Compare commits

281 Commits

Author SHA1 Message Date
Oliver Bähler
203ae61072 chore(yamllint): fix yaml comments
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-04-29 18:55:58 +02:00
renovate[bot]
7495eba74f chore(deps): update github/codeql-action digest to ed51cb5 (#1427)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-29 16:40:42 +02:00
renovate[bot]
bb3b7fee48 chore(deps): update amannn/action-semantic-pull-request digest to 3352882 (#1426)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-29 16:14:40 +02:00
renovate[bot]
e2af0dc493 chore(deps): update capsule-proxy docker tag to v0.9.3 (#1410)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-26 07:35:21 +02:00
renovate[bot]
535c0e127d chore(deps): update github/codeql-action digest to f843d94 (#1419)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-26 07:30:46 +02:00
renovate[bot]
2f70e92df8 chore(deps): update anchore/sbom-action digest to 9f73021 (#1422)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-25 08:22:25 +02:00
renovate[bot]
73746ad885 chore(deps): update all-ci-updates (#1418)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-25 08:20:16 +02:00
Oliver Bähler
a6b3895756 chore: bump crds to ctrl-tools v0.17.3 (#1420)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-04-24 15:31:30 +02:00
renovate[bot]
72012c19e6 chore(deps): update dependency kubernetes-sigs/controller-tools to v0.17.3 (#1411)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-14 15:59:37 +02:00
Hristo Hristov
a440a59435 fix(tenantresources): nil pointer for additionalmetadata (#1413)
* fix(tenantresources): nil pointer for additionalmetadata

Signed-off-by: Hristo Hristov <me@hhristov.info>

* fix(ci): make harpoon binary executable

Signed-off-by: Hristo Hristov <me@hhristov.info>

---------

Signed-off-by: Hristo Hristov <me@hhristov.info>
2025-04-11 11:17:47 +02:00
renovate[bot]
6fcc9de3b1 chore(deps): update github/codeql-action digest to 4c3e536 (#1416)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-11 08:22:29 +02:00
Hristo Hristov
f5a621174a fix(ci): make harpoon binary executable (#1415)
Signed-off-by: Hristo Hristov <me@hhristov.info>
2025-04-09 15:44:47 +02:00
Oliver Bähler
dbc1502d20 fix(ci): remove harpoon from workflow
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-04-08 14:11:02 +02:00
renovate[bot]
76016fba71 chore(deps): update azure/setup-helm digest to b9e5190 (#1380)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-08 13:01:40 +02:00
renovate[bot]
c9af3fcad1 chore(deps): update all-ci-updates (#1394)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-08 12:46:22 +02:00
renovate[bot]
d3c79538e0 chore(deps): update github/codeql-action digest to d26c46a (#1395)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-08 12:45:52 +02:00
renovate[bot]
9127bdb66a chore(deps): update amannn/action-semantic-pull-request digest to 04501d4 (#1406)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-08 12:45:28 +02:00
All_Existence
45a46d7337 docs: improving grammar in documentation (#1412)
Signed-off-by: Rishabh <imrishabh27@gmail.com>
Co-authored-by: rishabh <imrishabh27@gmail.com>
2025-04-08 12:44:18 +02:00
renovate[bot]
f5c7cffb82 chore(deps): update anchore/sbom-action digest to 5aeee89 (#1409)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-02 18:28:35 +02:00
Pedro Parra Ortega
e52539bed6 chore(docs): add enreach to adopters (#1389)
Signed-off-by: Pedro Parra Ortega <pedro.parraortega@enreach.com>
2025-04-01 07:55:28 +02:00
renovate[bot]
9bd7bbf274 chore(deps): update dependency adrienverge/yamllint to v1.37.0 (#1404)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-31 09:37:34 +02:00
renovate[bot]
2e6c26c982 chore(deps): update dependency adrienverge/yamllint to v1.36.2 (#1398)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-18 17:28:42 +01:00
renovate[bot]
cbc1fea680 chore(deps): update dependency alessandrojcm/commitlint-pre-commit-hook to v9.22.0 (#1399)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-18 17:26:46 +01:00
Zadkiel AHARONIAN
a1d89711b0 chore: Square Fit capsule SVG logo (#1400)
Signed-off-by: GitHub <noreply@github.com>
2025-03-18 17:26:23 +01:00
Zadkiel AHARONIAN
7b985fcb6e chore: use capsule svg logo in readme (#1401)
Signed-off-by: GitHub <noreply@github.com>
2025-03-18 17:25:52 +01:00
renovate[bot]
a783bd69fa chore(deps): update all-ci-updates (#1385)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-04 08:39:12 +01:00
renovate[bot]
35f11679b1 chore(deps): update github/codeql-action digest to 80f9930 (#1388)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-03-04 08:38:47 +01:00
renovate[bot]
063788c8af chore(deps): update github/codeql-action digest to a8849fb (#1384)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-25 16:25:35 +01:00
renovate[bot]
4be73f2d52 chore(deps): update github/codeql-action digest to d38c6e6 (#1381)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-20 10:57:04 +01:00
renovate[bot]
bd53884e23 chore(deps): update actions/cache action to v4.2.1 (#1382)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-20 10:56:44 +01:00
renovate[bot]
4eca6ca5b1 chore(deps): update dependency kubernetes-sigs/kind to v0.27.0 (#1376)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-18 14:43:37 +01:00
renovate[bot]
93ed1c7171 chore(deps): update dependency golangci/golangci-lint to v1.64.5 (#1375)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-18 14:43:15 +01:00
renovate[bot]
97a4dccc42 chore(deps): update dependency alessandrojcm/commitlint-pre-commit-hook to v9.21.0 (#1377)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-18 14:42:52 +01:00
renovate[bot]
0ef6733d67 chore(deps): update github/codeql-action digest to 1bb15d0 (#1369)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-18 14:42:27 +01:00
renovate[bot]
80538d6344 chore(deps): update all-ci-updates (#1374)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-18 14:42:08 +01:00
renovate[bot]
8e0b5b9413 chore(deps): update goreleaser/goreleaser-action action to v6.2.1 (#1370)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-13 07:32:22 +01:00
renovate[bot]
14679921d0 chore(deps): update dependency golangci/golangci-lint to v1.64.4 (#1371)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-13 07:31:32 +01:00
renovate[bot]
4b2c86be65 chore(deps): update dependency kubernetes-sigs/controller-tools to v0.17.2 (#1368)
* chore(deps): update dependency kubernetes-sigs/controller-tools to v0.17.2

