build(helm): support cert-manager for generating tls and ca

Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>

.github/workflows/ci.yml

@@ -7,6 +7,15 @@ on:
     branches: [ "*" ]
 
 jobs:
+  commit_lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@v2
+        with:
+          firstParent: true
   golangci:
     name: lint
     runs-on: ubuntu-latest
@@ -15,7 +24,7 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v2.3.0
         with:
-          version: latest
+          version: v1.45.2
           only-new-issues: false
           args: --timeout 2m --config .golangci.yml
   diff:
@@ -25,18 +34,9 @@ jobs:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - name: Cache Go modules
-        uses: actions/cache@v1
-        env:
-          cache-name: go-mod
+      - uses: actions/setup-go@v2
         with:
-          path: |
-            ~/go/pkg/mod
-            /home/runner/work/capsule/capsule
-          key: ${{ runner.os }}-build-${{ env.cache-name }}
-          restore-keys: |
-            ${{ runner.os }}-build-
-            ${{ runner.os }}-
+          go-version: '1.18'
       - run: make installer
       - name: Checking if YAML installer file is not aligned
         run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi

.github/workflows/docker-ci.yml

@@ -10,12 +10,27 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
 
-      -
-        name: Checkout
+      - name: Checkout
         uses: actions/checkout@v2
 
-      -
-        name: Docker meta
+      - name: Generate build-args
+        id: build-args
+        run: |
+          # Declare vars for internal use
+          VERSION=$(git describe --abbrev=0 --tags)
+          GIT_HEAD_COMMIT=$(git rev-parse --short HEAD)
+          GIT_TAG_COMMIT=$(git rev-parse --short $VERSION)
+          GIT_MODIFIED_1=$(git diff $GIT_HEAD_COMMIT $GIT_TAG_COMMIT --quiet && echo "" || echo ".dev")
+          GIT_MODIFIED_2=$(git diff --quiet && echo "" || echo ".dirty")
+          # Export to GH_ENV
+          echo "GIT_LAST_TAG=$VERSION" >> $GITHUB_ENV
+          echo "GIT_HEAD_COMMIT=$GIT_HEAD_COMMIT" >> $GITHUB_ENV
+          echo "GIT_TAG_COMMIT=$GIT_TAG_COMMIT" >> $GITHUB_ENV
+          echo "GIT_MODIFIED=$(echo "$GIT_MODIFIED_1""$GIT_MODIFIED_2")" >> $GITHUB_ENV
+          echo "GIT_REPO=$(git config --get remote.origin.url)" >> $GITHUB_ENV
+          echo "BUILD_DATE=$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_ENV
+
+      - name: Docker meta
         id: meta
         uses: docker/metadata-action@v3
         with:
@@ -26,22 +41,19 @@ jobs:
           flavor: |
             latest=false
 
-      -
-        name: Set up QEMU
+      - name: Set up QEMU
         id: qemu
         uses: docker/setup-qemu-action@v1
         with:
           platforms: arm64,arm
 
-      -
-        name: Set up Docker Buildx
+      - name: Set up Docker Buildx
         id: buildx
+        uses: docker/setup-buildx-action@v1
         with:
           install: true
-        uses: docker/setup-buildx-action@v1
 
-      -
-        name: Inspect builder
+      - name: Inspect builder
         run: |
           echo "Name:      ${{ steps.buildx.outputs.name }}"
           echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
@@ -49,16 +61,14 @@ jobs:
           echo "Flags:     ${{ steps.buildx.outputs.flags }}"
           echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
 
-      -
-        name: Login to quay.io Container Registry
+      - name: Login to quay.io Container Registry
         uses: docker/login-action@v1 
         with:
           registry: quay.io
           username: ${{ github.repository_owner }}+github
           password: ${{ secrets.BOT_QUAY_IO }}
 
-      -
-        name: Build and push
+      - name: Build and push
         id: build-release
         uses: docker/build-push-action@v2
         with:
@@ -67,7 +77,13 @@ jobs:
           platforms: linux/amd64,linux/arm64,linux/arm
           push: true
           tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            GIT_HEAD_COMMIT=${{ env.GIT_HEAD_COMMIT }}
+            GIT_TAG_COMMIT=${{ env.GIT_TAG_COMMIT }}
+            GIT_REPO=${{ env.GIT_REPO }}
+            GIT_LAST_TAG=${{ env.GIT_LAST_TAG }}
+            GIT_MODIFIED=${{ env.GIT_MODIFIED }}
+            BUILD_DATE=${{ env.BUILD_DATE }}
 
-      -
-        name: Image digest
+      - name: Image digest
         run: echo ${{ steps.build-release.outputs.digest }}

.github/workflows/e2e.yml

@@ -3,46 +3,50 @@ name: e2e
 on:
   push:
     branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
   pull_request:
     branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
 
 jobs:
   kind:
     name: Kubernetes
     strategy:
       matrix:
-        k8s-version: ['v1.16.15', 'v1.17.11', 'v1.18.8', 'v1.19.4', 'v1.20.0']
+        k8s-version: ['v1.16.15', 'v1.17.11', 'v1.18.8', 'v1.19.4', 'v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.0']
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - name: Cache Go modules and Docker images
-        uses: actions/cache@v1
-        env:
-          cache-name: gomod-docker
+      - uses: actions/setup-go@v2
         with:
-          path: |
-            ~/go/pkg/mod
-            /var/lib/docker
-            /home/runner/work/capsule/capsule
-          key: ${{ matrix.k8s-version }}-build-${{ env.cache-name }}
-          restore-keys: |
-            ${{ matrix.k8s-version }}-build-
-            ${{ matrix.k8s-version }}-
+          go-version: '1.18'
       - run: make manifests
       - name: Checking if manifests are disaligned
         run: test -z "$(git diff 2> /dev/null)"
       - name: Checking if manifests generated untracked files
         run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - name: Installing Ginkgo
-        run: go get github.com/onsi/ginkgo/ginkgo
-      - uses: actions/setup-go@v2
-        with:
-          go-version: '^1.13.8'
       - uses: engineerd/setup-kind@v0.5.0
         with:
           skipClusterCreation: true
+          version: v0.11.1
       - uses: azure/setup-helm@v1
         with:
           version: 3.3.4

.github/workflows/helm.yml

@@ -3,6 +3,7 @@ name: Helm Chart
 on:
   push:
     branches: [ "*" ]
+    tags: [ "helm-v*" ]
   pull_request:
     branches: [ "*" ]
 

.gitignore

@@ -22,6 +22,7 @@ bin
 *.swp
 *.swo
 *~
+.vscode
 
 **/*.kubeconfig
 **/*.crt

.golangci.yml

@@ -1,51 +1,39 @@
 linters-settings:
   govet:
     check-shadowing: true
-  golint:
-    min-confidence: 0
-  maligned:
-    suggest-new: true
-  goimports:
-    local-prefixes: github.com/clastix/capsule
   dupl:
     threshold: 100
   goconst:
     min-len: 2
     min-occurrences: 2
+  cyclop:
+    max-complexity: 27
+  gocognit:
+    min-complexity: 50
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/clastix/capsule)
 linters:
-  disable-all: true
-  enable:
-    - bodyclose
-    - deadcode
-    - depguard
-    - dogsled
-    - dupl
-    - errcheck
-    - goconst
-    - gocritic
-    - gofmt
-    - goimports
-    - golint
-    - goprintffuncname
-    - gosec
-    - gosimple
-    - govet
-    - ineffassign
-    - interfacer
-    - misspell
-    - nolintlint
-    - rowserrcheck
-    - scopelint
-    - staticcheck
-    - structcheck
-    - stylecheck
-    - typecheck
-    - unconvert
-    - unparam
-    - unused
-    - varcheck
-    - whitespace
+  enable-all: true
+  disable:
+    - funlen
+    - gochecknoinits
+    - lll
+    - exhaustivestruct
     - maligned
+    - interfacer
+    - scopelint
+    - golint
+    - gochecknoglobals
+    - goerr113
+    - gomnd
+    - paralleltest
+    - ireturn
+    - testpackage
+    - varnamelen
+    - wrapcheck
 
 issues:
   exclude:

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.16 as builder
+FROM golang:1.18 as builder
 
 ARG TARGETARCH
 ARG GIT_HEAD_COMMIT

Makefile

@@ -1,5 +1,5 @@
 # Current Operator version
-VERSION ?= $$(git describe --abbrev=0 --tags)
+VERSION ?= $$(git describe --abbrev=0 --tags --match "v*")
 
 # Default bundle image tag
 BUNDLE_IMG ?= quay.io/clastix/capsule:$(VERSION)-bundle
@@ -40,12 +40,12 @@ test: generate manifests
 	go test ./... -coverprofile cover.out
 
 # Build manager binary
-manager: generate fmt vet
-	go build -o bin/manager main.go
+manager: generate golint
+	go build -o bin/manager
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate manifests
-	go run ./main.go
+	go run .
 
 # Creates the single file to install Capsule without any external dependency
 installer: manifests kustomize
@@ -78,6 +78,58 @@ manifests: controller-gen
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
+# Setup development env
+# Usage: 
+# 	LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
+# For example:
+#	LAPTOP_HOST_IP=192.168.10.101 make dev-setup
+define TLS_CNF
+[ req ]
+default_bits       = 4096
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+[ req_distinguished_name ]
+countryName                = SG
+stateOrProvinceName        = SG
+localityName               = SG
+organizationName           = CAPSULE
+commonName                 = CAPSULE
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+IP.1   = $(LAPTOP_HOST_IP)
+endef
+export TLS_CNF
+dev-setup:
+	kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
+	mkdir -p /tmp/k8s-webhook-server/serving-certs
+	echo "$${TLS_CNF}" > _tls.cnf
+	openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
+		-subj "/C=SG/ST=SG/L=SG/O=CAPSULE/CN=CAPSULE" \
+		-extensions req_ext \
+		-config _tls.cnf \
+		-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
+		-out /tmp/k8s-webhook-server/serving-certs/tls.crt
+	rm -f _tls.cnf 
+	export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
+	export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
+	kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
+		--type='json' -p="[\
+			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/mutate-v1-namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\
+		]" && \
+	kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+		--type='json' -p="[\
+			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}},\
+			{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}}\
+		]";
+
 # Build the docker image
 docker-build: test
 	docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \
@@ -93,23 +145,33 @@ docker-push:
 
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0)
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0)
+
+GINKGO = $(shell pwd)/bin/ginkgo
+ginkgo: ## Download ginkgo locally if necessary.
+	$(call go-install-tool,$(KUSTOMIZE),github.com/onsi/ginkgo/ginkgo@v1.16.5)
 
 KUSTOMIZE = $(shell pwd)/bin/kustomize
 kustomize: ## Download kustomize locally if necessary.
-	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7)
+	$(call install-kustomize,$(KUSTOMIZE),3.8.7)
 
-# go-get-tool will 'go get' any package $2 and install it to $1.
-PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
-define go-get-tool
+define install-kustomize
 @[ -f $(1) ] || { \
 set -e ;\
-TMP_DIR=$$(mktemp -d) ;\
-cd $$TMP_DIR ;\
-go mod init tmp ;\
-echo "Downloading $(2)" ;\
-GOBIN=$(PROJECT_DIR)/bin go get $(2) ;\
-rm -rf $$TMP_DIR ;\
+echo "Installing v$(2)" ;\
+cd bin ;\
+wget "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" ;\
+bash ./install_kustomize.sh $(2) ;\
+}
+endef
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+@[ -f $(1) ] || { \
+set -e ;\
+echo "Installing $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 }
 endef
 
@@ -135,7 +197,7 @@ golint:
 
 # Running e2e tests in a KinD instance
 .PHONY: e2e
-e2e/%:
+e2e/%: ginkgo
 	kind create cluster --name capsule --image=kindest/node:$*
 	make docker-build
 	kind load docker-image --nodes capsule-control-plane --name capsule $(IMG)
@@ -151,5 +213,5 @@ e2e/%:
 		--set 'manager.readinessProbe.failureThreshold=10' \
 		capsule \
 		./charts/capsule
-	ginkgo -v -tags e2e ./e2e
+	$(GINKGO) -v -tags e2e ./e2e
 	kind delete cluster --name capsule

README.md

@@ -13,180 +13,72 @@
 
 ---
 
-# Kubernetes multi-tenancy made simple
-**Capsule** helps to implement a multi-tenancy and policy-based environment in your Kubernetes cluster. It is not intended to be yet another _PaaS_, instead, it has been designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.
+# Kubernetes multi-tenancy made easy
+
+**Capsule** implements a multi-tenant and policy-based environment in your Kubernetes cluster. It is designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.
 
 # What's the problem with the current status?
 
 Kubernetes introduces the _Namespace_ object type to create logical partitions of the cluster as isolated *slices*. However, implementing advanced multi-tenancy scenarios, it soon becomes complicated because of the flat structure of Kubernetes namespaces and the impossibility to share resources among namespaces belonging to the same tenant. To overcome this, cluster admins tend to provision a dedicated cluster for each groups of users, teams, or departments. As an organization grows, the number of clusters to manage and keep aligned becomes an operational nightmare, described as the well know phenomena of the _clusters sprawl_.
 
-
 # Entering Capsule
-Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources while the Capsule Policy Engine keeps the different tenants isolated from each other.
 
-The _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator. Take a look at following diagram:
+Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources. 
 
-<p align="center" style="padding: 60px 20px">
-  <img src="assets/capsule-operator.svg" />
-</p>
+On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator. 
 
 # Features
+
 ## Self-Service
-Leave to developers the freedom to self-provision their cluster resources according to the assigned boundaries.
+
+Leave developers the freedom to self-provision their cluster resources according to the assigned boundaries.
 
 ## Preventing Clusters Sprawl
+
 Share a single cluster with multiple teams, groups of users, or departments by saving operational and management efforts.
 
 ## Governance
-Leverage Kubernetes Admission Controllers to enforce the industry security best practices and meet legal requirements.
+
+Leverage Kubernetes Admission Controllers to enforce the industry security best practices and meet policy requirements.
 
 ## Resources Control
+
 Take control of the resources consumed by users while preventing them to overtake.
 
 ## Native Experience
+
 Provide multi-tenancy with a native Kubernetes experience without introducing additional management layers, plugins, or customized binaries.
 
 ## GitOps ready
+
 Capsule is completely declarative and GitOps ready.
 
 ## Bring your own device (BYOD)
+
 Assign to tenants a dedicated set of compute, storage, and network resources and avoid the noisy neighbors' effect.
 
-# Common use cases for Capsule
-Please, refer to the corresponding [section](./docs/operator/use-cases/overview.md) in the project documentation for a detailed list of common use cases that Capsule can address.
-
-# Installation
-Make sure you have access to a Kubernetes cluster as administrator.
-
-There are two ways to install Capsule:
-
-* Use the Helm Chart available [here](./charts/capsule/README.md)
-* Use the [single YAML file installer](./config/install.yaml)
-
-## Install with the single YAML file installer
-
-Ensure you have `kubectl` installed in your `PATH`. 
-
-Clone this repository and move to the repo folder:
-
-```
-$ kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/master/config/install.yaml
-namespace/capsule-system created
-customresourcedefinition.apiextensions.k8s.io/capsuleconfigurations.capsule.clastix.io created
-customresourcedefinition.apiextensions.k8s.io/tenants.capsule.clastix.io created
-clusterrolebinding.rbac.authorization.k8s.io/capsule-manager-rolebinding created
-secret/capsule-ca created
-secret/capsule-tls created
-service/capsule-controller-manager-metrics-service created
-service/capsule-webhook-service created
-deployment.apps/capsule-controller-manager created
-capsuleconfiguration.capsule.clastix.io/capsule-default created
-mutatingwebhookconfiguration.admissionregistration.k8s.io/capsule-mutating-webhook-configuration created
-validatingwebhookconfiguration.admissionregistration.k8s.io/capsule-validating-webhook-configuration created
-```
-
-It will install the Capsule controller in a dedicated namespace `capsule-system`.
-
-## How to create Tenants
-Use the scaffold [Tenant](config/samples/capsule_v1alpha1_tenant.yaml) and simply apply as cluster admin.
-
-```
-$ kubectl apply -f config/samples/capsule_v1alpha1_tenant.yaml
-tenant.capsule.clastix.io/oil created
-```
-
-You can check the tenant just created as
-
-```
-$ kubectl get tenants
-NAME      NAMESPACE QUOTA   NAMESPACE COUNT   OWNER NAME   OWNER KIND   NODE SELECTOR    AGE
-oil       3                 0                 alice        User                          1m
-```
-
-## Tenant owners
-Each tenant comes with a delegated user or group of users acting as the tenant admin. In the Capsule jargon, this is called the _Tenant Owner_. Other users can operate inside a tenant with different levels of permissions and authorizations assigned directly by the Tenant Owner.
-
-Capsule does not care about the authentication strategy used in the cluster and all the Kubernetes methods of [authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) are supported. The only requirement to use Capsule is to assign tenant users to the the group defined by `--capsule-user-group` option, which defaults to `capsule.clastix.io`.
-
-Assignment to a group depends on the authentication strategy in your cluster.
-
-For example, if you are using `capsule.clastix.io`, users authenticated through a _X.509_ certificate must have `capsule.clastix.io` as _Organization_: `-subj "/CN=${USER}/O=capsule.clastix.io"`
-
-Users authenticated through an _OIDC token_ must have
-
-```json
-...
-"users_groups": [
-    "capsule.clastix.io",
-    "other_group"
-]
-```
-
-in their token.
-
-The [hack/create-user.sh](hack/create-user.sh) can help you set up a dummy `kubeconfig` for the `alice` user acting as owner of a tenant called `oil`
-
-```bash
-./hack/create-user.sh alice oil
-creating certs in TMPDIR /tmp/tmp.4CLgpuime3 
-Generating RSA private key, 2048 bit long modulus (2 primes)
-............+++++
-........................+++++
-e is 65537 (0x010001)
-certificatesigningrequest.certificates.k8s.io/alice-oil created
-certificatesigningrequest.certificates.k8s.io/alice-oil approved
-kubeconfig file is: alice-oil.kubeconfig
-to use it as alice export KUBECONFIG=alice-oil.kubeconfig
-```
-
-## Working with Tenants
-Log in to the Kubernetes cluster as `alice` tenant owner
-
-```
-$ export KUBECONFIG=alice-oil.kubeconfig
-```
-
-and create a couple of new namespaces
-
-```
-$ kubectl create namespace oil-production
-$ kubectl create namespace oil-development
-```
-
-As user `alice` you can operate with fully admin permissions:
-
-```
-$ kubectl -n oil-development run nginx --image=docker.io/nginx 
-$ kubectl -n oil-development get pods
-```
-
-but limited to only your own namespaces:
-
-```
-$ kubectl -n kube-system get pods
-Error from server (Forbidden): pods is forbidden:
-User "alice" cannot list resource "pods" in API group "" in the namespace "kube-system"
-```
-
 # Documentation
-Please, check the project [documentation](./docs/index.md) for more cool things you can do with Capsule.
 
-# Removal
-Similar to `deploy`, you can get rid of Capsule using the `remove` target.
+Please, check the project [documentation](https://capsule.clastix.io) for the cool things you can do with Capsule.
 
-```
-$ make remove
-```
+# Contributions
+
+Capsule is Open Source with Apache 2 license and any contribution is welcome.
+
+## Community
+
+Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/clastix/capsule-community).
+
+# Governance
+
+You can find how the Capsule project is governed [here](https://capsule.clastix.io/docs/contributing/governance).
 
 # FAQ
+
 - Q. How to pronounce Capsule?
 
   A. It should be pronounced as `/ˈkæpsjuːl/`.
 
-- Q. Can I contribute?
-
-  A. Absolutely! Capsule is Open Source with Apache 2 license and any contribution is welcome. Please refer to the corresponding [section](./docs/operator/contributing.md) in the documentation.
-
 - Q. Is it production grade?
 
   A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/clastix/capsule/releases) page for a detailed list of available versions.

api/v1alpha1/allowed_list.go

@@ -19,9 +19,12 @@ func (in *AllowedListSpec) ExactMatch(value string) (ok bool) {
 		sort.SliceStable(in.Exact, func(i, j int) bool {
 			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
 		})
+
 		i := sort.SearchStrings(in.Exact, value)
+
 		ok = i < len(in.Exact) && in.Exact[i] == value
 	}
+
 	return
 }
 
@@ -29,5 +32,6 @@ func (in AllowedListSpec) RegexMatch(value string) (ok bool) {
 	if len(in.Regex) > 0 {
 		ok = regexp.MustCompile(in.Regex).MatchString(value)
 	}
+
 	return
 }

api/v1alpha1/allowed_list_test.go

@@ -15,6 +15,7 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{
 			[]string{"foo", "bar", "bizz", "buzz"},
@@ -35,9 +36,11 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Exact: tc.In,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.ExactMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.ExactMatch(ko))
 		}
@@ -50,6 +53,7 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
 		{``, nil, []string{"any", "value"}},
@@ -57,9 +61,11 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Regex: tc.Regex,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.RegexMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.RegexMatch(ko))
 		}

api/v1alpha1/capsuleconfiguration_annotations.go

@@ -0,0 +1,12 @@
+package v1alpha1
+
+const (
+	ForbiddenNodeLabelsAnnotation            = "capsule.clastix.io/forbidden-node-labels"
+	ForbiddenNodeLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-node-labels-regexp"
+	ForbiddenNodeAnnotationsAnnotation       = "capsule.clastix.io/forbidden-node-annotations"
+	ForbiddenNodeAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-node-annotations-regexp"
+	CASecretNameAnnotation                   = "capsule.clastix.io/ca-secret-name"
+	TLSSecretNameAnnotation                  = "capsule.clastix.io/tls-secret-name"
+	MutatingWebhookConfigurationName         = "capsule.clastix.io/mutating-webhook-configuration-name"
+	ValidatingWebhookConfigurationName       = "capsule.clastix.io/validating-webhook-configuration-name"
+)

api/v1alpha1/capsuleconfiguration_types.go

@@ -7,8 +7,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// CapsuleConfigurationSpec defines the Capsule configuration
-// nolint:maligned
+// CapsuleConfigurationSpec defines the Capsule configuration.
 type CapsuleConfigurationSpec struct {
 	// Names of the groups for Capsule users.
 	// +kubebuilder:default={capsule.clastix.io}
@@ -19,21 +18,12 @@ type CapsuleConfigurationSpec struct {
 	ForceTenantPrefix bool `json:"forceTenantPrefix,omitempty"`
 	// Disallow creation of namespaces, whose name matches this regexp
 	ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
-	// When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed.
-	// Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of
-	// two or more Tenant resources although sharing the same allowed hostname(s).
-	//
-	// The JSON path of the resource is: /spec/ingressHostnames/allowed
-	AllowTenantIngressHostnamesCollision bool `json:"allowTenantIngressHostnamesCollision,omitempty"`
-	// Allow the collision of Ingress resource hostnames across all the Tenants.
-	// +kubebuilder:default=true
-	AllowIngressHostnameCollision bool `json:"allowIngressHostnameCollision,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster
 
-// CapsuleConfiguration is the Schema for the Capsule configuration API
+// CapsuleConfiguration is the Schema for the Capsule configuration API.
 type CapsuleConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -43,7 +33,7 @@ type CapsuleConfiguration struct {
 
 // +kubebuilder:object:root=true
 
-// CapsuleConfigurationList contains a list of CapsuleConfiguration
+// CapsuleConfigurationList contains a list of CapsuleConfiguration.
 type CapsuleConfigurationList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`

api/v1alpha1/conversion_hub.go

@@ -17,53 +17,67 @@ import (
 )
 
 const (
+	resourceQuotaScopeAnnotation = "capsule.clastix.io/resource-quota-scope"
+
 	podAllowedImagePullPolicyAnnotation = "capsule.clastix.io/allowed-image-pull-policy"
 
 	podPriorityAllowedAnnotation      = "priorityclass.capsule.clastix.io/allowed"
 	podPriorityAllowedRegexAnnotation = "priorityclass.capsule.clastix.io/allowed-regex"
 
-	enableNodePortsAnnotation = "capsule.clastix.io/enable-node-ports"
+	enableNodePortsAnnotation    = "capsule.clastix.io/enable-node-ports"
+	enableExternalNameAnnotation = "capsule.clastix.io/enable-external-name"
+	enableLoadBalancerAnnotation = "capsule.clastix.io/enable-loadbalancer-service"
 
 	ownerGroupsAnnotation         = "owners.capsule.clastix.io/group"
 	ownerUsersAnnotation          = "owners.capsule.clastix.io/user"
 	ownerServiceAccountAnnotation = "owners.capsule.clastix.io/serviceaccount"
 
-	enableNodeListingAnnotation          = "capsule.clastix.io/enable-node-listing"
-	enableNodeUpdateAnnotation           = "capsule.clastix.io/enable-node-update"
-	enableNodeDeletionAnnotation         = "capsule.clastix.io/enable-node-deletion"
-	enableStorageClassListingAnnotation  = "capsule.clastix.io/enable-storageclass-listing"
-	enableStorageClassUpdateAnnotation   = "capsule.clastix.io/enable-storageclass-update"
-	enableStorageClassDeletionAnnotation = "capsule.clastix.io/enable-storageclass-deletion"
-	enableIngressClassListingAnnotation  = "capsule.clastix.io/enable-ingressclass-listing"
-	enableIngressClassUpdateAnnotation   = "capsule.clastix.io/enable-ingressclass-update"
-	enableIngressClassDeletionAnnotation = "capsule.clastix.io/enable-ingressclass-deletion"
+	enableNodeListingAnnotation           = "capsule.clastix.io/enable-node-listing"
+	enableNodeUpdateAnnotation            = "capsule.clastix.io/enable-node-update"
+	enableNodeDeletionAnnotation          = "capsule.clastix.io/enable-node-deletion"
+	enableStorageClassListingAnnotation   = "capsule.clastix.io/enable-storageclass-listing"
+	enableStorageClassUpdateAnnotation    = "capsule.clastix.io/enable-storageclass-update"
+	enableStorageClassDeletionAnnotation  = "capsule.clastix.io/enable-storageclass-deletion"
+	enableIngressClassListingAnnotation   = "capsule.clastix.io/enable-ingressclass-listing"
+	enableIngressClassUpdateAnnotation    = "capsule.clastix.io/enable-ingressclass-update"
+	enableIngressClassDeletionAnnotation  = "capsule.clastix.io/enable-ingressclass-deletion"
+	enablePriorityClassListingAnnotation  = "capsule.clastix.io/enable-priorityclass-listing"
+	enablePriorityClassUpdateAnnotation   = "capsule.clastix.io/enable-priorityclass-update"
+	enablePriorityClassDeletionAnnotation = "capsule.clastix.io/enable-priorityclass-deletion"
+
+	ingressHostnameCollisionScope = "ingress.capsule.clastix.io/hostname-collision-scope"
 )
 
 func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
-	var serviceKindToAnnotationMap = map[capsulev1beta1.ProxyServiceKind][]string{
-		capsulev1beta1.NodesProxy:          {enableNodeListingAnnotation, enableNodeUpdateAnnotation, enableNodeDeletionAnnotation},
-		capsulev1beta1.StorageClassesProxy: {enableStorageClassListingAnnotation, enableStorageClassUpdateAnnotation, enableStorageClassDeletionAnnotation},
-		capsulev1beta1.IngressClassesProxy: {enableIngressClassListingAnnotation, enableIngressClassUpdateAnnotation, enableIngressClassDeletionAnnotation},
+	serviceKindToAnnotationMap := map[capsulev1beta1.ProxyServiceKind][]string{
+		capsulev1beta1.NodesProxy:           {enableNodeListingAnnotation, enableNodeUpdateAnnotation, enableNodeDeletionAnnotation},
+		capsulev1beta1.StorageClassesProxy:  {enableStorageClassListingAnnotation, enableStorageClassUpdateAnnotation, enableStorageClassDeletionAnnotation},
+		capsulev1beta1.IngressClassesProxy:  {enableIngressClassListingAnnotation, enableIngressClassUpdateAnnotation, enableIngressClassDeletionAnnotation},
+		capsulev1beta1.PriorityClassesProxy: {enablePriorityClassListingAnnotation, enablePriorityClassUpdateAnnotation, enablePriorityClassDeletionAnnotation},
 	}
-	var annotationToOperationMap = map[string]capsulev1beta1.ProxyOperation{
-		enableNodeListingAnnotation:          capsulev1beta1.ListOperation,
-		enableNodeUpdateAnnotation:           capsulev1beta1.UpdateOperation,
-		enableNodeDeletionAnnotation:         capsulev1beta1.DeleteOperation,
-		enableStorageClassListingAnnotation:  capsulev1beta1.ListOperation,
-		enableStorageClassUpdateAnnotation:   capsulev1beta1.UpdateOperation,
-		enableStorageClassDeletionAnnotation: capsulev1beta1.DeleteOperation,
-		enableIngressClassListingAnnotation:  capsulev1beta1.ListOperation,
-		enableIngressClassUpdateAnnotation:   capsulev1beta1.UpdateOperation,
-		enableIngressClassDeletionAnnotation: capsulev1beta1.DeleteOperation,
+	annotationToOperationMap := map[string]capsulev1beta1.ProxyOperation{
+		enableNodeListingAnnotation:           capsulev1beta1.ListOperation,
+		enableNodeUpdateAnnotation:            capsulev1beta1.UpdateOperation,
+		enableNodeDeletionAnnotation:          capsulev1beta1.DeleteOperation,
+		enableStorageClassListingAnnotation:   capsulev1beta1.ListOperation,
+		enableStorageClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
+		enableStorageClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
+		enableIngressClassListingAnnotation:   capsulev1beta1.ListOperation,
+		enableIngressClassUpdateAnnotation:    capsulev1beta1.UpdateOperation,
+		enableIngressClassDeletionAnnotation:  capsulev1beta1.DeleteOperation,
+		enablePriorityClassListingAnnotation:  capsulev1beta1.ListOperation,
+		enablePriorityClassUpdateAnnotation:   capsulev1beta1.UpdateOperation,
+		enablePriorityClassDeletionAnnotation: capsulev1beta1.DeleteOperation,
 	}
-	var annotationToOwnerKindMap = map[string]capsulev1beta1.OwnerKind{
+	annotationToOwnerKindMap := map[string]capsulev1beta1.OwnerKind{
 		ownerUsersAnnotation:          capsulev1beta1.UserOwner,
 		ownerGroupsAnnotation:         capsulev1beta1.GroupOwner,
 		ownerServiceAccountAnnotation: capsulev1beta1.ServiceAccountOwner,
 	}
+
 	annotations := t.GetAnnotations()
 
