chore(yamllint): fix yaml comments

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -9,7 +9,7 @@ assignees: ''
 
 <!--
 Thanks for taking time reporting a Capsule bug!
-  
+
 -->
 
 # Bug description

.github/ISSUE_TEMPLATE/feature_request.md

@@ -32,4 +32,4 @@ How would the new interaction with Capsule look like? E.g.
 Feel free to add a diagram if that helps explain things.
 
 # Expected behavior
-A clear and concise description of what you expect to happen.
+A clear and concise description of what you expect to happen.

.github/actions/exists/action.yaml

@@ -18,4 +18,4 @@ runs:
     - shell: bash
       id: check
       run: |
-        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
+        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT

.github/actions/setup-caches/action.yaml

@@ -9,12 +9,12 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
-    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       if: ${{ inputs.build-cache-key }}
       with:
         path: ~/.cache/go-build
-        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
+        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}

.github/configs/ct.yaml

@@ -2,7 +2,9 @@ remote: origin
 target-branch: main
 chart-dirs:
   - charts
-helm-extra-args: "--timeout 600s"  
+chart-repos:
+  - capsule=https://projectcapsule.github.io/charts/
+helm-extra-args: "--timeout 600s"
 validate-chart-schema: false
 validate-maintainers: false
 validate-yaml: true

.github/configs/lintconf.yaml

@@ -1,6 +1,17 @@
-
 ---
+ignore:
+  - config/
+  - charts/*/templates/
+  - charts/**/templates/
 rules:
+  truthy:
+    level: warning
+    allowed-values:
+    - "true"
+    - "false"
+    - "on"
+    - "off"
+    check-keys: false
   braces:
     min-spaces-inside: 0
     max-spaces-inside: 0
@@ -39,5 +50,3 @@ rules:
   new-lines:
     type: unix
   trailing-spaces: enable
-  truthy:
-    level: warning

.github/dependabot.yml

@@ -1,16 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: gomod
-    directory: /
-    schedule:
-      interval: daily
-    rebase-strategy: disabled
-    commit-message:
-      prefix: "feat(deps)"
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: daily
-    rebase-strategy: disabled
-    commit-message:
-      prefix: "ci(deps)"

.github/workflows/check-actions.yml

@@ -3,7 +3,8 @@ permissions: {}
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - "*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3.0.23
         with:
-          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # slsa-github-generator requires using a semver tag for reusable workflows.
           # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
           allowlist: |
-            slsa-framework/slsa-github-generator
+            slsa-framework/slsa-github-generator

.github/workflows/check-commit.yml

@@ -3,21 +3,20 @@ permissions: {}
 
 on:
   push:
-    branches: [ "*" ]
+    branches:
+      - "*"
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 jobs:
   commit_lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@5ce82f5d814d4010519d15f0552aec4f17a1e1fe #v5.4.5
-        with:
-          firstParent: true
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1

.github/workflows/check-pr.yml

@@ -15,7 +15,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f
+      - uses: amannn/action-semantic-pull-request@335288255954904a41ddda8947c8f2c844b8bfeb
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/codecov.yml

@@ -1,38 +0,0 @@
-name: Codecov
-permissions: {}
-
-on:
-  pull_request:
-    branches: [ "main" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  codecov:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup caches
-        uses: ./.github/actions/setup-caches
-        timeout-minutes: 5
-        continue-on-error: true
-        with:
-          build-cache-key: codecov
-      - name: Check secret
-        id: checksecret
-        uses: ./.github/actions/exists
-        with:
-          value: ${{ secrets.CODECOV_TOKEN }}
-      - name: Generate Code Coverage Report
-        if: steps.checksecret.outputs.result == 'true'
-        run: make test
-      - name: Upload Report to Codecov
-        if: steps.checksecret.outputs.result == 'true'
-        uses: codecov/codecov-action@0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1 # v4.0.2
-        with:
-          file: ./coverage.out
-          fail_ci_if_error: true
-          verbose: true

.github/workflows/coverage.yml

@@ -0,0 +1,64 @@
+name: Coverage
+
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches:
+      - "main"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sast:
+    name: "SAST"
+    runs-on: ubuntu-24.04
+    env:
+      GO111MODULE: on
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@955a68d0d19f4afb7503068f95059f7d0c529017 # v2.22.3
+        with:
+          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
+        with:
+          sarif_file: gosec.sarif
+  unit_tests:
+    name: "Unit tests"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Unit Test
+        run: make test
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload Report to Codecov
+        if: ${{ steps.checksecret.outputs.result == 'true' }}
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: projectcapsule/capsule
+          files: ./coverage.out
+          fail_ci_if_error: true
+          verbose: true

.github/workflows/diff.yml

@@ -1,34 +0,0 @@
-name: Diff checks
-permissions: {}
-
-on:
-  push:
-    branches: [ "*" ]
-  pull_request:
-    branches: [ "*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  diff:
-    name: diff
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: '1.21'
-      - run: make installer
-      - name: Checking if YAML installer file is not aligned
-        run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
-      - run: make apidoc
-      - name: Checking if the CRDs documentation is not aligned
-        run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> CRDs generated documentation have not been committed" && git --no-pager diff && exit 1; fi
-      - name: Checking if YAML installer generated untracked files
-        run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - name: Checking if source code is not formatted
-        run: test -z "$(git diff 2> /dev/null)"

.github/workflows/docker-build.yml

@@ -0,0 +1,45 @@
+name: Build images
+permissions: {}
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - '.github/workflows/docker-*.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'pkg/**'
+      - 'e2e/*'
+      - '.ko.yaml'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
+
+jobs:
+  build-images:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: ko build
+        run: VERSION=${{ github.sha }} make ko-build-all
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+        env:
+          # Trivy is returning TOOMANYREQUESTS
+          # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/docker-publish.yml

@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      id-token: write 
+      id-token: write
     outputs:
       capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup caches
         uses: ./.github/actions/setup-caches
         timeout-minutes: 5
@@ -28,7 +28,7 @@ jobs:
         with:
           build-cache-key: publish-images
       - name: Run Trivy vulnerability (Repo)
-        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -36,10 +36,10 @@ jobs:
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
       - name: Install Cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
       - name: Publish Capsule
         id: publish-capsule
-        uses: peak-scale/github-actions/make-ko-publish@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
+        uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
         with:
           makefile-target: ko-publish-capsule
           registry: ghcr.io
@@ -49,8 +49,8 @@ jobs:
           version: ${{ github.ref_name }}
           sign-image: true
           sbom-name: capsule
-          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
-          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
+          signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
           main-path: ./
         env:
           REPOSITORY: ${{ github.repository }}
@@ -60,10 +60,10 @@ jobs:
       id-token: write   # To sign the provenance.
       packages: write   # To upload assets to release.
       actions: read     # To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
     with:
       image: ghcr.io/${{ github.repository_owner }}/capsule
       digest: "${{ needs.publish-images.outputs.capsule-digest }}"
       registry-username: ${{ github.actor }}
     secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docs-lint.yml

@@ -3,12 +3,14 @@ permissions: {}
 
 on:
   push:
-    branches: [ "*" ]
+    branches:
+      - "*"
     paths:
       - '.github/workflows/docs-lint.yml'
       - 'docs/content/**'
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
     paths:
       - '.github/workflows/docs-lint.yml'
       - 'docs/content/**'
@@ -22,10 +24,10 @@ jobs:
     name: Spell Check
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 18
-      - run: make docs-lint
+      - run: make docs-lint

.github/workflows/e2e.yml

@@ -2,20 +2,9 @@ name: e2e
 permissions: {}
 
 on:
-  push:
-    branches: [ "*" ]
-    paths:
-      - '.github/workflows/e2e.yml'
-      - 'api/**'
-      - 'controllers/**'
-      - 'pkg/**'
-      - 'e2e/*'
-      - 'Dockerfile'
-      - 'go.*'
-      - 'main.go'
-      - 'Makefile'
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
     paths:
       - '.github/workflows/e2e.yml'
       - 'api/**'
@@ -32,31 +21,18 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  kind:
-    name: Kubernetes
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s-version: [ 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0']
-    runs-on: ubuntu-20.04
+  e2e:
+    name: E2E Testing
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: '1.21'
-      - run: make manifests
-      - name: Checking if manifests are disaligned
-        run: test -z "$(git diff 2> /dev/null)"
-      - name: Checking if manifests generated untracked files
-        run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
+          go-version-file: 'go.mod'
+      - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
         with:
-          skipClusterCreation: true
-          version: v0.14.0
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
-        with:
-          version: 3.3.4
+          version: v3.14.2
       - name: e2e testing
-        run: make e2e/${{ matrix.k8s-version }}
+        run: make e2e

.github/workflows/fossa.yml

@@ -1,35 +0,0 @@
-name: FOSSA
-permissions: {}
-
-on:
-  push:
-    branches: [ "*" ]
-  pull_request:
-    branches: [ "*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true    
-
-jobs:
-  fossa-scan:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: "Checkout Code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Check secret
-        id: checksecret
-        uses: ./.github/actions/exists
-        with:
-          value: ${{ secrets.FOSSA_API_KEY }}
-      - name: "Run FOSSA Scan"
-        if: steps.checksecret.outputs.result == 'true'
-        uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-      - name: "Run FOSSA Test"
-        if: steps.checksecret.outputs.result == 'true'
-        uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-          run-tests: true

.github/workflows/gosec.yml

@@ -1,24 +0,0 @@
-name: CI gosec
-permissions: {}
-on:
-  push:
-    branches: [ "*" ]
-  pull_request:
-    branches: [ "*" ]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  tests:
-    runs-on: ubuntu-20.04
-    env:
-      GO111MODULE: on
-    steps:
-      - name: Checkout Source
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@26e57d6b340778c2983cd61775bc7e8bb41d002a # v2.19.0
-        with:
-          args: ./...

.github/workflows/helm-publish.yml

@@ -1,8 +1,10 @@
 name: Publish charts
 permissions: read-all
+
 on:
   push:
-    tags: [ "helm-v*" ]
+    tags:
+      - 'v*'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,9 +14,9 @@ jobs:
   publish-helm:
     # Skip this Release on forks
     if: github.repository_owner == 'projectcapsule'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Extract Version"
         id: extract_version
         run: |
@@ -27,6 +29,7 @@ jobs:
           token: "${{ secrets.HELM_CHARTS_PUSH_TOKEN }}"
           linting: off
           chart_version: ${{ steps.extract_version.outputs.version }}
+          app_version: ${{ steps.extract_version.outputs.version }}
           charts_dir: charts
           charts_url: https://${{ github.repository_owner }}.github.io/charts
           owner: ${{ github.repository_owner }}
@@ -34,7 +37,7 @@ jobs:
           branch: gh-pages
           commit_username: ${{ github.actor }}
   publish-helm-oci:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
       id-token: write
@@ -42,8 +45,8 @@ jobs:
     outputs:
       chart-digest: ${{ steps.helm_publish.outputs.digest }}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
       - name: "Extract Version"
         id: extract_version
         run: |
@@ -52,24 +55,25 @@ jobs:
           echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
       - name: Helm | Publish
         id: helm_publish
-        uses: peak-scale/github-actions/helm-oci-chart@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
+        uses: peak-scale/github-actions/helm-oci-chart@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
         with:
           registry: ghcr.io
           repository: ${{ github.repository_owner }}/charts
           name: "capsule"
           version: ${{ steps.extract_version.outputs.version }}
+          app-version: ${{ steps.extract_version.outputs.version }}
           registry-username: ${{ github.actor }}
           registry-password: ${{ secrets.GITHUB_TOKEN }}
           update-dependencies: 'true' # Defaults to false
           sign-image: 'true'
-          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          signature-repository: ghcr.io/${{ github.repository_owner }}/charts/capsule
   helm-provenance:
     needs: publish-helm-oci
     permissions:
       id-token: write   # To sign the provenance.
       packages: write   # To upload assets to release.
       actions: read     # To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
     with:
       image: ghcr.io/${{ github.repository_owner }}/charts/capsule
       digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"

.github/workflows/helm-test.yml

@@ -3,34 +3,43 @@ permissions: {}
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - "main"
+    paths:
+      - '.github/configs/**'
+      - '.github/workflows/helm-*.yml'
+      - 'charts/**'
+      - 'Makefile'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  lint:
-    runs-on: ubuntu-20.04
+  linter-artifacthub:
+    runs-on: ubuntu-latest
+    container:
+      image: artifacthub/ah
+      options: --user root
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Run ah lint
+        working-directory: ./charts/
+        run: ah lint
+  lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+      - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
       - name: Linting Chart
         run: helm lint ./charts/capsule
-      - name: Setup Chart Linting
-        id: lint
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --config ./.github/configs/ct.yaml)
-          if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
-          fi
+
       - name: Run chart-testing (lint)
-        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
+        run: make helm-lint
+
       - name: Run docs-testing (helm-docs)
         id: helm-docs
         run: |
@@ -42,7 +51,16 @@ jobs:
           else
             echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
           fi
-
+      - name: Run schema-testing (helm-schema)
+        id: helm-schema
+        run: |
+          make helm-schema
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mSchema outdated! (Run make helm-schema locally and commit)\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mSchema up to date\033[0m ✔'
+          fi
       - name: Run chart-testing (install)
-        run: make helm-test
-        if: steps.list-changed.outputs.changed == 'true'
+        run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test

.github/workflows/lint.yml

@@ -1,28 +1,52 @@
 name: Linting
 permissions: {}
-
 on:
   push:
-    branches: [ "*" ]
+    branches:
+      - "*"
   pull_request:
-    branches: [ "*" ]
-
+    branches:
+      - "*"
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 jobs:
+  manifests:
+    name: diff
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Generate manifests
+        run: |
+          make manifests
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mManifests outdated! (Run make manifests locally and commit)\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+          fi
+  yamllint:
+    name: yamllint
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install yamllint
+        run: pip install yamllint
+      - name: Lint YAML files
+        run: yamllint -c=.github/configs/lintconf.yaml .
   golangci:
     name: lint
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: '1.21'
+          go-version-file: 'go.mod'
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
-        with:
-          version: v1.56.2
-          only-new-issues: false
-          args: --timeout 5m --config .golangci.yml
+        run: make golint

.github/workflows/releaser.yml

@@ -11,28 +11,70 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  # seccomp-generation:
+  #  name: Seccomp Generation
+  #  strategy:
+  #    fail-fast: false
+  #    matrix:
+  #      # differently from the e2e workflow
+  #      # we don't need all the versions of kubernetes
+  #      # to generate the seccomp profile.
+  #      k8s-version:
+  #        - "v1.30.0"
+  #  runs-on: ubuntu-latest
+  #  steps:
+  #    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #      with:
+  #        fetch-depth: 0
+  #    - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+  #      with:
+  #        go-version-file: 'go.mod'
+  #    - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
+  #      with:
+  #        version: v3.14.2
+  #    - name: unit tracing
+  #      run: sudo make trace-unit
+  #    - name: e2e tracing
+  #      run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
+  #    - name: build seccomp profile
+  #      run: make seccomp
+  #    - name: upload artifact
+  #      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+  #      with:
+  #        name: capsule-seccomp
+  #        path: capsule-seccomp.json
   create-release:
+    # needs: seccomp-generation
     runs-on: ubuntu-latest
     permissions:
       contents: write
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Install Go
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: 'go.mod'
       - name: Setup caches
         uses: ./.github/actions/setup-caches
         timeout-minutes: 5
         continue-on-error: true
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-      - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3
+      - uses: anchore/sbom-action/download-syft@9f7302141466aa6482940f15371237e9d9f4c34a
       - name: Install Cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      # - name: download artifact
+      #  uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      #  with:
+      #    name: capsule-seccomp
+      #    path: ./capsule-seccomp.json
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
           version: latest
-          args: release --clean --timeout 90m --debug
+          args: release --clean --timeout 90m
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard.yml

@@ -20,23 +20,23 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: Run analysis
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
           repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           publish_results: true
       - name: Upload artifact
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif

.gitignore

@@ -31,3 +31,4 @@ dist/
 .DS_Store
 *.tgz
 kind.yaml
+capsule-seccomp.json

.golangci.yml

@@ -1,7 +1,4 @@
-
 linters-settings:
-  govet:
-    check-shadowing: true
   dupl:
     threshold: 100
   goconst:
@@ -33,40 +30,31 @@ linters-settings:
 linters:
   enable-all: true
   disable:
+    - err113
     - depguard
     - perfsprint
     - funlen
     - gochecknoinits
     - lll
-    - exhaustivestruct
-    - maligned
-    - interfacer
-    - scopelint
-    - golint
     - gochecknoglobals
-    - goerr113
-    - gomnd
+    - mnd
+    - nilnil
+    - recvcheck
+    - unparam
     - paralleltest
     - ireturn
     - testpackage
     - varnamelen
     - wrapcheck
     - exhaustruct
-    - varcheck
-    - structcheck
-    - nosnakecase
-    - deadcode
-    - ifshort
     - nonamedreturns
-
-service:
-  golangci-lint-version: 1.56.x
-
-run:
-  timeout: 3m
-  go: '1.21'
-  skip-files:
+issues:
+  exclude-files:
     - "zz_.*\\.go$"
     - ".+\\.generated.go"
     - ".+_test.go"
     - ".+_test_.+.go"
+run:
+  timeout: 3m
+  allow-parallel-runners: true
+  tests: false

.goreleaser.yml

@@ -31,13 +31,33 @@ builds:
 release:
   prerelease: auto
   footer: |
-    Thanks to all the contributors!
-
     **Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
-    
+
     **Docker Images**
-    - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}`
+    - `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Version }}`
     - `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
+
+    **Helm Chart**
+    View this release on [Artifact Hub](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}) or use the OCI helm chart:
+
+    - `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}`
+
+    [Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes)
+
+    **Kubernetes compatibility**
+
+    [!IMPORTANT]
+    Note that the Capsule project offers support only for the latest minor version of Kubernetes.
+    Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).
+
+    | Kubernetes version | Minimum required |
+    |--------------------|------------------|
+    | `v1.31`            | `>= 1.31.0`      |
+
+
+    Thanks to all the contributors! 🚀 🦄
+  # extra_files:
+  #  - glob: ./capsule-seccomp.json
 checksum:
   name_template: 'checksums.txt'
 changelog:
@@ -83,4 +103,4 @@ signs:
   - "--output-signature=${signature}"
   - "${artifact}"
   - "--yes"
-  artifacts: all
+  artifacts: all

.ko.yaml

@@ -6,4 +6,4 @@ builds:
 - id: capsule
   main: ./
   ldflags:
-  - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
+  - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'

.pre-commit-config.yaml

@@ -0,0 +1,42 @@
+repos:
+- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+  rev: v9.22.0
+  hooks:
+  - id: commitlint
+    stages: [commit-msg]
+    additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v5.0.0
+  hooks:
+  - id: check-executables-have-shebangs
+  - id: check-yaml
+  - id: double-quote-string-fixer
+  - id: end-of-file-fixer
+  - id: trailing-whitespace
+- repo: https://github.com/adrienverge/yamllint
+  rev: v1.37.0
+  hooks:
+  - id: yamllint
+    args: [-c=.github/configs/lintconf.yaml]
+- repo: local
+  hooks:
+  - id: run-helm-docs
+    name: Execute helm-docs
+    entry: make helm-docs
+    language: system
+    files: ^charts/
+  - id: run-helm-schema
+    name: Execute helm-schema
+    entry: make helm-schema
+    language: system
+    files: ^charts/
+  - id: run-helm-lint
+    name: Execute helm-lint
+    entry: make helm-lint
+    language: system
+    files: ^charts/
+  - id: golangci-lint
+    name: Execute golangci-lint
+    entry: make golint
+    language: system
+    files: \.go$

ADOPTERS.md

@@ -7,8 +7,14 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
 ### [Bedag Informatik AG](https://www.bedag.ch/)
 ![Bedag](https://www.bedag.ch/wGlobal/wGlobal/layout/images/logo.svg)
 
-### [EPAM Delivery Platform](https://epam.github.io/edp-install/)
-![EPAM Delivery Platform](https://raw.githubusercontent.com/epam/edp-install/master/docs/assets/edp-logo-150x150-black.png)
+### [Begasoft AG](https://www.begasoft.ch)
+![Begasoft](./assets/adopters/begasoft.png)
+
+### [Department of Defense](https://www.defense.gov/)
+![United States Department of Defense](https://www.access-board.gov/images/dod-seal.png)
+
+### [KubeRocketCI](https://docs.kuberocketci.io/)
+![KubeRocketCI](https://raw.githubusercontent.com/epam/edp-install/master/docs/assets/krci-logo-267×150-white.png)
 
 ### [Fastweb](https://www.fastweb.it/)
 ![Fastweb](https://www.fastweb.it/grandi-aziende/gfx/common/logo-fastweb-header.svg)
@@ -25,6 +31,9 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
 ### [Reevo](https://www.reevo.it/)
 ![Reevo Cloud and CyberSecurity](https://www.dropbox.com/s/x3q6r0oqstgvtdr/Logo_ReeVo_270x200px.svg)
 
+### [Seeweb](https://seeweb.it/en)
+![Seeweb x Serverless GPU](https://www.seeweb.it/assets/images/logo-seeweb.svg)
+
 ### [University of Torino](https://www.unito.it)
 ![University of Torino](https://www.unito.it/sites/all/themes/bsunito/img/logo_new_2022.svg)
 
@@ -33,3 +42,6 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
 
 ### [Wargaming.net](https://www.wargaming.net/)
 ![Wargaming.net](https://static-cspbe-eu.wargaming.net/images/logo@2x.png)
+
+### [Enreach](https://www.enreach.com/)
+![Enreach](https://campaigns.enreach.com/hubfs/Global/logos/Enreach-logo-vertical-indigo.svg)

CHANGELOG.md

@@ -7,4 +7,4 @@ See the [Releases](https://github.com/projectcapsule/capsule/releases)
 
 ## Helm Chart
 
-For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).
+For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).

