chore(helm): bumping up chart

Bumps [moment](https://github.com/moment/moment) from 2.29.2 to 2.29.4.
- [Release notes](https://github.com/moment/moment/releases)
- [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/moment/moment/compare/2.29.2...2.29.4)

---
updated-dependencies:
- dependency-name: moment
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/e2e.yml

@@ -7,6 +7,7 @@ on:
       - '.github/workflows/e2e.yml'
       - 'api/**'
       - 'controllers/**'
+      - 'pkg/**'
       - 'e2e/*'
       - 'Dockerfile'
       - 'go.*'
@@ -18,6 +19,7 @@ on:
       - '.github/workflows/e2e.yml'
       - 'api/**'
       - 'controllers/**'
+      - 'pkg/**'
       - 'e2e/*'
       - 'Dockerfile'
       - 'go.*'

api/v1alpha1/capsuleconfiguration_annotations.go

@@ -8,5 +8,5 @@ const (
 	TLSSecretNameAnnotation                  = "capsule.clastix.io/tls-secret-name"
 	MutatingWebhookConfigurationName         = "capsule.clastix.io/mutating-webhook-configuration-name"
 	ValidatingWebhookConfigurationName       = "capsule.clastix.io/validating-webhook-configuration-name"
-	GenerateCertificatesAnnotationName       = "capsule.clastix.io/generate-certificates"
+	EnableTLSConfigurationAnnotationName     = "capsule.clastix.io/enable-tls-configuration"
 )

charts/capsule/Chart.yaml

@@ -21,8 +21,8 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.9
+version: 0.1.11
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.1.1
+appVersion: 0.1.2

charts/capsule/Makefile

@@ -0,0 +1,9 @@
+docs: HELMDOCS_VERSION := v1.8.1
+docs: docker
+	@docker run --rm -v "$$(pwd):/helm-docs" -u $$(id -u) jnorwood/helm-docs:$(HELMDOCS_VERSION)
+
+docker:
+	@hash docker 2>/dev/null || {\
+		echo "You need docker" &&\
+		exit 1;\
+	}

charts/capsule/README.md

@@ -78,6 +78,9 @@ Here the values you can override:
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
+| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
+| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
+| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
 | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
 | validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
 
@@ -90,6 +93,7 @@ Here the values you can override:
 | manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. |
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | manager.imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry.   |
+| manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`.  |
 | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec    |
 | manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups   |
 | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
@@ -174,6 +178,34 @@ And optionally, depending on the values set:
 
 Capsule, as many other add-ons, defines its own set of Custom Resource Definitions (CRDs). Helm3 removed the old CRDs installation method for a more simple methodology. In the Helm Chart, there is now a special directory called `crds` to hold the CRDs. These CRDs are not templated, but will be installed by default when running a `helm install` for the chart. If the CRDs already exist (for example, you already executed `helm install`), it will be skipped with a warning. When you wish to skip the CRDs installation, and do not see the warning, you can pass the `--skip-crds` flag to the `helm install` command.
 
+## Cert-Manager integration
+
+You can enable the generation of certificates using `cert-manager` as follows.
+
+```
+helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+  --set "certManager.generateCertificates=true" \
+  --set "tls.create=false" \
+  --set "tls.enableController=false"
+```
+
+With the usage of `tls.enableController=false` value, you're delegating the injection of the Validating and Mutating Webhooks' CA to `cert-manager`.
+Since Helm3 doesn't allow to template _CRDs_, you have to patch manually the Custom Resource Definition `tenants.capsule.clastix.io` adding the proper annotation (YMMV).
+
+```yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+    cert-manager.io/inject-ca-from: capsule-system/capsule-webhook-cert
+  creationTimestamp: "2022-07-22T08:32:51Z"
+  generation: 45
+  name: tenants.capsule.clastix.io
+  resourceVersion: "9832"
+  uid: 61e287df-319b-476d-88d5-bdb8dc14d4a6
+```
+
 ## More
 
 See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

charts/capsule/README.md.gotmpl

@@ -127,6 +127,34 @@ And optionally, depending on the values set:
 
 Capsule, as many other add-ons, defines its own set of Custom Resource Definitions (CRDs). Helm3 removed the old CRDs installation method for a more simple methodology. In the Helm Chart, there is now a special directory called `crds` to hold the CRDs. These CRDs are not templated, but will be installed by default when running a `helm install` for the chart. If the CRDs already exist (for example, you already executed `helm install`), it will be skipped with a warning. When you wish to skip the CRDs installation, and do not see the warning, you can pass the `--skip-crds` flag to the `helm install` command.
 
+## Cert-Manager integration
+
+You can enable the generation of certificates using `cert-manager` as follows.
+
+```
+helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+  --set "certManager.generateCertificates=true" \
+  --set "tls.create=false" \
+  --set "tls.enableController=false"
+```
+
+With the usage of `tls.enableController=false` value, you're delegating the injection of the Validating and Mutating Webhooks' CA to `cert-manager`.
+Since Helm3 doesn't allow to template _CRDs_, you have to patch manually the Custom Resource Definition `tenants.capsule.clastix.io` adding the proper annotation (YMMV).
+
+```yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+    cert-manager.io/inject-ca-from: capsule-system/capsule-webhook-cert
+  creationTimestamp: "2022-07-22T08:32:51Z"
+  generation: 45
+  name: tenants.capsule.clastix.io
+  resourceVersion: "9832"
+  uid: 61e287df-319b-476d-88d5-bdb8dc14d4a6
+```
+
 ## More
 
 See Capsule [tutorial](https://github.com/clastix/capsule/blob/master/docs/content/general/tutorial.md) for more information about how to use Capsule.