-	var operations = make(map[string]map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
+	operations := make(map[string]map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
 
 	for serviceKind, operationAnnotations := range serviceKindToAnnotationMap {
 		for _, operationAnnotation := range operationAnnotations {
@@ -73,6 +87,7 @@ func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
 					if _, exists := operations[owner]; !exists {
 						operations[owner] = make(map[capsulev1beta1.ProxyServiceKind][]capsulev1beta1.ProxyOperation)
 					}
+
 					operations[owner][serviceKind] = append(operations[owner][serviceKind], annotationToOperationMap[operationAnnotation])
 				}
 			}
@@ -81,7 +96,7 @@ func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
 
 	var owners capsulev1beta1.OwnerListSpec
 
-	var getProxySettingsForOwner = func(ownerName string) (settings []capsulev1beta1.ProxySettings) {
+	getProxySettingsForOwner := func(ownerName string) (settings []capsulev1beta1.ProxySettings) {
 		ownerOperations, ok := operations[ownerName]
 		if ok {
 			for k, v := range ownerOperations {
@@ -91,6 +106,7 @@ func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
 				})
 			}
 		}
+
 		return
 	}
 
@@ -116,70 +132,120 @@ func (t *Tenant) convertV1Alpha1OwnerToV1Beta1() capsulev1beta1.OwnerListSpec {
 	return owners
 }
 
+// nolint:gocognit,gocyclo,cyclop,maintidx
 func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
-	dst := dstRaw.(*capsulev1beta1.Tenant)
+	dst, ok := dstRaw.(*capsulev1beta1.Tenant)
+	if !ok {
+		return fmt.Errorf("expected type *capsulev1beta1.Tenant, got %T", dst)
+	}
+
 	annotations := t.GetAnnotations()
 
 	// ObjectMeta
 	dst.ObjectMeta = t.ObjectMeta
 
 	// Spec
-	dst.Spec.NamespaceQuota = t.Spec.NamespaceQuota
+	if t.Spec.NamespaceQuota != nil {
+		if dst.Spec.NamespaceOptions == nil {
+			dst.Spec.NamespaceOptions = &capsulev1beta1.NamespaceOptions{}
+		}
+
+		dst.Spec.NamespaceOptions.Quota = t.Spec.NamespaceQuota
+	}
+
 	dst.Spec.NodeSelector = t.Spec.NodeSelector
 
 	dst.Spec.Owners = t.convertV1Alpha1OwnerToV1Beta1()
 
 	if t.Spec.NamespacesMetadata != nil {
-		dst.Spec.NamespacesMetadata = &capsulev1beta1.AdditionalMetadataSpec{
-			AdditionalLabels:      t.Spec.NamespacesMetadata.AdditionalLabels,
-			AdditionalAnnotations: t.Spec.NamespacesMetadata.AdditionalAnnotations,
+		if dst.Spec.NamespaceOptions == nil {
+			dst.Spec.NamespaceOptions = &capsulev1beta1.NamespaceOptions{}
+		}
+
+		dst.Spec.NamespaceOptions.AdditionalMetadata = &capsulev1beta1.AdditionalMetadataSpec{
+			Labels:      t.Spec.NamespacesMetadata.AdditionalLabels,
+			Annotations: t.Spec.NamespacesMetadata.AdditionalAnnotations,
 		}
 	}
+
 	if t.Spec.ServicesMetadata != nil {
-		dst.Spec.ServicesMetadata = &capsulev1beta1.AdditionalMetadataSpec{
-			AdditionalLabels:      t.Spec.ServicesMetadata.AdditionalLabels,
-			AdditionalAnnotations: t.Spec.ServicesMetadata.AdditionalAnnotations,
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{
+				AdditionalMetadata: &capsulev1beta1.AdditionalMetadataSpec{
+					Labels:      t.Spec.ServicesMetadata.AdditionalLabels,
+					Annotations: t.Spec.ServicesMetadata.AdditionalAnnotations,
+				},
+			}
 		}
 	}
+
 	if t.Spec.StorageClasses != nil {
 		dst.Spec.StorageClasses = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.StorageClasses.Exact,
 			Regex: t.Spec.StorageClasses.Regex,
 		}
 	}
+
+	if v, annotationOk := t.Annotations[ingressHostnameCollisionScope]; annotationOk {
+		switch v {
+		case string(capsulev1beta1.HostnameCollisionScopeCluster), string(capsulev1beta1.HostnameCollisionScopeTenant), string(capsulev1beta1.HostnameCollisionScopeNamespace):
+			dst.Spec.IngressOptions.HostnameCollisionScope = capsulev1beta1.HostnameCollisionScope(v)
+		default:
+			dst.Spec.IngressOptions.HostnameCollisionScope = capsulev1beta1.HostnameCollisionScopeDisabled
+		}
+	}
+
 	if t.Spec.IngressClasses != nil {
-		dst.Spec.IngressClasses = &capsulev1beta1.AllowedListSpec{
+		dst.Spec.IngressOptions.AllowedClasses = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.IngressClasses.Exact,
 			Regex: t.Spec.IngressClasses.Regex,
 		}
 	}
+
 	if t.Spec.IngressHostnames != nil {
-		dst.Spec.IngressHostnames = &capsulev1beta1.AllowedListSpec{
+		dst.Spec.IngressOptions.AllowedHostnames = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.IngressHostnames.Exact,
 			Regex: t.Spec.IngressHostnames.Regex,
 		}
 	}
+
 	if t.Spec.ContainerRegistries != nil {
 		dst.Spec.ContainerRegistries = &capsulev1beta1.AllowedListSpec{
 			Exact: t.Spec.ContainerRegistries.Exact,
 			Regex: t.Spec.ContainerRegistries.Regex,
 		}
 	}
+
 	if len(t.Spec.NetworkPolicies) > 0 {
-		dst.Spec.NetworkPolicies = &capsulev1beta1.NetworkPolicySpec{
+		dst.Spec.NetworkPolicies = capsulev1beta1.NetworkPolicySpec{
 			Items: t.Spec.NetworkPolicies,
 		}
 	}
+
 	if len(t.Spec.LimitRanges) > 0 {
-		dst.Spec.LimitRanges = &capsulev1beta1.LimitRangesSpec{
+		dst.Spec.LimitRanges = capsulev1beta1.LimitRangesSpec{
 			Items: t.Spec.LimitRanges,
 		}
 	}
+
 	if len(t.Spec.ResourceQuota) > 0 {
-		dst.Spec.ResourceQuota = &capsulev1beta1.ResourceQuotaSpec{
+		dst.Spec.ResourceQuota = capsulev1beta1.ResourceQuotaSpec{
+			Scope: func() capsulev1beta1.ResourceQuotaScope {
+				if v, annotationOk := t.GetAnnotations()[resourceQuotaScopeAnnotation]; annotationOk {
+					switch v {
+					case string(capsulev1beta1.ResourceQuotaScopeNamespace):
+						return capsulev1beta1.ResourceQuotaScopeNamespace
+					case string(capsulev1beta1.ResourceQuotaScopeTenant):
+						return capsulev1beta1.ResourceQuotaScopeTenant
+					}
+				}
+
+				return capsulev1beta1.ResourceQuotaScopeTenant
+			}(),
 			Items: t.Spec.ResourceQuota,
 		}
 	}
+
 	if len(t.Spec.AdditionalRoleBindings) > 0 {
 		for _, rb := range t.Spec.AdditionalRoleBindings {
 			dst.Spec.AdditionalRoleBindings = append(dst.Spec.AdditionalRoleBindings, capsulev1beta1.AdditionalRoleBindingsSpec{
@@ -188,13 +254,18 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 			})
 		}
 	}
+
 	if t.Spec.ExternalServiceIPs != nil {
-		dst.Spec.ExternalServiceIPs = &capsulev1beta1.ExternalServiceIPsSpec{
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+
+		dst.Spec.ServiceOptions.ExternalServiceIPs = &capsulev1beta1.ExternalServiceIPsSpec{
 			Allowed: make([]capsulev1beta1.AllowedIP, len(t.Spec.ExternalServiceIPs.Allowed)),
 		}
 
 		for i, IP := range t.Spec.ExternalServiceIPs.Allowed {
-			dst.Spec.ExternalServiceIPs.Allowed[i] = capsulev1beta1.AllowedIP(IP)
+			dst.Spec.ServiceOptions.ExternalServiceIPs.Allowed[i] = capsulev1beta1.AllowedIP(IP)
 		}
 	}
 
@@ -208,10 +279,13 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 	priorityClasses := capsulev1beta1.AllowedListSpec{}
 
 	priorityClassAllowed, ok := annotations[podPriorityAllowedAnnotation]
+
 	if ok {
 		priorityClasses.Exact = strings.Split(priorityClassAllowed, ",")
 	}
+
 	priorityClassesRegexp, ok := annotations[podPriorityAllowedRegexAnnotation]
+
 	if ok {
 		priorityClasses.Regex = priorityClassesRegexp
 	}
@@ -226,20 +300,65 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 		if err != nil {
 			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableNodePortsAnnotation, t.GetName()))
 		}
-		dst.Spec.EnableNodePorts = pointer.BoolPtr(val)
+
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+
+		dst.Spec.ServiceOptions.AllowedServices.NodePort = pointer.BoolPtr(val)
 	}
 
+	enableExternalName, ok := annotations[enableExternalNameAnnotation]
+	if ok {
+		val, err := strconv.ParseBool(enableExternalName)
+		if err != nil {
+			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableExternalNameAnnotation, t.GetName()))
+		}
+
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+
+		dst.Spec.ServiceOptions.AllowedServices.ExternalName = pointer.BoolPtr(val)
+	}
+
+	loadBalancerService, ok := annotations[enableLoadBalancerAnnotation]
+	if ok {
+		val, err := strconv.ParseBool(loadBalancerService)
+		if err != nil {
+			return errors.Wrap(err, fmt.Sprintf("unable to parse %s annotation on tenant %s", enableLoadBalancerAnnotation, t.GetName()))
+		}
+
+		if dst.Spec.ServiceOptions == nil {
+			dst.Spec.ServiceOptions = &capsulev1beta1.ServiceOptions{}
+		}
+
+		if dst.Spec.ServiceOptions.AllowedServices == nil {
+			dst.Spec.ServiceOptions.AllowedServices = &capsulev1beta1.AllowedServices{}
+		}
+
+		dst.Spec.ServiceOptions.AllowedServices.LoadBalancer = pointer.BoolPtr(val)
+	}
 	// Status
 	dst.Status = capsulev1beta1.TenantStatus{
 		Size:       t.Status.Size,
 		Namespaces: t.Status.Namespaces,
 	}
-
 	// Remove unneeded annotations
 	delete(dst.ObjectMeta.Annotations, podAllowedImagePullPolicyAnnotation)
 	delete(dst.ObjectMeta.Annotations, podPriorityAllowedAnnotation)
 	delete(dst.ObjectMeta.Annotations, podPriorityAllowedRegexAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableNodePortsAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableExternalNameAnnotation)
+	delete(dst.ObjectMeta.Annotations, enableLoadBalancerAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerGroupsAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerUsersAnnotation)
 	delete(dst.ObjectMeta.Annotations, ownerServiceAccountAnnotation)
@@ -252,18 +371,24 @@ func (t *Tenant) ConvertTo(dstRaw conversion.Hub) error {
 	delete(dst.ObjectMeta.Annotations, enableIngressClassListingAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableIngressClassUpdateAnnotation)
 	delete(dst.ObjectMeta.Annotations, enableIngressClassDeletionAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassListingAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassUpdateAnnotation)
+	delete(dst.ObjectMeta.Annotations, enablePriorityClassDeletionAnnotation)
+	delete(dst.ObjectMeta.Annotations, resourceQuotaScopeAnnotation)
+	delete(dst.ObjectMeta.Annotations, ingressHostnameCollisionScope)
 
 	return nil
 }
 
+// nolint:gocognit,gocyclo,cyclop
 func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
-	var ownersAnnotations = map[string][]string{
+	ownersAnnotations := map[string][]string{
 		ownerGroupsAnnotation:         nil,
 		ownerUsersAnnotation:          nil,
 		ownerServiceAccountAnnotation: nil,
 	}
 
-	var proxyAnnotations = map[string][]string{
+	proxyAnnotations := map[string][]string{
 		enableNodeListingAnnotation:          nil,
 		enableNodeUpdateAnnotation:           nil,
 		enableNodeDeletionAnnotation:         nil,
@@ -291,6 +416,7 @@ func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 				ownersAnnotations[ownerServiceAccountAnnotation] = append(ownersAnnotations[ownerServiceAccountAnnotation], owner.Name)
 			}
 		}
+
 		for _, setting := range owner.ProxyOperations {
 			switch setting.Kind {
 			case capsulev1beta1.NodesProxy:
@@ -304,6 +430,17 @@ func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 						proxyAnnotations[enableNodeDeletionAnnotation] = append(proxyAnnotations[enableNodeDeletionAnnotation], owner.Name)
 					}
 				}
+			case capsulev1beta1.PriorityClassesProxy:
+				for _, operation := range setting.Operations {
+					switch operation {
+					case capsulev1beta1.ListOperation:
+						proxyAnnotations[enablePriorityClassListingAnnotation] = append(proxyAnnotations[enablePriorityClassListingAnnotation], owner.Name)
+					case capsulev1beta1.UpdateOperation:
+						proxyAnnotations[enablePriorityClassUpdateAnnotation] = append(proxyAnnotations[enablePriorityClassUpdateAnnotation], owner.Name)
+					case capsulev1beta1.DeleteOperation:
+						proxyAnnotations[enablePriorityClassDeletionAnnotation] = append(proxyAnnotations[enablePriorityClassDeletionAnnotation], owner.Name)
+					}
+				}
 			case capsulev1beta1.StorageClassesProxy:
 				for _, operation := range setting.Operations {
 					switch operation {
@@ -335,6 +472,7 @@ func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 			t.Annotations[k] = strings.Join(v, ",")
 		}
 	}
+
 	for k, v := range proxyAnnotations {
 		if len(v) > 0 {
 			t.Annotations[k] = strings.Join(v, ",")
@@ -342,14 +480,21 @@ func (t *Tenant) convertV1Beta1OwnerToV1Alpha1(src *capsulev1beta1.Tenant) {
 	}
 }
 
+// nolint:gocyclo,cyclop
 func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
-	src := srcRaw.(*capsulev1beta1.Tenant)
+	src, ok := srcRaw.(*capsulev1beta1.Tenant)
+	if !ok {
+		return fmt.Errorf("expected *capsulev1beta1.Tenant, got %T", srcRaw)
+	}
 
 	// ObjectMeta
 	t.ObjectMeta = src.ObjectMeta
 
 	// Spec
-	t.Spec.NamespaceQuota = src.Spec.NamespaceQuota
+	if src.Spec.NamespaceOptions != nil && src.Spec.NamespaceOptions.Quota != nil {
+		t.Spec.NamespaceQuota = src.Spec.NamespaceOptions.Quota
+	}
+
 	t.Spec.NodeSelector = src.Spec.NodeSelector
 
 	if t.Annotations == nil {
@@ -358,51 +503,63 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
 
 	t.convertV1Beta1OwnerToV1Alpha1(src)
 
-	if src.Spec.NamespacesMetadata != nil {
+	if src.Spec.NamespaceOptions != nil && src.Spec.NamespaceOptions.AdditionalMetadata != nil {
 		t.Spec.NamespacesMetadata = &AdditionalMetadataSpec{
-			AdditionalLabels:      src.Spec.NamespacesMetadata.AdditionalLabels,
-			AdditionalAnnotations: src.Spec.NamespacesMetadata.AdditionalAnnotations,
+			AdditionalLabels:      src.Spec.NamespaceOptions.AdditionalMetadata.Labels,
+			AdditionalAnnotations: src.Spec.NamespaceOptions.AdditionalMetadata.Annotations,
 		}
 	}
-	if src.Spec.ServicesMetadata != nil {
+
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AdditionalMetadata != nil {
 		t.Spec.ServicesMetadata = &AdditionalMetadataSpec{
-			AdditionalLabels:      src.Spec.ServicesMetadata.AdditionalLabels,
-			AdditionalAnnotations: src.Spec.ServicesMetadata.AdditionalAnnotations,
+			AdditionalLabels:      src.Spec.ServiceOptions.AdditionalMetadata.Labels,
+			AdditionalAnnotations: src.Spec.ServiceOptions.AdditionalMetadata.Annotations,
 		}
 	}
+
 	if src.Spec.StorageClasses != nil {
 		t.Spec.StorageClasses = &AllowedListSpec{
 			Exact: src.Spec.StorageClasses.Exact,
 			Regex: src.Spec.StorageClasses.Regex,
 		}
 	}
-	if src.Spec.IngressClasses != nil {
+
+	t.Annotations[ingressHostnameCollisionScope] = string(src.Spec.IngressOptions.HostnameCollisionScope)
+
+	if src.Spec.IngressOptions.AllowedClasses != nil {
 		t.Spec.IngressClasses = &AllowedListSpec{
-			Exact: src.Spec.IngressClasses.Exact,
-			Regex: src.Spec.IngressClasses.Regex,
+			Exact: src.Spec.IngressOptions.AllowedClasses.Exact,
+			Regex: src.Spec.IngressOptions.AllowedClasses.Regex,
 		}
 	}
-	if src.Spec.IngressHostnames != nil {
+
+	if src.Spec.IngressOptions.AllowedHostnames != nil {
 		t.Spec.IngressHostnames = &AllowedListSpec{
-			Exact: src.Spec.IngressHostnames.Exact,
-			Regex: src.Spec.IngressHostnames.Regex,
+			Exact: src.Spec.IngressOptions.AllowedHostnames.Exact,
+			Regex: src.Spec.IngressOptions.AllowedHostnames.Regex,
 		}
 	}
+
 	if src.Spec.ContainerRegistries != nil {
 		t.Spec.ContainerRegistries = &AllowedListSpec{
 			Exact: src.Spec.ContainerRegistries.Exact,
 			Regex: src.Spec.ContainerRegistries.Regex,
 		}
 	}
-	if src.Spec.NetworkPolicies != nil {
+
+	if len(src.Spec.NetworkPolicies.Items) > 0 {
 		t.Spec.NetworkPolicies = src.Spec.NetworkPolicies.Items
 	}
-	if src.Spec.LimitRanges != nil {
+
+	if len(src.Spec.LimitRanges.Items) > 0 {
 		t.Spec.LimitRanges = src.Spec.LimitRanges.Items
 	}
-	if src.Spec.ResourceQuota != nil {
+
+	if len(src.Spec.ResourceQuota.Items) > 0 {
+		t.Annotations[resourceQuotaScopeAnnotation] = string(src.Spec.ResourceQuota.Scope)
 		t.Spec.ResourceQuota = src.Spec.ResourceQuota.Items
 	}
+
 	if len(src.Spec.AdditionalRoleBindings) > 0 {
 		for _, rb := range src.Spec.AdditionalRoleBindings {
 			t.Spec.AdditionalRoleBindings = append(t.Spec.AdditionalRoleBindings, AdditionalRoleBindingsSpec{
@@ -411,20 +568,24 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
 			})
 		}
 	}
-	if src.Spec.ExternalServiceIPs != nil {
+
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.ExternalServiceIPs != nil {
 		t.Spec.ExternalServiceIPs = &ExternalServiceIPsSpec{
-			Allowed: make([]AllowedIP, len(src.Spec.ExternalServiceIPs.Allowed)),
+			Allowed: make([]AllowedIP, len(src.Spec.ServiceOptions.ExternalServiceIPs.Allowed)),
 		}
 
-		for i, IP := range src.Spec.ExternalServiceIPs.Allowed {
+		for i, IP := range src.Spec.ServiceOptions.ExternalServiceIPs.Allowed {
 			t.Spec.ExternalServiceIPs.Allowed[i] = AllowedIP(IP)
 		}
 	}
+
 	if len(src.Spec.ImagePullPolicies) != 0 {
 		var pullPolicies []string
+
 		for _, policy := range src.Spec.ImagePullPolicies {
 			pullPolicies = append(pullPolicies, string(policy))
 		}
+
 		t.Annotations[podAllowedImagePullPolicyAnnotation] = strings.Join(pullPolicies, ",")
 	}
 
@@ -432,12 +593,25 @@ func (t *Tenant) ConvertFrom(srcRaw conversion.Hub) error {
 		if len(src.Spec.PriorityClasses.Exact) != 0 {
 			t.Annotations[podPriorityAllowedAnnotation] = strings.Join(src.Spec.PriorityClasses.Exact, ",")
 		}
+
 		if src.Spec.PriorityClasses.Regex != "" {
 			t.Annotations[podPriorityAllowedRegexAnnotation] = src.Spec.PriorityClasses.Regex
 		}
 	}
 
-	t.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(*src.Spec.EnableNodePorts)
+	if src.Spec.ServiceOptions != nil && src.Spec.ServiceOptions.AllowedServices != nil {
+		if src.Spec.ServiceOptions.AllowedServices.NodePort != nil {
+			t.Annotations[enableNodePortsAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.NodePort)
+		}
+
+		if src.Spec.ServiceOptions.AllowedServices.ExternalName != nil {
+			t.Annotations[enableExternalNameAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.ExternalName)
+		}
+
+		if src.Spec.ServiceOptions.AllowedServices.LoadBalancer != nil {
+			t.Annotations[enableLoadBalancerAnnotation] = strconv.FormatBool(*src.Spec.ServiceOptions.AllowedServices.LoadBalancer)
+		}
+	}
 
 	// Status
 	t.Status = TenantStatus{

api/v1alpha1/conversion_hub_test.go

@@ -18,12 +18,14 @@ import (
 	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
 )
 
+// nolint:maintidx
 func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 	var namespaceQuota int32 = 5
-	var nodeSelector = map[string]string{
+
+	nodeSelector := map[string]string{
 		"foo": "bar",
 	}
-	var v1alpha1AdditionalMetadataSpec = &AdditionalMetadataSpec{
+	v1alpha1AdditionalMetadataSpec := &AdditionalMetadataSpec{
 		AdditionalLabels: map[string]string{
 			"foo": "bar",
 		},
@@ -31,23 +33,38 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			"foo": "bar",
 		},
 	}
-	var v1alpha1AllowedListSpec = &AllowedListSpec{
+	v1alpha1AllowedListSpec := &AllowedListSpec{
 		Exact: []string{"foo", "bar"},
 		Regex: "^foo*",
 	}
-	var v1beta1AdditionalMetadataSpec = &capsulev1beta1.AdditionalMetadataSpec{
-		AdditionalLabels: map[string]string{
+	v1beta1AdditionalMetadataSpec := &capsulev1beta1.AdditionalMetadataSpec{
+		Labels: map[string]string{
 			"foo": "bar",
 		},
-		AdditionalAnnotations: map[string]string{
+		Annotations: map[string]string{
 			"foo": "bar",
 		},
 	}
-	var v1beta1AllowedListSpec = &capsulev1beta1.AllowedListSpec{
+	v1beta1NamespaceOptions := &capsulev1beta1.NamespaceOptions{
+		Quota:              &namespaceQuota,
+		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
+	}
+	v1beta1ServiceOptions := &capsulev1beta1.ServiceOptions{
+		AdditionalMetadata: v1beta1AdditionalMetadataSpec,
+		AllowedServices: &capsulev1beta1.AllowedServices{
+			NodePort:     pointer.BoolPtr(false),
+			ExternalName: pointer.BoolPtr(false),
+			LoadBalancer: pointer.BoolPtr(false),
+		},
+		ExternalServiceIPs: &capsulev1beta1.ExternalServiceIPsSpec{
+			Allowed: []capsulev1beta1.AllowedIP{"192.168.0.1"},
+		},
+	}
+	v1beta1AllowedListSpec := &capsulev1beta1.AllowedListSpec{
 		Exact: []string{"foo", "bar"},
 		Regex: "^foo*",
 	}
-	var networkPolicies = []networkingv1.NetworkPolicySpec{
+	networkPolicies := []networkingv1.NetworkPolicySpec{
 		{
 			Ingress: []networkingv1.NetworkPolicyIngressRule{
 				{
@@ -72,7 +89,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			},
 		},
 	}
-	var limitRanges = []corev1.LimitRangeSpec{
+	limitRanges := []corev1.LimitRangeSpec{
 		{
 			Limits: []corev1.LimitRangeItem{
 				{
@@ -89,7 +106,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			},
 		},
 	}
-	var resourceQuotas = []corev1.ResourceQuotaSpec{
+	resourceQuotas := []corev1.ResourceQuotaSpec{
 		{
 			Hard: map[corev1.ResourceName]resource.Quantity{
 				corev1.ResourceLimitsCPU:      resource.MustParse("8"),
@@ -103,7 +120,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 		},
 	}
 
-	var v1beta1Tnt = capsulev1beta1.Tenant{
+	v1beta1Tnt := capsulev1beta1.Tenant{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "alice",
@@ -164,6 +181,10 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 							Kind:       "StorageClasses",
 							Operations: []capsulev1beta1.ProxyOperation{"List"},
 						},
+						{
+							Kind:       "PriorityClasses",
+							Operations: []capsulev1beta1.ProxyOperation{"List"},
+						},
 					},
 				},
 				{
@@ -211,21 +232,24 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 					},
 				},
 			},
-			NamespaceQuota:      &namespaceQuota,
-			NamespacesMetadata:  v1beta1AdditionalMetadataSpec,
-			ServicesMetadata:    v1beta1AdditionalMetadataSpec,
-			StorageClasses:      v1beta1AllowedListSpec,
-			IngressClasses:      v1beta1AllowedListSpec,
-			IngressHostnames:    v1beta1AllowedListSpec,
+			NamespaceOptions: v1beta1NamespaceOptions,
+			ServiceOptions:   v1beta1ServiceOptions,
+			StorageClasses:   v1beta1AllowedListSpec,
+			IngressOptions: capsulev1beta1.IngressOptions{
+				HostnameCollisionScope: capsulev1beta1.HostnameCollisionScopeDisabled,
+				AllowedClasses:         v1beta1AllowedListSpec,
+				AllowedHostnames:       v1beta1AllowedListSpec,
+			},
 			ContainerRegistries: v1beta1AllowedListSpec,
 			NodeSelector:        nodeSelector,
-			NetworkPolicies: &capsulev1beta1.NetworkPolicySpec{
+			NetworkPolicies: capsulev1beta1.NetworkPolicySpec{
 				Items: networkPolicies,
 			},
-			LimitRanges: &capsulev1beta1.LimitRangesSpec{
+			LimitRanges: capsulev1beta1.LimitRangesSpec{
 				Items: limitRanges,
 			},
-			ResourceQuota: &capsulev1beta1.ResourceQuotaSpec{
+			ResourceQuota: capsulev1beta1.ResourceQuotaSpec{
+				Scope: capsulev1beta1.ResourceQuotaScopeNamespace,
 				Items: resourceQuotas,
 			},
 			AdditionalRoleBindings: []capsulev1beta1.AdditionalRoleBindingsSpec{
@@ -234,21 +258,17 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 					Subjects: []rbacv1.Subject{
 						{
 							Kind:     "Group",
-							APIGroup: "rbac.authorization.k8s.io",
+							APIGroup: rbacv1.GroupName,
 							Name:     "system:authenticated",
 						},
 					},
 				},
 			},
-			ExternalServiceIPs: &capsulev1beta1.ExternalServiceIPsSpec{
-				Allowed: []capsulev1beta1.AllowedIP{"192.168.0.1"},
-			},
 			ImagePullPolicies: []capsulev1beta1.ImagePullPolicySpec{"Always", "IfNotPresent"},
 			PriorityClasses: &capsulev1beta1.AllowedListSpec{
 				Exact: []string{"default"},
 				Regex: "^tier-.*$",
 			},
-			EnableNodePorts: pointer.BoolPtr(false),
 		},
 		Status: capsulev1beta1.TenantStatus{
 			Size:       1,
@@ -256,7 +276,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 		},
 	}
 
-	var v1alpha1Tnt = Tenant{
+	v1alpha1Tnt := Tenant{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "alice",
@@ -266,7 +286,9 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 			Annotations: map[string]string{
 				"foo":                                "bar",
 				podAllowedImagePullPolicyAnnotation:  "Always,IfNotPresent",
+				enableExternalNameAnnotation:         "false",
 				enableNodePortsAnnotation:            "false",
+				enableLoadBalancerAnnotation:         "false",
 				podPriorityAllowedAnnotation:         "default",
 				podPriorityAllowedRegexAnnotation:    "^tier-.*$",
 				ownerGroupsAnnotation:                "owner-foo,owner-bar",
@@ -280,6 +302,9 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 				enableIngressClassListingAnnotation:  "alice,owner-foo,owner-bar",
 				enableIngressClassUpdateAnnotation:   "alice,bob",
 				enableIngressClassDeletionAnnotation: "alice,jack",
+				enablePriorityClassListingAnnotation: "jack",
+				resourceQuotaScopeAnnotation:         "Namespace",
+				ingressHostnameCollisionScope:        "Disabled",
 			},
 		},
 		Spec: TenantSpec{
@@ -304,7 +329,7 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 					Subjects: []rbacv1.Subject{
 						{
 							Kind:     "Group",
-							APIGroup: "rbac.authorization.k8s.io",
+							APIGroup: rbacv1.GroupName,
 							Name:     "system:authenticated",
 						},
 					},
@@ -324,10 +349,11 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
 }
 
 func TestConversionHub_ConvertTo(t *testing.T) {
-	var v1beta1ConvertedTnt = capsulev1beta1.Tenant{}
+	v1beta1ConvertedTnt := capsulev1beta1.Tenant{}
 
 	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()
 	err := v1alpha1Tnt.ConvertTo(&v1beta1ConvertedTnt)
+
 	if assert.NoError(t, err) {
 		sort.Slice(v1beta1tnt.Spec.Owners, func(i, j int) bool {
 			return v1beta1tnt.Spec.Owners[i].Name < v1beta1tnt.Spec.Owners[j].Name
@@ -341,17 +367,20 @@ func TestConversionHub_ConvertTo(t *testing.T) {
 				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
 			})
 		}
+
 		for _, owner := range v1beta1ConvertedTnt.Spec.Owners {
 			sort.Slice(owner.ProxyOperations, func(i, j int) bool {
 				return owner.ProxyOperations[i].Kind < owner.ProxyOperations[j].Kind
 			})
 		}
+
 		assert.Equal(t, v1beta1tnt, v1beta1ConvertedTnt)
 	}
 }
 
 func TestConversionHub_ConvertFrom(t *testing.T) {
-	var v1alpha1ConvertedTnt = Tenant{}
+	v1alpha1ConvertedTnt := Tenant{}
+
 	v1alpha1Tnt, v1beta1tnt := generateTenantsSpecs()
 
 	err := v1alpha1ConvertedTnt.ConvertFrom(&v1beta1tnt)

api/v1alpha1/groupversion_info.go

@@ -12,10 +12,10 @@ import (
 )
 
 var (
-	// GroupVersion is group version used to register these objects
+	// GroupVersion is group version used to register these objects.
 	GroupVersion = schema.GroupVersion{Group: "capsule.clastix.io", Version: "v1alpha1"}
 
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
 
 	// AddToScheme adds the types in this group-version to the given scheme.

