chore(helm): release v0.1.3

chore(kustomize): release v0.1.3
test: preventing serviceaccount privilege escalation
2026-03-02 17:50:17 +00:00 · 2022-12-02 15:43:41 +01:00 · 2022-12-02 15:43:41 +01:00 · 2022-12-02 15:19:06 +01:00 · 2022-12-02 15:19:06 +01:00 · 2022-11-21 18:56:44 +01:00
356 changed files with 50584 additions and 7535 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -9,10 +9,7 @@ assignees: ''

 <!--
 Thanks for taking time reporting a Capsule bug!
-
-We do our best to keep it reliable and working, so don't hesitate adding
-as many information as you can and keep in mind you can reach us on our
-Clastix Slack workspace: https://clastix.slack.com, #capsule channel.   
+  
 -->

 # Bug description
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Chat on Slack
+    url: https://kubernetes.slack.com/archives/C03GETTJQRL
+    about: Maybe chatting with the community can help
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -14,8 +14,6 @@ We're trying to build a community drive Open Source project, so don't
 hesitate proposing your enhancement ideas: keep in mind, since we would like
 to keep it as agnostic as possible, to motivate all your assumptions.

-If you need to reach the maintainers, please join the Clastix Slack workspace:
-https://clastix.slack.com, #capsule channel.   
 -->

 # Describe the feature
--- a/.github/configs/ct.yaml
+++ b/.github/configs/ct.yaml
@@ -0,0 +1,10 @@
+remote: origin
+target-branch: master
+chart-dirs:
+  - charts
+helm-extra-args: "--timeout 600s"  
+validate-chart-schema: false
+validate-maintainers: false
+validate-yaml: true
+exclude-deprecated: true
+check-version-increment: false
--- a/.github/configs/lintconf.yaml
+++ b/.github/configs/lintconf.yaml
@@ -0,0 +1,43 @@
+
+---
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments:
+    require-starting-space: true
+    min-spaces-from-content: 1
+  document-end: disable
+  document-start: disable # No --- to start a file
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    spaces: consistent
+    indent-sequences: whatever # - list indentation will handle both indentation and without
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable # Lines can be any length
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    level: warning
--- a/.github/maintainers.yaml
+++ b/.github/maintainers.yaml
@@ -0,0 +1,23 @@
+- name: Adriano Pezzuto
+  github: https://github.com/bsctl
+  company: Clastix
+  projects:
+    - https://github.com/clastix/capsule
+    - https://github.com/clastix/capsule-proxy
+- name: Dario Tranchitella
+  github: https://github.com/prometherion
+  company: Clastix
+  projects:
+    - https://github.com/clastix/capsule
+    - https://github.com/clastix/capsule-proxy
+- name: Maksim Fedotov
+  github: https://github.com/MaxFedotov
+  company: wargaming.net
+  projects:
+    - https://github.com/clastix/capsule
+    - https://github.com/clastix/capsule-proxy
+- name: Oliver Bähler
+  github: https://github.com/oliverbaehler
+  company: Bedag Informatik AG
+  projects:
+    - https://github.com/clastix/capsule
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,15 @@ on:
    branches: [ "*" ]

 jobs:
+  commit_lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@v2
+        with:
+          firstParent: true
  golangci:
    name: lint
    runs-on: ubuntu-latest
@@ -15,7 +24,7 @@ jobs:
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v2.3.0
        with:
-          version: latest
+          version: v1.45.2
          only-new-issues: false
          args: --timeout 2m --config .golangci.yml
  diff:
@@ -23,22 +32,18 @@ jobs:
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
-      - name: Cache Go modules
-        uses: actions/cache@v1
-        env:
-          cache-name: go-mod
        with:
-          path: |
-            ~/go/pkg/mod
-            /home/runner/work/capsule/capsule
-          key: ${{ runner.os }}-build-${{ env.cache-name }}
-          restore-keys: |
-            ${{ runner.os }}-build-
-            ${{ runner.os }}-
-      - run: make manifests
-      - name: Checking if manifests are disaligned
+          fetch-depth: 0
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '1.18'
+      - run: make installer
+      - name: Checking if YAML installer file is not aligned
        run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
-      - name: Checking if manifests generated untracked files
+      - run: make apidoc
+      - name: Checking if the CRDs documentation is not aligned
+        run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> CRDs generated documentation have not been committed" && git --no-pager diff && exit 1; fi
+      - name: Checking if YAML installer generated untracked files
        run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
      - name: Checking if source code is not formatted
        run: test -z "$(git diff 2> /dev/null)"
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -10,38 +10,51 @@ jobs:
    runs-on: ubuntu-20.04
    steps:

-      -
-        name: Checkout
+      - name: Checkout
        uses: actions/checkout@v2

-      -
-        name: Docker meta
+      - name: Generate build-args
+        id: build-args
+        run: |
+          # Declare vars for internal use
+          VERSION=$(git describe --abbrev=0 --tags)
+          GIT_HEAD_COMMIT=$(git rev-parse --short HEAD)
+          GIT_TAG_COMMIT=$(git rev-parse --short $VERSION)
+          GIT_MODIFIED_1=$(git diff $GIT_HEAD_COMMIT $GIT_TAG_COMMIT --quiet && echo "" || echo ".dev")
+          GIT_MODIFIED_2=$(git diff --quiet && echo "" || echo ".dirty")
+          # Export to GH_ENV
+          echo "GIT_LAST_TAG=$VERSION" >> $GITHUB_ENV
+          echo "GIT_HEAD_COMMIT=$GIT_HEAD_COMMIT" >> $GITHUB_ENV
+          echo "GIT_TAG_COMMIT=$GIT_TAG_COMMIT" >> $GITHUB_ENV
+          echo "GIT_MODIFIED=$(echo "$GIT_MODIFIED_1""$GIT_MODIFIED_2")" >> $GITHUB_ENV
+          echo "GIT_REPO=$(git config --get remote.origin.url)" >> $GITHUB_ENV
+          echo "BUILD_DATE=$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_ENV
+
+      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: |
             quay.io/${{ github.repository }}
+             docker.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{raw}}
          flavor: |
            latest=false

-      -
-        name: Set up QEMU
+      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@v1
        with:
          platforms: arm64,arm

-      -
-        name: Set up Docker Buildx
+      - name: Set up Docker Buildx
        id: buildx
+        uses: docker/setup-buildx-action@v1
        with:
          install: true
-        uses: docker/setup-buildx-action@v1

-      -
-        name: Inspect builder
+      - name: Inspect builder
        run: |
          echo "Name:      ${{ steps.buildx.outputs.name }}"
          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
@@ -49,16 +62,21 @@ jobs:
          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"

-      -
-        name: Login to quay.io Container Registry
+      - name: Login to quay.io Container Registry
        uses: docker/login-action@v1 
        with:
          registry: quay.io
          username: ${{ github.repository_owner }}+github
          password: ${{ secrets.BOT_QUAY_IO }}

-      -
-        name: Build and push
+      - name: Login to docker.io Container Registry
+        uses: docker/login-action@v1 
+        with:
+          registry: docker.io
+          username: ${{ secrets.USER_DOCKER_IO }}
+          password: ${{ secrets.BOT_DOCKER_IO }}
+
+      - name: Build and push
        id: build-release
        uses: docker/build-push-action@v2
        with:
@@ -67,7 +85,13 @@ jobs:
          platforms: linux/amd64,linux/arm64,linux/arm
          push: true
          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            GIT_HEAD_COMMIT=${{ env.GIT_HEAD_COMMIT }}
+            GIT_TAG_COMMIT=${{ env.GIT_TAG_COMMIT }}
+            GIT_REPO=${{ env.GIT_REPO }}
+            GIT_LAST_TAG=${{ env.GIT_LAST_TAG }}
+            GIT_MODIFIED=${{ env.GIT_MODIFIED }}
+            BUILD_DATE=${{ env.BUILD_DATE }}

-      -
-        name: Image digest
+      - name: Image digest
        run: echo ${{ steps.build-release.outputs.digest }}
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -3,46 +3,53 @@ name: e2e
 on:
  push:
    branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'pkg/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
  pull_request:
    branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'pkg/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'

 jobs:
  kind:
    name: Kubernetes
    strategy:
+      fail-fast: false
      matrix:
-        k8s-version: ['v1.16.15', 'v1.17.11', 'v1.18.8', 'v1.19.4', 'v1.20.0']
+        k8s-version: ['v1.16.15', 'v1.17.11', 'v1.18.8', 'v1.19.4', 'v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.1']
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
-      - name: Cache Go modules and Docker images
-        uses: actions/cache@v1
-        env:
-          cache-name: gomod-docker
+      - uses: actions/setup-go@v2
        with:
-          path: |
-            ~/go/pkg/mod
-            /var/lib/docker
-            /home/runner/work/capsule/capsule
-          key: ${{ matrix.k8s-version }}-build-${{ env.cache-name }}
-          restore-keys: |
-            ${{ matrix.k8s-version }}-build-
-            ${{ matrix.k8s-version }}-
+          go-version: '1.18'
      - run: make manifests
      - name: Checking if manifests are disaligned
        run: test -z "$(git diff 2> /dev/null)"
      - name: Checking if manifests generated untracked files
        run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - name: Installing Ginkgo
-        run: go get github.com/onsi/ginkgo/ginkgo
-      - uses: actions/setup-go@v2
-        with:
-          go-version: '^1.13.8'
      - uses: engineerd/setup-kind@v0.5.0
        with:
          skipClusterCreation: true
+          version: v0.14.0
      - uses: azure/setup-helm@v1
        with:
          version: 3.3.4
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -0,0 +1,18 @@
+name: CI gosec
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "*" ]
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -3,6 +3,7 @@ name: Helm Chart
 on:
  push:
    branches: [ "*" ]
+    tags: [ "helm-v*" ]
  pull_request:
    branches: [ "*" ]

@@ -11,11 +12,53 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
      - uses: azure/setup-helm@v1
        with:
          version: 3.3.4
      - name: Linting Chart
        run: helm lint ./charts/capsule
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@v2.3.0
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ./.github/configs/ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+      - name: Run chart-testing (lint)
+        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
+      - name: Run docs-testing (helm-docs)
+        id: helm-docs
+        run: |
+          make helm-docs
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+          fi
+      # Create KIND Cluster
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.2.0
+        if: steps.list-changed.outputs.changed == 'true'
+      # Install Required Operators/CRDs
+      - name: Prepare Cluster Operators/CRDs
+        run: |
+          # Cert-Manager CRDs
+          kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+          
+          # Prometheus CRDs
+          kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+        if: steps.list-changed.outputs.changed == 'true'
+      # Install Charts
+      - name: Run chart-testing (install)
+        run: ct install --debug --config ./.github/configs/ct.yaml
+        if: steps.list-changed.outputs.changed == 'true'
  release:
    if: startsWith(github.ref, 'refs/tags/helm-v')
    runs-on: ubuntu-latest
--- a/.gitignore
+++ b/.gitignore
@@ -22,9 +22,13 @@ bin
 *.swp
 *.swo
 *~
+.vscode

 **/*.kubeconfig
 **/*.crt
 **/*.key
 .DS_Store
+*.tgz
+
+capsule

--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,51 +1,39 @@
 linters-settings:
  govet:
    check-shadowing: true
-  golint:
-    min-confidence: 0
-  maligned:
-    suggest-new: true
-  goimports:
-    local-prefixes: github.com/clastix/capsule
  dupl:
    threshold: 100
  goconst:
    min-len: 2
    min-occurrences: 2
+  cyclop:
+    max-complexity: 27
+  gocognit:
+    min-complexity: 50
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/clastix/capsule)
 linters:
-  disable-all: true
-  enable:
-    - bodyclose
-    - deadcode
-    - depguard
-    - dogsled
-    - dupl
-    - errcheck
-    - goconst
-    - gocritic
-    - gofmt
-    - goimports
-    - golint
-    - goprintffuncname
-    - gosec
-    - gosimple
-    - govet
-    - ineffassign
-    - interfacer
-    - misspell
-    - nolintlint
-    - rowserrcheck
-    - scopelint
-    - staticcheck
-    - structcheck
-    - stylecheck
-    - typecheck
-    - unconvert
-    - unparam
-    - unused
-    - varcheck
-    - whitespace
+  enable-all: true
+  disable:
+    - funlen
+    - gochecknoinits
+    - lll
+    - exhaustivestruct
    - maligned
+    - interfacer
+    - scopelint
+    - golint
+    - gochecknoglobals
+    - goerr113
+    - gomnd
+    - paralleltest
+    - ireturn
+    - testpackage
+    - varnamelen
+    - wrapcheck

 issues:
  exclude:
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -0,0 +1,8 @@
+# Adopters
+
+This is a list of companies that have adopted Capsule, feel free to open a Pull-Request to get yours listed.
+
+## Adopters list (alphabetically)
+
+### [Bedag Informatik AG](https://www.bedag.ch/)
+![Bedag](https://www.bedag.ch/wGlobal/wGlobal/layout/images/logo.svg)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement by contacting
+one of the [maintainers](https://raw.githubusercontent.com/clastix/capsule/master/.github/maintainers.yaml).
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.16 as builder
+FROM golang:1.18 as builder

 ARG TARGETARCH
 ARG GIT_HEAD_COMMIT
--- a/149
+++ b/149
@@ -1,8 +1,8 @@
 # Current Operator version
-VERSION ?= $$(git describe --abbrev=0 --tags)
+VERSION ?= $$(git describe --abbrev=0 --tags --match "v*")

 # Default bundle image tag
-BUNDLE_IMG ?= quay.io/clastix/capsule:$(VERSION)-bundle
+BUNDLE_IMG ?= clastix/capsule:$(VERSION)-bundle
 # Options for 'bundle-build'
 ifneq ($(origin CHANNELS), undefined)
 BUNDLE_CHANNELS := --channels=$(CHANNELS)
@@ -13,7 +13,7 @@ endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)

 # Image URL to use all building/pushing image targets
-IMG ?= quay.io/clastix/capsule:$(VERSION)
+IMG ?= clastix/capsule:$(VERSION)
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:preserveUnknownFields=false"

@@ -40,29 +40,33 @@ test: generate manifests
 	go test ./... -coverprofile cover.out

 # Build manager binary
-manager: generate fmt vet
-	go build -o bin/manager main.go
+manager: generate golint
+	go build -o bin/manager

 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate manifests
-	go run ./main.go
+	go run .
+
+# Creates the single file to install Capsule without any external dependency
+installer: manifests kustomize
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	$(KUSTOMIZE) build config/default > config/install.yaml

 # Install CRDs into a cluster
-install: manifests kustomize
+install: installer
 	$(KUSTOMIZE) build config/crd | kubectl apply -f -

 # Uninstall CRDs from a cluster
-uninstall: manifests kustomize
+uninstall: installer
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -

 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-deploy: manifests kustomize
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
+deploy: installer
+	kubectl apply -f config/install.yaml

 # Remove controller in the configured Kubernetes cluster in ~/.kube/config
-remove: manifests kustomize
-	$(KUSTOMIZE) build config/default | kubectl delete -f -
+remove: installer
+	kubectl delete -f config/install.yaml
 	kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
 	kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found

@@ -74,6 +78,77 @@ manifests: controller-gen
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."

+apidoc: apidocs-gen
+	$(APIDOCS_GEN) crdoc --resources config/crd/bases --output docs/content/general/tenant-crd.md --template docs/template/reference-cr.tmpl
+
+# Helm
+SRC_ROOT = $(shell git rev-parse --show-toplevel)
+
+helm-docs: HELMDOCS_VERSION := v1.11.0
+helm-docs: docker
+	@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
+
+helm-lint: docker
+	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:v3.3.1 -c "cd /workdir && ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
+
+docker:
+	@hash docker 2>/dev/null || {\
+		echo "You need docker" &&\
+		exit 1;\
+	}
+
+# Setup development env
+# Usage: 
+# 	LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
+# For example:
+#	LAPTOP_HOST_IP=192.168.10.101 make dev-setup
+define TLS_CNF
+[ req ]
+default_bits       = 4096
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                = SG
+stateOrProvinceName        = SG
+localityName               = SG
+organizationName           = CAPSULE
+commonName                 = CAPSULE
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+IP.1   = $(LAPTOP_HOST_IP)
+endef
+export TLS_CNF
+dev-setup:
+	kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
+	mkdir -p /tmp/k8s-webhook-server/serving-certs
+	echo "$${TLS_CNF}" > _tls.cnf
+	openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
+		-subj "/C=SG/ST=SG/L=SG/O=CAPSULE/CN=CAPSULE" \
+		-extensions req_ext \
+		-config _tls.cnf \
+		-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
+		-out /tmp/k8s-webhook-server/serving-certs/tls.crt
+	rm -f _tls.cnf 
+	export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
+	export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
+	kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
+		--type='json' -p="[\
+			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\
+		]" && \
+	kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+		--type='json' -p="[\
+			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}\
+		]";
+
 # Build the docker image
 docker-build: test
 	docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \
@@ -89,23 +164,37 @@ docker-push:

 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0)
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0)
+
+APIDOCS_GEN = $(shell pwd)/bin/crdoc
+apidocs-gen: ## Download crdoc locally if necessary.
+	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@latest)
+
+GINKGO = $(shell pwd)/bin/ginkgo
+ginkgo: ## Download ginkgo locally if necessary.
+	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/ginkgo@v1.16.5)

 KUSTOMIZE = $(shell pwd)/bin/kustomize
 kustomize: ## Download kustomize locally if necessary.
-	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7)
+	$(call install-kustomize,$(KUSTOMIZE),3.8.7)

-# go-get-tool will 'go get' any package $2 and install it to $1.
-PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
-define go-get-tool
+define install-kustomize
@[ -f $(1) ] || { \
 set -e ;\
-TMP_DIR=$$(mktemp -d) ;\
-cd $$TMP_DIR ;\
-go mod init tmp ;\
-echo "Downloading $(2)" ;\
-GOBIN=$(PROJECT_DIR)/bin go get $(2) ;\
-rm -rf $$TMP_DIR ;\
+echo "Installing v$(2)" ;\
+cd bin ;\
+wget "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" ;\
+bash ./install_kustomize.sh $(2) ;\
+}
+endef
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+@[ -f $(1) ] || { \
+set -e ;\
+echo "Installing $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 }
 endef

@@ -131,7 +220,10 @@ golint:

 # Running e2e tests in a KinD instance
 .PHONY: e2e
-e2e/%:
+e2e/%: ginkgo
+	$(MAKE) e2e-build/$* && $(MAKE) e2e-exec || $(MAKE) e2e-destroy
+
+e2e-build/%:
 	kind create cluster --name capsule --image=kindest/node:$*
 	make docker-build
 	kind load docker-image --nodes capsule-control-plane --name capsule $(IMG)
@@ -147,5 +239,10 @@ e2e/%:
 		--set 'manager.readinessProbe.failureThreshold=10' \
 		capsule \
 		./charts/capsule
-	ginkgo -v -tags e2e ./e2e
+
+e2e-exec:
+	$(GINKGO) -v -tags e2e ./e2e
+
+e2e-destroy:
 	kind delete cluster --name capsule
+
--- a/README.md
+++ b/README.md
@@ -5,6 +5,9 @@
  <a href="https://github.com/clastix/capsule/releases">
    <img src="https://img.shields.io/github/v/release/clastix/capsule"/>
  </a>
+  <a href="https://charmhub.io/capsule-k8s">
+    <img src="https://charmhub.io/capsule-k8s/badge.svg"/>
+  </a>
 </p>

 <p align="center">
@@ -13,169 +16,100 @@

 ---

-# Kubernetes multi-tenancy made simple
-**Capsule** helps to implement a multi-tenancy and policy-based environment in your Kubernetes cluster. It is not intended to be yet another _PaaS_, instead, it has been designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.
+**Join the community** on the [#capsule](https://kubernetes.slack.com/archives/C03GETTJQRL) channel in the [Kubernetes Slack](https://slack.k8s.io/).
+
+# Kubernetes multi-tenancy made easy
+
+**Capsule** implements a multi-tenant and policy-based environment in your Kubernetes cluster. It is designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.

 # What's the problem with the current status?

-Kubernetes introduces the _Namespace_ object type to create logical partitions of the cluster as isolated *slices*. However, implementing advanced multi-tenancy scenarios, it soon becomes complicated because of the flat structure of Kubernetes namespaces and the impossibility to share resources among namespaces belonging to the same tenant. To overcome this, cluster admins tend to provision a dedicated cluster for each groups of users, teams, or departments. As an organization grows, the number of clusters to manage and keep aligned becomes an operational nightmare, described as the well know phenomena of the _clusters sprawl_.
-
+Kubernetes introduces the _Namespace_ object type to create logical partitions of the cluster as isolated *slices*. However, implementing advanced multi-tenancy scenarios, it soon becomes complicated because of the flat structure of Kubernetes namespaces and the impossibility to share resources among namespaces belonging to the same tenant. To overcome this, cluster admins tend to provision a dedicated cluster for each groups of users, teams, or departments. As an organization grows, the number of clusters to manage and keep aligned becomes an operational nightmare, described as the well known phenomena of the _clusters sprawl_.

 # Entering Capsule
-Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources while the Capsule Policy Engine keeps the different tenants isolated from each other.

-The _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator. Take a look at following diagram:
+Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources. 

-<p align="center" style="padding: 60px 20px">
-  <img src="assets/capsule-operator.svg" />
-</p>
+On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator. 

 # Features
+
 ## Self-Service
-Leave to developers the freedom to self-provision their cluster resources according to the assigned boundaries.
+
+Leave developers the freedom to self-provision their cluster resources according to the assigned boundaries.

 ## Preventing Clusters Sprawl
+
 Share a single cluster with multiple teams, groups of users, or departments by saving operational and management efforts.

 ## Governance
-Leverage Kubernetes Admission Controllers to enforce the industry security best practices and meet legal requirements.
+
+Leverage Kubernetes Admission Controllers to enforce the industry security best practices and meet policy requirements.

 ## Resources Control
+
 Take control of the resources consumed by users while preventing them to overtake.

 ## Native Experience
+
 Provide multi-tenancy with a native Kubernetes experience without introducing additional management layers, plugins, or customized binaries.

 ## GitOps ready
+
 Capsule is completely declarative and GitOps ready.

 ## Bring your own device (BYOD)
+
 Assign to tenants a dedicated set of compute, storage, and network resources and avoid the noisy neighbors' effect.