charts/capsule/templates/NOTES.txt

@@ -5,7 +5,7 @@
 
 
    # Check the capsule logs
-   $ kubectl logs -f deployment/{{ template "capsule.fullname" . }}-controller-manager -c manager -n{{ .Release.Namespace }}
+   $ kubectl logs -f deployment/{{ template "capsule.fullname" . }}-controller-manager -c manager -n {{ .Release.Namespace }}
 
 - Manage this chart:
 

charts/capsule/templates/_helpers.tpl

@@ -113,9 +113,9 @@ Create the jobs fully-qualified Docker image to use
 {{- end }}
 
 {{/*
-Create the Capsule Deployment name to use
+Create the Capsule controller name to use
 */}}
-{{- define "capsule.deploymentName" -}}
+{{- define "capsule.controllerName" -}}
 {{- printf "%s-controller-manager" (include "capsule.fullname" .) -}}
 {{- end }}
 
@@ -123,5 +123,5 @@ Create the Capsule Deployment name to use
 Create the Capsule TLS Secret name to use
 */}}
 {{- define "capsule.secretTlsName" -}}
-{{- printf "%s-tls" (include "capsule.fullname" .) -}}
+{{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }}
 {{- end }}

charts/capsule/templates/certs.yaml

@@ -1,3 +1,4 @@
+{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,3 +9,4 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "capsule.secretTlsName" . }}
+{{- end }}

charts/capsule/templates/configuration-default.yaml

@@ -8,7 +8,7 @@ metadata:
     capsule.clastix.io/mutating-webhook-configuration-name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
     capsule.clastix.io/tls-secret-name: {{ include "capsule.secretTlsName" . }}
     capsule.clastix.io/validating-webhook-configuration-name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
-    capsule.clastix.io/generate-certificates: "{{ .Values.manager.options.generateCertificates }}"
+    capsule.clastix.io/enable-tls-configuration: "{{ .Values.tls.enableController }}"
   {{- with .Values.customAnnotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}

charts/capsule/templates/daemonset.yaml

@@ -0,0 +1,88 @@
+{{- if eq .Values.manager.kind "DaemonSet" }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "capsule.controllerName" . }}
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- with .Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{- include "capsule.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "capsule.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      {{- if .Values.manager.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: cert
+          secret:
+            defaultMode: 420
+            secretName: {{ include "capsule.secretTlsName" . }}
+      containers:
+        - name: manager
+          command:
+          - /manager
+          args:
+          - --enable-leader-election
+          - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
+          - --configuration-name=default
+          image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
+          imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
+          env:
+          - name: NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          ports:
+            - name: webhook-server
+              containerPort: 9443
+              protocol: TCP
+            - name: metrics
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .Values.manager.livenessProbe | nindent 12}}
+          readinessProbe:
+            {{- toYaml .Values.manager.readinessProbe | nindent 12}}
+          volumeMounts:
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: cert
+            readOnly: true
+          resources:
+            {{- toYaml .Values.manager.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+{{- end }}

charts/capsule/templates/deployment.yaml

@@ -1,7 +1,8 @@
+{{- if eq .Values.manager.kind "Deployment" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "capsule.deploymentName" . }}
+  name: {{ include "capsule.controllerName" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
   {{- with .Values.customAnnotations }}
@@ -29,6 +30,7 @@ spec:
       serviceAccountName: {{ include "capsule.serviceAccountName" . }}
       {{- if .Values.manager.hostNetwork }}
       hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
       {{- end }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- with .Values.nodeSelector }}
@@ -82,3 +84,4 @@ spec:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
             allowPrivilegeEscalation: false
+{{- end }}

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -4,8 +4,11 @@ metadata:
   name: {{ include "capsule.fullname" . }}-mutating-webhook-configuration
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
   annotations:
+  {{- if .Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
+  {{-  end }}
+  {{- with .Values.customAnnotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
 webhooks:

charts/capsule/templates/post-install-job.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.tls.create }}
 {{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretTlsName" .) -}}
 {{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
 {{- $cmd = printf "%s done" $cmd -}}
@@ -44,4 +45,5 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+{{- end }}

charts/capsule/templates/pre-delete-job.yaml

@@ -1,5 +1,5 @@
-{{- $cmd := printf "kubectl scale deployment -n $NAMESPACE %s --replicas 0 &&" (include "capsule.deploymentName" .) -}}
-{{- if not .Values.certManager.generateCertificates }}
+{{- $cmd := ""}}
+{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
 {{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) -}}
 {{- end }}
 {{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -4,8 +4,11 @@ metadata:
   name: {{ include "capsule.fullname" . }}-validating-webhook-configuration
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
   annotations:
+  {{- if .Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
+  {{-  end }}
+  {{- with .Values.customAnnotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
 webhooks:

charts/capsule/values.yaml

@@ -2,9 +2,21 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+# Secret Options
+tls:
+  # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
+  enableController: true
+  # -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion.
+  create: true
+  # -- Override name of the Capsule TLS Secret name when externally managed.
+  name: ""
+
 # Manager Options
 manager:
 
+  # -- Set the controller deployment mode as `Deployment` or `DaemonSet`. 
+  kind: Deployment
+
   image:
     # -- Set the image repository of the capsule.
     repository: clastix/capsule
@@ -193,4 +205,4 @@ serviceMonitor:
     # -- Set metricRelabelings for the endpoint of the serviceMonitor
     metricRelabelings: []
     # -- Set relabelings for the endpoint of the serviceMonitor
-    relabelings: []
+    relabelings: []

config/grafana/dashboard.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    # label selector used by Grafana to load the dashboards from Config Maps
+    grafana_dashboard: "1"
+  name: capsule-grafana-dashboard

config/grafana/kustomization.yaml

@@ -0,0 +1,8 @@
+configMapGenerator:
+- name: capsule-grafana-dashboard
+  files:
+  - dashboard.json
+generatorOptions:
+  disableNameSuffixHash: true
+patchesStrategicMerge:
+- dashboard.yaml

config/install.yaml

@@ -1411,7 +1411,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: clastix/capsule:v0.1.2-rc0
+        image: clastix/capsule:v0.1.2
         imagePullPolicy: IfNotPresent
         name: manager
         ports:

config/manager/kustomization.yaml

@@ -7,4 +7,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: clastix/capsule
-  newTag: v0.1.2-rc0
+  newTag: v0.1.2

controllers/tls/manager.go

@@ -177,31 +177,21 @@ func (r Reconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.R
 		return reconcile.Result{}, err
 	}
 
