Compare commits

..

2 Commits

Author SHA1 Message Date
Oliver Bähler
203ae61072 chore(yamllint): fix yaml comments
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-04-29 18:55:58 +02:00
Oliver Bähler
dbc1502d20 fix(ci): remove harpoon from workflow
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-04-08 14:11:02 +02:00
427 changed files with 43513 additions and 12992 deletions

View File

@@ -11,7 +11,6 @@ rules:
- "false"
- "on"
- "off"
check-keys: false
braces:
min-spaces-inside: 0

View File

@@ -1,4 +1,3 @@
maintainers:
- name: Adriano Pezzuto
github: https://github.com/bsctl
company: Clastix
@@ -22,16 +21,9 @@ maintainers:
company: Peak Scale
projects:
- https://github.com/projectcapsule/capsule
- https://github.com/projectcapsule/capsule-proxy
- name: Massimiliano Giovagnoli
github: https://github.com/maxgio92
company: Proximus
projects:
- https://github.com/projectcapsule/capsule
- https://github.com/projectcapsule/capsule-proxy
- name: Hristo Hristov
github: https://github.com/Svarrogh1337
company: Vaerolabs
projects:
- https://github.com/projectcapsule/capsule
- https://github.com/projectcapsule/capsule-proxy

View File

@@ -17,7 +17,7 @@ jobs:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@fc87bb5b5a97953d987372e74478de634726b3e5 # v3.0.25
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3.0.23
with:
# slsa-github-generator requires using a semver tag for reusable workflows.
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators

View File

@@ -14,28 +14,6 @@ concurrency:
cancel-in-progress: true
jobs:
compliance:
name: "License Compliance"
runs-on: ubuntu-24.04
steps:
- name: "Checkout Code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Scan"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Test"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
run-tests: true
sast:
name: "SAST"
runs-on: ubuntu-24.04
@@ -48,15 +26,15 @@ jobs:
steps:
- name: Checkout Source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- name: Run Gosec Security Scanner
uses: securego/gosec@32975f4bab0d7b683a88756aaf3fa5502188b476 # v2.22.7
uses: securego/gosec@955a68d0d19f4afb7503068f95059f7d0c529017 # v2.22.3
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@b9b3b12fa29bb4f95fb2e36128124ff9364aaf0e
uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
with:
sarif_file: gosec.sarif
unit_tests:
@@ -65,7 +43,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- name: Unit Test
@@ -77,7 +55,7 @@ jobs:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Upload Report to Codecov
if: ${{ steps.checksecret.outputs.result == 'true' }}
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: projectcapsule/capsule

View File

@@ -28,7 +28,7 @@ jobs:
- name: ko build
run: VERSION=${{ github.sha }} make ko-build-all
- name: Trivy Scan Image
uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -40,6 +40,6 @@ jobs:
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b9b3b12fa29bb4f95fb2e36128124ff9364aaf0e
uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
with:
sarif_file: 'trivy-results.sarif'

View File

@@ -28,7 +28,7 @@ jobs:
with:
build-cache-key: publish-images
- name: Run Trivy vulnerability (Repo)
uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -36,7 +36,7 @@ jobs:
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Install Cosign
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: Publish Capsule
id: publish-capsule
uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
@@ -51,7 +51,7 @@ jobs:
sbom-name: capsule
sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
main-path: ./cmd/
main-path: ./
env:
REPOSITORY: ${{ github.repository }}
generate-capsule-provenance:

View File

@@ -23,26 +23,16 @@ concurrency:
jobs:
e2e:
name: E2E Testing
runs-on:
labels: ubuntu-latest-8-cores
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
with:
version: v3.14.2
- name: unit tracing
run: sudo make trace-unit
- name: e2e tracing
run: sudo make trace-e2e
- name: build seccomp profile
run: make seccomp
- name: upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: capsule-seccomp
path: capsule-seccomp.json
- name: e2e testing
run: make e2e

View File

@@ -46,7 +46,7 @@ jobs:
chart-digest: ${{ steps.helm_publish.outputs.digest }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: "Extract Version"
id: extract_version
run: |

View File

@@ -18,7 +18,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- name: Generate manifests
@@ -45,7 +45,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- name: Run golangci-lint

View File

@@ -11,41 +11,40 @@ concurrency:
cancel-in-progress: true
jobs:
seccomp-generation:
name: Seccomp Generation
strategy:
fail-fast: false
matrix:
# differently from the e2e workflow
# we don't need all the versions of kubernetes
# to generate the seccomp profile.
k8s-version:
- "v1.30.0"
runs-on: ubuntu-latest-8-cores
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version-file: 'go.mod'
- uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
with:
version: v3.14.2
- name: unit tracing
run: sudo make trace-unit
- name: e2e tracing
run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
- name: build seccomp profile
run: make seccomp
- name: upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: capsule-seccomp
path: capsule-seccomp.json
# seccomp-generation:
# name: Seccomp Generation
# strategy:
# fail-fast: false
# matrix:
# # differently from the e2e workflow
# # we don't need all the versions of kubernetes
# # to generate the seccomp profile.
# k8s-version:
# - "v1.30.0"
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# with:
# fetch-depth: 0
# - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
# with:
# go-version-file: 'go.mod'
# - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
# with:
# version: v3.14.2
# - name: unit tracing
# run: sudo make trace-unit
# - name: e2e tracing
# run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
# - name: build seccomp profile
# run: make seccomp
# - name: upload artifact
# uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
# with:
# name: capsule-seccomp
# path: capsule-seccomp.json
create-release:
needs: seccomp-generation
# needs: seccomp-generation
runs-on: ubuntu-latest
permissions:
contents: write
@@ -56,7 +55,7 @@ jobs:
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- name: Setup caches
@@ -64,14 +63,14 @@ jobs:
timeout-minutes: 5
continue-on-error: true
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45
- uses: anchore/sbom-action/download-syft@9f7302141466aa6482940f15371237e9d9f4c34a
- name: Install Cosign
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
- name: download artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: capsule-seccomp
path: ./capsule-seccomp.json
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
# - name: download artifact
# uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
# with:
# name: capsule-seccomp
# path: ./capsule-seccomp.json
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
with:

View File

@@ -24,7 +24,7 @@ jobs:
with:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
@@ -37,6 +37,6 @@ jobs:
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
with:
sarif_file: results.sarif

View File

@@ -1,26 +0,0 @@
name: Stale-Bot
permissions: {}
on:
schedule:
- cron: '0 0 * * *' # Run every day at midnight
jobs:
stale:
runs-on: ubuntu-latest
permissions:
actions: write
contents: write # only for delete-branch option
issues: write
pull-requests: write
steps:
- name: Close stale pull requests
uses: actions/stale@a92fd57ffeff1a7d5e9f90394c229c1cebb74321
with:
stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
stale-pr-message: 'This pull request has been marked as stale because it has been inactive for more than 30 days. Please update this pull request or it will be automatically closed in 30 days.'
days-before-issue-stale: 60
days-before-pr-stale: 30
days-before-issue-close: 30
days-before-pr-close: 30
stale-pr-label: stale

1
.gitignore vendored
View File

@@ -7,7 +7,6 @@
*.dylib
bin
dist/
config/
# Test binary, build with `go test -c`
*.test

View File

@@ -1,89 +0,0 @@
version: "2"
run:
tests: false
allow-parallel-runners: true
linters:
default: all
disable:
- depguard
- err113
- exhaustruct
- funlen
- gochecknoglobals
- gochecknoinits
- ireturn
- lll
- mnd
- nilnil
- nonamedreturns
- paralleltest
- perfsprint
- recvcheck
- testpackage
- unparam
- varnamelen
- wrapcheck
- noinlineerr
- revive
settings:
cyclop:
max-complexity: 27
dupl:
threshold: 100
gocognit:
min-complexity: 50
goconst:
min-len: 2
min-occurrences: 2
goheader:
template: |-
Copyright 2020-2025 Project Capsule Authors
SPDX-License-Identifier: Apache-2.0
inamedparam:
skip-single-param: true
nakedret:
max-func-lines: 50
exclusions:
generated: lax
presets:
- comments
- common-false-positives
- legacy
- std-error-handling
paths:
- zz_.*\.go$
- .+\.generated.go
- .+_test.go
- .+_test_.+.go
- third_party$
- builtin$
- examples$
rules:
- path: pkg/meta/
linters:
- dupl
formatters:
enable:
- gci
- gofmt
- gofumpt
- goimports
settings:
gci:
sections:
- standard
- default
- prefix(github.com/projectcapsule/capsule)
gofumpt:
module-path: github.com/projectcapsule/capsule
extra-rules: false
exclusions:
generated: lax
paths:
- zz_.*\.go$
- .+\.generated.go
- .+_test.go
- .+_test_.+.go
- third_party$
- builtin$
- examples$

60
.golangci.yml Normal file
View File

@@ -0,0 +1,60 @@
linters-settings:
dupl:
threshold: 100
goconst:
min-len: 2
min-occurrences: 2
cyclop:
max-complexity: 27
gocognit:
min-complexity: 50
gci:
sections:
- standard
- default
- prefix(github.com/projectcapsule/capsule)
goheader:
template: |-
Copyright 2020-2023 Project Capsule Authors.
SPDX-License-Identifier: Apache-2.0
gofumpt:
module-path: github.com/projectcapsule/capsule
extra-rules: false
inamedparam:
# Skips check for interface methods with only a single parameter.
# Default: false
skip-single-param: true
nakedret:
# Make an issue if func has more lines of code than this setting, and it has naked returns.
max-func-lines: 50
linters:
enable-all: true
disable:
- err113
- depguard
- perfsprint
- funlen
- gochecknoinits
- lll
- gochecknoglobals
- mnd
- nilnil
- recvcheck
- unparam
- paralleltest
- ireturn
- testpackage
- varnamelen
- wrapcheck
- exhaustruct
- nonamedreturns
issues:
exclude-files:
- "zz_.*\\.go$"
- ".+\\.generated.go"
- ".+_test.go"
- ".+_test_.+.go"
run:
timeout: 3m
allow-parallel-runners: true
tests: false