-# Common use cases for Capsule
-Please, refer to the corresponding [section](./docs/operator/use-cases/overview.md) in the project documentation for a detailed list of common use cases that Capsule can address.
-
-# Installation
-Make sure you have access to a Kubernetes cluster as administrator.
-
-There are two ways to install Capsule:
-
-* Use the Helm Chart available [here](./charts/capsule/README.md)
-* Use [`kustomize`](https://github.com/kubernetes-sigs/kustomize)
-
-## Install with kustomize
-Ensure you have `kubectl` and `kustomize` installed in your `PATH`. 
-
-Clone this repository and move to the repo folder:
-
-```
-$ git clone https://github.com/clastix/capsule
-$ cd capsule
-$ make deploy
-```
-
-It will install the Capsule controller in a dedicated namespace `capsule-system`.
-
-## How to create Tenants
-Use the scaffold [Tenant](config/samples/capsule_v1alpha1_tenant.yaml) and simply apply as cluster admin.
-
-```
-$ kubectl apply -f config/samples/capsule_v1alpha1_tenant.yaml
-tenant.capsule.clastix.io/oil created
-```
-
-You can check the tenant just created as
-
-```
-$ kubectl get tenants
-NAME      NAMESPACE QUOTA   NAMESPACE COUNT   OWNER NAME   OWNER KIND   NODE SELECTOR    AGE
-oil       3                 0                 alice        User                          1m
-```
-
-## Tenant owners
-Each tenant comes with a delegated user or group of users acting as the tenant admin. In the Capsule jargon, this is called the _Tenant Owner_. Other users can operate inside a tenant with different levels of permissions and authorizations assigned directly by the Tenant Owner.
-
-Capsule does not care about the authentication strategy used in the cluster and all the Kubernetes methods of [authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) are supported. The only requirement to use Capsule is to assign tenant users to the the group defined by `--capsule-user-group` option, which defaults to `capsule.clastix.io`.
-
-Assignment to a group depends on the authentication strategy in your cluster.
-
-For example, if you are using `capsule.clastix.io`, users authenticated through a _X.509_ certificate must have `capsule.clastix.io` as _Organization_: `-subj "/CN=${USER}/O=capsule.clastix.io"`
-
-Users authenticated through an _OIDC token_ must have
-
-```json
-...
-"users_groups": [
-    "capsule.clastix.io",
-    "other_group"
-]
-```
-
-in their token.
-
-The [hack/create-user.sh](hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `alice` user acting as owner of a tenant called `oil`
-
-```bash
-./hack/create-user.sh alice oil
-creating certs in TMPDIR /tmp/tmp.4CLgpuime3 
-Generating RSA private key, 2048 bit long modulus (2 primes)
-............+++++
-........................+++++
-e is 65537 (0x010001)
-certificatesigningrequest.certificates.k8s.io/alice-oil created
-certificatesigningrequest.certificates.k8s.io/alice-oil approved
-kubeconfig file is: alice-oil.kubeconfig
-to use it as alice export KUBECONFIG=alice-oil.kubeconfig
-```
-
-## Working with Tenants
-Log in to the Kubernetes cluster as `alice` tenant owner
-
-```
-$ export KUBECONFIG=alice-oil.kubeconfig
-```
-
-and create a couple of new namespaces
-
-```
-$ kubectl create namespace oil-production
-$ kubectl create namespace oil-development
-```
-
-As user `alice` you can operate with fully admin permissions:
-
-```
-$ kubectl -n oil-development run nginx --image=docker.io/nginx 
-$ kubectl -n oil-development get pods
-```
-
-but limited to only your own namespaces:
-
-```
-$ kubectl -n kube-system get pods
-Error from server (Forbidden): pods is forbidden:
-User "alice" cannot list resource "pods" in API group "" in the namespace "kube-system"
-```
-
 # Documentation
-Please, check the project [documentation](./docs/index.md) for more cool things you can do with Capsule.

-# Removal
-Similar to `deploy`, you can get rid of Capsule using the `remove` target.
+Please, check the project [documentation](https://capsule.clastix.io) for the cool things you can do with Capsule.
+
+# Contributions
+
+Capsule is Open Source with Apache 2 license and any contribution is welcome.
+
+## Chart Development
+
+### Chart Linting
+
+The chart is linted with [ct](https://github.com/helm/chart-testing). You can run the linter locally with this command:

 ```
-$ make remove
+make helm-lint
 ```

+### Chart Documentation
+
+The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation. Run this anytime you make changes to a `values.yaml` file:
+
+```
+make helm-docs
+```
+
+## Community
+
+Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/clastix/capsule-community).
+
+## Adopters
+
+See the [ADOPTERS.md](ADOPTERS.md) file for a list of companies that are using Capsule.
+
+# Governance
+
+You can find how the Capsule project is governed [here](https://capsule.clastix.io/docs/contributing/governance).
+
+## Maintainers
+
+Please, refer to the maintainers file available [here](.github/maintainers.yaml).
+
 # FAQ
+
 - Q. How to pronounce Capsule?

  A. It should be pronounced as `/ˈkæpsjuːl/`.

- Q. Can I contribute?
-
-  A. Absolutely! Capsule is Open Source with Apache 2 license and any contribution is welcome. Please refer to the corresponding [section](./docs/operator/contributing.md) in the documentation.
-
 - Q. Is it production grade?

  A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/clastix/capsule/releases) page for a detailed list of available versions.
--- a/api/v1alpha1/allowed_list.go
+++ b/api/v1alpha1/allowed_list.go
@@ -19,9 +19,12 @@ func (in *AllowedListSpec) ExactMatch(value string) (ok bool) {
 		sort.SliceStable(in.Exact, func(i, j int) bool {
 			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
 		})
+
 		i := sort.SearchStrings(in.Exact, value)
+
 		ok = i < len(in.Exact) && in.Exact[i] == value
 	}
+
 	return
 }

@@ -29,5 +32,6 @@ func (in AllowedListSpec) RegexMatch(value string) (ok bool) {
 	if len(in.Regex) > 0 {
 		ok = regexp.MustCompile(in.Regex).MatchString(value)
 	}
+
 	return
 }
--- a/api/v1alpha1/allowed_list_test.go
+++ b/api/v1alpha1/allowed_list_test.go
@@ -15,6 +15,7 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{
 			[]string{"foo", "bar", "bizz", "buzz"},
@@ -35,9 +36,11 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Exact: tc.In,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.ExactMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.ExactMatch(ko))
 		}
@@ -50,6 +53,7 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
 		{``, nil, []string{"any", "value"}},
@@ -57,9 +61,11 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Regex: tc.Regex,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.RegexMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.RegexMatch(ko))
 		}
--- a/api/v1alpha1/capsuleconfiguration_annotations.go
+++ b/api/v1alpha1/capsuleconfiguration_annotations.go
@@ -0,0 +1,12 @@
+package v1alpha1
+
+const (
+	ForbiddenNodeLabelsAnnotation            = "capsule.clastix.io/forbidden-node-labels"
+	ForbiddenNodeLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-node-labels-regexp"
+	ForbiddenNodeAnnotationsAnnotation       = "capsule.clastix.io/forbidden-node-annotations"
+	ForbiddenNodeAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-node-annotations-regexp"
+	TLSSecretNameAnnotation                  = "capsule.clastix.io/tls-secret-name"
+	MutatingWebhookConfigurationName         = "capsule.clastix.io/mutating-webhook-configuration-name"
+	ValidatingWebhookConfigurationName       = "capsule.clastix.io/validating-webhook-configuration-name"
+	EnableTLSConfigurationAnnotationName     = "capsule.clastix.io/enable-tls-configuration"
+)
--- a/api/v1alpha1/capsuleconfiguration_types.go
+++ b/api/v1alpha1/capsuleconfiguration_types.go
@@ -7,8 +7,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-// CapsuleConfigurationSpec defines the Capsule configuration
-// nolint:maligned
+// CapsuleConfigurationSpec defines the Capsule configuration.
 type CapsuleConfigurationSpec struct {
 	// Names of the groups for Capsule users.
 	// +kubebuilder:default={capsule.clastix.io}
@@ -19,21 +18,12 @@ type CapsuleConfigurationSpec struct {
 	ForceTenantPrefix bool `json:"forceTenantPrefix,omitempty"`
 	// Disallow creation of namespaces, whose name matches this regexp
 	ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
-	// When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed.
-	// Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of
-	// two or more Tenant resources although sharing the same allowed hostname(s).
-	//
-	// The JSON path of the resource is: /spec/ingressHostnames/allowed
-	AllowTenantIngressHostnamesCollision bool `json:"allowTenantIngressHostnamesCollision,omitempty"`
-	// Allow the collision of Ingress resource hostnames across all the Tenants.
-	// +kubebuilder:default=true
-	AllowIngressHostnameCollision bool `json:"allowIngressHostnameCollision,omitempty"`
 }

 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster

-// CapsuleConfiguration is the Schema for the Capsule configuration API
+// CapsuleConfiguration is the Schema for the Capsule configuration API.
 type CapsuleConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -43,7 +33,7 @@ type CapsuleConfiguration struct {

 // +kubebuilder:object:root=true

-// CapsuleConfigurationList contains a list of CapsuleConfiguration
+// CapsuleConfigurationList contains a list of CapsuleConfiguration.
 type CapsuleConfigurationList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
--- a/api/v1alpha1/conversion_hub.go
+++ b/api/v1alpha1/conversion_hub.go
@@ -10,67 +10,74 @@ import (
 	"strings"

 	"github.com/pkg/errors"
+	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"

 	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
 )

 const (
+	resourceQuotaScopeAnnotation = "capsule.clastix.io/resource-quota-scope"
+
 	podAllowedImagePullPolicyAnnotation = "capsule.clastix.io/allowed-image-pull-policy"

 	podPriorityAllowedAnnotation      = "priorityclass.capsule.clastix.io/allowed"
 	podPriorityAllowedRegexAnnotation = "priorityclass.capsule.clastix.io/allowed-regex"

-	enableNodePortsAnnotation = "capsule.clastix.io/enable-node-ports"
+	enableNodePortsAnnotation    = "capsule.clastix.io/enable-node-ports"
+	enableExternalNameAnnotation = "capsule.clastix.io/enable-external-name"
+	enableLoadBalancerAnnotation = "capsule.clastix.io/enable-loadbalancer-service"

 	ownerGroupsAnnotation         = "owners.capsule.clastix.io/group"
 	ownerUsersAnnotation          = "owners.capsule.clastix.io/user"
 	ownerServiceAccountAnnotation = "owners.capsule.clastix.io/serviceaccount"

-	enableNodeListingAnnotation          = "capsule.clastix.io/enable-node-listing"
-	enableNodeUpdateAnnotation           = "capsule.clastix.io/enable-node-update"
-	enableNodeDeletionAnnotation         = "capsule.clastix.io/enable-node-deletion"
-	enableStorageClassListingAnnotation  = "capsule.clastix.io/enable-storageclass-listing"
-	enableStorageClassUpdateAnnotation   = "capsule.clastix.io/enable-storageclass-update"
-	enableStorageClassDeletionAnnotation = "capsule.clastix.io/enable-storageclass-deletion"
-	enableIngressClassListingAnnotation  = "capsule.clastix.io/enable-ingressclass-listing"
-	enableIngressClassUpdateAnnotation   = "capsule.clastix.io/enable-ingressclass-update"
-	enableIngressClassDeletionAnnotation = "capsule.clastix.io/enable-ingressclass-deletion"
+	enableNodeListingAnnotation           = "capsule.clastix.io/enable-node-listing"
+	enableNodeUpdateAnnotation            = "capsule.clastix.io/enable-node-update"
+	enableNodeDeletionAnnotation          = "capsule.clastix.io/enable-node-deletion"
+	enableStorageClassListingAnnotation   = "capsule.clastix.io/enable-storageclass-listing"
+	enableStorageClassUpdateAnnotation    = "capsule.clastix.io/enable-storageclass-update"
+	enableStorageClassDeletionAnnotation  = "capsule.clastix.io/enable-storageclass-deletion"
+	enableIngressClassListingAnnotation   = "capsule.clastix.io/enable-ingressclass-listing"
+	enableIngressClassUpdateAnnotation    = "capsule.clastix.io/enable-ingressclass-update"
+	enableIngressClassDeletionAnnotation  = "capsule.clastix.io/enable-ingressclass-deletion"
+	enablePriorityClassListingAnnotation  = "capsule.clastix.io/enable-priorityclass-listing"
+	enablePriorityClassUpdateAnnotation   = "capsule.clastix.io/enable-priorityclass-update"
+	enablePriorityClassDeletionAnnotation = "capsule.clastix.io/enable-priorityclass-deletion"

-	listOperation   = "List"
-	updateOperation = "Update"
-	deleteOperation = "Delete"
-
-	nodesServiceKind          = "Nodes"
-	storageClassesServiceKind = "StorageClasses"
-	ingressClassesServiceKind = "IngressClasses"
+	ingressHostnameCollisionScope = "ingress.capsule.clastix.io/hostname-collision-scope"
 )

-func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() []capsulev1beta1.OwnerSpec {
-	var serviceKindToAnnotationMap = map[capsulev1beta1.ProxyServiceKind][]string{
-		nodesServiceKind:          {enableNodeListingAnnotation, enableNodeUpdateAnnotation, enableNodeDeletionAnnotation},
-		storageClassesServiceKind: {enableStorageClassListingAnnotation, enableStorageClassUpdateAnnotation, enableStorageClassDeletionAnnotation},
-		ingressClassesServiceKind: {enableIngressClassListingAnnotation, enableIngressClassUpdateAnnotation, enableIngressClassDeletionAnnotation},
+func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
+	serviceKindToAnnotationMap := map[capsulev1beta1.ProxyServiceKind][]string{
+		capsulev1beta1.NodesProxy:           {enableNodeListingAnnotation, enableNodeUpdateAnnotation, enableNodeDeletionAnnotation},
+		capsulev1beta1.StorageClassesProxy:  {enableStorageClassListingAnnotation, enableStorageClassUpdateAnnotation, enableStorageClassDeletionAnnotation},
+		capsulev1beta1.IngressClassesProxy:  {enableIngressClassListingAnnotation, enableIngressClassUpdateAnnotation, enableIngressClassDeletionAnnotation},
+		capsulev1beta1.PriorityClassesProxy: {enablePriorityClassListingAnnotation, enablePriorityClassUpdateAnnotation, enablePriorityClassDeletionAnnotation},
 	}
-	var annotationToOperationMap = map[string]capsulev1beta1.ProxyOperation{
-		enableNodeListingAnnotation:          listOperation,
-		enableNodeUpdateAnnotation:           updateOperation,
-		enableNodeDeletionAnnotation:         deleteOperation,
-		enableStorageClassListingAnnotation:  listOperation,
-		enableStorageClassUpdateAnnotation:   updateOperation,
-		enableStorageClassDeletionAnnotation: deleteOperation,
-		enableIngressClassListingAnnotation:  listOperation,
-		enableIngressClassUpdateAnnotation:   updateOperation,
-		enableIngressClassDeletionAnnotation: deleteOperation,
+	annotationToOperationMap := map[string]capsulev1beta1.ProxyOperation{
+		enableNodeListingAnnotation:           capsulev1beta1.ListOperation,
+		enableNodeUpdateAnnotation:            capsulev1beta1.UpdateOperation,
+		enableNodeDeletionAnnotation:          capsulev1beta1.DeleteOperation,
+		enableStorageClassListingAnnotation:   capsulev1beta1.ListOperation,
+		enableStorageClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
+		enableStorageClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
+		enableIngressClassListingAnnotation:   capsulev1beta1.ListOperation,
+		enableIngressClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
+		enableIngressClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
+		enablePriorityClassListingAnnotation:  capsulev1beta1.ListOperation,
+		enablePriorityClassUpdateAnnotation:   capsulev1beta1.UpdateOperation,
+		enablePriorityClassDeletionAnnotation: capsulev1beta1.DeleteOperation,
 	}
-	var annotationToOwnerKindMap = map[string]capsulev1beta1.OwnerKind{
-		ownerUsersAnnotation:          "User",
-		ownerGroupsAnnotation:         "Group",
-		ownerServiceAccountAnnotation: "ServiceAccount",
+	annotationToOwnerKindMap := map[string]capsulev1beta1.OwnerKind{
+		ownerUsersAnnotation:          capsulev1beta1.UserOwner,
+		ownerGroupsAnnotation:         capsulev1beta1.GroupOwner,
+		ownerServiceAccountAnnotation: capsulev1beta1.ServiceAccountOwner,
 	}
+
 	annotations := t.GetAnnotations()

-	var operations = make(map[string]map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
+	operations := make(map[string]map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)

 	for serviceKind, operationAnnotations := range serviceKindToAnnotationMap {
 		for _, operationAnnotation := range operationAnnotations {
@@ -80,15 +87,16 @@ func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() []capsulev1beta1.OwnerSpec {
 					if _, exists := operations[owner]; !exists {
 						operations[owner] = make(map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
 					}
+
 					operations[owner][serviceKind] = append(operations[owner][serviceKind], annotationToOperationMap[operationAnnotation])
 				}
 			}
 		}
 	}

-	var owners []capsulev1beta1.OwnerSpec
+	var owners capsulev1beta1.OwnerListSpec

-	var getProxySettingsForOwner = func(ownerName string) (settings []capsulev1beta1.ProxySettings) {
+	getProxySettingsForOwner := func(ownerName string) (settings []capsulev1beta1.ProxySettings) {
 		ownerOperations, ok := operations[ownerName]
 		if ok {
 			for k, v := range ownerOperations {
@@ -98,6 +106,7 @@ func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() []capsulev1beta1.OwnerSpec {
 				})
 			}
 		}
+
 		return
 	}

@@ -123,70 +132,120 @@ func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() []capsulev1beta1.OwnerSpec {
 	return owners
 }

+// nolint:gocognit,gocyclo,cyclop,maintidx
 func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
-	dst := dstRaw.(*capsulev1beta1.Tenant)
+	dst, ok := dstRaw.(*capsulev1beta1.Tenant)
+	if !ok {
+		return fmt.Errorf("expected type *capsulev1beta1.Tenant, got %T", dst)
+	}
+
 	annotations := t.GetAnnotations()

 	// ObjectMeta
 	dst.ObjectMeta = t.ObjectMeta

 	// Spec
-	dst.Spec.NamespaceQuota = t.Spec.NamespaceQuota
+	if t.Spec.NamespaceQuota != nil {
+		if dst.Spec.NamespaceOptions == nil {
+			dst.Spec.NamespaceOptions = &capsulev1beta1.NamespaceOptions{}
+		}
+
+		dst.Spec.NamespaceOptions.Quota = t.Spec.NamespaceQuota
+	}
+
 	dst.Spec.NodeSelector = t.Spec.NodeSelector

 	dst.Spec.Owners = t.convertV1Alpha1OwnerToV1Beta1()

 	if t.Spec.NamespacesMetadata != nil {
-		dst.Spec.NamespacesMetadata = &capsulev1beta1.AdditionalMetadataSpec{
-			AdditionalLabels:      t.Spec.NamespacesMetadata.AdditionalLabels,
-			AdditionalAnnotations: t.Spec.NamespacesMetadata.AdditionalAnnotations,
+		if dst.Spec.NamespaceOptions == nil {
+			dst.Spec.NamespaceOptions = &capsulev1beta1.NamespaceOptions{}
+		}
+
+		dst.Spec.NamespaceOptions.AdditionalMetadata = &capsulev1beta1.AdditionalMetadataSpec{
+			Labels:      t.Spec.NamespacesMetadata.AdditionalLabels,
+			Annotations: t.Spec.NamespacesMetadata.AdditionalAnnotations,
 		}
 	}
+
 	if t.Spec.ServicesMetadata != nil {
-		dst.Spec.ServicesMetadata = &capsulev1beta1.AdditionalMetadataSpec{
-			AdditionalLabels:      t.Spec.ServicesMetadata.AdditionalLabels,
-			AdditionalAnnotations: t.Spec.ServicesMetadata.AdditionalAnnotations,
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{
+				AdditionalMetadata: &capsulev1beta1.AdditionalMetadataSpec{
+					Labels:      t.Spec.ServicesMetadata.AdditionalLabels,
+					Annotations: t.Spec.ServicesMetadata.AdditionalAnnotations,
+				},
+			}
 		}
 	}
+
 	if t.Spec.StorageClasses != nil {
 		dst.Spec.StorageClasses = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.StorageClasses.Exact,
 			Regex: t.Spec.StorageClasses.Regex,
 		}
 	}
+
+	if v, annotationOk := t.Annotations[ingressHostnameCollisionScope]; annotationOk {
+		switch v {
+		case string(capsulev1beta1.HostnameCollisionScopeCluster), string(capsulev1beta1.HostnameCollisionScopeTenant), string(capsulev1beta1.HostnameCollisionScopeNamespace):
+			dst.Spec.IngressOptions.HostnameCollisionScope = capsulev1beta1.HostnameCollisionScope(v)
+		default:
+			dst.Spec.IngressOptions.HostnameCollisionScope = capsulev1beta1.HostnameCollisionScopeDisabled
+		}
+	}
+
 	if t.Spec.IngressClasses != nil {
-		dst.Spec.IngressClasses = &capsulev1beta1.AllowedListSpec{
+		dst.Spec.IngressOptions.AllowedClasses = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.IngressClasses.Exact,
 			Regex: t.Spec.IngressClasses.Regex,
 		}
 	}
+
 	if t.Spec.IngressHostnames != nil {
-		dst.Spec.IngressHostnames = &capsulev1beta1.AllowedListSpec{
+		dst.Spec.IngressOptions.AllowedHostnames = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.IngressHostnames.Exact,
 			Regex: t.Spec.IngressHostnames.Regex,
 		}
 	}
+
 	if t.Spec.ContainerRegistries != nil {
 		dst.Spec.ContainerRegistries = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.ContainerRegistries.Exact,
 			Regex: t.Spec.ContainerRegistries.Regex,
 		}
 	}
+
 	if len(t.Spec.NetworkPolicies) > 0 {
-		dst.Spec.NetworkPolicies = &capsulev1beta1.NetworkPolicySpec{
+		dst.Spec.NetworkPolicies = capsulev1beta1.NetworkPolicySpec{
 			Items: t.Spec.NetworkPolicies,
 		}
 	}
+
 	if len(t.Spec.LimitRanges) > 0 {
-		dst.Spec.LimitRanges = &capsulev1beta1.LimitRangesSpec{
+		dst.Spec.LimitRanges = capsulev1beta1.LimitRangesSpec{
 			Items: t.Spec.LimitRanges,
 		}
 	}
+
 	if len(t.Spec.ResourceQuota) > 0 {
-		dst.Spec.ResourceQuota = &capsulev1beta1.ResourceQuotaSpec{
+		dst.Spec.ResourceQuota = capsulev1beta1.ResourceQuotaSpec{
+			Scope: func() capsulev1beta1.ResourceQuotaScope {
+				if v, annotationOk := t.GetAnnotations()[resourceQuotaScopeAnnotation]; annotationOk {
+					switch v {
+					case string(capsulev1beta1.ResourceQuotaScopeNamespace):
+						return capsulev1beta1.ResourceQuotaScopeNamespace
+					case string(capsulev1beta1.ResourceQuotaScopeTenant):
+						return capsulev1beta1.ResourceQuotaScopeTenant
+					}
+				}
+
+				return capsulev1beta1.ResourceQuotaScopeTenant
+			}(),
 			Items: t.Spec.ResourceQuota,
 		}
 	}
+
 	if len(t.Spec.AdditionalRoleBindings) > 0 {
 		for _, rb := range t.Spec.AdditionalRoleBindings {
 			dst.Spec.AdditionalRoleBindings = append(dst.Spec.AdditionalRoleBindings, capsulev1beta1.AdditionalRoleBindingsSpec{
@@ -195,14 +254,18 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 			})
 		}
 	}
+
 	if t.Spec.ExternalServiceIPs != nil {
-		var allowedIPs []capsulev1beta1.AllowedIP
-		for _, IP := range t.Spec.ExternalServiceIPs.Allowed {
-			allowedIPs = append(allowedIPs, capsulev1beta1.AllowedIP(IP))
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
 		}

-		dst.Spec.ExternalServiceIPs = &capsulev1beta1.ExternalServiceIPsSpec{
-			Allowed: allowedIPs,
+		dst.Spec.ServiceOptions.ExternalServiceIPs = &capsulev1beta1.ExternalServiceIPsSpec{
+			Allowed: make([]capsulev1beta1.AllowedIP, len(t.Spec.ExternalServiceIPs.Allowed)),
+		}
+
+		for i, IP := range t.Spec.ExternalServiceIPs.Allowed {
+			dst.Spec.ServiceOptions.ExternalServiceIPs.Allowed[i] = capsulev1beta1.AllowedIP(IP)
 		}
 	}