-	if r.Configuration.GenerateCertificates() {
-		certificate, err := cert.GetCertificateFromBytes(certSecret.Data[corev1.TLSCertKey])
-		if err != nil {
-			return reconcile.Result{}, err
-		}
-
-		now := time.Now()
-		requeueTime := certificate.NotAfter.Add(-(certificateExpirationThreshold - 1*time.Second))
-		rq := requeueTime.Sub(now)
-
-		r.Log.Info("Reconciliation completed, processing back in " + rq.String())
-
-		return reconcile.Result{Requeue: true, RequeueAfter: rq}, nil
+	certificate, err := cert.GetCertificateFromBytes(certSecret.Data[corev1.TLSCertKey])
+	if err != nil {
+		return reconcile.Result{}, err
 	}
 
-	return reconcile.Result{}, nil
+	now := time.Now()
+	requeueTime := certificate.NotAfter.Add(-(certificateExpirationThreshold - 1*time.Second))
+	rq := requeueTime.Sub(now)
+
+	r.Log.Info("Reconciliation completed, processing back in " + rq.String())
+
+	return reconcile.Result{Requeue: true, RequeueAfter: rq}, nil
 }
 
 func (r Reconciler) shouldUpdateCertificate(secret *corev1.Secret) bool {
-	if !r.Configuration.GenerateCertificates() {
-		r.Log.Info("Skipping TLS certificate generation as it is disabled in CapsuleConfiguration")
-
-		return false
-	}
-
 	if _, ok := secret.Data[corev1.ServiceAccountRootCAKey]; !ok {
 		return true
 	}

docs/content/general/proxy.md

@@ -452,6 +452,45 @@ $ curl -H "Authorization: Bearer $TOKEN" http://localhost:9001/api/v1/namespaces
 
 > NOTE: `kubectl` will not work against a `http` server.
 
+## Metrics
+
+Starting from the v0.3.0 release, Capsule Proxy exposes Prometheus metrics available at `http://0.0.0.0:8080/metrics`.
+
+The offered metrics are related to the internal `controller-manager` code base, such as work-queue and REST client requests, and the Go runtime ones.
+
+Along with these, metrics `capsule_proxy_response_time_seconds` and `capsule_proxy_requests_total` have been introduced and are specific to the Capsule Proxy code-base and functionalities.
+
+`capsule_proxy_response_time_seconds` offers a bucket representation of the HTTP request duration.
+The available variables for this metrics are the following ones:
+- `path`: the HTTP path of each single request that Capsule Proxy passes to the upstream
+
+`capsule_proxy_requests_total` counts the global requests that Capsule Proxy is passing to the upstream with the following labels.
+- `path`: the HTTP path of each single request that Capsule Proxy passes to the upstream
+- `status`: the HTTP status code of the request
+
+> Example output of the metrics:
+> ```
+> # HELP capsule_proxy_requests_total Number of requests
+> # TYPE capsule_proxy_requests_total counter
+> capsule_proxy_requests_total{path="/api/v1/namespaces",status="403"} 1
+> # HELP capsule_proxy_response_time_seconds Duration of capsule proxy requests.
+> # TYPE capsule_proxy_response_time_seconds histogram
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="0.005"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="0.01"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="0.025"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="0.05"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="0.1"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="0.25"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="0.5"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="1"} 0
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="2.5"} 1
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="5"} 1
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="10"} 1
+> capsule_proxy_response_time_seconds_bucket{path="/api/v1/namespaces",le="+Inf"} 1
+> capsule_proxy_response_time_seconds_sum{path="/api/v1/namespaces"} 2.206192787
+> capsule_proxy_response_time_seconds_count{path="/api/v1/namespaces"} 1
+> ```
+
 ## Contributing
 
 `capsule-proxy` is an open-source software released with Apache2 [license](https://github.com/clastix/capsule-proxy/blob/master/LICENSE).