View File

@@ -8,8 +8,7 @@ before:
gomod:
proxy: false
builds:
- id: "{{ .ProjectName }}"
main: ./cmd/
- main: .
binary: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
env:
- CGO_ENABLED=0
@@ -29,26 +28,6 @@ builds:
-X main.GitDirty={{ .Date }}
-X main.BuildTime={{ .Date }}
-X main.GitRepo={{ .ProjectName }}
# - id: "{{ .ProjectName }}-wasm"
# main: ./cmd/
# binary: "{{ .ProjectName }}.wasm"
# env:
# - CGO_ENABLED=0
# goos:
# - js
# goarch:
# - wasm
# flags:
# - -trimpath
# mod_timestamp: '{{ .CommitTimestamp }}'
# ldflags:
# - >-
# -X main.Version={{ .Tag }}
# -X main.GitCommit={{ .Commit }}
# -X main.GitTag={{ .Tag }}
# -X main.GitDirty={{ .Date }}
# -X main.BuildTime={{ .Date }}
# -X main.GitRepo={{ .ProjectName }}
release:
prerelease: auto
footer: |
@@ -65,20 +44,20 @@ release:
[Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes)
> [!IMPORTANT]
> **Kubernetes compatibility**
>
> Note that the Capsule project offers support only for the latest minor version of Kubernetes.
> Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).
>
> | Kubernetes version | Minimum required |
> |--------------------|------------------|
> | `v1.33` | `>= 1.33.0` |
**Kubernetes compatibility**
[!IMPORTANT]
Note that the Capsule project offers support only for the latest minor version of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).
| Kubernetes version | Minimum required |
|--------------------|------------------|
| `v1.31` | `>= 1.31.0` |
Thanks to all the contributors! 🚀 🦄
extra_files:
- glob: ./capsule-seccomp.json
# extra_files:
# - glob: ./capsule-seccomp.json
checksum:
name_template: 'checksums.txt'
changelog:
@@ -95,27 +74,26 @@ changelog:
- Merge branch
groups:
# https://github.com/conventional-changelog/commitlint/tree/master/%40commitlint/config-conventional
- title: '🛠 Dependency updates'
regexp: '^fix\(deps\):|^feat\(deps\):'
order: 300
- title: '✨ New Features'
regexp: '^feat(\([^)]*\))?:'
order: 100
- title: '🐛 Bug fixes'
regexp: '^fix(\([^)]*\))?:'
order: 200
- title: '📖 Documentation updates'
regexp: '^docs(\([^)]*\))?:'
order: 400
- title: '🛡️ Security updates'
regexp: '^sec(\([^)]*\))?:'
order: 500
- title: '🚀 Build process updates'
regexp: '^(build|ci)(\([^)]*\))?:'
order: 600
- title: '📦 Other work'
regexp: '^chore(\([^)]*\))?:|^chore:'
order: 9999
- title: '🛠 Dependency updates'
regexp: '^.*?(feat|fix)\(deps\)!?:.+$'
order: 300
- title: '✨ New Features'
regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
order: 100
- title: '🐛 Bug fixes'
regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
order: 200
- title: '📖 Documentation updates'
regexp: ^.*?docs(\([[:word:]]+\))??!?:.+$
order: 400
- title: '🛡️ Security updates'
regexp: ^.*?(sec)(\([[:word:]]+\))??!?:.+$
order: 500
- title: '🚀 Build process updates'
regexp: ^.*?(build|ci)(\([[:word:]]+\))??!?:.+$
order: 600
- title: '📦 Other work'
order: 9999
sboms:
- artifacts: archive
signs:

View File

@@ -4,6 +4,6 @@ defaultPlatforms:
- linux/arm
builds:
- id: capsule
main: ./cmd/
main: ./
ldflags:
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'

View File

@@ -1,14 +0,0 @@
nwa:
cmd: "update"
holder: "Project Capsule Authors"
year: "2020-2025"
spdxids: "Apache-2.0"
path:
- "pkg/**/*.go"
- "cmd/**/*.go"
- "api/**/*.go"
- "controllers/**/*.go"
- "main.go"
mute: false
verbose: true
fuzzy: true

View File

@@ -9,11 +9,12 @@ repos:
rev: v5.0.0
hooks:
- id: check-executables-have-shebangs
- id: check-yaml
- id: double-quote-string-fixer
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/adrienverge/yamllint
rev: v1.37.1
rev: v1.37.0
hooks:
- id: yamllint
args: [-c=.github/configs/lintconf.yaml]
@@ -39,8 +40,3 @@ repos:
entry: make golint
language: system
files: \.go$
- id: go-test
name: Execute go test
entry: make test
language: system
files: \.go$

View File

@@ -2,13 +2,14 @@
This is a list of companies that have adopted Capsule, feel free to open a Pull-Request to get yours listed.
[See all on the website](https://projectcapsule.dev/adopters/)
## Adopters list (alphabetically)
### [Bedag Informatik AG](https://www.bedag.ch/)
![Bedag](https://www.bedag.ch/wGlobal/wGlobal/layout/images/logo.svg)
### [Begasoft AG](https://www.begasoft.ch)
![Begasoft](./assets/adopters/begasoft.png)
### [Department of Defense](https://www.defense.gov/)
![United States Department of Defense](https://www.access-board.gov/images/dod-seal.png)

View File

@@ -5,7 +5,7 @@ FROM ${TARGET_IMAGE} AS target
# Inject Harpoon Image
FROM ghcr.io/alegrey91/harpoon:latest
WORKDIR /
COPY --from=target /ko-app/cmd ./manager
COPY --from=target /ko-app/capsule ./manager
RUN chmod +x ./harpoon
ENTRYPOINT ["/harpoon", \
"capture", \

View File

@@ -6,7 +6,6 @@ The current Maintainers Group for the [TODO: Projectname] Project consists of:
| Dario Tranchitella | Clastix | Maintainer |
| Maksim Fedotov | Wargaming | Maintainer |
| Oliver Bähler | Peak Scale | Maintainer |
| Hristo Hristov | Vaerolabs | Maintainer |
| Massimiliano Giovagnoli | Proximus | Maintainer |
This list must be kept in sync with the [CNCF Project Maintainers list](https://github.com/cncf/foundation/blob/master/project-maintainers.csv).

View File

@@ -19,7 +19,7 @@ CAPSULE_IMG ?= $(REGISTRY)/$(IMG_BASE)
CLUSTER_NAME ?= capsule
## Kubernetes Version Support
KUBERNETES_SUPPORTED_VERSION ?= "v1.33.0"
KUBERNETES_SUPPORTED_VERSION ?= "v1.31.0"
## Tool Binaries
KUBECTL ?= kubectl
@@ -46,7 +46,7 @@ all: manager
# Run tests
.PHONY: test
test: test-clean generate manifests test-clean
@GO111MODULE=on go test -v $(shell go list ./... | grep -v "e2e") -coverprofile coverage.out
@GO111MODULE=on go test -v ./... -coverprofile coverage.out
.PHONY: test-clean
test-clean: ## Clean tests cache
@@ -68,11 +68,6 @@ manifests: generate
generate: controller-gen
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
# Generate License Header
license-headers: nwa
$(NWA) config
# Helm
SRC_ROOT = $(shell git rev-parse --show-toplevel)
@@ -87,7 +82,7 @@ helm-lint: ct
@$(CT) lint --config .github/configs/ct.yaml --validate-yaml=false --all --debug
helm-schema: helm-plugin-schema
cd charts/capsule && $(HELM) schema --use-helm-docs
cd charts/capsule && $(HELM) schema -output values.schema.json
helm-test: HELM_KIND_CONFIG ?= ""
helm-test: kind
@@ -101,7 +96,6 @@ helm-test-exec: ct helm-controller-version ko-build-all
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
@$(KUBECTL) create ns capsule-system || true
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/grafana/grafana-operator/releases/download/v5.18.0/crds.yaml
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
@@ -184,7 +178,7 @@ LD_FLAGS := "-X main.Version=$(VERSION) \
ko-build-capsule: ko
@echo Building Capsule $(KO_TAGS) for $(KO_PLATFORM) >&2
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
$(KO) build ./cmd/ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
.PHONY: ko-build-all
ko-build-all: ko-build-capsule
@@ -210,7 +204,7 @@ ko-login: ko
.PHONY: ko-publish-capsule
ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
$(KO) build ./cmd/ --bare --tags=$(KO_TAGS)
$(KO) build ./ --bare --tags=$(KO_TAGS)
.PHONY: ko-publish-all
ko-publish-all: ko-publish-capsule
@@ -223,27 +217,15 @@ goimports:
# Linting code as PR is expecting
.PHONY: golint
golint: golangci-lint
$(GOLANGCI_LINT) run -c .golangci.yaml --verbose
.PHONY: golint-fix
golint-fix: golangci-lint
$(GOLANGCI_LINT) run -c .golangci.yaml --verbose --fix
$(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
# Running e2e tests in a KinD instance
.PHONY: e2e
e2e: ginkgo
$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
API_GW := none
API_GW_VERSION := v1.3.0
API_GW_LOOKUP := kubernetes-sigs/gateway-api/
e2e-install-deps:
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/$(API_GW_LOOKUP)/releases/download/$(API_GW_VERSION)/standard-install.yaml
e2e-build: kind
$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
$(MAKE) e2e-install-deps
$(MAKE) e2e-install
.PHONY: e2e-install
@@ -284,7 +266,6 @@ trace-e2e: kind
$(KIND) create cluster --wait=60s --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config hack/kind-cluster.yml
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-tracing IMAGE=$(CAPSULE_IMG) VERSION=tracing
$(MAKE) trace-install
$(MAKE) e2e-install-deps
$(MAKE) e2e-exec
$(KIND) delete cluster --name capsule-tracing
@@ -344,7 +325,7 @@ helm-doc:
# -- Tools
####################
CONTROLLER_GEN := $(LOCALBIN)/controller-gen
CONTROLLER_GEN_VERSION ?= v0.18.0
CONTROLLER_GEN_VERSION ?= v0.17.3
CONTROLLER_GEN_LOOKUP := kubernetes-sigs/controller-tools
controller-gen:
@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
@@ -355,39 +336,32 @@ ginkgo:
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
CT := $(LOCALBIN)/ct
CT_VERSION := v3.13.0
CT_VERSION := v3.12.0
CT_LOOKUP := helm/chart-testing
ct:
@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
KIND := $(LOCALBIN)/kind
KIND_VERSION := v0.29.0
KIND_VERSION := v0.27.0
KIND_LOOKUP := kubernetes-sigs/kind
kind:
@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KO := $(LOCALBIN)/ko
KO_VERSION := v0.18.0
KO_VERSION := v0.17.1
KO_LOOKUP := google/ko
ko:
@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
NWA := $(LOCALBIN)/nwa
NWA_VERSION := v0.7.5
NWA_LOOKUP := B1NARY-GR0UP/nwa
nwa:
@test -s $(NWA) && $(NWA) -h | grep -q $(NWA_VERSION) || \
$(call go-install-tool,$(NWA),github.com/$(NWA_LOOKUP)@$(NWA_VERSION))
GOLANGCI_LINT := $(LOCALBIN)/golangci-lint
GOLANGCI_LINT_VERSION := v2.3.0
GOLANGCI_LINT_VERSION := v1.64.5
GOLANGCI_LINT_LOOKUP := golangci/golangci-lint
golangci-lint: ## Download golangci-lint locally if necessary.
@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
APIDOCS_GEN := $(LOCALBIN)/crdoc
APIDOCS_GEN_VERSION := v0.6.4
@@ -397,7 +371,7 @@ apidocs-gen: ## Download crdoc locally if necessary.
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
HARPOON := $(LOCALBIN)/harpoon
HARPOON_VERSION := v0.10.2
HARPOON_VERSION := v0.9.6
HARPOON_LOOKUP := alegrey91/harpoon
harpoon:
@mkdir $(LOCALBIN)