@@ -216,10 +279,13 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 	priorityClasses := capsulev1beta1.AllowedListSpec{}

 	priorityClassAllowed, ok := annotations[podPriorityAllowedAnnotation]
+
 	if ok {
 		priorityClasses.Exact = strings.Split(priorityClassAllowed, ",")
 	}
+
 	priorityClassesRegexp, ok := annotations[podPriorityAllowedRegexAnnotation]
+
 	if ok {
 		priorityClasses.Regex = priorityClassesRegexp
 	}
@@ -234,20 +300,65 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 		if err != nil {
 			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableNodePortsAnnotation, t.GetName()))
 		}
-		dst.Spec.EnableNodePorts = val
+
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+
+		dst.Spec.ServiceOptions.AllowedServices.NodePort = pointer.BoolPtr(val)
 	}

+	enableExternalName, ok := annotations[enableExternalNameAnnotation]
+	if ok {
+		val, err := strconv.ParseBool(enableExternalName)
+		if err != nil {
+			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableExternalNameAnnotation, t.GetName()))
+		}
+
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+
+		dst.Spec.ServiceOptions.AllowedServices.ExternalName = pointer.BoolPtr(val)
+	}
+
+	loadBalancerService, ok := annotations[enableLoadBalancerAnnotation]
+	if ok {
+		val, err := strconv.ParseBool(loadBalancerService)
+		if err != nil {
+			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableLoadBalancerAnnotation, t.GetName()))
+		}
+
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+
+		dst.Spec.ServiceOptions.AllowedServices.LoadBalancer = pointer.BoolPtr(val)
+	}
 	// Status
 	dst.Status = capsulev1beta1.TenantStatus{
 		Size:       t.Status.Size,
 		Namespaces: t.Status.Namespaces,
 	}
-
 	// Remove unneeded annotations
 	delete(dst.ObjectMeta.Annotations, podAllowedImagePullPolicyAnnotation)
 	delete(dst.ObjectMeta.Annotations, podPriorityAllowedAnnotation)
 	delete(dst.ObjectMeta.Annotations, podPriorityAllowedRegexAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableNodePortsAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableExternalNameAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableLoadBalancerAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerGroupsAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerUsersAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerServiceAccountAnnotation)
@@ -260,18 +371,24 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 	delete(dst.ObjectMeta.Annotations, enableIngressClassListingAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableIngressClassUpdateAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableIngressClassDeletionAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassListingAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassUpdateAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassDeletionAnnotation)
+	delete(dst.ObjectMeta.Annotations, resourceQuotaScopeAnnotation)
+	delete(dst.ObjectMeta.Annotations, ingressHostnameCollisionScope)

 	return nil
 }

+// nolint:gocognit,gocyclo,cyclop
 func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
-	var ownersAnnotations = map[string][]string{
+	ownersAnnotations := map[string][]string{
 		ownerGroupsAnnotation:         nil,
 		ownerUsersAnnotation:          nil,
 		ownerServiceAccountAnnotation: nil,
 	}

-	var proxyAnnotations = map[string][]string{
+	proxyAnnotations := map[string][]string{
 		enableNodeListingAnnotation:          nil,
 		enableNodeUpdateAnnotation:           nil,
 		enableNodeDeletionAnnotation:         nil,
@@ -291,46 +408,58 @@ func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 			}
 		} else {
 			switch owner.Kind {
-			case "User":
+			case capsulev1beta1.UserOwner:
 				ownersAnnotations[ownerUsersAnnotation] = append(ownersAnnotations[ownerUsersAnnotation], owner.Name)
-			case "Group":
+			case capsulev1beta1.GroupOwner:
 				ownersAnnotations[ownerGroupsAnnotation] = append(ownersAnnotations[ownerGroupsAnnotation], owner.Name)
-			case "ServiceAccount":
+			case capsulev1beta1.ServiceAccountOwner:
 				ownersAnnotations[ownerServiceAccountAnnotation] = append(ownersAnnotations[ownerServiceAccountAnnotation], owner.Name)
 			}
 		}
+
 		for _, setting := range owner.ProxyOperations {
 			switch setting.Kind {
-			case nodesServiceKind:
+			case capsulev1beta1.NodesProxy:
 				for _, operation := range setting.Operations {
 					switch operation {
-					case listOperation:
+					case capsulev1beta1.ListOperation:
 						proxyAnnotations[enableNodeListingAnnotation] = append(proxyAnnotations[enableNodeListingAnnotation], owner.Name)
-					case updateOperation:
+					case capsulev1beta1.UpdateOperation:
 						proxyAnnotations[enableNodeUpdateAnnotation] = append(proxyAnnotations[enableNodeUpdateAnnotation], owner.Name)
-					case deleteOperation:
+					case capsulev1beta1.DeleteOperation:
 						proxyAnnotations[enableNodeDeletionAnnotation] = append(proxyAnnotations[enableNodeDeletionAnnotation], owner.Name)
 					}
 				}
-			case storageClassesServiceKind:
+			case capsulev1beta1.PriorityClassesProxy:
 				for _, operation := range setting.Operations {
 					switch operation {
-					case listOperation:
+					case capsulev1beta1.ListOperation:
+						proxyAnnotations[enablePriorityClassListingAnnotation] = append(proxyAnnotations[enablePriorityClassListingAnnotation], owner.Name)
+					case capsulev1beta1.UpdateOperation:
+						proxyAnnotations[enablePriorityClassUpdateAnnotation] = append(proxyAnnotations[enablePriorityClassUpdateAnnotation], owner.Name)
+					case capsulev1beta1.DeleteOperation:
+						proxyAnnotations[enablePriorityClassDeletionAnnotation] = append(proxyAnnotations[enablePriorityClassDeletionAnnotation], owner.Name)
+					}
+				}
+			case capsulev1beta1.StorageClassesProxy:
+				for _, operation := range setting.Operations {
+					switch operation {
+					case capsulev1beta1.ListOperation:
 						proxyAnnotations[enableStorageClassListingAnnotation] = append(proxyAnnotations[enableStorageClassListingAnnotation], owner.Name)
-					case updateOperation:
+					case capsulev1beta1.UpdateOperation:
 						proxyAnnotations[enableStorageClassUpdateAnnotation] = append(proxyAnnotations[enableStorageClassUpdateAnnotation], owner.Name)
-					case deleteOperation:
+					case capsulev1beta1.DeleteOperation:
 						proxyAnnotations[enableStorageClassDeletionAnnotation] = append(proxyAnnotations[enableStorageClassDeletionAnnotation], owner.Name)
 					}
 				}
-			case ingressClassesServiceKind:
+			case capsulev1beta1.IngressClassesProxy:
 				for _, operation := range setting.Operations {
 					switch operation {
-					case listOperation:
+					case capsulev1beta1.ListOperation:
 						proxyAnnotations[enableIngressClassListingAnnotation] = append(proxyAnnotations[enableIngressClassListingAnnotation], owner.Name)
-					case updateOperation:
+					case capsulev1beta1.UpdateOperation:
 						proxyAnnotations[enableIngressClassUpdateAnnotation] = append(proxyAnnotations[enableIngressClassUpdateAnnotation], owner.Name)
-					case deleteOperation:
+					case capsulev1beta1.DeleteOperation:
 						proxyAnnotations[enableIngressClassDeletionAnnotation] = append(proxyAnnotations[enableIngressClassDeletionAnnotation], owner.Name)
 					}
 				}
@@ -343,6 +472,7 @@ func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 			t.Annotations[k] = strings.Join(v, ",")
 		}
 	}
+
 	for k, v := range proxyAnnotations {
 		if len(v) > 0 {
 			t.Annotations[k] = strings.Join(v, ",")
@@ -350,14 +480,21 @@ func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 	}
 }

+// nolint:gocyclo,cyclop
 func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
-	src := srcRaw.(*capsulev1beta1.Tenant)
+	src, ok := srcRaw.(*capsulev1beta1.Tenant)
+	if !ok {
+		return fmt.Errorf("expected *capsulev1beta1.Tenant, got %T", srcRaw)
+	}

 	// ObjectMeta
 	t.ObjectMeta = src.ObjectMeta

 	// Spec
-	t.Spec.NamespaceQuota = src.Spec.NamespaceQuota
+	if src.Spec.NamespaceOptions != nil && src.Spec.NamespaceOptions.Quota != nil {
+		t.Spec.NamespaceQuota = src.Spec.NamespaceOptions.Quota
+	}
+
 	t.Spec.NodeSelector = src.Spec.NodeSelector

 	if t.Annotations == nil {
@@ -366,51 +503,63 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {

 	t.convertV1Beta1OwnerToV1Alpha1(src)

-	if src.Spec.NamespacesMetadata != nil {
+	if src.Spec.NamespaceOptions != nil && src.Spec.NamespaceOptions.AdditionalMetadata != nil {
 		t.Spec.NamespacesMetadata = &AdditionalMetadataSpec{
-			AdditionalLabels:      src.Spec.NamespacesMetadata.AdditionalLabels,
-			AdditionalAnnotations: src.Spec.NamespacesMetadata.AdditionalAnnotations,
+			AdditionalLabels:      src.Spec.NamespaceOptions.AdditionalMetadata.Labels,
+			AdditionalAnnotations: src.Spec.NamespaceOptions.AdditionalMetadata.Annotations,
 		}
 	}
-	if src.Spec.ServicesMetadata != nil {
+
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AdditionalMetadata != nil {
 		t.Spec.ServicesMetadata = &AdditionalMetadataSpec{
-			AdditionalLabels:      src.Spec.ServicesMetadata.AdditionalLabels,
-			AdditionalAnnotations: src.Spec.ServicesMetadata.AdditionalAnnotations,
+			AdditionalLabels:      src.Spec.ServiceOptions.AdditionalMetadata.Labels,
+			AdditionalAnnotations: src.Spec.ServiceOptions.AdditionalMetadata.Annotations,
 		}
 	}
+
 	if src.Spec.StorageClasses != nil {
 		t.Spec.StorageClasses = &AllowedListSpec{
 			Exact: src.Spec.StorageClasses.Exact,
 			Regex: src.Spec.StorageClasses.Regex,
 		}
 	}
-	if src.Spec.IngressClasses != nil {
+
+	t.Annotations[ingressHostnameCollisionScope] = string(src.Spec.IngressOptions.HostnameCollisionScope)
+
+	if src.Spec.IngressOptions.AllowedClasses != nil {
 		t.Spec.IngressClasses = &AllowedListSpec{
-			Exact: src.Spec.IngressClasses.Exact,
-			Regex: src.Spec.IngressClasses.Regex,
+			Exact: src.Spec.IngressOptions.AllowedClasses.Exact,
+			Regex: src.Spec.IngressOptions.AllowedClasses.Regex,
 		}
 	}
-	if src.Spec.IngressHostnames != nil {
+
+	if src.Spec.IngressOptions.AllowedHostnames != nil {
 		t.Spec.IngressHostnames = &AllowedListSpec{
-			Exact: src.Spec.IngressHostnames.Exact,
-			Regex: src.Spec.IngressHostnames.Regex,
+			Exact: src.Spec.IngressOptions.AllowedHostnames.Exact,
+			Regex: src.Spec.IngressOptions.AllowedHostnames.Regex,
 		}
 	}
+
 	if src.Spec.ContainerRegistries != nil {
 		t.Spec.ContainerRegistries = &AllowedListSpec{
 			Exact: src.Spec.ContainerRegistries.Exact,
 			Regex: src.Spec.ContainerRegistries.Regex,
 		}
 	}
-	if src.Spec.NetworkPolicies != nil {
+
+	if len(src.Spec.NetworkPolicies.Items) > 0 {
 		t.Spec.NetworkPolicies = src.Spec.NetworkPolicies.Items
 	}
-	if src.Spec.LimitRanges != nil {
+
+	if len(src.Spec.LimitRanges.Items) > 0 {
 		t.Spec.LimitRanges = src.Spec.LimitRanges.Items
 	}
-	if src.Spec.ResourceQuota != nil {
+
+	if len(src.Spec.ResourceQuota.Items) > 0 {
+		t.Annotations[resourceQuotaScopeAnnotation] = string(src.Spec.ResourceQuota.Scope)
 		t.Spec.ResourceQuota = src.Spec.ResourceQuota.Items
 	}
+
 	if len(src.Spec.AdditionalRoleBindings) > 0 {
 		for _, rb := range src.Spec.AdditionalRoleBindings {
 			t.Spec.AdditionalRoleBindings = append(t.Spec.AdditionalRoleBindings, AdditionalRoleBindingsSpec{
@@ -419,21 +568,24 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
 			})
 		}
 	}
-	if src.Spec.ExternalServiceIPs != nil {
-		var allowedIPs []AllowedIP
-		for _, IP := range src.Spec.ExternalServiceIPs.Allowed {
-			allowedIPs = append(allowedIPs, AllowedIP(IP))
+
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.ExternalServiceIPs != nil {
+		t.Spec.ExternalServiceIPs = &ExternalServiceIPsSpec{
+			Allowed: make([]AllowedIP, len(src.Spec.ServiceOptions.ExternalServiceIPs.Allowed)),
 		}

-		t.Spec.ExternalServiceIPs = &ExternalServiceIPsSpec{
-			Allowed: allowedIPs,
+		for i, IP := range src.Spec.ServiceOptions.ExternalServiceIPs.Allowed {
+			t.Spec.ExternalServiceIPs.Allowed[i] = AllowedIP(IP)
 		}
 	}
+
 	if len(src.Spec.ImagePullPolicies) != 0 {
 		var pullPolicies []string
+
 		for _, policy := range src.Spec.ImagePullPolicies {
 			pullPolicies = append(pullPolicies, string(policy))
 		}
+
 		t.Annotations[podAllowedImagePullPolicyAnnotation] = strings.Join(pullPolicies, ",")
 	}

@@ -441,12 +593,25 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
 		if len(src.Spec.PriorityClasses.Exact) != 0 {
 			t.Annotations[podPriorityAllowedAnnotation] = strings.Join(src.Spec.PriorityClasses.Exact, ",")
 		}
+
 		if src.Spec.PriorityClasses.Regex != "" {
 			t.Annotations[podPriorityAllowedRegexAnnotation] = src.Spec.PriorityClasses.Regex
 		}
 	}

-	t.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(src.Spec.EnableNodePorts)
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AllowedServices != nil {
+		if src.Spec.ServiceOptions.AllowedServices.NodePort != nil {
+			t.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.NodePort)
+		}
+
+		if src.Spec.ServiceOptions.AllowedServices.ExternalName != nil {
+			t.Annotations[enableExternalNameAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.ExternalName)
+		}
+
+		if src.Spec.ServiceOptions.AllowedServices.LoadBalancer != nil {
+			t.Annotations[enableLoadBalancerAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.LoadBalancer)
+		}
+	}

 	// Status
 	t.Status = TenantStatus{
--- a/api/v1alpha1/conversion_hub_test.go
+++ b/api/v1alpha1/conversion_hub_test.go
@@ -13,16 +13,19 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"

 	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
 )

+// nolint:maintidx
 func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 	var namespaceQuota int32 = 5
-	var nodeSelector = map[string]string{
+
+	nodeSelector := map[string]string{
 		"foo": "bar",
 	}
-	var v1alpha1AdditionalMetadataSpec = &AdditionalMetadataSpec{
+	v1alpha1AdditionalMetadataSpec := &AdditionalMetadataSpec{
 		AdditionalLabels: map[string]string{
 			"foo": "bar",
 		},
@@ -30,23 +33,38 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			"foo": "bar",
 		},
 	}
-	var v1alpha1AllowedListSpec = &AllowedListSpec{
+	v1alpha1AllowedListSpec := &AllowedListSpec{
 		Exact: []string{"foo", "bar"},
 		Regex: "^foo*",
 	}
-	var v1beta1AdditionalMetadataSpec = &capsulev1beta1.AdditionalMetadataSpec{
-		AdditionalLabels: map[string]string{
+	v1beta1AdditionalMetadataSpec := &capsulev1beta1.AdditionalMetadataSpec{
+		Labels: map[string]string{
 			"foo": "bar",
 		},
-		AdditionalAnnotations: map[string]string{
+		Annotations: map[string]string{
 			"foo": "bar",
 		},
 	}
-	var v1beta1AllowedListSpec = &capsulev1beta1.AllowedListSpec{
+	v1beta1NamespaceOptions := &capsulev1beta1.NamespaceOptions{
+		Quota:              &namespaceQuota,
+		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
+	}
+	v1beta1ServiceOptions := &capsulev1beta1.ServiceOptions{
+		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
+		AllowedServices: &capsulev1beta1.AllowedServices{
+			NodePort:     pointer.BoolPtr(false),
+			ExternalName: pointer.BoolPtr(false),
+			LoadBalancer: pointer.BoolPtr(false),
+		},
+		ExternalServiceIPs: &capsulev1beta1.ExternalServiceIPsSpec{
+			Allowed: []capsulev1beta1.AllowedIP{"192.168.0.1"},
+		},
+	}
+	v1beta1AllowedListSpec := &capsulev1beta1.AllowedListSpec{
 		Exact: []string{"foo", "bar"},
 		Regex: "^foo*",
 	}
-	var networkPolicies = []networkingv1.NetworkPolicySpec{
+	networkPolicies := []networkingv1.NetworkPolicySpec{
 		{
 			Ingress: []networkingv1.NetworkPolicyIngressRule{
 				{
@@ -71,7 +89,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			},
 		},
 	}
-	var limitRanges = []corev1.LimitRangeSpec{
+	limitRanges := []corev1.LimitRangeSpec{
 		{
 			Limits: []corev1.LimitRangeItem{
 				{
@@ -88,7 +106,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			},
 		},
 	}
-	var resourceQuotas = []corev1.ResourceQuotaSpec{
+	resourceQuotas := []corev1.ResourceQuotaSpec{
 		{
 			Hard: map[corev1.ResourceName]resource.Quantity{
 				corev1.ResourceLimitsCPU:      resource.MustParse("8"),
@@ -102,7 +120,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 		},
 	}

-	var v1beta1Tnt = capsulev1beta1.Tenant{
+	v1beta1Tnt := capsulev1beta1.Tenant{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "alice",
@@ -114,7 +132,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			},
 		},
 		Spec: capsulev1beta1.TenantSpec{
-			Owners: []capsulev1beta1.OwnerSpec{
+			Owners: capsulev1beta1.OwnerListSpec{
 				{
 					Kind: "User",
 					Name: "alice",
@@ -163,6 +181,10 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 							Kind:       "StorageClasses",
 							Operations: []capsulev1beta1.ProxyOperation{"List"},
 						},
+						{
+							Kind:       "PriorityClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List"},
+						},
 					},
 				},
 				{
@@ -210,21 +232,24 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 					},
 				},
 			},
-			NamespaceQuota:      &namespaceQuota,
-			NamespacesMetadata:  v1beta1AdditionalMetadataSpec,
-			ServicesMetadata:    v1beta1AdditionalMetadataSpec,
-			StorageClasses:      v1beta1AllowedListSpec,
-			IngressClasses:      v1beta1AllowedListSpec,
-			IngressHostnames:    v1beta1AllowedListSpec,
+			NamespaceOptions: v1beta1NamespaceOptions,
+			ServiceOptions:   v1beta1ServiceOptions,
+			StorageClasses:   v1beta1AllowedListSpec,
+			IngressOptions: capsulev1beta1.IngressOptions{
+				HostnameCollisionScope: capsulev1beta1.HostnameCollisionScopeDisabled,
+				AllowedClasses:         v1beta1AllowedListSpec,
+				AllowedHostnames:       v1beta1AllowedListSpec,
+			},
 			ContainerRegistries: v1beta1AllowedListSpec,
 			NodeSelector:        nodeSelector,
-			NetworkPolicies: &capsulev1beta1.NetworkPolicySpec{
+			NetworkPolicies: capsulev1beta1.NetworkPolicySpec{
 				Items: networkPolicies,
 			},
-			LimitRanges: &capsulev1beta1.LimitRangesSpec{
+			LimitRanges: capsulev1beta1.LimitRangesSpec{
 				Items: limitRanges,
 			},
-			ResourceQuota: &capsulev1beta1.ResourceQuotaSpec{
+			ResourceQuota: capsulev1beta1.ResourceQuotaSpec{
+				Scope: capsulev1beta1.ResourceQuotaScopeNamespace,
 				Items: resourceQuotas,
 			},
 			AdditionalRoleBindings: []capsulev1beta1.AdditionalRoleBindingsSpec{
@@ -233,21 +258,17 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 					Subjects: []rbacv1.Subject{
 						{
 							Kind:     "Group",
-							APIGroup: "rbac.authorization.k8s.io",
+							APIGroup: rbacv1.GroupName,
 							Name:     "system:authenticated",
 						},
 					},
 				},
 			},
-			ExternalServiceIPs: &capsulev1beta1.ExternalServiceIPsSpec{
-				Allowed: []capsulev1beta1.AllowedIP{"192.168.0.1"},
-			},
 			ImagePullPolicies: []capsulev1beta1.ImagePullPolicySpec{"Always", "IfNotPresent"},
 			PriorityClasses: &capsulev1beta1.AllowedListSpec{
 				Exact: []string{"default"},
 				Regex: "^tier-.*$",
 			},
-			EnableNodePorts: false,
 		},
 		Status: capsulev1beta1.TenantStatus{
 			Size:       1,
@@ -255,7 +276,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 		},
 	}

-	var v1alpha1Tnt = Tenant{
+	v1alpha1Tnt := Tenant{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "alice",
@@ -265,7 +286,9 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			Annotations: map[string]string{
 				"foo":                                "bar",
 				podAllowedImagePullPolicyAnnotation:  "Always,IfNotPresent",
+				enableExternalNameAnnotation:         "false",
 				enableNodePortsAnnotation:            "false",
+				enableLoadBalancerAnnotation:         "false",
 				podPriorityAllowedAnnotation:         "default",
 				podPriorityAllowedRegexAnnotation:    "^tier-.*$",
 				ownerGroupsAnnotation:                "owner-foo,owner-bar",
@@ -279,6 +302,9 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 				enableIngressClassListingAnnotation:  "alice,owner-foo,owner-bar",
 				enableIngressClassUpdateAnnotation:   "alice,bob",
 				enableIngressClassDeletionAnnotation: "alice,jack",
+				enablePriorityClassListingAnnotation: "jack",
+				resourceQuotaScopeAnnotation:         "Namespace",
+				ingressHostnameCollisionScope:        "Disabled",
 			},
 		},
 		Spec: TenantSpec{
@@ -303,7 +329,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 					Subjects: []rbacv1.Subject{
 						{
 							Kind:     "Group",
-							APIGroup: "rbac.authorization.k8s.io",
+							APIGroup: rbacv1.GroupName,
 							Name:     "system:authenticated",
 						},
 					},
@@ -323,10 +349,11 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 }

 func TestConversionHub_ConvertTo(t *testing.T) {
-	var v1beta1ConvertedTnt = capsulev1beta1.Tenant{}
+	v1beta1ConvertedTnt := capsulev1beta1.Tenant{}