CONTRIBUTING.md

@@ -45,7 +45,7 @@ Prereleases are marked as `-rc.x` (release candidate) and may refere to any type
 
 The pull request title is checked according to the described [semantics](#semantics) (pull requests don't require a scope). However pull requests are currently not used to generate the changelog. Check if your pull requests body meets the following criteria:
 
-- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests 
+- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests
 - splitting changes into several and documented small commits
 - limit the git subject to 50 characters and write as the continuation of the
   sentence "If applied, this commit will ..."
@@ -70,7 +70,7 @@ git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY
 
 2. **Create a branch:**
 
-Create a new brach and navigate to the branch using this command.
+Create a new branch and navigate to it using this command.
 
 ```sh
 git checkout -b <new-branch>
@@ -104,7 +104,7 @@ To reorganise your commits, do the following (or use your way of doing it):
 
 
 1. Pull upstream changes
-   
+
 ```bash
 git remote add upstream git@github.com:projectcapsule/capsule.git
 git pull upstream main
@@ -180,10 +180,9 @@ The semantics should indicate the change and it's impact. The general format for
 The following types are allowed for commits and pull requests:
 
   * `chore`: housekeeping changes, no production code change
-  * `ci`: changes to buillding process/workflows
+  * `ci`: changes to building process/workflows
   * `docs`: changes to documentation
   * `feat`: new features
   * `fix`: bug fixes
   * `test`: test related changes
   * `sec`: security related changes
-

DEPENDENCY.md

@@ -23,10 +23,10 @@ Capsule maintainers must follow these guidelines when consuming third-party pack
 
 When adding a new third-party package to Capsule, maintainers must follow these steps:
 
-1. Evaluate the need for the package. Is it necessary for the functionality of Capsule? 
-2. Research the package. Is it well-maintained? Does it have a good reputation? 
-3. Choose a version of the package. Use the latest version whenever possible. 
-4. Pin the package to the specific version in the Capsule codebase. 
+1. Evaluate the need for the package. Is it necessary for the functionality of Capsule?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Capsule codebase.
 5. Update the Capsule documentation to reflect the new dependency.
 
 ## Archive/Deprecation

DEVELOPMENT.md

@@ -60,7 +60,7 @@ To achieve that, there are some necessary steps we need to walk through, which h
 
 So the TL;DR answer is:
 
-**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup. 
+**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup.
 
 ```bash
 # If you haven't installed or run `make deploy` before, do it first
@@ -222,12 +222,12 @@ time="2023-10-23T13:45:08Z" level=info msg="Found Chart directories [charts/caps
 time="2023-10-23T13:45:08Z" level=info msg="Generating README Documentation for chart /helm-docs/charts/capsule"
 ```
 
-This will update the documentation for the chart in the `README.md` file. 
+This will update the documentation for the chart in the `README.md` file.
 
-### Helm Changelog 
+### Helm Changelog
 
 The `version` of the chart does not require a bump, since it's driven by our release process. The `appVersion` of the chart is the version of the Capsule project. This is the version that should be bumped when a new Capsule version is released. This will be done by the maintainers.
 
 To create the proper changelog for the helm chart, all changes which affect the helm chart must be documented as chart annotation. See all the available [chart annotations](https://artifacthub.io/docs/topics/annotations/helm/).
 
-This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.
+This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.

Dockerfile

@@ -1,40 +0,0 @@
-# Build the manager binary
-FROM golang:1.20.10 as builder
-
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-ARG TARGETARCH
-ARG GIT_HEAD_COMMIT
-ARG GIT_TAG_COMMIT
-ARG GIT_LAST_TAG
-ARG GIT_MODIFIED
-ARG GIT_REPO
-ARG BUILD_DATE
-
-# Copy the go source
-COPY main.go main.go
-COPY version.go version.go
-COPY api/ api/
-COPY controllers/ controllers/
-COPY pkg/ pkg/
-
-# Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build \
-        -gcflags "-N -l" \
-        -ldflags "-X main.GitRepo=$GIT_REPO -X main.GitTag=$GIT_LAST_TAG -X main.GitCommit=$GIT_HEAD_COMMIT -X main.GitDirty=$GIT_MODIFIED -X main.BuildTime=$BUILD_DATE" \
-        -o manager
-
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
-WORKDIR /
-COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
-
-ENTRYPOINT ["/manager"]

Dockerfile.tracing

@@ -0,0 +1,17 @@
+# Target Binary
+ARG TARGET_IMAGE
+FROM ${TARGET_IMAGE} AS target
+
+# Inject Harpoon Image
+FROM ghcr.io/alegrey91/harpoon:latest
+WORKDIR /
+COPY --from=target /ko-app/capsule ./manager
+RUN chmod +x ./harpoon
+ENTRYPOINT ["/harpoon", \
+		"capture", \
+		"-f", "main.main", \
+		"-E", "NAMESPACE=capsule-system", \
+		"-i", "2", \
+		"-c", "-e", \
+		"-S", "-D", "/tmp/results/", \
+		"--", "/manager"]

GOVERNANCE.md

@@ -0,0 +1,133 @@
+# Capsule Project Governance
+
+The **Capsule** project is dedicated to creating a multi-tenancy and policy-based framework for Kubernetes. This governance explains how the project is run.
+
+- [Values](#values)
+- [Maintainers](#maintainers)
+- [Becoming a Maintainer](#becoming-a-maintainer)
+- [Meetings](#meetings)
+- [CNCF Resources](#cncf-resources)
+- [Code of Conduct Enforcement](#code-of-conduct)
+- [Security Response Team](#security-response-team)
+- [Voting](#voting)
+- [Modifications](#modifying-this-charter)
+
+## Values
+
+The Capsule and its leadership embrace the following values:
+
+* Openness: Communication and decision-making happens in the open and is discoverable for future
+  reference. As much as possible, all discussions and work take place in public
+  Slack channels and open repositories.
+
+* Fairness: All stakeholders have the opportunity to provide feedback and submit
+  contributions, which will be considered on their merits.
+
+* Community over Product or Company: Sustaining and growing our community takes
+  priority over shipping code or sponsors' organizational goals.  Each
+  contributor participates in the project as an individual.
+
+* Community Before Individual Demand: As a community-driven open source project, we emphasize
+  the importance of collaboration and contribution. Maintainers and contributors work together towards the project's growth, not to serve unilateral user demands. Users pretending features or enhancements for their sole benefit without contributing to the effort are not aligned with our community values.
+
+* Inclusivity: We innovate through different perspectives and skill sets, which
+  can only be accomplished in a welcoming and respectful environment.
+
+* Participation: Responsibilities within the project are earned through
+  participation, and there is a clear path up the contributor ladder into leadership
+  positions.
+
+## Maintainers
+
+Capsule Maintainers have write access to the [project GitHub repository](https://github.com/orgs/projectcapsule). They can merge their own patches or patches from others. The current maintainers
+can be found in [MAINTAINERS.md](./MAINTAINERS.md).  Maintainers collectively manage the project's
+resources and contributors.
+
+This privilege is granted with some expectation of responsibility: maintainers
+are people who care about the Capsule project and want to help it grow and
+improve. A maintainer is not just someone who can make changes, but someone who
+has demonstrated their ability to collaborate with the team, get the most
+knowledgeable people to review code and docs.
+
+A maintainer is a contributor to the project's success and a citizen helping
+the project succeed. The collective team of all Maintainers is known as the Maintainer Council, which
+is the governing body for the project.
+
+### Becoming a Maintainer
+
+To become a Maintainer you need to demonstrate the following:
+
+  * commitment to the project:
+    * participate in discussions, contributions, code and documentation reviews,
+    * perform reviews for non-trivial pull requests,
+    * contribute non-trivial pull requests and have them merged,
+  * ability to write quality code and/or documentation,
+  * ability to collaborate with the team,
+  * understanding of how the team works (policies, processes for testing and code review, etc),
+  * understanding of the project's purpose, code base and coding and documentation style.
+
+A new Maintainer must be proposed by an existing maintainer by sending a message to all the other existing Maintainers. A simple majority vote of existing Maintainers
+approves the application. Maintainers nominations will be evaluated without prejudice
+to employer or demographics.
+
+Maintainers who are selected will be granted the necessary GitHub rights.
+
+### Removing a Maintainer
+
+Maintainers may resign at any time if they feel that they will not be able to
+continue fulfilling their project duties.
+
+Maintainers may also be removed after being inactive, failure to fulfill their
+Maintainer responsibilities, violating the Code of Conduct, or other reasons.
+A Maintainer may be removed at any time by a 2/3 vote of the remaining maintainers.
+
+Depending on the reason for removal, a Maintainer may be converted to Emeritus
+status.  Emeritus Maintainers will still be consulted on some project matters,
+and can be rapidly returned to Maintainer status if their availability changes.
+
+## Meetings
+
+Time zones permitting, Maintainers are expected to participate in the public
+developer meeting and/or public discussions.
+
+Maintainers will also have closed meetings in order to discuss security reports
+or Code of Conduct violations. Such meetings should be scheduled by any
+Maintainer on receipt of a security issue or CoC report. All current Maintainers
+must be invited to such closed meetings, except for any Maintainer who is
+accused of a CoC violation.
+
+## CNCF Resources
+
+Any Maintainer may suggest a request for CNCF resources. A simple majority of Maintainers
+approves the request. The Maintainers may also choose to delegate working with the CNCF to non-Maintainer community members, who will then be added to the [CNCF's Maintainer List](https://github.com/cncf/foundation/blob/main/project-maintainers.csv) for that purpose.
+
+## Code of Conduct
+
+[Code of Conduct](./CODE_OF_CONDUCT.md)
+violations by community members will be discussed and resolved in private Maintainer meetings. If a Maintainer is directly involved in the report, the Maintainers will instead designate two Maintainers to work with the CNCF Code of Conduct Committee in resolving it.
+
+## Security Response Team
+
+The Maintainers will appoint a Security Response Team to handle security reports.
+This committee may simply consist of the Maintainer Council themselves.  If this
+responsibility is delegated, the Maintainers will appoint a team of at least two
+contributors to handle it.  The Maintainers will review who is assigned to this
+at least once a year.
+
+The Security Response Team is responsible for handling all reports of security
+holes and breaches according to the [security policy](TODO:Link to security.md).
+
+## Voting
+
+While most business in Capsule Project is conducted by "[lazy consensus](https://community.apache.org/committers/lazyConsensus.html)",
+periodically the Maintainers may need to vote on specific actions or changes.
+Any Maintainer may demand a vote be taken.
+
+Most votes require a simple majority of all Maintainers to succeed, except where
+otherwise noted. Two-thirds majority votes mean at least two-thirds of all
+existing maintainers.
+
+## Modifying this Charter
+
+Changes to this Governance and its supporting documents may be approved by
+a 2/3 vote of the Maintainers.

MAINTAINERS.md

@@ -0,0 +1,13 @@
+The current Maintainers Group for the [TODO: Projectname] Project consists of:
+
+| Name                      | Employer    | Responsibilities |
+| ------------------------- | ----------- | ---------------- |
+|  Adriano Pezzuto          | Clastix     |  Maintainer      |
+|  Dario Tranchitella       | Clastix     |  Maintainer      |
+|  Maksim Fedotov           | Wargaming   |  Maintainer      |
+|  Oliver Bähler            | Peak Scale  |  Maintainer      |
+|  Massimiliano Giovagnoli  | Proximus    |  Maintainer      |
+
+This list must be kept in sync with the [CNCF Project Maintainers list](https://github.com/cncf/foundation/blob/master/project-maintainers.csv).
+
+See [the project Governance](GOVERNANCE.md) for how maintainers are selected and replaced.

Makefile

@@ -1,6 +1,8 @@
 # Version
 GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
 VERSION         ?= $(or $(shell git describe --abbrev=0 --tags --match "v*" 2>/dev/null),$(GIT_HEAD_COMMIT))
+GOOS                 ?= $(shell go env GOOS)
+GOARCH               ?= $(shell go env GOARCH)
 
 # Defaults
 REGISTRY        ?= ghcr.io
@@ -14,6 +16,14 @@ BUILD_DATE      ?= $(shell git log -1 --format="%at" | xargs -I{} sh -c 'if [ "$
 IMG_BASE        ?= $(REPOSITORY)
 IMG             ?= $(IMG_BASE):$(VERSION)
 CAPSULE_IMG     ?= $(REGISTRY)/$(IMG_BASE)
+CLUSTER_NAME    ?= capsule
+
+## Kubernetes Version Support
+KUBERNETES_SUPPORTED_VERSION ?= "v1.31.0"
+
+## Tool Binaries
+KUBECTL ?= kubectl
+HELM ?= helm
 
 # Options for 'bundle-build'
 ifneq ($(origin CHANNELS), undefined)
@@ -50,40 +60,14 @@ manager: generate golint
 run: generate manifests
 	go run .
 
-# Creates the single file to install Capsule without any external dependency
-installer: manifests kustomize
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG}
-	$(KUSTOMIZE) build config/default > config/install.yaml
-
-# Install CRDs into a cluster
-install: installer
-	$(KUSTOMIZE) build config/crd | kubectl apply -f -
-
-# Uninstall CRDs from a cluster
-uninstall: installer
-	$(KUSTOMIZE) build config/crd | kubectl delete -f -
-
-# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-deploy: installer
-	kubectl apply -f config/install.yaml
-
-# Remove controller in the configured Kubernetes cluster in ~/.kube/config
-remove: installer
-	kubectl delete -f config/install.yaml
-	kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
-	kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
-
 # Generate manifests e.g. CRD, RBAC etc.
-manifests: controller-gen
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+manifests: generate
+	$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=charts/capsule/crds
 
 # Generate code
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
-apidoc: apidocs-gen
-	$(APIDOCS_GEN) crdoc --resources config/crd/bases --output docs/content/general/crds-apis.md --template docs/template/reference-cr.tmpl
-
 # Helm
 SRC_ROOT = $(shell git rev-parse --show-toplevel)
 
@@ -91,31 +75,33 @@ helm-controller-version:
 	$(eval VERSION := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
 	$(eval KO_TAGS := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
 
-helm-docs: HELMDOCS_VERSION := v1.11.0
-helm-docs: docker
-	@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
+helm-docs: helm-doc
+	$(HELM_DOCS) --chart-search-root ./charts
 
-helm-lint: CT_VERSION := v3.3.1
-helm-lint: docker
-	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml  --lint-conf .github/configs/lintconf.yaml  --all --debug"
+helm-lint: ct
+	@$(CT) lint --config .github/configs/ct.yaml --validate-yaml=false --all --debug
 
-helm-test: helm-controller-version kind ct ko-build-all
-	@kind create cluster --wait=60s --name capsule-charts
-	@kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
-	@kubectl create ns capsule-system
-	@kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
-	@kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
-	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
-	@kind delete cluster --name capsule-charts
+helm-schema: helm-plugin-schema
+	cd charts/capsule && $(HELM) schema -output values.schema.json
 
-docker:
-	@hash docker 2>/dev/null || {\
-		echo "You need docker" &&\
-		exit 1;\
-	}
+helm-test: HELM_KIND_CONFIG ?= ""
+helm-test: kind
+	@mkdir -p /tmp/results || true
+	@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config $(HELM_KIND_CONFIG)
+	@make helm-test-exec
+	@$(KIND) delete cluster --name capsule-charts
+
+helm-test-exec: ct helm-controller-version ko-build-all
+	$(MAKE) docker-build-capsule-trace
+	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
+	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
+	@$(KUBECTL) create ns capsule-system || true
+	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+	@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+	@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
 
 # Setup development env
-# Usage: 
+# Usage:
 # 	LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
 # For example:
 #	LAPTOP_HOST_IP=192.168.10.101 make dev-setup
@@ -137,7 +123,6 @@ IP.1   = $(LAPTOP_HOST_IP)
 endef
 export TLS_CNF
 dev-setup:
-	kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
 	mkdir -p /tmp/k8s-webhook-server/serving-certs
 	echo "$${TLS_CNF}" > _tls.cnf
 	openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -146,43 +131,32 @@ dev-setup:
 		-config _tls.cnf \
 		-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
 		-out /tmp/k8s-webhook-server/serving-certs/tls.crt
-	rm -f _tls.cnf 
+	$(KUBECTL) create secret tls capsule-tls -n capsule-system \
+		--cert=/tmp/k8s-webhook-server/serving-certs/tls.crt\
+		--key=/tmp/k8s-webhook-server/serving-certs/tls.key || true
+	rm -f _tls.cnf
 	export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
 	export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
-	kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
-		--type='json' -p="[\
-		    {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\
-		]" && \
-	kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
-		--type='json' -p="[\
-			{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenantresource-objects\",'caBundle':\"$${CA_BUNDLE}\"}},\
-			{'op': 'replace', 'path': '/webhooks/9/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}\
-		]" && \
-	kubectl patch crd tenants.capsule.clastix.io \
-		--type='json' -p="[\
-			{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
-		]" && \
-	kubectl patch crd capsuleconfigurations.capsule.clastix.io \
-		--type='json' -p="[\
-			{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
-		]";
-
+	$(HELM) upgrade \
+	    --dependency-update \
+		--debug \
+		--install \
+		--namespace capsule-system \
+		--create-namespace \
+		--set 'crds.install=true' \
+		--set 'crds.exclusive=true'\
+		--set "webhooks.exclusive=true"\
+		--set "webhooks.service.url=$${WEBHOOK_URL}" \
+		--set "webhooks.service.caBundle=$${CA_BUNDLE}" \
+		capsule \
+		./charts/capsule
+	$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
 
 ####################
 # -- Docker
 ####################
 
+KO_PLATFORM     ?= linux/$(GOARCH)
 KOCACHE         ?= /tmp/ko-cache
 KO_REGISTRY     := ko.local
 KO_TAGS         ?= "latest"
@@ -202,13 +176,21 @@ LD_FLAGS        := "-X main.Version=$(VERSION) \
 
 .PHONY: ko-build-capsule
 ko-build-capsule: ko
-	@echo Building Capsule $(KO_TAGS) >&2
+	@echo Building Capsule $(KO_TAGS) for $(KO_PLATFORM) >&2
 	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
-		$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local
+		$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
 
 .PHONY: ko-build-all
 ko-build-all: ko-build-capsule
 
+.PHONY: docker-build-capsule-trace
+docker-build-capsule-trace: ko-build-capsule
+	@docker build \
+		--no-cache \
+		--build-arg TARGET_IMAGE=$(CAPSULE_IMG):$(VERSION) \
+		-t $(CAPSULE_IMG):tracing \
+		-f Dockerfile.tracing .
+
 # Docker Image Publish
 # ------------------
 
@@ -227,105 +209,30 @@ ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
 .PHONY: ko-publish-all
 ko-publish-all: ko-publish-capsule
 
-####################
-# -- Binaries
-####################
-
-CONTROLLER_GEN         := $(shell pwd)/bin/controller-gen
-CONTROLLER_GEN_VERSION := v0.10.0
-controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
-
-APIDOCS_GEN         := $(shell pwd)/bin/crdoc
-APIDOCS_GEN_VERSION := latest
-apidocs-gen: ## Download crdoc locally if necessary.
-	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
-
-GINKGO         := $(shell pwd)/bin/ginkgo
-GINGKO_VERSION := v2.15.0
-ginkgo: ## Download ginkgo locally if necessary.
-	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
-
-CT         := $(shell pwd)/bin/ct
-CT_VERSION := v3.7.1
-ct: ## Download ct locally if necessary.
-	$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
-
-KIND         := $(shell pwd)/bin/kind
-KIND_VERSION := v0.17.0
-kind: ## Download kind locally if necessary.
-	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
-
-KUSTOMIZE         := $(shell pwd)/bin/kustomize
-KUSTOMIZE_VERSION := 3.8.7
-kustomize: ## Download kustomize locally if necessary.
-	$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
-
-KO = $(shell pwd)/bin/ko
-KO_VERSION = v0.14.1
-ko:
-	$(call go-install-tool,$(KO),github.com/google/ko@$(KO_VERSION))
-
-####################
-# -- Helpers
-####################
-pull-upstream:
-	git remote add upstream https://github.com/capsuleproject/capsule.git
-	git fetch --all && git pull upstream
-
-define install-kustomize
-@[ -f $(1) ] || { \
-set -e ;\
-echo "Installing v$(2)" ;\
-cd bin ;\
-wget "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" ;\
-bash ./install_kustomize.sh $(2) ;\
-}
-endef
-
-# go-install-tool will 'go install' any package $2 and install it to $1.
-PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
-define go-install-tool
-@[ -f $(1) ] || { \
-set -e ;\
-GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
-}
-endef
-
-# Generate bundle manifests and metadata, then validate generated files.
-bundle: manifests
-	operator-sdk generate kustomize manifests -q
-	kustomize build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
-	operator-sdk bundle validate ./bundle
-
 # Sorting imports
 .PHONY: goimports
 goimports:
 	goimports -w -l -local "github.com/projectcapsule/capsule" .
 
-GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
-GOLANGCI_LINT_VERSION = v1.56.2
-golangci-lint: ## Download golangci-lint locally if necessary.
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
-
 # Linting code as PR is expecting
 .PHONY: golint
 golint: golangci-lint
-	$(GOLANGCI_LINT) run -c .golangci.yml
+	$(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
 
 # Running e2e tests in a KinD instance
 .PHONY: e2e
-e2e/%: ginkgo
-	$(MAKE) e2e-build/$* && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
+e2e: ginkgo
+	$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
 
-e2e-build/%:
-	kind create cluster --wait=60s --name capsule --image=kindest/node:$*
-	make e2e-load-image
-	make e2e-install
+e2e-build: kind
+	$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
+	$(MAKE) e2e-install
 
 .PHONY: e2e-install
-e2e-install:
-	helm upgrade \
+e2e-install: ko-build-all
+	$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
+	$(HELM) upgrade \
+	    --dependency-update \
 		--debug \
 		--install \
 		--namespace capsule-system \
@@ -335,23 +242,147 @@ e2e-install:
 		--set "manager.image.tag=$(VERSION)" \
 		--set 'manager.livenessProbe.failureThreshold=10' \
 		--set 'manager.readinessProbe.failureThreshold=10' \
-		--set 'podSecurityContext.seccompProfile=null' \
 		capsule \
 		./charts/capsule
 
+.PHONY: trace-install
+trace-install:
+	helm upgrade \
+	    --dependency-update \
+		--debug \
+		--install \
+		--namespace capsule-system \
+		--create-namespace \
+		--set 'manager.resources=null'\
+		--set 'manager.livenessProbe.failureThreshold=10' \
+		--set 'manager.readinessProbe.failureThreshold=10' \
+		--values charts/capsule/ci/tracing-values.yaml \
+		capsule \
+		./charts/capsule
+
+.PHONY: trace-e2e
+trace-e2e: kind
+	$(MAKE) docker-build-capsule-trace
+	$(KIND) create cluster --wait=60s --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config hack/kind-cluster.yml
+	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-tracing IMAGE=$(CAPSULE_IMG) VERSION=tracing
+	$(MAKE) trace-install
+	$(MAKE) e2e-exec
+	$(KIND) delete cluster --name capsule-tracing
+
+.PHONY: trace-unit
+trace-unit: harpoon
+	$(HARPOON) analyze -e .git/ -e assets/ -e charts/ -e config/ -e docs/ -e e2e/ -e hack/ --directory /tmp/artifacts/ --save
+	$(HARPOON) hunt -D /tmp/results -F harpoon-report.yml --include-cmd-stdout --save
+
+.PHONY: seccomp
+seccomp:
+	$(HARPOON) build --add-syscall-sets=dynamic,docker -D /tmp/results --name capsule-seccomp.json --save
+
 .PHONY: e2e-load-image
-e2e-load-image: ko-build-all
-	kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
+e2e-load-image: kind
+	$(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME)
 
 .PHONY: e2e-exec
 e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e
 
 .PHONY: e2e-destroy
-e2e-destroy:
-	kind delete cluster --name capsule
+e2e-destroy: kind
+	$(KIND) delete cluster --name capsule
 
 SPELL_CHECKER = npx spellchecker-cli
 docs-lint:
-	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" -d dictionary.txt
+	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt
 
+####################
+# -- Helpers
+####################
+pull-upstream:
+	git remote add upstream https://github.com/capsuleproject/capsule.git
+	git fetch --all && git pull upstream
+
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+####################
+# -- Helm Plugins
+####################
+
+HELM_SCHEMA_VERSION   := ""
+helm-plugin-schema:
+	@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
+
+HELM_DOCS         := $(LOCALBIN)/helm-docs
+HELM_DOCS_VERSION := v1.14.1
+HELM_DOCS_LOOKUP  := norwoodj/helm-docs
+helm-doc:
+	@test -s $(HELM_DOCS) || \
+	$(call go-install-tool,$(HELM_DOCS),github.com/$(HELM_DOCS_LOOKUP)/cmd/helm-docs@$(HELM_DOCS_VERSION))
+
+####################
+# -- Tools
+####################
+CONTROLLER_GEN         := $(LOCALBIN)/controller-gen
+CONTROLLER_GEN_VERSION ?= v0.17.3
+CONTROLLER_GEN_LOOKUP  := kubernetes-sigs/controller-tools
+controller-gen:
+	@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
+
+GINKGO := $(LOCALBIN)/ginkgo
+ginkgo:
+	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
+
+CT         := $(LOCALBIN)/ct
+CT_VERSION := v3.12.0
+CT_LOOKUP  := helm/chart-testing
+ct:
+	@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
+	$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
+
+KIND         := $(LOCALBIN)/kind
+KIND_VERSION := v0.27.0
+KIND_LOOKUP  := kubernetes-sigs/kind
+kind:
+	@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
+	$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
+
+KO           := $(LOCALBIN)/ko
+KO_VERSION   := v0.17.1
+KO_LOOKUP    := google/ko
+ko:
+	@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
+	$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
+
+GOLANGCI_LINT          := $(LOCALBIN)/golangci-lint
+GOLANGCI_LINT_VERSION  := v1.64.5
+GOLANGCI_LINT_LOOKUP   := golangci/golangci-lint
+golangci-lint: ## Download golangci-lint locally if necessary.
+	@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
+
+APIDOCS_GEN         := $(LOCALBIN)/crdoc
+APIDOCS_GEN_VERSION := v0.6.4
+APIDOCS_GEN_LOOKUP  := fybrik/crdoc
+apidocs-gen: ## Download crdoc locally if necessary.
+	@test -s $(APIDOCS_GEN) && $(APIDOCS_GEN) --version | grep -q $(APIDOCS_GEN_VERSION) || \
+	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
+
+HARPOON         := $(LOCALBIN)/harpoon
+HARPOON_VERSION := v0.9.6
+HARPOON_LOOKUP  := alegrey91/harpoon
+harpoon:
+	@mkdir $(LOCALBIN)
+	@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
+		sudo bash -s -- --install-version $(HARPOON_VERSION) --install-dir $(LOCALBIN)
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+[ -f $(1) ] || { \
+    set -e ;\
+    GOBIN=$(LOCALBIN) go install $(2) ;\
+}
+endef

README.md

@@ -23,7 +23,7 @@
 </p>
 
 <p align="center">
-  <img src="assets/logo/capsule_medium.png" />
+  <img src="assets/logo/capsule.svg" height=560 />
 </p>
 
 ---
@@ -40,9 +40,9 @@ Kubernetes introduces the _Namespace_ object type to create logical partitions o
 
 # Entering Capsule
 
-Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources. 
+Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
 
-On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator. 
+On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
 
 # Features
 
@@ -76,30 +76,12 @@ Assign to tenants a dedicated set of compute, storage, and network resources and
 
 # Documentation
 
-Please, check the project [documentation](https://capsule.clastix.io) for the cool things you can do with Capsule.
+Please check the project [documentation](https://projectcapsule.dev) for the cool things you can do with Capsule.
 
 # Contributions
 
 Capsule is Open Source with Apache 2 license and any contribution is welcome.
 
-## Chart Development
-
-### Chart Linting
-
-The chart is linted with [ct](https://github.com/helm/chart-testing). You can run the linter locally with this command:
-
-```
-make helm-lint
-```
-
-### Chart Documentation
-
-The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation. Run this anytime you make changes to a `values.yaml` file:
-
-```
-make helm-docs
-```
-
 ## Community meeting
 
 Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
@@ -110,17 +92,19 @@ Please read the [code of conduct](CODE_OF_CONDUCT.md).
 
 See the [ADOPTERS.md](ADOPTERS.md) file for a list of companies that are using Capsule.
 
-# Governance
+# Project Governance
 
-You can find how the Capsule project is governed [here](https://capsule.clastix.io/docs/contributing/governance).
+You can find how the Capsule project is governed [here](https://projectcapsule.dev/project/governance/).
 
 ## Maintainers
 
-Please, refer to the maintainers file available [here](.github/maintainers.yaml).
+Please refer to the maintainers file available [here](.github/maintainers.yaml).
 
-## Release process
+## CLOMonitor
 
-Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
+CLOMonitor is a tool that periodically checks open source project repositories to verify they meet certain project health best practices.
+
+[![CloMonitor report summary](https://clomonitor.io/api/projects/cncf/capsule/report-summary?theme=light)](https://clomonitor.io/projects/cncf/capsule)
 
 ### Changelog
 
@@ -128,22 +112,22 @@ Read how we log changes [here](CHANGELOG.md)
 
 ### Software Bill of Materials
 
-All OCI release artifacts include a Software Bill of Materials (SBOM) in CycloneDX JSON format. More information on this is available [here](SECURITY.md#software-bill-of-materials-sbom)
+All OCI release artifacts include a Software Bill of Materials (SBOM) in CycloneDX JSON format. More information about this is available [here](SECURITY.md#software-bill-of-materials-sbom)
 
 # FAQ
 
-- Q. How to pronounce Capsule?
+- Q. How do you pronounce Capsule?
 
   A. It should be pronounced as `/ˈkæpsjuːl/`.
 
 - Q. Is it production grade?
 
-  A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/projectcapsule/capsule/releases) page for a detailed list of available versions.
+  A. Although under frequent development and improvement, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/projectcapsule/capsule/releases) page for a detailed list of available versions.
 
 - Q. Does it work with my Kubernetes XYZ distribution?
 
-  A. We tested Capsule with vanilla Kubernetes 1.16+ on private environments and public clouds. We expect it to work smoothly on any other Kubernetes distribution. Please, let us know if you find it doesn't.
+  A. We tested Capsule with vanilla Kubernetes 1.16+ on private environments and public clouds. We expect it to work smoothly on any other Kubernetes distribution. Please let us know if you find it doesn't.
 
 - Q. Do you provide commercial support?
 
-  A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote. 
+  A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote.

ROADMAP.md

@@ -1,3 +1,3 @@
 # Roadmap
 
-future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.
+future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.

SECURITY-INSIGHTS.yml

@@ -57,4 +57,3 @@ security-contacts:
 - type: email
   value: cncf-capsule-maintainers@lists.cncf.io
   primary: true
-

SECURITY.md

@@ -6,7 +6,6 @@ The Capsule community has adopted this security disclosures and response policy
 
 For information regarding the security of this project please join our [slack channel](https://kubernetes.slack.com/archives/C03GETTJQRL).
 
-
 ## Covered Repositories and Issues
 
 When we say "a security vulnerability in capsule" we mean a security issue
@@ -35,7 +34,7 @@ To report a security issue or vulnerability, [submit a private vulnerability rep
 Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. should contain the following:
 
      * description of the problem
-     * precise and detailed steps (include screenshots) 
+     * precise and detailed steps (include screenshots)
      * the affected version(s). This may also include environment relevant versions.
      * any possible mitigations
 
@@ -55,19 +54,23 @@ Response times could be affected by weekends, holidays, breaks or time zone diff
 
 ## Verifing
 
-To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). We have a seperate repository for all the signatures for all the artifacts released under the projectcapsule - `ghcr.io/projectcapsule/signatures`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
 
-    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures
+    # Docker Image
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
+
+    # Helm Chart
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
 
 To verify the signature of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
       --certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/docker-publish.yml@refs/tags/*" \
       --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
 
 To verify the signature of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
       --certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/helm-publish.yml@refs/tags/*" \
       --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
 
@@ -96,19 +99,23 @@ cosign verify-attestation --type slsaprovenance \
 
 ## Software Bill of Materials (SBOM)
 
-An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at `ghcr.io/projectcapsule/sbom`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each release, including pre-releases. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+
+    # Docker Image
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
+
+    # Helm Chart
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
 
-    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom
 
 To inspect the SBOM of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
 
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
-    
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
+
 To inspect the SBOM of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
-
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
 
 # Credits
 

SELF_ASSESSMENT.md

@@ -81,7 +81,7 @@ Capsule was accepted as a CNCF sandbox project in December 2022.
 It's the Operator which provides all the multi-tenant capabilities offered by Capsule.
 It's made of two internal components, such as the webhooks server (known as _policy engine_), and the _tenant controller_.
 
-**Capsule Tenant Controller** 
+**Capsule Tenant Controller**
 
 The controller is responsible for managing the tenants by reconciling the required objects at the Namespace level, such as _Network Policy_, _LimitRange_, _ResourceQuota_, _Role Binding_, as well as labelling the Namespace objects belonging to a Tenant according to their desired metadata.
 It is responsible for binding Namespaces to the selected Tenant, and managing their lifecycle.
@@ -90,10 +90,10 @@ Furthermore, the manager can replicate objects thanks to the **Tenant Resource**
 
 The replicated resources are dynamically created, and replicated by Capsule itself, as well as preserving the deletion of these objects by the Tenant owner.
 
-**Capsule Tenant Controller (Policy Engine)** 
+**Capsule Tenant Controller (Policy Engine)**
 
 Policies are defined on a Tenant basis: therefore the policy engine is enforcing these policies on the tenants's Namespaces and their children's resources.
-The Policy Engine is currently not a dedicated component, but a part of the Capsule Tenant Controller. 
+The Policy Engine is currently not a dedicated component, but a part of the Capsule Tenant Controller.
 
 The webhook server, also known as the policy engine, interpolates the Tenant rules and takes full advantage of the dynamic admission controllers offered by Kubernetes itself (such as `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration`).
 Thanks to the _policy engine_ the cluster administrators can enforce specific rules such as preventing _Pod_ objects from untrusted registries to run or preventing the creation of _PersistentVolumeClaim_ resources using a non-allowed _StorageClass_, etc.
@@ -152,7 +152,7 @@ This is a further abstraction from having cluster defaults (eg. default `Storage
 
 **General**
 
-* **Control Plane**: Capsule can't mimic for each tenant a feeling of a dedicated control plane. 
+* **Control Plane**: Capsule can't mimic for each tenant a feeling of a dedicated control plane.
 
 * **Custom Resource Definitions**: Capsule doesn't want to provide virtual cluster capabilities and it's sticking to the native Kubernetes user experience and design; rather, its focus is to provide a governance solution by focusing on resource optimization and security lockdown.
 

api/v1beta1/zz_generated.deepcopy.go

@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 // Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0

api/v1beta2/tenant_func.go

@@ -4,9 +4,13 @@
 package v1beta2
 
 import (
+	"slices"
 	"sort"
 
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+
+	"github.com/projectcapsule/capsule/pkg/api"
 )
 
 func (in *Tenant) IsFull() bool {
@@ -36,3 +40,128 @@ func (in *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
 func (in *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
 	return in.Spec.Owners.FindOwner(name, kind).ProxyOperations
 }
+
+// GetClusterRolePermissions returns a map where the clusterRole is the key
+// and the value is a list of permission subjects (kind and name) that reference that role.
+// These mappings are gathered from the owners and additionalRolebindings spec.
+func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
+	rolePerms = make(map[string][]rbacv1.Subject)
+
+	// Helper to add permissions for a given clusterRole
+	addPermission := func(clusterRole string, permission rbacv1.Subject) {
+		if _, exists := rolePerms[clusterRole]; !exists {
+			rolePerms[clusterRole] = []rbacv1.Subject{}
+		}
+
+		rolePerms[clusterRole] = append(rolePerms[clusterRole], permission)
+	}
+
+	// Helper to check if a kind is in the ignoreOwnerKind list
+	isIgnoredKind := func(kind string) bool {
+		for _, ignored := range ignoreOwnerKind {
+			if kind == ignored.String() {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	// Process owners
+	for _, owner := range in.Spec.Owners {
+		if !isIgnoredKind(owner.Kind.String()) {
+			for _, clusterRole := range owner.ClusterRoles {
+				perm := rbacv1.Subject{
+					Name: owner.Name,
+					Kind: owner.Kind.String(),
+				}
+				addPermission(clusterRole, perm)
+			}
+		}
+	}
+
+	// Process additional role bindings
+	for _, role := range in.Spec.AdditionalRoleBindings {
+		for _, subject := range role.Subjects {
+			if !isIgnoredKind(subject.Kind) {
+				perm := rbacv1.Subject{
+					Name: subject.Name,
+					Kind: subject.Kind,
+				}
+				addPermission(role.ClusterRoleName, perm)
+			}
+		}
+	}
+
+	return
+}
+
+// Get the permissions for a tenant ordered by groups and users.
+func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
+	maps = make(map[string]map[string]api.TenantSubjectRoles)
+
+	// Initialize a nested map for kind ("User", "Group") and name
+	initNestedMap := func(kind string) {
+		if _, exists := maps[kind]; !exists {
+			maps[kind] = make(map[string]api.TenantSubjectRoles)
+		}
+	}
+	// Helper to check if a kind is in the ignoreOwnerKind list
+	isIgnoredKind := func(kind string) bool {
+		for _, ignored := range ignoreOwnerKind {
+			if kind == ignored.String() {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	// Process owners
+	for _, owner := range in.Spec.Owners {
+		if !isIgnoredKind(owner.Kind.String()) {
+			initNestedMap(owner.Kind.String())
+
+			if perm, exists := maps[owner.Kind.String()][owner.Name]; exists {
+				// If the permission entry already exists, append cluster roles
+				perm.ClusterRoles = append(perm.ClusterRoles, owner.ClusterRoles...)
+				maps[owner.Kind.String()][owner.Name] = perm
+			} else {
+				// Create a new permission entry
+				maps[owner.Kind.String()][owner.Name] = api.TenantSubjectRoles{
+					ClusterRoles: owner.ClusterRoles,
+				}
+			}
+		}
+	}
+
+	// Process additional role bindings
+	for _, role := range in.Spec.AdditionalRoleBindings {
+		for _, subject := range role.Subjects {
+			if !isIgnoredKind(subject.Kind) {
+				initNestedMap(subject.Kind)
+
+				if perm, exists := maps[subject.Kind][subject.Name]; exists {
+					// If the permission entry already exists, append cluster roles
+					perm.ClusterRoles = append(perm.ClusterRoles, role.ClusterRoleName)
+					maps[subject.Kind][subject.Name] = perm
+				} else {
+					// Create a new permission entry
+					maps[subject.Kind][subject.Name] = api.TenantSubjectRoles{
+						ClusterRoles: []string{role.ClusterRoleName},
+					}
+				}
+			}
+		}
+	}
+
+	// Remove duplicates from cluster roles in both maps
+	for kind, nameMap := range maps {
+		for name, perm := range nameMap {
+			perm.ClusterRoles = slices.Compact(perm.ClusterRoles)
+			maps[kind][name] = perm
+		}
+	}
+
+	return maps
+}