22
PROJECT
View File

@@ -1,10 +1,6 @@
# Code generated by tool. DO NOT EDIT.
# This file is used to track the info used to scaffold your project
# and allow the plugins properly work.
# More info: https://book.kubebuilder.io/reference/project-config.html
domain: clastix.io
layout:
- go.kubebuilder.io/v4
- go.kubebuilder.io/v3
plugins:
manifests.sdk.operatorframework.io/v2: {}
scorecard.sdk.operatorframework.io/v2: {}
@@ -48,20 +44,4 @@ resources:
kind: GlobalTenantResource
path: github.com/projectcapsule/capsule/api/v1beta2
version: v1beta2
- api:
crdVersion: v1
domain: clastix.io
group: capsule
kind: ResourcePool
path: github.com/projectcapsule/capsule/api/v1beta2
version: v1beta2
- api:
crdVersion: v1
namespaced: true
controller: true
domain: clastix.io
group: capsule
kind: ResourcePoolClaim
path: github.com/projectcapsule/capsule/api/v1beta2
version: v1beta2
version: "3"

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
// Package v1beta1 contains API Schema definitions for the capsule v1beta1 API group

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1
@@ -65,8 +65,7 @@ func (in *Tenant) Hub() {}
type TenantList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []Tenant `json:"items"`
Items []Tenant `json:"items"`
}
func init() {

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta1

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -71,8 +71,7 @@ type CapsuleConfiguration struct {
type CapsuleConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []CapsuleConfiguration `json:"items"`
Items []CapsuleConfiguration `json:"items"`
}
func init() {

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,12 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"github.com/projectcapsule/capsule/pkg/api"
)
type GatewayOptions struct {
AllowedClasses *api.SelectionListWithDefaultSpec `json:"allowedClasses,omitempty"`
}

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
// Package v1beta2 contains API Schema definitions for the capsule v1beta2 API group

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -13,8 +13,6 @@ type NamespaceOptions struct {
Quota *int32 `json:"quota,omitempty"`
// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
AdditionalMetadata *api.AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional.
AdditionalMetadataList []api.AdditionalMetadataSelectorSpec `json:"additionalMetadataList,omitempty"`
// Define the labels that a Tenant Owner cannot set for their Namespace resources.
ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitempty"`
// Define the annotations that a Tenant Owner cannot set for their Namespace resources.

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,276 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"errors"
"sort"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
"github.com/projectcapsule/capsule/pkg/api"
)
func (r *ResourcePool) AssignNamespaces(namespaces []corev1.Namespace) {
var l []string
for _, ns := range namespaces {
if ns.Status.Phase == corev1.NamespaceActive && ns.DeletionTimestamp == nil {
l = append(l, ns.GetName())
}
}
sort.Strings(l)
r.Status.NamespaceSize = uint(len(l))
r.Status.Namespaces = l
}
func (r *ResourcePool) AssignClaims() {
var size uint
for _, claims := range r.Status.Claims {
for range claims {
size++
}
}
r.Status.ClaimSize = size
}
func (r *ResourcePool) GetClaimFromStatus(cl *ResourcePoolClaim) *ResourcePoolClaimsItem {
ns := cl.Namespace
claims := r.Status.Claims[ns]
if claims == nil {
return nil
}
for _, claim := range claims {
if claim.UID == cl.UID {
return claim
}
}
return nil
}
func (r *ResourcePool) AddClaimToStatus(claim *ResourcePoolClaim) {
ns := claim.Namespace
if r.Status.Claims == nil {
r.Status.Claims = ResourcePoolNamespaceClaimsStatus{}
}
if r.Status.Allocation.Claimed == nil {
r.Status.Allocation.Claimed = corev1.ResourceList{}
}
claims := r.Status.Claims[ns]
if claims == nil {
claims = ResourcePoolClaimsList{}
}
scl := &ResourcePoolClaimsItem{
StatusNameUID: api.StatusNameUID{
UID: claim.UID,
Name: api.Name(claim.Name),
},
Claims: claim.Spec.ResourceClaims,
}
// Try to update existing entry if UID matches
exists := false
for i, cl := range claims {
if cl.UID == claim.UID {
claims[i] = scl
exists = true
break
}
}
if !exists {
claims = append(claims, scl)
}
r.Status.Claims[ns] = claims
r.CalculateClaimedResources()
}
func (r *ResourcePool) RemoveClaimFromStatus(claim *ResourcePoolClaim) {
newClaims := ResourcePoolClaimsList{}
claims, ok := r.Status.Claims[claim.Namespace]
if !ok {
return
}
for _, cl := range claims {
if cl.UID != claim.UID {
newClaims = append(newClaims, cl)
}
}
r.Status.Claims[claim.Namespace] = newClaims
if len(newClaims) == 0 {
delete(r.Status.Claims, claim.Namespace)
}
}
func (r *ResourcePool) CalculateClaimedResources() {
usage := corev1.ResourceList{}
for res := range r.Status.Allocation.Hard {
usage[res] = resource.MustParse("0")
}
for _, claims := range r.Status.Claims {
for _, claim := range claims {
for resourceName, qt := range claim.Claims {
amount, exists := usage[resourceName]
if !exists {
amount = resource.MustParse("0")
}
amount.Add(qt)
usage[resourceName] = amount
}
}
}
r.Status.Allocation.Claimed = usage
r.CalculateAvailableResources()
}
func (r *ResourcePool) CalculateAvailableResources() {
available := corev1.ResourceList{}
for res, qt := range r.Status.Allocation.Hard {
amount, exists := r.Status.Allocation.Claimed[res]
if exists {
qt.Sub(amount)
}
available[res] = qt
}
r.Status.Allocation.Available = available
}
func (r *ResourcePool) CanClaimFromPool(claim corev1.ResourceList) []error {
claimable := r.GetAvailableClaimableResources()
errs := []error{}
for resourceName, req := range claim {
available, exists := claimable[resourceName]
if !exists || available.IsZero() || available.Cmp(req) < 0 {
errs = append(errs, errors.New("not enough resources"+string(resourceName)+"available"))
}
}
return errs
}
func (r *ResourcePool) GetAvailableClaimableResources() corev1.ResourceList {
hard := r.Status.Allocation.Hard.DeepCopy()
for resourceName, qt := range hard {
claimed, exists := r.Status.Allocation.Claimed[resourceName]
if !exists {
claimed = resource.MustParse("0")
}
qt.Sub(claimed)
hard[resourceName] = qt
}
return hard
}
// Gets the Hard specification for the resourcequotas
// This takes into account the default resources being used. However they don't count towards the claim usage
// This can be changed in the future, the default is not calculated as usage because this might interrupt the namespace management
// As we would need to verify if a new namespace with it's defaults still has place in the Pool. Same with attempting to join existing namespaces.
func (r *ResourcePool) GetResourceQuotaHardResources(namespace string) corev1.ResourceList {
_, claimed := r.GetNamespaceClaims(namespace)
for resourceName, amount := range claimed {
if amount.IsZero() {
delete(claimed, resourceName)
}
}
// Only Consider Default, when enabled
for resourceName, amount := range r.Spec.Defaults {
usedValue := claimed[resourceName]
usedValue.Add(amount)
claimed[resourceName] = usedValue
}
return claimed
}
// Gets the total amount of claimed resources for a namespace.
func (r *ResourcePool) GetNamespaceClaims(namespace string) (claims map[string]*ResourcePoolClaimsItem, claimedResources corev1.ResourceList) {
claimedResources = corev1.ResourceList{}
claims = map[string]*ResourcePoolClaimsItem{}
// First, check if quota exists in the status
for ns, cl := range r.Status.Claims {
if ns != namespace {
continue
}
for _, claim := range cl {
for resourceName, claimed := range claim.Claims {
usedValue, usedExists := claimedResources[resourceName]
if !usedExists {
usedValue = resource.MustParse("0") // Default to zero if no used value is found
}
// Combine with claim
usedValue.Add(claimed)
claimedResources[resourceName] = usedValue
}
claims[string(claim.UID)] = claim
}
}
return
}
// Calculate usage for each namespace.
func (r *ResourcePool) GetClaimedByNamespaceClaims() (claims map[string]corev1.ResourceList) {
claims = map[string]corev1.ResourceList{}
// First, check if quota exists in the status
for ns, cl := range r.Status.Claims {
claims[ns] = corev1.ResourceList{}
nsScope := claims[ns]
for _, claim := range cl {
for resourceName, claimed := range claim.Claims {
usedValue, usedExists := nsScope[resourceName]
if !usedExists {
usedValue = resource.MustParse("0")
}
usedValue.Add(claimed)
nsScope[resourceName] = usedValue
}
}
}
return
}