 	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()
 	err := v1alpha1Tnt.ConvertTo(&v1beta1ConvertedTnt)
+
 	if assert.NoError(t, err) {
 		sort.Slice(v1beta1tnt.Spec.Owners, func(i, j int) bool {
 			return v1beta1tnt.Spec.Owners[i].Name < v1beta1tnt.Spec.Owners[j].Name
@@ -340,17 +367,20 @@ func TestConversionHub_ConvertTo(t *testing.T) {
 				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
 			})
 		}
+
 		for _, owner := range v1beta1ConvertedTnt.Spec.Owners {
 			sort.Slice(owner.ProxyOperations, func(i, j int) bool {
 				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
 			})
 		}
+
 		assert.Equal(t, v1beta1tnt, v1beta1ConvertedTnt)
 	}
 }

 func TestConversionHub_ConvertFrom(t *testing.T) {
-	var v1alpha1ConvertedTnt = Tenant{}
+	v1alpha1ConvertedTnt := Tenant{}
+
 	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()

 	err := v1alpha1ConvertedTnt.ConvertFrom(&v1beta1tnt)
--- a/api/v1alpha1/groupversion_info.go
+++ b/api/v1alpha1/groupversion_info.go
@@ -12,10 +12,10 @@ import (
 )

 var (
-	// GroupVersion is group version used to register these objects
+	// GroupVersion is group version used to register these objects.
 	GroupVersion = schema.GroupVersion{Group: "capsule.clastix.io", Version: "v1alpha1"}

-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

 	// AddToScheme adds the types in this group-version to the given scheme.
--- a/api/v1alpha1/owner.go
+++ b/api/v1alpha1/owner.go
@@ -3,7 +3,7 @@

 package v1alpha1

-// OwnerSpec defines tenant owner name and kind
+// OwnerSpec defines tenant owner name and kind.
 type OwnerSpec struct {
 	Name string `json:"name"`
 	Kind Kind   `json:"kind"`
--- a/api/v1alpha1/tenant_func.go
+++ b/api/v1alpha1/tenant_func.go
@@ -13,6 +13,7 @@ func (t *Tenant) IsCordoned() bool {
 	if v, ok := t.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
 		return true
 	}
+
 	return false
 }

@@ -21,16 +22,19 @@ func (t *Tenant) IsFull() bool {
 	if t.Spec.NamespaceQuota == nil {
 		return false
 	}
+
 	return len(t.Status.Namespaces) >= int(*t.Spec.NamespaceQuota)
 }

 func (t *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
 	var l []string
+
 	for _, ns := range namespaces {
 		if ns.Status.Phase == corev1.NamespaceActive {
 			l = append(l, ns.GetName())
 		}
 	}
+
 	sort.Strings(l)

 	t.Status.Namespaces = l
--- a/api/v1alpha1/tenant_labels.go
+++ b/api/v1alpha1/tenant_labels.go
@@ -27,5 +27,6 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 	default:
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
+
 	return
 }
--- a/api/v1alpha1/tenant_types.go
+++ b/api/v1alpha1/tenant_types.go
@@ -9,7 +9,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-// TenantSpec defines the desired state of Tenant
+// TenantSpec defines the desired state of Tenant.
 type TenantSpec struct {
 	Owner OwnerSpec `json:"owner"`

@@ -29,7 +29,7 @@ type TenantSpec struct {
 	ExternalServiceIPs     *ExternalServiceIPsSpec          `json:"externalServiceIPs,omitempty"`
 }

-// TenantStatus defines the observed state of Tenant
+// TenantStatus defines the observed state of Tenant.
 type TenantStatus struct {
 	Size       uint     `json:"size"`
 	Namespaces []string `json:"namespaces,omitempty"`
@@ -45,7 +45,7 @@ type TenantStatus struct {
 // +kubebuilder:printcolumn:name="Node selector",type="string",JSONPath=".spec.nodeSelector",description="Node Selector applied to Pods"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"

-// Tenant is the Schema for the tenants API
+// Tenant is the Schema for the tenants API.
 type Tenant struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -56,7 +56,7 @@ type Tenant struct {

 // +kubebuilder:object:root=true

-// TenantList contains a list of Tenant
+// TenantList contains a list of Tenant.
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

 // Copyright 2020-2021 Clastix Labs
--- a/api/v1beta1/additional_metadata.go
+++ b/api/v1beta1/additional_metadata.go
@@ -4,6 +4,6 @@
 package v1beta1

 type AdditionalMetadataSpec struct {
-	AdditionalLabels      map[string]string `json:"additionalLabels,omitempty"`
-	AdditionalAnnotations map[string]string `json:"additionalAnnotations,omitempty"`
+	Labels      map[string]string `json:"labels,omitempty"`
+	Annotations map[string]string `json:"annotations,omitempty"`
 }
--- a/api/v1beta1/allowed_list.go
+++ b/api/v1beta1/allowed_list.go
@@ -1,6 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
-
+//nolint:dupl
 package v1beta1

 import (
@@ -19,9 +19,12 @@ func (in *AllowedListSpec) ExactMatch(value string) (ok bool) {
 		sort.SliceStable(in.Exact, func(i, j int) bool {
 			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
 		})
+
 		i := sort.SearchStrings(in.Exact, value)
+
 		ok = i < len(in.Exact) && in.Exact[i] == value
 	}
+
 	return
 }

@@ -29,5 +32,6 @@ func (in AllowedListSpec) RegexMatch(value string) (ok bool) {
 	if len(in.Regex) > 0 {
 		ok = regexp.MustCompile(in.Regex).MatchString(value)
 	}
+
 	return
 }
--- a/api/v1beta1/allowed_list_test.go
+++ b/api/v1beta1/allowed_list_test.go
@@ -1,6 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
-
+//nolint:dupl
 package v1beta1

 import (
@@ -15,6 +15,7 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{
 			[]string{"foo", "bar", "bizz", "buzz"},
@@ -35,9 +36,11 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Exact: tc.In,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.ExactMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.ExactMatch(ko))
 		}
@@ -50,6 +53,7 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
 		{``, nil, []string{"any", "value"}},
@@ -57,9 +61,11 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Regex: tc.Regex,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.RegexMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.RegexMatch(ko))
 		}
--- a/api/v1beta1/custom_resource_quota.go
+++ b/api/v1beta1/custom_resource_quota.go
@@ -0,0 +1,59 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"fmt"
+	"strconv"
+)
+
+const (
+	ResourceQuotaAnnotationPrefix = "quota.resources.capsule.clastix.io"
+	ResourceUsedAnnotationPrefix  = "used.resources.capsule.clastix.io"
+)
+
+func UsedAnnotationForResource(kindGroup string) string {
+	return fmt.Sprintf("%s/%s", ResourceUsedAnnotationPrefix, kindGroup)
+}
+
+func LimitAnnotationForResource(kindGroup string) string {
+	return fmt.Sprintf("%s/%s", ResourceQuotaAnnotationPrefix, kindGroup)
+}
+
+func GetUsedResourceFromTenant(tenant Tenant, kindGroup string) (int64, error) {
+	usedStr, ok := tenant.GetAnnotations()[UsedAnnotationForResource(kindGroup)]
+	if !ok {
+		usedStr = "0"
+	}
+
+	used, _ := strconv.ParseInt(usedStr, 10, 10)
+
+	return used, nil
+}
+
+type NonLimitedResourceError struct {
+	kindGroup string
+}
+
+func NewNonLimitedResourceError(kindGroup string) *NonLimitedResourceError {
+	return &NonLimitedResourceError{kindGroup: kindGroup}
+}
+
+func (n NonLimitedResourceError) Error() string {
+	return fmt.Sprintf("resource %s is not limited for the current tenant", n.kindGroup)
+}
+
+func GetLimitResourceFromTenant(tenant Tenant, kindGroup string) (int64, error) {
+	limitStr, ok := tenant.GetAnnotations()[LimitAnnotationForResource(kindGroup)]
+	if !ok {
+		return 0, NewNonLimitedResourceError(kindGroup)
+	}
+
+	limit, err := strconv.ParseInt(limitStr, 10, 10)
+	if err != nil {
+		return 0, fmt.Errorf("resource %s limit cannot be parsed, %w", kindGroup, err)
+	}
+
+	return limit, nil
+}
--- a/api/v1beta1/deny_wildcard.go
+++ b/api/v1beta1/deny_wildcard.go
@@ -0,0 +1,16 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+const (
+	denyWildcard = "capsule.clastix.io/deny-wildcard"
+)
+
+func (t *Tenant) IsWildcardDenied() bool {
+	if v, ok := t.Annotations[denyWildcard]; ok && v == "true" {
+		return true
+	}
+
+	return false
+}
--- a/api/v1beta1/forbidden_list.go
+++ b/api/v1beta1/forbidden_list.go
@@ -0,0 +1,37 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+//nolint:dupl
+package v1beta1
+
+import (
+	"regexp"
+	"sort"
+	"strings"
+)
+
+type ForbiddenListSpec struct {
+	Exact []string `json:"denied,omitempty"`
+	Regex string   `json:"deniedRegex,omitempty"`
+}
+
+func (in *ForbiddenListSpec) ExactMatch(value string) (ok bool) {
+	if len(in.Exact) > 0 {
+		sort.SliceStable(in.Exact, func(i, j int) bool {
+			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
+		})
+
+		i := sort.SearchStrings(in.Exact, value)
+
+		ok = i < len(in.Exact) && in.Exact[i] == value
+	}
+
+	return
+}
+
+func (in ForbiddenListSpec) RegexMatch(value string) (ok bool) {
+	if len(in.Regex) > 0 {
+		ok = regexp.MustCompile(in.Regex).MatchString(value)
+	}
+
+	return
+}
--- a/api/v1beta1/forbidden_list_test.go
+++ b/api/v1beta1/forbidden_list_test.go
@@ -0,0 +1,73 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+//nolint:dupl
+package v1beta1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestForbiddenListSpec_ExactMatch(t *testing.T) {
+	type tc struct {
+		In    []string
+		True  []string
+		False []string
+	}
+
+	for _, tc := range []tc{
+		{
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"bing", "bong"},
+		},
+		{
+			[]string{"one", "two", "three"},
+			[]string{"one", "two", "three"},
+			[]string{"a", "b", "c"},
+		},
+		{
+			nil,
+			nil,
+			[]string{"any", "value"},
+		},
+	} {
+		a := ForbiddenListSpec{
+			Exact: tc.In,
+		}
+
+		for _, ok := range tc.True {
+			assert.True(t, a.ExactMatch(ok))
+		}
+
+		for _, ko := range tc.False {
+			assert.False(t, a.ExactMatch(ko))
+		}
+	}
+}
+
+func TestForbiddenListSpec_RegexMatch(t *testing.T) {
+	type tc struct {
+		Regex string
+		True  []string
+		False []string
+	}
+
+	for _, tc := range []tc{
+		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
+		{``, nil, []string{"any", "value"}},
+	} {
+		a := ForbiddenListSpec{
+			Regex: tc.Regex,
+		}
+
+		for _, ok := range tc.True {
+			assert.True(t, a.RegexMatch(ok))
+		}
+
+		for _, ko := range tc.False {
+			assert.False(t, a.RegexMatch(ko))
+		}
+	}
+}
--- a/api/v1beta1/groupversion_info.go
+++ b/api/v1beta1/groupversion_info.go
@@ -12,10 +12,10 @@ import (
 )

 var (
-	// GroupVersion is group version used to register these objects
+	// GroupVersion is group version used to register these objects.
 	GroupVersion = schema.GroupVersion{Group: "capsule.clastix.io", Version: "v1beta1"}

-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

 	// AddToScheme adds the types in this group-version to the given scheme.
--- a/api/v1beta1/hostname_collision_scope.go
+++ b/api/v1beta1/hostname_collision_scope.go
@@ -0,0 +1,14 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+const (
+	HostnameCollisionScopeCluster   HostnameCollisionScope = "Cluster"
+	HostnameCollisionScopeTenant    HostnameCollisionScope = "Tenant"
+	HostnameCollisionScopeNamespace HostnameCollisionScope = "Namespace"
+	HostnameCollisionScopeDisabled  HostnameCollisionScope = "Disabled"
+)
+
+// +kubebuilder:validation:Enum=Cluster;Tenant;Namespace;Disabled
+type HostnameCollisionScope string
--- a/api/v1beta1/ingress_options.go
+++ b/api/v1beta1/ingress_options.go
@@ -0,0 +1,24 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type IngressOptions struct {
+	// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+	AllowedClasses *AllowedListSpec `json:"allowedClasses,omitempty"`
+	// Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
+	//
+	//
+	// - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.
+	//
+	// - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.
+	//
+	// - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.
+	//
+	//
+	// Optional.
+	// +kubebuilder:default=Disabled
+	HostnameCollisionScope HostnameCollisionScope `json:"hostnameCollisionScope,omitempty"`
+	// Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+	AllowedHostnames *AllowedListSpec `json:"allowedHostnames,omitempty"`
+}
--- a/api/v1beta1/namespace_options.go
+++ b/api/v1beta1/namespace_options.go
@@ -0,0 +1,57 @@
+package v1beta1
+
+import "strings"
+
+type NamespaceOptions struct {
+	//+kubebuilder:validation:Minimum=1
+	// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+	Quota *int32 `json:"quota,omitempty"`
+	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+	AdditionalMetadata *AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
+}
+
+func (t *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
+	if _, ok := t.Annotations[ForbiddenNamespaceLabelsAnnotation]; ok {
+		return true
+	}
+
+	if _, ok := t.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+		return true
+	}
+
+	return false
+}
+
+func (t *Tenant) hasForbiddenNamespaceAnnotationsAnnotations() bool {
+	if _, ok := t.Annotations[ForbiddenNamespaceAnnotationsAnnotation]; ok {
+		return true
+	}
+
+	if _, ok := t.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+		return true
+	}
+
+	return false
+}
+
+func (t *Tenant) ForbiddenUserNamespaceLabels() *ForbiddenListSpec {
+	if !t.hasForbiddenNamespaceLabelsAnnotations() {
+		return nil
+	}
+
+	return &ForbiddenListSpec{
+		Exact: strings.Split(t.Annotations[ForbiddenNamespaceLabelsAnnotation], ","),
+		Regex: t.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation],
+	}
+}
+
+func (t *Tenant) ForbiddenUserNamespaceAnnotations() *ForbiddenListSpec {
+	if !t.hasForbiddenNamespaceAnnotationsAnnotations() {
+		return nil
+	}
+
+	return &ForbiddenListSpec{
+		Exact: strings.Split(t.Annotations[ForbiddenNamespaceAnnotationsAnnotation], ","),
+		Regex: t.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation],
+	}
+}
--- a/api/v1beta1/owner.go
+++ b/api/v1beta1/owner.go
@@ -3,10 +3,12 @@

 package v1beta1

-// OwnerSpec defines tenant owner name and kind
 type OwnerSpec struct {
-	Kind            OwnerKind       `json:"kind"`
-	Name            string          `json:"name"`
+	// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
+	Kind OwnerKind `json:"kind"`
+	// Name of tenant owner.
+	Name string `json:"name"`
+	// Proxy settings for tenant owner.
 	ProxyOperations []ProxySettings `json:"proxySettings,omitempty"`
 }

@@ -29,9 +31,24 @@ func (p ProxyOperation) String() string {
 	return string(p)
 }

-// +kubebuilder:validation:Enum=Nodes;StorageClasses;IngressClasses
+// +kubebuilder:validation:Enum=Nodes;StorageClasses;IngressClasses;PriorityClasses
 type ProxyServiceKind string

 func (p ProxyServiceKind) String() string {
 	return string(p)
 }
+
+const (
+	NodesProxy           ProxyServiceKind = "Nodes"
+	StorageClassesProxy  ProxyServiceKind = "StorageClasses"
+	IngressClassesProxy  ProxyServiceKind = "IngressClasses"
+	PriorityClassesProxy ProxyServiceKind = "PriorityClasses"
+
+	ListOperation   ProxyOperation = "List"
+	UpdateOperation ProxyOperation = "Update"
+	DeleteOperation ProxyOperation = "Delete"
+
+	UserOwner           OwnerKind = "User"
+	GroupOwner          OwnerKind = "Group"
+	ServiceAccountOwner OwnerKind = "ServiceAccount"
+)
--- a/api/v1beta1/owner_list.go
+++ b/api/v1beta1/owner_list.go
@@ -0,0 +1,38 @@
+package v1beta1
+
+import (
+	"sort"
+)
+
+type OwnerListSpec []OwnerSpec
+
+func (o OwnerListSpec) FindOwner(name string, kind OwnerKind) (owner OwnerSpec) {
+	sort.Sort(ByKindAndName(o))
+	i := sort.Search(len(o), func(i int) bool {
+		return o[i].Kind >= kind && o[i].Name >= name
+	})
+
+	if i < len(o) && o[i].Kind == kind && o[i].Name == name {
+		return o[i]
+	}
+
+	return
+}
+
+type ByKindAndName OwnerListSpec
+
+func (b ByKindAndName) Len() int {
+	return len(b)
+}
+
+func (b ByKindAndName) Less(i, j int) bool {
+	if b[i].Kind.String() != b[j].Kind.String() {
+		return b[i].Kind.String() < b[j].Kind.String()
+	}
+
+	return b[i].Name < b[j].Name
+}
+
+func (b ByKindAndName) Swap(i, j int) {
+	b[i], b[j] = b[j], b[i]
+}
--- a/api/v1beta1/owner_list_test.go
+++ b/api/v1beta1/owner_list_test.go
@@ -0,0 +1,83 @@
+package v1beta1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestOwnerListSpec_FindOwner(t *testing.T) {
+	bla := OwnerSpec{
+		Kind: UserOwner,
+		Name: "bla",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       IngressClassesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+		},
+	}
+	bar := OwnerSpec{
+		Kind: GroupOwner,
+		Name: "bar",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+		},
+	}
+	baz := OwnerSpec{
+		Kind: UserOwner,
+		Name: "baz",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"Update"},
+			},
+		},
+	}
+	fim := OwnerSpec{
+		Kind: ServiceAccountOwner,
+		Name: "fim",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       NodesProxy,
+				Operations: []ProxyOperation{"List"},
+			},
+		},
+	}
+	bom := OwnerSpec{
+		Kind: GroupOwner,
+		Name: "bom",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+			{
+				Kind:       NodesProxy,
+				Operations: []ProxyOperation{"Delete"},
+			},
+		},
+	}
+	qip := OwnerSpec{
+		Kind: ServiceAccountOwner,
+		Name: "qip",
+		ProxyOperations: []ProxySettings{
+			{
+				Kind:       StorageClassesProxy,
+				Operations: []ProxyOperation{"List", "Delete"},
+			},
+		},
+	}
+	owners := OwnerListSpec{bom, qip, bla, bar, baz, fim}
+
+	assert.Equal(t, owners.FindOwner("bom", GroupOwner), bom)
+	assert.Equal(t, owners.FindOwner("qip", ServiceAccountOwner), qip)
+	assert.Equal(t, owners.FindOwner("bla", UserOwner), bla)
+	assert.Equal(t, owners.FindOwner("bar", GroupOwner), bar)
+	assert.Equal(t, owners.FindOwner("baz", UserOwner), baz)
+	assert.Equal(t, owners.FindOwner("fim", ServiceAccountOwner), fim)
+	assert.Equal(t, owners.FindOwner("notfound", ServiceAccountOwner), OwnerSpec{})
+}
--- a/api/v1beta1/owner_role.go
+++ b/api/v1beta1/owner_role.go
@@ -0,0 +1,48 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	ClusterRoleNamesAnnotation = "clusterrolenames.capsule.clastix.io"
+)
+
+// GetRoles read the annotation available in the Tenant specification and if it matches the pattern
+// clusterrolenames.capsule.clastix.io/${KIND}.${NAME} returns the associated roles.
+// Kubernetes annotations and labels must respect RFC 1123 about DNS names and this could be cumbersome in two cases:
+// 1. identifying users based on their email address
+// 2. the overall length of the annotation key that is exceeding 63 characters
+// For emails, the symbol @ can be replaced with the placeholder __AT__.
+// For the latter one, the index of the owner can be used to force the retrieval.
+func (in OwnerSpec) GetRoles(tenant Tenant, index int) []string {
+	for key, value := range tenant.GetAnnotations() {
+		if !strings.HasPrefix(key, fmt.Sprintf("%s/", ClusterRoleNamesAnnotation)) {
+			continue
+		}
+
+		for symbol, replace := range in.convertMap() {
+			key = strings.ReplaceAll(key, symbol, replace)
+		}
+
+		nameBased := key == fmt.Sprintf("%s/%s.%s", ClusterRoleNamesAnnotation, strings.ToLower(in.Kind.String()), strings.ToLower(in.Name))
+
+		indexBased := key == fmt.Sprintf("%s/%d", ClusterRoleNamesAnnotation, index)
+
+		if nameBased || indexBased {
+			return strings.Split(value, ",")
+		}
+	}
+
+	return []string{"admin", "capsule-namespace-deleter"}
+}
+
+func (in OwnerSpec) convertMap() map[string]string {
+	return map[string]string{
+		"__AT__": "@",
+	}
+}
--- a/api/v1beta1/resource_quota.go
+++ b/api/v1beta1/resource_quota.go
@@ -5,6 +5,17 @@ package v1beta1

 import corev1 "k8s.io/api/core/v1"