docs/content/guides/flux2-capsule.md

@@ -0,0 +1,470 @@
+# Multi-tenancy the GitOps way
+
+This guide is intended to cover how to use Flux v2 with [multi-tenancy lockdown features](https://fluxcd.io/docs/installation/#multi-tenancy-lockdown) with Capsule and Capsule Proxy together, to enable a Namespace-as-a-Service the GitOps-way.
+
+### Flux and multi-tenancy
+
+Flux v2 released a [set of features](https://fluxcd.io/blog/2022/05/may-2022-security-announcement/#whats-next-for-flux) that further increasesed security for multi-tenancy scenarios.
+
+These features enable you to:
+- disable cross-Namespace reference of Source CRs from Reconciliation CRs and Notification CRs. This way, especially for tenants, they can't access resources outside their space. This can be achieved with `--no-cross-namespace-refs=true` option of kustomize, helm, notification, image-reflector, image-automation controllers.
+- set a default `ServiceAccount` impersonation for Reconciliation CRs. This is supposed to be an unprivileged SA that reconciles just the tenant's desired state. This will be enforced when is not otherwise specified explicitely in Reconciliation CR spec. This can be enforced with the `--default-service-account=<name>` option of helm and kustomize controllers.
+
+  > For this responsibility we identify a Tenant GitOps Reconciler identity, which is a ServiceAccount and it's also the tenant owner (more on tenants and owners later on, with Capsule).
+
+- disallow remote bases for Kustomizations. Actually, this is not stryctly required, but it decreases the risk of referencing Kustomizations which aren't part of the controlled GitOps pipelines. In a multi-tenant scenario this is important too. They can be disabled with `--no-remote-bases=true` option of the kustomize controller.
+
+Where required, to ensure privileged Reconciliation resources have the needed privileges to be reconciled, we can explicitely set a privileged `ServiceAccount`s.
+
+In any case, is required that the `ServiceAccount` is in the same `Namespace` of the `Kustomization`, so unprivileged spaces should not have privileged `ServiceAccount`s available.
+
+For example, for the root `Kustomization`:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  serviceAccountName: kustomize-controller # It has cluster-admin permissions
+  path: ./clusters/staging
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+```
+
+In example, the cluster admin is supposed to apply this Kustomization, during the cluster bootstrap that i.e. will reconcile also Flux itself.
+All the remaining Reconciliation resources can be children of this Kustomization.
+
+![bootstrap](./kustomization-hierarchy-root-tenants.png)
+
+### Namespace-as-a-Service
+
+Tenants could have his own set of Namespaces to operate on but it should be prepared by higher-level roles, like platform admins: the declarations would be part of the platform space.
+They would be responsible of tenants administration, and each change (e.g. new tenant Namespace) should be a request that would pass through approval.
+
+![no-naas](./flux-tenants-reconciliation.png)
+
+What if we would like to provide tenants the ability to manage also their own space the GitOps-way? Enter Capsule.
+
+![naas](./flux-tenants-capsule-reconciliation.png)
+
+## The ingredients of the recipe
+
+> Legenda:
+> - Privileged space: group of Namespaces which are not part of any Tenant.
+> - Privileged identity: identity that won't pass through Capsule tenant access control.
+> - Unprivileged space: group of Namespaces which are part of a Tenant.
+> - Unprivileged identity: identity that would pass through Capsule tenant access control.
+> - Tenant GitOps Reconciler: a machine Tenant Owner expected to reconcile Tenant desired state.
+
+### Capsule
+
+Capsule provides a Custom Resource `Tenant` and ability to set its owners through `spec.owners` as references to:
+- `User`
+- `Group`
+- `ServiceAccount`
+
+#### Tenant and Tenant Owner
+
+We would like to let a machine reconcile Tenant's states, we'll need a `ServiceAccount` as a Tenant Owner:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitops-reconciler
+  namespace: my-tenant
+---
+apiVersion: capsule.clastix.io/v1beta1
+kind: Tenant
+metadata:
+  name: my-tenant
+spec:
+  owners:
+  - name: system:serviceaccount:my-tenant:gitops-reconciler # the Tenant GitOps Reconciler
+```
+
+From now on, we'll refer to it as the **Tenant GitOps Reconciler**.
+
+#### Tenant Groups
+
+We also need to state that Capsule should enforce tenant access control for requests coming from tenants, and we can do that by specifying one of the `Group`s bound by default by Kubernetes to the Tenant GitOps Reconciler `ServiceAccount` in the `CapsuleConfiguration`:
+
+```yaml
+apiVersion: capsule.clastix.io/v1alpha1
+kind: CapsuleConfiguration
+metadata:
+  name: default
+spec:
+  userGroups:
+  - system:serviceaccounts:my-tenant
+```
+
+Other privileged requests, e.g. for reconciliation coming from the Flux privileged `ServiceAccount`s like `flux-system/kustomize-controller` will bypass Capsule.
+
+### Flux
+
+Flux enables to specify with which identity Reconciliation resources are reconciled, through:
+- `ServiceAccount` impersonation
+- `kubeconfig`
+
+#### ServiceAccount
+
+As by default Flux reconciles those resources with Flux `cluster-admin` Service Accounts, we set at controller-level the **default `ServiceAccount` impersonation** to the unprivileged **Tenant GitOps Reconciler**:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- flux-controllers.yaml
+patches:
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/0
+        value: --default-service-account=gitops-reconciler # the Tenant GitOps Reconciler
+    target:
+      kind: Deployment
+      name: "(kustomize-controller|helm-controller)"
+```
+
+This way tenants can't make Flux apply their Reconciliation resources with Flux's privileged Service Accounts, by not specifying a `spec.ServiceAccountName` on them. 
+
+At the same time at resource-level in privileged space we still can specify a privileged ServiceAccount, and its reconciliation requests won't pass through Capsule validation:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  serviceAccountName: kustomize-controller
+  path: ./clusters/staging
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+```
+
+#### Kubeconfig
+