View File

@@ -1,295 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"testing"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"github.com/projectcapsule/capsule/pkg/api"
"github.com/projectcapsule/capsule/pkg/meta"
"github.com/stretchr/testify/assert"
)
func TestGetClaimFromStatus(t *testing.T) {
ns := "test-namespace"
testUID := types.UID("test-uid")
otherUID := types.UID("wrong-uid")
claim := &ResourcePoolClaim{
ObjectMeta: metav1.ObjectMeta{
Name: "claim-a",
Namespace: ns,
UID: testUID,
},
}
pool := &ResourcePool{
Status: ResourcePoolStatus{
Claims: ResourcePoolNamespaceClaimsStatus{
ns: {
&ResourcePoolClaimsItem{
StatusNameUID: api.StatusNameUID{
UID: testUID,
},
Claims: corev1.ResourceList{
corev1.ResourceCPU: resource.MustParse("500m"),
corev1.ResourceMemory: resource.MustParse("256Mi"),
},
},
},
},
},
}
t.Run("returns matching claim", func(t *testing.T) {
found := pool.GetClaimFromStatus(claim)
assert.NotNil(t, found)
assert.Equal(t, testUID, found.UID)
})
t.Run("returns nil if UID doesn't match", func(t *testing.T) {
claimWrongUID := *claim
claimWrongUID.UID = otherUID
found := pool.GetClaimFromStatus(&claimWrongUID)
assert.Nil(t, found)
})
t.Run("returns nil if namespace has no claims", func(t *testing.T) {
claimWrongNS := *claim
claimWrongNS.Namespace = "other-ns"
found := pool.GetClaimFromStatus(&claimWrongNS)
assert.Nil(t, found)
})
}
func makeResourceList(cpu, memory string) corev1.ResourceList {
return corev1.ResourceList{
corev1.ResourceLimitsCPU: resource.MustParse(cpu),
corev1.ResourceLimitsMemory: resource.MustParse(memory),
}
}
func makeClaim(name, ns string, uid types.UID, res corev1.ResourceList) *ResourcePoolClaim {
return &ResourcePoolClaim{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: ns,
UID: uid,
},
Spec: ResourcePoolClaimSpec{
ResourceClaims: res,
},
}
}
func TestAssignNamespaces(t *testing.T) {
pool := &ResourcePool{}
namespaces := []corev1.Namespace{
{ObjectMeta: metav1.ObjectMeta{Name: "active-ns"}, Status: corev1.NamespaceStatus{Phase: corev1.NamespaceActive}},
{ObjectMeta: metav1.ObjectMeta{Name: "terminating-ns", DeletionTimestamp: &metav1.Time{}}, Status: corev1.NamespaceStatus{Phase: corev1.NamespaceTerminating}},
}
pool.AssignNamespaces(namespaces)
assert.Equal(t, uint(1), pool.Status.NamespaceSize)
assert.Equal(t, []string{"active-ns"}, pool.Status.Namespaces)
}
func TestAssignClaims(t *testing.T) {
pool := &ResourcePool{
Status: ResourcePoolStatus{
Claims: ResourcePoolNamespaceClaimsStatus{
"ns": {
&ResourcePoolClaimsItem{},
&ResourcePoolClaimsItem{},
},
},
},
}
pool.AssignClaims()
assert.Equal(t, uint(2), pool.Status.ClaimSize)
}
func TestAddRemoveClaimToStatus(t *testing.T) {
pool := &ResourcePool{}
claim := makeClaim("claim-1", "ns", "uid-1", makeResourceList("1", "1Gi"))
pool.AddClaimToStatus(claim)
stored := pool.GetClaimFromStatus(claim)
assert.NotNil(t, stored)
assert.Equal(t, api.Name("claim-1"), stored.Name)
pool.RemoveClaimFromStatus(claim)
assert.Nil(t, pool.GetClaimFromStatus(claim))
}
func TestCalculateResources(t *testing.T) {
pool := &ResourcePool{
Status: ResourcePoolStatus{
Allocation: ResourcePoolQuotaStatus{
Hard: corev1.ResourceList{
corev1.ResourceLimitsCPU: resource.MustParse("2"),
},
},
Claims: ResourcePoolNamespaceClaimsStatus{
"ns": {
&ResourcePoolClaimsItem{
Claims: corev1.ResourceList{
corev1.ResourceLimitsCPU: resource.MustParse("1"),
},
},
},
},
},
}
pool.CalculateClaimedResources()
actualClaimed := pool.Status.Allocation.Claimed[corev1.ResourceLimitsCPU]
actualAvailable := pool.Status.Allocation.Available[corev1.ResourceLimitsCPU]
assert.Equal(t, 0, (&actualClaimed).Cmp(resource.MustParse("1")))
assert.Equal(t, 0, (&actualAvailable).Cmp(resource.MustParse("1")))
}
func TestCanClaimFromPool(t *testing.T) {
pool := &ResourcePool{
Status: ResourcePoolStatus{
Allocation: ResourcePoolQuotaStatus{
Hard: corev1.ResourceList{
corev1.ResourceLimitsMemory: resource.MustParse("1Gi"),
},
Claimed: corev1.ResourceList{
corev1.ResourceLimitsMemory: resource.MustParse("512Mi"),
},
},
},
}
errs := pool.CanClaimFromPool(corev1.ResourceList{
corev1.ResourceLimitsMemory: resource.MustParse("1Gi"),
})
assert.Len(t, errs, 1)
errs = pool.CanClaimFromPool(corev1.ResourceList{
corev1.ResourceLimitsMemory: resource.MustParse("500Mi"),
})
assert.Len(t, errs, 0)
}
func TestGetResourceQuotaHardResources(t *testing.T) {
pool := &ResourcePool{
Spec: ResourcePoolSpec{
Defaults: corev1.ResourceList{
corev1.ResourceLimitsCPU: resource.MustParse("1"),
},
},
Status: ResourcePoolStatus{
Claims: ResourcePoolNamespaceClaimsStatus{
"ns": {
&ResourcePoolClaimsItem{
Claims: corev1.ResourceList{
corev1.ResourceLimitsCPU: resource.MustParse("1"),
},
},
},
},
},
}
res := pool.GetResourceQuotaHardResources("ns")
actual := res[corev1.ResourceLimitsCPU]
assert.Equal(t, 0, (&actual).Cmp(resource.MustParse("2")))
}
func TestGetNamespaceClaims(t *testing.T) {
pool := &ResourcePool{
Status: ResourcePoolStatus{
Claims: ResourcePoolNamespaceClaimsStatus{
"ns": {
&ResourcePoolClaimsItem{
StatusNameUID: api.StatusNameUID{UID: "uid1"},
Claims: corev1.ResourceList{
corev1.ResourceLimitsCPU: resource.MustParse("1"),
},
},
},
},
},
}
claims, res := pool.GetNamespaceClaims("ns")
assert.Contains(t, claims, "uid1")
actual := res[corev1.ResourceLimitsCPU]
assert.Equal(t, 0, (&actual).Cmp(resource.MustParse("1")))
}
func TestGetClaimedByNamespaceClaims(t *testing.T) {
pool := &ResourcePool{
Status: ResourcePoolStatus{
Claims: ResourcePoolNamespaceClaimsStatus{
"ns1": {
&ResourcePoolClaimsItem{
Claims: makeResourceList("1", "1Gi"),
},
},
},
},
}
result := pool.GetClaimedByNamespaceClaims()
actualCPU := result["ns1"][corev1.ResourceLimitsCPU]
actualMem := result["ns1"][corev1.ResourceLimitsMemory]
assert.Equal(t, 0, (&actualCPU).Cmp(resource.MustParse("1")))
assert.Equal(t, 0, (&actualMem).Cmp(resource.MustParse("1Gi")))
}
func TestIsBoundToResourcePool_2(t *testing.T) {
t.Run("bound to resource pool (Assigned=True)", func(t *testing.T) {
claim := &ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionTrue,
},
},
}
assert.Equal(t, true, claim.IsBoundToResourcePool())
})
t.Run("not bound - wrong condition type", func(t *testing.T) {
claim := &ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Condition: metav1.Condition{
Type: "Other",
Status: metav1.ConditionTrue,
},
},
}
assert.Equal(t, false, claim.IsBoundToResourcePool())
})
t.Run("not bound - condition not true", func(t *testing.T) {
claim := &ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionFalse,
},
},
}
assert.Equal(t, false, claim.IsBoundToResourcePool())
})
}

View File

@@ -1,65 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
"github.com/projectcapsule/capsule/pkg/api"
)
// GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.
type ResourcePoolStatus struct {
// How many namespaces are considered
// +kubebuilder:default=0
NamespaceSize uint `json:"namespaceCount,omitempty"`
// Amount of claims
// +kubebuilder:default=0
ClaimSize uint `json:"claimCount,omitempty"`
// Namespaces which are considered for claims
Namespaces []string `json:"namespaces,omitempty"`
// Tracks the quotas for the Resource.
Claims ResourcePoolNamespaceClaimsStatus `json:"claims,omitempty"`
// Tracks the Usage from Claimed against what has been granted from the pool
Allocation ResourcePoolQuotaStatus `json:"allocation,omitempty"`
// Exhaustions from claims associated with the pool
Exhaustions map[string]api.PoolExhaustionResource `json:"exhaustions,omitempty"`
}
type ResourcePoolNamespaceClaimsStatus map[string]ResourcePoolClaimsList
type ResourcePoolQuotaStatus struct {
// Hard is the set of enforced hard limits for each named resource.
// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
// +optional
Hard corev1.ResourceList `json:"hard,omitempty" protobuf:"bytes,1,rep,name=hard,casttype=ResourceList,castkey=ResourceName"`
// Used is the current observed total usage of the resource in the namespace.
// +optional
Claimed corev1.ResourceList `json:"used,omitempty" protobuf:"bytes,2,rep,name=used,casttype=ResourceList,castkey=ResourceName"`
// Used to track the usage of the resource in the pool (diff hard - claimed). May be used for further automation
// +optional
Available corev1.ResourceList `json:"available,omitempty" protobuf:"bytes,2,rep,name=available,casttype=ResourceList,castkey=ResourceName"`
}
type ResourcePoolClaimsList []*ResourcePoolClaimsItem
func (r *ResourcePoolClaimsList) GetClaimByUID(uid types.UID) *ResourcePoolClaimsItem {
for _, claim := range *r {
if claim.UID == uid {
return claim
}
}
return nil
}
// ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
type ResourcePoolClaimsItem struct {
// Reference to the GlobalQuota being claimed from
api.StatusNameUID `json:",inline"`
// Claimed resources
Claims corev1.ResourceList `json:"claims,omitempty"`
}

View File

@@ -1,77 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
)
// ResourcePoolSpec.
type ResourcePoolSpec struct {
// Selector to match the namespaces that should be managed by the GlobalResourceQuota
Selectors []api.NamespaceSelector `json:"selectors,omitempty"`
// Define the resourcequota served by this resourcepool.
Quota corev1.ResourceQuotaSpec `json:"quota"`
// The Defaults given for each namespace, the default is not counted towards the total allocation
// When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources
Defaults corev1.ResourceList `json:"defaults,omitempty"`
// Additional Configuration
//+kubebuilder:default:={}
Config ResourcePoolSpecConfiguration `json:"config,omitempty"`
}
type ResourcePoolSpecConfiguration struct {
// With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
// +kubebuilder:default=false
DefaultsAssignZero *bool `json:"defaultsZero,omitempty"`
// Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
// creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
// but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
// it's priority was lower
// Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
// other claim can claim the same resources with lower priority.
// +kubebuilder:default=false
OrderedQueue *bool `json:"orderedQueue,omitempty"`
// When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
// +kubebuilder:default=false
DeleteBoundResources *bool `json:"deleteBoundResources,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Cluster,shortName=quotapool
// +kubebuilder:printcolumn:name="Claims",type="integer",JSONPath=".status.claimCount",description="The total amount of Claims bound"
// +kubebuilder:printcolumn:name="Namespaces",type="integer",JSONPath=".status.namespaceCount",description="The total amount of Namespaces considered"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
// Resourcepools allows you to define a set of resources as known from ResoureQuotas. The Resourcepools are defined at cluster-scope an should
// be administrated by cluster-administrators. However they create an interface, where cluster-administrators can define
// from which namespaces resources from a Resourcepool can be claimed. The claiming is done via a namespaced CRD called ResourcePoolClaim. Then
// it's up the group of users within these namespaces, to manage the resources they consume per namespace. Each Resourcepool provisions a ResourceQuotainto all the selected namespaces. Then essentially the ResourcePoolClaims, when they can be assigned to the ResourcePool stack resources on top of that
// ResourceQuota based on the namspace, where the ResourcePoolClaim was made from.
type ResourcePool struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec ResourcePoolSpec `json:"spec,omitempty"`
Status ResourcePoolStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// ResourcePoolList contains a list of ResourcePool.
type ResourcePoolList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ResourcePool `json:"items"`
}
func init() {
SchemeBuilder.Register(&ResourcePool{}, &ResourcePoolList{})
}

View File

@@ -1,20 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/meta"
)
// Indicate the claim is bound to a resource pool.
func (r *ResourcePoolClaim) IsBoundToResourcePool() bool {
if r.Status.Condition.Type == meta.BoundCondition &&
r.Status.Condition.Status == metav1.ConditionTrue {
return true
}
return false
}