api/v1alpha1/owner.go

@@ -3,7 +3,7 @@
 
 package v1alpha1
 
-// OwnerSpec defines tenant owner name and kind
+// OwnerSpec defines tenant owner name and kind.
 type OwnerSpec struct {
 	Name string `json:"name"`
 	Kind Kind   `json:"kind"`

api/v1alpha1/tenant_func.go

@@ -13,6 +13,7 @@ func (t *Tenant) IsCordoned() bool {
 	if v, ok := t.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
 		return true
 	}
+
 	return false
 }
 
@@ -21,16 +22,19 @@ func (t *Tenant) IsFull() bool {
 	if t.Spec.NamespaceQuota == nil {
 		return false
 	}
+
 	return len(t.Status.Namespaces) >= int(*t.Spec.NamespaceQuota)
 }
 
 func (t *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
 	var l []string
+
 	for _, ns := range namespaces {
 		if ns.Status.Phase == corev1.NamespaceActive {
 			l = append(l, ns.GetName())
 		}
 	}
+
 	sort.Strings(l)
 
 	t.Status.Namespaces = l

api/v1alpha1/tenant_labels.go

@@ -27,5 +27,6 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 	default:
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
+
 	return
 }

api/v1alpha1/tenant_types.go

@@ -9,7 +9,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// TenantSpec defines the desired state of Tenant
+// TenantSpec defines the desired state of Tenant.
 type TenantSpec struct {
 	Owner OwnerSpec `json:"owner"`
 
@@ -29,7 +29,7 @@ type TenantSpec struct {
 	ExternalServiceIPs     *ExternalServiceIPsSpec          `json:"externalServiceIPs,omitempty"`
 }
 
-// TenantStatus defines the observed state of Tenant
+// TenantStatus defines the observed state of Tenant.
 type TenantStatus struct {
 	Size       uint     `json:"size"`
 	Namespaces []string `json:"namespaces,omitempty"`
@@ -45,7 +45,7 @@ type TenantStatus struct {
 // +kubebuilder:printcolumn:name="Node selector",type="string",JSONPath=".spec.nodeSelector",description="Node Selector applied to Pods"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
 
-// Tenant is the Schema for the tenants API
+// Tenant is the Schema for the tenants API.
 type Tenant struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -56,7 +56,7 @@ type Tenant struct {
 
 // +kubebuilder:object:root=true
 
-// TenantList contains a list of Tenant
+// TenantList contains a list of Tenant.
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
 // Copyright 2020-2021 Clastix Labs

api/v1beta1/additional_metadata.go

@@ -4,6 +4,6 @@
 package v1beta1
 
 type AdditionalMetadataSpec struct {
-	AdditionalLabels      map[string]string `json:"additionalLabels,omitempty"`
-	AdditionalAnnotations map[string]string `json:"additionalAnnotations,omitempty"`
+	Labels      map[string]string `json:"labels,omitempty"`
+	Annotations map[string]string `json:"annotations,omitempty"`
 }

api/v1beta1/allowed_list.go

@@ -1,6 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
-
+//nolint:dupl
 package v1beta1
 
 import (
@@ -19,9 +19,12 @@ func (in *AllowedListSpec) ExactMatch(value string) (ok bool) {
 		sort.SliceStable(in.Exact, func(i, j int) bool {
 			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
 		})
+
 		i := sort.SearchStrings(in.Exact, value)
+
 		ok = i < len(in.Exact) && in.Exact[i] == value
 	}
+
 	return
 }
 
@@ -29,5 +32,6 @@ func (in AllowedListSpec) RegexMatch(value string) (ok bool) {
 	if len(in.Regex) > 0 {
 		ok = regexp.MustCompile(in.Regex).MatchString(value)
 	}
+
 	return
 }

api/v1beta1/allowed_list_test.go

@@ -1,6 +1,6 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
-
+//nolint:dupl
 package v1beta1
 
 import (
@@ -15,6 +15,7 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{
 			[]string{"foo", "bar", "bizz", "buzz"},
@@ -35,9 +36,11 @@ func TestAllowedListSpec_ExactMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Exact: tc.In,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.ExactMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.ExactMatch(ko))
 		}
@@ -50,6 +53,7 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		True  []string
 		False []string
 	}
+
 	for _, tc := range []tc{
 		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
 		{``, nil, []string{"any", "value"}},
@@ -57,9 +61,11 @@ func TestAllowedListSpec_RegexMatch(t *testing.T) {
 		a := AllowedListSpec{
 			Regex: tc.Regex,
 		}
+
 		for _, ok := range tc.True {
 			assert.True(t, a.RegexMatch(ok))
 		}
+
 		for _, ko := range tc.False {
 			assert.False(t, a.RegexMatch(ko))
 		}

api/v1beta1/custom_resource_quota.go

@@ -0,0 +1,59 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"fmt"
+	"strconv"
+)
+
+const (
+	ResourceQuotaAnnotationPrefix = "quota.resources.capsule.clastix.io"
+	ResourceUsedAnnotationPrefix  = "used.resources.capsule.clastix.io"
+)
+
+func UsedAnnotationForResource(kindGroup string) string {
+	return fmt.Sprintf("%s/%s", ResourceUsedAnnotationPrefix, kindGroup)
+}
+
+func LimitAnnotationForResource(kindGroup string) string {
+	return fmt.Sprintf("%s/%s", ResourceQuotaAnnotationPrefix, kindGroup)
+}
+
+func GetUsedResourceFromTenant(tenant Tenant, kindGroup string) (int64, error) {
+	usedStr, ok := tenant.GetAnnotations()[UsedAnnotationForResource(kindGroup)]
+	if !ok {
+		usedStr = "0"
+	}
+
+	used, _ := strconv.ParseInt(usedStr, 10, 10)
+
+	return used, nil
+}
+
+type NonLimitedResourceError struct {
+	kindGroup string
+}
+
+func NewNonLimitedResourceError(kindGroup string) *NonLimitedResourceError {
+	return &NonLimitedResourceError{kindGroup: kindGroup}
+}
+
+func (n NonLimitedResourceError) Error() string {
+	return fmt.Sprintf("resource %s is not limited for the current tenant", n.kindGroup)
+}
+
+func GetLimitResourceFromTenant(tenant Tenant, kindGroup string) (int64, error) {
+	limitStr, ok := tenant.GetAnnotations()[LimitAnnotationForResource(kindGroup)]
+	if !ok {
+		return 0, NewNonLimitedResourceError(kindGroup)
+	}
+
+	limit, err := strconv.ParseInt(limitStr, 10, 10)
+	if err != nil {
+		return 0, fmt.Errorf("resource %s limit cannot be parsed, %w", kindGroup, err)
+	}
+
+	return limit, nil
+}

api/v1beta1/deny_wildcard.go

@@ -0,0 +1,16 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+const (
+	denyWildcard = "capsule.clastix.io/deny-wildcard"
+)
+
+func (t *Tenant) IsWildcardDenied() bool {
+	if v, ok := t.Annotations[denyWildcard]; ok && v == "true" {
+		return true
+	}
+
+	return false
+}

api/v1beta1/forbidden_list.go

@@ -0,0 +1,37 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+//nolint:dupl
+package v1beta1
+
+import (
+	"regexp"
+	"sort"
+	"strings"
+)
+
+type ForbiddenListSpec struct {
+	Exact []string `json:"denied,omitempty"`
+	Regex string   `json:"deniedRegex,omitempty"`
+}
+
+func (in *ForbiddenListSpec) ExactMatch(value string) (ok bool) {
+	if len(in.Exact) > 0 {
+		sort.SliceStable(in.Exact, func(i, j int) bool {
+			return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
+		})
+
+		i := sort.SearchStrings(in.Exact, value)
+
+		ok = i < len(in.Exact) && in.Exact[i] == value
+	}
+
+	return
+}
+
+func (in ForbiddenListSpec) RegexMatch(value string) (ok bool) {
+	if len(in.Regex) > 0 {
+		ok = regexp.MustCompile(in.Regex).MatchString(value)
+	}
+
+	return
+}

api/v1beta1/forbidden_list_test.go

@@ -0,0 +1,73 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+//nolint:dupl
+package v1beta1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestForbiddenListSpec_ExactMatch(t *testing.T) {
+	type tc struct {
+		In    []string
+		True  []string
+		False []string
+	}
+
+	for _, tc := range []tc{
+		{
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"foo", "bar", "bizz", "buzz"},
+			[]string{"bing", "bong"},
+		},
+		{
+			[]string{"one", "two", "three"},
+			[]string{"one", "two", "three"},
+			[]string{"a", "b", "c"},
+		},
+		{
+			nil,
+			nil,
+			[]string{"any", "value"},
+		},
+	} {
+		a := ForbiddenListSpec{
+			Exact: tc.In,
+		}
+
+		for _, ok := range tc.True {
+			assert.True(t, a.ExactMatch(ok))
+		}
+
+		for _, ko := range tc.False {
+			assert.False(t, a.ExactMatch(ko))
+		}
+	}
+}
+
+func TestForbiddenListSpec_RegexMatch(t *testing.T) {
+	type tc struct {
+		Regex string
+		True  []string
+		False []string
+	}
+
+	for _, tc := range []tc{
+		{`first-\w+-pattern`, []string{"first-date-pattern", "first-year-pattern"}, []string{"broken", "first-year", "second-date-pattern"}},
+		{``, nil, []string{"any", "value"}},
+	} {
+		a := ForbiddenListSpec{
+			Regex: tc.Regex,
+		}
+
+		for _, ok := range tc.True {
+			assert.True(t, a.RegexMatch(ok))
+		}
+
+		for _, ko := range tc.False {
+			assert.False(t, a.RegexMatch(ko))
+		}
+	}
+}

api/v1beta1/groupversion_info.go

@@ -12,10 +12,10 @@ import (
 )
 
 var (
-	// GroupVersion is group version used to register these objects
+	// GroupVersion is group version used to register these objects.
 	GroupVersion = schema.GroupVersion{Group: "capsule.clastix.io", Version: "v1beta1"}
 
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
 
 	// AddToScheme adds the types in this group-version to the given scheme.

api/v1beta1/hostname_collision_scope.go

@@ -0,0 +1,14 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+const (
+	HostnameCollisionScopeCluster   HostnameCollisionScope = "Cluster"
+	HostnameCollisionScopeTenant    HostnameCollisionScope = "Tenant"
+	HostnameCollisionScopeNamespace HostnameCollisionScope = "Namespace"
+	HostnameCollisionScopeDisabled  HostnameCollisionScope = "Disabled"
+)
+
+// +kubebuilder:validation:Enum=Cluster;Tenant;Namespace;Disabled
+type HostnameCollisionScope string

api/v1beta1/ingress_options.go

@@ -0,0 +1,24 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type IngressOptions struct {
+	// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+	AllowedClasses *AllowedListSpec `json:"allowedClasses,omitempty"`
+	// Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
+	//
+	//
+	// - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.
+	//
+	// - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.
+	//
+	// - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.
+	//
+	//
+	// Optional.
+	// +kubebuilder:default=Disabled
+	HostnameCollisionScope HostnameCollisionScope `json:"hostnameCollisionScope,omitempty"`
+	// Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+	AllowedHostnames *AllowedListSpec `json:"allowedHostnames,omitempty"`
+}

api/v1beta1/namespace_options.go

@@ -0,0 +1,57 @@
+package v1beta1
+
+import "strings"
+
+type NamespaceOptions struct {
+	//+kubebuilder:validation:Minimum=1
+	// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+	Quota *int32 `json:"quota,omitempty"`
+	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+	AdditionalMetadata *AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
+}
+
+func (t *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
+	if _, ok := t.Annotations[ForbiddenNamespaceLabelsAnnotation]; ok {
+		return true
+	}
+
+	if _, ok := t.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+		return true
+	}
+
+	return false
+}
+
+func (t *Tenant) hasForbiddenNamespaceAnnotationsAnnotations() bool {
+	if _, ok := t.Annotations[ForbiddenNamespaceAnnotationsAnnotation]; ok {
+		return true
+	}
+
+	if _, ok := t.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+		return true
+	}
+
+	return false
+}
+
+func (t *Tenant) ForbiddenUserNamespaceLabels() *ForbiddenListSpec {
+	if !t.hasForbiddenNamespaceLabelsAnnotations() {
+		return nil
+	}
+
+	return &ForbiddenListSpec{
+		Exact: strings.Split(t.Annotations[ForbiddenNamespaceLabelsAnnotation], ","),
+		Regex: t.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation],
+	}
+}
+
+func (t *Tenant) ForbiddenUserNamespaceAnnotations() *ForbiddenListSpec {
+	if !t.hasForbiddenNamespaceAnnotationsAnnotations() {
+		return nil
+	}
+
+	return &ForbiddenListSpec{
+		Exact: strings.Split(t.Annotations[ForbiddenNamespaceAnnotationsAnnotation], ","),
+		Regex: t.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation],
+	}
+}

api/v1beta1/owner.go

@@ -31,7 +31,7 @@ func (p ProxyOperation) String() string {
 	return string(p)
 }
 
-// +kubebuilder:validation:Enum=Nodes;StorageClasses;IngressClasses
+// +kubebuilder:validation:Enum=Nodes;StorageClasses;IngressClasses;PriorityClasses
 type ProxyServiceKind string
 
 func (p ProxyServiceKind) String() string {
@@ -39,9 +39,10 @@ func (p ProxyServiceKind) String() string {
 }
 
 const (
-	NodesProxy          ProxyServiceKind = "Nodes"
-	StorageClassesProxy ProxyServiceKind = "StorageClasses"
-	IngressClassesProxy ProxyServiceKind = "IngressClasses"
+	NodesProxy           ProxyServiceKind = "Nodes"
+	StorageClassesProxy  ProxyServiceKind = "StorageClasses"
+	IngressClassesProxy  ProxyServiceKind = "IngressClasses"
+	PriorityClassesProxy ProxyServiceKind = "PriorityClasses"
 
 	ListOperation   ProxyOperation = "List"
 	UpdateOperation ProxyOperation = "Update"

api/v1beta1/owner_list.go

@@ -15,6 +15,7 @@ func (o OwnerListSpec) FindOwner(name string, kind OwnerKind) (owner OwnerSpec)
 	if i < len(o) && o[i].Kind == kind && o[i].Name == name {
 		return o[i]
 	}
+
 	return
 }
 
@@ -23,12 +24,15 @@ type ByKindAndName OwnerListSpec
 func (b ByKindAndName) Len() int {
 	return len(b)
 }
+
 func (b ByKindAndName) Less(i, j int) bool {
 	if b[i].Kind.String() != b[j].Kind.String() {
 		return b[i].Kind.String() < b[j].Kind.String()
 	}
+
 	return b[i].Name < b[j].Name
 }
+
 func (b ByKindAndName) Swap(i, j int) {
 	b[i], b[j] = b[j], b[i]
 }

api/v1beta1/owner_list_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func TestOwnerListSpec_FindOwner(t *testing.T) {
-	var bla = OwnerSpec{
+	bla := OwnerSpec{
 		Kind: UserOwner,
 		Name: "bla",
 		ProxyOperations: []ProxySettings{
@@ -17,7 +17,7 @@ func TestOwnerListSpec_FindOwner(t *testing.T) {
 			},
 		},
 	}
-	var bar = OwnerSpec{
+	bar := OwnerSpec{
 		Kind: GroupOwner,
 		Name: "bar",
 		ProxyOperations: []ProxySettings{
@@ -27,7 +27,7 @@ func TestOwnerListSpec_FindOwner(t *testing.T) {
 			},
 		},
 	}
-	var baz = OwnerSpec{
+	baz := OwnerSpec{
 		Kind: UserOwner,
 		Name: "baz",
 		ProxyOperations: []ProxySettings{
@@ -37,7 +37,7 @@ func TestOwnerListSpec_FindOwner(t *testing.T) {
 			},
 		},
 	}
-	var fim = OwnerSpec{
+	fim := OwnerSpec{
 		Kind: ServiceAccountOwner,
 		Name: "fim",
 		ProxyOperations: []ProxySettings{
@@ -47,7 +47,7 @@ func TestOwnerListSpec_FindOwner(t *testing.T) {
 			},
 		},
 	}
-	var bom = OwnerSpec{
+	bom := OwnerSpec{
 		Kind: GroupOwner,
 		Name: "bom",
 		ProxyOperations: []ProxySettings{
@@ -61,7 +61,7 @@ func TestOwnerListSpec_FindOwner(t *testing.T) {
 			},
 		},
 	}
-	var qip = OwnerSpec{
+	qip := OwnerSpec{
 		Kind: ServiceAccountOwner,
 		Name: "qip",
 		ProxyOperations: []ProxySettings{
@@ -71,7 +71,7 @@ func TestOwnerListSpec_FindOwner(t *testing.T) {
 			},
 		},
 	}
-	var owners = OwnerListSpec{bom, qip, bla, bar, baz, fim}
+	owners := OwnerListSpec{bom, qip, bla, bar, baz, fim}
 
 	assert.Equal(t, owners.FindOwner("bom", GroupOwner), bom)
 	assert.Equal(t, owners.FindOwner("qip", ServiceAccountOwner), qip)

api/v1beta1/owner_role.go

@@ -0,0 +1,23 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	ClusterRoleNamesAnnotation = "clusterrolenames.capsule.clastix.io"
+)
+
+func (in OwnerSpec) GetRoles(tenant Tenant) []string {
+	for key, value := range tenant.GetAnnotations() {
+		if key == fmt.Sprintf("%s/%s.%s", ClusterRoleNamesAnnotation, strings.ToLower(in.Kind.String()), strings.ToLower(in.Name)) {
+			return strings.Split(value, ",")
+		}
+	}
+
+	return []string{"admin", "capsule-namespace-deleter"}
+}

api/v1beta1/resource_quota.go

@@ -5,6 +5,17 @@ package v1beta1
 
 import corev1 "k8s.io/api/core/v1"
 
+// +kubebuilder:validation:Enum=Tenant;Namespace
+type ResourceQuotaScope string
+
+const (
+	ResourceQuotaScopeTenant    ResourceQuotaScope = "Tenant"
+	ResourceQuotaScopeNamespace ResourceQuotaScope = "Namespace"
+)
+
 type ResourceQuotaSpec struct {
+	// +kubebuilder:default=Tenant
+	// Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
+	Scope ResourceQuotaScope         `json:"scope,omitempty"`
 	Items []corev1.ResourceQuotaSpec `json:"items,omitempty"`
 }

api/v1beta1/service_allowed_types.go

@@ -0,0 +1,16 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type AllowedServices struct {
+	//+kubebuilder:default=true
+	// Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+	NodePort *bool `json:"nodePort,omitempty"`
+	//+kubebuilder:default=true
+	// Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+	ExternalName *bool `json:"externalName,omitempty"`
+	//+kubebuilder:default=true
+	// Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+	LoadBalancer *bool `json:"loadBalancer,omitempty"`
+}

api/v1beta1/service_options.go

@@ -0,0 +1,13 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+type ServiceOptions struct {
+	// Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+	AdditionalMetadata *AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
+	// Block or deny certain type of Services. Optional.
+	AllowedServices *AllowedServices `json:"allowedServices,omitempty"`
+	// Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.
+	ExternalServiceIPs *ExternalServiceIPsSpec `json:"externalIPs,omitempty"`
+}

api/v1beta1/tenant_annotations.go

@@ -5,21 +5,27 @@ package v1beta1
 
 import (
 	"fmt"
+	"strings"
 )
 
 const (
-	AvailableIngressClassesAnnotation       = "capsule.clastix.io/ingress-classes"
-	AvailableIngressClassesRegexpAnnotation = "capsule.clastix.io/ingress-classes-regexp"
-	AvailableStorageClassesAnnotation       = "capsule.clastix.io/storage-classes"
-	AvailableStorageClassesRegexpAnnotation = "capsule.clastix.io/storage-classes-regexp"
-	AllowedRegistriesAnnotation             = "capsule.clastix.io/allowed-registries"
-	AllowedRegistriesRegexpAnnotation       = "capsule.clastix.io/allowed-registries-regexp"
+	AvailableIngressClassesAnnotation             = "capsule.clastix.io/ingress-classes"
+	AvailableIngressClassesRegexpAnnotation       = "capsule.clastix.io/ingress-classes-regexp"
+	AvailableStorageClassesAnnotation             = "capsule.clastix.io/storage-classes"
+	AvailableStorageClassesRegexpAnnotation       = "capsule.clastix.io/storage-classes-regexp"
+	AllowedRegistriesAnnotation                   = "capsule.clastix.io/allowed-registries"
+	AllowedRegistriesRegexpAnnotation             = "capsule.clastix.io/allowed-registries-regexp"
+	ForbiddenNamespaceLabelsAnnotation            = "capsule.clastix.io/forbidden-namespace-labels"
+	ForbiddenNamespaceLabelsRegexpAnnotation      = "capsule.clastix.io/forbidden-namespace-labels-regexp"
+	ForbiddenNamespaceAnnotationsAnnotation       = "capsule.clastix.io/forbidden-namespace-annotations"
+	ForbiddenNamespaceAnnotationsRegexpAnnotation = "capsule.clastix.io/forbidden-namespace-annotations-regexp"
+	ProtectedTenantAnnotation                     = "capsule.clastix.io/protected"
 )
 
 func UsedQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/used-" + resource.String()
+	return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
 }
 
 func HardQuotaFor(resource fmt.Stringer) string {
-	return "quota.capsule.clastix.io/hard-" + resource.String()
+	return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
 }

api/v1beta1/tenant_func.go

@@ -13,24 +13,28 @@ func (t *Tenant) IsCordoned() bool {
 	if v, ok := t.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
 		return true
 	}
+
 	return false
 }
 
 func (t *Tenant) IsFull() bool {
 	// we don't have limits on assigned Namespaces
-	if t.Spec.NamespaceQuota == nil {
+	if t.Spec.NamespaceOptions == nil || t.Spec.NamespaceOptions.Quota == nil {
 		return false
 	}
-	return len(t.Status.Namespaces) >= int(*t.Spec.NamespaceQuota)
+
+	return len(t.Status.Namespaces) >= int(*t.Spec.NamespaceOptions.Quota)
 }
 
 func (t *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
 	var l []string
+
 	for _, ns := range namespaces {
 		if ns.Status.Phase == corev1.NamespaceActive {
 			l = append(l, ns.GetName())
 		}
 	}
+
 	sort.Strings(l)
 
 	t.Status.Namespaces = l

api/v1beta1/tenant_labels.go

@@ -27,5 +27,6 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 	default:
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
+
 	return
 }

api/v1beta1/tenant_status.go

@@ -3,18 +3,18 @@
 
 package v1beta1
 
-// +kubebuilder:validation:Enum=cordoned;active
+// +kubebuilder:validation:Enum=Cordoned;Active
 type tenantState string
 
 const (
-	TenantStateActive   tenantState = "active"
-	TenantStateCordoned tenantState = "cordoned"
+	TenantStateActive   tenantState = "Active"
+	TenantStateCordoned tenantState = "Cordoned"
 )
 
-// Returns the observed state of the Tenant
+// Returns the observed state of the Tenant.
 type TenantStatus struct {
-	//+kubebuilder:default=active
-	// The operational state of the Tenant. Possible values are "active", "cordoned".
+	//+kubebuilder:default=Active
+	// The operational state of the Tenant. Possible values are "Active", "Cordoned".
 	State tenantState `json:"state"`
 	// How many namespaces are assigned to the Tenant.
 	Size uint `json:"size"`

api/v1beta1/tenant_types.go

@@ -7,46 +7,34 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// TenantSpec defines the desired state of Tenant
+// TenantSpec defines the desired state of Tenant.
 type TenantSpec struct {
 	// Specifies the owners of the Tenant. Mandatory.
 	Owners OwnerListSpec `json:"owners"`
-
-	//+kubebuilder:validation:Minimum=1
-	// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
-	NamespaceQuota *int32 `json:"namespaceQuota,omitempty"`
-	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
-	NamespacesMetadata *AdditionalMetadataSpec `json:"namespacesMetadata,omitempty"`
-	// Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
-	ServicesMetadata *AdditionalMetadataSpec `json:"servicesMetadata,omitempty"`
+	// Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+	NamespaceOptions *NamespaceOptions `json:"namespaceOptions,omitempty"`
+	// Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
+	ServiceOptions *ServiceOptions `json:"serviceOptions,omitempty"`
 	// Specifies the allowed StorageClasses assigned to the Tenant. Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. Optional.
 	StorageClasses *AllowedListSpec `json:"storageClasses,omitempty"`
-	// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
-	IngressClasses *AllowedListSpec `json:"ingressClasses,omitempty"`
-	// Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
-	IngressHostnames *AllowedListSpec `json:"ingressHostnames,omitempty"`
+	// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
+	IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
 	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
 	ContainerRegistries *AllowedListSpec `json:"containerRegistries,omitempty"`
-	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-	NetworkPolicies *NetworkPolicySpec `json:"networkPolicies,omitempty"`
-	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
-	LimitRanges *LimitRangesSpec `json:"limitRanges,omitempty"`
+	NetworkPolicies NetworkPolicySpec `json:"networkPolicies,omitempty"`
+	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
+	LimitRanges LimitRangesSpec `json:"limitRanges,omitempty"`
 	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
-	ResourceQuota *ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
+	ResourceQuota ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
 	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
 	AdditionalRoleBindings []AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
-	// Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means all the IPs are allowed. Optional.
-	ExternalServiceIPs *ExternalServiceIPsSpec `json:"externalServiceIPs,omitempty"`
 	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
 	ImagePullPolicies []ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
-	// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+	// Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
 	PriorityClasses *AllowedListSpec `json:"priorityClasses,omitempty"`
-
-	//+kubebuilder:default=true
-	// Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
-	EnableNodePorts *bool `json:"enableNodePorts,omitempty"`
 }
 
 //+kubebuilder:object:root=true
@@ -54,12 +42,12 @@ type TenantSpec struct {
 //+kubebuilder:storageversion
 // +kubebuilder:resource:scope=Cluster,shortName=tnt
 // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state",description="The actual state of the Tenant"
-// +kubebuilder:printcolumn:name="Namespace quota",type="integer",JSONPath=".spec.namespaceQuota",description="The max amount of Namespaces can be created"
+// +kubebuilder:printcolumn:name="Namespace quota",type="integer",JSONPath=".spec.namespaceOptions.quota",description="The max amount of Namespaces can be created"
 // +kubebuilder:printcolumn:name="Namespace count",type="integer",JSONPath=".status.size",description="The total amount of Namespaces in use"
 // +kubebuilder:printcolumn:name="Node selector",type="string",JSONPath=".spec.nodeSelector",description="Node Selector applied to Pods"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
 
-// Tenant is the Schema for the tenants API
+// Tenant is the Schema for the tenants API.
 type Tenant struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -72,7 +60,7 @@ func (t *Tenant) Hub() {}
 
 //+kubebuilder:object:root=true
 
-// TenantList contains a list of Tenant
+// TenantList contains a list of Tenant.
 type TenantList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`

api/v1beta1/zz_generated.deepcopy.go

@@ -1,3 +1,4 @@
+//go:build !ignore_autogenerated
 // +build !ignore_autogenerated
 
 // Copyright 2020-2021 Clastix Labs
@@ -17,15 +18,15 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdditionalMetadataSpec) DeepCopyInto(out *AdditionalMetadataSpec) {
 	*out = *in
-	if in.AdditionalLabels != nil {
-		in, out := &in.AdditionalLabels, &out.AdditionalLabels
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
 		}
 	}
-	if in.AdditionalAnnotations != nil {
-		in, out := &in.AdditionalAnnotations, &out.AdditionalAnnotations
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
 		*out = make(map[string]string, len(*in))
 		for key, val := range *in {
 			(*out)[key] = val
@@ -83,6 +84,36 @@ func (in *AllowedListSpec) DeepCopy() *AllowedListSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedServices) DeepCopyInto(out *AllowedServices) {
+	*out = *in
+	if in.NodePort != nil {
+		in, out := &in.NodePort, &out.NodePort
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExternalName != nil {
+		in, out := &in.ExternalName, &out.ExternalName
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedServices.
+func (in *AllowedServices) DeepCopy() *AllowedServices {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowedServices)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in ByKindAndName) DeepCopyInto(out *ByKindAndName) {
 	{
@@ -124,6 +155,51 @@ func (in *ExternalServiceIPsSpec) DeepCopy() *ExternalServiceIPsSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ForbiddenListSpec) DeepCopyInto(out *ForbiddenListSpec) {
+	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForbiddenListSpec.
+func (in *ForbiddenListSpec) DeepCopy() *ForbiddenListSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ForbiddenListSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressOptions) DeepCopyInto(out *IngressOptions) {
+	*out = *in
+	if in.AllowedClasses != nil {
+		in, out := &in.AllowedClasses, &out.AllowedClasses
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AllowedHostnames != nil {
+		in, out := &in.AllowedHostnames, &out.AllowedHostnames
+		*out = new(AllowedListSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressOptions.
+func (in *IngressOptions) DeepCopy() *IngressOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LimitRangesSpec) DeepCopyInto(out *LimitRangesSpec) {
 	*out = *in
@@ -146,6 +222,31 @@ func (in *LimitRangesSpec) DeepCopy() *LimitRangesSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceOptions) DeepCopyInto(out *NamespaceOptions) {
+	*out = *in
+	if in.Quota != nil {
+		in, out := &in.Quota, &out.Quota
+		*out = new(int32)
+		**out = **in
+	}
+	if in.AdditionalMetadata != nil {
+		in, out := &in.AdditionalMetadata, &out.AdditionalMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceOptions.
+func (in *NamespaceOptions) DeepCopy() *NamespaceOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
 	*out = *in
@@ -253,6 +354,36 @@ func (in *ResourceQuotaSpec) DeepCopy() *ResourceQuotaSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceOptions) DeepCopyInto(out *ServiceOptions) {
+	*out = *in
+	if in.AdditionalMetadata != nil {
+		in, out := &in.AdditionalMetadata, &out.AdditionalMetadata
+		*out = new(AdditionalMetadataSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AllowedServices != nil {
+		in, out := &in.AllowedServices, &out.AllowedServices
+		*out = new(AllowedServices)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ExternalServiceIPs != nil {
+		in, out := &in.ExternalServiceIPs, &out.ExternalServiceIPs
+		*out = new(ExternalServiceIPsSpec)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceOptions.
+func (in *ServiceOptions) DeepCopy() *ServiceOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Tenant) DeepCopyInto(out *Tenant) {
 	*out = *in
@@ -322,19 +453,14 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.NamespaceQuota != nil {
-		in, out := &in.NamespaceQuota, &out.NamespaceQuota
-		*out = new(int32)
-		**out = **in
-	}
-	if in.NamespacesMetadata != nil {
-		in, out := &in.NamespacesMetadata, &out.NamespacesMetadata
-		*out = new(AdditionalMetadataSpec)
+	if in.NamespaceOptions != nil {
+		in, out := &in.NamespaceOptions, &out.NamespaceOptions
+		*out = new(NamespaceOptions)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.ServicesMetadata != nil {
-		in, out := &in.ServicesMetadata, &out.ServicesMetadata
-		*out = new(AdditionalMetadataSpec)
+	if in.ServiceOptions != nil {
+		in, out := &in.ServiceOptions, &out.ServiceOptions
+		*out = new(ServiceOptions)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.StorageClasses != nil {
@@ -342,16 +468,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(AllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.IngressClasses != nil {
-		in, out := &in.IngressClasses, &out.IngressClasses
-		*out = new(AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IngressHostnames != nil {
-		in, out := &in.IngressHostnames, &out.IngressHostnames
-		*out = new(AllowedListSpec)
-		(*in).DeepCopyInto(*out)
-	}
+	in.IngressOptions.DeepCopyInto(&out.IngressOptions)
 	if in.ContainerRegistries != nil {
 		in, out := &in.ContainerRegistries, &out.ContainerRegistries
 		*out = new(AllowedListSpec)
@@ -364,21 +481,9 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*out)[key] = val
 		}
 	}
-	if in.NetworkPolicies != nil {
-		in, out := &in.NetworkPolicies, &out.NetworkPolicies
-		*out = new(NetworkPolicySpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.LimitRanges != nil {
-		in, out := &in.LimitRanges, &out.LimitRanges
-		*out = new(LimitRangesSpec)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ResourceQuota != nil {
-		in, out := &in.ResourceQuota, &out.ResourceQuota
-		*out = new(ResourceQuotaSpec)
-		(*in).DeepCopyInto(*out)
-	}
+	in.NetworkPolicies.DeepCopyInto(&out.NetworkPolicies)
+	in.LimitRanges.DeepCopyInto(&out.LimitRanges)
+	in.ResourceQuota.DeepCopyInto(&out.ResourceQuota)
 	if in.AdditionalRoleBindings != nil {
 		in, out := &in.AdditionalRoleBindings, &out.AdditionalRoleBindings
 		*out = make([]AdditionalRoleBindingsSpec, len(*in))
@@ -386,11 +491,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.ExternalServiceIPs != nil {
-		in, out := &in.ExternalServiceIPs, &out.ExternalServiceIPs
-		*out = new(ExternalServiceIPsSpec)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.ImagePullPolicies != nil {
 		in, out := &in.ImagePullPolicies, &out.ImagePullPolicies
 		*out = make([]ImagePullPolicySpec, len(*in))
@@ -401,11 +501,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(AllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.EnableNodePorts != nil {
-		in, out := &in.EnableNodePorts, &out.EnableNodePorts
-		*out = new(bool)
-		**out = **in
-	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.

charts/capsule/Chart.yaml

@@ -21,8 +21,8 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.0.19
+version: 0.1.9
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.0.5
+appVersion: 0.1.1

charts/capsule/README.md

@@ -1,6 +1,6 @@
 # Deploying the Capsule Operator
 
-Use the Capsule Operator for easily implementing, managing, and maintaining mutitenancy and access control in Kubernetes.
+Use the Capsule Operator for easily implementing, managing, and maintaining multitenancy and access control in Kubernetes.
 