+We also need to specify on Tenant's Reconciliation resources, the `Secret` with **`kubeconfig`** configured to use the **Capsule Proxy** as the API server in order to provide the Tenant GitOps Reconciler the ability to list cluster-level resources.
+The `kubeconfig` would specify also as the token the Tenant GitOps Reconciler SA token, 
+
+For example:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: my-app
+  namespace: my-tenant
+spec:
+  kubeConfig:
+    secretRef:
+      name: gitops-reconciler-kubeconfig
+      key: kubeconfig 
+  sourceRef:
+    kind: GitRepository
+    name: my-tenant
+  path: ./staging
+```
+
+> We'll see how to prepare the related `Secret` (i.e. *gitops-reconciler-kubeconfig*) later on.
+
+Each request made with this kubeconfig will be done impersonating the user of the default impersonation SA, that is the same of the token specified in the kubeconfig.
+To deepen on this please go to [#Insights](#insights).
+
+## The recipe
+
+### How to setup Tenants GitOps-ready
+
+Given that [Capsule](github.com/clastix/capsule) and [Capsule Proxy](github.com/clastix/capsule-proxy) are installed, and [Flux v2](https://github.com/fluxcd/flux2) configured with [multi-tenancy lockdown](https://fluxcd.io/docs/installation/#multi-tenancy-lockdown) features, of which the patch below:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- flux-components.yaml
+patches:
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/0
+        value: --no-cross-namespace-refs=true      
+    target:
+      kind: Deployment
+      name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --no-remote-bases=true      
+    target:
+      kind: Deployment
+      name: "kustomize-controller"
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/0
+        value: --default-service-account=gitops-reconciler # The Tenant GitOps Reconciler
+    target:
+      kind: Deployment
+      name: "(kustomize-controller|helm-controller)"
+  - patch: |
+      - op: add
+        path: /spec/serviceAccountName
+        value: kustomize-controller      
+    target:
+      kind: Kustomization
+      name: "flux-system"
+```
+
+this is the required set of resources to setup a Tenant:
+- `Namespace`: the Tenant GitOps Reconciler "home". This is not part of the Tenant to avoid a chicken & egg problem:
+  ```yaml
+  apiVersion: v1
+  kind: Namespace
+  metadata:
+    name: my-tenant
+  ```
+- `ServiceAccount` of the Tenant GitOps Reconciler, in the above `Namespace`:
+  ```yaml
+  apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: gitops-reconciler
+    namespace: my-tenant
+  ```
+- `Tenant` resource with the above Tenant GitOps Reconciler's SA as Tenant Owner, with:
+- Additional binding to *cluster-admin* `ClusterRole` for the Tenant's `Namespace`s and `Namespace` of the Tenant GitOps Reconciler' `ServiceAccount`.
+  By default Capsule binds only `admin` ClusterRole, which has no privileges over Custom Resources, but *cluster-admin* has. This is needed to operate on Flux CRs:
+  ```yaml
+  apiVersion: capsule.clastix.io/v1beta1
+  kind: Tenant
+  metadata:
+    name: my-tenant
+  spec:
+    additionalRoleBindings:
+    - clusterRoleName: cluster-admin
+      subjects:
+      - name: gitops-reconciler
+        kind: ServiceAccount
+        namespace: my-tenant
+    owners:
+    - name: system:serviceaccount:my-tenant:gitops-reconciler
+      kind: ServiceAccount
+  ```
+- Additional binding to *cluster-admin* `ClusterRole` for home `Namespace` of the Tenant GitOps Reconciler' `ServiceAccount`, so that the Tenant GitOps Reconciler can create Flux CRs on the tenant home Namespace and use Reconciliation resource's `spec.targetNamespace` to place resources to `Tenant` `Namespace`s:
+  ```yaml
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: gitops-reconciler
+    namespace: my-tenant
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: cluster-admin
+  subjects:
+  - kind: ServiceAccount
+    name: gitops-reconciler
+    namespace: my-tenant
+  ```
+- Additional `Group` in the `CapsuleConfiguration` to make Tenant GitOps Reconciler requests pass through Capsule admission (group `system:serviceaccount:<tenant-gitops-reconciler-home-namespace>`):
+  ```yaml
+  apiVersion: capsule.clastix.io/v1alpha1
+  kind: CapsuleConfiguration
+  metadata:
+    name: default
+  spec:
+    userGroups:
+    - system:serviceaccounts:my-tenant
+  ```
+- Additional `ClusterRole` with related `ClusterRoleBinding` that allows to `PATCH` requests on Namespaces, besides `CREATE`. Flux kustomize controller will `kubectl-apply` resources:
+
+  ```yaml
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: capsule-namespace-provisioner-gitops
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - namespaces
+    verbs:
+    - patch
+  ---
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: capsule-namespace-provisioner-gitops-my-tenant
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: capsule-namespace-provisioner-gitops
+  subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:serviceaccounts:my-tenant
+  ```
+
+- Additional `ClusterRole` with related `ClusterRoleBinding` that allows the Tenant GitOps Reconciler to impersonate his own `User` (e.g. `system:serviceaccount:my-tenant:gitops-reconciler`):
+  ```yaml
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: my-tenant-gitops-reconciler-impersonator
+  rules:
+  - apiGroups: [""]
+    resources: ["users"]
+    verbs: ["impersonate"]
+    resourceNames: ["system:serviceaccount:my-tenant:gitops-reconciler"]
+  ---
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: my-tenant-gitops-reconciler-impersonate
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: my-tenant-gitops-reconciler-impersonator
+  subjects:
+  - name: gitops-reconciler
+    kind: ServiceAccount
+    namespace: my-tenant
+  ```
+- `Secret` with `kubeconfig` for the Tenant GitOps Reconciler with Capsule Proxy as `kubeconfig.server` and the SA token as `kubeconfig.token`.
+  > This is supported only with Service Account static tokens.
+- Flux Source and Reconciliation resources that refer to Tenant desired state. This typically points to a specific path inside a dedicated Git repository, where tenant's root configuration reside: 
+  ```yaml
+  apiVersion: source.toolkit.fluxcd.io/v1beta2
+  kind: GitRepository
+  metadata:
+    name: my-tenant
+    namespace: my-tenant
+  spec:
+    url: https://github.com/my-tenant/all.git # Git repository URL
+    ref:
+      branch: main # Git reference
+  ---
+  apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+  kind: Kustomization
+  metadata:
+    name: my-tenant
+    namespace: my-tenant
+  spec:
+    kubeConfig:
+      secretRef:
+        name: gitops-reconciler-kubeconfig
+        key: kubeconfig
+    sourceRef:
+      kind: GitRepository
+      name: my-tenant
+    path: config # Path to config from GitRepository Source
+  ```
+  This `Kustomization` can in turn refer to further `Kustomization` resources creating a tenant configuration hierarchy.
+
+#### Generate the Capsule Proxy kubeconfig Secret
+
+You need to create a `Secret` in the Tenant GitOps Reconciler home `Namespace`, containing the `kubeconfig` that specifies:
+- `server`: Capsule Proxy `Service` URL with related CA certificate for TLS
+- `token`: the token of the `Tenant` GitOps Reconciler
+
+With required privileges over the target `Namespace` to create `Secret`, you can generate it with the `proxy-kubeconfig-generator` utility:
+
+```sh
+$ go install github.com/maxgio92/proxy-kubeconfig-generator@latest
+$ proxy-kubeconfig-generator \
+  --kubeconfig-secret-key kubeconfig \
+  --namespace my-tenant \
+  --server 'https://capsule-proxy.capsule-system.svc:9001' \
+  --server-tls-secret-namespace capsule-system \
+  --server-tls-secret-name capsule-proxy \
+  --serviceaccount gitops-reconciler
+```
+
+### How a Tenant can declare his state
+
+Considering the example above, a Tenant `my-tenant` could place in his own repository (i.e. `https://github.com/my-tenant/all`), on branch `main` at path `/config` further Reconciliation resources, like:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: my-apps
+  namespace: my-tenant
+spec:
+  kubeConfig:
+    secretRef:
+      name: gitops-reconciler-kubeconfig
+      key: kubeconfig 
+  sourceRef:
+    kind: GitRepository
+    name: my-tenant
+  path: config/apps
+```
+
+that refer to the same Source but different path (i.e. `config/apps`) that could contain his applications' manifests.
+
+The same is valid for a `HelmRelease`s, that instead will refer to an `HelmRepository` Source.
+
+The reconciliation requests will pass through Capsule Proxy as Tenant GitOps Reconciler with impersonation. Then, as the identity group of the requests matches the Capsule groups they will be validated by Capsule, and finally the RBAC will provide boundaries to Tenant GitOps Reconciler privileges.
+
+> If the `spec.kubeConfig` is not specified the Flux privileged `ServiceAccount` will impersonate the default unprivileged Tenant GitOps Reconciler `ServiceAccount` as configured with `--default-service-account` option of kustomize and helm controllers, but it list requests on cluster-level resources like `Namespace`s will fail.
+
+## Full setup
+
+To have a glimp on a full setup you can follow the [flux2-capsule-multi-tenancy](https://github.com/clastix/flux2-capsule-multi-tenancy.git) repository.
+For simplicity, the system and tenants declarations are on the same repository but on dedicated git branches.
+
+It's a fork of [flux2-multi-tenancy](https://github.com/fluxcd/flux2-multi-tenancy.git) but with the integration we saw with Capsule.
+
+## Insights
+
+### Why ServiceAccount that impersonates its own User
+
+As stated just above, you'd be wondering why a user would make a request impersonating himself (i.e. the Tenant GitOps Reconciler ServiceAccount User).
+
+This is because we need to make tenant reconciliation requests through Capsule Proxy and we want to protect from risk of privilege escalation done through bypass of impersonation.
+
+### Threats
+
+##### Bypass unprivileged impersonation
+
+The reason why we can't set impersonation to be optional is because, as each tenant is allowed to not specify neither the kubeconfig nor the impersonation SA for the Reconciliation resource, and because in any case that kubeconfig could contain whatever privileged credentials, Flux would otherwise use the privileged ServiceAccount, to reconcile tenant resources.
+
+That way, a tenant would be capable of managing the GitOps way the cluster as he was a cluster admin.
+
+Furthermore, let's see if there are other vulnerabilities we are able to protect from.
+
+##### Impersonate privileged SA
+
+Then, what if a tenant tries to escalate by using one of the Flux controllers privileged `ServiceAccount`s? 
+
+As `spec.ServiceAccountName` for Reconciliation resource cannot cross-namespace reference Service Accounts, tenants are able to let Flux apply his own resources only with ServiceAccounts that reside in his own Namespaces. Which is, Namespace of the ServiceAccount and Namespace of the Reconciliation resource must match.
+
+He could neither create the Reconciliation resource where a privileged ServiceAccount is present (like flux-system), as the Namespace has to be owned by the Tenant. Capsule would block those Reconciliation resource creation requests.
+
+##### Create and impersonate privileged SA
+
+Then, what if a tenant tries to escalate by creating a privileged `ServiceAccount` inside on of his own `Namespace`s?
+
+A tenant could create a `ServiceAccount` in an owned `Namespace`, but he can't neither bind at cluster-level nor at a non-owned Namespace-level a ClusterRole, as that wouldn't be permitted by Capsule admission controllers.
+
+Now let's go on with the practical part.
+
+##### Change ownership of privileged Namespaces (e.g. flux-system)
+
+He could try to use privileged `ServiceAccount` by changing ownership of a privileged Namespace so that he could create Reconciliation resource there and using the privileged SA.
+This is not permitted as he can't patch Namespaces which have not been created by him. Capsule request validation would not pass.
+
+For other protections against threats in this multi-tenancy scenario please see the Capsule [Multi-Tenancy Benchmark](/docs/general/mtb). 
+
+## References
+- https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
+- https://fluxcd.io/blog/2022/05/may-2022-security-announcement/
+- https://github.com/clastix/capsule-proxy/issues/218
+- https://github.com/clastix/capsule/issues/528 
+- https://github.com/clastix/flux2-capsule-multi-tenancy
+- https://github.com/fluxcd/flux2-multi-tenancy
+- https://fluxcd.io/docs/guides/repository-structure/