api/v1beta2/tenant_func_test.go

@@ -0,0 +1,192 @@
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/projectcapsule/capsule/pkg/api"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+var tenant = &Tenant{
+	Spec: TenantSpec{
+		Owners: []OwnerSpec{
+			{
+				Kind:         "User",
+				Name:         "user1",
+				ClusterRoles: []string{"cluster-admin", "read-only"},
+			},
+			{
+				Kind:         "Group",
+				Name:         "group1",
+				ClusterRoles: []string{"edit"},
+			},
+			{
+				Kind:         ServiceAccountOwner,
+				Name:         "service",
+				ClusterRoles: []string{"read-only"},
+			},
+		},
+		AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
+			{
+				ClusterRoleName: "developer",
+				Subjects: []rbacv1.Subject{
+					{Kind: "User", Name: "user2"},
+					{Kind: "Group", Name: "group1"},
+				},
+			},
+			{
+				ClusterRoleName: "cluster-admin",
+				Subjects: []rbacv1.Subject{
+					{
+						Kind: "User",
+						Name: "user3",
+					},
+					{
+						Kind: "Group",
+						Name: "group1",
+					},
+				},
+			},
+			{
+				ClusterRoleName: "deployer",
+				Subjects: []rbacv1.Subject{
+					{
+						Kind: "ServiceAccount",
+						Name: "system:serviceaccount:argocd:argo-operator",
+					},
+				},
+			},
+		},
+	},
+}
+
+// TestGetClusterRolePermissions tests the GetClusterRolePermissions function
+func TestGetSubjectsByClusterRoles(t *testing.T) {
+	expected := map[string][]rbacv1.Subject{
+		"cluster-admin": {
+			{Kind: "User", Name: "user1"},
+			{Kind: "User", Name: "user3"},
+			{Kind: "Group", Name: "group1"},
+		},
+		"read-only": {
+			{Kind: "User", Name: "user1"},
+			{Kind: "ServiceAccount", Name: "service"},
+		},
+		"edit": {
+			{Kind: "Group", Name: "group1"},
+		},
+		"developer": {
+			{Kind: "User", Name: "user2"},
+			{Kind: "Group", Name: "group1"},
+		},
+		"deployer": {
+			{Kind: "ServiceAccount", Name: "system:serviceaccount:argocd:argo-operator"},
+		},
+	}
+
+	// Call the function to test
+	permissions := tenant.GetSubjectsByClusterRoles(nil)
+
+	if !reflect.DeepEqual(permissions, expected) {
+		t.Errorf("Expected %v, but got %v", expected, permissions)
+	}
+
+	// Ignore SubjectTypes (Ignores ServiceAccounts)
+	ignored := tenant.GetSubjectsByClusterRoles([]OwnerKind{"ServiceAccount"})
+	expectedIgnored := map[string][]rbacv1.Subject{
+		"cluster-admin": {
+			{Kind: "User", Name: "user1"},
+			{Kind: "User", Name: "user3"},
+			{Kind: "Group", Name: "group1"},
+		},
+		"read-only": {
+			{Kind: "User", Name: "user1"},
+		},
+		"edit": {
+			{Kind: "Group", Name: "group1"},
+		},
+		"developer": {
+			{Kind: "User", Name: "user2"},
+			{Kind: "Group", Name: "group1"},
+		},
+	}
+
+	if !reflect.DeepEqual(ignored, expectedIgnored) {
+		t.Errorf("Expected %v, but got %v", expectedIgnored, ignored)
+	}
+
+}
+
+func TestGetClusterRolesBySubject(t *testing.T) {
+
+	expected := map[string]map[string]api.TenantSubjectRoles{
+		"User": {
+			"user1": {
+				ClusterRoles: []string{"cluster-admin", "read-only"},
+			},
+			"user2": {
+				ClusterRoles: []string{"developer"},
+			},
+			"user3": {
+				ClusterRoles: []string{"cluster-admin"},
+			},
+		},
+		"Group": {
+			"group1": {
+				ClusterRoles: []string{"edit", "developer", "cluster-admin"},
+			},
+		},
+		"ServiceAccount": {
+			"service": {
+				ClusterRoles: []string{"read-only"},
+			},
+			"system:serviceaccount:argocd:argo-operator": {
+				ClusterRoles: []string{"deployer"},
+			},
+		},
+	}
+
+	permissions := tenant.GetClusterRolesBySubject(nil)
+	if !reflect.DeepEqual(permissions, expected) {
+		t.Errorf("Expected %v, but got %v", expected, permissions)
+	}
+
+	delete(expected, "ServiceAccount")
+	ignored := tenant.GetClusterRolesBySubject([]OwnerKind{"ServiceAccount"})
+
+	if !reflect.DeepEqual(ignored, expected) {
+		t.Errorf("Expected %v, but got %v", expected, ignored)
+	}
+}
+
+// Helper function to run tests
+func TestMain(t *testing.M) {
+	t.Run()
+}
+
+// permissionsEqual checks the equality of two TenantPermission structs.
+func permissionsEqual(a, b api.TenantSubjectRoles) bool {
+	if a.Kind != b.Kind {
+		return false
+	}
+	if len(a.ClusterRoles) != len(b.ClusterRoles) {
+		return false
+	}
+
+	// Create a map to count occurrences of cluster roles
+	counts := make(map[string]int)
+	for _, role := range a.ClusterRoles {
+		counts[role]++
+	}
+	for _, role := range b.ClusterRoles {
+		counts[role]--
+		if counts[role] < 0 {
+			return false // More occurrences in b than in a
+		}
+	}
+	return true
+}

api/v1beta2/tenant_types.go

@@ -43,17 +43,28 @@ type TenantSpec struct {
 	// Specifies the allowed RuntimeClasses assigned to the Tenant.
 	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
 	// Optional.
-	RuntimeClasses *api.SelectorAllowedListSpec `json:"runtimeClasses,omitempty"`
+	RuntimeClasses *api.DefaultAllowedListSpec `json:"runtimeClasses,omitempty"`
 	// Specifies the allowed priorityClasses assigned to the Tenant.
 	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses.
 	// A default value can be specified, and all the Pod resources created will inherit the declared class.
 	// Optional.
 	PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
 	// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
+	//+kubebuilder:default:=false
 	Cordoned bool `json:"cordoned,omitempty"`
 	// Prevent accidental deletion of the Tenant.
 	// When enabled, the deletion request will be declined.
+	//+kubebuilder:default:=false
 	PreventDeletion bool `json:"preventDeletion,omitempty"`
+	// Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
+	// When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
+	// separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
+	// this is useful to avoid Namespace name collision.
+	// When set to 'false', it allows Namespaces created for this Tenant to be named anything.
+	// Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
+	// If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
+	// Optional
+	ForceTenantPrefix *bool `json:"forceTenantPrefix,omitempty"`
 }
 
 // +kubebuilder:object:root=true

api/v1beta2/zz_generated.deepcopy.go

@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 // Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
@@ -756,7 +755,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 	}
 	if in.RuntimeClasses != nil {
 		in, out := &in.RuntimeClasses, &out.RuntimeClasses
-		*out = new(api.SelectorAllowedListSpec)
+		*out = new(api.DefaultAllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.PriorityClasses != nil {
@@ -764,6 +763,11 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
 		*out = new(api.DefaultAllowedListSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.ForceTenantPrefix != nil {
+		in, out := &in.ForceTenantPrefix, &out.ForceTenantPrefix
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.