View File

@@ -1,71 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"testing"
"github.com/projectcapsule/capsule/pkg/meta"
"github.com/stretchr/testify/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func TestIsBoundToResourcePool(t *testing.T) {
tests := []struct {
name string
claim ResourcePoolClaim
expected bool
}{
{
name: "bound to resource pool (Assigned=True)",
claim: ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionTrue,
},
},
},
expected: true,
},
{
name: "not bound - wrong condition type",
claim: ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Condition: metav1.Condition{
Type: "SomethingElse",
Status: metav1.ConditionTrue,
},
},
},
expected: false,
},
{
name: "not bound - status not true",
claim: ResourcePoolClaim{
Status: ResourcePoolClaimStatus{
Condition: metav1.Condition{
Type: meta.BoundCondition,
Status: metav1.ConditionFalse,
},
},
},
expected: false,
},
{
name: "not bound - empty condition",
claim: ResourcePoolClaim{
Status: ResourcePoolClaimStatus{},
},
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
actual := tt.claim.IsBoundToResourcePool()
assert.Equal(t, tt.expected, actual)
})
}
}

View File

@@ -1,59 +0,0 @@
// Copyright 2020-2025 Project Capsule Authors
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcapsule/capsule/pkg/api"
)
type ResourcePoolClaimSpec struct {
// If there's the possability to claim from multiple global Quotas
// You must be specific about which one you want to claim resources from
// Once bound to a ResourcePool, this field is immutable
Pool string `json:"pool"`
// Amount which should be claimed for the resourcequota
ResourceClaims corev1.ResourceList `json:"claim"`
}
// ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
type ResourcePoolClaimStatus struct {
// Reference to the GlobalQuota being claimed from
Pool api.StatusNameUID `json:"pool,omitempty"`
// Condtion for this resource claim
Condition metav1.Condition `json:"condition,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Pool",type="string",JSONPath=".status.pool.name",description="The ResourcePool being claimed from"
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.condition.type",description="Status for claim"
// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.condition.reason",description="Reason for status"
// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.condition.message",description="Condition Message"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
// ResourcePoolClaim is the Schema for the resourcepoolclaims API.
type ResourcePoolClaim struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec ResourcePoolClaimSpec `json:"spec,omitempty"`
Status ResourcePoolClaimStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// ResourceQuotaClaimList contains a list of ResourceQuotaClaim.
type ResourcePoolClaimList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ResourcePoolClaim `json:"items"`
}
func init() {
SchemeBuilder.Register(&ResourcePoolClaim{}, &ResourcePoolClaimList{})
}

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -49,8 +49,6 @@ type TenantSpec struct {
// A default value can be specified, and all the Pod resources created will inherit the declared class.
// Optional.
PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
// Specifies options for the GatewayClass resources.
GatewayOptions GatewayOptions `json:"gatewayOptions,omitempty"`
// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
//+kubebuilder:default:=false
Cordoned bool `json:"cordoned,omitempty"`
@@ -102,8 +100,7 @@ func (in *Tenant) GetNamespaces() (res []string) {
type TenantList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []Tenant `json:"items"`
Items []Tenant `json:"items"`
}
func init() {

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -10,10 +10,9 @@ import (
// GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
type GlobalTenantResourceSpec struct {
TenantResourceSpec `json:",inline"`
// Defines the Tenant selector used target the tenants on which resources must be propagated.
TenantSelector metav1.LabelSelector `json:"tenantSelector,omitempty"`
TenantSelector metav1.LabelSelector `json:"tenantSelector,omitempty"`
TenantResourceSpec `json:",inline"`
}
// GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
@@ -55,8 +54,7 @@ type GlobalTenantResource struct {
type GlobalTenantResourceList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GlobalTenantResource `json:"items"`
Items []GlobalTenantResource `json:"items"`
}
func init() {

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -69,8 +69,7 @@ type TenantResource struct {
type TenantResourceList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []TenantResource `json:"items"`
Items []TenantResource `json:"items"`
}
func init() {

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2
@@ -23,7 +23,6 @@ type ObjectReferenceAbstract struct {
type ObjectReferenceStatus struct {
ObjectReferenceAbstract `json:",inline"`
// Name of the referent.
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
Name string `json:"name"`
@@ -31,7 +30,6 @@ type ObjectReferenceStatus struct {
type ObjectReference struct {
ObjectReferenceAbstract `json:",inline"`
// Label selector used to select the given resources in the given Namespace.
Selector metav1.LabelSelector `json:"selector"`
}

View File

@@ -9,7 +9,6 @@ package v1beta2
import (
"github.com/projectcapsule/capsule/pkg/api"
corev1 "k8s.io/api/core/v1"
"k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
@@ -155,26 +154,6 @@ func (in *CapsuleResources) DeepCopy() *CapsuleResources {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GatewayOptions) DeepCopyInto(out *GatewayOptions) {
*out = *in
if in.AllowedClasses != nil {
in, out := &in.AllowedClasses, &out.AllowedClasses
*out = new(api.SelectionListWithDefaultSpec)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayOptions.
func (in *GatewayOptions) DeepCopy() *GatewayOptions {
if in == nil {
return nil
}
out := new(GatewayOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GlobalTenantResource) DeepCopyInto(out *GlobalTenantResource) {
*out = *in
@@ -237,8 +216,8 @@ func (in *GlobalTenantResourceList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GlobalTenantResourceSpec) DeepCopyInto(out *GlobalTenantResourceSpec) {
*out = *in
in.TenantResourceSpec.DeepCopyInto(&out.TenantResourceSpec)
in.TenantSelector.DeepCopyInto(&out.TenantSelector)
in.TenantResourceSpec.DeepCopyInto(&out.TenantResourceSpec)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalTenantResourceSpec.
@@ -314,13 +293,6 @@ func (in *NamespaceOptions) DeepCopyInto(out *NamespaceOptions) {
*out = new(api.AdditionalMetadataSpec)
(*in).DeepCopyInto(*out)
}
if in.AdditionalMetadataList != nil {
in, out := &in.AdditionalMetadataList, &out.AdditionalMetadataList
*out = make([]api.AdditionalMetadataSelectorSpec, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
in.ForbiddenLabels.DeepCopyInto(&out.ForbiddenLabels)
in.ForbiddenAnnotations.DeepCopyInto(&out.ForbiddenAnnotations)
}
@@ -518,394 +490,6 @@ func (in *RawExtension) DeepCopy() *RawExtension {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePool) DeepCopyInto(out *ResourcePool) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePool.
func (in *ResourcePool) DeepCopy() *ResourcePool {
if in == nil {
return nil
}
out := new(ResourcePool)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ResourcePool) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolClaim) DeepCopyInto(out *ResourcePoolClaim) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaim.
func (in *ResourcePoolClaim) DeepCopy() *ResourcePoolClaim {
if in == nil {
return nil
}
out := new(ResourcePoolClaim)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ResourcePoolClaim) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolClaimList) DeepCopyInto(out *ResourcePoolClaimList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]ResourcePoolClaim, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimList.
func (in *ResourcePoolClaimList) DeepCopy() *ResourcePoolClaimList {
if in == nil {
return nil
}
out := new(ResourcePoolClaimList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ResourcePoolClaimList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolClaimSpec) DeepCopyInto(out *ResourcePoolClaimSpec) {
*out = *in
if in.ResourceClaims != nil {
in, out := &in.ResourceClaims, &out.ResourceClaims
*out = make(corev1.ResourceList, len(*in))
for key, val := range *in {
(*out)[key] = val.DeepCopy()
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimSpec.
func (in *ResourcePoolClaimSpec) DeepCopy() *ResourcePoolClaimSpec {
if in == nil {
return nil
}
out := new(ResourcePoolClaimSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolClaimStatus) DeepCopyInto(out *ResourcePoolClaimStatus) {
*out = *in
out.Pool = in.Pool
in.Condition.DeepCopyInto(&out.Condition)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimStatus.
func (in *ResourcePoolClaimStatus) DeepCopy() *ResourcePoolClaimStatus {
if in == nil {
return nil
}
out := new(ResourcePoolClaimStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolClaimsItem) DeepCopyInto(out *ResourcePoolClaimsItem) {
*out = *in
out.StatusNameUID = in.StatusNameUID
if in.Claims != nil {
in, out := &in.Claims, &out.Claims
*out = make(corev1.ResourceList, len(*in))
for key, val := range *in {
(*out)[key] = val.DeepCopy()
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimsItem.
func (in *ResourcePoolClaimsItem) DeepCopy() *ResourcePoolClaimsItem {
if in == nil {
return nil
}
out := new(ResourcePoolClaimsItem)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in ResourcePoolClaimsList) DeepCopyInto(out *ResourcePoolClaimsList) {
{
in := &in
*out = make(ResourcePoolClaimsList, len(*in))
for i := range *in {
if (*in)[i] != nil {
in, out := &(*in)[i], &(*out)[i]
*out = new(ResourcePoolClaimsItem)
(*in).DeepCopyInto(*out)
}
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolClaimsList.
func (in ResourcePoolClaimsList) DeepCopy() ResourcePoolClaimsList {
if in == nil {
return nil
}
out := new(ResourcePoolClaimsList)
in.DeepCopyInto(out)
return *out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolList) DeepCopyInto(out *ResourcePoolList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]ResourcePool, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolList.
func (in *ResourcePoolList) DeepCopy() *ResourcePoolList {
if in == nil {
return nil
}
out := new(ResourcePoolList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ResourcePoolList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in ResourcePoolNamespaceClaimsStatus) DeepCopyInto(out *ResourcePoolNamespaceClaimsStatus) {
{
in := &in
*out = make(ResourcePoolNamespaceClaimsStatus, len(*in))
for key, val := range *in {
var outVal []*ResourcePoolClaimsItem
if val == nil {
(*out)[key] = nil
} else {
inVal := (*in)[key]
in, out := &inVal, &outVal
*out = make(ResourcePoolClaimsList, len(*in))
for i := range *in {
if (*in)[i] != nil {
in, out := &(*in)[i], &(*out)[i]
*out = new(ResourcePoolClaimsItem)
(*in).DeepCopyInto(*out)
}
}
}
(*out)[key] = outVal
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolNamespaceClaimsStatus.
func (in ResourcePoolNamespaceClaimsStatus) DeepCopy() ResourcePoolNamespaceClaimsStatus {
if in == nil {
return nil
}
out := new(ResourcePoolNamespaceClaimsStatus)
in.DeepCopyInto(out)
return *out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolQuotaStatus) DeepCopyInto(out *ResourcePoolQuotaStatus) {
*out = *in
if in.Hard != nil {
in, out := &in.Hard, &out.Hard
*out = make(corev1.ResourceList, len(*in))
for key, val := range *in {
(*out)[key] = val.DeepCopy()
}
}
if in.Claimed != nil {
in, out := &in.Claimed, &out.Claimed
*out = make(corev1.ResourceList, len(*in))
for key, val := range *in {
(*out)[key] = val.DeepCopy()
}
}
if in.Available != nil {
in, out := &in.Available, &out.Available
*out = make(corev1.ResourceList, len(*in))
for key, val := range *in {
(*out)[key] = val.DeepCopy()
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolQuotaStatus.
func (in *ResourcePoolQuotaStatus) DeepCopy() *ResourcePoolQuotaStatus {
if in == nil {
return nil
}
out := new(ResourcePoolQuotaStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolSpec) DeepCopyInto(out *ResourcePoolSpec) {
*out = *in
if in.Selectors != nil {
in, out := &in.Selectors, &out.Selectors
*out = make([]api.NamespaceSelector, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
in.Quota.DeepCopyInto(&out.Quota)
if in.Defaults != nil {
in, out := &in.Defaults, &out.Defaults
*out = make(corev1.ResourceList, len(*in))
for key, val := range *in {
(*out)[key] = val.DeepCopy()
}
}
in.Config.DeepCopyInto(&out.Config)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolSpec.
func (in *ResourcePoolSpec) DeepCopy() *ResourcePoolSpec {
if in == nil {
return nil
}
out := new(ResourcePoolSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolSpecConfiguration) DeepCopyInto(out *ResourcePoolSpecConfiguration) {
*out = *in
if in.DefaultsAssignZero != nil {
in, out := &in.DefaultsAssignZero, &out.DefaultsAssignZero
*out = new(bool)
**out = **in
}
if in.OrderedQueue != nil {
in, out := &in.OrderedQueue, &out.OrderedQueue
*out = new(bool)
**out = **in
}
if in.DeleteBoundResources != nil {
in, out := &in.DeleteBoundResources, &out.DeleteBoundResources
*out = new(bool)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolSpecConfiguration.
func (in *ResourcePoolSpecConfiguration) DeepCopy() *ResourcePoolSpecConfiguration {
if in == nil {
return nil
}
out := new(ResourcePoolSpecConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourcePoolStatus) DeepCopyInto(out *ResourcePoolStatus) {
*out = *in
if in.Namespaces != nil {
in, out := &in.Namespaces, &out.Namespaces
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Claims != nil {
in, out := &in.Claims, &out.Claims
*out = make(ResourcePoolNamespaceClaimsStatus, len(*in))
for key, val := range *in {
var outVal []*ResourcePoolClaimsItem
if val == nil {
(*out)[key] = nil
} else {
inVal := (*in)[key]
in, out := &inVal, &outVal
*out = make(ResourcePoolClaimsList, len(*in))
for i := range *in {
if (*in)[i] != nil {
in, out := &(*in)[i], &(*out)[i]
*out = new(ResourcePoolClaimsItem)
(*in).DeepCopyInto(*out)
}
}
}
(*out)[key] = outVal
}
}
in.Allocation.DeepCopyInto(&out.Allocation)
if in.Exhaustions != nil {
in, out := &in.Exhaustions, &out.Exhaustions
*out = make(map[string]api.PoolExhaustionResource, len(*in))
for key, val := range *in {
(*out)[key] = *val.DeepCopy()
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePoolStatus.
func (in *ResourcePoolStatus) DeepCopy() *ResourcePoolStatus {
if in == nil {
return nil
}
out := new(ResourcePoolStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec) {
*out = *in
@@ -1179,7 +763,6 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
*out = new(api.DefaultAllowedListSpec)
(*in).DeepCopyInto(*out)
}
in.GatewayOptions.DeepCopyInto(&out.GatewayOptions)
if in.ForceTenantPrefix != nil {
in, out := &in.ForceTenantPrefix, &out.ForceTenantPrefix
*out = new(bool)