docs/content/guides/monitoring.md

@@ -47,9 +47,15 @@ Verify that the service monitor is working correctly through the Prometheus "tar
 ![Prometheus Targets](./assets/prometheus_targets.png)
 
 ### Deploy dashboard
+A dashboard for Grafana is provided as [dashboard.json](https://github.com/clastix/capsule/blob/master/config/grafana/dashboard.json).
 
-Simply upload [dashboard.json](https://github.com/clastix/capsule/blob/master/config/grafana/dashboard.json) file to Grafana through _Create_ -> _Import_,
-making sure to select the correct Prometheus data source:
+Render with `kustomize` the dashboard as a ConfigMap and apply in the namespace where Grafana is installed, making sure to select the correct Prometheus datasource:
+
+```
+kubectl -n <grafana-namespace> apply -k config/grafana
+```
+
+Alternatively, manual upload the dashboard in JSON format to Grafana through _Create -> Import_:
 
 ![Grafana Import](./assets/upload_json.png)
 

docs/gridsome.server.js

@@ -90,7 +90,11 @@ module.exports = function (api) {
                   path: '/docs/guides/managed-kubernetes/coaks'
                 },
               ]
-            }
+            },
+			{
+				label: 'Flux and Capsule for multi-tenant GitOps',
+				path: '/docs/guides/flux2-capsule'
+			}
           ]
         },
         {

docs/package-lock.json

@@ -2143,9 +2143,9 @@
       }
     },
     "arg": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.1.tgz",
-      "integrity": "sha512-e0hDa9H2Z9AwFkk2qDlwhoMYE4eToKarchkQHovNdLTCYMHZHeRjI71crOh+dio4K6u1IcwubQqo79Ga4CyAQA==",
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.2.tgz",
+      "integrity": "sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==",
       "dev": true
     },
     "argparse": {
@@ -7703,9 +7703,9 @@
       "integrity": "sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A=="
     },
     "lilconfig": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.5.tgz",
-      "integrity": "sha512-xaYmXZtTHPAw5m+xLN8ab9C+3a8YmV3asNSPOATITbtwrfbwaLJj8h66H1WMIpALCkqsIzK3h7oQ+PdX+LQ9Eg==",
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.6.tgz",
+      "integrity": "sha512-9JROoBW7pobfsx+Sq2JsASvCo6Pfo6WWoUW79HuB1BCoBXD4PLWJPqDF6fNj67pqBYTbAHkE57M1kS/+L1neOg==",
       "dev": true
     },
     "lines-and-columns": {
@@ -8243,9 +8243,9 @@
       "dev": true
     },
     "moment": {
-      "version": "2.29.2",
-      "resolved": "https://registry.npmjs.org/moment/-/moment-2.29.2.tgz",
-      "integrity": "sha512-UgzG4rvxYpN15jgCmVJwac49h9ly9NurikMWGPdVxm8GZD6XjkKPxDTjQQ43gtGgnV3X0cAyWDdP2Wexoquifg=="
+      "version": "2.29.4",
+      "resolved": "https://registry.npmjs.org/moment/-/moment-2.29.4.tgz",
+      "integrity": "sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w=="
     },
     "move-concurrently": {
       "version": "1.0.1",
@@ -9549,7 +9549,7 @@
     "postcss-functions": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/postcss-functions/-/postcss-functions-3.0.0.tgz",
-      "integrity": "sha1-DpTQFERwCkgd4g3k1V+yZAVkJQ4=",
+      "integrity": "sha512-N5yWXWKA+uhpLQ9ZhBRl2bIAdM6oVJYpDojuI1nF2SzXBimJcdjFwiAouBVbO5VuOF3qA6BSFWFc3wXbbj72XQ==",
       "dev": true,
       "requires": {
         "glob": "^7.1.2",
@@ -10669,7 +10669,7 @@
     "pretty-hrtime": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/pretty-hrtime/-/pretty-hrtime-1.0.3.tgz",
-      "integrity": "sha1-t+PqQkNaTJsnWdmeDyAesZWALuE=",
+      "integrity": "sha512-66hKPCr+72mlfiSjlEB1+45IjXSqvVAIy6mocupoww4tBFE9R9IhwwUGoI4G++Tc9Aq+2rxOt0RFU6gPcrte0A==",
       "dev": true
     },
     "prism-themes": {
@@ -13186,9 +13186,9 @@
       "integrity": "sha512-wK0Ri4fOGjv/XPy8SBHZChl8CM7uMc5VML7SqiQ0zG7+J5Vr+RMQDoHa2CNT6KHUnTGIXH34UDMkPzAUyapBZg=="
     },
     "terser": {
-      "version": "4.8.0",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-4.8.0.tgz",
-      "integrity": "sha512-EAPipTNeWsb/3wLPeup1tVPaXfIaU68xMnVdPafIL1TV05OhASArYyIfFvnvJCNrR2NIOvDVNNTFRa+Re2MWyw==",
+      "version": "4.8.1",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-4.8.1.tgz",
+      "integrity": "sha512-4GnLC0x667eJG0ewJTa6z/yXrbLGv80D9Ru6HIpCQmO+Q4PfEtBFi0ObSckqwL6VyQv/7ENJieXHo2ANmdQwgw==",
       "requires": {
         "commander": "^2.20.0",
         "source-map": "~0.6.1",

docs/yarn.lock

@@ -6441,9 +6441,9 @@ modern-normalize@^1.1.0:
   integrity sha512-2lMlY1Yc1+CUy0gw4H95uNN7vjbpoED7NNRSBHE25nWfLBdmMzFCsPshlzbxHz+gYMcBEUN8V4pU16prcdPSgA==
 
 moment@^2.24.0:
-  version "2.29.2"
-  resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.2.tgz#00910c60b20843bcba52d37d58c628b47b1f20e4"
-  integrity sha512-UgzG4rvxYpN15jgCmVJwac49h9ly9NurikMWGPdVxm8GZD6XjkKPxDTjQQ43gtGgnV3X0cAyWDdP2Wexoquifg==
+  version "2.29.4"
+  resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz#3dbe052889fe7c1b2ed966fcb3a77328964ef108"
+  integrity sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w==
 
 move-concurrently@^1.0.1:
   version "1.0.1"
@@ -9022,9 +9022,9 @@ source-map-resolve@^0.5.0:
     urix "^0.1.0"
 