assets/logo/capsule.svg

@@ -1,101 +1,13 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="Livello_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 595.28 841.89" style="enable-background:new 0 0 595.28 841.89;" xml:space="preserve">
-<style type="text/css">
-	.st0{fill:#274872;}
-	.st1{fill:#314A70;}
-	.st2{fill:#5783AB;}
-	.st3{fill:#EAECEC;}
-</style>
-<path class="st0" d="M243.53,178.65c-0.06-4.5-0.37-9.02,0-13.49c0.1-1.22,2.13-3.09,3.45-3.25c6.99-0.88,14.03-1.47,21.07-1.8
-	c2.43-0.12,3.48-1.05,4.29-3.12c2-5.14,4.08-10.25,6.32-15.29c0.86-1.93,0.56-2.83-1.2-4.09c-4.42-3.15-4.97-8.41-1.6-12.08
-	c3.7-4.04,8.88-4.09,12.65-0.12c3.5,3.68,3.07,8.88-1.39,12.08c-1.93,1.39-2.08,2.44-1.22,4.44c2.19,5.06,3.96,10.31,6.33,15.27
-	c0.65,1.37,2.73,2.73,4.28,2.89c7.57,0.77,15.19,1.17,22.79,1.64c2.69,0.16,4.13,1.28,4.21,4.15c0.1,3.95,0.43,7.89,0.66,11.84
-	c-1.51,0.05-3.03,0.22-4.53,0.13c-12.54-0.76-37.47-2.65-37.47-2.65S254.81,177.52,243.53,178.65z"/>
-<g>
-	<path class="st1" d="M73.32,483.91c-5.2-2.69-9.26-6.43-12.18-11.22c-2.92-4.78-4.38-10.21-4.38-16.28c0-6.07,1.46-11.5,4.38-16.28
-		c2.92-4.78,6.98-8.52,12.18-11.22c5.2-2.69,11.06-4.04,17.59-4.04c6.45,0,12.09,1.35,16.91,4.04c4.82,2.7,8.33,6.55,10.53,11.56
-		l-13.78,7.4c-3.19-5.62-7.78-8.43-13.78-8.43c-4.63,0-8.47,1.52-11.5,4.55c-3.04,3.04-4.55,7.17-4.55,12.41
-		c0,5.24,1.52,9.38,4.55,12.41c3.04,3.04,6.87,4.55,11.5,4.55c6.07,0,10.66-2.81,13.78-8.43l13.78,7.52
-		c-2.2,4.86-5.71,8.65-10.53,11.39c-4.82,2.73-10.46,4.1-16.91,4.1C84.38,487.95,78.52,486.6,73.32,483.91z"/>
-	<path class="st1" d="M175.17,431.64c5.08,4.52,7.63,11.33,7.63,20.44v34.96h-16.62v-7.63c-3.34,5.69-9.56,8.54-18.67,8.54
-		c-4.71,0-8.79-0.8-12.24-2.39c-3.46-1.59-6.09-3.79-7.91-6.6c-1.82-2.81-2.73-6-2.73-9.56c0-5.69,2.14-10.17,6.43-13.44
-		c4.29-3.26,10.91-4.9,19.87-4.9h14.12c0-3.87-1.18-6.85-3.53-8.94c-2.35-2.09-5.88-3.13-10.59-3.13c-3.26,0-6.47,0.51-9.62,1.54
-		c-3.15,1.03-5.83,2.41-8.03,4.16l-6.38-12.41c3.34-2.35,7.34-4.17,12.01-5.47c4.67-1.29,9.47-1.94,14.4-1.94
-		C162.8,424.87,170.08,427.13,175.17,431.64z M160.03,473.89c2.35-1.4,4.02-3.47,5.01-6.21v-6.26h-12.18
-		c-7.29,0-10.93,2.39-10.93,7.17c0,2.28,0.89,4.08,2.68,5.41c1.78,1.33,4.23,1.99,7.34,1.99
-		C154.98,475.99,157.67,475.29,160.03,473.89z"/>
-	<path class="st1" d="M250.6,428.8c4.67,2.62,8.33,6.3,10.99,11.04c2.66,4.75,3.99,10.27,3.99,16.57s-1.33,11.82-3.99,16.57
-		c-2.66,4.75-6.32,8.43-10.99,11.04s-9.85,3.93-15.54,3.93c-7.82,0-13.97-2.47-18.45-7.4v28.58h-17.76v-83.35h16.97v7.06
-		c4.4-5.31,10.82-7.97,19.24-7.97C240.76,424.87,245.94,426.18,250.6,428.8z M243.2,468.76c2.92-3.07,4.38-7.19,4.38-12.35
-		s-1.46-9.28-4.38-12.35c-2.92-3.07-6.66-4.61-11.22-4.61s-8.29,1.54-11.22,4.61c-2.92,3.07-4.38,7.19-4.38,12.35
-		s1.46,9.28,4.38,12.35c2.92,3.07,6.66,4.61,11.22,4.61S240.28,471.84,243.2,468.76z"/>
-	<path class="st1" d="M283.11,486.07c-4.86-1.25-8.73-2.83-11.61-4.73l5.92-12.75c2.73,1.75,6.03,3.17,9.91,4.27
-		c3.87,1.1,7.67,1.65,11.39,1.65c7.51,0,11.27-1.86,11.27-5.58c0-1.75-1.03-3-3.07-3.76c-2.05-0.76-5.2-1.4-9.45-1.94
-		c-5.01-0.76-9.15-1.63-12.41-2.62c-3.26-0.99-6.09-2.73-8.48-5.24s-3.59-6.07-3.59-10.7c0-3.87,1.12-7.3,3.36-10.3
-		c2.24-3,5.5-5.33,9.79-7c4.29-1.67,9.35-2.5,15.2-2.5c4.33,0,8.63,0.48,12.92,1.42c4.29,0.95,7.84,2.26,10.65,3.93l-5.92,12.64
-		c-5.39-3.04-11.27-4.55-17.65-4.55c-3.8,0-6.64,0.53-8.54,1.59c-1.9,1.06-2.85,2.43-2.85,4.1c0,1.9,1.02,3.23,3.07,3.99
-		c2.05,0.76,5.31,1.48,9.79,2.16c5.01,0.84,9.11,1.73,12.3,2.68c3.19,0.95,5.96,2.68,8.31,5.18c2.35,2.5,3.53,6,3.53,10.48
-		c0,3.8-1.14,7.17-3.42,10.13c-2.28,2.96-5.6,5.26-9.96,6.89c-4.37,1.63-9.55,2.45-15.54,2.45
-		C292.94,487.95,287.97,487.32,283.11,486.07z"/>
-	<path class="st1" d="M399.59,425.78v61.26h-16.85v-7.29c-2.35,2.66-5.16,4.69-8.43,6.09c-3.26,1.4-6.79,2.11-10.59,2.11
-		c-8.05,0-14.42-2.31-19.13-6.95c-4.71-4.63-7.06-11.5-7.06-20.61v-34.61h17.76v32c0,9.87,4.14,14.8,12.41,14.8
-		c4.25,0,7.67-1.38,10.25-4.16c2.58-2.77,3.87-6.89,3.87-12.35v-30.29H399.59z"/>
-	<path class="st1" d="M416.1,402.55h17.76v84.49H416.1V402.55z"/>
-	<path class="st1" d="M510.04,461.42H463.7c0.83,3.8,2.81,6.79,5.92,9c3.11,2.2,6.98,3.3,11.61,3.3c3.19,0,6.01-0.47,8.48-1.42
-		c2.47-0.95,4.76-2.45,6.89-4.5l9.45,10.25c-5.77,6.6-14.2,9.91-25.28,9.91c-6.91,0-13.02-1.35-18.33-4.04
-		c-5.31-2.69-9.41-6.43-12.3-11.22c-2.89-4.78-4.33-10.21-4.33-16.28c0-6,1.42-11.4,4.27-16.23c2.85-4.82,6.76-8.58,11.73-11.27
-		c4.97-2.69,10.53-4.04,16.68-4.04c6,0,11.42,1.29,16.28,3.87c4.86,2.58,8.67,6.28,11.44,11.1c2.77,4.82,4.16,10.42,4.16,16.79
-		C510.38,456.86,510.27,458.46,510.04,461.42z M468.48,441.72c-2.73,2.28-4.4,5.39-5.01,9.34h30.17c-0.61-3.87-2.28-6.96-5.01-9.28
-		c-2.73-2.31-6.07-3.47-10.02-3.47C474.59,438.3,471.21,439.44,468.48,441.72z"/>
-</g>
-<g>
-	<g>
-		<path class="st2" d="M144.97,316.25c2.88-4.14,5.7-8.31,8.68-12.38c0.84-1.14,2.13-1.94,3.22-2.9c8.67,2.77,17.24,5.98,26.06,8.18
-			c7.28,1.81,7.49,1.33,11.08-5.55c9.52-18.28,18.99-36.58,28.42-54.91c3.55-6.9,7.04-13.85,10.34-20.87c1.87-3.99,1-5.28-3.27-5.1
-			c-5.07,0.21-10.13,0.68-15.19,1.04c1.72-2.35,3.24-4.87,5.2-7.01c4.47-4.88,9.14-9.57,13.74-14.34c1.84-0.03,3.68,0.02,5.52-0.1
-			c14.62-1.03,29.24-2.1,43.86-3.16c-0.08,0.84-0.24,1.68-0.24,2.52c0.01,48.41,0.03,96.83,0.05,145.24
-			c-15.73,0.85-30.48,0.97-47.48-0.65c-16.01-1.04-30.66-3.54-46.6-5.49c-13.64-1.67-26.85-5.2-39.21-11.4
-			c-4.77-2.4-5.86-5.41-4.24-10.45C145.16,318.1,144.96,317.14,144.97,316.25z"/>
-		<path class="st3" d="M282.42,346.9c-0.02-48.41-0.04-96.83-0.05-145.24c0-0.84,0.05-1.64,0.04-2.48
-			c5.63,0.1,11.47-0.06,17.08,0.32c11.35,0.78,22.67,1.83,34.01,2.77c2.69,3.09,5.47,6.1,8.05,9.28c3.38,4.17,6.61,8.47,9.9,12.71
-			c-6.04-0.52-12.07-1.2-18.13-1.49c-4.12-0.2-4.91,1.24-3.08,4.81c9.87,19.27,19.73,38.54,29.65,57.78
-			c4.02,7.79,8.22,15.49,12.24,23.29c1.46,2.83,3.6,3.9,6.61,3.17c11.52-2.81,23.03-5.68,34.54-8.52c1.8,3.04,3.52,6.13,5.42,9.1
-			c0.89,1.39,2.13,2.56,3.21,3.83c0,0.56-0.19,1.22,0.04,1.66c3.28,6.31-0.16,9.95-5.82,12.53c-14.18,6.44-29.11,9.85-44.52,11.41
-			c-12.89,1.31-25.79,2.51-38.68,3.77c-6.24,0.61-12.47,1.45-18.72,1.79c-4.58,0.24-9.2-0.17-13.81-0.3
-			c-5.95-0.04-11.9-0.08-17.85-0.12L282.42,346.9z"/>
-		<path class="st2" d="M413.28,303.3c-11.51,2.84-23.02,5.71-34.54,8.52c-3.01,0.74-5.15-0.34-6.61-3.17
-			c-4.02-7.79-8.22-15.49-12.24-23.29c-9.92-19.24-19.79-38.51-29.65-57.78c-1.83-3.57-1.04-5.01,3.08-4.81
-			c6.05,0.29,12.09,0.97,18.13,1.49c1.89,0.4,2.54,0.15,5.06,3.74c17.1,24.41,37.01,47.73,54.85,71.62
-			C412.17,300.72,412.64,302.07,413.28,303.3z"/>
-		<path class="st3" d="M155.06,302.38c11.51,2.84,22.26,5.47,33.78,8.28c3.01,0.74,5.15-0.34,6.61-3.17
-			c4.02-7.79,8.22-15.49,12.24-23.29c9.92-19.24,17.3-37.26,26.37-56.7c1.83-3.57,0.68-4.95-3.44-4.75
-			c-6.05,0.29-10.08,0.42-16.13,0.94c-2.11,1.25-2.46,1.66-3.84,3.47c-18.01,23.75-35.83,47.64-53.67,71.53
-			C156.18,299.79,155.7,301.14,155.06,302.38z"/>
-		<path class="st0" d="M421.92,316.24c0,0.56-0.19,1.22,0.04,1.66c3.28,6.31-0.16,9.95-5.82,12.53
-			c-14.18,6.44-29.11,9.85-44.52,11.41c-12.89,1.31-25.79,2.51-38.68,3.77c-6.24,0.61-12.94,1.22-18.94,1.29
-			c-4.59,0.05-8.98,0.32-13.59,0.2c-5.95-0.04-11.9-0.08-17.85-0.12c0,0-0.12-0.08-0.12-0.08c-15.36,0.35-28.73,0.35-46.17-1.19
-			c-15.98-1.41-31.97-2.99-47.91-4.95c-13.64-1.67-26.85-5.2-39.21-11.4c-4.77-2.4-5.86-5.41-4.24-10.45
-			c0.26-0.81,0.06-1.77,0.07-2.66c-6.55,2.47-11.33,6.45-12.86,13.75c-1.74,8.28,0.69,15.31,5.77,21.67
-			c1.43,1.79,2.4,3.22,0.07,5.22c-0.71,0.61-0.81,3.27-0.15,3.89c6.36,6.04,13.89,10.11,22.37,12.36c2.35,0.62,4.12,0.02,4.62-2.85
-			c0.11-0.64,1.63-1.63,2.27-1.49c8.66,1.96,17.26,4.13,25.91,6.14c1.98,0.46,2.73,1,1.52,3.01c-1.45,2.4-0.41,3.92,2,4.93
-			c8.64,3.63,17.82,3.98,26.97,4.34c2.18,0.08,4.54-0.9,3.51-3.88c-1.11-3.22,0.45-3.2,2.83-2.99c8.57,0.73,17.14,1.44,25.72,1.95
-			c3.13,0.19,3.98,1.04,2.41,3.98c-1.6,2.98-0.26,4.76,2.9,4.77c14.82,0.08,29.65,0.17,44.46-0.08c4.59-0.08,5.1-1.29,3.36-5.63
-			c-0.84-2.1-0.97-2.87,1.76-3.02c9.16-0.52,18.32-1.21,27.45-2.12c2.5-0.25,3.06,0.34,2.55,2.56c-0.53,2.31,0.05,4.05,2.72,4.11
-			c9.52,0.21,18.91-0.53,27.82-4.34c1.95-0.83,3.09-2.06,1.71-4.23c-1.72-2.71-0.09-3.15,2.17-3.67c8.24-1.87,16.46-3.83,24.64-5.93
-			c1.82-0.47,3-0.77,3.21,1.6c0.26,2.99,2.1,3.32,4.53,2.61c8.11-2.36,15.55-5.98,21.6-11.99c0.69-0.69,1.03-2.99,0.55-3.39
-			c-3.18-2.71-1.41-4.64,0.51-6.95C437.87,340.92,439.33,322.67,421.92,316.24z"/>
-	</g>
-</g>
-<path class="st3" d="M324.35,192.94c-6.72-0.27-13.4-0.35-20.23-0.52c-7.13-0.17-18.9-0.51-18.9-0.51s-1.27,0.04-2.44,0
-	c0,0-0.63-0.01-0.63,0.18c-0.01-5.67,0.01-11.83,0-17.5c12.58,0.95,24.65,1.94,37.19,2.72c1.5,0.09,3.29-0.07,4.8-0.12
-	C324.19,182.43,324.33,187.69,324.35,192.94z"/>
-<path class="st2" d="M243.35,193.45c6.72-0.27,10.02-0.35,16.86-0.52c7.13-0.17,18.9-0.51,18.9-0.51s1.27,0.04,2.44,0
-	c0,0,0.63-0.53,0.63-0.34c0.01-5.67-0.01-11.83,0-17.5c-12.58,0.95-21.28,1.94-33.82,2.72c-1.5,0.09-3.29-0.07-4.8-0.12
-	C243.51,182.43,243.38,188.21,243.35,193.45z"/>
-<path class="st0" d="M327.57,193.15c-1.31-0.1-2.62-0.17-3.93-0.26c-13.33-0.32-26.66-0.63-39.99-0.95v0c-0.03,0-0.06,0-0.1,0
-	c-0.03,0-0.06,0-0.1,0v0c-13.33,0.32-26.66,0.63-39.99,0.95c-1.31,0.08-2.62,0.15-3.93,0.26c-6.26,0.5-6.88,1.16-6.73,7.17
-	c0.02,0.7,0.18,1.39,0.27,2.09c1.91-0.03,3.82,0.02,5.72-0.1c14.92-1.02,28.65-2.07,43.57-3.11c14.92,1.04,31.01,2.1,45.93,3.11
-	c1.9,0.13,3.81,0.07,5.72,0.1c0.09-0.7,0.25-1.39,0.27-2.09C334.45,194.31,333.82,193.65,327.57,193.15z"/>
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" id="Livello_1" x="0" y="0" version="1.1" viewBox="36.76 68.993 493.611 493.611">
+  <style>.st0{fill:#274872}.st2{fill:#5783ab}.st3{fill:#eaecec}</style>
+  <path d="M243.53 178.65c-.06-4.5-.37-9.02 0-13.49.1-1.22 2.13-3.09 3.45-3.25 6.99-.88 14.03-1.47 21.07-1.8 2.43-.12 3.48-1.05 4.29-3.12 2-5.14 4.08-10.25 6.32-15.29.86-1.93.56-2.83-1.2-4.09-4.42-3.15-4.97-8.41-1.6-12.08 3.7-4.04 8.88-4.09 12.65-.12 3.5 3.68 3.07 8.88-1.39 12.08-1.93 1.39-2.08 2.44-1.22 4.44 2.19 5.06 3.96 10.31 6.33 15.27.65 1.37 2.73 2.73 4.28 2.89 7.57.77 15.19 1.17 22.79 1.64 2.69.16 4.13 1.28 4.21 4.15.1 3.95.43 7.89.66 11.84-1.51.05-3.03.22-4.53.13-12.54-.76-37.47-2.65-37.47-2.65s-27.36 2.32-38.64 3.45z" class="st0"/>
+  <path fill="#314a70" d="M73.32 483.91c-5.2-2.69-9.26-6.43-12.18-11.22-2.92-4.78-4.38-10.21-4.38-16.28s1.46-11.5 4.38-16.28c2.92-4.78 6.98-8.52 12.18-11.22 5.2-2.69 11.06-4.04 17.59-4.04 6.45 0 12.09 1.35 16.91 4.04 4.82 2.7 8.33 6.55 10.53 11.56l-13.78 7.4c-3.19-5.62-7.78-8.43-13.78-8.43-4.63 0-8.47 1.52-11.5 4.55-3.04 3.04-4.55 7.17-4.55 12.41s1.52 9.38 4.55 12.41c3.04 3.04 6.87 4.55 11.5 4.55 6.07 0 10.66-2.81 13.78-8.43l13.78 7.52c-2.2 4.86-5.71 8.65-10.53 11.39-4.82 2.73-10.46 4.1-16.91 4.1-6.53.01-12.39-1.34-17.59-4.03zm101.85-52.27c5.08 4.52 7.63 11.33 7.63 20.44v34.96h-16.62v-7.63c-3.34 5.69-9.56 8.54-18.67 8.54-4.71 0-8.79-.8-12.24-2.39-3.46-1.59-6.09-3.79-7.91-6.6-1.82-2.81-2.73-6-2.73-9.56 0-5.69 2.14-10.17 6.43-13.44 4.29-3.26 10.91-4.9 19.87-4.9h14.12c0-3.87-1.18-6.85-3.53-8.94-2.35-2.09-5.88-3.13-10.59-3.13-3.26 0-6.47.51-9.62 1.54-3.15 1.03-5.83 2.41-8.03 4.16l-6.38-12.41c3.34-2.35 7.34-4.17 12.01-5.47 4.67-1.29 9.47-1.94 14.4-1.94 9.49 0 16.77 2.26 21.86 6.77zm-15.14 42.25c2.35-1.4 4.02-3.47 5.01-6.21v-6.26h-12.18c-7.29 0-10.93 2.39-10.93 7.17 0 2.28.89 4.08 2.68 5.41 1.78 1.33 4.23 1.99 7.34 1.99 3.03 0 5.72-.7 8.08-2.1zm90.57-45.09c4.67 2.62 8.33 6.3 10.99 11.04 2.66 4.75 3.99 10.27 3.99 16.57s-1.33 11.82-3.99 16.57-6.32 8.43-10.99 11.04-9.85 3.93-15.54 3.93c-7.82 0-13.97-2.47-18.45-7.4v28.58h-17.76v-83.35h16.97v7.06c4.4-5.31 10.82-7.97 19.24-7.97 5.7 0 10.88 1.31 15.54 3.93zm-7.4 39.96c2.92-3.07 4.38-7.19 4.38-12.35s-1.46-9.28-4.38-12.35c-2.92-3.07-6.66-4.61-11.22-4.61s-8.29 1.54-11.22 4.61c-2.92 3.07-4.38 7.19-4.38 12.35s1.46 9.28 4.38 12.35c2.92 3.07 6.66 4.61 11.22 4.61s8.3-1.53 11.22-4.61zm39.91 17.31c-4.86-1.25-8.73-2.83-11.61-4.73l5.92-12.75c2.73 1.75 6.03 3.17 9.91 4.27 3.87 1.1 7.67 1.65 11.39 1.65 7.51 0 11.27-1.86 11.27-5.58 0-1.75-1.03-3-3.07-3.76-2.05-.76-5.2-1.4-9.45-1.94-5.01-.76-9.15-1.63-12.41-2.62-3.26-.99-6.09-2.73-8.48-5.24s-3.59-6.07-3.59-10.7c0-3.87 1.12-7.3 3.36-10.3 2.24-3 5.5-5.33 9.79-7 4.29-1.67 9.35-2.5 15.2-2.5 4.33 0 8.63.48 12.92 1.42 4.29.95 7.84 2.26 10.65 3.93l-5.92 12.64c-5.39-3.04-11.27-4.55-17.65-4.55-3.8 0-6.64.53-8.54 1.59-1.9 1.06-2.85 2.43-2.85 4.1 0 1.9 1.02 3.23 3.07 3.99 2.05.76 5.31 1.48 9.79 2.16 5.01.84 9.11 1.73 12.3 2.68 3.19.95 5.96 2.68 8.31 5.18 2.35 2.5 3.53 6 3.53 10.48 0 3.8-1.14 7.17-3.42 10.13-2.28 2.96-5.6 5.26-9.96 6.89-4.37 1.63-9.55 2.45-15.54 2.45-5.09-.01-10.06-.64-14.92-1.89zm116.48-60.29v61.26h-16.85v-7.29a23.4 23.4 0 0 1-8.43 6.09c-3.26 1.4-6.79 2.11-10.59 2.11-8.05 0-14.42-2.31-19.13-6.95-4.71-4.63-7.06-11.5-7.06-20.61v-34.61h17.76v32c0 9.87 4.14 14.8 12.41 14.8 4.25 0 7.67-1.38 10.25-4.16 2.58-2.77 3.87-6.89 3.87-12.35v-30.29h17.77zm16.51-23.23h17.76v84.49H416.1v-84.49zm93.94 58.87H463.7c.83 3.8 2.81 6.79 5.92 9 3.11 2.2 6.98 3.3 11.61 3.3 3.19 0 6.01-.47 8.48-1.42 2.47-.95 4.76-2.45 6.89-4.5l9.45 10.25c-5.77 6.6-14.2 9.91-25.28 9.91-6.91 0-13.02-1.35-18.33-4.04-5.31-2.69-9.41-6.43-12.3-11.22-2.89-4.78-4.33-10.21-4.33-16.28 0-6 1.42-11.4 4.27-16.23 2.85-4.82 6.76-8.58 11.73-11.27 4.97-2.69 10.53-4.04 16.68-4.04 6 0 11.42 1.29 16.28 3.87 4.86 2.58 8.67 6.28 11.44 11.1 2.77 4.82 4.16 10.42 4.16 16.79.01.22-.1 1.82-.33 4.78zm-41.56-19.7c-2.73 2.28-4.4 5.39-5.01 9.34h30.17c-.61-3.87-2.28-6.96-5.01-9.28-2.73-2.31-6.07-3.47-10.02-3.47-4.02-.01-7.4 1.13-10.13 3.41z"/>
+  <path d="M144.97 316.25c2.88-4.14 5.7-8.31 8.68-12.38.84-1.14 2.13-1.94 3.22-2.9 8.67 2.77 17.24 5.98 26.06 8.18 7.28 1.81 7.49 1.33 11.08-5.55 9.52-18.28 18.99-36.58 28.42-54.91 3.55-6.9 7.04-13.85 10.34-20.87 1.87-3.99 1-5.28-3.27-5.1-5.07.21-10.13.68-15.19 1.04 1.72-2.35 3.24-4.87 5.2-7.01 4.47-4.88 9.14-9.57 13.74-14.34 1.84-.03 3.68.02 5.52-.1 14.62-1.03 29.24-2.1 43.86-3.16-.08.84-.24 1.68-.24 2.52.01 48.41.03 96.83.05 145.24-15.73.85-30.48.97-47.48-.65-16.01-1.04-30.66-3.54-46.6-5.49-13.64-1.67-26.85-5.2-39.21-11.4-4.77-2.4-5.86-5.41-4.24-10.45.25-.82.05-1.78.06-2.67z" class="st2"/>
+  <path d="M282.42 346.9c-.02-48.41-.04-96.83-.05-145.24 0-.84.05-1.64.04-2.48 5.63.1 11.47-.06 17.08.32 11.35.78 22.67 1.83 34.01 2.77 2.69 3.09 5.47 6.1 8.05 9.28 3.38 4.17 6.61 8.47 9.9 12.71-6.04-.52-12.07-1.2-18.13-1.49-4.12-.2-4.91 1.24-3.08 4.81 9.87 19.27 19.73 38.54 29.65 57.78 4.02 7.79 8.22 15.49 12.24 23.29 1.46 2.83 3.6 3.9 6.61 3.17 11.52-2.81 23.03-5.68 34.54-8.52 1.8 3.04 3.52 6.13 5.42 9.1.89 1.39 2.13 2.56 3.21 3.83 0 .56-.19 1.22.04 1.66 3.28 6.31-.16 9.95-5.82 12.53-14.18 6.44-29.11 9.85-44.52 11.41-12.89 1.31-25.79 2.51-38.68 3.77-6.24.61-12.47 1.45-18.72 1.79-4.58.24-9.2-.17-13.81-.3l-17.85-.12-.13-.07z" class="st3"/>
+  <path d="M413.28 303.3c-11.51 2.84-23.02 5.71-34.54 8.52-3.01.74-5.15-.34-6.61-3.17-4.02-7.79-8.22-15.49-12.24-23.29-9.92-19.24-19.79-38.51-29.65-57.78-1.83-3.57-1.04-5.01 3.08-4.81 6.05.29 12.09.97 18.13 1.49 1.89.4 2.54.15 5.06 3.74 17.1 24.41 37.01 47.73 54.85 71.62.81 1.1 1.28 2.45 1.92 3.68z" class="st2"/>
+  <path d="M155.06 302.38c11.51 2.84 22.26 5.47 33.78 8.28 3.01.74 5.15-.34 6.61-3.17 4.02-7.79 8.22-15.49 12.24-23.29 9.92-19.24 17.3-37.26 26.37-56.7 1.83-3.57.68-4.95-3.44-4.75-6.05.29-10.08.42-16.13.94-2.11 1.25-2.46 1.66-3.84 3.47-18.01 23.75-35.83 47.64-53.67 71.53-.8 1.1-1.28 2.45-1.92 3.69z" class="st3"/>
+  <path d="M421.92 316.24c0 .56-.19 1.22.04 1.66 3.28 6.31-.16 9.95-5.82 12.53-14.18 6.44-29.11 9.85-44.52 11.41-12.89 1.31-25.79 2.51-38.68 3.77-6.24.61-12.94 1.22-18.94 1.29-4.59.05-8.98.32-13.59.2l-17.85-.12-.12-.08c-15.36.35-28.73.35-46.17-1.19-15.98-1.41-31.97-2.99-47.91-4.95-13.64-1.67-26.85-5.2-39.21-11.4-4.77-2.4-5.86-5.41-4.24-10.45.26-.81.06-1.77.07-2.66-6.55 2.47-11.33 6.45-12.86 13.75-1.74 8.28.69 15.31 5.77 21.67 1.43 1.79 2.4 3.22.07 5.22-.71.61-.81 3.27-.15 3.89 6.36 6.04 13.89 10.11 22.37 12.36 2.35.62 4.12.02 4.62-2.85.11-.64 1.63-1.63 2.27-1.49 8.66 1.96 17.26 4.13 25.91 6.14 1.98.46 2.73 1 1.52 3.01-1.45 2.4-.41 3.92 2 4.93 8.64 3.63 17.82 3.98 26.97 4.34 2.18.08 4.54-.9 3.51-3.88-1.11-3.22.45-3.2 2.83-2.99 8.57.73 17.14 1.44 25.72 1.95 3.13.19 3.98 1.04 2.41 3.98-1.6 2.98-.26 4.76 2.9 4.77 14.82.08 29.65.17 44.46-.08 4.59-.08 5.1-1.29 3.36-5.63-.84-2.1-.97-2.87 1.76-3.02 9.16-.52 18.32-1.21 27.45-2.12 2.5-.25 3.06.34 2.55 2.56-.53 2.31.05 4.05 2.72 4.11 9.52.21 18.91-.53 27.82-4.34 1.95-.83 3.09-2.06 1.71-4.23-1.72-2.71-.09-3.15 2.17-3.67 8.24-1.87 16.46-3.83 24.64-5.93 1.82-.47 3-.77 3.21 1.6.26 2.99 2.1 3.32 4.53 2.61 8.11-2.36 15.55-5.98 21.6-11.99.69-.69 1.03-2.99.55-3.39-3.18-2.71-1.41-4.64.51-6.95 7.99-9.66 9.45-27.91-7.96-34.34z" class="st0"/>
+  <path d="M324.35 192.94c-6.72-.27-13.4-.35-20.23-.52-7.13-.17-18.9-.51-18.9-.51s-1.27.04-2.44 0c0 0-.63-.01-.63.18-.01-5.67.01-11.83 0-17.5 12.58.95 24.65 1.94 37.19 2.72 1.5.09 3.29-.07 4.8-.12.05 5.24.19 10.5.21 15.75z" class="st3"/>
+  <path d="M243.35 193.45c6.72-.27 10.02-.35 16.86-.52 7.13-.17 18.9-.51 18.9-.51s1.27.04 2.44 0c0 0 .63-.53.63-.34.01-5.67-.01-11.83 0-17.5-12.58.95-21.28 1.94-33.82 2.72-1.5.09-3.29-.07-4.8-.12-.05 5.25-.18 11.03-.21 16.27z" class="st2"/>
+  <path d="M327.57 193.15c-1.31-.1-2.62-.17-3.93-.26-13.33-.32-26.66-.63-39.99-.95h-.2c-13.33.32-26.66.63-39.99.95-1.31.08-2.62.15-3.93.26-6.26.5-6.88 1.16-6.73 7.17.02.7.18 1.39.27 2.09 1.91-.03 3.82.02 5.72-.1 14.92-1.02 28.65-2.07 43.57-3.11 14.92 1.04 31.01 2.1 45.93 3.11 1.9.13 3.81.07 5.72.1.09-.7.25-1.39.27-2.09.17-6.01-.46-6.67-6.71-7.17z" class="st0"/>
 </svg>

charts/capsule/.helmignore

@@ -22,3 +22,4 @@
 *.tmproj
 .vscode/
 README.md.gotmpl
+artifacthub-repo.yml

charts/capsule/.schema.yaml

@@ -0,0 +1,4 @@
+input:
+  - values.yaml
+  - ci/test-values.yaml
+  - ci/proxy-values.yaml

charts/capsule/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: capsule-proxy
+  repository: oci://ghcr.io/projectcapsule/charts
+  version: 0.9.3
+digest: sha256:057afc3b971a7ffe5ada7d358d759ab3383ffca61aed07e224f3f6c4338568ee
+generated: "2025-04-26T05:29:13.486605681Z"

charts/capsule/Chart.yaml

@@ -4,6 +4,12 @@ description: A Helm chart to deploy the Capsule Operator for easily implementing
   managing, and maintaining mutitenancy and access control in Kubernetes.
 home: https://github.com/projectcapsule/capsule
 icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
+dependencies:
+  - name: capsule-proxy
+    version: 0.9.3
+    repository: "oci://ghcr.io/projectcapsule/charts"
+    condition: proxy.enabled
+    alias: proxy
 keywords:
 - kubernetes
 - operator
@@ -18,11 +24,10 @@ maintainers:
 name: capsule
 sources:
 - https://github.com/projectcapsule/capsule
-# The version is overwritten by the release workflow.
-version: 0.6.0
-# This is the version number of the application being deployed.
-# This version number should be incremented each time you make changes to the application.
-appVersion: 0.5.0
+# Note: The version is overwritten by the release workflow.
+version: 0.0.0
+# Note: The version is overwritten by the release workflow.
+appVersion: 0.0.0
 annotations:
   artifacthub.io/operator: "true"
   artifacthub.io/prerelease: "false"
@@ -33,9 +38,7 @@ annotations:
       email: cncf-capsule-maintainers@lists.cncf.io
   artifacthub.io/links: |
     - name: Documentation
-      url: https://capsule.clastix.io/
-# artifacthub.io/changes: |
-#   - kind: added
-#     description: artifacthub annotations
-#   - kind: changed
-#     description: maintainers contact
+      url: https://projectcapsule.dev/
+  artifacthub.io/changes: |
+    - kind: added
+      description: oci chart reference

charts/capsule/README.md

@@ -16,21 +16,41 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
 
 * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
 
-## Quick Start
+## Major Changes
 
+In the following sections you see actions which are required when you are upgrading to a specific version.
+
+### Upgrading to 0.7.x
+
+Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
+When you newly install the chart we recommend to set  `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
+
+#### Changed Values
+
+The following Values have changed key or Value:
+
+  * All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
+  * `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
+  * `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
+
+## Installation
+
+**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
+
+The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
 The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
 