Binary file not shown.

After

Width:  |  Height:  |  Size: 38 KiB

View File

@@ -1,6 +1,6 @@
dependencies:
- name: capsule-proxy
repository: oci://ghcr.io/projectcapsule/charts
version: 0.9.9
digest: sha256:01938e6682c7788e1f6bb38cb97969ac524ffdc1ae824b59acdc7119938ac23c
generated: "2025-07-22T22:24:44.398030885Z"
version: 0.9.3
digest: sha256:057afc3b971a7ffe5ada7d358d759ab3383ffca61aed07e224f3f6c4338568ee
generated: "2025-04-26T05:29:13.486605681Z"

View File

@@ -6,7 +6,7 @@ home: https://github.com/projectcapsule/capsule
icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
dependencies:
- name: capsule-proxy
version: 0.9.9
version: 0.9.3
repository: "oci://ghcr.io/projectcapsule/charts"
condition: proxy.enabled
alias: proxy
@@ -41,4 +41,4 @@ annotations:
url: https://projectcapsule.dev/
artifacthub.io/changes: |
- kind: added
description: added toggles for podSecurityContexts and securityContexts
description: oci chart reference

View File

@@ -108,11 +108,11 @@ Here the values you can override:
| global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
| global.jobs.kubectl.imagePullSecrets | list | `[]` | ImagePullSecrets |
| global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
| global.jobs.kubectl.podSecurityContext | object | `{"enabled":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
| global.jobs.kubectl.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
| global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
| global.jobs.kubectl.resources | object | `{}` | Job resources |
| global.jobs.kubectl.restartPolicy | string | `"Never"` | Set the restartPolicy |
| global.jobs.kubectl.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
| global.jobs.kubectl.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
| global.jobs.kubectl.tolerations | list | `[]` | Set list of tolerations |
| global.jobs.kubectl.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
| global.jobs.kubectl.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
@@ -130,16 +130,12 @@ Here the values you can override:
| jobs | object | `{}` | Deprecated, use .global.jobs.kubectl instead |
| nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
| podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
| podSecurityContext | object | `{"enabled":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
| ports | list | `[]` | Set additional ports for the deployment |
| priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
| rbac.resourcepoolclaims.create | bool | `false` | |
| rbac.resourcepoolclaims.labels."rbac.authorization.k8s.io/aggregate-to-admin" | string | `"true"` | |
| rbac.resources.create | bool | `false` | |
| rbac.resources.labels."rbac.authorization.k8s.io/aggregate-to-admin" | string | `"true"` | |
| replicaCount | int | `1` | Set the replica count for capsule pod |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
@@ -178,29 +174,20 @@ Here the values you can override:
| manager.volumes | list | `[]` | Set the additional volumes needed for the Capsule manager container |
| manager.webhookPort | int | `9443` | Set an alternative to the default container port. Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |
### Monitoring Parameters
### ServiceMonitor Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| monitoring.dashboards.annotations | object | `{}` | Annotations for dashboard configmaps |
| monitoring.dashboards.enabled | bool | `false` | Enable Dashboards to be deployed |
| monitoring.dashboards.labels | object | `{}` | Labels for dashboard configmaps |
| monitoring.dashboards.namespace | string | `""` | Custom namespace for dashboard configmaps |
| monitoring.dashboards.operator.allowCrossNamespaceImport | bool | `true` | Allow the Operator to match this resource with Grafanas outside the current namespace |
| monitoring.dashboards.operator.enabled | bool | `true` | Enable Operator Resources (GrafanaDashboard) |
| monitoring.dashboards.operator.folder | string | `""` | folder assignment for dashboard |
| monitoring.dashboards.operator.instanceSelector | object | `{}` | Selects Grafana instances for import |
| monitoring.dashboards.operator.resyncPeriod | string | `"10m"` | How often the resource is synced, defaults to 10m0s if not set |
| monitoring.serviceMonitor.annotations | object | `{}` | Assign additional Annotations |
| monitoring.serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
| monitoring.serviceMonitor.endpoint.interval | string | `"15s"` | Set the scrape interval for the endpoint of the serviceMonitor |
| monitoring.serviceMonitor.endpoint.metricRelabelings | list | `[]` | Set metricRelabelings for the endpoint of the serviceMonitor |
| monitoring.serviceMonitor.endpoint.relabelings | list | `[]` | Set relabelings for the endpoint of the serviceMonitor |
| monitoring.serviceMonitor.endpoint.scrapeTimeout | string | `""` | Set the scrape timeout for the endpoint of the serviceMonitor |
| monitoring.serviceMonitor.labels | object | `{}` | Assign additional labels according to Prometheus' serviceMonitorSelector matching labels |
| monitoring.serviceMonitor.matchLabels | object | `{}` | Change matching labels |
| monitoring.serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
| monitoring.serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
| serviceMonitor.annotations | object | `{}` | Assign additional Annotations |
| serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
| serviceMonitor.endpoint.interval | string | `"15s"` | Set the scrape interval for the endpoint of the serviceMonitor |
| serviceMonitor.endpoint.metricRelabelings | list | `[]` | Set metricRelabelings for the endpoint of the serviceMonitor |
| serviceMonitor.endpoint.relabelings | list | `[]` | Set relabelings for the endpoint of the serviceMonitor |
| serviceMonitor.endpoint.scrapeTimeout | string | `""` | Set the scrape timeout for the endpoint of the serviceMonitor |
| serviceMonitor.labels | object | `{}` | Assign additional labels according to Prometheus' serviceMonitorSelector matching labels |
| serviceMonitor.matchLabels | object | `{}` | Change matching labels |
| serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
| serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
### Webhooks Parameters
@@ -210,12 +197,6 @@ Here the values you can override:
| webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[1].key | string | `"projectcapsule.dev/cordoned"` | |
| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[1].operator | string | `"Exists"` | |
| webhooks.hooks.customresources.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.customresources.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.customresources.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.customresources.objectSelector | object | `{}` | |
| webhooks.hooks.defaults.ingress.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
@@ -225,16 +206,9 @@ Here the values you can override:
| webhooks.hooks.defaults.pvc.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.gateways.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.gateways.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.gateways.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.ingresses.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.namespace.mutation.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.namespace.mutation.namespaceSelector | object | `{}` | |
| webhooks.hooks.namespace.mutation.objectSelector | object | `{}` | |
| webhooks.hooks.namespace.validation.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` | |
@@ -247,16 +221,6 @@ Here the values you can override:
| webhooks.hooks.pods.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.resourcepools.claims.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.resourcepools.claims.matchPolicy | string | `"Equivalent"` | |
| webhooks.hooks.resourcepools.claims.namespaceSelector | object | `{}` | |
| webhooks.hooks.resourcepools.claims.objectSelector | object | `{}` | |
| webhooks.hooks.resourcepools.claims.reinvocationPolicy | string | `"Never"` | |
| webhooks.hooks.resourcepools.pools.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.resourcepools.pools.matchPolicy | string | `"Equivalent"` | |
| webhooks.hooks.resourcepools.pools.namespaceSelector | object | `{}` | |
| webhooks.hooks.resourcepools.pools.objectSelector | object | `{}` | |
| webhooks.hooks.resourcepools.pools.reinvocationPolicy | string | `"Never"` | |
| webhooks.hooks.services.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |

View File

@@ -112,7 +112,7 @@ Here the values you can override:
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "monitoring" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }}
{{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
@@ -127,12 +127,12 @@ Here the values you can override:
{{- end }}
{{- end }}
### Monitoring Parameters
### ServiceMonitor Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if hasPrefix "monitoring" .Key }}
{{- if hasPrefix "serviceMonitor" .Key }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}