+// +kubebuilder:validation:Enum=Tenant;Namespace
+type ResourceQuotaScope string
+
+const (
+	ResourceQuotaScopeTenant    ResourceQuotaScope = "Tenant"
+	ResourceQuotaScopeNamespace ResourceQuotaScope = "Namespace"
+)
+
 type ResourceQuotaSpec struct {
+	// +kubebuilder:default=Tenant
+	// Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
+	Scope ResourceQuotaScope         `json:"scope,omitempty"`
 	Items []corev1.ResourceQuotaSpec `json:"items,omitempty"`
 }
--- a/api/v1beta1/external_service_ips.go
+++ b/api/v1beta1/external_service_ips.go
--- a/api/v1beta1/service_allowed_types.go
+++ b/api/v1beta1/service_allowed_types.go
@@ -0,0 +1,16 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type AllowedServices struct {
+	//+kubebuilder:default=true
+	// Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+	NodePort *bool `json:"nodePort,omitempty"`
+	//+kubebuilder:default=true
+	// Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+	ExternalName *bool `json:"externalName,omitempty"`
+	//+kubebuilder:default=true
+	// Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+	LoadBalancer *bool `json:"loadBalancer,omitempty"`
+}
--- a/api/v1beta1/service_options.go
+++ b/api/v1beta1/service_options.go
@@ -0,0 +1,13 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type ServiceOptions struct {
+	// Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+	AdditionalMetadata *AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
+	// Block or deny certain type of Services. Optional.
+	AllowedServices *AllowedServices `json:"allowedServices,omitempty"`
+	// Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.
+	ExternalServiceIPs *ExternalServiceIPsSpec `json:"externalIPs,omitempty"`
+}
--- a/api/v1beta1/tenant_annotations.go
+++ b/api/v1beta1/tenant_annotations.go
@@ -5,21 +5,27 @@ package v1beta1

 import (
 	"fmt"
+	"strings"
 )

 const (
-	AvailableIngressClassesAnnotation       = "capsule.clastix.io/ingress-classes"
-	AvailableIngressClassesRegexpAnnotation = "capsule.clastix.io/ingress-classes-regexp"
-	AvailableStorageClassesAnnotation       = "capsule.clastix.io/storage-classes"
-	AvailableStorageClassesRegexpAnnotation = "capsule.clastix.io/storage-classes-regexp"
-	AllowedRegistriesAnnotation             = "capsule.clastix.io/allowed-registries"
-	AllowedRegistriesRegexpAnnotation       = "capsule.clastix.io/allowed-registries-regexp"
+	AvailableIngressClassesAnnotation             = "capsule.clastix.io/ingress-classes"
+	AvailableIngressClassesRegexpAnnotation       = "capsule.clastix.io/ingress-classes-regexp"
+	AvailableStorageClassesAnnotation             = "capsule.clastix.io/storage-classes"
+	AvailableStorageClassesRegexpAnnotation       = "capsule.clastix.io/storage-classes-regexp"
+	AllowedRegistriesAnnotation                   = "capsule.clastix.io/allowed-registries"
+	AllowedRegistriesRegexpAnnotation             = "capsule.clastix.io/allowed-registries-regexp"
+	ForbiddenNamespaceLabelsAnnotation            = "capsule.clastix.io/forbidden-namespace-labels"
+	ForbiddenNamespaceLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-namespace-labels-regexp"
+	ForbiddenNamespaceAnnotationsAnnotation       = "capsule.clastix.io/forbidden-namespace-annotations"
+	ForbiddenNamespaceAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-namespace-annotations-regexp"
+	ProtectedTenantAnnotation                     = "capsule.clastix.io/protected"
 )

 func UsedQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/used-" + resource.String()
+	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
 }

 func HardQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/hard-" + resource.String()
+	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
 }
--- a/api/v1beta1/tenant_func.go
+++ b/api/v1beta1/tenant_func.go
@@ -13,26 +13,34 @@ func (t *Tenant) IsCordoned() bool {
 	if v, ok := t.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
 		return true
 	}
+
 	return false
 }

 func (t *Tenant) IsFull() bool {
 	// we don't have limits on assigned Namespaces
-	if t.Spec.NamespaceQuota == nil {
+	if t.Spec.NamespaceOptions == nil || t.Spec.NamespaceOptions.Quota == nil {
 		return false
 	}
-	return len(t.Status.Namespaces) >= int(*t.Spec.NamespaceQuota)
+
+	return len(t.Status.Namespaces) >= int(*t.Spec.NamespaceOptions.Quota)
 }

 func (t *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
 	var l []string
+
 	for _, ns := range namespaces {
 		if ns.Status.Phase == corev1.NamespaceActive {
 			l = append(l, ns.GetName())
 		}
 	}
+
 	sort.Strings(l)

 	t.Status.Namespaces = l
 	t.Status.Size = uint(len(l))
 }
+
+func (t *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
+	return t.Spec.Owners.FindOwner(name, kind).ProxyOperations
+}
--- a/api/v1beta1/tenant_labels.go
+++ b/api/v1beta1/tenant_labels.go
@@ -27,5 +27,6 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 	default:
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
+
 	return
 }
--- a/api/v1beta1/tenant_status.go
+++ b/api/v1beta1/tenant_status.go
@@ -3,18 +3,21 @@

 package v1beta1

-// +kubebuilder:validation:Enum=cordoned;active
+// +kubebuilder:validation:Enum=Cordoned;Active
 type tenantState string

 const (
-	TenantStateActive   tenantState = "active"
-	TenantStateCordoned tenantState = "cordoned"
+	TenantStateActive   tenantState = "Active"
+	TenantStateCordoned tenantState = "Cordoned"
 )

-// TenantStatus defines the observed state of Tenant
+// Returns the observed state of the Tenant.
 type TenantStatus struct {
-	//+kubebuilder:default=active
-	State      tenantState `json:"state"`
-	Size       uint        `json:"size"`
-	Namespaces []string    `json:"namespaces,omitempty"`
+	//+kubebuilder:default=Active
+	// The operational state of the Tenant. Possible values are "Active", "Cordoned".
+	State tenantState `json:"state"`
+	// How many namespaces are assigned to the Tenant.
+	Size uint `json:"size"`
+	// List of namespaces assigned to the Tenant.
+	Namespaces []string `json:"namespaces,omitempty"`
 }
--- a/api/v1beta1/tenant_types.go
+++ b/api/v1beta1/tenant_types.go
@@ -7,29 +7,34 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-// TenantSpec defines the desired state of Tenant
+// TenantSpec defines the desired state of Tenant.
 type TenantSpec struct {
-	Owners []OwnerSpec `json:"owners"`
-
-	//+kubebuilder:validation:Minimum=1
-	NamespaceQuota         *int32                       `json:"namespaceQuota,omitempty"`
-	NamespacesMetadata     *AdditionalMetadataSpec      `json:"namespacesMetadata,omitempty"`
-	ServicesMetadata       *AdditionalMetadataSpec      `json:"servicesMetadata,omitempty"`
-	StorageClasses         *AllowedListSpec             `json:"storageClasses,omitempty"`
-	IngressClasses         *AllowedListSpec             `json:"ingressClasses,omitempty"`
-	IngressHostnames       *AllowedListSpec             `json:"ingressHostnames,omitempty"`
-	ContainerRegistries    *AllowedListSpec             `json:"containerRegistries,omitempty"`
-	NodeSelector           map[string]string            `json:"nodeSelector,omitempty"`
-	NetworkPolicies        *NetworkPolicySpec           `json:"networkPolicies,omitempty"`
-	LimitRanges            *LimitRangesSpec             `json:"limitRanges,omitempty"`
-	ResourceQuota          *ResourceQuotaSpec           `json:"resourceQuotas,omitempty"`
+	// Specifies the owners of the Tenant. Mandatory.
+	Owners OwnerListSpec `json:"owners"`
+	// Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+	NamespaceOptions *NamespaceOptions `json:"namespaceOptions,omitempty"`
+	// Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
+	ServiceOptions *ServiceOptions `json:"serviceOptions,omitempty"`
+	// Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.
+	StorageClasses *AllowedListSpec `json:"storageClasses,omitempty"`
+	// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
+	IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
+	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
+	ContainerRegistries *AllowedListSpec `json:"containerRegistries,omitempty"`
+	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+	NetworkPolicies NetworkPolicySpec `json:"networkPolicies,omitempty"`
+	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
+	LimitRanges LimitRangesSpec `json:"limitRanges,omitempty"`
+	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
+	ResourceQuota ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
+	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
 	AdditionalRoleBindings []AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
-	ExternalServiceIPs     *ExternalServiceIPsSpec      `json:"externalServiceIPs,omitempty"`
-	ImagePullPolicies      []ImagePullPolicySpec        `json:"imagePullPolicies,omitempty"`
-	PriorityClasses        *AllowedListSpec             `json:"priorityClasses,omitempty"`
-
-	//+kubebuilder:default=true
-	EnableNodePorts bool `json:"enableNodePorts,omitempty"`
+	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
+	ImagePullPolicies []ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
+	// Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
+	PriorityClasses *AllowedListSpec `json:"priorityClasses,omitempty"`
 }

 //+kubebuilder:object:root=true
@@ -37,12 +42,12 @@ type TenantSpec struct {
 //+kubebuilder:storageversion
 // +kubebuilder:resource:scope=Cluster,shortName=tnt
 // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state",description="The actual state of the Tenant"
-// +kubebuilder:printcolumn:name="Namespace quota",type="integer",JSONPath=".spec.namespaceQuota",description="The max amount of Namespaces can be created"
+// +kubebuilder:printcolumn:name="Namespace quota",type="integer",JSONPath=".spec.namespaceOptions.quota",description="The max amount of Namespaces can be created"
 // +kubebuilder:printcolumn:name="Namespace count",type="integer",JSONPath=".status.size",description="The total amount of Namespaces in use"
 // +kubebuilder:printcolumn:name="Node selector",type="string",JSONPath=".spec.nodeSelector",description="Node Selector applied to Pods"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"

-// Tenant is the Schema for the tenants API
+// Tenant is the Schema for the tenants API.
 type Tenant struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -55,7 +60,7 @@ func (t *Tenant) Hub() {}

 //+kubebuilder:object:root=true

-// TenantList contains a list of Tenant
+// TenantList contains a list of Tenant.
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated

 // Copyright 2020-2021 Clastix Labs
@@ -17,15 +18,15 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdditionalMetadataSpec) DeepCopyInto(out *AdditionalMetadataSpec) {
 	*out = *in
-	if in.AdditionalLabels != nil {
-		in, out := &in.AdditionalLabels, &out.AdditionalLabels
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
-	if in.AdditionalAnnotations != nil {
-		in, out := &in.AdditionalAnnotations, &out.AdditionalAnnotations
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
@@ -83,6 +84,57 @@ func (in *AllowedListSpec) DeepCopy() *AllowedListSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedServices) DeepCopyInto(out *AllowedServices) {
+	*out = *in
+	if in.NodePort != nil {
+		in, out := &in.NodePort, &out.NodePort
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExternalName != nil {
+		in, out := &in.ExternalName, &out.ExternalName
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedServices.
+func (in *AllowedServices) DeepCopy() *AllowedServices {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowedServices)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in ByKindAndName) DeepCopyInto(out *ByKindAndName) {
+	{
+		in := &in
+		*out = make(ByKindAndName, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByKindAndName.
+func (in ByKindAndName) DeepCopy() ByKindAndName {
+	if in == nil {
+		return nil
+	}
+	out := new(ByKindAndName)
+	in.DeepCopyInto(out)
+	return *out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalServiceIPsSpec) DeepCopyInto(out *ExternalServiceIPsSpec) {
 	*out = *in
@@ -103,6 +155,51 @@ func (in *ExternalServiceIPsSpec) DeepCopy() *ExternalServiceIPsSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ForbiddenListSpec) DeepCopyInto(out *ForbiddenListSpec) {
+	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForbiddenListSpec.
+func (in *ForbiddenListSpec) DeepCopy() *ForbiddenListSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ForbiddenListSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressOptions) DeepCopyInto(out *IngressOptions) {
+	*out = *in
+	if in.AllowedClasses != nil {
+		in, out := &in.AllowedClasses, &out.AllowedClasses
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AllowedHostnames != nil {
+		in, out := &in.AllowedHostnames, &out.AllowedHostnames
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressOptions.
+func (in *IngressOptions) DeepCopy() *IngressOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LimitRangesSpec) DeepCopyInto(out *LimitRangesSpec) {
 	*out = *in
@@ -125,6 +222,31 @@ func (in *LimitRangesSpec) DeepCopy() *LimitRangesSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceOptions) DeepCopyInto(out *NamespaceOptions) {
+	*out = *in
+	if in.Quota != nil {
+		in, out := &in.Quota, &out.Quota
+		*out = new(int32)
+		**out = **in
+	}
+	if in.AdditionalMetadata != nil {
+		in, out := &in.AdditionalMetadata, &out.AdditionalMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceOptions.
+func (in *NamespaceOptions) DeepCopy() *NamespaceOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
 	*out = *in
@@ -147,6 +269,42 @@ func (in *NetworkPolicySpec) DeepCopy() *NetworkPolicySpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NonLimitedResourceError) DeepCopyInto(out *NonLimitedResourceError) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonLimitedResourceError.
+func (in *NonLimitedResourceError) DeepCopy() *NonLimitedResourceError {
+	if in == nil {
+		return nil
+	}
+	out := new(NonLimitedResourceError)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in OwnerListSpec) DeepCopyInto(out *OwnerListSpec) {
+	{
+		in := &in
+		*out = make(OwnerListSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerListSpec.
+func (in OwnerListSpec) DeepCopy() OwnerListSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OwnerListSpec)
+	in.DeepCopyInto(out)
+	return *out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OwnerSpec) DeepCopyInto(out *OwnerSpec) {
 	*out = *in
@@ -211,6 +369,36 @@ func (in *ResourceQuotaSpec) DeepCopy() *ResourceQuotaSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceOptions) DeepCopyInto(out *ServiceOptions) {
+	*out = *in
+	if in.AdditionalMetadata != nil {
+		in, out := &in.AdditionalMetadata, &out.AdditionalMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AllowedServices != nil {
+		in, out := &in.AllowedServices, &out.AllowedServices
+		*out = new(AllowedServices)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ExternalServiceIPs != nil {
+		in, out := &in.ExternalServiceIPs, &out.ExternalServiceIPs
+		*out = new(ExternalServiceIPsSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceOptions.
+func (in *ServiceOptions) DeepCopy() *ServiceOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Tenant) DeepCopyInto(out *Tenant) {
 	*out = *in
@@ -275,24 +463,19 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 	*out = *in
 	if in.Owners != nil {
 		in, out := &in.Owners, &out.Owners
-		*out = make([]OwnerSpec, len(*in))
+		*out = make(OwnerListSpec, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.NamespaceQuota != nil {
-		in, out := &in.NamespaceQuota, &out.NamespaceQuota
-		*out = new(int32)
-		**out = **in
-	}
-	if in.NamespacesMetadata != nil {
-		in, out := &in.NamespacesMetadata, &out.NamespacesMetadata
-		*out = new(AdditionalMetadataSpec)
+	if in.NamespaceOptions != nil {
+		in, out := &in.NamespaceOptions, &out.NamespaceOptions
+		*out = new(NamespaceOptions)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.ServicesMetadata != nil {
-		in, out := &in.ServicesMetadata, &out.ServicesMetadata
-		*out = new(AdditionalMetadataSpec)
+	if in.ServiceOptions != nil {
+		in, out := &in.ServiceOptions, &out.ServiceOptions
+		*out = new(ServiceOptions)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.StorageClasses != nil {
@@ -300,16 +483,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(AllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.IngressClasses != nil {
-		in, out := &in.IngressClasses, &out.IngressClasses
-		*out = new(AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IngressHostnames != nil {
-		in, out := &in.IngressHostnames, &out.IngressHostnames
-		*out = new(AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
+	in.IngressOptions.DeepCopyInto(&out.IngressOptions)
 	if in.ContainerRegistries != nil {
 		in, out := &in.ContainerRegistries, &out.ContainerRegistries
 		*out = new(AllowedListSpec)
@@ -322,21 +496,9 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*out)[key] = val
 		}
 	}
-	if in.NetworkPolicies != nil {
-		in, out := &in.NetworkPolicies, &out.NetworkPolicies
-		*out = new(NetworkPolicySpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.LimitRanges != nil {
-		in, out := &in.LimitRanges, &out.LimitRanges
-		*out = new(LimitRangesSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ResourceQuota != nil {
-		in, out := &in.ResourceQuota, &out.ResourceQuota
-		*out = new(ResourceQuotaSpec)
-		(*in).DeepCopyInto(*out)
-	}
+	in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
+	in.LimitRanges.DeepCopyInto(&out.LimitRanges)
+	in.ResourceQuota.DeepCopyInto(&out.ResourceQuota)
 	if in.AdditionalRoleBindings != nil {
 		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
 		*out = make([]AdditionalRoleBindingsSpec, len(*in))
@@ -344,11 +506,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.ExternalServiceIPs != nil {
-		in, out := &in.ExternalServiceIPs, &out.ExternalServiceIPs
-		*out = new(ExternalServiceIPsSpec)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.ImagePullPolicies != nil {
 		in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
 		*out = make([]ImagePullPolicySpec, len(*in))
--- a/charts/capsule/.helmignore
+++ b/charts/capsule/.helmignore
@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+README.md.gotmpl
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -21,8 +21,8 @@ sources:

 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.0.19
+version: 0.1.12

 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.0.5
+appVersion: 0.1.3
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -1,6 +1,6 @@
 # Deploying the Capsule Operator

-Use the Capsule Operator for easily implementing, managing, and maintaining mutitenancy and access control in Kubernetes.
+Use the Capsule Operator for easily implementing, managing, and maintaining multitenancy and access control in Kubernetes.

 ## Requirements

@@ -26,7 +26,7 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator

 2. Install the Chart:

-        $ helm install capsule clastix/capsule -n capsule-system
+        $ helm install capsule clastix/capsule -n capsule-system --create-namespace

 3. Show the status:

@@ -54,55 +54,113 @@ The values in your overrides file `myvalues.yaml` will override their counterpar

 If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:

-        $ helm install capsule capsule-helm-chart --set force_tenant_prefix=false -n capsule-system
+        $ helm install capsule capsule-helm-chart --set manager.options.forceTenantPrefix=false -n capsule-system

 Here the values you can override:

-Parameter | Description | Default
--- | --- | ---
-`manager.hostNetwork` | Specifies if the container should be started in `hostNetwork` mode. | `false` 
-`manager.options.logLevel` | Set the log verbosity of the controller with a value from 1 to 10.| `4`
-`manager.options.forceTenantPrefix` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash | `false`
-`manager.options.capsuleUserGroup` | Override the Capsule user group | `capsule.clastix.io`
-`manager.options.protectedNamespaceRegex` | If specified, disallows creation of namespaces matching the passed regexp | `null`
-`manager.options.allowIngressHostnameCollision` | Allow the Ingress hostname collision at Ingress resource level across all the Tenants | `true`
-`manager.options.allowTenantIngressHostnamesCollision` | Skip the validation check at Tenant level for colliding Ingress hostnames | `false`
-`manager.image.repository` | Set the image repository of the controller. | `quay.io/clastix/capsule`
-`manager.image.tag` | Overrides the image tag whose default is the chart. `appVersion` | `null`
-`manager.image.pullPolicy` | Set the image pull policy. | `IfNotPresent`
-`manager.livenessProbe` | Configure the liveness probe using Deployment probe spec | `GET :10080/healthz`
-`manager.readinessProbe` | Configure the readiness probe using Deployment probe spec | `GET :10080/readyz`
-`manager.resources.requests/cpu` | Set the CPU requests assigned to the controller. | `200m`
-`manager.resources.requests/memory` | Set the memory requests assigned to the controller. | `128Mi`
-`manager.resources.limits/cpu` | Set the CPU limits assigned to the controller. | `200m`
-`manager.resources.limits/cpu` | Set the memory limits assigned to the controller. | `128Mi`
-`mutatingWebhooksTimeoutSeconds` | Timeout in seconds for mutating webhooks. | `30`
-`validatingWebhooksTimeoutSeconds` | Timeout in seconds for validating webhooks. | `30`
-`imagePullSecrets` | Configuration for `imagePullSecrets` so that you can use a private images registry. | `[]`
-`serviceAccount.create` | Specifies whether a service account should be created. | `true`
-`serviceAccount.annotations` | Annotations to add to the service account. | `{}`
-`serviceAccount.name` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template | `capsule`
-`podAnnotations` | Annotations to add to the Capsule pod. | `{}`
-`priorityClassName` | Set the priority class name of the Capsule pod. | `null`
-`nodeSelector` | Set the node selector for the Capsule pod. | `{}`
-`tolerations` | Set list of tolerations for the Capsule pod. | `[]`
-`replicaCount` | Set the replica count for Capsule pod. | `1`
-`affinity` | Set affinity rules for the Capsule pod. | `{}`
-`podSecurityPolicy.enabled` | Specify if a Pod Security Policy must be created. | `false`
-`serviceMonitor.enabled` | Specify if a Service Monitor must be created. | `false`
-`serviceMonitor.serviceAccount.name` | Specify Service Account name for metrics scrape. | `capsule`
-`serviceMonitor.serviceAccount.namespace` | Specify Service Account namespace for metrics scrape. | `capsule-system`
+### General Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Set affinity rules for the Capsule pod |
+| certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
+| customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
+| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
+| jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
+| jobs.image.repository | string | `"quay.io/clastix/kubectl"` | Set the image repository of the helm chart job |
+| jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
+| mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
+| nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
+| podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
+| podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
+| priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
+| replicaCount | int | `1` | Set the replica count for capsule pod |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
+| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
+| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
+| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
+| tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
+| validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
+
+### Manager Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode.  Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
+| manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
+| manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. |
+| manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| manager.imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
+| manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
+| manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
+| manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups |
+| manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
+| manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
+| manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 |
+| manager.options.protectedNamespaceRegex | string | `""` | If specified, disallows creation of namespaces matching the passed regexp |
+| manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
+| manager.resources.limits.cpu | string | `"200m"` |  |
+| manager.resources.limits.memory | string | `"128Mi"` |  |
+| manager.resources.requests.cpu | string | `"200m"` |  |
+| manager.resources.requests.memory | string | `"128Mi"` |  |
+
+### ServiceMonitor Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| serviceMonitor.annotations | object | `{}` | Assign additional Annotations |
+| serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
+| serviceMonitor.endpoint.interval | string | `"15s"` | Set the scrape interval for the endpoint of the serviceMonitor |
+| serviceMonitor.endpoint.metricRelabelings | list | `[]` | Set metricRelabelings for the endpoint of the serviceMonitor |
+| serviceMonitor.endpoint.relabelings | list | `[]` | Set relabelings for the endpoint of the serviceMonitor |
+| serviceMonitor.endpoint.scrapeTimeout | string | `""` | Set the scrape timeout for the endpoint of the serviceMonitor |
+| serviceMonitor.labels | object | `{}` | Assign additional labels according to Prometheus' serviceMonitorSelector matching labels |
+| serviceMonitor.matchLabels | object | `{}` | Change matching labels |
+| serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
+| serviceMonitor.serviceAccount.name | string | `"capsule"` | ServiceAccount for Metrics RBAC |
+| serviceMonitor.serviceAccount.namespace | string | `"capsule-system"` | ServiceAccount Namespace for Metrics RBAC |
+| serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
+
+### Webhook Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| webhooks.cordoning.failurePolicy | string | `"Fail"` |  |
+| webhooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.ingresses.failurePolicy | string | `"Fail"` |  |
+| webhooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` |  |
+| webhooks.namespaces.failurePolicy | string | `"Fail"` |  |
+| webhooks.networkpolicies.failurePolicy | string | `"Fail"` |  |
+| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.nodes.failurePolicy | string | `"Fail"` |  |
+| webhooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` |  |
+| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.pods.failurePolicy | string | `"Fail"` |  |
+| webhooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.services.failurePolicy | string | `"Fail"` |  |
+| webhooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.tenants.failurePolicy | string | `"Fail"` |  |

 ## Created resources

-This Helm Chart cretes the following Kubernetes resources in the release namespace:
+This Helm Chart creates the following Kubernetes resources in the release namespace:

 * Capsule Namespace
 * Capsule Operator Deployment
 * Capsule Service
 * CA Secret
-* Certfificate Secret
+* Certificate Secret
 * Tenant Custom Resource Definition
+* CapsuleConfiguration Custom Resource Definition
 * MutatingWebHookConfiguration
 * ValidatingWebHookConfiguration
 * RBAC Cluster Roles
@@ -120,6 +178,34 @@ And optionally, depending on the values set:

 Capsule, as many other add-ons, defines its own set of Custom Resource Definitions (CRDs). Helm3 removed the old CRDs installation method for a more simple methodology. In the Helm Chart, there is now a special directory called `crds` to hold the CRDs. These CRDs are not templated, but will be installed by default when running a `helm install` for the chart. If the CRDs already exist (for example, you already executed `helm install`), it will be skipped with a warning. When you wish to skip the CRDs installation, and do not see the warning, you can pass the `--skip-crds` flag to the `helm install` command.