 1. Add this repository:
 
         $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
-2. Install the Chart:
+2. Install Capsule:
 
-        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
 
         or
 
-        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0  -n capsule-system --create-namespace
 
 3. Show the status:
 
@@ -58,7 +78,7 @@ Specify your overrides file when you install the chart:
 
         $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
 
-The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
+The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
 
 If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
 
@@ -66,49 +86,79 @@ If you only need to make minor customizations, you can specify them on the comma
 
 Here the values you can override:
 
+### CustomResourceDefinition Lifecycle
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| crds.annnotations | object | `{}` | Extra Annotations for CRDs |
+| crds.exclusive | bool | `false` | Only install the CRDs, no other primitives |
+| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
+| crds.labels | object | `{}` | Extra Labels for CRDs |
+
+### Global Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.jobs.kubectl.affinity | object | `{}` | Set affinity rules |
+| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the certgen job. |
+| global.jobs.kubectl.backoffLimit | int | `4` | Backofflimit for jobs |
+| global.jobs.kubectl.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
+| global.jobs.kubectl.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
+| global.jobs.kubectl.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
+| global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
+| global.jobs.kubectl.imagePullSecrets | list | `[]` | ImagePullSecrets |
+| global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
+| global.jobs.kubectl.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
+| global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
+| global.jobs.kubectl.resources | object | `{}` | Job resources |
+| global.jobs.kubectl.restartPolicy | string | `"Never"` | Set the restartPolicy |
+| global.jobs.kubectl.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
+| global.jobs.kubectl.tolerations | list | `[]` | Set list of tolerations |
+| global.jobs.kubectl.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
+| global.jobs.kubectl.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
+
 ### General Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Set affinity rules for the Capsule pod |
+| certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate |
 | certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
 | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
 | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
 | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
-| jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
-| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
-| jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
-| jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
-| mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
+| jobs | object | `{}` | Deprecated, use .global.jobs.kubectl instead |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
 | podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
-| podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
+| ports | list | `[]` | Set additional ports for the deployment |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
+| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
-| serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
 | tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
 | tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
 | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
 | tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
 | topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
-| validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
 
 ### Manager Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode.  Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
+| manager.hostPID | bool | `false` | Specifies if the container should be started in hostPID mode. |
 | manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
 | manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
 | manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
 | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
-| manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups |
+| manager.options.capsuleConfiguration | string | `"default"` | Change the default name of the capsule configuration name |
+| manager.options.capsuleUserGroups | list | `["projectcapsule.dev"]` | Override the Capsule user groups |
 | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
 | manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
 | manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 |
@@ -118,10 +168,10 @@ Here the values you can override:
 | manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.rbac.existingRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
-| manager.resources.limits.cpu | string | `"200m"` |  |
-| manager.resources.limits.memory | string | `"128Mi"` |  |
-| manager.resources.requests.cpu | string | `"200m"` |  |
-| manager.resources.requests.memory | string | `"128Mi"` |  |
+| manager.resources | object | `{}` | Set the resource requests/limits for the Capsule manager container |
+| manager.securityContext | object | `{}` | Set the securityContext for the Capsule container |
+| manager.volumeMounts | list | `[]` | Set the additional volumeMounts needed for the Capsule manager container |
+| manager.volumes | list | `[]` | Set the additional volumes needed for the Capsule manager container |
 | manager.webhookPort | int | `9443` | Set an alternative to the default container port.  Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |
 
 ### ServiceMonitor Parameters
@@ -139,42 +189,50 @@ Here the values you can override:
 | serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
 | serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
 
-### Webhook Parameters
+### Webhooks Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| webhooks.cordoning.failurePolicy | string | `"Fail"` |  |
-| webhooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.defaults.ingress.failurePolicy | string | `"Fail"` |  |
-| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.defaults.pods.failurePolicy | string | `"Fail"` |  |
-| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.defaults.pvc.failurePolicy | string | `"Fail"` |  |
-| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.ingresses.failurePolicy | string | `"Fail"` |  |
-| webhooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` |  |
-| webhooks.namespaces.failurePolicy | string | `"Fail"` |  |
-| webhooks.networkpolicies.failurePolicy | string | `"Fail"` |  |
-| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.nodes.failurePolicy | string | `"Fail"` |  |
-| webhooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` |  |
-| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.pods.failurePolicy | string | `"Fail"` |  |
-| webhooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.services.failurePolicy | string | `"Fail"` |  |
-| webhooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
-| webhooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
-| webhooks.tenantResourceObjects.failurePolicy | string | `"Fail"` |  |
-| webhooks.tenants.failurePolicy | string | `"Fail"` |  |
+| webhooks.exclusive | bool | `false` | When `crds.exclusive` is `true` the webhooks will be installed |
+| webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.defaults.ingress.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.defaults.pods.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.defaults.pvc.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.ingresses.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.nodes.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.pods.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.services.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` |  |
+| webhooks.hooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` |  |
+| webhooks.hooks.tenantResourceObjects.failurePolicy | string | `"Fail"` |  |
+| webhooks.hooks.tenants.failurePolicy | string | `"Fail"` |  |
+| webhooks.mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
+| webhooks.service.caBundle | string | `""` | CABundle for the webhook service |
+| webhooks.service.name | string | `""` | Custom service name for the webhook service |
+| webhooks.service.namespace | string | `""` | Custom service namespace for the webhook service |
+| webhooks.service.port | string | `nil` | Custom service port for the webhook service |
+| webhooks.service.url | string | `""` | The URL where the capsule webhook services are running (Overwrites cluster scoped service definition) |
+| webhooks.validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
 
 ## Created resources
 

charts/capsule/README.md.gotmpl

@@ -16,21 +16,42 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
 
 * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
 
-## Quick Start
+## Major Changes
 
+In the following sections you see actions which are required when you are upgrading to a specific version.
+
+### Upgrading to 0.7.x
+
+Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
+When you newly install the chart we recommend to set  `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
+
+#### Changed Values
+
+The following Values have changed key or Value:
+
+  * All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
+  * `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
+  * `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
+
+
+## Installation
+
+**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
+
+The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
 The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
 
 1. Add this repository:
 
         $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
-2. Install the Chart:
+2. Install Capsule:
 
-        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
 
         or
 
-        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0  -n capsule-system --create-namespace
 
 3. Show the status:
 
@@ -58,7 +79,7 @@ Specify your overrides file when you install the chart:
 
         $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
 
-The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
+The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
 
 If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
 
@@ -66,13 +87,32 @@ If you only need to make minor customizations, you can specify them on the comma
 
 Here the values you can override:
 
+### CustomResourceDefinition Lifecycle
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if (hasPrefix "crds" .Key)  }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
+### Global Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if (hasPrefix "global" .Key)  }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
 
 ### General Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
+  {{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
   {{- end }}
 {{- end }}
@@ -97,7 +137,7 @@ Here the values you can override:
   {{- end }}
 {{- end }}
 
-### Webhook Parameters
+### Webhooks Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|

charts/capsule/artifacthub-repo.yml

@@ -0,0 +1,4 @@
+repositoryID: 783775bb-96c2-4915-8c7d-ba4a1118323c
+owners:
+  - name: capsule-maintainers
+    email: cncf-capsule-maintainers@lists.cncf.io

charts/capsule/ci/proxy-values.yaml

@@ -0,0 +1,7 @@
+proxy:
+  enabled: true
+manager:
+  resources:
+    requests:
+      cpu: 200m
+      memory: 128Mi

charts/capsule/ci/test-values.yaml

@@ -1,16 +1,12 @@
 fullnameOverride: capsule
 manager:
-    # Manager RBAC
+  resources:
+    requests:
+      cpu: 200m
+      memory: 128Mi
   rbac:
     create: true
     existingClusterRoles:
     - "view"
     existingRoles:
     - "some-role"
-  resources:
-    limits:
-      cpu: 500m
-      memory: 512Mi
-    requests:
-      cpu: 200m
-      memory: 128Mi

charts/capsule/ci/tracing-draft.yaml

@@ -0,0 +1,38 @@
+# Custome values for capsule tracing.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+manager:
+  image:
+    registry: ghcr.io
+    repository: projectcapsule/capsule
+    pullPolicy: Never
+    tag: tracing
+  hostNetwork: true
+  hostPID: true
+  volumes:
+    - name: debugfs
+      hostPath:
+        path: /sys/kernel/debug
+        type: Directory
+    - name: data
+      hostPath:
+        path: /tmp/results
+        type: Directory
+  volumeMounts:
+    - name: debugfs
+      mountPath: /sys/kernel/debug
+    - mountPath: /tmp/results
+      name: data
+  securityContext:
+    capabilities:
+      add:
+      - SYS_ADMIN
+      - NET_ADMIN
+      - PERFOM
+    privileged: true
+podSecurityContext:
+  seccompProfile:
+    type: "Unconfined"
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0

charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch

@@ -0,0 +1,14 @@
+metadata:
+  annotations:
+  {{- if $.Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert
+  {{-  end }}
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        {{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
+      conversionReviewVersions:
+        - v1beta1
+        - v1beta2

charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.17.3
   name: capsuleconfigurations.capsule.clastix.io
 spec:
   group: capsule.clastix.io
@@ -22,14 +21,19 @@ spec:
           API.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -38,23 +42,20 @@ spec:
             properties:
               enableTLSReconciler:
                 default: true
-                description: Toggles the TLS reconciler, the controller that is able
-                  to generate CA and certificates for the webhooks when not using
-                  an already provided CA and certificate, or when these are managed
-                  externally with Vault, or cert-manager.
+                description: |-
+                  Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
+                  when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
                 type: boolean
               forceTenantPrefix:
                 default: false
-                description: Enforces the Tenant owner, during Namespace creation,
-                  to name it using the selected Tenant name as prefix, separated by
-                  a dash. This is useful to avoid Namespace name collision in a public
-                  CaaS environment.
+                description: |-
+                  Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
+                  separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
                 type: boolean
               nodeMetadata:
-                description: Allows to set the forbidden metadata for the worker nodes
-                  that could be patched by a Tenant. This applies only if the Tenant
-                  has an active NodeSelector, and the Owner have right to patch their
-                  nodes.
+                description: |-
+                  Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
+                  This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
                 properties:
                   forbiddenAnnotations:
                     description: Define the annotations that a Tenant Owner cannot
@@ -87,15 +88,15 @@ spec:
                   TLSSecretName: capsule-tls
                   mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
                   validatingWebhookConfigurationName: capsule-validating-webhook-configuration
-                description: Allows to set different name rather than the canonical
-                  one for the Capsule configuration objects, such as webhook secret
-                  or configurations.
+                description: |-
+                  Allows to set different name rather than the canonical one for the Capsule configuration objects,
+                  such as webhook secret or configurations.
                 properties:
                   TLSSecretName:
                     default: capsule-tls
-                    description: Defines the Secret name used for the webhook server.
-                      Must be in the same Namespace where the Capsule Deployment is
-                      deployed.
+                    description: |-
+                      Defines the Secret name used for the webhook server.
+                      Must be in the same Namespace where the Capsule Deployment is deployed.
                     type: string
                   mutatingWebhookConfigurationName:
                     default: capsule-mutating-webhook-configuration

charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.17.3
   name: globaltenantresources.capsule.clastix.io
 spec:
   group: capsule.clastix.io
@@ -22,14 +21,19 @@ spec:
           to a specific subset of Tenant resources.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -38,10 +42,9 @@ spec:
             properties:
               pruningOnDelete:
                 default: true
-                description: When the replicated resource manifest is deleted, all
-                  the objects replicated so far will be automatically deleted. Disable
-                  this to keep replicated resources although the deletion of the replication
-                  manifest.
+                description: |-
+                  When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
+                  Disable this to keep replicated resources although the deletion of the replication manifest.
                 type: boolean
               resources:
                 description: Defines the rules to select targeting Namespace, along
@@ -49,9 +52,9 @@ spec:
                 items:
                   properties:
                     additionalMetadata:
-                      description: Besides the Capsule metadata required by TenantResource
-                        controller, defines additional metadata that must be added
-                        to the replicated resources.
+                      description: |-
+                        Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
+                        added to the replicated resources.
                       properties:
                         annotations:
                           additionalProperties:
@@ -63,49 +66,50 @@ spec:
                           type: object
                       type: object
                     namespaceSelector:
-                      description: Defines the Namespace selector to select the Tenant
-                        Namespaces on which the resources must be propagated. In case
-                        of nil value, all the Tenant Namespaces are targeted.
+                      description: |-
+                        Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
+                        In case of nil value, all the Tenant Namespaces are targeted.
                       properties:
                         matchExpressions:
                           description: matchExpressions is a list of label selector
                             requirements. The requirements are ANDed.
                           items:
-                            description: A label selector requirement is a selector
-                              that contains values, a key, and an operator that relates
-                              the key and values.
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
                             properties:
                               key:
                                 description: key is the label key that the selector
                                   applies to.
                                 type: string
                               operator:
-                                description: operator represents a key's relationship
-                                  to a set of values. Valid operators are In, NotIn,
-                                  Exists and DoesNotExist.
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                 type: string
                               values:
-                                description: values is an array of string values.
-                                  If the operator is In or NotIn, the values array
-                                  must be non-empty. If the operator is Exists or
-                                  DoesNotExist, the values array must be empty. This
-                                  array is replaced during a strategic merge patch.
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             required:
                             - key
                             - operator
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: matchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                       x-kubernetes-map-type: atomic
@@ -118,10 +122,14 @@ spec:
                             description: API version of the referent.
                             type: string
                           kind:
-                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                             type: string
                           namespace:
-                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                             type: string
                           selector:
                             description: Label selector used to select the given resources
@@ -131,8 +139,8 @@ spec:
                                 description: matchExpressions is a list of label selector
                                   requirements. The requirements are ANDed.
                                 items:
-                                  description: A label selector requirement is a selector
-                                    that contains values, a key, and an operator that
+                                  description: |-
+                                    A label selector requirement is a selector that contains values, a key, and an operator that
                                     relates the key and values.
                                   properties:
                                     key:
@@ -140,33 +148,33 @@ spec:
                                         applies to.
                                       type: string
                                     operator:
-                                      description: operator represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists and DoesNotExist.
+                                      description: |-
+                                        operator represents a key's relationship to a set of values.
+                                        Valid operators are In, NotIn, Exists and DoesNotExist.
                                       type: string
                                     values:
-                                      description: values is an array of string values.
-                                        If the operator is In or NotIn, the values
-                                        array must be non-empty. If the operator is
-                                        Exists or DoesNotExist, the values array must
-                                        be empty. This array is replaced during a
-                                        strategic merge patch.
+                                      description: |-
+                                        values is an array of string values. If the operator is In or NotIn,
+                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                        the values array must be empty. This array is replaced during a strategic
+                                        merge patch.
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                   - key
                                   - operator
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               matchLabels:
                                 additionalProperties:
                                   type: string
-                                description: matchLabels is a map of {key,value} pairs.
-                                  A single {key,value} in the matchLabels map is equivalent
-                                  to an element of matchExpressions, whose key field
-                                  is "key", the operator is "In", and the values array
-                                  contains only "value". The requirements are ANDed.
+                                description: |-
+                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
                                 type: object
                             type: object
                             x-kubernetes-map-type: atomic
@@ -187,9 +195,9 @@ spec:
                 type: array
               resyncPeriod:
                 default: 60s
-                description: Define the period of time upon a second reconciliation
-                  must be invoked. Keep in mind that any change to the manifests will
-                  trigger a new reconciliation.
+                description: |-
+                  Define the period of time upon a second reconciliation must be invoked.
+                  Keep in mind that any change to the manifests will trigger a new reconciliation.
                 type: string
               tenantSelector:
                 description: Defines the Tenant selector used target the tenants on
@@ -199,41 +207,42 @@ spec:
                     description: matchExpressions is a list of label selector requirements.
                       The requirements are ANDed.
                     items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
                       properties:
                         key:
                           description: key is the label key that the selector applies
                             to.
                           type: string
                         operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
                           type: string
                         values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
                             merge patch.
                           items:
                             type: string
                           type: array
+                          x-kubernetes-list-type: atomic
                       required:
                       - key
                       - operator
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                   matchLabels:
                     additionalProperties:
                       type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                     type: object
                 type: object
                 x-kubernetes-map-type: atomic
@@ -253,13 +262,19 @@ spec:
                       description: API version of the referent.
                       type: string
                     kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                       type: string
                     name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                       type: string
                     namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                       type: string
                   required:
                   - kind