 ## Requirements
 
@@ -26,7 +26,7 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
 2. Install the Chart:
 
-        $ helm install capsule clastix/capsule -n capsule-system
+        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
 
 3. Show the status:
 
@@ -58,51 +58,57 @@ If you only need to make minor customizations, you can specify them on the comma
 
 Here the values you can override:
 
-Parameter | Description | Default
---- | --- | ---
-`manager.hostNetwork` | Specifies if the container should be started in `hostNetwork` mode. | `false` 
-`manager.options.logLevel` | Set the log verbosity of the controller with a value from 1 to 10.| `4`
+Parameter | Description                                                                                                                             | Default
+--- |-----------------------------------------------------------------------------------------------------------------------------------------| ---
+`manager.hostNetwork` | Specifies if the container should be started in `hostNetwork` mode.                                                                     | `false` 
+`manager.options.logLevel` | Set the log verbosity of the controller with a value from 1 to 10.                                                                      | `4`
 `manager.options.forceTenantPrefix` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash | `false`
-`manager.options.capsuleUserGroup` | Override the Capsule user group | `capsule.clastix.io`
-`manager.options.protectedNamespaceRegex` | If specified, disallows creation of namespaces matching the passed regexp | `null`
-`manager.options.allowIngressHostnameCollision` | Allow the Ingress hostname collision at Ingress resource level across all the Tenants | `true`
-`manager.options.allowTenantIngressHostnamesCollision` | Skip the validation check at Tenant level for colliding Ingress hostnames | `false`
-`manager.image.repository` | Set the image repository of the controller. | `quay.io/clastix/capsule`
-`manager.image.tag` | Overrides the image tag whose default is the chart. `appVersion` | `null`
-`manager.image.pullPolicy` | Set the image pull policy. | `IfNotPresent`
-`manager.livenessProbe` | Configure the liveness probe using Deployment probe spec | `GET :10080/healthz`
-`manager.readinessProbe` | Configure the readiness probe using Deployment probe spec | `GET :10080/readyz`
-`manager.resources.requests/cpu` | Set the CPU requests assigned to the controller. | `200m`
-`manager.resources.requests/memory` | Set the memory requests assigned to the controller. | `128Mi`
-`manager.resources.limits/cpu` | Set the CPU limits assigned to the controller. | `200m`
-`manager.resources.limits/cpu` | Set the memory limits assigned to the controller. | `128Mi`
-`mutatingWebhooksTimeoutSeconds` | Timeout in seconds for mutating webhooks. | `30`
-`validatingWebhooksTimeoutSeconds` | Timeout in seconds for validating webhooks. | `30`
-`imagePullSecrets` | Configuration for `imagePullSecrets` so that you can use a private images registry. | `[]`
-`serviceAccount.create` | Specifies whether a service account should be created. | `true`
-`serviceAccount.annotations` | Annotations to add to the service account. | `{}`
-`serviceAccount.name` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template | `capsule`
-`podAnnotations` | Annotations to add to the Capsule pod. | `{}`
-`priorityClassName` | Set the priority class name of the Capsule pod. | `null`
-`nodeSelector` | Set the node selector for the Capsule pod. | `{}`
-`tolerations` | Set list of tolerations for the Capsule pod. | `[]`
-`replicaCount` | Set the replica count for Capsule pod. | `1`
-`affinity` | Set affinity rules for the Capsule pod. | `{}`
-`podSecurityPolicy.enabled` | Specify if a Pod Security Policy must be created. | `false`
-`serviceMonitor.enabled` | Specify if a Service Monitor must be created. | `false`
-`serviceMonitor.serviceAccount.name` | Specify Service Account name for metrics scrape. | `capsule`
-`serviceMonitor.serviceAccount.namespace` | Specify Service Account namespace for metrics scrape. | `capsule-system`
-
+`manager.options.capsuleUserGroups` | Override the Capsule user groups                                                                                                        | `[capsule.clastix.io]`
+`manager.options.protectedNamespaceRegex` | If specified, disallows creation of namespaces matching the passed regexp                                                               | `null`
+`manager.options.enableSecretController` | Boolean, enables apsule secret controller which reconciles TLS and CA secrets for capsule webhooks.                                     | `true`
+`manager.image.repository` | Set the image repository of the controller.                                                                                             | `quay.io/clastix/capsule`
+`manager.image.tag` | Overrides the image tag whose default is the chart. `appVersion`                                                                        | `null`
+`manager.image.pullPolicy` | Set the image pull policy.                                                                                                              | `IfNotPresent`
+`manager.livenessProbe` | Configure the liveness probe using Deployment probe spec                                                                                | `GET :10080/healthz`
+`manager.readinessProbe` | Configure the readiness probe using Deployment probe spec                                                                               | `GET :10080/readyz`
+`manager.resources.requests/cpu` | Set the CPU requests assigned to the controller.                                                                                        | `200m`
+`manager.resources.requests/memory` | Set the memory requests assigned to the controller.                                                                                     | `128Mi`
+`manager.resources.limits/cpu` | Set the CPU limits assigned to the controller.                                                                                          | `200m`
+`manager.resources.limits/cpu` | Set the memory limits assigned to the controller.                                                                                       | `128Mi`
+`mutatingWebhooksTimeoutSeconds` | Timeout in seconds for mutating webhooks.                                                                                               | `30`
+`validatingWebhooksTimeoutSeconds` | Timeout in seconds for validating webhooks.                                                                                             | `30`
+`webhooks` | Additional configuration for capsule webhooks.                                                                                          |
+`imagePullSecrets` | Configuration for `imagePullSecrets` so that you can use a private images registry.                                                     | `[]`
+`serviceAccount.create` | Specifies whether a service account should be created.                                                                                  | `true`
+`serviceAccount.annotations` | Annotations to add to the service account.                                                                                              | `{}`
+`serviceAccount.name` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template    | `capsule`
+`podAnnotations` | Annotations to add to the Capsule pod.                                                                                                  | `{}`
+`priorityClassName` | Set the priority class name of the Capsule pod.                                                                                         | `null`
+`nodeSelector` | Set the node selector for the Capsule pod.                                                                                              | `{}`
+`tolerations` | Set list of tolerations for the Capsule pod.                                                                                            | `[]`
+`replicaCount` | Set the replica count for Capsule pod.                                                                                                  | `1`
+`affinity` | Set affinity rules for the Capsule pod.                                                                                                 | `{}`
+`podSecurityPolicy.enabled` | Specify if a Pod Security Policy must be created.                                                                                       | `false`
+`serviceMonitor.enabled` | Specifies if a service monitor must be created.                                                                                         | `false`
+`serviceMonitor.labels` | Additional labels which will be added to service monitor.                                                                               | `{}`
+`serviceMonitor.annotations` | Additional annotations which will be added to service monitor.                                                                          | `{}`
+`serviceMonitor.matchLabels` | Additional matchLabels which will be added to service monitor.                                                                          | `{}`
+`serviceMonitor.serviceAccount.name` | Specifies service account name for metrics scrape.                                                                                      | `capsule`
+`serviceMonitor.serviceAccount.namespace` | Specifies service account namespace for metrics scrape.                                                                                 | `capsule-system`
+`customLabels` | Additional labels which will be added to all resources created by Capsule helm chart .                                                  | `{}`
+`customAnnotations` | Additional annotations which will be added to all resources created by Capsule helm chart .                                             | `{}`
+`certManager.generateCertificates` | Specifies whether capsule webhooks certificates should be generated using cert-manager.                                                 | `false`
 ## Created resources
 
-This Helm Chart cretes the following Kubernetes resources in the release namespace:
+This Helm Chart creates the following Kubernetes resources in the release namespace:
 
 * Capsule Namespace
 * Capsule Operator Deployment
 * Capsule Service
 * CA Secret
-* Certfificate Secret
+* Certificate Secret
 * Tenant Custom Resource Definition
+* CapsuleConfiguration Custom Resource Definition
 * MutatingWebHookConfiguration
 * ValidatingWebHookConfiguration
 * RBAC Cluster Roles
@@ -122,4 +128,4 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 
 ## More
 
-See Capsule [use cases](https://github.com/clastix/capsule/blob/master/use_cases.md) for more information about how to use Capsule.
+See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

charts/capsule/crds/capsuleconfiguration-crd.yaml

@@ -17,7 +17,7 @@ spec:
     - name: v1alpha1
       schema:
         openAPIV3Schema:
-          description: CapsuleConfiguration is the Schema for the Capsule configuration API
+          description: CapsuleConfiguration is the Schema for the Capsule configuration API.
           properties:
             apiVersion:
               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -28,16 +28,10 @@ spec:
             metadata:
               type: object
             spec:
-              description: CapsuleConfigurationSpec defines the Capsule configuration
+              description: CapsuleConfigurationSpec defines the Capsule configuration.
               properties:
-                allowIngressHostnameCollision:
-                  default: true
-                  description: Allow the collision of Ingress resource hostnames across all the Tenants.
-                  type: boolean
-                allowTenantIngressHostnamesCollision:
-                  description: "When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed. Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of two or more Tenant resources although sharing the same allowed hostname(s). \n The JSON path of the resource is: /spec/ingressHostnames/allowed"
-                  type: boolean
                 forceTenantPrefix:
+                  default: false
                   description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
                   type: boolean
                 protectedNamespaceRegex:

charts/capsule/crds/tenant-crd.yaml

@@ -7,7 +7,17 @@ metadata:
   name: tenants.capsule.clastix.io
 spec:
   conversion:
-    strategy: None
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: capsule-webhook-service
+          namespace: capsule-system
+          path: /convert
+          port: 443
+      conversionReviewVersions:
+        - v1alpha1
+        - v1beta1
   group: capsule.clastix.io
   names:
     kind: Tenant
@@ -46,7 +56,7 @@ spec:
       name: v1alpha1
       schema:
         openAPIV3Schema:
-          description: Tenant is the Schema for the tenants API
+          description: Tenant is the Schema for the tenants API.
           properties:
             apiVersion:
               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -57,7 +67,7 @@ spec:
             metadata:
               type: object
             spec:
-              description: TenantSpec defines the desired state of Tenant
+              description: TenantSpec defines the desired state of Tenant.
               properties:
                 additionalRoleBindings:
                   items:
@@ -222,11 +232,15 @@ spec:
                               items:
                                 description: NetworkPolicyPort describes a port to allow traffic on
                                 properties:
+                                  endPort:
+                                    description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                    format: int32
+                                    type: integer
                                   port:
                                     anyOf:
                                       - type: integer
                                       - type: string
-                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                     x-kubernetes-int-or-string: true
                                   protocol:
                                     default: TCP
@@ -408,11 +422,15 @@ spec:
                               items:
                                 description: NetworkPolicyPort describes a port to allow traffic on
                                 properties:
+                                  endPort:
+                                    description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                    format: int32
+                                    type: integer
                                   port:
                                     anyOf:
                                       - type: integer
                                       - type: string
-                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                    description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                     x-kubernetes-int-or-string: true
                                   protocol:
                                     default: TCP
@@ -453,9 +471,9 @@ spec:
                             type: object
                         type: object
                       policyTypes:
-                        description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                        description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                         items:
-                          description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                          description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                           type: string
                         type: array
                     required:
@@ -467,7 +485,7 @@ spec:
                     type: string
                   type: object
                 owner:
-                  description: OwnerSpec defines tenant owner name and kind
+                  description: OwnerSpec defines tenant owner name and kind.
                   properties:
                     kind:
                       enum:
@@ -550,7 +568,7 @@ spec:
                 - owner
               type: object
             status:
-              description: TenantStatus defines the observed state of Tenant
+              description: TenantStatus defines the observed state of Tenant.
               properties:
                 namespaces:
                   items:
@@ -572,7 +590,7 @@ spec:
           name: State
           type: string
         - description: The max amount of Namespaces can be created
-          jsonPath: .spec.namespaceQuota
+          jsonPath: .spec.namespaceOptions.quota
           name: Namespace quota
           type: integer
         - description: The total amount of Namespaces in use
@@ -590,7 +608,7 @@ spec:
       name: v1beta1
       schema:
         openAPIV3Schema:
-          description: Tenant is the Schema for the tenants API
+          description: Tenant is the Schema for the tenants API.
           properties:
             apiVersion:
               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -601,7 +619,7 @@ spec:
             metadata:
               type: object
             spec:
-              description: TenantSpec defines the desired state of Tenant
+              description: TenantSpec defines the desired state of Tenant.
               properties:
                 additionalRoleBindings:
                   description: Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
@@ -646,21 +664,6 @@ spec:
                     allowedRegex:
                       type: string
                   type: object
-                enableNodePorts:
-                  default: true
-                  description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
-                  type: boolean
-                externalServiceIPs:
-                  description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means all the IPs are allowed. Optional.
-                  properties:
-                    allowed:
-                      items:
-                        pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
-                        type: string
-                      type: array
-                  required:
-                    - allowed
-                  type: object
                 imagePullPolicies:
                   description: Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
                   items:
@@ -670,28 +673,41 @@ spec:
                       - IfNotPresent
                     type: string
                   type: array
-                ingressClasses:
-                  description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                ingressOptions:
+                  description: Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
                   properties:
-                    allowed:
-                      items:
-                        type: string
-                      type: array
-                    allowedRegex:
-                      type: string
-                  type: object
-                ingressHostnames:
-                  description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
-                  properties:
-                    allowed:
-                      items:
-                        type: string
-                      type: array
-                    allowedRegex:
+                    allowedClasses:
+                      description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                      properties:
+                        allowed:
+                          items:
+                            type: string
+                          type: array
+                        allowedRegex:
+                          type: string
+                      type: object
+                    allowedHostnames:
+                      description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+                      properties:
+                        allowed:
+                          items:
+                            type: string
+                          type: array
+                        allowedRegex:
+                          type: string
+                      type: object
+                    hostnameCollisionScope:
+                      default: Disabled
+                      description: "Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames. \n - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. \n - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. \n - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. \n Optional."
+                      enum:
+                        - Cluster
+                        - Tenant
+                        - Namespace
+                        - Disabled
                       type: string
                   type: object
                 limitRanges:
-                  description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+                  description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                   properties:
                     items:
                       items:
@@ -759,22 +775,26 @@ spec:
                         type: object
                       type: array
                   type: object
-                namespaceQuota:
-                  description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
-                  format: int32
-                  minimum: 1
-                  type: integer
-                namespacesMetadata:
-                  description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+                namespaceOptions:
+                  description: Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
                   properties:
-                    additionalAnnotations:
-                      additionalProperties:
-                        type: string
-                      type: object
-                    additionalLabels:
-                      additionalProperties:
-                        type: string
+                    additionalMetadata:
+                      description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
                       type: object
+                    quota:
+                      description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+                      format: int32
+                      minimum: 1
+                      type: integer
                   type: object
                 networkPolicies:
                   description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
@@ -793,11 +813,15 @@ spec:
                                   items:
                                     description: NetworkPolicyPort describes a port to allow traffic on
                                     properties:
+                                      endPort:
+                                        description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                        format: int32
+                                        type: integer
                                       port:
                                         anyOf:
                                           - type: integer
                                           - type: string
-                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                         x-kubernetes-int-or-string: true
                                       protocol:
                                         default: TCP
@@ -979,11 +1003,15 @@ spec:
                                   items:
                                     description: NetworkPolicyPort describes a port to allow traffic on
                                     properties:
+                                      endPort:
+                                        description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                        format: int32
+                                        type: integer
                                       port:
                                         anyOf:
                                           - type: integer
                                           - type: string
-                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                        description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                         x-kubernetes-int-or-string: true
                                       protocol:
                                         default: TCP
@@ -1024,9 +1052,9 @@ spec:
                                 type: object
                             type: object
                           policyTypes:
-                            description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                            description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                             items:
-                              description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                              description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                               type: string
                             type: array
                         required:
@@ -1037,7 +1065,7 @@ spec:
                 nodeSelector:
                   additionalProperties:
                     type: string
-                  description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+                  description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                   type: object
                 owners:
                   description: Specifies the owners of the Tenant. Mandatory.
@@ -1062,6 +1090,7 @@ spec:
                                 - Nodes
                                 - StorageClasses
                                 - IngressClasses
+                                - PriorityClasses
                               type: string
                             operations:
                               items:
@@ -1082,7 +1111,7 @@ spec:
                     type: object
                   type: array
                 priorityClasses:
-                  description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                  description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                   properties:
                     allowed:
                       items:
@@ -1140,17 +1169,55 @@ spec:
                             type: array
                         type: object
                       type: array
+                    scope:
+                      default: Tenant
+                      description: Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
+                      enum:
+                        - Tenant
+                        - Namespace
+                      type: string
                   type: object
-                servicesMetadata:
-                  description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+                serviceOptions:
+                  description: Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
                   properties:
-                    additionalAnnotations:
-                      additionalProperties:
-                        type: string
+                    additionalMetadata:
+                      description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        labels:
+                          additionalProperties:
+                            type: string
+                          type: object
                       type: object
-                    additionalLabels:
-                      additionalProperties:
-                        type: string
+                    allowedServices:
+                      description: Block or deny certain type of Services. Optional.
+                      properties:
+                        externalName:
+                          default: true
+                          description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+                          type: boolean
+                        loadBalancer:
+                          default: true
+                          description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                          type: boolean
+                        nodePort:
+                          default: true
+                          description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+                          type: boolean
+                      type: object
+                    externalIPs:
+                      description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.
+                      properties:
+                        allowed:
+                          items:
+                            pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+                            type: string
+                          type: array
+                      required:
+                        - allowed
                       type: object
                   type: object
                 storageClasses:
@@ -1167,7 +1234,7 @@ spec:
                 - owners
               type: object
             status:
-              description: Returns the observed state of the Tenant
+              description: Returns the observed state of the Tenant.
               properties:
                 namespaces:
                   description: List of namespaces assigned to the Tenant.
@@ -1178,11 +1245,11 @@ spec:
                   description: How many namespaces are assigned to the Tenant.
                   type: integer
                 state:
-                  default: active
-                  description: The operational state of the Tenant. Possible values are "active", "cordoned".
+                  default: Active
+                  description: The operational state of the Tenant. Possible values are "Active", "Cordoned".
                   enum:
-                    - cordoned
-                    - active
+                    - Cordoned
+                    - Active
                   type: string
               required:
                 - size

charts/capsule/templates/_helpers.tpl

@@ -40,6 +40,9 @@ helm.sh/chart: {{ include "capsule.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
 {{- end }}
 
 {{/*
@@ -50,6 +53,32 @@ app.kubernetes.io/name: {{ include "capsule.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+ServiceAccount annotations
+*/}}
+{{- define "capsule.serviceAccountAnnotations" -}}
+{{- if .Values.serviceAccount.annotations }}
+{{- toYaml .Values.serviceAccount.annotations }}
+{{- end }}
+{{- if .Values.customAnnotations }}
+{{ toYaml .Values.customAnnotations }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Webhook annotations
+*/}}
+{{- define "capsule.webhookAnnotations" -}}
+{{- if .Values.certManager.generateCertificates -}}
+cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
+{{- end }}
+{{- if .Values.customAnnotations }}
+{{ toYaml .Values.customAnnotations }}
+{{- end }}
+{{- end }}
+
+
 {{/*
 Create the name of the service account to use
 */}}
@@ -75,11 +104,26 @@ Create the proxy fully-qualified Docker image to use
 {{- printf "%s:%s" .Values.proxy.image.repository .Values.proxy.image.tag -}}
 {{- end }}
 
+{{/*
+Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
+*/}}
+{{- define "capsule.jobsTagKubeVersion" -}}
+{{- if contains "-eks-" .Capabilities.KubeVersion.GitVersion }}
+{{- print "v" .Capabilities.KubeVersion.Major "." (.Capabilities.KubeVersion.Minor | replace "+" "") -}}
+{{- else }}
+{{- print "v" .Capabilities.KubeVersion.Major "." .Capabilities.KubeVersion.Minor -}}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the jobs fully-qualified Docker image to use
 */}}
 {{- define "capsule.jobsFullyQualifiedDockerImage" -}}
+{{- if .Values.jobs.image.tag }}
 {{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- else }}
+{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
+{{- end }}
 {{- end }}
 
 {{/*
@@ -93,8 +137,12 @@ Create the Capsule Deployment name to use
 Create the Capsule CA Secret name to use
 */}}
 {{- define "capsule.secretCaName" -}}
+{{- if .Values.certManager.generateCertificates }}
+{{- printf "%s-tls" (include "capsule.fullname" .) -}}
+{{- else }}
 {{- printf "%s-ca" (include "capsule.fullname" .) -}}
 {{- end }}
+{{- end }}
 
 {{/*
 Create the Capsule TLS Secret name to use

charts/capsule/templates/ca.yaml

@@ -1,7 +1,12 @@
+{{- if not .Values.certManager.generateCertificates }}
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   name: {{ include "capsule.secretCaName" . }}
-data:
+{{- end }}

charts/capsule/templates/certificate.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.certManager.generateCertificates }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "capsule.fullname" . }}-webhook-selfsigned
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "capsule.fullname" . }}-webhook-cert
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  dnsNames:
+  - {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
+  - {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ include "capsule.fullname" . }}-webhook-selfsigned
+  secretName: {{ include "capsule.fullname" . }}-tls
+{{- end }}

charts/capsule/templates/certs.yaml

@@ -3,5 +3,8 @@ kind: Secret
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   name: {{ include "capsule.secretTlsName" . }}
-data:

charts/capsule/templates/configuration-default.yaml

@@ -2,6 +2,16 @@ apiVersion: capsule.clastix.io/v1alpha1
 kind: CapsuleConfiguration
 metadata:
   name: default
+  labels:
+  {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+    capsule.clastix.io/ca-secret-name: {{ include "capsule.secretCaName" . }}
+    capsule.clastix.io/mutating-webhook-configuration-name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
+    capsule.clastix.io/tls-secret-name: {{ include "capsule.secretTlsName" . }}
+    capsule.clastix.io/validating-webhook-configuration-name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   forceTenantPrefix: {{ .Values.manager.options.forceTenantPrefix }}
   userGroups:
@@ -9,5 +19,3 @@ spec:
     - {{ . }}
 {{- end}}
   protectedNamespaceRegex: {{ .Values.manager.options.protectedNamespaceRegex | quote }}
-  allowTenantIngressHostnamesCollision: {{ .Values.manager.options.allowTenantIngressHostnamesCollision }}
-  allowIngressHostnameCollision: {{ .Values.manager.options.allowIngressHostnameCollision }}

charts/capsule/templates/deployment.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.deploymentName" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -11,12 +15,12 @@ spec:
       {{- include "capsule.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-    {{- with .Values.podAnnotations }}
+      {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
       labels:
-        {{- include "capsule.selectorLabels" . | nindent 8 }}
+        {{- include "capsule.labels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -52,6 +56,7 @@ spec:
           - --enable-leader-election
           - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
           - --configuration-name=default
+          - --enable-secret-controller={{ .Values.manager.options.enableSecretController }}
           image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
           env:

charts/capsule/templates/metrics-rbac.yaml

@@ -4,9 +4,13 @@ kind: Role
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.labels }}
+  {{- if .Values.serviceMonitor.labels }}
     {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
-    {{- end }}
+  {{- end }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   name: {{ include "capsule.fullname" . }}-metrics-role
   namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
 rules:

charts/capsule/templates/metrics-service.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-controller-manager-metrics-service
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   ports:
   - port: 8080

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -4,18 +4,24 @@ metadata:
   name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- if or (.Values.certManager.generateCertificates) (.Values.customAnnotations)  }}
+  annotations:
+     {{- include "capsule.webhookAnnotations" . | nindent 4 }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /namespace-owner-reference
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }}
   matchPolicy: Equivalent
   name: owner.namespace.capsule.clastix.io
   namespaceSelector: {}
@@ -28,6 +34,7 @@ webhooks:
       - v1
       operations:
       - CREATE
+      - UPDATE
       resources:
       - namespaces
       scope: '*'

charts/capsule/templates/podsecuritypolicy.yaml

@@ -5,6 +5,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   fsGroup:
     rule: RunAsAny

charts/capsule/templates/post-install-job.yaml

@@ -1,4 +1,4 @@
-{{- $cmd := "while [ -z $$(kubectl -n $NAMESPACE get secret capsule-tls -o jsonpath='{.data.tls\\\\.crt}') ];" -}}
+{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretCaName" .) -}}
 {{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
 {{- $cmd = printf "%s done" $cmd -}}
 apiVersion: batch/v1
@@ -6,16 +6,16 @@ kind: Job
 metadata:
   name: "{{ .Release.Name }}-waiting-certs"
   labels:
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    {{- include "capsule.labels" . | nindent 4 }}
   annotations:
     # This is what defines this resource as a hook. Without this line, the
     # job is considered part of the release.
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   template:
     metadata:
@@ -25,6 +25,14 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       restartPolicy: Never
       containers:
       - name: post-install-job

charts/capsule/templates/pre-delete-job.yaml

@@ -1,5 +1,7 @@
 {{- $cmd := printf "kubectl scale deployment -n $NAMESPACE %s --replicas 0 &&" (include "capsule.deploymentName" .) -}}
+{{- if not .Values.certManager.generateCertificates }}
 {{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) (include "capsule.secretCaName" .) -}}
+{{- end }}
 {{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}
 {{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}}
 apiVersion: batch/v1
@@ -7,16 +9,16 @@ kind: Job
 metadata:
   name: "{{ .Release.Name }}-rbac-cleaner"
   labels:
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    {{- include "capsule.labels" . | nindent 4 }}
   annotations:
     # This is what defines this resource as a hook. Without this line, the
     # job is considered part of the release.
     "helm.sh/hook": pre-delete
     "helm.sh/hook-weight": "-5"
     "helm.sh/hook-delete-policy": hook-succeeded
+  {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   template:
     metadata:
@@ -26,6 +28,14 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       restartPolicy: Never
       containers:
         - name: pre-delete-job

charts/capsule/templates/rbac.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-proxy-role
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 rules:
 - apiGroups:
   - authentication.k8s.io
@@ -24,6 +28,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-metrics-reader
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 rules:
 - nonResourceURLs:
   - /metrics
@@ -36,6 +44,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-proxy-rolebinding
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -51,6 +63,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-manager-rolebinding
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

charts/capsule/templates/serviceaccount.yaml

@@ -5,8 +5,8 @@ metadata:
   name: {{ include "capsule.serviceAccountName" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+  {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations)  }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
   {{- end }}
 {{- end }}

charts/capsule/templates/servicemonitor.yaml

@@ -6,9 +6,13 @@ metadata:
   namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.labels }}
-    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- with .Values.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   endpoints:
   - interval: 15s
@@ -16,7 +20,11 @@ spec:
     path: /metrics
   jobLabel: app.kubernetes.io/name
   selector:
-    matchLabels: {{ include "capsule.labels" . | nindent 6 }}
+    matchLabels:
+    {{- include "capsule.labels" . | nindent 6 }}
+    {{- with .Values.serviceMonitor.matchLabels }}
+    {{- toYaml . | nindent 6 }}
+    {{- end }}
   namespaceSelector:
     matchNames:
       - {{ .Release.Namespace }}