+## Cert-Manager integration
+
+You can enable the generation of certificates using `cert-manager` as follows.
+
+```
+helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+  --set "certManager.generateCertificates=true" \
+  --set "tls.create=false" \
+  --set "tls.enableController=false"
+```
+
+With the usage of `tls.enableController=false` value, you're delegating the injection of the Validating and Mutating Webhooks' CA to `cert-manager`.
+Since Helm3 doesn't allow to template _CRDs_, you have to patch manually the Custom Resource Definition `tenants.capsule.clastix.io` adding the proper annotation (YMMV).
+
+```yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+    cert-manager.io/inject-ca-from: capsule-system/capsule-webhook-cert
+  creationTimestamp: "2022-07-22T08:32:51Z"
+  generation: 45
+  name: tenants.capsule.clastix.io
+  resourceVersion: "9832"
+  uid: 61e287df-319b-476d-88d5-bdb8dc14d4a6
+```
+
 ## More

-See Capsule [use cases](https://github.com/clastix/capsule/blob/master/use_cases.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
--- a/charts/capsule/README.md.gotmpl
+++ b/charts/capsule/README.md.gotmpl
@@ -0,0 +1,160 @@
+# Deploying the Capsule Operator
+
+Use the Capsule Operator for easily implementing, managing, and maintaining multitenancy and access control in Kubernetes.
+
+## Requirements
+
+* [Helm 3](https://github.com/helm/helm/releases) is required when installing the Capsule Operator chart. Follow Helm’s official [steps](https://helm.sh/docs/intro/install/) for installing helm on your particular operating system.
+
+* A Kubernetes cluster 1.16+ with following [Admission Controllers](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) enabled:
+
+    * PodNodeSelector
+    * LimitRanger
+    * ResourceQuota
+    * MutatingAdmissionWebhook
+    * ValidatingAdmissionWebhook
+
+* A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
+
+## Quick Start
+
+The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
+
+1. Add this repository:
+
+        $ helm repo add clastix https://clastix.github.io/charts
+
+2. Install the Chart:
+
+        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
+
+3. Show the status:
+
+        $ helm status capsule -n capsule-system
+
+4. Upgrade the Chart
+
+        $ helm upgrade capsule clastix/capsule -n capsule-system
+
+5. Uninstall the Chart
+
+        $ helm uninstall capsule -n capsule-system
+
+## Customize the installation
+
+There are two methods for specifying overrides of values during chart installation: `--values` and `--set`.
+
+The `--values` option is the preferred method because it allows you to keep your overrides in a YAML file, rather than specifying them all on the command line. Create a copy of the YAML file `values.yaml` and add your overrides to it.
+
+Specify your overrides file when you install the chart:
+
+        $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
+
+The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
+
+If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
+
+        $ helm install capsule capsule-helm-chart --set manager.options.forceTenantPrefix=false -n capsule-system
+
+Here the values you can override:
+
+
+### General Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
+### Manager Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if hasPrefix "manager" .Key }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
+### ServiceMonitor Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if hasPrefix "serviceMonitor" .Key }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
+### Webhook Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if hasPrefix "webhook" .Key }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
+## Created resources
+
+This Helm Chart creates the following Kubernetes resources in the release namespace:
+
+* Capsule Namespace
+* Capsule Operator Deployment
+* Capsule Service
+* CA Secret
+* Certificate Secret
+* Tenant Custom Resource Definition
+* CapsuleConfiguration Custom Resource Definition
+* MutatingWebHookConfiguration
+* ValidatingWebHookConfiguration
+* RBAC Cluster Roles
+* Metrics Service
+
+And optionally, depending on the values set:
+
+* Capsule ServiceAccount
+* Capsule Service Monitor
+* PodSecurityPolicy
+* RBAC ClusterRole and RoleBinding for pod security policy
+* RBAC Role and Rolebinding for metrics scrape
+
+## Notes on installing Custom Resource Definitions with Helm3
+
+Capsule, as many other add-ons, defines its own set of Custom Resource Definitions (CRDs). Helm3 removed the old CRDs installation method for a more simple methodology. In the Helm Chart, there is now a special directory called `crds` to hold the CRDs. These CRDs are not templated, but will be installed by default when running a `helm install` for the chart. If the CRDs already exist (for example, you already executed `helm install`), it will be skipped with a warning. When you wish to skip the CRDs installation, and do not see the warning, you can pass the `--skip-crds` flag to the `helm install` command.
+
+## Cert-Manager integration
+
+You can enable the generation of certificates using `cert-manager` as follows.
+
+```
+helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+  --set "certManager.generateCertificates=true" \
+  --set "tls.create=false" \
+  --set "tls.enableController=false"
+```
+
+With the usage of `tls.enableController=false` value, you're delegating the injection of the Validating and Mutating Webhooks' CA to `cert-manager`.
+Since Helm3 doesn't allow to template _CRDs_, you have to patch manually the Custom Resource Definition `tenants.capsule.clastix.io` adding the proper annotation (YMMV).
+
+```yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+    cert-manager.io/inject-ca-from: capsule-system/capsule-webhook-cert
+  creationTimestamp: "2022-07-22T08:32:51Z"
+  generation: 45
+  name: tenants.capsule.clastix.io
+  resourceVersion: "9832"
+  uid: 61e287df-319b-476d-88d5-bdb8dc14d4a6
+```
+
+## More
+
+See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.
--- a/charts/capsule/crds/capsuleconfiguration-crd.yaml
+++ b/charts/capsule/crds/capsuleconfiguration-crd.yaml
@@ -17,7 +17,7 @@ spec:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
-          description: CapsuleConfiguration is the Schema for the Capsule configuration API
+          description: CapsuleConfiguration is the Schema for the Capsule configuration API.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -28,16 +28,10 @@ spec:
            metadata:
              type: object
            spec:
-              description: CapsuleConfigurationSpec defines the Capsule configuration
+              description: CapsuleConfigurationSpec defines the Capsule configuration.
              properties:
-                allowIngressHostnameCollision:
-                  default: true
-                  description: Allow the collision of Ingress resource hostnames across all the Tenants.
-                  type: boolean
-                allowTenantIngressHostnamesCollision:
-                  description: "When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed. Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of two or more Tenant resources although sharing the same allowed hostname(s). \n The JSON path of the resource is: /spec/ingressHostnames/allowed"
-                  type: boolean
                forceTenantPrefix:
+                  default: false
                  description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
                  type: boolean
                protectedNamespaceRegex:
--- a/charts/capsule/crds/tenant-crd.yaml
+++ b/charts/capsule/crds/tenant-crd.yaml
@@ -3,10 +3,21 @@ kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.5.0
+  creationTimestamp: null
  name: tenants.capsule.clastix.io
 spec:
  conversion:
-    strategy: None
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: capsule-webhook-service
+          namespace: capsule-system
+          path: /convert
+          port: 443
+      conversionReviewVersions:
+        - v1alpha1
+        - v1beta1
  group: capsule.clastix.io
  names:
    kind: Tenant
@@ -45,7 +56,7 @@ spec:
      name: v1alpha1
      schema:
        openAPIV3Schema:
-          description: Tenant is the Schema for the tenants API
+          description: Tenant is the Schema for the tenants API.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -56,7 +67,7 @@ spec:
            metadata:
              type: object
            spec:
-              description: TenantSpec defines the desired state of Tenant
+              description: TenantSpec defines the desired state of Tenant.
              properties:
                additionalRoleBindings:
                  items:
@@ -221,11 +232,15 @@ spec:
                              items:
                                description: NetworkPolicyPort describes a port to allow traffic on
                                properties:
+                                  endPort:
+                                    description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                    format: int32
+                                    type: integer
                                  port:
                                    anyOf:
                                      - type: integer
                                      - type: string
-                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                    x-kubernetes-int-or-string: true
                                  protocol:
                                    default: TCP
@@ -407,11 +422,15 @@ spec:
                              items:
                                description: NetworkPolicyPort describes a port to allow traffic on
                                properties:
+                                  endPort:
+                                    description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                    format: int32
+                                    type: integer
                                  port:
                                    anyOf:
                                      - type: integer
                                      - type: string
-                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                    x-kubernetes-int-or-string: true
                                  protocol:
                                    default: TCP
@@ -452,9 +471,9 @@ spec:
                            type: object
                        type: object
                      policyTypes:
-                        description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                        description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                        items:
-                          description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                          description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                          type: string
                        type: array
                    required:
@@ -466,7 +485,7 @@ spec:
                    type: string
                  type: object
                owner:
-                  description: OwnerSpec defines tenant owner name and kind
+                  description: OwnerSpec defines tenant owner name and kind.
                  properties:
                    kind:
                      enum:
@@ -549,7 +568,7 @@ spec:
                - owner
              type: object
            status:
-              description: TenantStatus defines the observed state of Tenant
+              description: TenantStatus defines the observed state of Tenant.
              properties:
                namespaces:
                  items:
@@ -564,14 +583,14 @@ spec:
      served: true
      storage: false
      subresources:
-        status: { }
+        status: {}
    - additionalPrinterColumns:
        - description: The actual state of the Tenant
          jsonPath: .status.state
          name: State
          type: string
        - description: The max amount of Namespaces can be created
-          jsonPath: .spec.namespaceQuota
+          jsonPath: .spec.namespaceOptions.quota
          name: Namespace quota
          type: integer
        - description: The total amount of Namespaces in use
@@ -589,7 +608,7 @@ spec:
      name: v1beta1
      schema:
        openAPIV3Schema:
-          description: Tenant is the Schema for the tenants API
+          description: Tenant is the Schema for the tenants API.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -600,9 +619,10 @@ spec:
            metadata:
              type: object
            spec:
-              description: TenantSpec defines the desired state of Tenant
+              description: TenantSpec defines the desired state of Tenant.
              properties:
                additionalRoleBindings:
+                  description: Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
                  items:
                    properties:
                      clusterRoleName:
@@ -635,6 +655,7 @@ spec:
                    type: object
                  type: array
                containerRegistries:
+                  description: Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
                  properties:
                    allowed:
                      items:
@@ -643,20 +664,8 @@ spec:
                    allowedRegex:
                      type: string
                  type: object
-                enableNodePorts:
-                  default: true
-                  type: boolean
-                externalServiceIPs:
-                  properties:
-                    allowed:
-                      items:
-                        pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
-                        type: string
-                      type: array
-                  required:
-                    - allowed
-                  type: object
                imagePullPolicies:
+                  description: Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
                  items:
                    enum:
                      - Always
@@ -664,25 +673,41 @@ spec:
                      - IfNotPresent
                    type: string
                  type: array
-                ingressClasses:
+                ingressOptions:
+                  description: Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
                  properties:
-                    allowed:
-                      items:
-                        type: string
-                      type: array
-                    allowedRegex:
-                      type: string
-                  type: object
-                ingressHostnames:
-                  properties:
-                    allowed:
-                      items:
-                        type: string
-                      type: array
-                    allowedRegex:
+                    allowedClasses:
+                      description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                      properties:
+                        allowed:
+                          items:
+                            type: string
+                          type: array
+                        allowedRegex:
+                          type: string
+                      type: object
+                    allowedHostnames:
+                      description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+                      properties:
+                        allowed:
+                          items:
+                            type: string
+                          type: array
+                        allowedRegex:
+                          type: string
+                      type: object
+                    hostnameCollisionScope:
+                      default: Disabled
+                      description: "Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames. \n - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. \n - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. \n - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. \n Optional."
+                      enum:
+                        - Cluster
+                        - Tenant
+                        - Namespace
+                        - Disabled
                      type: string
                  type: object
                limitRanges:
+                  description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                  properties:
                    items:
                      items:
@@ -750,22 +775,29 @@ spec:
                        type: object
                      type: array
                  type: object
-                namespaceQuota:
-                  format: int32
-                  minimum: 1
-                  type: integer
-                namespacesMetadata:
+                namespaceOptions:
+                  description: Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
                  properties:
-                    additionalAnnotations:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    additionalLabels:
-                      additionalProperties:
-                        type: string
+                    additionalMetadata:
+                      description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
                      type: object
+                    quota:
+                      description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+                      format: int32
+                      minimum: 1
+                      type: integer
                  type: object
                networkPolicies:
+                  description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
                  properties:
                    items:
                      items:
@@ -781,11 +813,15 @@ spec:
                                  items:
                                    description: NetworkPolicyPort describes a port to allow traffic on
                                    properties:
+                                      endPort:
+                                        description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                        format: int32
+                                        type: integer
                                      port:
                                        anyOf:
                                          - type: integer
                                          - type: string
-                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                        x-kubernetes-int-or-string: true
                                      protocol:
                                        default: TCP
@@ -967,11 +1003,15 @@ spec:
                                  items:
                                    description: NetworkPolicyPort describes a port to allow traffic on
                                    properties:
+                                      endPort:
+                                        description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                        format: int32
+                                        type: integer
                                      port:
                                        anyOf:
                                          - type: integer
                                          - type: string
-                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                        x-kubernetes-int-or-string: true
                                      protocol:
                                        default: TCP
@@ -1012,9 +1052,9 @@ spec:
                                type: object
                            type: object
                          policyTypes:
-                            description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                            description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                            items:
-                              description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                              description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                              type: string
                            type: array
                        required:
@@ -1025,20 +1065,24 @@ spec:
                nodeSelector:
                  additionalProperties:
                    type: string
+                  description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                  type: object
                owners:
+                  description: Specifies the owners of the Tenant. Mandatory.
                  items:
-                    description: OwnerSpec defines tenant owner name and kind
                    properties:
                      kind:
+                        description: Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
                        enum:
                          - User
                          - Group
                          - ServiceAccount
                        type: string
                      name:
+                        description: Name of tenant owner.
                        type: string
                      proxySettings:
+                        description: Proxy settings for tenant owner.
                        items:
                          properties:
                            kind:
@@ -1046,6 +1090,7 @@ spec:
                                - Nodes
                                - StorageClasses
                                - IngressClasses
+                                - PriorityClasses
                              type: string
                            operations:
                              items:
@@ -1066,6 +1111,7 @@ spec:
                    type: object
                  type: array
                priorityClasses:
+                  description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                  properties:
                    allowed:
                      items:
@@ -1075,6 +1121,7 @@ spec:
                      type: string
                  type: object
                resourceQuotas:
+                  description: Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
                  properties:
                    items:
                      items:
@@ -1122,19 +1169,59 @@ spec:
                            type: array
                        type: object
                      type: array
+                    scope:
+                      default: Tenant
+                      description: Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
+                      enum:
+                        - Tenant
+                        - Namespace
+                      type: string
                  type: object
-                servicesMetadata:
+                serviceOptions:
+                  description: Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
                  properties:
-                    additionalAnnotations:
-                      additionalProperties:
-                        type: string
+                    additionalMetadata:
+                      description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
                      type: object
-                    additionalLabels:
-                      additionalProperties:
-                        type: string
+                    allowedServices:
+                      description: Block or deny certain type of Services. Optional.
+                      properties:
+                        externalName:
+                          default: true
+                          description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+                          type: boolean
+                        loadBalancer:
+                          default: true
+                          description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                          type: boolean
+                        nodePort:
+                          default: true
+                          description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+                          type: boolean
+                      type: object
+                    externalIPs:
+                      description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.
+                      properties:
+                        allowed:
+                          items:
+                            pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+                            type: string
+                          type: array
+                      required:
+                        - allowed
                      type: object
                  type: object
                storageClasses:
+                  description: Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.
                  properties:
                    allowed:
                      items:
@@ -1147,19 +1234,22 @@ spec:
                - owners
              type: object
            status:
-              description: TenantStatus defines the observed state of Tenant
+              description: Returns the observed state of the Tenant.
              properties:
                namespaces:
+                  description: List of namespaces assigned to the Tenant.
                  items:
                    type: string
                  type: array
                size:
+                  description: How many namespaces are assigned to the Tenant.
                  type: integer
                state:
-                  default: active
+                  default: Active
+                  description: The operational state of the Tenant. Possible values are "Active", "Cordoned".
                  enum:
-                    - cordoned
-                    - active
+                    - Cordoned
+                    - Active
                  type: string
              required:
                - size
@@ -1169,7 +1259,7 @@ spec:
      served: true
      storage: true
      subresources:
-        status: { }
+        status: {}
 status:
  acceptedNames:
    kind: ""
--- a/charts/capsule/templates/NOTES.txt
+++ b/charts/capsule/templates/NOTES.txt
@@ -5,7 +5,7 @@


   # Check the capsule logs
-   $ kubectl logs -f deployment/{{ template "capsule.fullname" . }}-controller-manager -c manager -n{{ .Release.Namespace }}
+   $ kubectl logs -f deployment/{{ template "capsule.fullname" . }}-controller-manager -c manager -n {{ .Release.Namespace }}

 - Manage this chart:

--- a/charts/capsule/templates/_helpers.tpl
+++ b/charts/capsule/templates/_helpers.tpl
@@ -40,6 +40,9 @@ helm.sh/chart: {{ include "capsule.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
 {{- end }}

 {{/*
@@ -50,6 +53,18 @@ app.kubernetes.io/name: {{ include "capsule.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

+{{/*
+ServiceAccount annotations
+*/}}
+{{- define "capsule.serviceAccountAnnotations" -}}
+{{- if .Values.serviceAccount.annotations }}
+{{- toYaml .Values.serviceAccount.annotations }}
+{{- end }}
+{{- if .Values.customAnnotations }}
+{{ toYaml .Values.customAnnotations }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}
@@ -75,30 +90,38 @@ Create the proxy fully-qualified Docker image to use
 {{- printf "%s:%s" .Values.proxy.image.repository .Values.proxy.image.tag -}}
 {{- end }}

+{{/*
+Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
+*/}}
+{{- define "capsule.jobsTagKubeVersion" -}}
+{{- if contains "-eks-" .Capabilities.KubeVersion.GitVersion }}
+{{- print "v" .Capabilities.KubeVersion.Major "." (.Capabilities.KubeVersion.Minor | replace "+" "") -}}
+{{- else }}
+{{- print "v" .Capabilities.KubeVersion.Major "." .Capabilities.KubeVersion.Minor -}}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the jobs fully-qualified Docker image to use
 */}}
 {{- define "capsule.jobsFullyQualifiedDockerImage" -}}
+{{- if .Values.jobs.image.tag }}
 {{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- else }}
+{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
+{{- end }}
 {{- end }}

 {{/*
-Create the Capsule Deployment name to use
+Create the Capsule controller name to use
 */}}
-{{- define "capsule.deploymentName" -}}
+{{- define "capsule.controllerName" -}}
 {{- printf "%s-controller-manager" (include "capsule.fullname" .) -}}
 {{- end }}