 source-map-support@~0.5.12:
-  version "0.5.20"
-  resolved "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.5.20.tgz#12166089f8f5e5e8c56926b377633392dd2cb6c9"
-  integrity sha512-n1lZZ8Ve4ksRqizaBQgxXDgKwttHDhyfQjA6YZZn8+AroHbsIz+JjwxQDxbp+7y5OYCI8t1Yk7etjD9CRd2hIw==
+  version "0.5.21"
+  resolved "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.5.21.tgz#04fe7c7f9e1ed2d662233c28cb2b35b9f63f6e4f"
+  integrity sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w==
   dependencies:
     buffer-from "^1.0.0"
     source-map "^0.6.0"
@@ -9538,9 +9538,9 @@ terser-webpack-plugin@^1.4.3:
     worker-farm "^1.7.0"
 
 terser@^4.1.2:
-  version "4.8.0"
-  resolved "https://registry.yarnpkg.com/terser/-/terser-4.8.0.tgz#63056343d7c70bb29f3af665865a46fe03a0df17"
-  integrity sha512-EAPipTNeWsb/3wLPeup1tVPaXfIaU68xMnVdPafIL1TV05OhASArYyIfFvnvJCNrR2NIOvDVNNTFRa+Re2MWyw==
+  version "4.8.1"
+  resolved "https://registry.yarnpkg.com/terser/-/terser-4.8.1.tgz#a00e5634562de2239fd404c649051bf6fc21144f"
+  integrity sha512-4GnLC0x667eJG0ewJTa6z/yXrbLGv80D9Ru6HIpCQmO+Q4PfEtBFi0ObSckqwL6VyQv/7ENJieXHo2ANmdQwgw==
   dependencies:
     commander "^2.20.0"
     source-map "~0.6.1"

main.go

@@ -142,29 +142,30 @@ func main() {
 
 	directCfg := configuration.NewCapsuleConfiguration(ctx, directClient, configurationName)
 
-	tlsReconciler := &tlscontroller.Reconciler{
-		Client:        directClient,
-		Log:           ctrl.Log.WithName("controllers").WithName("TLS"),
-		Namespace:     namespace,
-		Configuration: directCfg,
-	}
+	if directCfg.EnableTLSConfiguration() {
+		tlsReconciler := &tlscontroller.Reconciler{
+			Client:        directClient,
+			Log:           ctrl.Log.WithName("controllers").WithName("TLS"),
+			Namespace:     namespace,
+			Configuration: directCfg,
+		}
 
-	if err = tlsReconciler.SetupWithManager(manager); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Namespace")
-		os.Exit(1)
-	}
+		if err = tlsReconciler.SetupWithManager(manager); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "Namespace")
+			os.Exit(1)
+		}
 
-	tlsCert := &corev1.Secret{}
+		tlsCert := &corev1.Secret{}
 
-	if err = directClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
-		setupLog.Error(err, "unable to get Capsule TLS secret")
-		os.Exit(1)
-	}
-
-	// Reconcile TLS certificates before starting controllers and webhooks
-	if err = tlsReconciler.ReconcileCertificates(ctx, tlsCert); err != nil {
-		setupLog.Error(err, "unable to reconcile Capsule TLS secret")
-		os.Exit(1)
+		if err = directClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: directCfg.TLSSecretName()}, tlsCert); err != nil {
+			setupLog.Error(err, "unable to get Capsule TLS secret")
+			os.Exit(1)
+		}
+		// Reconcile TLS certificates before starting controllers and webhooks
+		if err = tlsReconciler.ReconcileCertificates(ctx, tlsCert); err != nil {
+			setupLog.Error(err, "unable to reconcile Capsule TLS secret")
+			os.Exit(1)
+		}
 	}
 
 	if err = (&tenantcontroller.Manager{

pkg/configuration/client.go

@@ -78,8 +78,8 @@ func (c capsuleConfiguration) TLSSecretName() (name string) {
 	return
 }
 
-func (c capsuleConfiguration) GenerateCertificates() bool {
-	annotationValue, ok := c.retrievalFn().Annotations[capsulev1alpha1.GenerateCertificatesAnnotationName]
+func (c capsuleConfiguration) EnableTLSConfiguration() bool {
+	annotationValue, ok := c.retrievalFn().Annotations[capsulev1alpha1.EnableTLSConfigurationAnnotationName]
 
 	if ok {
 		value, err := strconv.ParseBool(annotationValue)

pkg/configuration/configuration.go

@@ -19,7 +19,9 @@ const (
 type Configuration interface {
 	ProtectedNamespaceRegexp() (*regexp.Regexp, error)
 	ForceTenantPrefix() bool
-	GenerateCertificates() bool
+	// EnableTLSConfiguration enabled the TLS reconciler, responsible for creating CA and TLS certificate required
+	// for the CRD conversion and webhooks.
+	EnableTLSConfiguration() bool
 	TLSSecretName() string
 	MutatingWebhookConfigurationName() string
 	ValidatingWebhookConfigurationName() string

pkg/webhook/namespace/user_metadata.go

@@ -115,7 +115,7 @@ func (r *userMetadataHandler) OnUpdate(client client.Client, decoder *admission.
 		var labels, annotations map[string]string
 
 		for key, value := range newNs.GetLabels() {
-			if _, ok := oldNs.GetLabels()[key]; !ok {
+			if _, ok := oldNs.GetLabels()[key]; ok {
 				if labels == nil {
 					labels = make(map[string]string)
 				}
@@ -125,7 +125,7 @@ func (r *userMetadataHandler) OnUpdate(client client.Client, decoder *admission.
 		}
 
 		for key, value := range newNs.GetAnnotations() {
-			if _, ok := oldNs.GetAnnotations()[key]; !ok {
+			if _, ok := oldNs.GetAnnotations()[key]; ok {
 				if annotations == nil {
 					annotations = make(map[string]string)
 				}