View File

@@ -1,9 +0,0 @@
monitoring:
dashboards:
enabled: true
annotations:
k8s-sidecar-target-directory: /tmp/dashboards/Capsule
labels:
grafana_dashboard: "1"
operator:
enabled: true

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.18.0
controller-gen.kubebuilder.io/version: v0.17.3
name: capsuleconfigurations.capsule.clastix.io
spec:
group: capsule.clastix.io

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.18.0
controller-gen.kubebuilder.io/version: v0.17.3
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io

View File

@@ -1,158 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.18.0
name: resourcepoolclaims.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: ResourcePoolClaim
listKind: ResourcePoolClaimList
plural: resourcepoolclaims
singular: resourcepoolclaim
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The ResourcePool being claimed from
jsonPath: .status.pool.name
name: Pool
type: string
- description: Status for claim
jsonPath: .status.condition.type
name: Status
type: string
- description: Reason for status
jsonPath: .status.condition.reason
name: Reason
type: string
- description: Condition Message
jsonPath: .status.condition.message
name: Message
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta2
schema:
openAPIV3Schema:
description: ResourcePoolClaim is the Schema for the resourcepoolclaims API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
claim:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: Amount which should be claimed for the resourcequota
type: object
pool:
description: |-
If there's the possability to claim from multiple global Quotas
You must be specific about which one you want to claim resources from
Once bound to a ResourcePool, this field is immutable
type: string
required:
- claim
- pool
type: object
status:
description: ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
properties:
condition:
description: Condtion for this resource claim
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
pool:
description: Reference to the GlobalQuota being claimed from
properties:
name:
description: Name
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
namespace:
description: Namespace
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
uid:
description: UID of the tracked Tenant to pin point tracking
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

View File

@@ -1,328 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.18.0
name: resourcepools.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: ResourcePool
listKind: ResourcePoolList
plural: resourcepools
shortNames:
- quotapool
singular: resourcepool
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The total amount of Claims bound
jsonPath: .status.claimCount
name: Claims
type: integer
- description: The total amount of Namespaces considered
jsonPath: .status.namespaceCount
name: Namespaces
type: integer
- description: Age
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta2
schema:
openAPIV3Schema:
description: |-
Resourcepools allows you to define a set of resources as known from ResoureQuotas. The Resourcepools are defined at cluster-scope an should
be administrated by cluster-administrators. However they create an interface, where cluster-administrators can define
from which namespaces resources from a Resourcepool can be claimed. The claiming is done via a namespaced CRD called ResourcePoolClaim. Then
it's up the group of users within these namespaces, to manage the resources they consume per namespace. Each Resourcepool provisions a ResourceQuotainto all the selected namespaces. Then essentially the ResourcePoolClaims, when they can be assigned to the ResourcePool stack resources on top of that
ResourceQuota based on the namspace, where the ResourcePoolClaim was made from.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ResourcePoolSpec.
properties:
config:
default: {}
description: Additional Configuration
properties:
defaultsZero:
default: false
description: With this option all resources which can be allocated
are set to 0 for the resourcequota defaults.
type: boolean
deleteBoundResources:
default: false
description: |-
When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
type: boolean
orderedQueue:
default: false
description: |-
Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
it's priority was lower
Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
other claim can claim the same resources with lower priority.
type: boolean
type: object
defaults:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
The Defaults given for each namespace, the default is not counted towards the total allocation
When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources
type: object
quota:
description: Define the resourcequota served by this resourcepool.
properties:
hard:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
hard is the set of desired hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
type: object
scopeSelector:
description: |-
scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
but expressed using ScopeSelectorOperator in combination with possible values.
For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
properties:
matchExpressions:
description: A list of scope selector requirements by scope
of the resources.
items:
description: |-
A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator
that relates the scope name and values.
properties:
operator:
description: |-
Represents a scope's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist.
type: string
scopeName:
description: The name of the scope that the selector
applies to.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- operator
- scopeName
type: object
type: array
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
scopes:
description: |-
A collection of filters that must match each object tracked by a quota.
If not specified, the quota matches all objects.
items:
description: A ResourceQuotaScope defines a filter that must
match each object tracked by a quota
type: string
type: array
x-kubernetes-list-type: atomic
type: object
selectors:
description: Selector to match the namespaces that should be managed
by the GlobalResourceQuota
items:
description: Selector for resources and their labels or selecting
origin namespaces
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
required:
- quota
type: object
status:
description: GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.
properties:
allocation:
description: Tracks the Usage from Claimed against what has been granted
from the pool
properties:
available:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: Used to track the usage of the resource in the pool
(diff hard - claimed). May be used for further automation
type: object
hard:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Hard is the set of enforced hard limits for each named resource.
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
type: object
used:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: Used is the current observed total usage of the resource
in the namespace.
type: object
type: object
claimCount:
default: 0
description: Amount of claims
type: integer
claims:
additionalProperties:
items:
description: ResourceQuotaClaimStatus defines the observed state
of ResourceQuotaClaim.
properties:
claims:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: Claimed resources
type: object
name:
description: Name
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
namespace:
description: Namespace
maxLength: 253
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
uid:
description: UID of the tracked Tenant to pin point tracking
type: string
type: object
type: array
description: Tracks the quotas for the Resource.
type: object
exhaustions:
additionalProperties:
properties:
available:
anyOf:
- type: integer
- type: string
description: Available Resources to be claimed
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
requesting:
anyOf:
- type: integer
- type: string
description: Requesting Resources
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
description: Exhaustions from claims associated with the pool
type: object
namespaceCount:
default: 0
description: How many namespaces are considered
type: integer
namespaces:
description: Namespaces which are considered for claims
items:
type: string
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.18.0
controller-gen.kubebuilder.io/version: v0.17.3
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io

View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.18.0
controller-gen.kubebuilder.io/version: v0.17.3
name: tenants.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -1160,57 +1160,6 @@ spec:
If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
Optional
type: boolean
gatewayOptions:
description: Specifies options for the GatewayClass resources.
properties:
allowedClasses:
properties:
default:
type: string
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
imagePullPolicies:
description: Specify the allowed values for the imagePullPolicies
option in Pod resources. Capsule assures that all Pod resources
@@ -1424,71 +1373,6 @@ spec:
type: string
type: object
type: object
additionalMetadataList:
description: Specifies additional labels and annotations the Capsule
operator places on any Namespace resource in the Tenant via
a list. Optional.
items:
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
type: array
forbiddenAnnotations:
description: Define the annotations that a Tenant Owner cannot
set for their Namespace resources.

File diff suppressed because it is too large Load Diff

View File

@@ -19,7 +19,9 @@ metadata:
{{- include "capsule.labels" . | nindent 4 }}
spec:
backoffLimit: {{ $Values.backoffLimit }}
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
name: "{{ include "capsule.crds.name" . }}"
@@ -28,8 +30,9 @@ spec:
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $Values.restartPolicy }}
{{- if $Values.podSecurityContext.enabled }}
securityContext: {{- omit $Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- with $Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.nodeSelector }}
nodeSelector:
@@ -59,8 +62,9 @@ spec:
- name: crds-hook
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ $Values.image.pullPolicy }}
{{- if $Values.securityContext.enabled }}
securityContext: {{- omit $Values.securityContext "enabled" | toYaml | nindent 10 }}
{{- with $Values.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
command:
- sh

View File

@@ -30,8 +30,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capsule.serviceAccountName" . }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.manager.hostNetwork }}
hostNetwork: true
@@ -57,6 +58,8 @@ spec:
secretName: {{ include "capsule.secretTlsName" . }}
containers:
- name: manager
command:
- /manager
args:
- --webhook-port={{ .Values.manager.webhookPort }}
- --enable-leader-election
@@ -86,8 +89,7 @@ spec:
readOnly: true
resources:
{{- toYaml .Values.manager.resources | nindent 12 }}
{{- if .Values.securityContext.enabled }}
securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- end }}

View File

@@ -1,51 +0,0 @@
{{- if $.Values.monitoring.dashboards.enabled }}
{{ range $path, $_ := .Files.Glob "dashboards/**-dashboard.json" }}
{{- with $ }}
{{- $content := (.Files.Get $path) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capsule.fullname" . }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$" }}-dashboard
namespace: {{ default $.Release.Namespace $.Values.monitoring.dashboards.namespace | quote }}
annotations:
{{- with $.Values.monitoring.dashboards.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "capsule.labels" $ | nindent 4 }}
{{- with $.Values.monitoring.dashboards.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{ base $path }}: |-
{{- $content | nindent 4 }}
{{- if $.Values.monitoring.dashboards.operator.enabled }}
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
name: {{ include "capsule.fullname" $ }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$" }}
namespace: {{ default $.Release.Namespace $.Values.monitoring.dashboards.namespace | quote }}
annotations:
{{- with $.Values.monitoring.dashboards.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "capsule.labels" $ | nindent 4 }}
{{- with $.Values.monitoring.dashboards.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
configMapRef:
name: {{ include "capsule.fullname" $ }}-{{ $path | base | trimSuffix "-dashboard.json" | regexFind "[^_]+$" }}-dashboard
key: {{ base $path }}
{{- with (omit $.Values.monitoring.dashboards.operator "enabled") }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -29,8 +29,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capsule.serviceAccountName" . }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.manager.hostNetwork }}
hostNetwork: true
@@ -88,9 +89,6 @@ spec:
- name: metrics
containerPort: 8080
protocol: TCP
- name: health-api
containerPort: 10080
protocol: TCP
{{- end }}
{{- with .Values.manager.ports }}
{{- . | nindent 12 }}
@@ -108,10 +106,11 @@ spec:
{{- end }}
resources:
{{- toYaml .Values.manager.resources | nindent 12 }}
{{- if .Values.manager.securityContext }}
securityContext: {{- omit .Values.manager.securityContext "enabled" | toYaml | nindent 12 }}
{{- else if .Values.securityContext.enabled }}
securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
securityContext:
{{- if .Values.manager.securityContext }}
{{- toYaml .Values.manager.securityContext | nindent 12 }}
{{- else }}
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -15,10 +15,6 @@ spec:
name: metrics
protocol: TCP
targetPort: 8080
- port: 10080
name: health-api
protocol: TCP
targetPort: 10080
selector:
{{- include "capsule.selectorLabels" . | nindent 4 }}
sessionAffinity: None