-{{/*
-Create the Capsule CA Secret name to use
-*/}}
-{{- define "capsule.secretCaName" -}}
-{{- printf "%s-ca" (include "capsule.fullname" .) -}}
-{{- end }}
-
 {{/*
 Create the Capsule TLS Secret name to use
 */}}
 {{- define "capsule.secretTlsName" -}}
-{{- printf "%s-tls" (include "capsule.fullname" .) -}}
+{{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }}
 {{- end }}
--- a/charts/capsule/templates/ca.yaml
+++ b/charts/capsule/templates/ca.yaml
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  name: {{ include "capsule.secretCaName" . }}
-data:
--- a/charts/capsule/templates/certificate.yaml
+++ b/charts/capsule/templates/certificate.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.certManager.generateCertificates }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "capsule.fullname" . }}-webhook-selfsigned
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "capsule.fullname" . }}-webhook-cert
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  dnsNames:
+  - {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
+  - {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ include "capsule.fullname" . }}-webhook-selfsigned
+  secretName: {{ include "capsule.secretTlsName" . }}
+  subject:
+    organizations:
+      - clastix.io
+{{- end }}
--- a/charts/capsule/templates/certs.yaml
+++ b/charts/capsule/templates/certs.yaml
@@ -1,7 +1,12 @@
+{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
  name: {{ include "capsule.secretTlsName" . }}
-data:
+{{- end }}
--- a/charts/capsule/templates/configuration-default.yaml
+++ b/charts/capsule/templates/configuration-default.yaml
@@ -2,6 +2,16 @@ apiVersion: capsule.clastix.io/v1alpha1
 kind: CapsuleConfiguration
 metadata:
  name: default
+  labels:
+  {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+    capsule.clastix.io/mutating-webhook-configuration-name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
+    capsule.clastix.io/tls-secret-name: {{ include "capsule.secretTlsName" . }}
+    capsule.clastix.io/validating-webhook-configuration-name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
+    capsule.clastix.io/enable-tls-configuration: "{{ .Values.tls.enableController }}"
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  forceTenantPrefix: {{ .Values.manager.options.forceTenantPrefix }}
  userGroups:
@@ -9,5 +19,3 @@ spec:
    - {{ . }}
 {{- end}}
  protectedNamespaceRegex: {{ .Values.manager.options.protectedNamespaceRegex | quote }}
-  allowTenantIngressHostnamesCollision: {{ .Values.manager.options.allowTenantIngressHostnamesCollision }}
-  allowIngressHostnameCollision: {{ .Values.manager.options.allowIngressHostnameCollision }}
--- a/charts/capsule/templates/daemonset.yaml
+++ b/charts/capsule/templates/daemonset.yaml
@@ -0,0 +1,88 @@
+{{- if eq .Values.manager.kind "DaemonSet" }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "capsule.controllerName" . }}
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{- include "capsule.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "capsule.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      {{- if .Values.manager.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: cert
+          secret:
+            defaultMode: 420
+            secretName: {{ include "capsule.secretTlsName" . }}
+      containers:
+        - name: manager
+          command:
+          - /manager
+          args:
+          - --enable-leader-election
+          - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
+          - --configuration-name=default
+          image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
+          imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
+          env:
+          - name: NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          ports:
+            - name: webhook-server
+              containerPort: 9443
+              protocol: TCP
+            - name: metrics
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .Values.manager.livenessProbe | nindent 12}}
+          readinessProbe:
+            {{- toYaml .Values.manager.readinessProbe | nindent 12}}
+          volumeMounts:
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: cert
+            readOnly: true
+          resources:
+            {{- toYaml .Values.manager.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+{{- end }}
--- a/charts/capsule/templates/deployment.yaml
+++ b/charts/capsule/templates/deployment.yaml
@@ -1,9 +1,14 @@
+{{- if eq .Values.manager.kind "Deployment" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "capsule.deploymentName" . }}
+  name: {{ include "capsule.controllerName" . }}
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  replicas: {{ .Values.replicaCount }}
  selector:
@@ -11,12 +16,12 @@ spec:
      {{- include "capsule.selectorLabels" . | nindent 6 }}
  template:
    metadata:
-    {{- with .Values.podAnnotations }}
+      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
      labels:
-        {{- include "capsule.selectorLabels" . | nindent 8 }}
+        {{- include "capsule.labels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@@ -25,6 +30,7 @@ spec:
      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
      {{- if .Values.manager.hostNetwork }}
      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
      {{- end }}
      priorityClassName: {{ .Values.priorityClassName }}
      {{- with .Values.nodeSelector }}
@@ -43,7 +49,7 @@ spec:
        - name: cert
          secret:
            defaultMode: 420
-            secretName: {{ include "capsule.fullname" . }}-tls
+            secretName: {{ include "capsule.secretTlsName" . }}
      containers:
        - name: manager
          command:
@@ -78,3 +84,4 @@ spec:
            {{- toYaml .Values.manager.resources | nindent 12 }}
          securityContext:
            allowPrivilegeEscalation: false
+{{- end }}
--- a/charts/capsule/templates/metrics-rbac.yaml
+++ b/charts/capsule/templates/metrics-rbac.yaml
@@ -4,9 +4,13 @@ kind: Role
 metadata:
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.labels }}
+  {{- if .Values.serviceMonitor.labels }}
    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
-    {{- end }}
+  {{- end }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
  name: {{ include "capsule.fullname" . }}-metrics-role
  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
 rules:
--- a/charts/capsule/templates/metrics-service.yaml
+++ b/charts/capsule/templates/metrics-service.yaml
@@ -4,6 +4,10 @@ metadata:
  name: {{ include "capsule.fullname" . }}-controller-manager-metrics-service
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  ports:
  - port: 8080
--- a/charts/capsule/templates/mutatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/mutatingwebhookconfiguration.yaml
@@ -4,18 +4,27 @@ metadata:
  name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
+  {{-  end }}
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /namespace-owner-reference
      port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }}
  matchPolicy: Equivalent
  name: owner.namespace.capsule.clastix.io
  namespaceSelector: {}
@@ -28,6 +37,7 @@ webhooks:
      - v1
      operations:
      - CREATE
+      - UPDATE
      resources:
      - namespaces
      scope: '*'
--- a/charts/capsule/templates/podsecuritypolicy.yaml
+++ b/charts/capsule/templates/podsecuritypolicy.yaml
@@ -5,6 +5,10 @@ metadata:
  name: {{ include "capsule.fullname" . }}
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  fsGroup:
    rule: RunAsAny
--- a/charts/capsule/templates/post-install-job.yaml
+++ b/charts/capsule/templates/post-install-job.yaml
@@ -1,4 +1,5 @@
-{{- $cmd := "while [ -z $$(kubectl -n $NAMESPACE get secret capsule-tls -o jsonpath='{.data.tls\\\\.crt}') ];" -}}
+{{- if .Values.tls.create }}
+{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretTlsName" .) -}}
 {{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
 {{- $cmd = printf "%s done" $cmd -}}
 apiVersion: batch/v1
@@ -6,16 +7,16 @@ kind: Job
 metadata:
  name: "{{ .Release.Name }}-waiting-certs"
  labels:
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    {{- include "capsule.labels" . | nindent 4 }}
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  template:
    metadata:
@@ -25,6 +26,14 @@ spec:
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
      restartPolicy: Never
      containers:
      - name: post-install-job
@@ -36,4 +45,5 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+{{- end }}
--- a/charts/capsule/templates/pre-delete-job.yaml
+++ b/charts/capsule/templates/pre-delete-job.yaml
@@ -1,5 +1,7 @@
-{{- $cmd := printf "kubectl scale deployment -n $NAMESPACE %s --replicas 0 &&" (include "capsule.deploymentName" .) -}}
-{{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) (include "capsule.secretCaName" .) -}}
+{{- $cmd := ""}}
+{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
+{{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) -}}
+{{- end }}
 {{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}
 {{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}}
 apiVersion: batch/v1
@@ -7,16 +9,16 @@ kind: Job
 metadata:
  name: "{{ .Release.Name }}-rbac-cleaner"
  labels:
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    {{- include "capsule.labels" . | nindent 4 }}
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": pre-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  template:
    metadata:
@@ -26,6 +28,14 @@ spec:
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
      restartPolicy: Never
      containers:
        - name: pre-delete-job
--- a/charts/capsule/templates/rbac.yaml
+++ b/charts/capsule/templates/rbac.yaml
@@ -4,6 +4,10 @@ metadata:
  name: {{ include "capsule.fullname" . }}-proxy-role
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 rules:
 - apiGroups:
  - authentication.k8s.io
@@ -24,6 +28,10 @@ metadata:
  name: {{ include "capsule.fullname" . }}-metrics-reader
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 rules:
 - nonResourceURLs:
  - /metrics
@@ -36,6 +44,10 @@ metadata:
  name: {{ include "capsule.fullname" . }}-proxy-rolebinding
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@@ -51,6 +63,10 @@ metadata:
  name: {{ include "capsule.fullname" . }}-manager-rolebinding
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
--- a/charts/capsule/templates/serviceaccount.yaml
+++ b/charts/capsule/templates/serviceaccount.yaml
@@ -5,8 +5,8 @@ metadata:
  name: {{ include "capsule.serviceAccountName" . }}
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+  {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations)  }}
  annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
  {{- end }}
 {{- end }}
--- a/charts/capsule/templates/servicemonitor.yaml
+++ b/charts/capsule/templates/servicemonitor.yaml
@@ -6,18 +6,42 @@ metadata:
  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.labels }}
-    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- with .Values.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
    {{- end }}
+  {{- with .Values.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  endpoints:
-  - interval: 15s
+  {{- with .Values.serviceMonitor.endpoint }}
+  - interval: {{ .interval }}
    port: metrics
    path: /metrics
+    {{- with .scrapeTimeout }}
+    scrapeTimeout: {{ . }}
+    {{- end }}
+    {{- with .metricRelabelings }}
+    metricRelabelings: {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .relabelings }}
+    relabelings: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- end }}  
  jobLabel: app.kubernetes.io/name
+  {{- with .Values.serviceMonitor.targetLabels }}
+  targetLabels: {{- toYaml . | nindent 4 }}
+  {{- end }}
  selector:
-    matchLabels: {{ include "capsule.labels" . | nindent 6 }}
+    matchLabels:
+    {{- if .Values.serviceMonitor.matchLabels }}
+      {{- toYaml .Values.serviceMonitor.matchLabels | nindent 6 }}
+    {{- else }}
+      {{- include "capsule.labels" . | nindent 6 }}
+    {{- end }}
  namespaceSelector:
    matchNames:
      - {{ .Release.Namespace }}
 {{- end }}
+
--- a/charts/capsule/templates/validatingwebhookconfiguration.yaml
+++ b/charts/capsule/templates/validatingwebhookconfiguration.yaml
@@ -4,24 +4,31 @@ metadata:
  name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
+  {{-  end }}
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /cordoning
      port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.cordoning.failurePolicy }}
  matchPolicy: Equivalent
  name: cordoning.tenant.capsule.clastix.io
  namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}}
  objectSelector: {}
  rules:
    - apiGroups:
@@ -41,19 +48,19 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /ingresses
      port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.ingresses.failurePolicy }}
  matchPolicy: Equivalent
  name: ingress.capsule.clastix.io
  namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}}
  objectSelector: {}
  rules:
    - apiGroups:
@@ -74,13 +81,15 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /namespaces
      port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.namespaces.failurePolicy }}
  matchPolicy: Equivalent
  name: namespaces.capsule.clastix.io
  namespaceSelector: {}
@@ -103,19 +112,19 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /networkpolicies
      port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.networkpolicies.failurePolicy }}
  matchPolicy: Equivalent
  name: networkpolicies.capsule.clastix.io
  namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.networkpolicies.namespaceSelector | nindent 4}}
  objectSelector: {}
  rules:
    - apiGroups:
@@ -134,19 +143,19 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /pods
      port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.pods.failurePolicy }}
  matchPolicy: Exact
  name: pods.capsule.clastix.io
  namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.pods.namespaceSelector | nindent 4}}
  objectSelector: {}
  rules:
    - apiGroups:
@@ -164,17 +173,17 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: capsule-system
+      namespace: {{ .Release.Namespace }}
      path: /persistentvolumeclaims
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.persistentvolumeclaims.failurePolicy }}
  name: pvc.capsule.clastix.io
  namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.persistentvolumeclaims.namespaceSelector | nindent 4}}
  objectSelector: {}
  rules:
    - apiGroups:
@@ -192,19 +201,19 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /services
      port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.services.failurePolicy }}
  matchPolicy: Exact
  name: services.capsule.clastix.io
  namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.services.namespaceSelector | nindent 4}}
  objectSelector: {}
  rules:
    - apiGroups:
@@ -223,13 +232,15 @@ webhooks:
    - v1
    - v1beta1
  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
    caBundle: Cg==
+{{- end }}
    service:
      name: {{ include "capsule.fullname" . }}-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /tenants
      port: 443
-  failurePolicy: Fail
+  failurePolicy:  {{ .Values.webhooks.tenants.failurePolicy }}
  matchPolicy: Exact
  name: tenants.capsule.clastix.io
  namespaceSelector: {}
@@ -248,3 +259,31 @@ webhooks:
      scope: '*'
  sideEffects: None
  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
+    caBundle: Cg==
+{{- end }}
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /nodes
+      port: 443
+  failurePolicy: {{ .Values.webhooks.nodes.failurePolicy }}
+  name: nodes.capsule.clastix.io
+  matchPolicy: Exact
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - ""
+      apiVersions:
+        - v1
+      operations:
+        - UPDATE
+      resources:
+        - nodes
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
--- a/charts/capsule/templates/webhook-service.yaml
+++ b/charts/capsule/templates/webhook-service.yaml
@@ -4,6 +4,10 @@ metadata:
  name: {{ include "capsule.fullname" . }}-webhook-service
  labels:
    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+   {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
  ports:
  - port: 443
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -2,31 +2,59 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.

+# Secret Options
+tls:
+  # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
+  enableController: true
+  # -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion.
+  create: true
+  # -- Override name of the Capsule TLS Secret name when externally managed.
+  name: ""
+
+# Manager Options
 manager:
+
+  # -- Set the controller deployment mode as `Deployment` or `DaemonSet`.
+  kind: Deployment
+
  image:
-    repository: quay.io/clastix/capsule
+    # -- Set the image repository of the capsule.
+    repository: clastix/capsule
+    # -- Set the image pull policy.
    pullPolicy: IfNotPresent
+    # -- Overrides the image tag whose default is the chart appVersion.
    tag: ''

-  # Specifies if the container should be started in hostNetwork mode.
+  # -- Configuration for `imagePullSecrets` so that you can use a private images registry.
+  imagePullSecrets: []
+
+  # -- Specifies if the container should be started in hostNetwork mode.
  #
  # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
  # CNI (such as calico), because control-plane managed by AWS cannot communicate
  # with pods' IP CIDR and admission webhooks are not working
  hostNetwork: false

-  # Additional Capsule options
+  # Additional Capsule Controller Options
  options:
+    # -- Set the log verbosity of the capsule with a value from 1 to 10
    logLevel: '4'
+    # -- Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash
    forceTenantPrefix: false
+    # -- Override the Capsule user groups
    capsuleUserGroups: ["capsule.clastix.io"]
+    # -- If specified, disallows creation of namespaces matching the passed regexp
    protectedNamespaceRegex: ""
-    allowIngressHostnameCollision: true
-    allowTenantIngressHostnamesCollision: false
+    # -- Specifies whether capsule webhooks certificates should be generated by capsule operator
+    generateCertificates: true
+
+  # -- Configure the liveness probe using Deployment probe spec
  livenessProbe:
    httpGet:
      path: /healthz
      port: 10080
+
+  # -- Configure the readiness probe using Deployment probe spec
  readinessProbe:
    httpGet:
      path: /readyz
@@ -39,40 +67,142 @@ manager:
    requests:
      cpu: 200m
      memory: 128Mi
-jobs:
-  image:
-    repository: quay.io/clastix/kubectl
-    pullPolicy: IfNotPresent
-    tag: "v1.20.7"
-mutatingWebhooksTimeoutSeconds: 30
-validatingWebhooksTimeoutSeconds: 30
-imagePullSecrets: []
-serviceAccount:
-  create: true
-  annotations: {}
-  name: "capsule"
+
+# -- Annotations to add to the capsule pod.
 podAnnotations: {}
-priorityClassName: '' #system-cluster-critical
+#  The following annotations guarantee scheduling for critical add-on pods
+#  podAnnotations:
+#    scheduler.alpha.kubernetes.io/critical-pod: ''
+
+# -- Set the priority class name of the Capsule pod
+priorityClassName: '' # system-cluster-critical
+
+# -- Set the node selector for the Capsule pod
 nodeSelector: {}
 #  node-role.kubernetes.io/master: ""
+
+# -- Set list of tolerations for the Capsule pod
 tolerations: []
-#- key: CriticalAddonsOnly
-#  operator: Exists
-#- effect: NoSchedule
-#  key: node-role.kubernetes.io/master
+# - key: CriticalAddonsOnly
+#   operator: Exists
+# - effect: NoSchedule
+#   key: node-role.kubernetes.io/master
+
+# -- Set the replica count for capsule pod
 replicaCount: 1
+
+# -- Set affinity rules for the Capsule pod
 affinity: {}
+
 podSecurityPolicy:
+  # -- Specify if a Pod Security Policy must be created
  enabled: false

-serviceMonitor:
-  enabled: false
-  # Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
-  namespace:
-  # Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
-  labels: {}
+jobs:
+  image:
+    # -- Set the image repository of the helm chart job
+    repository: quay.io/clastix/kubectl
+    # -- Set the image pull policy of the helm chart job
+    pullPolicy: IfNotPresent
+    # -- Set the image tag of the helm chart job
+    tag: ""
+
+# ServiceAccount
+serviceAccount:
+  # -- Specifies whether a service account should be created.
+  create: true
+  # -- Annotations to add to the service account.
  annotations: {}
+  # -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template
+  name: "capsule"
+
+certManager:
+  # -- Specifies whether capsule webhooks certificates should be generated using cert-manager
+  generateCertificates: false
+
+# -- Additional labels which will be added to all resources created by Capsule helm chart
+customLabels: {}
+
+# -- Additional annotations which will be added to all resources created by Capsule helm chart
+customAnnotations: {}
+
+# Webhooks configurations
+webhooks:
+  namespaceOwnerReference:
+    failurePolicy: Fail
+  cordoning:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  ingresses:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  namespaces:
+    failurePolicy: Fail
+  networkpolicies:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  pods:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  persistentvolumeclaims:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  tenants:
+    failurePolicy: Fail
+  services:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  nodes:
+    failurePolicy: Fail
+
+# -- Timeout in seconds for mutating webhooks
+mutatingWebhooksTimeoutSeconds: 30
+# -- Timeout in seconds for validating webhooks
+validatingWebhooksTimeoutSeconds: 30
+
+# ServiceMonitor
+serviceMonitor:
+  # -- Enable ServiceMonitor
+  enabled: false
+  # -- Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
+  namespace: ''
+  # -- Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
+  labels: {}
+  # -- Assign additional Annotations
+  annotations: {}
+  # -- Change matching labels
  matchLabels: {}
+  # -- Set targetLabels for the serviceMonitor
+  targetLabels: []
  serviceAccount:
+    # -- ServiceAccount for Metrics RBAC
    name: capsule
+    # -- ServiceAccount Namespace for Metrics RBAC
    namespace: capsule-system
+  endpoint:
+    # -- Set the scrape interval for the endpoint of the serviceMonitor
+    interval: "15s"
+    # -- Set the scrape timeout for the endpoint of the serviceMonitor
+    scrapeTimeout: ""
+    # -- Set metricRelabelings for the endpoint of the serviceMonitor
+    metricRelabelings: []
+    # -- Set relabelings for the endpoint of the serviceMonitor
+    relabelings: []
--- a/config/crd/bases/capsule.clastix.io_capsuleconfigurations.yaml
+++ b/config/crd/bases/capsule.clastix.io_capsuleconfigurations.yaml
@@ -19,7 +19,7 @@ spec:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: CapsuleConfiguration is the Schema for the Capsule configuration API
+        description: CapsuleConfiguration is the Schema for the Capsule configuration API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -30,15 +30,8 @@ spec:
          metadata:
            type: object
          spec:
-            description: CapsuleConfigurationSpec defines the Capsule configuration nolint:maligned
+            description: CapsuleConfigurationSpec defines the Capsule configuration.
            properties:
-              allowIngressHostnameCollision:
-                default: true
-                description: Allow the collision of Ingress resource hostnames across all the Tenants.
-                type: boolean
-              allowTenantIngressHostnamesCollision:
-                description: "When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed. Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of two or more Tenant resources although sharing the same allowed hostname(s). \n The JSON path of the resource is: /spec/ingressHostnames/allowed"
-                type: boolean
              forceTenantPrefix:
                default: false
                description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
--- a/config/crd/bases/capsule.clastix.io_tenants.yaml
+++ b/config/crd/bases/capsule.clastix.io_tenants.yaml
@@ -46,7 +46,7 @@ spec:
    name: v1alpha1
    schema:
      openAPIV3Schema:
-        description: Tenant is the Schema for the tenants API
+        description: Tenant is the Schema for the tenants API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -57,7 +57,7 @@ spec:
          metadata:
            type: object
          spec:
-            description: TenantSpec defines the desired state of Tenant
+            description: TenantSpec defines the desired state of Tenant.
            properties:
              additionalRoleBindings:
                items:
@@ -222,11 +222,15 @@ spec:
                            items:
                              description: NetworkPolicyPort describes a port to allow traffic on
                              properties:
+                                endPort:
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                  format: int32
+                                  type: integer
                                port:
                                  anyOf:
                                  - type: integer
                                  - type: string
-                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                  x-kubernetes-int-or-string: true
                                protocol:
                                  default: TCP
@@ -408,11 +412,15 @@ spec:
                            items:
                              description: NetworkPolicyPort describes a port to allow traffic on
                              properties:
+                                endPort:
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                  format: int32
+                                  type: integer
                                port:
                                  anyOf:
                                  - type: integer
                                  - type: string
-                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                  x-kubernetes-int-or-string: true
                                protocol:
                                  default: TCP
@@ -453,9 +461,9 @@ spec:
                          type: object
                      type: object
                    policyTypes:
-                      description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                      description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                      items:
-                        description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                        description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                        type: string
                      type: array
                  required:
@@ -467,7 +475,7 @@ spec:
                  type: string
                type: object
              owner:
-                description: OwnerSpec defines tenant owner name and kind
+                description: OwnerSpec defines tenant owner name and kind.
                properties:
                  kind:
                    enum:
@@ -550,7 +558,7 @@ spec:
            - owner
            type: object
          status:
-            description: TenantStatus defines the observed state of Tenant
+            description: TenantStatus defines the observed state of Tenant.
            properties:
              namespaces:
                items:
@@ -572,7 +580,7 @@ spec:
      name: State
      type: string
    - description: The max amount of Namespaces can be created
-      jsonPath: .spec.namespaceQuota
+      jsonPath: .spec.namespaceOptions.quota
      name: Namespace quota
      type: integer
    - description: The total amount of Namespaces in use
@@ -590,7 +598,7 @@ spec:
    name: v1beta1
    schema:
      openAPIV3Schema:
-        description: Tenant is the Schema for the tenants API
+        description: Tenant is the Schema for the tenants API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -601,9 +609,10 @@ spec:
          metadata:
            type: object
          spec:
-            description: TenantSpec defines the desired state of Tenant
+            description: TenantSpec defines the desired state of Tenant.
            properties:
              additionalRoleBindings:
+                description: Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
                items:
                  properties:
                    clusterRoleName:
@@ -636,6 +645,7 @@ spec:
                  type: object
                type: array
              containerRegistries:
+                description: Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
                properties:
                  allowed:
                    items:
@@ -644,20 +654,8 @@ spec:
                  allowedRegex:
                    type: string
                type: object
-              enableNodePorts:
-                default: true
-                type: boolean
-              externalServiceIPs:
-                properties:
-                  allowed:
-                    items:
-                      pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
-                      type: string
-                    type: array
-                required:
-                - allowed
-                type: object
              imagePullPolicies:
+                description: Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
                items:
                  enum:
                  - Always
@@ -665,25 +663,41 @@ spec:
                  - IfNotPresent
                  type: string
                type: array
-              ingressClasses:
+              ingressOptions:
+                description: Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
                properties:
-                  allowed:
-                    items:
-                      type: string
-                    type: array
-                  allowedRegex:
-                    type: string
-                type: object
-              ingressHostnames:
-                properties:
-                  allowed:
-                    items:
-                      type: string
-                    type: array
-                  allowedRegex:
+                  allowedClasses:
+                    description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          type: string
+                        type: array
+                      allowedRegex:
+                        type: string
+                    type: object
+                  allowedHostnames:
+                    description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          type: string
+                        type: array
+                      allowedRegex:
+                        type: string
+                    type: object
+                  hostnameCollisionScope:
+                    default: Disabled
+                    description: "Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames. \n - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. \n - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. \n - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. \n Optional."
+                    enum:
+                    - Cluster
+                    - Tenant
+                    - Namespace
+                    - Disabled
                    type: string
                type: object
              limitRanges:
+                description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                properties:
                  items:
                    items:
@@ -751,22 +765,29 @@ spec:
                      type: object
                    type: array
                type: object
-              namespaceQuota:
-                format: int32
-                minimum: 1
-                type: integer
-              namespacesMetadata:
+              namespaceOptions:
+                description: Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
                properties:
-                  additionalAnnotations:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  additionalLabels:
-                    additionalProperties:
-                      type: string
+                  additionalMetadata:
+                    description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
                    type: object
+                  quota:
+                    description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+                    format: int32
+                    minimum: 1
+                    type: integer
                type: object
              networkPolicies:
+                description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
                properties:
                  items:
                    items:
@@ -782,11 +803,15 @@ spec:
                                items:
                                  description: NetworkPolicyPort describes a port to allow traffic on
                                  properties:
+                                    endPort:
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                      format: int32
+                                      type: integer
                                    port:
                                      anyOf:
                                      - type: integer
                                      - type: string
-                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                      x-kubernetes-int-or-string: true
                                    protocol:
                                      default: TCP
@@ -968,11 +993,15 @@ spec:
                                items:
                                  description: NetworkPolicyPort describes a port to allow traffic on
                                  properties:
+                                    endPort:
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                      format: int32
+                                      type: integer
                                    port:
                                      anyOf:
                                      - type: integer
                                      - type: string
-                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                      x-kubernetes-int-or-string: true
                                    protocol:
                                      default: TCP
@@ -1013,9 +1042,9 @@ spec:
                              type: object
                          type: object
                        policyTypes:
-                          description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                          description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                          items:
-                            description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                            description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                            type: string
                          type: array
                      required:
@@ -1026,20 +1055,24 @@ spec:
              nodeSelector:
                additionalProperties:
                  type: string
+                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                type: object
              owners:
+                description: Specifies the owners of the Tenant. Mandatory.
                items:
-                  description: OwnerSpec defines tenant owner name and kind
                  properties:
                    kind:
+                      description: Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
                      enum:
                      - User
                      - Group
                      - ServiceAccount
                      type: string
                    name:
+                      description: Name of tenant owner.
                      type: string
                    proxySettings:
+                      description: Proxy settings for tenant owner.
                      items:
                        properties:
                          kind:
@@ -1047,6 +1080,7 @@ spec:
                            - Nodes
                            - StorageClasses
                            - IngressClasses
+                            - PriorityClasses
                            type: string
                          operations:
                            items:
@@ -1067,6 +1101,7 @@ spec:
                  type: object
                type: array
              priorityClasses:
+                description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                properties:
                  allowed:
                    items:
@@ -1076,6 +1111,7 @@ spec:
                    type: string
                type: object
              resourceQuotas:
+                description: Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
                properties:
                  items:
                    items:
@@ -1123,19 +1159,59 @@ spec:
                          type: array
                      type: object
                    type: array
+                  scope:
+                    default: Tenant
+                    description: Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
+                    enum:
+                    - Tenant
+                    - Namespace
+                    type: string
                type: object
-              servicesMetadata:
+              serviceOptions:
+                description: Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
                properties:
-                  additionalAnnotations:
-                    additionalProperties:
-                      type: string
+                  additionalMetadata:
+                    description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
                    type: object
-                  additionalLabels:
-                    additionalProperties:
-                      type: string
+                  allowedServices:
+                    description: Block or deny certain type of Services. Optional.
+                    properties:
+                      externalName:
+                        default: true
+                        description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                      loadBalancer:
+                        default: true
+                        description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                      nodePort:
+                        default: true
+                        description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                    type: object
+                  externalIPs:
+                    description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+                          type: string
+                        type: array
+                    required:
+                    - allowed
                    type: object
                type: object
              storageClasses:
+                description: Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.
                properties:
                  allowed:
                    items:
@@ -1148,19 +1224,22 @@ spec:
            - owners
            type: object
          status:
-            description: TenantStatus defines the observed state of Tenant
+            description: Returns the observed state of the Tenant.
            properties:
              namespaces:
+                description: List of namespaces assigned to the Tenant.
                items:
                  type: string
                type: array
              size:
+                description: How many namespaces are assigned to the Tenant.
                type: integer
              state:
-                default: active
+                default: Active
+                description: The operational state of the Tenant. Possible values are "Active", "Cordoned".
                enum:
-                - cordoned
-                - active
+                - Cordoned
+                - Active
                type: string
            required:
            - size
--- a/config/grafana/dashboard.json
+++ b/config/grafana/dashboard.json
--- a/config/grafana/dashboard.yaml
+++ b/config/grafana/dashboard.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # label selector used by Grafana to load the dashboards from Config Maps
+    grafana_dashboard: "1"
+  name: capsule-grafana-dashboard
--- a/config/grafana/kustomization.yaml
+++ b/config/grafana/kustomization.yaml
@@ -0,0 +1,8 @@
+configMapGenerator:
+- name: capsule-grafana-dashboard
+  files:
+  - dashboard.json
+generatorOptions:
+  disableNameSuffixHash: true
+patchesStrategicMerge:
+- dashboard.yaml
--- a/config/install.yaml
+++ b/config/install.yaml
--- a/config/manager/configuration.yaml
+++ b/config/manager/configuration.yaml
@@ -6,5 +6,3 @@ spec:
  userGroups: ["capsule.clastix.io"]
  forceTenantPrefix: false
  protectedNamespaceRegex: ""
-  allowTenantIngressHostnamesCollision: false
-  allowIngressHostnameCollision: false
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -6,5 +6,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: quay.io/clastix/capsule
-  newTag: v0.1.0-rc2
+  newName: clastix/capsule
+  newTag: v0.1.3
--- a/config/samples/capsule_v1alpha1_capsuleconfiguration.yaml
+++ b/config/samples/capsule_v1alpha1_capsuleconfiguration.yaml
@@ -7,5 +7,3 @@ spec:
  userGroups: ["capsule.clastix.io"]
  forceTenantPrefix: false
  protectedNamespaceRegex: ""
-  allowTenantIngressHostnamesCollision: false
-  allowIngressHostnameCollision: false
--- a/config/samples/capsule_v1beta1_tenant.yaml
+++ b/config/samples/capsule_v1beta1_tenant.yaml
@@ -1,7 +1,139 @@
+---
 apiVersion: capsule.clastix.io/v1beta1
 kind: Tenant
 metadata:
-  name: tenant-sample
+  name: gas
 spec:
-  # Add fields here
-  foo: bar
+  additionalRoleBindings:
+    -
+      clusterRoleName: tenant-sample-viewer
+      subjects:
+        -
+          kind: User
+          name: bob
+  containerRegistries:
+    allowed:
+      - docker.io
+      - quay.io
+    allowedRegex: ^\w+.gcr.io$
+  serviceOptions:
+    additionalMetadata:
+      annotations:
+        capsule.clastix.io/bgp: "true"
+      labels:
+        capsule.clastix.io/pool: gas
+    allowedServices:
+      nodePort: false
+      externalName: false
+    externalIPs:
+      allowed:
+        - 10.20.0.0/16
+        - "10.96.42.42"
+  imagePullPolicies:
+    - Always
+  ingressOptions:
+    hostnameCollisionScope: Cluster
+    allowedClasses:
+      allowed:
+        - default
+      allowedRegex: ^\w+-lb$
+    allowedHostnames:
+      allowed:
+        - gas.acmecorp.com
+      allowedRegex: ^.*acmecorp.com$
+  limitRanges:
+    items:
+      -
+        limits:
+          -
+            max:
+              cpu: "1"
+              memory: 1Gi
+            min:
+              cpu: 50m
+              memory: 5Mi
+            type: Pod
+          -
+            default:
+              cpu: 200m
+              memory: 100Mi
+            defaultRequest:
+              cpu: 100m
+              memory: 10Mi
+            max:
+              cpu: "1"
+              memory: 1Gi
+            min:
+              cpu: 50m
+              memory: 5Mi
+            type: Container
+          -
+            max:
+              storage: 10Gi
+            min:
+              storage: 1Gi
+            type: PersistentVolumeClaim
+  namespaceOptions:
+    quota: 3
+    additionalMetadata:
+      annotations:
+        capsule.clastix.io/backup: "false"
+      labels:
+        capsule.clastix.io/tenant: gas
+  networkPolicies:
+    items:
+      -
+        egress:
+          -
+            to:
+              -
+                ipBlock:
+                  cidr: 0.0.0.0/0
+                  except:
+                    - 192.168.0.0/12
+        ingress:
+          -
+            from:
+              -
+                namespaceSelector:
+                  matchLabels:
+                    capsule.clastix.io/tenant: gas
+              -
+                podSelector: {}
+              -
+                ipBlock:
+                  cidr: 192.168.0.0/12
+        podSelector: {}
+        policyTypes:
+          - Ingress
+          - Egress
+  nodeSelector:
+    kubernetes.io/os: linux
+  owners:
+    -
+      kind: User
+      name: bob
+  priorityClasses:
+    allowed:
+      - shared-nodes
+    allowedRegex: ^\w-gas$
+  resourceQuotas:
+    items:
+      -
+        hard:
+          limits.cpu: "8"
+          limits.memory: 16Gi
+          requests.cpu: "8"
+          requests.memory: 16Gi
+        scopes:
+          - NotTerminating
+      -
+        hard:
+          pods: "10"
+      -
+        hard:
+          requests.storage: 100Gi
+  storageClasses:
+    allowed:
+      - default
+    allowedRegex: ^\w+fs$
--- a/config/samples/ingress.yaml
+++ b/config/samples/ingress.yaml
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -2,3 +2,4 @@
 resources:
 - capsule_v1alpha1_capsuleconfiguration.yaml
 - capsule_v1alpha1_tenant.yaml
+- capsule_v1beta1_tenant.yaml
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -22,6 +22,7 @@ webhooks:
    - v1
    operations:
    - CREATE
+    - UPDATE
    resources:
    - namespaces
  sideEffects: None
@@ -117,6 +118,25 @@ webhooks:
    resources:
    - networkpolicies
  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /nodes
+  failurePolicy: Fail
+  name: nodes.capsule.clastix.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - nodes
+  sideEffects: None
 - admissionReviewVersions:
  - v1
  clientConfig:
--- a/config/webhook/patch_ns_selector.yaml
+++ b/config/webhook/patch_ns_selector.yaml
@@ -34,6 +34,12 @@
    matchExpressions:
      - key: capsule.clastix.io/tenant
        operator: Exists
+- op: add
+  path: /webhooks/7/namespaceSelector
+  value:
+    matchExpressions:
+      - key: capsule.clastix.io/tenant
+        operator: Exists
 - op: add
  path: /webhooks/0/rules/0/scope
  value: Namespaced
@@ -43,12 +49,12 @@
 - op: add
  path: /webhooks/3/rules/0/scope
  value: Namespaced
- op: add
-  path: /webhooks/4/rules/0/scope
-  value: Namespaced
 - op: add
  path: /webhooks/5/rules/0/scope
  value: Namespaced
 - op: add
  path: /webhooks/6/rules/0/scope
  value: Namespaced
+- op: add
+  path: /webhooks/7/rules/0/scope
+  value: Namespaced
--- a/controllers/config/manager.go
+++ b/controllers/config/manager.go
@@ -1,7 +1,7 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0