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -4,24 +4,28 @@ metadata:
   name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- if or (.Values.certManager.generateCertificates) (.Values.customAnnotations)  }}
+  annotations:
+     {{- include "capsule.webhookAnnotations" . | nindent 4 }}
+  {{- end }}
 webhooks:
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /cordoning
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.cordoning.failurePolicy }}
   matchPolicy: Equivalent
   name: cordoning.tenant.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -41,19 +45,19 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /ingresses
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.ingresses.failurePolicy }}
   matchPolicy: Equivalent
   name: ingress.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -74,13 +78,15 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /namespaces
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.namespaces.failurePolicy }}
   matchPolicy: Equivalent
   name: namespaces.capsule.clastix.io
   namespaceSelector: {}
@@ -103,19 +109,19 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /networkpolicies
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.networkpolicies.failurePolicy }}
   matchPolicy: Equivalent
   name: networkpolicies.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.networkpolicies.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -134,19 +140,19 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /pods
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.pods.failurePolicy }}
   matchPolicy: Exact
   name: pods.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.pods.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -164,17 +170,17 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: capsule-system
+      namespace: {{ .Release.Namespace }}
       path: /persistentvolumeclaims
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.persistentvolumeclaims.failurePolicy }}
   name: pvc.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.persistentvolumeclaims.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -192,19 +198,19 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /services
       port: 443
-  failurePolicy: Fail
+  failurePolicy: {{ .Values.webhooks.services.failurePolicy }}
   matchPolicy: Exact
   name: services.capsule.clastix.io
   namespaceSelector:
-    matchExpressions:
-      - key: capsule.clastix.io/tenant
-        operator: Exists
+  {{- toYaml .Values.webhooks.services.namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -223,13 +229,15 @@ webhooks:
     - v1
     - v1beta1
   clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
     caBundle: Cg==
+{{- end }}
     service:
       name: {{ include "capsule.fullname" . }}-webhook-service
       namespace: {{ .Release.Namespace }}
       path: /tenants
       port: 443
-  failurePolicy: Fail
+  failurePolicy:  {{ .Values.webhooks.tenants.failurePolicy }}
   matchPolicy: Exact
   name: tenants.capsule.clastix.io
   namespaceSelector: {}
@@ -248,3 +256,31 @@ webhooks:
       scope: '*'
   sideEffects: None
   timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+- admissionReviewVersions:
+    - v1
+    - v1beta1
+  clientConfig:
+{{- if not .Values.certManager.generateCertificates }}
+    caBundle: Cg==
+{{- end }}
+    service:
+      name: {{ include "capsule.fullname" . }}-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /nodes
+      port: 443
+  failurePolicy: {{ .Values.webhooks.nodes.failurePolicy }}
+  name: nodes.capsule.clastix.io
+  matchPolicy: Exact
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+    - apiGroups:
+        - ""
+      apiVersions:
+        - v1
+      operations:
+        - UPDATE
+      resources:
+        - nodes
+  sideEffects: None
+  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}

charts/capsule/templates/webhook-service.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "capsule.fullname" . }}-webhook-service
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+   {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   ports:
   - port: 443

charts/capsule/values.yaml

@@ -21,8 +21,7 @@ manager:
     forceTenantPrefix: false
     capsuleUserGroups: ["capsule.clastix.io"]
     protectedNamespaceRegex: ""
-    allowIngressHostnameCollision: true
-    allowTenantIngressHostnamesCollision: false
+    enableSecretController: true
   livenessProbe:
     httpGet:
       path: /healthz
@@ -43,9 +42,7 @@ jobs:
   image:
     repository: quay.io/clastix/kubectl
     pullPolicy: IfNotPresent
-    tag: "v1.20.7"
-mutatingWebhooksTimeoutSeconds: 30
-validatingWebhooksTimeoutSeconds: 30
+    tag: ""
 imagePullSecrets: []
 serviceAccount:
   create: true
@@ -65,10 +62,13 @@ affinity: {}
 podSecurityPolicy:
   enabled: false
 
+certManager:
+  generateCertificates: false
+
 serviceMonitor:
   enabled: false
   # Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
-  namespace:
+  namespace: ''
   # Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
   labels: {}
   annotations: {}
@@ -76,3 +76,58 @@ serviceMonitor:
   serviceAccount:
     name: capsule
     namespace: capsule-system
+
+# Additional labels
+customLabels: {}
+
+# Additional annotations
+customAnnotations: {}
+
+# Webhooks configurations
+webhooks:
+  namespaceOwnerReference:
+    failurePolicy: Fail
+  cordoning:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  ingresses:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  namespaces:
+    failurePolicy: Fail
+  networkpolicies:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  pods:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  persistentvolumeclaims:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  tenants:
+    failurePolicy: Fail
+  services:
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: capsule.clastix.io/tenant
+          operator: Exists
+  nodes:
+    failurePolicy: Fail
+mutatingWebhooksTimeoutSeconds: 30
+validatingWebhooksTimeoutSeconds: 30

config/crd/bases/capsule.clastix.io_capsuleconfigurations.yaml

@@ -19,7 +19,7 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: CapsuleConfiguration is the Schema for the Capsule configuration API
+        description: CapsuleConfiguration is the Schema for the Capsule configuration API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -30,15 +30,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: CapsuleConfigurationSpec defines the Capsule configuration nolint:maligned
+            description: CapsuleConfigurationSpec defines the Capsule configuration.
             properties:
-              allowIngressHostnameCollision:
-                default: true
-                description: Allow the collision of Ingress resource hostnames across all the Tenants.
-                type: boolean
-              allowTenantIngressHostnamesCollision:
-                description: "When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed. Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of two or more Tenant resources although sharing the same allowed hostname(s). \n The JSON path of the resource is: /spec/ingressHostnames/allowed"
-                type: boolean
               forceTenantPrefix:
                 default: false
                 description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.

config/crd/bases/capsule.clastix.io_tenants.yaml

@@ -46,7 +46,7 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: Tenant is the Schema for the tenants API
+        description: Tenant is the Schema for the tenants API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -57,7 +57,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: TenantSpec defines the desired state of Tenant
+            description: TenantSpec defines the desired state of Tenant.
             properties:
               additionalRoleBindings:
                 items:
@@ -222,11 +222,15 @@ spec:
                             items:
                               description: NetworkPolicyPort describes a port to allow traffic on
                               properties:
+                                endPort:
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                  format: int32
+                                  type: integer
                                 port:
                                   anyOf:
                                   - type: integer
                                   - type: string
-                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                   x-kubernetes-int-or-string: true
                                 protocol:
                                   default: TCP
@@ -408,11 +412,15 @@ spec:
                             items:
                               description: NetworkPolicyPort describes a port to allow traffic on
                               properties:
+                                endPort:
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                  format: int32
+                                  type: integer
                                 port:
                                   anyOf:
                                   - type: integer
                                   - type: string
-                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                   x-kubernetes-int-or-string: true
                                 protocol:
                                   default: TCP
@@ -453,9 +461,9 @@ spec:
                           type: object
                       type: object
                     policyTypes:
-                      description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                      description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                       items:
-                        description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                        description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                         type: string
                       type: array
                   required:
@@ -467,7 +475,7 @@ spec:
                   type: string
                 type: object
               owner:
-                description: OwnerSpec defines tenant owner name and kind
+                description: OwnerSpec defines tenant owner name and kind.
                 properties:
                   kind:
                     enum:
@@ -550,7 +558,7 @@ spec:
             - owner
             type: object
           status:
-            description: TenantStatus defines the observed state of Tenant
+            description: TenantStatus defines the observed state of Tenant.
             properties:
               namespaces:
                 items:
@@ -572,7 +580,7 @@ spec:
       name: State
       type: string
     - description: The max amount of Namespaces can be created
-      jsonPath: .spec.namespaceQuota
+      jsonPath: .spec.namespaceOptions.quota
       name: Namespace quota
       type: integer
     - description: The total amount of Namespaces in use
@@ -590,7 +598,7 @@ spec:
     name: v1beta1
     schema:
       openAPIV3Schema:
-        description: Tenant is the Schema for the tenants API
+        description: Tenant is the Schema for the tenants API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -601,7 +609,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: TenantSpec defines the desired state of Tenant
+            description: TenantSpec defines the desired state of Tenant.
             properties:
               additionalRoleBindings:
                 description: Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
@@ -646,21 +654,6 @@ spec:
                   allowedRegex:
                     type: string
                 type: object
-              enableNodePorts:
-                default: true
-                description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
-                type: boolean
-              externalServiceIPs:
-                description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means all the IPs are allowed. Optional.
-                properties:
-                  allowed:
-                    items:
-                      pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
-                      type: string
-                    type: array
-                required:
-                - allowed
-                type: object
               imagePullPolicies:
                 description: Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
                 items:
@@ -670,28 +663,41 @@ spec:
                   - IfNotPresent
                   type: string
                 type: array
-              ingressClasses:
-                description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+              ingressOptions:
+                description: Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
                 properties:
-                  allowed:
-                    items:
-                      type: string
-                    type: array
-                  allowedRegex:
-                    type: string
-                type: object
-              ingressHostnames:
-                description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
-                properties:
-                  allowed:
-                    items:
-                      type: string
-                    type: array
-                  allowedRegex:
+                  allowedClasses:
+                    description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          type: string
+                        type: array
+                      allowedRegex:
+                        type: string
+                    type: object
+                  allowedHostnames:
+                    description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          type: string
+                        type: array
+                      allowedRegex:
+                        type: string
+                    type: object
+                  hostnameCollisionScope:
+                    default: Disabled
+                    description: "Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames. \n - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. \n - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. \n - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. \n Optional."
+                    enum:
+                    - Cluster
+                    - Tenant
+                    - Namespace
+                    - Disabled
                     type: string
                 type: object
               limitRanges:
-                description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+                description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                 properties:
                   items:
                     items:
@@ -759,22 +765,26 @@ spec:
                       type: object
                     type: array
                 type: object
-              namespaceQuota:
-                description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
-                format: int32
-                minimum: 1
-                type: integer
-              namespacesMetadata:
-                description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+              namespaceOptions:
+                description: Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
                 properties:
-                  additionalAnnotations:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  additionalLabels:
-                    additionalProperties:
-                      type: string
+                  additionalMetadata:
+                    description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
                     type: object
+                  quota:
+                    description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+                    format: int32
+                    minimum: 1
+                    type: integer
                 type: object
               networkPolicies:
                 description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
@@ -793,11 +803,15 @@ spec:
                                 items:
                                   description: NetworkPolicyPort describes a port to allow traffic on
                                   properties:
+                                    endPort:
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                      format: int32
+                                      type: integer
                                     port:
                                       anyOf:
                                       - type: integer
                                       - type: string
-                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
                                       default: TCP
@@ -979,11 +993,15 @@ spec:
                                 items:
                                   description: NetworkPolicyPort describes a port to allow traffic on
                                   properties:
+                                    endPort:
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                      format: int32
+                                      type: integer
                                     port:
                                       anyOf:
                                       - type: integer
                                       - type: string
-                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
                                       default: TCP
@@ -1024,9 +1042,9 @@ spec:
                               type: object
                           type: object
                         policyTypes:
-                          description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                          description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                           items:
-                            description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                            description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                             type: string
                           type: array
                       required:
@@ -1037,7 +1055,7 @@ spec:
               nodeSelector:
                 additionalProperties:
                   type: string
-                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                 type: object
               owners:
                 description: Specifies the owners of the Tenant. Mandatory.
@@ -1062,6 +1080,7 @@ spec:
                             - Nodes
                             - StorageClasses
                             - IngressClasses
+                            - PriorityClasses
                             type: string
                           operations:
                             items:
@@ -1082,7 +1101,7 @@ spec:
                   type: object
                 type: array
               priorityClasses:
-                description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                 properties:
                   allowed:
                     items:
@@ -1140,17 +1159,55 @@ spec:
                           type: array
                       type: object
                     type: array
+                  scope:
+                    default: Tenant
+                    description: Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
+                    enum:
+                    - Tenant
+                    - Namespace
+                    type: string
                 type: object
-              servicesMetadata:
-                description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+              serviceOptions:
+                description: Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
                 properties:
-                  additionalAnnotations:
-                    additionalProperties:
-                      type: string
+                  additionalMetadata:
+                    description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
                     type: object
-                  additionalLabels:
-                    additionalProperties:
-                      type: string
+                  allowedServices:
+                    description: Block or deny certain type of Services. Optional.
+                    properties:
+                      externalName:
+                        default: true
+                        description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                      loadBalancer:
+                        default: true
+                        description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                      nodePort:
+                        default: true
+                        description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                    type: object
+                  externalIPs:
+                    description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+                          type: string
+                        type: array
+                    required:
+                    - allowed
                     type: object
                 type: object
               storageClasses:
@@ -1167,7 +1224,7 @@ spec:
             - owners
             type: object
           status:
-            description: Returns the observed state of the Tenant
+            description: Returns the observed state of the Tenant.
             properties:
               namespaces:
                 description: List of namespaces assigned to the Tenant.
@@ -1178,11 +1235,11 @@ spec:
                 description: How many namespaces are assigned to the Tenant.
                 type: integer
               state:
-                default: active
-                description: The operational state of the Tenant. Possible values are "active", "cordoned".
+                default: Active
+                description: The operational state of the Tenant. Possible values are "Active", "Cordoned".
                 enum:
-                - cordoned
-                - active
+                - Cordoned
+                - Active
                 type: string
             required:
             - size

config/install.yaml

@@ -24,7 +24,7 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: CapsuleConfiguration is the Schema for the Capsule configuration API
+        description: CapsuleConfiguration is the Schema for the Capsule configuration API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -35,15 +35,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: CapsuleConfigurationSpec defines the Capsule configuration nolint:maligned
+            description: CapsuleConfigurationSpec defines the Capsule configuration.
             properties:
-              allowIngressHostnameCollision:
-                default: true
-                description: Allow the collision of Ingress resource hostnames across all the Tenants.
-                type: boolean
-              allowTenantIngressHostnamesCollision:
-                description: "When defining the exact match for allowed Ingress hostnames at Tenant level, a collision is not allowed. Toggling this, Capsule will not check if a hostname collision is in place, allowing the creation of two or more Tenant resources although sharing the same allowed hostname(s). \n The JSON path of the resource is: /spec/ingressHostnames/allowed"
-                type: boolean
               forceTenantPrefix:
                 default: false
                 description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
@@ -125,7 +118,7 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: Tenant is the Schema for the tenants API
+        description: Tenant is the Schema for the tenants API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -136,7 +129,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: TenantSpec defines the desired state of Tenant
+            description: TenantSpec defines the desired state of Tenant.
             properties:
               additionalRoleBindings:
                 items:
@@ -301,11 +294,15 @@ spec:
                             items:
                               description: NetworkPolicyPort describes a port to allow traffic on
                               properties:
+                                endPort:
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                  format: int32
+                                  type: integer
                                 port:
                                   anyOf:
                                   - type: integer
                                   - type: string
-                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                   x-kubernetes-int-or-string: true
                                 protocol:
                                   default: TCP
@@ -487,11 +484,15 @@ spec:
                             items:
                               description: NetworkPolicyPort describes a port to allow traffic on
                               properties:
+                                endPort:
+                                  description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                  format: int32
+                                  type: integer
                                 port:
                                   anyOf:
                                   - type: integer
                                   - type: string
-                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                  description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                   x-kubernetes-int-or-string: true
                                 protocol:
                                   default: TCP
@@ -532,9 +533,9 @@ spec:
                           type: object
                       type: object
                     policyTypes:
-                      description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                      description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                       items:
-                        description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                        description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                         type: string
                       type: array
                   required:
@@ -546,7 +547,7 @@ spec:
                   type: string
                 type: object
               owner:
-                description: OwnerSpec defines tenant owner name and kind
+                description: OwnerSpec defines tenant owner name and kind.
                 properties:
                   kind:
                     enum:
@@ -629,7 +630,7 @@ spec:
             - owner
             type: object
           status:
-            description: TenantStatus defines the observed state of Tenant
+            description: TenantStatus defines the observed state of Tenant.
             properties:
               namespaces:
                 items:
@@ -651,7 +652,7 @@ spec:
       name: State
       type: string
     - description: The max amount of Namespaces can be created
-      jsonPath: .spec.namespaceQuota
+      jsonPath: .spec.namespaceOptions.quota
       name: Namespace quota
       type: integer
     - description: The total amount of Namespaces in use
@@ -669,7 +670,7 @@ spec:
     name: v1beta1
     schema:
       openAPIV3Schema:
-        description: Tenant is the Schema for the tenants API
+        description: Tenant is the Schema for the tenants API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -680,7 +681,7 @@ spec:
           metadata:
             type: object
           spec:
-            description: TenantSpec defines the desired state of Tenant
+            description: TenantSpec defines the desired state of Tenant.
             properties:
               additionalRoleBindings:
                 description: Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
@@ -725,21 +726,6 @@ spec:
                   allowedRegex:
                     type: string
                 type: object
-              enableNodePorts:
-                default: true
-                description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
-                type: boolean
-              externalServiceIPs:
-                description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means all the IPs are allowed. Optional.
-                properties:
-                  allowed:
-                    items:
-                      pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
-                      type: string
-                    type: array
-                required:
-                - allowed
-                type: object
               imagePullPolicies:
                 description: Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
                 items:
@@ -749,28 +735,41 @@ spec:
                   - IfNotPresent
                   type: string
                 type: array
-              ingressClasses:
-                description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+              ingressOptions:
+                description: Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
                 properties:
-                  allowed:
-                    items:
-                      type: string
-                    type: array
-                  allowedRegex:
-                    type: string
-                type: object
-              ingressHostnames:
-                description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
-                properties:
-                  allowed:
-                    items:
-                      type: string
-                    type: array
-                  allowedRegex:
+                  allowedClasses:
+                    description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          type: string
+                        type: array
+                      allowedRegex:
+                        type: string
+                    type: object
+                  allowedHostnames:
+                    description: Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          type: string
+                        type: array
+                      allowedRegex:
+                        type: string
+                    type: object
+                  hostnameCollisionScope:
+                    default: Disabled
+                    description: "Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames. \n - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. \n - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. \n - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. \n Optional."
+                    enum:
+                    - Cluster
+                    - Tenant
+                    - Namespace
+                    - Disabled
                     type: string
                 type: object
               limitRanges:
-                description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
+                description: Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
                 properties:
                   items:
                     items:
@@ -838,22 +837,26 @@ spec:
                       type: object
                     type: array
                 type: object
-              namespaceQuota:
-                description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
-                format: int32
-                minimum: 1
-                type: integer
-              namespacesMetadata:
-                description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+              namespaceOptions:
+                description: Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
                 properties:
-                  additionalAnnotations:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  additionalLabels:
-                    additionalProperties:
-                      type: string
+                  additionalMetadata:
+                    description: Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
                     type: object
+                  quota:
+                    description: Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
+                    format: int32
+                    minimum: 1
+                    type: integer
                 type: object
               networkPolicies:
                 description: Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
@@ -872,11 +875,15 @@ spec:
                                 items:
                                   description: NetworkPolicyPort describes a port to allow traffic on
                                   properties:
+                                    endPort:
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                      format: int32
+                                      type: integer
                                     port:
                                       anyOf:
                                       - type: integer
                                       - type: string
-                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
                                       default: TCP
@@ -1058,11 +1065,15 @@ spec:
                                 items:
                                   description: NetworkPolicyPort describes a port to allow traffic on
                                   properties:
+                                    endPort:
+                                      description: If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+                                      format: int32
+                                      type: integer
                                     port:
                                       anyOf:
                                       - type: integer
                                       - type: string
-                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
+                                      description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
                                       x-kubernetes-int-or-string: true
                                     protocol:
                                       default: TCP
@@ -1103,9 +1114,9 @@ spec:
                               type: object
                           type: object
                         policyTypes:
-                          description: List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
+                          description: List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
                           items:
-                            description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
+                            description: PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8
                             type: string
                           type: array
                       required:
@@ -1116,7 +1127,7 @@ spec:
               nodeSelector:
                 additionalProperties:
                   type: string
-                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namesapces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
+                description: Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
                 type: object
               owners:
                 description: Specifies the owners of the Tenant. Mandatory.
@@ -1141,6 +1152,7 @@ spec:
                             - Nodes
                             - StorageClasses
                             - IngressClasses
+                            - PriorityClasses
                             type: string
                           operations:
                             items:
@@ -1161,7 +1173,7 @@ spec:
                   type: object
                 type: array
               priorityClasses:
-                description: Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
+                description: Specifies the allowed priorityClasses assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. Optional.
                 properties:
                   allowed:
                     items:
@@ -1219,17 +1231,55 @@ spec:
                           type: array
                       type: object
                     type: array
+                  scope:
+                    default: Tenant
+                    description: Define if the Resource Budget should compute resource across all Namespaces in the Tenant or individually per cluster. Default is Tenant
+                    enum:
+                    - Tenant
+                    - Namespace
+                    type: string
                 type: object
-              servicesMetadata:
-                description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+              serviceOptions:
+                description: Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
                 properties:
-                  additionalAnnotations:
-                    additionalProperties:
-                      type: string
+                  additionalMetadata:
+                    description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
                     type: object
-                  additionalLabels:
-                    additionalProperties:
-                      type: string
+                  allowedServices:
+                    description: Block or deny certain type of Services. Optional.
+                    properties:
+                      externalName:
+                        default: true
+                        description: Specifies if ExternalName service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                      loadBalancer:
+                        default: true
+                        description: Specifies if LoadBalancer service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                      nodePort:
+                        default: true
+                        description: Specifies if NodePort service type resources are allowed for the Tenant. Default is true. Optional.
+                        type: boolean
+                    type: object
+                  externalIPs:
+                    description: Specifies the external IPs that can be used in Services with type ClusterIP. An empty list means no IPs are allowed. Optional.
+                    properties:
+                      allowed:
+                        items:
+                          pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+                          type: string
+                        type: array
+                    required:
+                    - allowed
                     type: object
                 type: object
               storageClasses:
@@ -1246,7 +1296,7 @@ spec:
             - owners
             type: object
           status:
-            description: Returns the observed state of the Tenant
+            description: Returns the observed state of the Tenant.
             properties:
               namespaces:
                 description: List of namespaces assigned to the Tenant.
@@ -1257,11 +1307,11 @@ spec:
                 description: How many namespaces are assigned to the Tenant.
                 type: integer
               state:
-                default: active
-                description: The operational state of the Tenant. Possible values are "active", "cordoned".
+                default: Active
+                description: The operational state of the Tenant. Possible values are "Active", "Cordoned".
                 enum:
-                - cordoned
-                - active
+                - Cordoned
+                - Active
                 type: string
             required:
             - size
@@ -1361,7 +1411,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/clastix/capsule:v0.1.0-rc3
+        image: quay.io/clastix/capsule:v0.1.1
         imagePullPolicy: IfNotPresent
         name: manager
         ports:
@@ -1395,8 +1445,6 @@ metadata:
   name: capsule-default
   namespace: capsule-system
 spec:
-  allowIngressHostnameCollision: false
-  allowTenantIngressHostnamesCollision: false
   forceTenantPrefix: false
   protectedNamespaceRegex: ""
   userGroups:
@@ -1424,6 +1472,7 @@ webhooks:
     - v1
     operations:
     - CREATE
+    - UPDATE
     resources:
     - namespaces
   sideEffects: None
@@ -1533,6 +1582,29 @@ webhooks:
     - networkpolicies
     scope: Namespaced
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: capsule-webhook-service
+      namespace: capsule-system
+      path: /nodes
+  failurePolicy: Fail
+  name: nodes.capsule.clastix.io
+  namespaceSelector:
+    matchExpressions:
+    - key: capsule.clastix.io/tenant
+      operator: Exists
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - nodes
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

config/manager/configuration.yaml

@@ -6,5 +6,3 @@ spec:
   userGroups: ["capsule.clastix.io"]
   forceTenantPrefix: false
   protectedNamespaceRegex: ""
-  allowTenantIngressHostnamesCollision: false
-  allowIngressHostnameCollision: false

config/manager/kustomization.yaml

@@ -7,4 +7,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/clastix/capsule
-  newTag: v0.1.0-rc3
+  newTag: v0.1.1

config/samples/capsule_v1alpha1_capsuleconfiguration.yaml

@@ -7,5 +7,3 @@ spec:
   userGroups: ["capsule.clastix.io"]
   forceTenantPrefix: false
   protectedNamespaceRegex: ""
-  allowTenantIngressHostnamesCollision: false
-  allowIngressHostnameCollision: false

config/samples/capsule_v1beta1_tenant.yaml

@@ -16,21 +16,31 @@ spec:
       - docker.io
       - quay.io
     allowedRegex: ^\w+.gcr.io$
-  enableNodePorts: false
-  externalServiceIPs:
-    allowed:
-      - 10.20.0.0/16
-      - "10.96.42.42"
+  serviceOptions:
+    additionalMetadata:
+      annotations:
+        capsule.clastix.io/bgp: "true"
+      labels:
+        capsule.clastix.io/pool: gas
+    allowedServices:
+      nodePort: false
+      externalName: false
+    externalIPs:
+      allowed:
+        - 10.20.0.0/16
+        - "10.96.42.42"
   imagePullPolicies:
     - Always
-  ingressClasses:
-    allowed:
-      - default
-    allowedRegex: ^\w+-lb$
-  ingressHostnames:
-    allowed:
-      - gas.acmecorp.com
-    allowedRegex: ^.*acmecorp.com$
+  ingressOptions:
+    hostnameCollisionScope: Cluster
+    allowedClasses:
+      allowed:
+        - default
+      allowedRegex: ^\w+-lb$
+    allowedHostnames:
+      allowed:
+        - gas.acmecorp.com
+      allowedRegex: ^.*acmecorp.com$
   limitRanges:
     items:
       -
@@ -63,12 +73,13 @@ spec:
             min:
               storage: 1Gi
             type: PersistentVolumeClaim
-  namespaceQuota: 3
-  namespacesMetadata:
-    additionalAnnotations:
-      capsule.clastix.io/backup: "false"
-    additionalLabels:
-      capsule.clastix.io/tenant: gas
+  namespaceOptions:
+    quota: 3
+    additionalMetadata:
+      annotations:
+        capsule.clastix.io/backup: "false"
+      labels:
+        capsule.clastix.io/tenant: gas
   networkPolicies:
     items:
       -
@@ -122,11 +133,6 @@ spec:
       -
         hard:
           requests.storage: 100Gi
-  servicesMetadata:
-    additionalAnnotations:
-      capsule.clastix.io/bgp: "true"
-    additionalLabels:
-      capsule.clastix.io/pool: gas
   storageClasses:
     allowed:
       - default

config/webhook/manifests.yaml

@@ -22,6 +22,7 @@ webhooks:
     - v1
     operations:
     - CREATE
+    - UPDATE
     resources:
     - namespaces
   sideEffects: None
@@ -117,6 +118,25 @@ webhooks:
     resources:
     - networkpolicies
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /nodes
+  failurePolicy: Fail
+  name: nodes.capsule.clastix.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - nodes
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

config/webhook/patch_ns_selector.yaml

@@ -34,6 +34,12 @@
     matchExpressions:
       - key: capsule.clastix.io/tenant
         operator: Exists
+- op: add
+  path: /webhooks/7/namespaceSelector
+  value:
+    matchExpressions:
+      - key: capsule.clastix.io/tenant
+        operator: Exists
 - op: add
   path: /webhooks/0/rules/0/scope
   value: Namespaced
@@ -43,12 +49,12 @@
 - op: add
   path: /webhooks/3/rules/0/scope
   value: Namespaced
-- op: add
-  path: /webhooks/4/rules/0/scope
-  value: Namespaced
 - op: add
   path: /webhooks/5/rules/0/scope
   value: Namespaced
 - op: add
   path: /webhooks/6/rules/0/scope
   value: Namespaced
+- op: add
+  path: /webhooks/7/rules/0/scope
+  value: Namespaced

controllers/config/manager.go

@@ -1,7 +1,7 @@
 // Copyright 2020-2021 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
 
-package rbac
+package config
 
 import (
 	"context"
@@ -9,13 +9,11 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/controllers/utils"
 	"github.com/clastix/capsule/pkg/configuration"
 )
 
@@ -24,50 +22,29 @@ type Manager struct {
 	Client client.Client
 }
 
-// InjectClient injects the Client interface, required by the Runnable interface
-func (r *Manager) InjectClient(c client.Client) error {
-	r.Client = c
+// InjectClient injects the Client interface, required by the Runnable interface.
+func (c *Manager) InjectClient(client client.Client) error {
+	c.Client = client
 
 	return nil
 }
 
-func filterByName(objName, desired string) bool {
-	return objName == desired
-}
-
-func forOptionPerInstanceName(instanceName string) builder.ForOption {
-	return builder.WithPredicates(predicate.Funcs{
-		CreateFunc: func(event event.CreateEvent) bool {
-			return filterByName(event.Object.GetName(), instanceName)
-		},
-		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-			return filterByName(deleteEvent.Object.GetName(), instanceName)
-		},
-		UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-			return filterByName(updateEvent.ObjectNew.GetName(), instanceName)
-		},
-		GenericFunc: func(genericEvent event.GenericEvent) bool {
-			return filterByName(genericEvent.Object.GetName(), instanceName)
-		},
-	})
-}
-
-func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) error {
+func (c *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&capsulev1alpha1.CapsuleConfiguration{}, forOptionPerInstanceName(configurationName)).
-		Complete(r)
+		For(&capsulev1alpha1.CapsuleConfiguration{}, utils.NamesMatchingPredicate(configurationName)).
+		Complete(c)
 }
 
-func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
-	r.Log.Info("CapsuleConfiguration reconciliation started", "request.name", request.Name)
+func (c *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
+	c.Log.Info("CapsuleConfiguration reconciliation started", "request.name", request.Name)
 
-	cfg := configuration.NewCapsuleConfiguration(r.Client, request.Name)
+	cfg := configuration.NewCapsuleConfiguration(ctx, c.Client, request.Name)
 	// Validating the Capsule Configuration options
 	if _, err = cfg.ProtectedNamespaceRegexp(); err != nil {
 		panic(errors.Wrap(err, "Invalid configuration for protected Namespace regex"))
 	}
 
-	r.Log.Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)
+	c.Log.Info("CapsuleConfiguration reconciliation finished", "request.name", request.Name)
 
 	return
 }

controllers/rbac/const.go

@@ -35,7 +35,7 @@ var (
 				{
 					APIGroups: []string{""},
 					Resources: []string{"namespaces"},
-					Verbs:     []string{"delete"},
+					Verbs:     []string{"delete", "patch"},
 				},
 			},
 		},
@@ -48,7 +48,7 @@ var (
 		RoleRef: rbacv1.RoleRef{
 			Kind:     "ClusterRole",
 			Name:     ProvisionerRoleName,
-			APIGroup: "rbac.authorization.k8s.io",
+			APIGroup: rbacv1.GroupName,
 		},
 	}
 )

controllers/rbac/manager.go

@@ -10,20 +10,19 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/hashicorp/go-multierror"
 	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	capsulev1alpha1 "github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/controllers/utils"
 	"github.com/clastix/capsule/pkg/configuration"
 )
 
@@ -33,65 +32,40 @@ type Manager struct {
 	Configuration configuration.Configuration
 }
 
-// InjectClient injects the Client interface, required by the Runnable interface
+// InjectClient injects the Client interface, required by the Runnable interface.
 func (r *Manager) InjectClient(c client.Client) error {
 	r.Client = c
+
 	return nil
 }
 
-func (r *Manager) filterByNames(name string) bool {
-	return name == ProvisionerRoleName || name == DeleterRoleName
-}
+func (r *Manager) SetupWithManager(ctx context.Context, mgr ctrl.Manager, configurationName string) (err error) {
+	namesPredicate := utils.NamesMatchingPredicate(ProvisionerRoleName, DeleterRoleName)
 