charts/capsule/crds/capsule.clastix.io_tenantresources.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.17.3
   name: tenantresources.capsule.clastix.io
 spec:
   group: capsule.clastix.io
@@ -18,20 +17,25 @@ spec:
   - name: v1beta2
     schema:
       openAPIV3Schema:
-        description: TenantResource allows a Tenant Owner, if enabled with proper
-          RBAC, to propagate resources in its Namespace. The object must be deployed
-          in a Tenant Namespace, and cannot reference object living in non-Tenant
-          namespaces. For such cases, the GlobalTenantResource must be used.
+        description: |-
+          TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace.
+          The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
+          For such cases, the GlobalTenantResource must be used.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -40,10 +44,9 @@ spec:
             properties:
               pruningOnDelete:
                 default: true
-                description: When the replicated resource manifest is deleted, all
-                  the objects replicated so far will be automatically deleted. Disable
-                  this to keep replicated resources although the deletion of the replication
-                  manifest.
+                description: |-
+                  When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
+                  Disable this to keep replicated resources although the deletion of the replication manifest.
                 type: boolean
               resources:
                 description: Defines the rules to select targeting Namespace, along
@@ -51,9 +54,9 @@ spec:
                 items:
                   properties:
                     additionalMetadata:
-                      description: Besides the Capsule metadata required by TenantResource
-                        controller, defines additional metadata that must be added
-                        to the replicated resources.
+                      description: |-
+                        Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
+                        added to the replicated resources.
                       properties:
                         annotations:
                           additionalProperties:
@@ -65,49 +68,50 @@ spec:
                           type: object
                       type: object
                     namespaceSelector:
-                      description: Defines the Namespace selector to select the Tenant
-                        Namespaces on which the resources must be propagated. In case
-                        of nil value, all the Tenant Namespaces are targeted.
+                      description: |-
+                        Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
+                        In case of nil value, all the Tenant Namespaces are targeted.
                       properties:
                         matchExpressions:
                           description: matchExpressions is a list of label selector
                             requirements. The requirements are ANDed.
                           items:
-                            description: A label selector requirement is a selector
-                              that contains values, a key, and an operator that relates
-                              the key and values.
+                            description: |-
+                              A label selector requirement is a selector that contains values, a key, and an operator that
+                              relates the key and values.
                             properties:
                               key:
                                 description: key is the label key that the selector
                                   applies to.
                                 type: string
                               operator:
-                                description: operator represents a key's relationship
-                                  to a set of values. Valid operators are In, NotIn,
-                                  Exists and DoesNotExist.
+                                description: |-
+                                  operator represents a key's relationship to a set of values.
+                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                 type: string
                               values:
-                                description: values is an array of string values.
-                                  If the operator is In or NotIn, the values array
-                                  must be non-empty. If the operator is Exists or
-                                  DoesNotExist, the values array must be empty. This
-                                  array is replaced during a strategic merge patch.
+                                description: |-
+                                  values is an array of string values. If the operator is In or NotIn,
+                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                  the values array must be empty. This array is replaced during a strategic
+                                  merge patch.
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             required:
                             - key
                             - operator
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: matchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                       x-kubernetes-map-type: atomic
@@ -120,10 +124,14 @@ spec:
                             description: API version of the referent.
                             type: string
                           kind:
-                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                             type: string
                           namespace:
-                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                             type: string
                           selector:
                             description: Label selector used to select the given resources
@@ -133,8 +141,8 @@ spec:
                                 description: matchExpressions is a list of label selector
                                   requirements. The requirements are ANDed.
                                 items:
-                                  description: A label selector requirement is a selector
-                                    that contains values, a key, and an operator that
+                                  description: |-
+                                    A label selector requirement is a selector that contains values, a key, and an operator that
                                     relates the key and values.
                                   properties:
                                     key:
@@ -142,33 +150,33 @@ spec:
                                         applies to.
                                       type: string
                                     operator:
-                                      description: operator represents a key's relationship
-                                        to a set of values. Valid operators are In,
-                                        NotIn, Exists and DoesNotExist.
+                                      description: |-
+                                        operator represents a key's relationship to a set of values.
+                                        Valid operators are In, NotIn, Exists and DoesNotExist.
                                       type: string
                                     values:
-                                      description: values is an array of string values.
-                                        If the operator is In or NotIn, the values
-                                        array must be non-empty. If the operator is
-                                        Exists or DoesNotExist, the values array must
-                                        be empty. This array is replaced during a
-                                        strategic merge patch.
+                                      description: |-
+                                        values is an array of string values. If the operator is In or NotIn,
+                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                        the values array must be empty. This array is replaced during a strategic
+                                        merge patch.
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                   - key
                                   - operator
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               matchLabels:
                                 additionalProperties:
                                   type: string
-                                description: matchLabels is a map of {key,value} pairs.
-                                  A single {key,value} in the matchLabels map is equivalent
-                                  to an element of matchExpressions, whose key field
-                                  is "key", the operator is "In", and the values array
-                                  contains only "value". The requirements are ANDed.
+                                description: |-
+                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
                                 type: object
                             type: object
                             x-kubernetes-map-type: atomic
@@ -189,9 +197,9 @@ spec:
                 type: array
               resyncPeriod:
                 default: 60s
-                description: Define the period of time upon a second reconciliation
-                  must be invoked. Keep in mind that any change to the manifests will
-                  trigger a new reconciliation.
+                description: |-
+                  Define the period of time upon a second reconciliation must be invoked.
+                  Keep in mind that any change to the manifests will trigger a new reconciliation.
                 type: string
             required:
             - resources
@@ -208,13 +216,19 @@ spec:
                       description: API version of the referent.
                       type: string
                     kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                       type: string
                     name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                       type: string
                     namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                       type: string
                   required:
                   - kind

charts/capsule/crds/capsule.clastix.io_tenants.patch

@@ -0,0 +1,14 @@
+metadata:
+  annotations:
+  {{- if $.Values.certManager.generateCertificates }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
+  {{-  end }}
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        {{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
+      conversionReviewVersions:
+        - v1beta1
+        - v1beta2

charts/capsule/crds/capsuleconfiguration-crd.yaml

@@ -1,119 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  name: capsuleconfigurations.capsule.clastix.io
-spec:
-  conversion:
-    strategy: Webhook
-    webhook:
-      clientConfig:
-        service:
-          name: capsule-webhook-service
-          namespace: capsule-system
-          path: /convert
-      conversionReviewVersions:
-        - v1beta1
-        - v1beta2
-  group: capsule.clastix.io
-  names:
-    kind: CapsuleConfiguration
-    listKind: CapsuleConfigurationList
-    plural: capsuleconfigurations
-    singular: capsuleconfiguration
-  scope: Cluster
-  versions:
-    - name: v1beta2
-      schema:
-        openAPIV3Schema:
-          description: CapsuleConfiguration is the Schema for the Capsule configuration API.
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: CapsuleConfigurationSpec defines the Capsule configuration.
-              properties:
-                enableTLSReconciler:
-                  default: true
-                  description: Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
-                  type: boolean
-                forceTenantPrefix:
-                  default: false
-                  description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
-                  type: boolean
-                nodeMetadata:
-                  description: Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant. This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
-                  properties:
-                    forbiddenAnnotations:
-                      description: Define the annotations that a Tenant Owner cannot set for their nodes.
-                      properties:
-                        denied:
-                          items:
-                            type: string
-                          type: array
-                        deniedRegex:
-                          type: string
-                      type: object
-                    forbiddenLabels:
-                      description: Define the labels that a Tenant Owner cannot set for their nodes.
-                      properties:
-                        denied:
-                          items:
-                            type: string
-                          type: array
-                        deniedRegex:
-                          type: string
-                      type: object
-                  required:
-                    - forbiddenAnnotations
-                    - forbiddenLabels
-                  type: object
-                overrides:
-                  default:
-                    TLSSecretName: capsule-tls
-                    mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
-                    validatingWebhookConfigurationName: capsule-validating-webhook-configuration
-                  description: Allows to set different name rather than the canonical one for the Capsule configuration objects, such as webhook secret or configurations.
-                  properties:
-                    TLSSecretName:
-                      default: capsule-tls
-                      description: Defines the Secret name used for the webhook server. Must be in the same Namespace where the Capsule Deployment is deployed.
-                      type: string
-                    mutatingWebhookConfigurationName:
-                      default: capsule-mutating-webhook-configuration
-                      description: Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
-                      type: string
-                    validatingWebhookConfigurationName:
-                      default: capsule-validating-webhook-configuration
-                      description: Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
-                      type: string
-                  required:
-                    - TLSSecretName
-                    - mutatingWebhookConfigurationName
-                    - validatingWebhookConfigurationName
-                  type: object
-                protectedNamespaceRegex:
-                  description: Disallow creation of namespaces, whose name matches this regexp
-                  type: string
-                userGroups:
-                  default:
-                    - capsule.clastix.io
-                  description: Names of the groups for Capsule users.
-                  items:
-                    type: string
-                  type: array
-              required:
-                - enableTLSReconciler
-              type: object
-          type: object
-      served: true
-      storage: true

charts/capsule/crds/globaltenantresources-crd.yaml

@@ -1,222 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
-  name: globaltenantresources.capsule.clastix.io
-spec:
-  group: capsule.clastix.io
-  names:
-    kind: GlobalTenantResource
-    listKind: GlobalTenantResourceList
-    plural: globaltenantresources
-    singular: globaltenantresource
-  scope: Cluster
-  versions:
-    - name: v1beta2
-      schema:
-        openAPIV3Schema:
-          description: GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
-              properties:
-                pruningOnDelete:
-                  default: true
-                  description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
-                  type: boolean
-                resources:
-                  description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
-                  items:
-                    properties:
-                      additionalMetadata:
-                        description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
-                        properties:
-                          annotations:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                        type: object
-                      namespaceSelector:
-                        description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespacedItems:
-                        description: List of the resources already existing in other Namespaces that must be replicated.
-                        items:
-                          properties:
-                            apiVersion:
-                              description: API version of the referent.
-                              type: string
-                            kind:
-                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                              type: string
-                            namespace:
-                              description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                              type: string
-                            selector:
-                              description: Label selector used to select the given resources in the given Namespace.
-                              properties:
-                                matchExpressions:
-                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                  items:
-                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                    properties:
-                                      key:
-                                        description: key is the label key that the selector applies to.
-                                        type: string
-                                      operator:
-                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                        type: string
-                                      values:
-                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                        items:
-                                          type: string
-                                        type: array
-                                    required:
-                                      - key
-                                      - operator
-                                    type: object
-                                  type: array
-                                matchLabels:
-                                  additionalProperties:
-                                    type: string
-                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                  type: object
-                              type: object
-                              x-kubernetes-map-type: atomic
-                          required:
-                            - kind
-                            - namespace
-                            - selector
-                          type: object
-                        type: array
-                      rawItems:
-                        description: List of raw resources that must be replicated.
-                        items:
-                          type: object
-                          x-kubernetes-embedded-resource: true
-                          x-kubernetes-preserve-unknown-fields: true
-                        type: array
-                    type: object
-                  type: array
-                resyncPeriod:
-                  default: 60s
-                  description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
-                  type: string
-                tenantSelector:
-                  description: Defines the Tenant selector used target the tenants on which resources must be propagated.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                      items:
-                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies to.
-                            type: string
-                          operator:
-                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                            items:
-                              type: string
-                            type: array
-                        required:
-                          - key
-                          - operator
-                        type: object
-                      type: array
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-              required:
-                - resources
-                - resyncPeriod
-              type: object
-            status:
-              description: GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
-              properties:
-                processedItems:
-                  description: List of the replicated resources for the given TenantResource.
-                  items:
-                    properties:
-                      apiVersion:
-                        description: API version of the referent.
-                        type: string
-                      kind:
-                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                        type: string
-                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                        type: string
-                      namespace:
-                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                        type: string
-                    required:
-                      - kind
-                      - name
-                      - namespace
-                    type: object
-                  type: array
-                selectedTenants:
-                  description: List of Tenants addressed by the GlobalTenantResource.
-                  items:
-                    type: string
-                  type: array
-              required:
-                - processedItems
-                - selectedTenants
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}

charts/capsule/crds/tenantresources-crd.yaml

@@ -1,185 +0,0 @@
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
-  name: tenantresources.capsule.clastix.io
-spec:
-  group: capsule.clastix.io
-  names:
-    kind: TenantResource
-    listKind: TenantResourceList
-    plural: tenantresources
-    singular: tenantresource
-  scope: Namespaced
-  versions:
-    - name: v1beta2
-      schema:
-        openAPIV3Schema:
-          description: TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace. The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces. For such cases, the GlobalTenantResource must be used.
-          properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: TenantResourceSpec defines the desired state of TenantResource.
-              properties:
-                pruningOnDelete:
-                  default: true
-                  description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
-                  type: boolean
-                resources:
-                  description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
-                  items:
-                    properties:
-                      additionalMetadata:
-                        description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
-                        properties:
-                          annotations:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                        type: object
-                      namespaceSelector:
-                        description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
-                        properties:
-                          matchExpressions:
-                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                            items:
-                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                              properties:
-                                key:
-                                  description: key is the label key that the selector applies to.
-                                  type: string
-                                operator:
-                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                  type: string
-                                values:
-                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                  items:
-                                    type: string
-                                  type: array
-                              required:
-                                - key
-                                - operator
-                              type: object
-                            type: array
-                          matchLabels:
-                            additionalProperties:
-                              type: string
-                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                            type: object
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      namespacedItems:
-                        description: List of the resources already existing in other Namespaces that must be replicated.
-                        items:
-                          properties:
-                            apiVersion:
-                              description: API version of the referent.
-                              type: string
-                            kind:
-                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                              type: string
-                            namespace:
-                              description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                              type: string
-                            selector:
-                              description: Label selector used to select the given resources in the given Namespace.
-                              properties:
-                                matchExpressions:
-                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                  items:
-                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
-                                    properties:
-                                      key:
-                                        description: key is the label key that the selector applies to.
-                                        type: string
-                                      operator:
-                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-                                        type: string
-                                      values:
-                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-                                        items:
-                                          type: string
-                                        type: array
-                                    required:
-                                      - key
-                                      - operator
-                                    type: object
-                                  type: array
-                                matchLabels:
-                                  additionalProperties:
-                                    type: string
-                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                  type: object
-                              type: object
-                              x-kubernetes-map-type: atomic
-                          required:
-                            - kind
-                            - namespace
-                            - selector
-                          type: object
-                        type: array
-                      rawItems:
-                        description: List of raw resources that must be replicated.
-                        items:
-                          type: object
-                          x-kubernetes-embedded-resource: true
-                          x-kubernetes-preserve-unknown-fields: true
-                        type: array
-                    type: object
-                  type: array
-                resyncPeriod:
-                  default: 60s
-                  description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
-                  type: string
-              required:
-                - resources
-                - resyncPeriod
-              type: object
-            status:
-              description: TenantResourceStatus defines the observed state of TenantResource.
-              properties:
-                processedItems:
-                  description: List of the replicated resources for the given TenantResource.
-                  items:
-                    properties:
-                      apiVersion:
-                        description: API version of the referent.
-                        type: string
-                      kind:
-                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                        type: string
-                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                        type: string
-                      namespace:
-                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                        type: string
-                    required:
-                      - kind
-                      - name
-                      - namespace
-                    type: object
-                  type: array
-              required:
-                - processedItems
-              type: object
-          type: object
-      served: true
-      storage: true
-      subresources:
-        status: {}

charts/capsule/templates/_helpers.tpl

@@ -105,10 +105,12 @@ Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
 Create the jobs fully-qualified Docker image to use
 */}}
 {{- define "capsule.jobsFullyQualifiedDockerImage" -}}
-{{- if .Values.jobs.image.tag }}
-{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
+
+{{- if $Values.image.tag }}
+{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository $Values.image.tag -}}
 {{- else }}
-{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
+{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
 {{- end }}
 {{- end }}
 
@@ -125,3 +127,30 @@ Create the Capsule TLS Secret name to use
 {{- define "capsule.secretTlsName" -}}
 {{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }}
 {{- end }}
+
+
+{{/*
+Capsule Webhook service (Called with $.Path)
+
+*/}}
+{{- define "capsule.webhooks.service" -}}
+  {{- include "capsule.webhooks.cabundle" $.ctx | nindent 0 }}
+  {{- if $.ctx.Values.webhooks.service.url }}
+url: {{ printf "%s/%s" (trimSuffix "/" $.ctx.Values.webhooks.service.url ) (trimPrefix "/" (required "Path is required for the function" $.path)) }}
+  {{- else }}
+service:
+  name: {{ default (printf "%s-webhook-service" (include "capsule.fullname" $.ctx)) $.ctx.Values.webhooks.service.name }}
+  namespace: {{ default $.ctx.Release.Namespace $.ctx.Values.webhooks.service.namespace }}
+  port: {{ default 443 $.ctx.Values.webhooks.service.port }}
+  path: {{ required "Path is required for the function" $.path }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Capsule Webhook endpoint CA Bundle
+*/}}
+{{- define "capsule.webhooks.cabundle" -}}
+  {{- if $.Values.webhooks.service.caBundle -}}
+caBundle: {{ $.Values.webhooks.service.caBundle -}}
+  {{- end -}}
+{{- end -}}

charts/capsule/templates/certificate.yaml

@@ -1,4 +1,5 @@
-{{- if .Values.certManager.generateCertificates }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if .Values.certManager.generateCertificates }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -26,6 +27,9 @@ spec:
   dnsNames:
   - {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
   - {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  {{- range  .Values.certManager.additionalSANS }}
+  - {{ toYaml . }}
+  {{- end }}
   issuerRef:
     kind: Issuer
     name: {{ include "capsule.fullname" . }}-webhook-selfsigned
@@ -33,4 +37,5 @@ spec:
   subject:
     organizations:
       - clastix.io
+  {{- end }}
 {{- end }}

charts/capsule/templates/certs.yaml

@@ -1,12 +1,14 @@
-{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
+    {{- with .Values.customAnnotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "capsule.secretTlsName" . }}
+  {{- end }}
 {{- end }}

charts/capsule/templates/configuration-default.yaml

@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 apiVersion: capsule.clastix.io/v1beta2
 kind: CapsuleConfiguration
 metadata:
@@ -24,3 +25,4 @@ spec:
   nodeMetadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- end }}

charts/capsule/templates/crd-lifecycle/_helpers.tpl

@@ -0,0 +1,15 @@
+{{- define "capsule.crds.name" -}}
+{{- printf "%s-crds" (include "capsule.name" $) -}}
+{{- end }}
+
+{{- define "capsule.crds.annotations" -}}
+"helm.sh/hook": "pre-install,pre-upgrade"
+{{- end }}
+
+{{- define "capsule.crds.component" -}}
+crd-install-hook
+{{- end }}
+
+{{- define "capsule.crds.regexReplace" -}}
+{{- printf "%s" ($ | base | trimSuffix ".yaml" | regexReplaceAll "[_.]" "-") -}}
+{{- end }}

charts/capsule/templates/crd-lifecycle/crds.tpl

@@ -0,0 +1,56 @@
+{{/* CustomResources Lifecycle */}}
+{{- if $.Values.crds.install }}
+  {{ range $path, $_ :=  .Files.Glob "crds/**.yaml" }}
+    {{- with $ }}
+      {{- $content := (tpl (.Files.Get $path) $) -}}
+      {{- $p := (fromYaml $content) -}}
+      {{- if $p.Error }}
+        {{- fail (printf "found YAML error in file %s - %s - raw:\n\n%s" $path $p.Error $content) -}}
+      {{- end -}}
+
+
+      {{/* Add Common Lables */}}
+      {{- $_ := set $p.metadata "labels" (mergeOverwrite (default dict (get $p.metadata "labels")) (default dict $.Values.crds.labels) (fromYaml (include "capsule.labels" $))) -}}
+
+
+      {{/* Add Common Lables */}}
+      {{- $_ := set $p.metadata "annotations" (mergeOverwrite (default dict (get $p.metadata "annotations")) (default dict $.Values.crds.annotations)) -}}
+
+      {{/* Add Keep annotation to CRDs */}}
+      {{- if $.Values.crds.keep }}
+        {{- $_ := set $p.metadata.annotations "helm.sh/resource-policy" "keep" -}}
+      {{- end }}
+
+      {{/* Add Spec Patches for the CRD */}}
+      {{- $patchFile := $path | replace ".yaml" ".patch" }}
+      {{- $patchRawContent := (tpl (.Files.Get $patchFile) $) -}}
+      {{- if $patchRawContent -}}
+        {{- $patchContent := (fromYaml $patchRawContent) -}}
+        {{- if $patchContent.Error }}
+          {{- fail (printf "found YAML error in patch file %s - %s - raw:\n\n%s" $patchFile $patchContent.Error $patchRawContent) -}}
+        {{- end -}}
+        {{- $tmp := deepCopy $p | mergeOverwrite $patchContent -}}
+        {{- $p = $tmp -}}
+      {{- end -}}
+      {{- if $p }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "capsule.crds.name" . }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-5"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+data:
+  content: |
+    {{- printf "---\n%s" (toYaml $p) | nindent 4 }}
+
+      {{- end }}
+    {{ end }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/crd-lifecycle/job.yaml