-package rbac
+package config

 import (
 	"context"
@@ -9,13 +9,11 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"

 	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/controllers/utils"
 	"github.com/clastix/capsule/pkg/configuration"
 )

@@ -24,50 +22,29 @@ type Manager struct {
 	Client client.Client
 }

-// InjectClient injects the Client interface, required by the Runnable interface
-func (r *Manager) InjectClient(c client.Client) error {
-	r.Client = c
+// InjectClient injects the Client interface, required by the Runnable interface.
+func (c *Manager) InjectClient(client client.Client) error {
+	c.Client = client

 	return nil
 }

-func filterByName(objName, desired string) bool {
-	return objName == desired
-}
-
-func forOptionPerInstanceName(instanceName string) builder.ForOption {
-	return builder.WithPredicates(predicate.Funcs{
-		CreateFunc: func(event event.CreateEvent) bool {
-			return filterByName(event.Object.GetName(), instanceName)
-		},
-		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-			return filterByName(deleteEvent.Object.GetName(), instanceName)
-		},
-		UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-			return filterByName(updateEvent.ObjectNew.GetName(), instanceName)
-		},
-		GenericFunc: func(genericEvent event.GenericEvent) bool {
-			return filterByName(genericEvent.Object.GetName(), instanceName)
-		},
-	})
-}
-
-func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) error {
+func (c *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&capsulev1alpha1.CapsuleConfiguration{}, forOptionPerInstanceName(configurationName)).
-		Complete(r)
+		For(&capsulev1alpha1.CapsuleConfiguration{}, utils.NamesMatchingPredicate(configurationName)).
+		Complete(c)
 }

-func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
-	r.Log.Info("CapsuleConfiguration reconciliation started", "request.name", request.Name)
+func (c *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
+	c.Log.Info("CapsuleConfiguration reconciliation started", "request.name", request.Name)

-	cfg := configuration.NewCapsuleConfiguration(r.Client, request.Name)
+	cfg := configuration.NewCapsuleConfiguration(ctx, c.Client, request.Name)
 	// Validating the Capsule Configuration options
 	if _, err = cfg.ProtectedNamespaceRegexp(); err != nil {
 		panic(errors.Wrap(err, "Invalid configuration for protected Namespace regex"))
 	}

-	r.Log.Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)
+	c.Log.Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)

 	return
 }
--- a/controllers/rbac/const.go
+++ b/controllers/rbac/const.go
@@ -23,7 +23,7 @@ var (
 				{
 					APIGroups: []string{""},
 					Resources: []string{"namespaces"},
-					Verbs:     []string{"create"},
+					Verbs:     []string{"create", "patch"},
 				},
 			},
 		},
@@ -48,7 +48,7 @@ var (
 		RoleRef: rbacv1.RoleRef{
 			Kind:     "ClusterRole",
 			Name:     ProvisionerRoleName,
-			APIGroup: "rbac.authorization.k8s.io",
+			APIGroup: rbacv1.GroupName,
 		},
 	}
 )
--- a/controllers/rbac/manager.go
+++ b/controllers/rbac/manager.go
@@ -10,20 +10,19 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/hashicorp/go-multierror"
 	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"

 	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/controllers/utils"
 	"github.com/clastix/capsule/pkg/configuration"
 )

@@ -33,65 +32,40 @@ type Manager struct {
 	Configuration configuration.Configuration
 }

-// InjectClient injects the Client interface, required by the Runnable interface
+// InjectClient injects the Client interface, required by the Runnable interface.
 func (r *Manager) InjectClient(c client.Client) error {
 	r.Client = c
+
 	return nil
 }

-func (r *Manager) filterByNames(name string) bool {
-	return name == ProvisionerRoleName || name == DeleterRoleName
-}
+func (r *Manager) SetupWithManager(ctx context.Context, mgr ctrl.Manager, configurationName string) (err error) {
+	namesPredicate := utils.NamesMatchingPredicate(ProvisionerRoleName, DeleterRoleName)

-//nolint:dupl
-func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) (err error) {
 	crErr := ctrl.NewControllerManagedBy(mgr).
-		For(&rbacv1.ClusterRole{}, builder.WithPredicates(predicate.Funcs{
-			CreateFunc: func(event event.CreateEvent) bool {
-				return r.filterByNames(event.Object.GetName())
-			},
-			DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-				return r.filterByNames(deleteEvent.Object.GetName())
-			},
-			UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-				return r.filterByNames(updateEvent.ObjectNew.GetName())
-			},
-			GenericFunc: func(genericEvent event.GenericEvent) bool {
-				return r.filterByNames(genericEvent.Object.GetName())
-			},
-		})).
+		For(&rbacv1.ClusterRole{}, namesPredicate).
 		Complete(r)
 	if crErr != nil {
 		err = multierror.Append(err, crErr)
 	}
+
 	crbErr := ctrl.NewControllerManagedBy(mgr).
-		For(&rbacv1.ClusterRoleBinding{}, builder.WithPredicates(predicate.Funcs{
-			CreateFunc: func(event event.CreateEvent) bool {
-				return r.filterByNames(event.Object.GetName())
-			},
-			DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-				return r.filterByNames(deleteEvent.Object.GetName())
-			},
-			UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-				return r.filterByNames(updateEvent.ObjectNew.GetName())
-			},
-			GenericFunc: func(genericEvent event.GenericEvent) bool {
-				return r.filterByNames(genericEvent.Object.GetName())
-			},
-		})).
+		For(&rbacv1.ClusterRoleBinding{}, namesPredicate).
 		Watches(source.NewKindWithCache(&capsulev1alpha1.CapsuleConfiguration{}, mgr.GetCache()), handler.Funcs{
 			UpdateFunc: func(updateEvent event.UpdateEvent, limitingInterface workqueue.RateLimitingInterface) {
 				if updateEvent.ObjectNew.GetName() == configurationName {
-					if crbErr := r.EnsureClusterRoleBindings(); crbErr != nil {
+					if crbErr := r.EnsureClusterRoleBindings(ctx); crbErr != nil {
 						r.Log.Error(err, "cannot update ClusterRoleBinding upon CapsuleConfiguration update")
 					}
 				}
 			},
 		}).
 		Complete(r)
+
 	if crbErr != nil {
 		err = multierror.Append(err, crbErr)
 	}
+
 	return
 }

@@ -100,18 +74,19 @@ func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) (
 func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
 	switch request.Name {
 	case ProvisionerRoleName:
-		if err = r.EnsureClusterRole(ProvisionerRoleName); err != nil {
+		if err = r.EnsureClusterRole(ctx, ProvisionerRoleName); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", ProvisionerRoleName)

 			break
 		}
-		if err = r.EnsureClusterRoleBindings(); err != nil {
+
+		if err = r.EnsureClusterRoleBindings(ctx); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRoleBindings failed")

 			break
 		}
 	case DeleterRoleName:
-		if err = r.EnsureClusterRole(DeleterRoleName); err != nil {
+		if err = r.EnsureClusterRole(ctx, DeleterRoleName); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", DeleterRoleName)
 		}
 	}
@@ -119,14 +94,14 @@ func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 	return
 }

-func (r *Manager) EnsureClusterRoleBindings() (err error) {
+func (r *Manager) EnsureClusterRoleBindings(ctx context.Context) (err error) {
 	crb := &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: ProvisionerRoleName,
 		},
 	}

-	_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, crb, func() (err error) {
+	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, crb, func() (err error) {
 		crb.RoleRef = provisionerClusterRoleBinding.RoleRef

 		crb.Subjects = []rbacv1.Subject{}
@@ -144,7 +119,7 @@ func (r *Manager) EnsureClusterRoleBindings() (err error) {
 	return
 }

-func (r *Manager) EnsureClusterRole(roleName string) (err error) {
+func (r *Manager) EnsureClusterRole(ctx context.Context, roleName string) (err error) {
 	role, ok := clusterRoles[roleName]
 	if !ok {
 		return fmt.Errorf("clusterRole %s is not mapped", roleName)
@@ -156,8 +131,9 @@ func (r *Manager) EnsureClusterRole(roleName string) (err error) {
 		},
 	}

-	_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, clusterRole, func() error {
+	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, clusterRole, func() error {
 		clusterRole.Rules = role.Rules
+
 		return nil
 	})

@@ -170,8 +146,9 @@ func (r *Manager) EnsureClusterRole(roleName string) (err error) {
 func (r *Manager) Start(ctx context.Context) error {
 	for roleName := range clusterRoles {
 		r.Log.Info("setting up ClusterRoles", "ClusterRole", roleName)
-		if err := r.EnsureClusterRole(roleName); err != nil {
-			if errors.IsAlreadyExists(err) {
+
+		if err := r.EnsureClusterRole(ctx, roleName); err != nil {
+			if apierrors.IsAlreadyExists(err) {
 				continue
 			}

@@ -180,8 +157,9 @@ func (r *Manager) Start(ctx context.Context) error {
 	}

 	r.Log.Info("setting up ClusterRoleBindings")
-	if err := r.EnsureClusterRoleBindings(); err != nil {
-		if errors.IsAlreadyExists(err) {
+
+	if err := r.EnsureClusterRoleBindings(ctx); err != nil {
+		if apierrors.IsAlreadyExists(err) {
 			return nil
 		}

--- a/controllers/secret/ca.go
+++ b/controllers/secret/ca.go
@@ -1,212 +0,0 @@
-// Copyright 2020-2021 Clastix Labs
-// SPDX-License-Identifier: Apache-2.0
-
-package secret
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"time"
-
-	"github.com/go-logr/logr"
-	"golang.org/x/sync/errgroup"
-	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
-	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/util/retry"
-	"k8s.io/utils/pointer"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-
-	"github.com/clastix/capsule/pkg/cert"
-)
-
-type CAReconciler struct {
-	client.Client
-	Log       logr.Logger
-	Scheme    *runtime.Scheme
-	Namespace string
-}
-
-func (r *CAReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Secret{}, forOptionPerInstanceName(caSecretName)).
-		Complete(r)
-}
-
-// By default helm doesn't allow to use templates in CRD (https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you).
-// In order to overcome this, we are setting conversion strategy in helm chart to None, and then update it with CA and namespace information.
-func (r *CAReconciler) UpdateCustomResourceDefinition(caBundle []byte) error {
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		crd := &apiextensionsv1.CustomResourceDefinition{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "tenants.capsule.clastix.io"}, crd)
-		if err != nil {
-			r.Log.Error(err, "cannot retrieve CustomResourceDefinition")
-			return err
-		}
-
-		_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, crd, func() error {
-			crd.Spec.Conversion = &apiextensionsv1.CustomResourceConversion{
-				Strategy: "Webhook",
-				Webhook: &apiextensionsv1.WebhookConversion{
-					ClientConfig: &apiextensionsv1.WebhookClientConfig{
-						Service: &apiextensionsv1.ServiceReference{
-							Namespace: r.Namespace,
-							Name:      "capsule-webhook-service",
-							Path:      pointer.StringPtr("/convert"),
-							Port:      pointer.Int32Ptr(443),
-						},
-						CABundle: caBundle,
-					},
-					ConversionReviewVersions: []string{"v1alpha1", "v1beta1"},
-				},
-			}
-
-			return nil
-		})
-
-		return err
-	})
-}
-
-//nolint:dupl
-func (r CAReconciler) UpdateValidatingWebhookConfiguration(caBundle []byte) error {
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		vw := &admissionregistrationv1.ValidatingWebhookConfiguration{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-validating-webhook-configuration"}, vw)
-		if err != nil {
-			r.Log.Error(err, "cannot retrieve ValidatingWebhookConfiguration")
-			return err
-		}
-		for i, w := range vw.Webhooks {
-			// Updating CABundle only in case of an internal service reference
-			if w.ClientConfig.Service != nil {
-				vw.Webhooks[i].ClientConfig.CABundle = caBundle
-			}
-		}
-		return r.Update(context.TODO(), vw, &client.UpdateOptions{})
-	})
-}
-
-//nolint:dupl
-func (r CAReconciler) UpdateMutatingWebhookConfiguration(caBundle []byte) error {
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		mw := &admissionregistrationv1.MutatingWebhookConfiguration{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-mutating-webhook-configuration"}, mw)
-		if err != nil {
-			r.Log.Error(err, "cannot retrieve MutatingWebhookConfiguration")
-			return err
-		}
-		for i, w := range mw.Webhooks {
-			// Updating CABundle only in case of an internal service reference
-			if w.ClientConfig.Service != nil {
-				mw.Webhooks[i].ClientConfig.CABundle = caBundle
-			}
-		}
-		return r.Update(context.TODO(), mw, &client.UpdateOptions{})
-	})
-}
-
-func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
-	var err error
-
-	r.Log = r.Log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
-	r.Log.Info("Reconciling CA Secret")
-
-	// Fetch the CA instance
-	instance := &corev1.Secret{}
-	err = r.Client.Get(context.TODO(), request.NamespacedName, instance)
-	if err != nil {
-		// Error reading the object - requeue the request.
-		return reconcile.Result{}, err
-	}
-
-	var ca cert.CA
-	var rq time.Duration
-	ca, err = getCertificateAuthority(r.Client, r.Namespace)
-	if err != nil && errors.Is(err, MissingCaError{}) {
-		ca, err = cert.GenerateCertificateAuthority()
-		if err != nil {
-			return reconcile.Result{}, err
-		}
-	} else if err != nil {
-		return reconcile.Result{}, err
-	}
-
-	r.Log.Info("Handling CA Secret")
-
-	rq, err = ca.ExpiresIn(time.Now())
-	if err != nil {
-		r.Log.Info("CA is expired, cleaning to obtain a new one")
-		instance.Data = map[string][]byte{}
-	} else {
-		r.Log.Info("Updating CA secret with new PEM and RSA")
-
-		var crt *bytes.Buffer
-		var key *bytes.Buffer
-		crt, _ = ca.CACertificatePem()
-		key, _ = ca.CAPrivateKeyPem()
-
-		instance.Data = map[string][]byte{
-			certSecretKey:       crt.Bytes(),
-			privateKeySecretKey: key.Bytes(),
-		}
-
-		group := errgroup.Group{}
-		group.Go(func() error {
-			return r.UpdateMutatingWebhookConfiguration(crt.Bytes())
-		})
-		group.Go(func() error {
-			return r.UpdateValidatingWebhookConfiguration(crt.Bytes())
-		})
-		group.Go(func() error {
-			return r.UpdateCustomResourceDefinition(crt.Bytes())
-		})
-
-		if err = group.Wait(); err != nil {
-			return reconcile.Result{}, err
-		}
-	}
-
-	var res controllerutil.OperationResult
-	t := &corev1.Secret{ObjectMeta: instance.ObjectMeta}
-	res, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, t, func() error {
-		t.Data = instance.Data
-		return nil
-	})
-	if err != nil {
-		r.Log.Error(err, "cannot update Capsule TLS")
-		return reconcile.Result{}, err
-	}
-
-	if res == controllerutil.OperationResultUpdated {
-		r.Log.Info("Capsule CA has been updated, we need to trigger TLS update too")
-		tls := &corev1.Secret{}
-		err = r.Get(ctx, types.NamespacedName{
-			Namespace: r.Namespace,
-			Name:      tlsSecretName,
-		}, tls)
-		if err != nil {
-			r.Log.Error(err, "Capsule TLS Secret missing")
-		}
-		err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
-			_, err = controllerutil.CreateOrUpdate(ctx, r.Client, tls, func() error {
-				tls.Data = map[string][]byte{}
-				return nil
-			})
-			return err
-		})
-		if err != nil {
-			r.Log.Error(err, "Cannot clean Capsule TLS Secret due to CA update")
-			return reconcile.Result{}, err
-		}
-	}
-
-	r.Log.Info("Reconciliation completed, processing back in " + rq.String())
-	return reconcile.Result{Requeue: true, RequeueAfter: rq}, nil
-}
--- a/controllers/secret/const.go
+++ b/controllers/secret/const.go
@@ -1,12 +0,0 @@
-// Copyright 2020-2021 Clastix Labs
-// SPDX-License-Identifier: Apache-2.0
-
-package secret
-
-const (
-	certSecretKey       = "tls.crt"
-	privateKeySecretKey = "tls.key"
-
-	caSecretName  = "capsule-ca"
-	tlsSecretName = "capsule-tls"
-)
--- a/Show More
+++ b/Show More