-//nolint:dupl
-func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) (err error) {
 	crErr := ctrl.NewControllerManagedBy(mgr).
-		For(&rbacv1.ClusterRole{}, builder.WithPredicates(predicate.Funcs{
-			CreateFunc: func(event event.CreateEvent) bool {
-				return r.filterByNames(event.Object.GetName())
-			},
-			DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-				return r.filterByNames(deleteEvent.Object.GetName())
-			},
-			UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-				return r.filterByNames(updateEvent.ObjectNew.GetName())
-			},
-			GenericFunc: func(genericEvent event.GenericEvent) bool {
-				return r.filterByNames(genericEvent.Object.GetName())
-			},
-		})).
+		For(&rbacv1.ClusterRole{}, namesPredicate).
 		Complete(r)
 	if crErr != nil {
 		err = multierror.Append(err, crErr)
 	}
+
 	crbErr := ctrl.NewControllerManagedBy(mgr).
-		For(&rbacv1.ClusterRoleBinding{}, builder.WithPredicates(predicate.Funcs{
-			CreateFunc: func(event event.CreateEvent) bool {
-				return r.filterByNames(event.Object.GetName())
-			},
-			DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-				return r.filterByNames(deleteEvent.Object.GetName())
-			},
-			UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-				return r.filterByNames(updateEvent.ObjectNew.GetName())
-			},
-			GenericFunc: func(genericEvent event.GenericEvent) bool {
-				return r.filterByNames(genericEvent.Object.GetName())
-			},
-		})).
+		For(&rbacv1.ClusterRoleBinding{}, namesPredicate).
 		Watches(source.NewKindWithCache(&capsulev1alpha1.CapsuleConfiguration{}, mgr.GetCache()), handler.Funcs{
 			UpdateFunc: func(updateEvent event.UpdateEvent, limitingInterface workqueue.RateLimitingInterface) {
 				if updateEvent.ObjectNew.GetName() == configurationName {
-					if crbErr := r.EnsureClusterRoleBindings(); crbErr != nil {
+					if crbErr := r.EnsureClusterRoleBindings(ctx); crbErr != nil {
 						r.Log.Error(err, "cannot update ClusterRoleBinding upon CapsuleConfiguration update")
 					}
 				}
 			},
 		}).
 		Complete(r)
+
 	if crbErr != nil {
 		err = multierror.Append(err, crbErr)
 	}
+
 	return
 }
 
@@ -100,18 +74,19 @@ func (r *Manager) SetupWithManager(mgr ctrl.Manager, configurationName string) (
 func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
 	switch request.Name {
 	case ProvisionerRoleName:
-		if err = r.EnsureClusterRole(ProvisionerRoleName); err != nil {
+		if err = r.EnsureClusterRole(ctx, ProvisionerRoleName); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", ProvisionerRoleName)
 
 			break
 		}
-		if err = r.EnsureClusterRoleBindings(); err != nil {
+
+		if err = r.EnsureClusterRoleBindings(ctx); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRoleBindings failed")
 
 			break
 		}
 	case DeleterRoleName:
-		if err = r.EnsureClusterRole(DeleterRoleName); err != nil {
+		if err = r.EnsureClusterRole(ctx, DeleterRoleName); err != nil {
 			r.Log.Error(err, "Reconciliation for ClusterRole failed", "ClusterRole", DeleterRoleName)
 		}
 	}
@@ -119,14 +94,14 @@ func (r *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 	return
 }
 
-func (r *Manager) EnsureClusterRoleBindings() (err error) {
+func (r *Manager) EnsureClusterRoleBindings(ctx context.Context) (err error) {
 	crb := &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: ProvisionerRoleName,
 		},
 	}
 
-	_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, crb, func() (err error) {
+	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, crb, func() (err error) {
 		crb.RoleRef = provisionerClusterRoleBinding.RoleRef
 
 		crb.Subjects = []rbacv1.Subject{}
@@ -144,7 +119,7 @@ func (r *Manager) EnsureClusterRoleBindings() (err error) {
 	return
 }
 
-func (r *Manager) EnsureClusterRole(roleName string) (err error) {
+func (r *Manager) EnsureClusterRole(ctx context.Context, roleName string) (err error) {
 	role, ok := clusterRoles[roleName]
 	if !ok {
 		return fmt.Errorf("clusterRole %s is not mapped", roleName)
@@ -156,8 +131,9 @@ func (r *Manager) EnsureClusterRole(roleName string) (err error) {
 		},
 	}
 
-	_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, clusterRole, func() error {
+	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, clusterRole, func() error {
 		clusterRole.Rules = role.Rules
+
 		return nil
 	})
 
@@ -170,8 +146,9 @@ func (r *Manager) EnsureClusterRole(roleName string) (err error) {
 func (r *Manager) Start(ctx context.Context) error {
 	for roleName := range clusterRoles {
 		r.Log.Info("setting up ClusterRoles", "ClusterRole", roleName)
-		if err := r.EnsureClusterRole(roleName); err != nil {
-			if errors.IsAlreadyExists(err) {
+
+		if err := r.EnsureClusterRole(ctx, roleName); err != nil {
+			if apierrors.IsAlreadyExists(err) {
 				continue
 			}
 
@@ -180,8 +157,9 @@ func (r *Manager) Start(ctx context.Context) error {
 	}
 
 	r.Log.Info("setting up ClusterRoleBindings")
-	if err := r.EnsureClusterRoleBindings(); err != nil {
-		if errors.IsAlreadyExists(err) {
+
+	if err := r.EnsureClusterRoleBindings(ctx); err != nil {
+		if apierrors.IsAlreadyExists(err) {
 			return nil
 		}
 

controllers/secret/ca.go

@@ -19,38 +19,62 @@ import (
 	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	"github.com/clastix/capsule/pkg/cert"
+	"github.com/clastix/capsule/pkg/configuration"
 )
 
 type CAReconciler struct {
 	client.Client
-	Log       logr.Logger
-	Scheme    *runtime.Scheme
-	Namespace string
+	Log           logr.Logger
+	Scheme        *runtime.Scheme
+	Namespace     string
+	Configuration configuration.Configuration
 }
 
 func (r *CAReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	enqueueFn := handler.EnqueueRequestsFromMapFunc(func(client.Object) []reconcile.Request {
+		return []reconcile.Request{
+			{
+				NamespacedName: types.NamespacedName{
+					Namespace: r.Namespace,
+					Name:      r.Configuration.CASecretName(),
+				},
+			},
+		}
+	})
+
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Secret{}, forOptionPerInstanceName(caSecretName)).
+		For(&corev1.Secret{}).
+		Watches(source.NewKindWithCache(&admissionregistrationv1.ValidatingWebhookConfiguration{}, mgr.GetCache()), enqueueFn, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
+			return object.GetName() == r.Configuration.ValidatingWebhookConfigurationName()
+		}))).
+		Watches(source.NewKindWithCache(&admissionregistrationv1.MutatingWebhookConfiguration{}, mgr.GetCache()), enqueueFn, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
+			return object.GetName() == r.Configuration.MutatingWebhookConfigurationName()
+		}))).
 		Complete(r)
 }
 
 // By default helm doesn't allow to use templates in CRD (https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you).
 // In order to overcome this, we are setting conversion strategy in helm chart to None, and then update it with CA and namespace information.
-func (r *CAReconciler) UpdateCustomResourceDefinition(caBundle []byte) error {
+func (r *CAReconciler) UpdateCustomResourceDefinition(ctx context.Context, caBundle []byte) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
 		crd := &apiextensionsv1.CustomResourceDefinition{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "tenants.capsule.clastix.io"}, crd)
+		err = r.Get(ctx, types.NamespacedName{Name: "tenants.capsule.clastix.io"}, crd)
 		if err != nil {
 			r.Log.Error(err, "cannot retrieve CustomResourceDefinition")
+
 			return err
 		}
 
-		_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, crd, func() error {
+		_, err = controllerutil.CreateOrUpdate(ctx, r.Client, crd, func() error {
 			crd.Spec.Conversion = &apiextensionsv1.CustomResourceConversion{
 				Strategy: "Webhook",
 				Webhook: &apiextensionsv1.WebhookConversion{
@@ -75,12 +99,13 @@ func (r *CAReconciler) UpdateCustomResourceDefinition(caBundle []byte) error {
 }
 
 //nolint:dupl
-func (r CAReconciler) UpdateValidatingWebhookConfiguration(caBundle []byte) error {
+func (r CAReconciler) UpdateValidatingWebhookConfiguration(ctx context.Context, caBundle []byte) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
 		vw := &admissionregistrationv1.ValidatingWebhookConfiguration{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-validating-webhook-configuration"}, vw)
+		err = r.Get(ctx, types.NamespacedName{Name: r.Configuration.ValidatingWebhookConfigurationName()}, vw)
 		if err != nil {
 			r.Log.Error(err, "cannot retrieve ValidatingWebhookConfiguration")
+
 			return err
 		}
 		for i, w := range vw.Webhooks {
@@ -89,17 +114,19 @@ func (r CAReconciler) UpdateValidatingWebhookConfiguration(caBundle []byte) erro
 				vw.Webhooks[i].ClientConfig.CABundle = caBundle
 			}
 		}
-		return r.Update(context.TODO(), vw, &client.UpdateOptions{})
+
+		return r.Update(ctx, vw, &client.UpdateOptions{})
 	})
 }
 
 //nolint:dupl
-func (r CAReconciler) UpdateMutatingWebhookConfiguration(caBundle []byte) error {
+func (r CAReconciler) UpdateMutatingWebhookConfiguration(ctx context.Context, caBundle []byte) error {
 	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
 		mw := &admissionregistrationv1.MutatingWebhookConfiguration{}
-		err = r.Get(context.TODO(), types.NamespacedName{Name: "capsule-mutating-webhook-configuration"}, mw)
+		err = r.Get(ctx, types.NamespacedName{Name: r.Configuration.MutatingWebhookConfigurationName()}, mw)
 		if err != nil {
 			r.Log.Error(err, "cannot retrieve MutatingWebhookConfiguration")
+
 			return err
 		}
 		for i, w := range mw.Webhooks {
@@ -108,27 +135,34 @@ func (r CAReconciler) UpdateMutatingWebhookConfiguration(caBundle []byte) error
 				mw.Webhooks[i].ClientConfig.CABundle = caBundle
 			}
 		}
-		return r.Update(context.TODO(), mw, &client.UpdateOptions{})
+
+		return r.Update(ctx, mw, &client.UpdateOptions{})
 	})
 }
 
 func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 	var err error
 
+	if request.Name != r.Configuration.CASecretName() {
+		return ctrl.Result{}, nil
+	}
+
 	r.Log = r.Log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
 	r.Log.Info("Reconciling CA Secret")
 
 	// Fetch the CA instance
 	instance := &corev1.Secret{}
-	err = r.Client.Get(context.TODO(), request.NamespacedName, instance)
-	if err != nil {
+
+	if err = r.Client.Get(ctx, request.NamespacedName, instance); err != nil {
 		// Error reading the object - requeue the request.
 		return reconcile.Result{}, err
 	}
 
 	var ca cert.CA
+
 	var rq time.Duration
-	ca, err = getCertificateAuthority(r.Client, r.Namespace)
+
+	ca, err = getCertificateAuthority(ctx, r.Client, r.Namespace, r.Configuration.CASecretName())
 	if err != nil && errors.Is(err, MissingCaError{}) {
 		ca, err = cert.GenerateCertificateAuthority()
 		if err != nil {
@@ -143,6 +177,7 @@ func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl
 	rq, err = ca.ExpiresIn(time.Now())
 	if err != nil {
 		r.Log.Info("CA is expired, cleaning to obtain a new one")
+
 		instance.Data = map[string][]byte{}
 	} else {
 		r.Log.Info("Updating CA secret with new PEM and RSA")
@@ -153,19 +188,19 @@ func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl
 		key, _ = ca.CAPrivateKeyPem()
 
 		instance.Data = map[string][]byte{
-			certSecretKey:       crt.Bytes(),
-			privateKeySecretKey: key.Bytes(),
+			corev1.TLSCertKey:       crt.Bytes(),
+			corev1.TLSPrivateKeyKey: key.Bytes(),
 		}
 
-		group := errgroup.Group{}
+		group := new(errgroup.Group)
 		group.Go(func() error {
-			return r.UpdateMutatingWebhookConfiguration(crt.Bytes())
+			return r.UpdateMutatingWebhookConfiguration(ctx, crt.Bytes())
 		})
 		group.Go(func() error {
-			return r.UpdateValidatingWebhookConfiguration(crt.Bytes())
+			return r.UpdateValidatingWebhookConfiguration(ctx, crt.Bytes())
 		})
 		group.Go(func() error {
-			return r.UpdateCustomResourceDefinition(crt.Bytes())
+			return r.UpdateCustomResourceDefinition(ctx, crt.Bytes())
 		})
 
 		if err = group.Wait(); err != nil {
@@ -174,39 +209,50 @@ func (r CAReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl
 	}
 
 	var res controllerutil.OperationResult
+
 	t := &corev1.Secret{ObjectMeta: instance.ObjectMeta}
-	res, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, t, func() error {
+
+	res, err = controllerutil.CreateOrUpdate(ctx, r.Client, t, func() error {
 		t.Data = instance.Data
+
 		return nil
 	})
 	if err != nil {
 		r.Log.Error(err, "cannot update Capsule TLS")
+
 		return reconcile.Result{}, err
 	}
 
 	if res == controllerutil.OperationResultUpdated {
 		r.Log.Info("Capsule CA has been updated, we need to trigger TLS update too")
+
 		tls := &corev1.Secret{}
 		err = r.Get(ctx, types.NamespacedName{
 			Namespace: r.Namespace,
-			Name:      tlsSecretName,
+			Name:      r.Configuration.TLSSecretName(),
 		}, tls)
+
 		if err != nil {
 			r.Log.Error(err, "Capsule TLS Secret missing")
 		}
+
 		err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 			_, err = controllerutil.CreateOrUpdate(ctx, r.Client, tls, func() error {
 				tls.Data = map[string][]byte{}
+
 				return nil
 			})
+
 			return err
 		})
 		if err != nil {
 			r.Log.Error(err, "Cannot clean Capsule TLS Secret due to CA update")
+
 			return reconcile.Result{}, err
 		}
 	}
 
 	r.Log.Info("Reconciliation completed, processing back in " + rq.String())
+
 	return reconcile.Result{Requeue: true, RequeueAfter: rq}, nil
 }

controllers/secret/const.go

@@ -1,12 +0,0 @@
-// Copyright 2020-2021 Clastix Labs
-// SPDX-License-Identifier: Apache-2.0
-
-package secret
-
-const (
-	certSecretKey       = "tls.crt"
-	privateKeySecretKey = "tls.key"
-
-	caSecretName  = "capsule-ca"
-	tlsSecretName = "capsule-tls"
-)

controllers/secret/errors.go

@@ -3,8 +3,7 @@
 
 package secret
 
-type MissingCaError struct {
-}
+type MissingCaError struct{}
 
 func (MissingCaError) Error() string {
 	return "CA has not been created yet, please generate a new"

controllers/secret/reconciler.go

@@ -9,54 +9,26 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
 	"github.com/clastix/capsule/pkg/cert"
 )
 
-func getCertificateAuthority(client client.Client, namespace string) (ca cert.CA, err error) {
+func getCertificateAuthority(ctx context.Context, client client.Client, namespace, name string) (ca cert.CA, err error) {
 	instance := &corev1.Secret{}
 
-	err = client.Get(context.TODO(), types.NamespacedName{
-		Namespace: namespace,
-		Name:      caSecretName,
-	}, instance)
-	if err != nil {
-		return nil, fmt.Errorf("missing secret %s, cannot reconcile", caSecretName)
+	if err = client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: name}, instance); err != nil {
+		return nil, fmt.Errorf("missing secret %s, cannot reconcile", name)
 	}
 
 	if instance.Data == nil {
 		return nil, MissingCaError{}
 	}
 
-	ca, err = cert.NewCertificateAuthorityFromBytes(instance.Data[certSecretKey], instance.Data[privateKeySecretKey])
+	ca, err = cert.NewCertificateAuthorityFromBytes(instance.Data[corev1.TLSCertKey], instance.Data[corev1.TLSPrivateKeyKey])
 	if err != nil {
 		return
 	}
 
 	return
 }
-
-func forOptionPerInstanceName(instanceName string) builder.ForOption {
-	return builder.WithPredicates(predicate.Funcs{
-		CreateFunc: func(event event.CreateEvent) bool {
-			return filterByName(event.Object.GetName(), instanceName)
-		},
-		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-			return filterByName(deleteEvent.Object.GetName(), instanceName)
-		},
-		UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-			return filterByName(updateEvent.ObjectNew.GetName(), instanceName)
-		},
-		GenericFunc: func(genericEvent event.GenericEvent) bool {
-			return filterByName(genericEvent.Object.GetName(), instanceName)
-		},
-	})
-}
-
-func filterByName(objName, desired string) bool {
-	return objName == desired
-}

controllers/secret/tls.go

@@ -9,85 +9,99 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"syscall"
+	"os"
 	"time"
 
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"github.com/clastix/capsule/pkg/cert"
+	"github.com/clastix/capsule/pkg/configuration"
 )
 
 type TLSReconciler struct {
 	client.Client
-	Log       logr.Logger
-	Scheme    *runtime.Scheme
-	Namespace string
+	Log           logr.Logger
+	Scheme        *runtime.Scheme
+	Namespace     string
+	Configuration configuration.Configuration
 }
 
 func (r *TLSReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Secret{}, forOptionPerInstanceName(tlsSecretName)).
+		For(&corev1.Secret{}).
 		Complete(r)
 }
 
 func (r TLSReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 	var err error
 
+	if request.Name != r.Configuration.TLSSecretName() {
+		return ctrl.Result{}, nil
+	}
+
 	r.Log = r.Log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
 	r.Log.Info("Reconciling TLS Secret")
 
 	// Fetch the Secret instance
 	instance := &corev1.Secret{}
-	err = r.Get(ctx, request.NamespacedName, instance)
-	if err != nil {
+	if err = r.Get(ctx, request.NamespacedName, instance); err != nil {
 		// Error reading the object - requeue the request.
 		return reconcile.Result{}, err
 	}
 
 	var ca cert.CA
+
 	var rq time.Duration
 
-	ca, err = getCertificateAuthority(r.Client, r.Namespace)
+	ca, err = getCertificateAuthority(ctx, r.Client, r.Namespace, r.Configuration.CASecretName())
 	if err != nil {
 		return reconcile.Result{}, err
 	}
 
 	var shouldCreate bool
-	for _, key := range []string{certSecretKey, privateKeySecretKey} {
+
+	for _, key := range []string{corev1.TLSCertKey, corev1.TLSPrivateKeyKey} {
 		if _, ok := instance.Data[key]; !ok {
 			shouldCreate = true
+
 			break
 		}
 	}
 
 	if shouldCreate {
 		r.Log.Info("Missing Capsule TLS certificate")
+
 		rq = 6 * 30 * 24 * time.Hour
 
 		opts := cert.NewCertOpts(time.Now().Add(rq), fmt.Sprintf("capsule-webhook-service.%s.svc", r.Namespace))
+
 		var crt, key *bytes.Buffer
-		crt, key, err = ca.GenerateCertificate(opts)
-		if err != nil {
+
+		if crt, key, err = ca.GenerateCertificate(opts); err != nil {
 			r.Log.Error(err, "Cannot generate new TLS certificate")
+
 			return reconcile.Result{}, err
 		}
+
 		instance.Data = map[string][]byte{
-			certSecretKey:       crt.Bytes(),
-			privateKeySecretKey: key.Bytes(),
+			corev1.TLSCertKey:       crt.Bytes(),
+			corev1.TLSPrivateKeyKey: key.Bytes(),
 		}
 	} else {
 		var c *x509.Certificate
 		var b *pem.Block
-		b, _ = pem.Decode(instance.Data[certSecretKey])
+		b, _ = pem.Decode(instance.Data[corev1.TLSCertKey])
 		c, err = x509.ParseCertificate(b.Bytes)
 		if err != nil {
 			r.Log.Error(err, "cannot parse Capsule TLS")
+
 			return reconcile.Result{}, err
 		}
 
@@ -101,21 +115,58 @@ func (r TLSReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctr
 	}
 
 	var res controllerutil.OperationResult
+
 	t := &corev1.Secret{ObjectMeta: instance.ObjectMeta}
+
 	res, err = controllerutil.CreateOrUpdate(ctx, r.Client, t, func() error {
 		t.Data = instance.Data
+
 		return nil
 	})
 	if err != nil {
 		r.Log.Error(err, "cannot update Capsule TLS")
+
 		return reconcile.Result{}, err
 	}
+	// nolint:nestif
+	if instance.Name == r.Configuration.TLSSecretName() && res == controllerutil.OperationResultUpdated {
+		r.Log.Info("Capsule TLS certificates has been updated, Controller pods must be restarted to load new certificate")
 
-	if instance.Name == tlsSecretName && res == controllerutil.OperationResultUpdated {
-		r.Log.Info("Capsule TLS certificates has been updated, we need to restart the Controller")
-		_ = syscall.Kill(syscall.Getpid(), syscall.SIGINT)
+		hostname, _ := os.Hostname()
+
+		leaderPod := &corev1.Pod{}
+
+		if err = r.Client.Get(ctx, types.NamespacedName{Namespace: os.Getenv("NAMESPACE"), Name: hostname}, leaderPod); err != nil {
+			r.Log.Error(err, "cannot retrieve the leader Pod, probably running in out of the cluster mode")
+
+			return reconcile.Result{}, nil
+		}
+
+		podList := &corev1.PodList{}
+		if err = r.Client.List(ctx, podList, client.MatchingLabels(leaderPod.ObjectMeta.Labels)); err != nil {
+			r.Log.Error(err, "cannot retrieve list of Capsule pods requiring restart upon TLS update")
+
+			return reconcile.Result{}, nil
+		}
+
+		for _, p := range podList.Items {
+			nonLeaderPod := p
+			// Skipping this Pod, must be deleted at the end
+			if nonLeaderPod.GetName() == leaderPod.GetName() {
+				continue
+			}
+
+			if err = r.Client.Delete(ctx, &nonLeaderPod); err != nil {
+				r.Log.Error(err, "cannot delete the non-leader Pod due to TLS update")
+			}
+		}
+
+		if err = r.Client.Delete(ctx, leaderPod); err != nil {
+			r.Log.Error(err, "cannot delete the leader Pod due to TLS update")
+		}
 	}
 
 	r.Log.Info("Reconciliation completed, processing back in " + rq.String())
+
 	return reconcile.Result{Requeue: true, RequeueAfter: rq}, nil
 }

controllers/servicelabels/abstract.go

@@ -8,7 +8,9 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -16,7 +18,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -32,29 +33,35 @@ type abstractServiceLabelsReconciler struct {
 
 func (r *abstractServiceLabelsReconciler) InjectClient(c client.Client) error {
 	r.client = c
+
 	return nil
 }
 
 func (r *abstractServiceLabelsReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 	tenant, err := r.getTenant(ctx, request.NamespacedName, r.client)
 	if err != nil {
-		switch err.(type) {
-		case *NonTenantObject, *NoServicesMetadata:
+		if errors.As(err, &NonTenantObjectError{}) || errors.As(err, &NoServicesMetadataError{}) {
 			return reconcile.Result{}, nil
-		default:
-			r.log.Error(err, fmt.Sprintf("Cannot sync %t labels", r.obj))
-			return reconcile.Result{}, err
 		}
+
+		r.log.Error(err, fmt.Sprintf("Cannot sync %T %s/%s labels", r.obj, r.obj.GetNamespace(), r.obj.GetName()))
+
+		return reconcile.Result{}, err
 	}
 
 	err = r.client.Get(ctx, request.NamespacedName, r.obj)
 	if err != nil {
+		if apierr.IsNotFound(err) {
+			return reconcile.Result{}, nil
+		}
+
 		return reconcile.Result{}, err
 	}
 
 	_, err = controllerutil.CreateOrUpdate(ctx, r.client, r.obj, func() (err error) {
-		r.obj.SetLabels(r.sync(r.obj.GetLabels(), tenant.Spec.ServicesMetadata.AdditionalLabels))
-		r.obj.SetAnnotations(r.sync(r.obj.GetAnnotations(), tenant.Spec.ServicesMetadata.AdditionalAnnotations))
+		r.obj.SetLabels(r.sync(r.obj.GetLabels(), tenant.Spec.ServiceOptions.AdditionalMetadata.Labels))
+		r.obj.SetAnnotations(r.sync(r.obj.GetAnnotations(), tenant.Spec.ServiceOptions.AdditionalMetadata.Annotations))
+
 		return nil
 	})
 
@@ -78,7 +85,7 @@ func (r *abstractServiceLabelsReconciler) getTenant(ctx context.Context, namespa
 		return nil, err
 	}
 
-	if tenant.Spec.ServicesMetadata == nil {
+	if tenant.Spec.ServiceOptions == nil || tenant.Spec.ServiceOptions.AdditionalMetadata == nil {
 		return nil, NewNoServicesMetadata(namespacedName.Name)
 	}
 
@@ -97,32 +104,23 @@ func (r *abstractServiceLabelsReconciler) sync(available map[string]string, tena
 			}
 		}
 	}
+
 	return available
 }
 
-func (r *abstractServiceLabelsReconciler) forOptionPerInstanceName() builder.ForOption {
-	return builder.WithPredicates(predicate.Funcs{
-		CreateFunc: func(event event.CreateEvent) bool {
-			return r.IsNamespaceInTenant(event.Object.GetNamespace())
-		},
-		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-			return r.IsNamespaceInTenant(deleteEvent.Object.GetNamespace())
-		},
-		UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-			return r.IsNamespaceInTenant(updateEvent.ObjectNew.GetNamespace())
-		},
-		GenericFunc: func(genericEvent event.GenericEvent) bool {
-			return r.IsNamespaceInTenant(genericEvent.Object.GetNamespace())
-		},
-	})
+func (r *abstractServiceLabelsReconciler) forOptionPerInstanceName(ctx context.Context) builder.ForOption {
+	return builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
+		return r.IsNamespaceInTenant(ctx, object.GetNamespace())
+	}))
 }
 
-func (r *abstractServiceLabelsReconciler) IsNamespaceInTenant(namespace string) bool {
+func (r *abstractServiceLabelsReconciler) IsNamespaceInTenant(ctx context.Context, namespace string) bool {
 	tl := &capsulev1beta1.TenantList{}
-	if err := r.client.List(context.Background(), tl, client.MatchingFieldsSelector{
+	if err := r.client.List(ctx, tl, client.MatchingFieldsSelector{
 		Selector: fields.OneTermEqualSelector(".status.namespaces", namespace),
 	}); err != nil {
 		return false
 	}
+
 	return len(tl.Items) > 0
 }

controllers/servicelabels/endpoint.go

@@ -4,6 +4,8 @@
 package servicelabels
 
 import (
+	"context"
+
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -15,14 +17,13 @@ type EndpointsLabelsReconciler struct {
 	Log logr.Logger
 }
 
-func (r *EndpointsLabelsReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *EndpointsLabelsReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
 	r.abstractServiceLabelsReconciler = abstractServiceLabelsReconciler{
-		obj:    &corev1.Endpoints{},
-		scheme: mgr.GetScheme(),
-		log:    r.Log,
+		obj: &corev1.Endpoints{},
+		log: r.Log,
 	}
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(r.abstractServiceLabelsReconciler.obj, r.abstractServiceLabelsReconciler.forOptionPerInstanceName()).
+		For(r.abstractServiceLabelsReconciler.obj, r.abstractServiceLabelsReconciler.forOptionPerInstanceName(ctx)).
 		Complete(r)
 }

controllers/servicelabels/endpoint_slices.go

@@ -4,7 +4,10 @@
 package servicelabels
 
 import (
+	"context"
+
 	"github.com/go-logr/logr"
+	discoveryv1 "k8s.io/api/discovery/v1"
 	discoveryv1beta1 "k8s.io/api/discovery/v1beta1"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
@@ -13,24 +16,27 @@ type EndpointSlicesLabelsReconciler struct {
 	abstractServiceLabelsReconciler
 
 	Log          logr.Logger
-	VersionMinor int
-	VersionMajor int
+	VersionMinor uint
+	VersionMajor uint
 }
 
-func (r *EndpointSlicesLabelsReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	r.scheme = mgr.GetScheme()
+func (r *EndpointSlicesLabelsReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
 	r.abstractServiceLabelsReconciler = abstractServiceLabelsReconciler{
-		scheme: mgr.GetScheme(),
-		log:    r.Log,
+		log: r.Log,
 	}
 
-	if r.VersionMajor == 1 && r.VersionMinor <= 16 {
+	switch {
+	case r.VersionMajor == 1 && r.VersionMinor <= 16:
 		r.Log.Info("Skipping controller setup, as EndpointSlices are not supported on current kubernetes version", "VersionMajor", r.VersionMajor, "VersionMinor", r.VersionMinor)
+
 		return nil
+	case r.VersionMajor == 1 && r.VersionMinor >= 21:
+		r.abstractServiceLabelsReconciler.obj = &discoveryv1.EndpointSlice{}
+	default:
+		r.abstractServiceLabelsReconciler.obj = &discoveryv1beta1.EndpointSlice{}
 	}
 
-	r.abstractServiceLabelsReconciler.obj = &discoveryv1beta1.EndpointSlice{}
 	return ctrl.NewControllerManagedBy(mgr).
-		For(r.obj, r.abstractServiceLabelsReconciler.forOptionPerInstanceName()).
+		For(r.obj, r.abstractServiceLabelsReconciler.forOptionPerInstanceName(ctx)).
 		Complete(r)
 }

controllers/servicelabels/errors.go

@@ -5,26 +5,26 @@ package servicelabels
 
 import "fmt"
 
-type NonTenantObject struct {
+type NonTenantObjectError struct {
 	objectName string
 }
 
 func NewNonTenantObject(objectName string) error {
-	return &NonTenantObject{objectName: objectName}
+	return &NonTenantObjectError{objectName: objectName}
 }
 
-func (n NonTenantObject) Error() string {
+func (n NonTenantObjectError) Error() string {
 	return fmt.Sprintf("Skipping labels sync for %s as it doesn't belong to tenant", n.objectName)
 }
 
-type NoServicesMetadata struct {
+type NoServicesMetadataError struct {
 	objectName string
 }
 
 func NewNoServicesMetadata(objectName string) error {
-	return &NoServicesMetadata{objectName: objectName}
+	return &NoServicesMetadataError{objectName: objectName}
 }
 
-func (n NoServicesMetadata) Error() string {
+func (n NoServicesMetadataError) Error() string {
 	return fmt.Sprintf("Skipping labels sync for %s because no AdditionalLabels or AdditionalAnnotations presents in Tenant spec", n.objectName)
 }

controllers/servicelabels/service.go

@@ -4,6 +4,8 @@
 package servicelabels
 
 import (
+	"context"
+
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -15,13 +17,13 @@ type ServicesLabelsReconciler struct {
 	Log logr.Logger
 }
 