@@ -0,0 +1,101 @@
+{{/* Backwards compatibility */}}
+{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
+
+{{- if .Values.crds.install }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-1"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+    {{- with $Values.annotations }}
+      {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+spec:
+  backoffLimit: {{ $Values.backoffLimit }}
+  {{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
+  ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
+  {{- end }}
+  template:
+    metadata:
+      name: "{{ include "capsule.crds.name" . }}"
+      labels:
+        app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+        {{- include "capsule.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: {{ $Values.restartPolicy }}
+      {{- with $Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with $Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "capsule.crds.name" . }}
+      containers:
+      - name: crds-hook
+        image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+        imagePullPolicy: {{ $Values.image.pullPolicy }}
+        {{- with $Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        command:
+        - sh
+        - -c
+        - |
+          set -o errexit ; set -o xtrace ; set -o nounset
+
+          # piping stderr to stdout means kubectl's errors are surfaced
+          # in the pod's logs.
+
+          kubectl apply --server-side=true --overwrite=true --force-conflicts=true -f /data/ 2>&1
+        volumeMounts:
+{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
+        - name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
+          mountPath: /data/{{ $path | base }}
+          subPath: {{ $path | base }}
+{{- end }}
+        {{- with $Values.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      volumes:
+{{ $currentScope := . }}
+{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
+    {{- with $currentScope }}
+      - name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
+        configMap:
+          name: {{ include "capsule.crds.name" $ }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
+          items:
+          - key: content
+            path: {{ $path | base }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/capsule/templates/crd-lifecycle/rbac.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.crds.install }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "capsule.crds.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.crds.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}

charts/capsule/templates/crd-lifecycle/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.crds.install }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "capsule.crds.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-4"
+    {{- include "capsule.crds.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+{{- end }}

charts/capsule/templates/daemonset.yaml

@@ -1,4 +1,5 @@
-{{- if eq .Values.manager.kind "DaemonSet" }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if eq .Values.manager.kind "DaemonSet" }}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -63,7 +64,7 @@ spec:
           - --webhook-port={{ .Values.manager.webhookPort }}
           - --enable-leader-election
           - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
-          - --configuration-name=default
+          - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
           image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
           env:
@@ -90,4 +91,5 @@ spec:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+  {{- end }}
 {{- end }}

charts/capsule/templates/deployment.yaml

@@ -1,4 +1,5 @@
-{{- if eq .Values.manager.kind "Deployment" }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if eq .Values.manager.kind "Deployment" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -36,6 +37,11 @@ spec:
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       {{- end }}
+      {{- if .Values.manager.hostPID }}
+      hostPID: {{ .Values.manager.hostPID }}
+      {{- else }}
+      hostPID: false
+      {{- end }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -58,13 +64,16 @@ spec:
           secret:
             defaultMode: 420
             secretName: {{ include "capsule.secretTlsName" . }}
+        {{- if .Values.manager.volumes }}
+        {{- toYaml .Values.manager.volumes | nindent 8 }}
+        {{- end }}
       containers:
         - name: manager
           args:
-          - --webhook-port={{ .Values.manager.webhookPort }}
-          - --enable-leader-election
-          - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
-          - --configuration-name=default
+            - --webhook-port={{ .Values.manager.webhookPort }}
+            - --enable-leader-election
+            - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
+            - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
           image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
           env:
@@ -73,22 +82,35 @@ spec:
               fieldRef:
                 fieldPath: metadata.namespace
           ports:
+            {{- if not (.Values.manager.hostNetwork) }}
             - name: webhook-server
               containerPort: {{ .Values.manager.webhookPort }}
               protocol: TCP
             - name: metrics
               containerPort: 8080
               protocol: TCP
+            {{- end }}
+            {{- with .Values.manager.ports }}
+              {{- . | nindent 12 }}
+            {{- end }}
           livenessProbe:
             {{- toYaml .Values.manager.livenessProbe | nindent 12}}
           readinessProbe:
             {{- toYaml .Values.manager.readinessProbe | nindent 12}}
           volumeMounts:
-          - mountPath: /tmp/k8s-webhook-server/serving-certs
-            name: cert
-            readOnly: true
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
+          {{- if .Values.manager.volumeMounts }}
+          {{- toYaml .Values.manager.volumeMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
+            {{- if .Values.manager.securityContext }}
+            {{- toYaml .Values.manager.securityContext | nindent 12 }}
+            {{- else }}
             {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- end }}
+  {{- end }}
 {{- end }}

charts/capsule/templates/metrics-service.yaml

@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -18,3 +19,4 @@ spec:
     {{- include "capsule.selectorLabels" . | nindent 4 }}
   sessionAffinity: None
   type: ClusterIP
+{{- end }}

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -1,3 +1,4 @@
+{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -12,19 +13,13 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 webhooks:
-{{- with .Values.webhooks.defaults.pods }}
+{{- with .Values.webhooks.hooks.defaults.pods }}
 - admissionReviewVersions:
   - v1
   clientConfig:
-  {{- if not $.Values.certManager.generateCertificates }}
-    caBundle: Cg==
-  {{- end }}
-    service:
-      name: {{ include "capsule.fullname" $ }}-webhook-service
-      namespace: {{ $.Release.Namespace }}
-      path: /defaults
+    {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: pod.defaults.capsule.clastix.io
+  name: pod.defaults.projectcapsule.dev
   rules:
   - apiGroups:
     - ""
@@ -34,23 +29,19 @@ webhooks:
     - CREATE
     resources:
     - pods
+    scope: "Namespaced"
   namespaceSelector:
-  {{- toYaml .namespaceSelector | nindent 4}} 
+  {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{- with .Values.webhooks.defaults.pvc }}
+{{- with .Values.webhooks.hooks.defaults.pvc }}
 - admissionReviewVersions:
   - v1
   clientConfig:
-  {{- if not $.Values.certManager.generateCertificates }}
-    caBundle: Cg==
-  {{- end }}
-    service:
-      name: {{ include "capsule.fullname" $ }}-webhook-service
-      namespace: {{ $.Release.Namespace }}
-      path: /defaults
+    {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: storage.defaults.capsule.clastix.io
+  name: storage.defaults.projectcapsule.dev
   rules:
   - apiGroups:
     - ""
@@ -60,23 +51,19 @@ webhooks:
     - CREATE
     resources:
     - persistentvolumeclaims
+    scope: "Namespaced"
   namespaceSelector:
-  {{- toYaml .namespaceSelector | nindent 4}}  
+  {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
 {{- end }}
-{{- with .Values.webhooks.defaults.ingress }}  
+{{- with .Values.webhooks.hooks.defaults.ingress }}
 - admissionReviewVersions:
   - v1
   clientConfig:
-  {{- if not $.Values.certManager.generateCertificates }}
-    caBundle: Cg==
-  {{- end }}
-    service:
-      name: {{ include "capsule.fullname" $ }}-webhook-service
-      namespace: {{ $.Release.Namespace }}
-      path: /defaults
+    {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
   failurePolicy: {{ .failurePolicy }}
-  name: ingress.defaults.capsule.clastix.io
+  name: ingress.defaults.projectcapsule.dev
   rules:
   - apiGroups:
     - networking.k8s.io
@@ -88,25 +75,21 @@ webhooks:
     - UPDATE
     resources:
     - ingresses
+    scope: "Namespaced"
   namespaceSelector:
   {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None
-{{- end }}  
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.namespaceOwnerReference }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /namespace-owner-reference
-      port: 443
-  failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
-  name: owner.namespace.capsule.clastix.io
+  name: owner.namespace.projectcapsule.dev
   namespaceSelector: {}
   objectSelector: {}
   reinvocationPolicy: Never
@@ -122,4 +105,6 @@ webhooks:
       - namespaces
       scope: '*'
   sideEffects: NoneOnDryRun
-  timeoutSeconds: {{ .Values.mutatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- end }}

charts/capsule/templates/podsecuritypolicy.yaml

@@ -1,58 +0,0 @@
-{{- if .Values.podSecurityPolicy.enabled }}
-kind: PodSecurityPolicy
-apiVersion: policy/v1beta1
-metadata:
-  name: {{ include "capsule.fullname" . }}
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  {{- with .Values.customAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  fsGroup:
-    rule: RunAsAny
-  hostPorts:
-  - max: 0
-    min: 0
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - secret
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "capsule.fullname" . }}-use-psp
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - {{ include "capsule.fullname" . }}
-  verbs:
-  - use
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "capsule.fullname" . }}-use-psp
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "capsule.fullname" . }}-use-psp
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: {{ include "capsule.serviceAccountName" . }}
-{{- end }}

charts/capsule/templates/post-install-job.yaml

@@ -1,55 +0,0 @@
-{{- if .Values.tls.create }}
-{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretTlsName" .) -}}
-{{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
-{{- $cmd = printf "%s done" $cmd -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "{{ .Release.Name }}-waiting-certs"
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  annotations:
-    # This is what defines this resource as a hook. Without this line, the
-    # job is considered part of the release.
-    "helm.sh/hook": post-install
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": hook-succeeded
-  {{- with .Values.customAnnotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-      labels:
-        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-        app.kubernetes.io/instance: {{ .Release.Name | quote }}
-        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      restartPolicy: Never
-      containers:
-      - name: post-install-job
-        image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
-        imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
-        command: ["sh", "-c", "{{ $cmd }}"]
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

charts/capsule/templates/post-install/_helpers.tpl

@@ -0,0 +1,11 @@
+{{- define "capsule.post-install.name" -}}
+{{- printf "%s-post-install" (include "capsule.name" $) -}}
+{{- end }}
+
+{{- define "capsule.post-install.annotations" -}}
+"helm.sh/hook": post-install
+{{- end }}
+
+{{- define "capsule.post-install.component" -}}
+post-install-hook
+{{- end }}

charts/capsule/templates/post-install/job.yaml

@@ -0,0 +1,84 @@
+{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
+
+{{- if .Values.tls.create }}
+  {{- if not $.Values.crds.exclusive }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ include "capsule.post-install.name" . }}"
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-weight": "-1"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+    {{- with $Values.annotations }}
+      {{- . | toYaml | nindent 4 }}
+    {{- end }}
+spec:
+  backoffLimit: {{ $Values.backoffLimit }}
+  {{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
+  ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+        {{- include "capsule.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: {{ $Values.restartPolicy }}
+      {{- with $Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with $Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "capsule.post-install.name" . }}
+      containers:
+      - name: post-install
+        image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+        imagePullPolicy: {{ $Values.image.pullPolicy }}
+        command:
+        - "sh"
+        - "-c"
+        - |
+          set -o errexit ; set -o nounset
+          while [ -z $(kubectl -n $NAMESPACE get secret {{ include "capsule.secretTlsName" $ }} -o jsonpath='{.data.tls\.crt}') ]; do
+            echo 'waiting Capsule to be up and running...' && sleep 5;
+          done
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with $Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with $Values.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/post-install/rbac.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.tls.create }}
+  {{- if not $.Values.crds.exclusive }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "capsule.post-install.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "capsule.post-install.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "capsule.post-install.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.post-install.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/post-install/serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.tls.create }}
+  {{- if not $.Values.crds.exclusive }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "capsule.post-install.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook-weight": "-4"
+    {{- include "capsule.post-install.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/capsule/templates/pre-delete-job.yaml

@@ -1,56 +0,0 @@
-{{- $cmd := ""}}
-{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
-{{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) -}}
-{{- end }}
-{{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}
-{{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "{{ .Release.Name }}-rbac-cleaner"
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  annotations:
-    # This is what defines this resource as a hook. Without this line, the
-    # job is considered part of the release.
-    "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": hook-succeeded
-  {{- with .Values.customAnnotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-      labels:
-        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-        app.kubernetes.io/instance: {{ .Release.Name | quote }}
-        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      restartPolicy: Never
-      containers:
-        - name: pre-delete-job
-          image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
-          imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
-          command: [ "sh", "-c",  "{{ $cmd }}"]
-          env:
-            - name: NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-      serviceAccountName: {{ include "capsule.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

charts/capsule/templates/pre-delete/_helpers.tpl

@@ -0,0 +1,14 @@
+{{- define "capsule.pre-delete.name" -}}
+{{- printf "%s-pre-delete" (include "capsule.name" $) -}}
+{{- end }}
+
+{{- define "capsule.pre-delete.annotations" -}}
+"helm.sh/hook": pre-delete
+  {{- with $.Values.jobs.annotations }}
+    {{- . | toYaml | nindent 0 }}
+  {{- end }}
+{{- end }}
+
+{{- define "capsule.pre-delete.component" -}}
+pre-delete-hook
+{{- end }}

charts/capsule/templates/pre-delete/job.yaml

@@ -0,0 +1,85 @@
+{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
+
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ include "capsule.pre-delete.name" $ }}"
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-weight": "-1"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+    {{- with $Values.annotations }}
+      {{- . | toYaml | nindent 4 }}
+    {{- end }}
+spec:
+  backoffLimit: {{ $Values.backoffLimit }}
+  {{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
+  ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+        {{- include "capsule.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: {{ $Values.restartPolicy }}
+      {{- with $Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with $Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "capsule.pre-delete.name" . }}
+      containers:
+        - name: pre-delete-job
+          image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
+          imagePullPolicy: {{ $Values.image.pullPolicy }}
+          command:
+          - "/bin/sh"
+          - "-c"
+          - |
+              set -o errexit ; set -o xtrace ; set -o nounset
+          {{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
+              kubectl delete secret -n $NAMESPACE {{ include "capsule.secretTlsName" $ }} --ignore-not-found
+          {{- end }}
+              kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
+              kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          {{- with $Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with $Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+{{- end }}

charts/capsule/templates/pre-delete/rbac.yaml

@@ -0,0 +1,90 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resourceNames:
+  - capsule-namespace-deleter
+  - capsule-namespace-provisioner
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-3"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - delete
+  resourceNames:
+  - {{ include "capsule.secretTlsName" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "capsule.pre-delete.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.pre-delete.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    # create hook dependencies in the right order
+    "helm.sh/hook-weight": "-2"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "capsule.pre-delete.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "capsule.pre-delete.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}

charts/capsule/templates/pre-delete/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if not $.Values.crds.exclusive }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "capsule.pre-delete.name" . }}
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    "helm.sh/hook-weight": "-4"
+    {{- include "capsule.pre-delete.annotations" . | nindent 4 }}
+  labels:
+    app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
+    {{- include "capsule.labels" . | nindent 4 }}
+{{- end }}

charts/capsule/templates/rbac.yaml

@@ -1,4 +1,5 @@
-{{- if $.Values.manager.rbac.create }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if $.Values.manager.rbac.create }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,8 +19,8 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "capsule.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{- end }}
-{{- range $_, $cr := $.Values.manager.rbac.existingClusterRoles }}
+  {{- end }}
+  {{- range $_, $cr := $.Values.manager.rbac.existingClusterRoles }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -60,4 +61,5 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "capsule.serviceAccountName" $ }}
   namespace: {{ $.Release.Namespace }}
+  {{- end }}
 {{- end }}

charts/capsule/templates/serviceaccount.yaml

@@ -1,12 +1,14 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if not $.Values.crds.exclusive }}
+  {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "capsule.serviceAccountName" . }}
   labels:
     {{- include "capsule.labels" . | nindent 4 }}
-  {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations)  }}
+    {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations)  }}
   annotations:
-    {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
+      {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end }}

charts/capsule/templates/servicemonitor.yaml

@@ -1,4 +1,5 @@
-{{- if .Values.serviceMonitor.enabled }}
+{{- if not $.Values.crds.exclusive }}
+  {{- if .Values.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -28,7 +29,7 @@ spec:
     {{- with .relabelings }}
     relabelings: {{- toYaml . | nindent 6 }}
     {{- end }}
-  {{- end }}  
+  {{- end }}
   jobLabel: app.kubernetes.io/name
   {{- with .Values.serviceMonitor.targetLabels }}
   targetLabels: {{- toYaml . | nindent 4 }}
@@ -43,5 +44,5 @@ spec:
   namespaceSelector:
     matchNames:
       - {{ .Release.Namespace }}
+  {{- end }}
 {{- end }}
-

charts/capsule/templates/validatingwebhookconfiguration.yaml

@@ -1,3 +1,4 @@
+{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -12,23 +13,17 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 webhooks:
+{{- with .Values.webhooks.hooks.cordoning }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /cordoning
-      port: 443
-  failurePolicy: {{ .Values.webhooks.cordoning.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/cordoning" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
-  name: cordoning.tenant.capsule.clastix.io
+  name: cordoning.tenant.projectcapsule.dev
   namespaceSelector:
-  {{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}}
+  {{- toYaml .namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -43,24 +38,19 @@ webhooks:
         - '*'
       scope: Namespaced
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.ingresses }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /ingresses
-      port: 443
-  failurePolicy: {{ .Values.webhooks.ingresses.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/ingresses" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
-  name: ingress.capsule.clastix.io
+  name: ingress.projectcapsule.dev
   namespaceSelector:
-  {{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}}
+  {{- toYaml .namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -76,22 +66,17 @@ webhooks:
         - ingresses
       scope: Namespaced
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{ with .Values.webhooks.hooks.namespaces }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /namespaces
-      port: 443
-  failurePolicy: {{ .Values.webhooks.namespaces.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/namespaces" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
-  name: namespaces.capsule.clastix.io
+  name: namespaces.projectcapsule.dev
   namespaceSelector: {}
   objectSelector: {}
   rules:
@@ -107,24 +92,19 @@ webhooks:
         - namespaces
       scope: '*'
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.networkpolicies }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /networkpolicies
-      port: 443
-  failurePolicy: {{ .Values.webhooks.networkpolicies.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/networkpolicies" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Equivalent
-  name: networkpolicies.capsule.clastix.io
+  name: networkpolicies.projectcapsule.dev
   namespaceSelector:
-  {{- toYaml .Values.webhooks.networkpolicies.namespaceSelector | nindent 4}}
+  {{- toYaml .namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -138,21 +118,16 @@ webhooks:
         - networkpolicies
       scope: Namespaced
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.nodes }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /nodes
-      port: 443
-  failurePolicy: {{ .Values.webhooks.nodes.failurePolicy }}
-  name: nodes.capsule.clastix.io
+    {{- include "capsule.webhooks.service" (dict "path" "/nodes" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  name: nodes.projectcapsule.dev
   matchPolicy: Exact
   namespaceSelector: {}
   objectSelector: {}
@@ -166,24 +141,19 @@ webhooks:
       resources:
         - nodes
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.pods }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /pods
-      port: 443
-  failurePolicy: {{ .Values.webhooks.pods.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/pods" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Exact
-  name: pods.capsule.clastix.io
+  name: pods.projectcapsule.dev
   namespaceSelector:
-  {{- toYaml .Values.webhooks.pods.namespaceSelector | nindent 4}}
+  {{- toYaml .namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -197,22 +167,18 @@ webhooks:
         - pods
       scope: Namespaced
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.persistentvolumeclaims }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /persistentvolumeclaims
-  failurePolicy: {{ .Values.webhooks.persistentvolumeclaims.failurePolicy }}
-  name: pvc.capsule.clastix.io
+    {{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
+  name: pvc.projectcapsule.dev
   namespaceSelector:
-  {{- toYaml .Values.webhooks.persistentvolumeclaims.namespaceSelector | nindent 4}}
+  {{- toYaml .namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -225,24 +191,19 @@ webhooks:
         - persistentvolumeclaims
       scope: Namespaced
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.services }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /services
-      port: 443
-  failurePolicy: {{ .Values.webhooks.services.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/services" "ctx" $) | nindent 4 }}
+  failurePolicy: {{ .failurePolicy }}
   matchPolicy: Exact
-  name: services.capsule.clastix.io
+  name: services.projectcapsule.dev
   namespaceSelector:
-  {{- toYaml .Values.webhooks.services.namespaceSelector | nindent 4}}
+  {{- toYaml .namespaceSelector | nindent 4}}
   objectSelector: {}
   rules:
     - apiGroups:
@@ -256,19 +217,15 @@ webhooks:
         - services
       scope: Namespaced
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.tenantResourceObjects }}
 - admissionReviewVersions:
     - v1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: capsule-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /tenantresource-objects
-  failurePolicy:  {{ .Values.webhooks.tenantResourceObjects.failurePolicy }}
-  name: resource-objects.tenant.capsule.clastix.io
+    {{- include "capsule.webhooks.service" (dict "path" "/tenantresource-objects" "ctx" $) | nindent 4 }}
+  failurePolicy:  {{ .failurePolicy }}
+  name: resource-objects.tenant.projectcapsule.dev
   namespaceSelector:
     matchExpressions:
       - key: capsule.clastix.io/tenant
@@ -289,21 +246,17 @@ webhooks:
         - '*'
       scope: Namespaced
   sideEffects: None
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- with .Values.webhooks.hooks.tenants }}
 - admissionReviewVersions:
     - v1
     - v1beta1
   clientConfig:
-{{- if not .Values.certManager.generateCertificates }}
-    caBundle: Cg==
-{{- end }}
-    service:
-      name: {{ include "capsule.fullname" . }}-webhook-service
-      namespace: {{ .Release.Namespace }}
-      path: /tenants
-      port: 443
-  failurePolicy:  {{ .Values.webhooks.tenants.failurePolicy }}
+    {{- include "capsule.webhooks.service" (dict "path" "/tenants" "ctx" $) | nindent 4 }}
+  failurePolicy:  {{ .failurePolicy }}
   matchPolicy: Exact
-  name: tenants.capsule.clastix.io
+  name: tenants.projectcapsule.dev
   namespaceSelector: {}
   objectSelector: {}
   rules:
@@ -319,4 +272,6 @@ webhooks:
         - tenants
       scope: '*'
   sideEffects: None
-  timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
+  timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
+{{- end }}
+{{- end }}

charts/capsule/templates/webhook-service.yaml

@@ -1,3 +1,4 @@
+{{- if not $.Values.crds.exclusive }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -18,3 +19,4 @@ spec:
     {{- include "capsule.selectorLabels" . | nindent 4 }}
   sessionAffinity: None
   type: ClusterIP
+{{- end }}