View File

@@ -81,111 +81,30 @@ webhooks:
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.gateways }}
- admissionReviewVersions:
- v1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
name: gateway.defaults.projectcapsule.dev
rules:
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
scope: "Namespaced"
namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with (mergeOverwrite .Values.webhooks.hooks.namespace.mutation .Values.webhooks.hooks.namespaceOwnerReference) }}
{{- with .Values.webhooks.hooks.namespaceOwnerReference }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/namespace-patch" "ctx" $) | nindent 4 }}
{{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: namespace-patching.tenants.projectcapsule.dev
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
name: owner.namespace.projectcapsule.dev
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- ""
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- namespaces
scope: '*'
sideEffects: NoneOnDryRun
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.resourcepools.pools }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/mutating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
name: resourcepools.projectcapsule.dev
namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
objectSelector: {{ toYaml .objectSelector | nindent 4 }}
reinvocationPolicy: {{ .reinvocationPolicy }}
rules:
- apiGroups:
- "capsule.clastix.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- resourcepools
scope: '*'
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.resourcepools.claims }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/mutating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
name: resourcepoolclaims.projectcapsule.dev
namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
objectSelector: {{ toYaml .objectSelector | nindent 4 }}
reinvocationPolicy: {{ .reinvocationPolicy }}
rules:
- apiGroups:
- "capsule.clastix.io"
apiVersions:
- "*"
- v1
operations:
- CREATE
- UPDATE
resources:
- resourcepoolclaims
- namespaces
scope: '*'
sideEffects: None
sideEffects: NoneOnDryRun
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -17,7 +17,9 @@ metadata:
{{- end }}
spec:
backoffLimit: {{ $Values.backoffLimit }}
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
labels:
@@ -25,8 +27,9 @@ spec:
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $Values.restartPolicy }}
{{- if $Values.podSecurityContext.enabled }}
securityContext: {{- omit $Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- with $Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.nodeSelector }}
nodeSelector:
@@ -69,8 +72,9 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if $Values.securityContext.enabled }}
securityContext: {{- omit $Values.securityContext "enabled" | toYaml | nindent 10 }}
{{- with $Values.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with $Values.resources }}
resources:

View File

@@ -17,7 +17,9 @@ metadata:
{{- end }}
spec:
backoffLimit: {{ $Values.backoffLimit }}
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
labels:
@@ -25,8 +27,9 @@ spec:
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $Values.restartPolicy }}
{{- if $Values.podSecurityContext.enabled }}
securityContext: {{- omit $Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- with $Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.nodeSelector }}
nodeSelector:
@@ -71,8 +74,9 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if $Values.securityContext.enabled }}
securityContext: {{- omit $Values.securityContext "enabled" | toYaml | nindent 12 }}
{{- with $Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with $Values.resources }}
resources:

View File

@@ -1,24 +0,0 @@
{{- if $.Values.rbac.resourcepoolclaims.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "capsule.fullname" $ }}-resourcepoolclaims
labels:
{{- toYaml $.Values.rbac.resourcepoolclaims.labels | nindent 4 }}
rules:
- apiGroups: ["capsule.clastix.io"]
resources: ["resourcepoolclaims"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
{{- end }}
{{- if $.Values.rbac.resources.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "capsule.fullname" $ }}-resources
labels:
{{- toYaml $.Values.rbac.resources.labels | nindent 4 }}
rules:
- apiGroups: ["capsule.clastix.io"]
resources: ["tenantresources"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
{{- end }}

View File

@@ -1,23 +1,22 @@
{{- if not $.Values.crds.exclusive }}
{{- with (mergeOverwrite .Values.monitoring.serviceMonitor (default dict .Values.serviceMonitor)) -}}
{{- if .enabled }}
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "capsule.fullname" $ }}
namespace: {{ .namespace | default $.Release.Namespace }}
name: {{ include "capsule.fullname" . }}-monitor
namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
labels:
{{- include "capsule.labels" $ | nindent 4 }}
{{- with .labels }}
{{- include "capsule.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .annotations }}
{{- with .Values.serviceMonitor.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
{{- with .endpoint }}
{{- with .Values.serviceMonitor.endpoint }}
- interval: {{ .interval }}
port: metrics
path: /metrics
@@ -32,19 +31,18 @@ spec:
{{- end }}
{{- end }}
jobLabel: app.kubernetes.io/name
{{- with .targetLabels }}
{{- with .Values.serviceMonitor.targetLabels }}
targetLabels: {{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- if .matchLabels }}
{{- toYaml .matchLabels | nindent 6 }}
{{- if .Values.serviceMonitor.matchLabels }}
{{- toYaml .Values.serviceMonitor.matchLabels | nindent 6 }}
{{- else }}
{{- include "capsule.selectorLabels" $ | nindent 6 }}
{{- include "capsule.labels" . | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ $.Release.Namespace }}
{{- end }}
- {{ .Release.Namespace }}
{{- end }}
{{- end }}

View File

@@ -40,32 +40,6 @@ webhooks:
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.gateways }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/gateways" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: gateway.projectcapsule.dev
namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {}
rules:
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.ingresses }}
- admissionReviewVersions:
- v1
@@ -274,7 +248,7 @@ webhooks:
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.tenants }}
{{- with .Values.webhooks.hooks.tenants }}
- admissionReviewVersions:
- v1
- v1beta1
@@ -299,87 +273,5 @@ webhooks:
scope: '*'
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.resourcepools.pools }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/validating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
name: resourcepools.projectcapsule.dev
namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
objectSelector: {{ toYaml .objectSelector | nindent 4 }}
rules:
- apiGroups:
- "capsule.clastix.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- resourcepools
scope: '*'
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.resourcepools.pools }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/resourcepool/claim/validating" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: {{ .matchPolicy }}
name: resourcepoolclaims.projectcapsule.dev
namespaceSelector: {{ toYaml .namespaceSelector | nindent 4 }}
objectSelector: {{ toYaml .objectSelector | nindent 4 }}
rules:
- apiGroups:
- "capsule.clastix.io"
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- resourcepoolclaims
scope: '*'
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.customresources }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/customresources" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: customresources.tenant.projectcapsule.dev
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .objectSelector }}
objectSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
- DELETE
resources:
- '*'
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}

File diff suppressed because it is too large Load Diff

View File

@@ -24,12 +24,10 @@ global:
ttlSecondsAfterFinished: 60
# -- Security context for the job pods.
podSecurityContext:
enabled: true
seccompProfile:
type: "RuntimeDefault"
# -- Security context for the job containers.
securityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
@@ -78,17 +76,6 @@ proxy:
# -- Enable Installation of Capsule Proxy
enabled: false
# These are ClusterRoles which grant permissions for Capsule CRDs to Tenant Owners
rbac:
resources:
create: false
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
resourcepoolclaims:
create: false
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
# Manager Options
manager:
@@ -194,7 +181,6 @@ priorityClassName: '' # system-cluster-critical
# -- Set the securityContext for the Capsule pod
podSecurityContext:
enabled: true
seccompProfile:
type: "RuntimeDefault"
runAsGroup: 1002
@@ -203,7 +189,6 @@ podSecurityContext:
# -- Set the securityContext for the Capsule container
securityContext:
enabled: true
capabilities:
drop:
- ALL
@@ -280,44 +265,9 @@ webhooks:
# Hook Configuration
hooks:
resourcepools:
pools:
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
matchPolicy: Equivalent
failurePolicy: Fail
claims:
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
matchPolicy: Equivalent
failurePolicy: Fail
namespaceOwnerReference:
failurePolicy: Fail
customresources:
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
objectSelector: {}
namespace:
validation:
failurePolicy: Fail
mutation:
failurePolicy: Fail
namespaceSelector: {}
objectSelector: {}
cordoning:
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: capsule.clastix.io/tenant
operator: Exists
- key: projectcapsule.dev/cordoned
operator: Exists
gateways:
failurePolicy: Fail
namespaceSelector:
matchExpressions:
@@ -381,52 +331,26 @@ webhooks:
- key: capsule.clastix.io/tenant
operator: Exists
# Monitoring Settings
monitoring:
dashboards:
# -- Enable Dashboards to be deployed
enabled: false
# -- Annotations for dashboard configmaps
annotations: {}
# -- Labels for dashboard configmaps
labels: {}
# grafana_dashboard: "1"
# -- Custom namespace for dashboard configmaps
namespace: ""
# Grafana Operator
operator:
# -- Enable Operator Resources (GrafanaDashboard)
enabled: true
# -- Allow the Operator to match this resource with Grafanas outside the current namespace
allowCrossNamespaceImport: true
# -- How often the resource is synced, defaults to 10m0s if not set
resyncPeriod: "10m"
# -- Selects Grafana instances for import
instanceSelector: {}
# -- folder assignment for dashboard
folder: ""
# ServiceMonitor
serviceMonitor:
# -- Enable ServiceMonitor
enabled: false
# -- Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
namespace: ''
# -- Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
labels: {}
# -- Assign additional Annotations
annotations: {}
# -- Change matching labels
matchLabels: {}
# -- Set targetLabels for the serviceMonitor
targetLabels: []
endpoint:
# -- Set the scrape interval for the endpoint of the serviceMonitor
interval: "15s"
# -- Set the scrape timeout for the endpoint of the serviceMonitor
scrapeTimeout: ""
# -- Set metricRelabelings for the endpoint of the serviceMonitor
metricRelabelings: []
# -- Set relabelings for the endpoint of the serviceMonitor
relabelings: []
# ServiceMonitor
serviceMonitor:
# -- Enable ServiceMonitor
enabled: false
# -- Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
namespace: ''
# -- Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
labels: {}
# -- Assign additional Annotations
annotations: {}
# -- Change matching labels
matchLabels: {}
# -- Set targetLabels for the serviceMonitor
targetLabels: []
endpoint:
# -- Set the scrape interval for the endpoint of the serviceMonitor
interval: "15s"
# -- Set the scrape timeout for the endpoint of the serviceMonitor
scrapeTimeout: ""
# -- Set metricRelabelings for the endpoint of the serviceMonitor
metricRelabelings: []
# -- Set relabelings for the endpoint of the serviceMonitor
relabelings: []

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package config

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package pod

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package pod
@@ -28,12 +28,6 @@ type MetadataReconciler struct {
Client client.Client
}
func (m *MetadataReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&corev1.Pod{}, m.forOptionPerInstanceName(ctx)).
Complete(m)
}
func (m *MetadataReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
var pod corev1.Pod
@@ -42,8 +36,8 @@ func (m *MetadataReconciler) Reconcile(ctx context.Context, request ctrl.Request
tenant, err := m.getTenant(ctx, request.NamespacedName, m.Client)
if err != nil {
noTenantObjError := &NonTenantObjectError{}
noPodMetaError := &NoPodMetadataError{}
if errors.As(err, &noTenantObjError) || errors.As(err, &noPodMetaError) {
return reconcile.Result{}, nil
}
@@ -128,3 +122,9 @@ func (m *MetadataReconciler) isNamespaceInTenant(ctx context.Context, namespace
return len(tl.Items) > 0
}
func (m *MetadataReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&corev1.Pod{}, m.forOptionPerInstanceName(ctx)).
Complete(m)
}

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package pv

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package rbac

View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 Project Capsule Authors
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package rbac
@@ -53,6 +53,7 @@ func (r *Manager) SetupWithManager(ctx context.Context, mgr ctrl.Manager, config
}
},
}).Complete(r)
if crbErr != nil {
err = errors.Join(err, crbErr)
}

Some files were not shown because too many files have changed in this diff Show More