-func (r *ServicesLabelsReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *ServicesLabelsReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
 	r.abstractServiceLabelsReconciler = abstractServiceLabelsReconciler{
-		obj:    &corev1.Service{},
-		scheme: mgr.GetScheme(),
-		log:    r.Log,
+		obj: &corev1.Service{},
+		log: r.Log,
 	}
+
 	return ctrl.NewControllerManagedBy(mgr).
-		For(r.abstractServiceLabelsReconciler.obj, r.abstractServiceLabelsReconciler.forOptionPerInstanceName()).
+		For(r.abstractServiceLabelsReconciler.obj, r.abstractServiceLabelsReconciler.forOptionPerInstanceName(ctx)).
 		Complete(r)
 }

controllers/tenant/limitranges.go

@@ -0,0 +1,84 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+
+	"golang.org/x/sync/errgroup"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// nolint:dupl
+// Ensuring all the LimitRange are applied to each Namespace handled by the Tenant.
+func (r *Manager) syncLimitRanges(ctx context.Context, tenant *capsulev1beta1.Tenant) error {
+	// getting requested LimitRange keys
+	keys := make([]string, 0, len(tenant.Spec.LimitRanges.Items))
+
+	for i := range tenant.Spec.LimitRanges.Items {
+		keys = append(keys, strconv.Itoa(i))
+	}
+
+	group := new(errgroup.Group)
+
+	for _, ns := range tenant.Status.Namespaces {
+		namespace := ns
+
+		group.Go(func() error {
+			return r.syncLimitRange(ctx, tenant, namespace, keys)
+		})
+	}
+
+	return group.Wait()
+}
+
+func (r *Manager) syncLimitRange(ctx context.Context, tenant *capsulev1beta1.Tenant, namespace string, keys []string) (err error) {
+	// getting LimitRange labels for the mutateFn
+	var tenantLabel, limitRangeLabel string
+
+	if tenantLabel, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{}); err != nil {
+		return err
+	}
+
+	if limitRangeLabel, err = capsulev1beta1.GetTypeLabel(&corev1.LimitRange{}); err != nil {
+		return err
+	}
+
+	if err = r.pruningResources(ctx, namespace, keys, &corev1.LimitRange{}); err != nil {
+		return err
+	}
+
+	for i, spec := range tenant.Spec.LimitRanges.Items {
+		target := &corev1.LimitRange{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("capsule-%s-%d", tenant.Name, i),
+				Namespace: namespace,
+			},
+		}
+
+		var res controllerutil.OperationResult
+		res, err = controllerutil.CreateOrUpdate(ctx, r.Client, target, func() (err error) {
+			target.ObjectMeta.Labels = map[string]string{
+				tenantLabel:     tenant.Name,
+				limitRangeLabel: strconv.Itoa(i),
+			}
+			target.Spec = spec
+
+			return controllerutil.SetControllerReference(tenant, target, r.Client.Scheme())
+		})
+
+		r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring LimitRange %s", target.GetName()), err)
+
+		r.Log.Info("LimitRange sync result: "+string(res), "name", target.Name, "namespace", target.Namespace)
+
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

controllers/tenant/manager.go

@@ -0,0 +1,140 @@
+package tenant
+
+import (
+	"context"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/retry"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+type Manager struct {
+	client.Client
+	Log        logr.Logger
+	Recorder   record.EventRecorder
+	RESTConfig *rest.Config
+}
+
+func (r *Manager) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&capsulev1beta1.Tenant{}).
+		Owns(&corev1.Namespace{}).
+		Owns(&networkingv1.NetworkPolicy{}).
+		Owns(&corev1.LimitRange{}).
+		Owns(&corev1.ResourceQuota{}).
+		Owns(&rbacv1.RoleBinding{}).
+		Complete(r)
+}
+
+func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ctrl.Result, err error) {
+	r.Log = r.Log.WithValues("Request.Name", request.Name)
+	// Fetch the Tenant instance
+	instance := &capsulev1beta1.Tenant{}
+	if err = r.Get(ctx, request.NamespacedName, instance); err != nil {
+		if apierrors.IsNotFound(err) {
+			r.Log.Info("Request object not found, could have been deleted after reconcile request")
+
+			return reconcile.Result{}, nil
+		}
+
+		r.Log.Error(err, "Error reading the object")
+
+		return
+	}
+	// Ensuring the Tenant Status
+	if err = r.updateTenantStatus(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot update Tenant status")
+
+		return
+	}
+	// Ensuring ResourceQuota
+	r.Log.Info("Ensuring limit resources count is updated")
+
+	if err = r.syncCustomResourceQuotaUsages(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot count limited resources")
+
+		return
+	}
+	// Ensuring all namespaces are collected
+	r.Log.Info("Ensuring all Namespaces are collected")
+
+	if err = r.collectNamespaces(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot collect Namespace resources")
+
+		return
+	}
+	// Ensuring Namespace metadata
+	r.Log.Info("Starting processing of Namespaces", "items", len(instance.Status.Namespaces))
+
+	if err = r.syncNamespaces(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot sync Namespace items")
+
+		return
+	}
+	// Ensuring NetworkPolicy resources
+	r.Log.Info("Starting processing of Network Policies")
+
+	if err = r.syncNetworkPolicies(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot sync NetworkPolicy items")
+
+		return
+	}
+	// Ensuring LimitRange resources
+	r.Log.Info("Starting processing of Limit Ranges", "items", len(instance.Spec.LimitRanges.Items))
+
+	if err = r.syncLimitRanges(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot sync LimitRange items")
+
+		return
+	}
+	// Ensuring ResourceQuota resources
+	r.Log.Info("Starting processing of Resource Quotas", "items", len(instance.Spec.ResourceQuota.Items))
+
+	if err = r.syncResourceQuotas(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot sync ResourceQuota items")
+
+		return
+	}
+	// Ensuring RoleBinding resources
+	r.Log.Info("Ensuring RoleBindings for Owners and Tenant")
+
+	if err = r.syncRoleBindings(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot sync RoleBindings items")
+
+		return
+	}
+	// Ensuring Namespace count
+	r.Log.Info("Ensuring Namespace count")
+
+	if err = r.ensureNamespaceCount(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot sync Namespace count")
+
+		return
+	}
+
+	r.Log.Info("Tenant reconciling completed")
+
+	return ctrl.Result{}, err
+}
+
+func (r *Manager) updateTenantStatus(ctx context.Context, tnt *capsulev1beta1.Tenant) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		if tnt.IsCordoned() {
+			tnt.Status.State = capsulev1beta1.TenantStateCordoned
+		} else {
+			tnt.Status.State = capsulev1beta1.TenantStateActive
+		}
+
+		return r.Client.Status().Update(ctx, tnt)
+	})
+}

controllers/tenant/namespaces.go

@@ -0,0 +1,186 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"golang.org/x/sync/errgroup"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// Ensuring all annotations are applied to each Namespace handled by the Tenant.
+func (r *Manager) syncNamespaces(ctx context.Context, tenant *capsulev1beta1.Tenant) (err error) {
+	group := new(errgroup.Group)
+
+	for _, item := range tenant.Status.Namespaces {
+		namespace := item
+
+		group.Go(func() error {
+			return r.syncNamespaceMetadata(ctx, namespace, tenant)
+		})
+	}
+
+	if err = group.Wait(); err != nil {
+		r.Log.Error(err, "Cannot sync Namespaces")
+
+		err = fmt.Errorf("cannot sync Namespaces: %w", err)
+	}
+
+	return
+}
+
+// nolint:gocognit
+func (r *Manager) syncNamespaceMetadata(ctx context.Context, namespace string, tnt *capsulev1beta1.Tenant) (err error) {
+	var res controllerutil.OperationResult
+
+	err = retry.RetryOnConflict(retry.DefaultBackoff, func() (conflictErr error) {
+		ns := &corev1.Namespace{}
+		if conflictErr = r.Client.Get(ctx, types.NamespacedName{Name: namespace}, ns); err != nil {
+			return
+		}
+
+		capsuleLabel, _ := capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
+
+		res, conflictErr = controllerutil.CreateOrUpdate(ctx, r.Client, ns, func() error {
+			annotations := make(map[string]string)
+			labels := map[string]string{
+				"name":       namespace,
+				capsuleLabel: tnt.GetName(),
+			}
+
+			if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
+				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Annotations {
+					annotations[k] = v
+				}
+			}
+
+			if tnt.Spec.NamespaceOptions != nil && tnt.Spec.NamespaceOptions.AdditionalMetadata != nil {
+				for k, v := range tnt.Spec.NamespaceOptions.AdditionalMetadata.Labels {
+					labels[k] = v
+				}
+			}
+
+			if tnt.Spec.NodeSelector != nil {
+				var selector []string
+				for k, v := range tnt.Spec.NodeSelector {
+					selector = append(selector, fmt.Sprintf("%s=%s", k, v))
+				}
+				annotations["scheduler.alpha.kubernetes.io/node-selector"] = strings.Join(selector, ",")
+			}
+
+			if tnt.Spec.IngressOptions.AllowedClasses != nil {
+				if len(tnt.Spec.IngressOptions.AllowedClasses.Exact) > 0 {
+					annotations[capsulev1beta1.AvailableIngressClassesAnnotation] = strings.Join(tnt.Spec.IngressOptions.AllowedClasses.Exact, ",")
+				}
+				if len(tnt.Spec.IngressOptions.AllowedClasses.Regex) > 0 {
+					annotations[capsulev1beta1.AvailableIngressClassesRegexpAnnotation] = tnt.Spec.IngressOptions.AllowedClasses.Regex
+				}
+			}
+
+			if tnt.Spec.StorageClasses != nil {
+				if len(tnt.Spec.StorageClasses.Exact) > 0 {
+					annotations[capsulev1beta1.AvailableStorageClassesAnnotation] = strings.Join(tnt.Spec.StorageClasses.Exact, ",")
+				}
+				if len(tnt.Spec.StorageClasses.Regex) > 0 {
+					annotations[capsulev1beta1.AvailableStorageClassesRegexpAnnotation] = tnt.Spec.StorageClasses.Regex
+				}
+			}
+
+			if tnt.Spec.ContainerRegistries != nil {
+				if len(tnt.Spec.ContainerRegistries.Exact) > 0 {
+					annotations[capsulev1beta1.AllowedRegistriesAnnotation] = strings.Join(tnt.Spec.ContainerRegistries.Exact, ",")
+				}
+				if len(tnt.Spec.ContainerRegistries.Regex) > 0 {
+					annotations[capsulev1beta1.AllowedRegistriesRegexpAnnotation] = tnt.Spec.ContainerRegistries.Regex
+				}
+			}
+
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceLabelsAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceLabelsAnnotation] = value
+			}
+
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceLabelsRegexpAnnotation] = value
+			}
+
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsAnnotation] = value
+			}
+
+			if value, ok := tnt.Annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
+				annotations[capsulev1beta1.ForbiddenNamespaceAnnotationsRegexpAnnotation] = value
+			}
+
+			if ns.Annotations == nil {
+				ns.SetAnnotations(annotations)
+			} else {
+				for k, v := range annotations {
+					ns.Annotations[k] = v
+				}
+			}
+
+			if ns.Labels == nil {
+				ns.SetLabels(labels)
+			} else {
+				for k, v := range labels {
+					ns.Labels[k] = v
+				}
+			}
+
+			return nil
+		})
+
+		return
+	})
+
+	r.emitEvent(tnt, namespace, res, "Ensuring Namespace metadata", err)
+
+	return err
+}
+
+func (r *Manager) ensureNamespaceCount(ctx context.Context, tenant *capsulev1beta1.Tenant) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		tenant.Status.Size = uint(len(tenant.Status.Namespaces))
+
+		found := &capsulev1beta1.Tenant{}
+		if err := r.Client.Get(ctx, types.NamespacedName{Name: tenant.GetName()}, found); err != nil {
+			return err
+		}
+
+		found.Status.Size = tenant.Status.Size
+
+		return r.Client.Status().Update(ctx, found, &client.UpdateOptions{})
+	})
+}
+
+func (r *Manager) collectNamespaces(ctx context.Context, tenant *capsulev1beta1.Tenant) error {
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
+		list := &corev1.NamespaceList{}
+		err = r.Client.List(ctx, list, client.MatchingFieldsSelector{
+			Selector: fields.OneTermEqualSelector(".metadata.ownerReferences[*].capsule", tenant.GetName()),
+		})
+
+		if err != nil {
+			return
+		}
+
+		_, err = controllerutil.CreateOrUpdate(ctx, r.Client, tenant.DeepCopy(), func() error {
+			tenant.AssignNamespaces(list.Items)
+
+			return r.Client.Status().Update(ctx, tenant, &client.UpdateOptions{})
+		})
+
+		return
+	})
+}

controllers/tenant/networkpolicies.go

@@ -0,0 +1,83 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+
+	"golang.org/x/sync/errgroup"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// nolint:dupl
+// Ensuring all the NetworkPolicies are applied to each Namespace handled by the Tenant.
+func (r *Manager) syncNetworkPolicies(ctx context.Context, tenant *capsulev1beta1.Tenant) error {
+	// getting requested NetworkPolicy keys
+	keys := make([]string, 0, len(tenant.Spec.NetworkPolicies.Items))
+
+	for i := range tenant.Spec.NetworkPolicies.Items {
+		keys = append(keys, strconv.Itoa(i))
+	}
+
+	group := new(errgroup.Group)
+
+	for _, ns := range tenant.Status.Namespaces {
+		namespace := ns
+
+		group.Go(func() error {
+			return r.syncNetworkPolicy(ctx, tenant, namespace, keys)
+		})
+	}
+
+	return group.Wait()
+}
+
+func (r *Manager) syncNetworkPolicy(ctx context.Context, tenant *capsulev1beta1.Tenant, namespace string, keys []string) (err error) {
+	if err = r.pruningResources(ctx, namespace, keys, &networkingv1.NetworkPolicy{}); err != nil {
+		return err
+	}
+	// getting NetworkPolicy labels for the mutateFn
+	var tenantLabel, networkPolicyLabel string
+
+	if tenantLabel, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{}); err != nil {
+		return err
+	}
+
+	if networkPolicyLabel, err = capsulev1beta1.GetTypeLabel(&networkingv1.NetworkPolicy{}); err != nil {
+		return err
+	}
+
+	for i, spec := range tenant.Spec.NetworkPolicies.Items {
+		target := &networkingv1.NetworkPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("capsule-%s-%d", tenant.Name, i),
+				Namespace: namespace,
+			},
+		}
+
+		var res controllerutil.OperationResult
+		res, err = controllerutil.CreateOrUpdate(ctx, r.Client, target, func() (err error) {
+			target.SetLabels(map[string]string{
+				tenantLabel:        tenant.Name,
+				networkPolicyLabel: strconv.Itoa(i),
+			})
+			target.Spec = spec
+
+			return controllerutil.SetControllerReference(tenant, target, r.Client.Scheme())
+		})
+
+		r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring NetworkPolicy %s", target.GetName()), err)
+
+		r.Log.Info("Network Policy sync result: "+string(res), "name", target.Name, "namespace", target.Namespace)
+
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

controllers/tenant/resourcequotas.go

@@ -0,0 +1,257 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+
+	"golang.org/x/sync/errgroup"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// When the Resource Budget assigned to a Tenant is Tenant-scoped we have to rely on the ResourceQuota resources to
+// represent the resource quota for the single Tenant rather than the single Namespace,
+// so abusing of this API although its Namespaced scope.
+//
+// Since a Namespace could take-up all the available resource quota, the Namespace ResourceQuota will be a 1:1 mapping
+// to the Tenant one: in first time Capsule is going to sum all the analogous ResourceQuota resources on other Tenant
+// namespaces to check if the Tenant quota has been exceeded or not, reusing the native Kubernetes policy putting the
+// .Status.Used value as the .Hard value.
+// This will trigger following reconciliations but that's ok: the mutateFn will re-use the same business logic, letting
+// the mutateFn along with the CreateOrUpdate to don't perform the update since resources are identical.
+//
+// In case of Namespace-scoped Resource Budget, we're just replicating the resources across all registered Namespaces.
+// nolint:gocognit
+func (r *Manager) syncResourceQuotas(ctx context.Context, tenant *capsulev1beta1.Tenant) (err error) {
+	// getting ResourceQuota labels for the mutateFn
+	var tenantLabel, typeLabel string
+
+	if tenantLabel, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{}); err != nil {
+		return err
+	}
+
+	if typeLabel, err = capsulev1beta1.GetTypeLabel(&corev1.ResourceQuota{}); err != nil {
+		return err
+	}
+	// nolint:nestif
+	if tenant.Spec.ResourceQuota.Scope == capsulev1beta1.ResourceQuotaScopeTenant {
+		group := new(errgroup.Group)
+
+		for i, q := range tenant.Spec.ResourceQuota.Items {
+			index := i
+
+			resourceQuota := q
+
+			group.Go(func() (scopeErr error) {
+				// Calculating the Resource Budget at Tenant scope just if this is put in place.
+				// Requirement to list ResourceQuota of the current Tenant
+				var tntRequirement *labels.Requirement
+				if tntRequirement, scopeErr = labels.NewRequirement(tenantLabel, selection.Equals, []string{tenant.Name}); scopeErr != nil {
+					r.Log.Error(scopeErr, "Cannot build ResourceQuota Tenant requirement")
+				}
+				// Requirement to list ResourceQuota for the current index
+				var indexRequirement *labels.Requirement
+				if indexRequirement, scopeErr = labels.NewRequirement(typeLabel, selection.Equals, []string{strconv.Itoa(index)}); scopeErr != nil {
+					r.Log.Error(scopeErr, "Cannot build ResourceQuota index requirement")
+				}
+				// Listing all the ResourceQuota according to the said requirements.
+				// These are required since Capsule is going to sum all the used quota to
+				// sum them and get the Tenant one.
+				list := &corev1.ResourceQuotaList{}
+				if scopeErr = r.List(ctx, list, &client.ListOptions{LabelSelector: labels.NewSelector().Add(*tntRequirement).Add(*indexRequirement)}); scopeErr != nil {
+					r.Log.Error(scopeErr, "Cannot list ResourceQuota", "tenantFilter", tntRequirement.String(), "indexFilter", indexRequirement.String())
+
+					return
+				}
+				// Iterating over all the options declared for the ResourceQuota,
+				// summing all the used quota across different Namespaces to determinate
+				// if we're hitting a Hard quota at Tenant level.
+				// For this case, we're going to block the Quota setting the Hard as the
+				// used one.
+				for name, hardQuota := range resourceQuota.Hard {
+					r.Log.Info("Desired hard " + name.String() + " quota is " + hardQuota.String())
+
+					// Getting the whole usage across all the Tenant Namespaces
+					var quantity resource.Quantity
+					for _, item := range list.Items {
+						quantity.Add(item.Status.Used[name])
+					}
+					r.Log.Info("Computed " + name.String() + " quota for the whole Tenant is " + quantity.String())
+
+					switch quantity.Cmp(resourceQuota.Hard[name]) {
+					case 0:
+						// The Tenant is matching exactly the Quota:
+						// falling through next case since we have to block further
+						// resource allocations.
+						fallthrough
+					case 1:
+						// The Tenant is OverQuota:
+						// updating all the related ResourceQuota with the current
+						// used Quota to block further creations.
+						for item := range list.Items {
+							if _, ok := list.Items[item].Status.Used[name]; ok {
+								list.Items[item].Spec.Hard[name] = list.Items[item].Status.Used[name]
+							} else {
+								um := make(map[corev1.ResourceName]resource.Quantity)
+								um[name] = resource.Quantity{}
+								list.Items[item].Spec.Hard = um
+							}
+						}
+					default:
+						// The Tenant is respecting the Hard quota:
+						// restoring the default one for all the elements,
+						// also for the reconciled one.
+						for item := range list.Items {
+							if list.Items[item].Spec.Hard == nil {
+								list.Items[item].Spec.Hard = map[corev1.ResourceName]resource.Quantity{}
+							}
+							list.Items[item].Spec.Hard[name] = resourceQuota.Hard[name]
+						}
+					}
+					if scopeErr = r.resourceQuotasUpdate(ctx, name, quantity, resourceQuota.Hard[name], list.Items...); scopeErr != nil {
+						r.Log.Error(scopeErr, "cannot proceed with outer ResourceQuota")
+
+						return
+					}
+				}
+
+				return
+			})
+		}
+		// Waiting the update of all ResourceQuotas
+		if err = group.Wait(); err != nil {
+			return
+		}
+	}
+	// getting requested ResourceQuota keys
+	keys := make([]string, 0, len(tenant.Spec.ResourceQuota.Items))
+
+	for i := range tenant.Spec.ResourceQuota.Items {
+		keys = append(keys, strconv.Itoa(i))
+	}
+
+	group := new(errgroup.Group)
+
+	for _, ns := range tenant.Status.Namespaces {
+		namespace := ns
+
+		group.Go(func() error {
+			return r.syncResourceQuota(ctx, tenant, namespace, keys)
+		})
+	}
+
+	return group.Wait()
+}
+
+func (r *Manager) syncResourceQuota(ctx context.Context, tenant *capsulev1beta1.Tenant, namespace string, keys []string) (err error) {
+	// getting ResourceQuota labels for the mutateFn
+	var tenantLabel, typeLabel string
+
+	if tenantLabel, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{}); err != nil {
+		return err
+	}
+
+	if typeLabel, err = capsulev1beta1.GetTypeLabel(&corev1.ResourceQuota{}); err != nil {
+		return err
+	}
+	// Pruning resource of non-requested resources
+	if err = r.pruningResources(ctx, namespace, keys, &corev1.ResourceQuota{}); err != nil {
+		return err
+	}
+
+	for index, resQuota := range tenant.Spec.ResourceQuota.Items {
+		target := &corev1.ResourceQuota{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("capsule-%s-%d", tenant.Name, index),
+				Namespace: namespace,
+			},
+		}
+
+		var res controllerutil.OperationResult
+
+		err = retry.RetryOnConflict(retry.DefaultBackoff, func() (retryErr error) {
+			res, retryErr = controllerutil.CreateOrUpdate(ctx, r.Client, target, func() (err error) {
+				target.SetLabels(map[string]string{
+					tenantLabel: tenant.Name,
+					typeLabel:   strconv.Itoa(index),
+				})
+				target.Spec.Scopes = resQuota.Scopes
+				target.Spec.ScopeSelector = resQuota.ScopeSelector
+				// In case of Namespace scope for the ResourceQuota we can easily apply the bare specification
+				if tenant.Spec.ResourceQuota.Scope == capsulev1beta1.ResourceQuotaScopeNamespace {
+					target.Spec.Hard = resQuota.Hard
+				}
+
+				return controllerutil.SetControllerReference(tenant, target, r.Client.Scheme())
+			})
+
+			return retryErr
+		})
+
+		r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring ResourceQuota %s", target.GetName()), err)
+
+		r.Log.Info("Resource Quota sync result: "+string(res), "name", target.Name, "namespace", target.Namespace)
+
+		if err != nil {
+			return
+		}
+	}
+
+	return nil
+}
+
+// Serial ResourceQuota processing is expensive: using Go routines we can speed it up.
+// In case of multiple errors these are logged properly, returning a generic error since we have to repush back the
+// reconciliation loop.
+func (r *Manager) resourceQuotasUpdate(ctx context.Context, resourceName corev1.ResourceName, actual, limit resource.Quantity, list ...corev1.ResourceQuota) (err error) {
+	group := new(errgroup.Group)
+
+	for _, item := range list {
+		rq := item
+
+		group.Go(func() (err error) {
+			found := &corev1.ResourceQuota{}
+			if err = r.Get(ctx, types.NamespacedName{Namespace: rq.Namespace, Name: rq.Name}, found); err != nil {
+				return
+			}
+
+			return retry.RetryOnConflict(retry.DefaultBackoff, func() (retryErr error) {
+				_, retryErr = controllerutil.CreateOrUpdate(ctx, r.Client, found, func() error {
+					// Ensuring annotation map is there to avoid uninitialized map error and
+					// assigning the overall usage
+					if found.Annotations == nil {
+						found.Annotations = make(map[string]string)
+					}
+					found.Labels = rq.Labels
+					found.Annotations[capsulev1beta1.UsedQuotaFor(resourceName)] = actual.String()
+					found.Annotations[capsulev1beta1.HardQuotaFor(resourceName)] = limit.String()
+					// Updating the Resource according to the actual.Cmp result
+					found.Spec.Hard = rq.Spec.Hard
+
+					return nil
+				})
+
+				return retryErr
+			})
+		})
+	}
+
+	if err = group.Wait(); err != nil {
+		// We had an error and we mark the whole transaction as failed
+		// to process it another time according to the Tenant controller back-off factor.
+		r.Log.Error(err, "Cannot update outer ResourceQuotas", "resourceName", resourceName.String())
+		err = fmt.Errorf("update of outer ResourceQuota items has failed: %w", err)
+	}
+
+	return err
+}

controllers/tenant/resourcequotas_quota.go

@@ -0,0 +1,122 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"golang.org/x/sync/errgroup"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/util/retry"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+func (r *Manager) syncCustomResourceQuotaUsages(ctx context.Context, tenant *capsulev1beta1.Tenant) error {
+	type resource struct {
+		kind    string
+		group   string
+		version string
+	}
+	// nolint:prealloc
+	var resourceList []resource
+
+	for k := range tenant.GetAnnotations() {
+		if !strings.HasPrefix(k, capsulev1beta1.ResourceQuotaAnnotationPrefix) {
+			continue
+		}
+
+		parts := strings.Split(k, "/")
+		if len(parts) != 2 {
+			r.Log.Info("non well-formed Resource Limit annotation", "key", k)
+
+			continue
+		}
+
+		parts = strings.Split(parts[1], "_")
+
+		if len(parts) != 2 {
+			r.Log.Info("non well-formed Resource Limit annotation, cannot retrieve version", "key", k)
+
+			continue
+		}
+
+		groupKindParts := strings.Split(parts[0], ".")
+		if len(groupKindParts) < 2 {
+			r.Log.Info("non well-formed Resource Limit annotation, cannot retrieve kind and group", "key", k)
+
+			continue
+		}
+
+		resourceList = append(resourceList, resource{
+			kind:    groupKindParts[0],
+			group:   strings.Join(groupKindParts[1:], "."),
+			version: parts[1],
+		})
+	}
+
+	errGroup := new(errgroup.Group)
+
+	usedMap := make(map[string]int)
+
+	defer func() {
+		for gvk, used := range usedMap {
+			err := retry.RetryOnConflict(retry.DefaultBackoff, func() (retryErr error) {
+				tnt := &capsulev1beta1.Tenant{}
+				if retryErr = r.Client.Get(ctx, types.NamespacedName{Name: tenant.GetName()}, tnt); retryErr != nil {
+					return
+				}
+
+				if tnt.GetAnnotations() == nil {
+					tnt.Annotations = make(map[string]string)
+				}
+
+				tnt.Annotations[capsulev1beta1.UsedAnnotationForResource(gvk)] = fmt.Sprintf("%d", used)
+
+				return r.Client.Update(ctx, tnt)
+			})
+			if err != nil {
+				r.Log.Error(err, "cannot update custom Resource Quota", "GVK", gvk)
+			}
+		}
+	}()
+
+	for _, item := range resourceList {
+		res := item
+
+		errGroup.Go(func() (scopeErr error) {
+			dynamicClient := dynamic.NewForConfigOrDie(r.RESTConfig)
+
+			for _, ns := range tenant.Status.Namespaces {
+				var list *unstructured.UnstructuredList
+
+				list, scopeErr = dynamicClient.Resource(schema.GroupVersionResource{Group: res.group, Version: res.version, Resource: res.kind}).List(ctx, metav1.ListOptions{
+					FieldSelector: fmt.Sprintf("metadata.namespace==%s", ns),
+				})
+				if scopeErr != nil {
+					return scopeErr
+				}
+
+				key := fmt.Sprintf("%s.%s_%s", res.kind, res.group, res.version)
+
+				if _, ok := usedMap[key]; !ok {
+					usedMap[key] = 0
+				}
+
+				usedMap[key] += len(list.Items)
+			}
+
+			return
+		})
+	}
+
+	if err := errGroup.Wait(); err != nil {
+		return err
+	}
+
+	return nil
+}

controllers/tenant/rolebindings.go

@@ -0,0 +1,154 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"hash/fnv"
+	"strings"
+
+	"golang.org/x/sync/errgroup"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// ownerClusterRoleBindings generates a Capsule AdditionalRoleBinding object for the Owner dynamic clusterrole in order
+// to take advantage of the additional role binding feature.
+func (r *Manager) ownerClusterRoleBindings(owner capsulev1beta1.OwnerSpec, clusterRole string) capsulev1beta1.AdditionalRoleBindingsSpec {
+	var subject rbacv1.Subject
+
+	if owner.Kind == "ServiceAccount" {
+		splitName := strings.Split(owner.Name, ":")
+
+		subject = rbacv1.Subject{
+			Kind:      owner.Kind.String(),
+			Name:      splitName[len(splitName)-1],
+			Namespace: splitName[len(splitName)-2],
+		}
+	} else {
+		subject = rbacv1.Subject{
+			APIGroup: rbacv1.GroupName,
+			Kind:     owner.Kind.String(),
+			Name:     owner.Name,
+		}
+	}
+
+	return capsulev1beta1.AdditionalRoleBindingsSpec{
+		ClusterRoleName: clusterRole,
+		Subjects: []rbacv1.Subject{
+			subject,
+		},
+	}
+}
+
+// Sync the dynamic Tenant Owner specific cluster-roles and additional Role Bindings, which can be used in many ways:
+// applying Pod Security Policies or giving access to CRDs or specific API groups.
+func (r *Manager) syncRoleBindings(ctx context.Context, tenant *capsulev1beta1.Tenant) (err error) {
+	// hashing the RoleBinding name due to DNS RFC-1123 applied to Kubernetes labels
+	hashFn := func(binding capsulev1beta1.AdditionalRoleBindingsSpec) string {
+		h := fnv.New64a()
+
+		_, _ = h.Write([]byte(binding.ClusterRoleName))
+
+		for _, sub := range binding.Subjects {
+			_, _ = h.Write([]byte(sub.Kind + sub.Name))
+		}
+
+		return fmt.Sprintf("%x", h.Sum64())
+	}
+	// getting requested Role Binding keys
+	keys := make([]string, 0, len(tenant.Spec.Owners))
+	// Generating for dynamic tenant owners cluster roles
+	for _, owner := range tenant.Spec.Owners {
+		for _, clusterRoleName := range owner.GetRoles(*tenant) {
+			cr := r.ownerClusterRoleBindings(owner, clusterRoleName)
+
+			keys = append(keys, hashFn(cr))
+		}
+	}
+	// Generating hash of additional role bindings
+	for _, i := range tenant.Spec.AdditionalRoleBindings {
+		keys = append(keys, hashFn(i))
+	}
+
+	group := new(errgroup.Group)
+
+	for _, ns := range tenant.Status.Namespaces {
+		namespace := ns
+
+		group.Go(func() error {
+			return r.syncAdditionalRoleBinding(ctx, tenant, namespace, keys, hashFn)
+		})
+	}
+
+	return group.Wait()
+}
+
+func (r *Manager) syncAdditionalRoleBinding(ctx context.Context, tenant *capsulev1beta1.Tenant, ns string, keys []string, hashFn func(binding capsulev1beta1.AdditionalRoleBindingsSpec) string) (err error) {
+	var tenantLabel, roleBindingLabel string
+
+	if tenantLabel, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{}); err != nil {
+		return
+	}
+
+	if roleBindingLabel, err = capsulev1beta1.GetTypeLabel(&rbacv1.RoleBinding{}); err != nil {
+		return
+	}
+
+	if err = r.pruningResources(ctx, ns, keys, &rbacv1.RoleBinding{}); err != nil {
+		return
+	}
+
+	var roleBindings []capsulev1beta1.AdditionalRoleBindingsSpec
+
+	for _, owner := range tenant.Spec.Owners {
+		for _, clusterRoleName := range owner.GetRoles(*tenant) {
+			roleBindings = append(roleBindings, r.ownerClusterRoleBindings(owner, clusterRoleName))
+		}
+	}
+
+	roleBindings = append(roleBindings, tenant.Spec.AdditionalRoleBindings...)
+
+	for i, roleBinding := range roleBindings {
+		roleBindingHashLabel := hashFn(roleBinding)
+
+		target := &rbacv1.RoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("capsule-%s-%d-%s", tenant.Name, i, roleBinding.ClusterRoleName),
+				Namespace: ns,
+			},
+		}
+
+		var res controllerutil.OperationResult
+		res, err = controllerutil.CreateOrUpdate(ctx, r.Client, target, func() error {
+			target.ObjectMeta.Labels = map[string]string{
+				tenantLabel:      tenant.Name,
+				roleBindingLabel: roleBindingHashLabel,
+			}
+			target.RoleRef = rbacv1.RoleRef{
+				APIGroup: rbacv1.GroupName,
+				Kind:     "ClusterRole",
+				Name:     roleBinding.ClusterRoleName,
+			}
+			target.Subjects = roleBinding.Subjects
+
+			return controllerutil.SetControllerReference(tenant, target, r.Client.Scheme())
+		})
+
+		r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring RoleBinding %s", target.GetName()), err)
+
+		if err != nil {
+			r.Log.Error(err, "Cannot sync RoleBinding")
+		}
+
+		r.Log.Info(fmt.Sprintf("RoleBinding sync result: %s", string(res)), "name", target.Name, "namespace", target.Namespace)
+
+		if err != nil {
+			return
+		}
+	}
+
+	return nil
+}

