},
 			UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-				return r.filterByClusterRolesNames(updateEvent.ObjectNew.GetName())
+				return r.filterByNames(updateEvent.ObjectNew.GetName())
 			},
 			GenericFunc: func(genericEvent event.GenericEvent) bool {
-				return r.filterByClusterRolesNames(genericEvent.Object.GetName())
+				return r.filterByNames(genericEvent.Object.GetName())
 			},
 		})).
 		Complete(r)
@@ -73,18 +67,27 @@ func (r *Manager) SetupWithManager(mgr ctrl.Manager) (err error) {
 	crbErr := ctrl.NewControllerManagedBy(mgr).
 		For(&rbacv1.ClusterRoleBinding{}, builder.WithPredicates(predicate.Funcs{
 			CreateFunc: func(event event.CreateEvent) bool {
-				return event.Object.GetName() == ProvisionerRoleName
+				return r.filterByNames(event.Object.GetName())
 			},
 			DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-				return deleteEvent.Object.GetName() == ProvisionerRoleName
+				return r.filterByNames(deleteEvent.Object.GetName())
 			},
 			UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-				return updateEvent.ObjectNew.GetName() == ProvisionerRoleName
+				return r.filterByNames(updateEvent.ObjectNew.GetName())
 			},
 			GenericFunc: func(genericEvent event.GenericEvent) bool {
-				return genericEvent.Object.GetName() == ProvisionerRoleName
+				return r.filterByNames(genericEvent.Object.GetName())
 			},
 		})).
+		Watches(source.NewKindWithCache(&capsulev1alpha1.CapsuleConfiguration{}, mgr.GetCache()), handler.Funcs{
+			UpdateFunc: func(updateEvent event.UpdateEvent, limitingInterface workqueue.RateLimitingInterface) {
+				if updateEvent.ObjectNew.GetName() == configurationName {
+					if crbErr := r.EnsureClusterRoleBindings(); crbErr != nil {
+						r.Log.Error(err, "cannot update ClusterRoleBinding upon CapsuleConfiguration update")
+					}
+				}
+			},
+		}).
 		Complete(r)
 	if crbErr != nil {
 		err = multierror.Append(err, crbErr)
@@ -92,60 +95,52 @@ func (r *Manager) SetupWithManager(mgr ctrl.Manager) (err error) {
 	return
 }
 
-// This reconcile function is serving both ClusterRole and ClusterRoleBinding: that's ok, we're watching for multiple
+// Reconcile serves both required ClusterRole and ClusterRoleBinding resources: that's ok, we're watching for multiple
 // Resource kinds and we're just interested to the ones with the said name since they're bounded together.
 func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
 	switch request.Name {
 	case ProvisionerRoleName:
 		if err = r.EnsureClusterRole(ProvisionerRoleName); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", ProvisionerRoleName)
+
 			break
 		}
-		if err = r.EnsureClusterRoleBinding(); err != nil {
-			r.Log.Error(err, "Reconciliation for ClusterRoleBinding failed", "ClusterRoleBinding", ProvisionerRoleName)
+		if err = r.EnsureClusterRoleBindings(); err != nil {
+			r.Log.Error(err, "Reconciliation for ClusterRoleBindings failed")
+
 			break
 		}
 	case DeleterRoleName:
 		if err = r.EnsureClusterRole(DeleterRoleName); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", DeleterRoleName)
-			break
 		}
 	}
-	return reconcile.Result{}, err
+
+	return
 }
 
-func (r *Manager) EnsureClusterRoleBinding() (err error) {
+func (r *Manager) EnsureClusterRoleBindings() (err error) {
 	crb := &rbacv1.ClusterRoleBinding{
-		ObjectMeta: v1.ObjectMeta{
+		ObjectMeta: metav1.ObjectMeta{
 			Name: ProvisionerRoleName,
 		},
 	}
 
-	_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, crb, func() error {
-		// RoleRef is immutable, so we need to delete and recreate ClusterRoleBinding if it changed
-		if crb.ResourceVersion != "" && !equality.Semantic.DeepDerivative(provisionerClusterRoleBinding.RoleRef, crb.RoleRef) {
-			return ImmutableClusterRoleBindingError{}
-		}
+	_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, crb, func() (err error) {
 		crb.RoleRef = provisionerClusterRoleBinding.RoleRef
-		crb.Subjects = []rbacv1.Subject{
-			{
+
+		crb.Subjects = []rbacv1.Subject{}
+
+		for _, group := range r.Configuration.UserGroups() {
+			crb.Subjects = append(crb.Subjects, rbacv1.Subject{
 				Kind: "Group",
-				Name: r.CapsuleGroup,
-			},
+				Name: group,
+			})
 		}
-		return nil
-	})
-	if err != nil {
-		if _, ok := err.(ImmutableClusterRoleBindingError); ok {
-			if err = r.Client.Delete(context.TODO(), crb); err != nil {
-				r.Log.Error(err, "Cannot delete CRB during reset due to RoleRef change")
-				return
-			}
-			return r.Client.Create(context.TODO(), provisionerClusterRoleBinding, &client.CreateOptions{})
-		}
-		r.Log.Error(err, "Cannot CreateOrUpdate CRB")
+
 		return
-	}
+	})
+
 	return
 }
 