controllers/tenant/utils.go

@@ -0,0 +1,68 @@
+package tenant
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// pruningResources is taking care of removing the no more requested sub-resources as LimitRange, ResourceQuota or
+// NetworkPolicy using the "exists" and "notin" LabelSelector to perform an outer-join removal.
+func (r *Manager) pruningResources(ctx context.Context, ns string, keys []string, obj client.Object) (err error) {
+	var capsuleLabel string
+
+	if capsuleLabel, err = capsulev1beta1.GetTypeLabel(obj); err != nil {
+		return
+	}
+
+	selector := labels.NewSelector()
+
+	var exists *labels.Requirement
+
+	if exists, err = labels.NewRequirement(capsuleLabel, selection.Exists, []string{}); err != nil {
+		return
+	}
+
+	selector = selector.Add(*exists)
+
+	if len(keys) > 0 {
+		var notIn *labels.Requirement
+
+		if notIn, err = labels.NewRequirement(capsuleLabel, selection.NotIn, keys); err != nil {
+			return err
+		}
+
+		selector = selector.Add(*notIn)
+	}
+
+	r.Log.Info("Pruning objects with label selector " + selector.String())
+
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		return r.DeleteAllOf(ctx, obj, &client.DeleteAllOfOptions{
+			ListOptions: client.ListOptions{
+				LabelSelector: selector,
+				Namespace:     ns,
+			},
+			DeleteOptions: client.DeleteOptions{},
+		})
+	})
+}
+
+func (r *Manager) emitEvent(object runtime.Object, namespace string, res controllerutil.OperationResult, msg string, err error) {
+	eventType := corev1.EventTypeNormal
+
+	if err != nil {
+		eventType = corev1.EventTypeWarning
+		res = "Error"
+	}
+
+	r.Recorder.AnnotatedEventf(object, map[string]string{"OperationResult": string(res)}, eventType, namespace, msg)
+}

controllers/tenant_controller.go

@@ -1,739 +0,0 @@
-// Copyright 2020-2021 Clastix Labs
-// SPDX-License-Identifier: Apache-2.0
-
-package controllers
-
-import (
-	"context"
-	"fmt"
-	"hash/fnv"
-	"strconv"
-	"strings"
-
-	"github.com/go-logr/logr"
-	"golang.org/x/sync/errgroup"
-	corev1 "k8s.io/api/core/v1"
-	networkingv1 "k8s.io/api/networking/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/api/resource"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/selection"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/tools/record"
-	"k8s.io/client-go/util/retry"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-
-	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
-	"github.com/clastix/capsule/controllers/rbac"
-)
-
-// TenantReconciler reconciles a Tenant object
-type TenantReconciler struct {
-	client.Client
-	Log      logr.Logger
-	Scheme   *runtime.Scheme
-	Recorder record.EventRecorder
-}
-
-func (r *TenantReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&capsulev1beta1.Tenant{}).
-		Owns(&corev1.Namespace{}).
-		Owns(&networkingv1.NetworkPolicy{}).
-		Owns(&corev1.LimitRange{}).
-		Owns(&corev1.ResourceQuota{}).
-		Owns(&rbacv1.RoleBinding{}).
-		Complete(r)
-}
-
-func (r TenantReconciler) Reconcile(ctx context.Context, request ctrl.Request) (result ctrl.Result, err error) {
-	r.Log = r.Log.WithValues("Request.Name", request.Name)
-
-	// Fetch the Tenant instance
-	instance := &capsulev1beta1.Tenant{}
-	err = r.Get(ctx, request.NamespacedName, instance)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			r.Log.Info("Request object not found, could have been deleted after reconcile request")
-			return reconcile.Result{}, nil
-		}
-		r.Log.Error(err, "Error reading the object")
-		return
-	}
-	// Ensuring the Tenant Status
-	if err = r.updateTenantStatus(instance); err != nil {
-		r.Log.Error(err, "Cannot update Tenant status")
-		return
-	}
-
-	// Ensuring all namespaces are collected
-	r.Log.Info("Ensuring all Namespaces are collected")
-	if err = r.collectNamespaces(instance); err != nil {
-		r.Log.Error(err, "Cannot collect Namespace resources")
-		return
-	}
-
-	r.Log.Info("Starting processing of Namespaces", "items", len(instance.Status.Namespaces))
-	if err = r.syncNamespaces(instance); err != nil {
-		r.Log.Error(err, "Cannot sync Namespace items")
-		return
-	}
-
-	if instance.Spec.NetworkPolicies != nil {
-		r.Log.Info("Starting processing of Network Policies", "items", len(instance.Spec.NetworkPolicies.Items))
-		if err = r.syncNetworkPolicies(instance); err != nil {
-			r.Log.Error(err, "Cannot sync NetworkPolicy items")
-			return
-		}
-	}
-
-	if instance.Spec.LimitRanges != nil {
-		r.Log.Info("Starting processing of Limit Ranges", "items", len(instance.Spec.LimitRanges.Items))
-		if err = r.syncLimitRanges(instance); err != nil {
-			r.Log.Error(err, "Cannot sync LimitRange items")
-			return
-		}
-	}
-
-	if instance.Spec.ResourceQuota != nil {
-		r.Log.Info("Starting processing of Resource Quotas", "items", len(instance.Spec.ResourceQuota.Items))
-		if err = r.syncResourceQuotas(instance); err != nil {
-			r.Log.Error(err, "Cannot sync ResourceQuota items")
-			return
-		}
-	}
-
-	r.Log.Info("Ensuring additional RoleBindings for owner")
-	if err = r.syncAdditionalRoleBindings(instance); err != nil {
-		r.Log.Error(err, "Cannot sync additional RoleBindings items")
-		return
-	}
-
-	r.Log.Info("Ensuring RoleBinding for owner")
-	if err = r.ownerRoleBinding(instance); err != nil {
-		r.Log.Error(err, "Cannot sync owner RoleBinding")
-		return
-	}
-
-	r.Log.Info("Ensuring Namespace count")
-	if err = r.ensureNamespaceCount(instance); err != nil {
-		r.Log.Error(err, "Cannot sync Namespace count")
-		return
-	}
-
-	r.Log.Info("Tenant reconciling completed")
-	return ctrl.Result{}, err
-}
-
-// pruningResources is taking care of removing the no more requested sub-resources as LimitRange, ResourceQuota or
-// NetworkPolicy using the "exists" and "notin" LabelSelector to perform an outer-join removal.
-func (r *TenantReconciler) pruningResources(ns string, keys []string, obj client.Object) error {
-	capsuleLabel, err := capsulev1beta1.GetTypeLabel(obj)
-	if err != nil {
-		return err
-	}
-
-	s := labels.NewSelector()
-
-	exists, err := labels.NewRequirement(capsuleLabel, selection.Exists, []string{})
-	if err != nil {
-		return err
-	}
-	s = s.Add(*exists)
-
-	if len(keys) > 0 {
-		var notIn *labels.Requirement
-		notIn, err = labels.NewRequirement(capsuleLabel, selection.NotIn, keys)
-		if err != nil {
-			return err
-		}
-		s = s.Add(*notIn)
-	}
-
-	r.Log.Info("Pruning objects with label selector " + s.String())
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
-		return r.DeleteAllOf(context.TODO(), obj, &client.DeleteAllOfOptions{
-			ListOptions: client.ListOptions{
-				LabelSelector: s,
-				Namespace:     ns,
-			},
-			DeleteOptions: client.DeleteOptions{},
-		})
-	})
-}
-
-// Serial ResourceQuota processing is expensive: using Go routines we can speed it up.
-// In case of multiple errors these are logged properly, returning a generic error since we have to repush back the
-// reconciliation loop.
-func (r *TenantReconciler) resourceQuotasUpdate(resourceName corev1.ResourceName, actual, limit resource.Quantity, list ...corev1.ResourceQuota) error {
-	g := errgroup.Group{}
-
-	for _, item := range list {
-		rq := item
-		g.Go(func() error {
-			found := &corev1.ResourceQuota{}
-			if err := r.Get(context.TODO(), types.NamespacedName{Namespace: rq.Namespace, Name: rq.Name}, found); err != nil {
-				return err
-			}
-
-			return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
-				_, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, found, func() error {
-					// Ensuring annotation map is there to avoid uninitialized map error and
-					// assigning the overall usage
-					if found.Annotations == nil {
-						found.Annotations = make(map[string]string)
-					}
-					found.Labels = rq.Labels
-					found.Annotations[capsulev1beta1.UsedQuotaFor(resourceName)] = actual.String()
-					found.Annotations[capsulev1beta1.HardQuotaFor(resourceName)] = limit.String()
-					// Updating the Resource according to the actual.Cmp result
-					found.Spec.Hard = rq.Spec.Hard
-					return nil
-				})
-				return err
-			})
-		})
-	}
-
-	var err error
-	if err = g.Wait(); err != nil {
-		// We had an error and we mark the whole transaction as failed
-		// to process it another time according to the Tenant controller back-off factor.
-		r.Log.Error(err, "Cannot update outer ResourceQuotas", "resourceName", resourceName.String())
-		err = fmt.Errorf("update of outer ResourceQuota items has failed: %s", err.Error())
-	}
-
-	return err
-}
-
-// Additional Role Bindings can be used in many ways: applying Pod Security Policies or giving
-// access to CRDs or specific API groups.
-func (r *TenantReconciler) syncAdditionalRoleBindings(tenant *capsulev1beta1.Tenant) (err error) {
-	// hashing the RoleBinding name due to DNS RFC-1123 applied to Kubernetes labels
-	hash := func(binding capsulev1beta1.AdditionalRoleBindingsSpec) string {
-		h := fnv.New64a()
-
-		_, _ = h.Write([]byte(binding.ClusterRoleName))
-
-		for _, sub := range binding.Subjects {
-			_, _ = h.Write([]byte(sub.Kind + sub.Name))
-		}
-
-		return fmt.Sprintf("%x", h.Sum64())
-	}
-	// getting requested Role Binding keys
-	var keys []string
-	for _, i := range tenant.Spec.AdditionalRoleBindings {
-		keys = append(keys, hash(i))
-	}
-
-	var tl, ll string
-	tl, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
-	if err != nil {
-		return
-	}
-	ll, err = capsulev1beta1.GetTypeLabel(&rbacv1.RoleBinding{})
-	if err != nil {
-		return
-	}
-
-	for _, ns := range tenant.Status.Namespaces {
-		if err = r.pruningResources(ns, keys, &rbacv1.RoleBinding{}); err != nil {
-			return err
-		}
-		for i, roleBinding := range tenant.Spec.AdditionalRoleBindings {
-			lv := hash(roleBinding)
-			rb := &rbacv1.RoleBinding{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      fmt.Sprintf("capsule-%s-%d-%s", tenant.Name, i, roleBinding.ClusterRoleName),
-					Namespace: ns,
-				},
-			}
-			var res controllerutil.OperationResult
-			res, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, rb, func() error {
-				rb.ObjectMeta.Labels = map[string]string{
-					tl: tenant.Name,
-					ll: lv,
-				}
-				rb.RoleRef = rbacv1.RoleRef{
-					APIGroup: "rbac.authorization.k8s.io",
-					Kind:     "ClusterRole",
-					Name:     roleBinding.ClusterRoleName,
-				}
-				rb.Subjects = roleBinding.Subjects
-
-				return controllerutil.SetControllerReference(tenant, rb, r.Scheme)
-			})
-
-			r.emitEvent(tenant, rb.GetNamespace(), res, fmt.Sprintf("Ensuring additional RoleBinding %s", rb.GetName()), err)
-
-			if err != nil {
-				r.Log.Error(err, "Cannot sync Additional RoleBinding")
-			}
-			r.Log.Info(fmt.Sprintf("Additional RoleBindings sync result: %s", string(res)), "name", rb.Name, "namespace", rb.Namespace)
-			if err != nil {
-				return
-			}
-		}
-	}
-
-	return nil
-}
-
-// We're relying on the ResourceQuota resource to represent the resource quota for the single Tenant rather than the
-// single Namespace, so abusing of this API although its Namespaced scope.
-// Since a Namespace could take-up all the available resource quota, the Namespace ResourceQuota will be a 1:1 mapping
-// to the Tenant one: in a second time Capsule is going to sum all the analogous ResourceQuota resources on other Tenant
-// namespaces to check if the Tenant quota has been exceeded or not, reusing the native Kubernetes policy putting the
-// .Status.Used value as the .Hard value.
-// This will trigger a following reconciliation but that's ok: the mutateFn will re-use the same business logic, letting
-// the mutateFn along with the CreateOrUpdate to don't perform the update since resources are identical.
-func (r *TenantReconciler) syncResourceQuotas(tenant *capsulev1beta1.Tenant) error {
-	// getting requested ResourceQuota keys
-	keys := make([]string, 0, len(tenant.Spec.ResourceQuota.Items))
-	for i := range tenant.Spec.ResourceQuota.Items {
-		keys = append(keys, strconv.Itoa(i))
-	}
-
-	// getting ResourceQuota labels for the mutateFn
-	tenantLabel, err := capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
-	if err != nil {
-		return err
-	}
-	typeLabel, err := capsulev1beta1.GetTypeLabel(&corev1.ResourceQuota{})
-	if err != nil {
-		return err
-	}
-
-	for _, ns := range tenant.Status.Namespaces {
-		if err := r.pruningResources(ns, keys, &corev1.ResourceQuota{}); err != nil {
-			return err
-		}
-		for i, q := range tenant.Spec.ResourceQuota.Items {
-			target := &corev1.ResourceQuota{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      fmt.Sprintf("capsule-%s-%d", tenant.Name, i),
-					Namespace: ns,
-				},
-			}
-			res, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, target, func() (err error) {
-				target.SetLabels(map[string]string{
-					tenantLabel: tenant.Name,
-					typeLabel:   strconv.Itoa(i),
-				})
-				// Requirement to list ResourceQuota of the current Tenant
-				tr, err := labels.NewRequirement(tenantLabel, selection.Equals, []string{tenant.Name})
-				if err != nil {
-					r.Log.Error(err, "Cannot build ResourceQuota Tenant requirement")
-				}
-				// Requirement to list ResourceQuota for the current index
-				ir, err := labels.NewRequirement(typeLabel, selection.Equals, []string{strconv.Itoa(i)})
-				if err != nil {
-					r.Log.Error(err, "Cannot build ResourceQuota index requirement")
-				}
-
-				// Listing all the ResourceQuota according to the said requirements.
-				// These are required since Capsule is going to sum all the used quota to
-				// sum them and get the Tenant one.
-				rql := &corev1.ResourceQuotaList{}
-				err = r.List(context.TODO(), rql, &client.ListOptions{
-					LabelSelector: labels.NewSelector().Add(*tr).Add(*ir),
-				})
-				if err != nil {
-					r.Log.Error(err, "Cannot list ResourceQuota", "tenantFilter", tr.String(), "indexFilter", ir.String())
-					return err
-				}
-
-				// Iterating over all the options declared for the ResourceQuota,
-				// summing all the used quota across different Namespaces to determinate
-				// if we're hitting a Hard quota at Tenant level.
-				// For this case, we're going to block the Quota setting the Hard as the
-				// used one.
-				for rn, rq := range q.Hard {
-					r.Log.Info("Desired hard " + rn.String() + " quota is " + rq.String())
-
-					// Getting the whole usage across all the Tenant Namespaces
-					var qt resource.Quantity
-					for _, rq := range rql.Items {
-						qt.Add(rq.Status.Used[rn])
-					}
-					r.Log.Info("Computed " + rn.String() + " quota for the whole Tenant is " + qt.String())
-
-					switch qt.Cmp(q.Hard[rn]) {
-					case 0:
-						// The Tenant is matching exactly the Quota:
-						// falling through next case since we have to block further
-						// resource allocations.
-						fallthrough
-					case 1:
-						// The Tenant is OverQuota:
-						// updating all the related ResourceQuota with the current
-						// used Quota to block further creations.
-						for i := range rql.Items {
-							if _, ok := rql.Items[i].Status.Used[rn]; ok {
-								rql.Items[i].Spec.Hard[rn] = rql.Items[i].Status.Used[rn]
-							} else {
-								um := make(map[corev1.ResourceName]resource.Quantity)
-								um[rn] = resource.Quantity{}
-								rql.Items[i].Spec.Hard = um
-							}
-						}
-					default:
-						// The Tenant is respecting the Hard quota:
-						// restoring the default one for all the elements,
-						// also for the reconciled one.
-						for i := range rql.Items {
-							if rql.Items[i].Spec.Hard == nil {
-								rql.Items[i].Spec.Hard = map[corev1.ResourceName]resource.Quantity{}
-							}
-							rql.Items[i].Spec.Hard[rn] = q.Hard[rn]
-						}
-						target.Spec = q
-					}
-					if err := r.resourceQuotasUpdate(rn, qt, q.Hard[rn], rql.Items...); err != nil {
-						r.Log.Error(err, "cannot proceed with outer ResourceQuota")
-						return err
-					}
-				}
-				return controllerutil.SetControllerReference(tenant, target, r.Scheme)
-			})
-
-			r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring ResourceQuota %s", target.GetName()), err)
-
-			r.Log.Info("Resource Quota sync result: "+string(res), "name", target.Name, "namespace", target.Namespace)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-// Ensuring all the LimitRange are applied to each Namespace handled by the Tenant.
-func (r *TenantReconciler) syncLimitRanges(tenant *capsulev1beta1.Tenant) error {
-	// getting requested LimitRange keys
-	keys := make([]string, 0, len(tenant.Spec.LimitRanges.Items))
-	for i := range tenant.Spec.LimitRanges.Items {
-		keys = append(keys, strconv.Itoa(i))
-	}
-
-	// getting LimitRange labels for the mutateFn
-	tl, err := capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
-	if err != nil {
-		return err
-	}
-	ll, err := capsulev1beta1.GetTypeLabel(&corev1.LimitRange{})
-	if err != nil {
-		return err
-	}
-
-	for _, ns := range tenant.Status.Namespaces {
-		if err := r.pruningResources(ns, keys, &corev1.LimitRange{}); err != nil {
-			return err
-		}
-		for i, spec := range tenant.Spec.LimitRanges.Items {
-			t := &corev1.LimitRange{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      fmt.Sprintf("capsule-%s-%d", tenant.Name, i),
-					Namespace: ns,
-				},
-			}
-			res, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, t, func() (err error) {
-				t.ObjectMeta.Labels = map[string]string{
-					tl: tenant.Name,
-					ll: strconv.Itoa(i),
-				}
-				t.Spec = spec
-				return controllerutil.SetControllerReference(tenant, t, r.Scheme)
-			})
-
-			r.emitEvent(tenant, t.GetNamespace(), res, fmt.Sprintf("Ensuring LimitRange %s", t.GetName()), err)
-
-			r.Log.Info("LimitRange sync result: "+string(res), "name", t.Name, "namespace", t.Namespace)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-func (r *TenantReconciler) syncNamespaceMetadata(namespace string, tnt *capsulev1beta1.Tenant) (err error) {
-	var res controllerutil.OperationResult
-
-	err = retry.RetryOnConflict(retry.DefaultBackoff, func() (conflictErr error) {
-		ns := &corev1.Namespace{}
-		if conflictErr = r.Client.Get(context.TODO(), types.NamespacedName{Name: namespace}, ns); err != nil {
-			return
-		}
-
-		res, conflictErr = controllerutil.CreateOrUpdate(context.TODO(), r.Client, ns, func() error {
-			a := make(map[string]string)
-
-			if tnt.Spec.NamespacesMetadata != nil {
-				for k, v := range tnt.Spec.NamespacesMetadata.AdditionalAnnotations {
-					a[k] = v
-				}
-			}
-
-			if tnt.Spec.NodeSelector != nil {
-				var selector []string
-				for k, v := range tnt.Spec.NodeSelector {
-					selector = append(selector, fmt.Sprintf("%s=%s", k, v))
-				}
-				a["scheduler.alpha.kubernetes.io/node-selector"] = strings.Join(selector, ",")
-			}
-
-			if tnt.Spec.IngressClasses != nil {
-				if len(tnt.Spec.IngressClasses.Exact) > 0 {
-					a[capsulev1beta1.AvailableIngressClassesAnnotation] = strings.Join(tnt.Spec.IngressClasses.Exact, ",")
-				}
-				if len(tnt.Spec.IngressClasses.Regex) > 0 {
-					a[capsulev1beta1.AvailableIngressClassesRegexpAnnotation] = tnt.Spec.IngressClasses.Regex
-				}
-			}
-
-			if tnt.Spec.StorageClasses != nil {
-				if len(tnt.Spec.StorageClasses.Exact) > 0 {
-					a[capsulev1beta1.AvailableStorageClassesAnnotation] = strings.Join(tnt.Spec.StorageClasses.Exact, ",")
-				}
-				if len(tnt.Spec.StorageClasses.Regex) > 0 {
-					a[capsulev1beta1.AvailableStorageClassesRegexpAnnotation] = tnt.Spec.StorageClasses.Regex
-				}
-			}
-
-			if tnt.Spec.ContainerRegistries != nil {
-				if len(tnt.Spec.ContainerRegistries.Exact) > 0 {
-					a[capsulev1beta1.AllowedRegistriesAnnotation] = strings.Join(tnt.Spec.ContainerRegistries.Exact, ",")
-				}
-				if len(tnt.Spec.ContainerRegistries.Regex) > 0 {
-					a[capsulev1beta1.AllowedRegistriesRegexpAnnotation] = tnt.Spec.ContainerRegistries.Regex
-				}
-			}
-
-			ns.SetAnnotations(a)
-
-			l := make(map[string]string)
-
-			if tnt.Spec.NamespacesMetadata != nil {
-				for k, v := range tnt.Spec.NamespacesMetadata.AdditionalLabels {
-					l[k] = v
-				}
-			}
-
-			l["name"] = namespace
-			capsuleLabel, _ := capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
-			l[capsuleLabel] = tnt.GetName()
-			ns.SetLabels(l)
-
-			return nil
-		})
-
-		return
-	})
-
-	r.emitEvent(tnt, namespace, res, "Ensuring Namespace metadata", err)
-
-	return
-}
-
-// Ensuring all annotations are applied to each Namespace handled by the Tenant.
-func (r *TenantReconciler) syncNamespaces(tenant *capsulev1beta1.Tenant) (err error) {
-	group := errgroup.Group{}
-
-	for _, item := range tenant.Status.Namespaces {
-		namespace := item
-		group.Go(func() error {
-			return r.syncNamespaceMetadata(namespace, tenant)
-		})
-	}
-
-	if err = group.Wait(); err != nil {
-		r.Log.Error(err, "Cannot sync Namespaces")
-		err = fmt.Errorf("cannot sync Namespaces: %s", err.Error())
-	}
-	return
-}
-
-// Ensuring all the NetworkPolicies are applied to each Namespace handled by the Tenant.
-func (r *TenantReconciler) syncNetworkPolicies(tenant *capsulev1beta1.Tenant) error {
-	// getting requested NetworkPolicy keys
-	keys := make([]string, 0, len(tenant.Spec.NetworkPolicies.Items))
-	for i := range tenant.Spec.NetworkPolicies.Items {
-		keys = append(keys, strconv.Itoa(i))
-	}
-
-	// getting NetworkPolicy labels for the mutateFn
-	tl, err := capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
-	if err != nil {
-		return err
-	}
-	nl, err := capsulev1beta1.GetTypeLabel(&networkingv1.NetworkPolicy{})
-	if err != nil {
-		return err
-	}
-
-	for _, ns := range tenant.Status.Namespaces {
-		if err := r.pruningResources(ns, keys, &networkingv1.NetworkPolicy{}); err != nil {
-			return err
-		}
-		for i, spec := range tenant.Spec.NetworkPolicies.Items {
-			t := &networkingv1.NetworkPolicy{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      fmt.Sprintf("capsule-%s-%d", tenant.Name, i),
-					Namespace: ns,
-				},
-			}
-			res, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, t, func() (err error) {
-				t.SetLabels(map[string]string{
-					tl: tenant.Name,
-					nl: strconv.Itoa(i),
-				})
-				t.Spec = spec
-
-				return controllerutil.SetControllerReference(tenant, t, r.Scheme)
-			})
-
-			r.emitEvent(tenant, t.GetNamespace(), res, fmt.Sprintf("Ensuring NetworkPolicy %s", t.GetName()), err)
-
-			r.Log.Info("Network Policy sync result: "+string(res), "name", t.Name, "namespace", t.Namespace)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-// Each Tenant owner needs the admin Role attached to each Namespace, otherwise no actions on it can be performed.
-// Since RBAC is based on deny all first, some specific actions like editing Capsule resources are going to be blocked
-// via Dynamic Admission Webhooks.
-// TODO(prometherion): we could create a capsule:admin role rather than hitting webhooks for each action
-func (r *TenantReconciler) ownerRoleBinding(tenant *capsulev1beta1.Tenant) error {
-	// getting RoleBinding label for the mutateFn
-	var subjects []rbacv1.Subject
-
-	tl, err := capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{})
-	if err != nil {
-		return err
-	}
-
-	l := map[string]string{tl: tenant.Name}
-
-	for _, owner := range tenant.Spec.Owners {
-		if owner.Kind == "ServiceAccount" {
-			splitName := strings.Split(owner.Name, ":")
-			subjects = append(subjects, rbacv1.Subject{
-				Kind:      owner.Kind.String(),
-				Name:      splitName[len(splitName)-1],
-				Namespace: splitName[len(splitName)-2],
-			})
-		} else {
-			subjects = append(subjects, rbacv1.Subject{
-				APIGroup: "rbac.authorization.k8s.io",
-				Kind:     owner.Kind.String(),
-				Name:     owner.Name,
-			})
-		}
-	}
-
-	rbl := make(map[types.NamespacedName]rbacv1.RoleRef)
-	for _, i := range tenant.Status.Namespaces {
-		rbl[types.NamespacedName{Namespace: i, Name: "namespace:admin"}] = rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "ClusterRole",
-			Name:     "admin",
-		}
-		rbl[types.NamespacedName{Namespace: i, Name: "namespace-deleter"}] = rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "ClusterRole",
-			Name:     rbac.DeleterRoleName,
-		}
-	}
-
-	for nn, rr := range rbl {
-		target := &rbacv1.RoleBinding{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      nn.Name,
-				Namespace: nn.Namespace,
-			},
-		}
-
-		var res controllerutil.OperationResult
-		res, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, target, func() (err error) {
-			target.ObjectMeta.Labels = l
-			target.Subjects = subjects
-			target.RoleRef = rr
-			return controllerutil.SetControllerReference(tenant, target, r.Scheme)
-		})
-
-		r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring Capsule RoleBinding %s", target.GetName()), err)
-
-		r.Log.Info("Role Binding sync result: "+string(res), "name", target.Name, "namespace", target.Namespace)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (r *TenantReconciler) ensureNamespaceCount(tenant *capsulev1beta1.Tenant) error {
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
-		tenant.Status.Size = uint(len(tenant.Status.Namespaces))
-		found := &capsulev1beta1.Tenant{}
-		if err := r.Client.Get(context.TODO(), types.NamespacedName{Name: tenant.GetName()}, found); err != nil {
-			return err
-		}
-		found.Status.Size = tenant.Status.Size
-		return r.Client.Status().Update(context.TODO(), found, &client.UpdateOptions{})
-	})
-}
-
-func (r *TenantReconciler) emitEvent(object runtime.Object, namespace string, res controllerutil.OperationResult, msg string, err error) {
-	var eventType = corev1.EventTypeNormal
-	if err != nil {
-		eventType = corev1.EventTypeWarning
-		res = "Error"
-	}
-
-	r.Recorder.AnnotatedEventf(object, map[string]string{"OperationResult": string(res)}, eventType, namespace, msg)
-}
-
-func (r *TenantReconciler) collectNamespaces(tenant *capsulev1beta1.Tenant) error {
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		nl := &corev1.NamespaceList{}
-		err = r.Client.List(context.TODO(), nl, client.MatchingFieldsSelector{
-			Selector: fields.OneTermEqualSelector(".metadata.ownerReferences[*].capsule", tenant.GetName()),
-		})
-		if err != nil {
-			return
-		}
-		_, err = controllerutil.CreateOrUpdate(context.TODO(), r.Client, tenant.DeepCopy(), func() error {
-			tenant.AssignNamespaces(nl.Items)
-			return r.Client.Status().Update(context.TODO(), tenant, &client.UpdateOptions{})
-		})
-		return
-	})
-}
-
-func (r *TenantReconciler) updateTenantStatus(tnt *capsulev1beta1.Tenant) error {
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		if tnt.IsCordoned() {
-			tnt.Status.State = capsulev1beta1.TenantStateCordoned
-		} else {
-			tnt.Status.State = capsulev1beta1.TenantStateActive
-		}
-
-		return r.Client.Status().Update(context.Background(), tnt)
-	})
-}