@@ -154,29 +149,44 @@ func (r *Manager) EnsureClusterRole(roleName string) (err error) {
 	if !ok {
 		return fmt.Errorf("clusterRole %s is not mapped", roleName)
 	}
+
 	clusterRole := &rbacv1.ClusterRole{
-		ObjectMeta: v1.ObjectMeta{
+		ObjectMeta: metav1.ObjectMeta{
 			Name: role.GetName(),
 		},
 	}
+
 	_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, clusterRole, func() error {
 		clusterRole.Rules = role.Rules
 		return nil
 	})
+
 	return
 }
 
-// This is the Runnable function that is triggered upon Manager start-up to perform the first RBAC reconciliation
+// Start is the Runnable function triggered upon Manager start-up to perform the first RBAC reconciliation
 // since we're not creating empty CR and CRB upon Capsule installation: it's a run-once task, since the reconciliation
 // is handled by the Reconciler implemented interface.
-func (r *Manager) Start(ctx context.Context) (err error) {
+func (r *Manager) Start(ctx context.Context) error {
 	for roleName := range clusterRoles {
 		r.Log.Info("setting up ClusterRoles", "ClusterRole", roleName)
-		if err = r.EnsureClusterRole(roleName); err != nil {
-			return
+		if err := r.EnsureClusterRole(roleName); err != nil {
+			if errors.IsAlreadyExists(err) {
+				continue
+			}
+
+			return err
 		}
 	}
-	r.Log.Info("setting up ClusterRoleBindings", "ClusterRoleBinding", ProvisionerRoleName)
-	err = r.EnsureClusterRoleBinding()
-	return
+
+	r.Log.Info("setting up ClusterRoleBindings")
+	if err := r.EnsureClusterRoleBindings(); err != nil {
+		if errors.IsAlreadyExists(err) {
+			return nil
+		}
+
+		return err
+	}
+
+	return nil
 }

controllers/secret/ca.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package secret
 
@@ -24,11 +11,13 @@ import (
 
 	"github.com/go-logr/logr"
 	"golang.org/x/sync/errgroup"
-	v1 "k8s.io/api/admissionregistration/v1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/util/retry"
+	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -50,10 +39,45 @@ func (r *CAReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(r)
 }
 
+// By default helm doesn't allow to use templates in CRD (https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you).
+// In order to overcome this, we are setting conversion strategy in helm chart to None, and then update it with CA and namespace information.
+func (r *CAReconciler) UpdateCustomResourceDefinition(caBundle []byte) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		crd := &apiextensionsv1.CustomResourceDefinition{}
+		err = r.Get(context.TODO(), types.NamespacedName{Name: "tenants.capsule.clastix.io"}, crd)
+		if err != nil {
+			r.Log.Error(err, "cannot retrieve CustomResourceDefinition")
+			return err
+		}
+
+		_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, crd, func() error {
+			crd.Spec.Conversion = &apiextensionsv1.CustomResourceConversion{
+				Strategy: "Webhook",
+				Webhook: &apiextensionsv1.WebhookConversion{
+					ClientConfig: &apiextensionsv1.WebhookClientConfig{
+						Service: &apiextensionsv1.ServiceReference{
+							Namespace: r.Namespace,
+							Name:      "capsule-webhook-service",
+							Path:      pointer.StringPtr("/convert"),
+							Port:      pointer.Int32Ptr(443),
+						},
+						CABundle: caBundle,
+					},
+					ConversionReviewVersions: []string{"v1alpha1", "v1beta1"},
+				},
+			}
+
+			return nil
+		})
+
+		return err
+	})
+}
+
 //nolint:dupl
 func (r CAReconciler) UpdateValidatingWebhookConfiguration(caBundle []byte) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		vw := &v1.ValidatingWebhookConfiguration{}
+		vw := &admissionregistrationv1.ValidatingWebhookConfiguration{}
 		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-validating-webhook-configuration"}, vw)
 		if err != nil {
 			r.Log.Error(err, "cannot retrieve ValidatingWebhookConfiguration")
@@ -72,7 +96,7 @@ func (r CAReconciler) UpdateValidatingWebhookConfiguration(caBundle []byte) erro
 //nolint:dupl
 func (r CAReconciler) UpdateMutatingWebhookConfiguration(caBundle []byte) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		mw := &v1.MutatingWebhookConfiguration{}
+		mw := &admissionregistrationv1.MutatingWebhookConfiguration{}
 		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-mutating-webhook-configuration"}, mw)
 		if err != nil {
 			r.Log.Error(err, "cannot retrieve MutatingWebhookConfiguration")
@@ -140,6 +164,9 @@ func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl
 		group.Go(func() error {
 			return r.UpdateValidatingWebhookConfiguration(crt.Bytes())
 		})
+		group.Go(func() error {
+			return r.UpdateCustomResourceDefinition(crt.Bytes())
+		})
 
 		if err = group.Wait(); err != nil {
 			return reconcile.Result{}, err

controllers/secret/const.go

@@ -1,18 +1,5 @@
-/*
-Copyright 2020 Clastix Labs.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
 
 package secret