* chore(ci): fix coverage and seccomp

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(ci): use ghcr for seccomp image

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-02-10 16:46:36 +01:00
renovate[bot]
72c0cd0199 chore(deps): update dependency alegrey91/harpoon to v0.9.6 (#1362)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 16:44:58 +01:00
renovate[bot]
3ef3e1f137 chore(deps): update github/codeql-action digest to 0a35e8f (#1364)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 14:48:07 +01:00
renovate[bot]
a55154ea56 chore(deps): update all-ci-updates (#1365)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 14:47:45 +01:00
renovate[bot]
8df833116c chore(deps): update capsule-proxy docker tag to v0.9.1 (#1367)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 14:47:21 +01:00
Oliver Bähler
cfdd812d21 chore(repo): removing lts support (#1361)
* chore(repo): removing lts support

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-02-07 10:39:10 +01:00
renovate[bot]
aaca9ca1b6 chore(deps): update dependency kubernetes-sigs/controller-tools to v0.17.1 (#1356)
* chore(deps): update dependency kubernetes-sigs/controller-tools to v0.17.1

* chore(manifests): bump controller-gen annotations

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-02-07 09:06:48 +01:00
renovate[bot]
b630aa7671 chore(deps): update dependency fybrik/crdoc to v0.6.4 (#1352)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 19:33:26 +01:00
renovate[bot]
2cb6100d24 chore(deps): update dependency helm/chart-testing to v3.12.0 (#1355)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 19:32:44 +01:00
renovate[bot]
6f8563f7e8 chore(deps): update dependency kubernetes-sigs/kind to v0.26.0 (#1357)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 19:23:07 +01:00
renovate[bot]
c51e4cac9a chore(deps): update dependency alegrey91/harpoon to v0.9.5 (#1351)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 19:22:14 +01:00
renovate[bot]
08331211d1 chore(deps): update dependency pre-commit/pre-commit-hooks to v5 (#1359)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 18:29:57 +01:00
renovate[bot]
075f3a8385 chore(deps): update github/codeql-action digest to 24e1c2d (#1348)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 18:29:35 +01:00
renovate[bot]
c20272c8b9 chore(deps): update actions/setup-go action to v5.3.0 (#1349)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 18:29:14 +01:00
renovate[bot]
e7640ec584 chore(deps): update dependency adrienverge/yamllint to v1.35.1 (#1353)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 18:28:45 +01:00
renovate[bot]
360d0dc48b chore(deps): update dependency google/ko to v0.17.1 (#1354)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-06 18:27:56 +01:00
Oliver Bähler
e808118b43 chore: add remaining chart improvements (#1347)
* chore(repo): rework makefile and add renovate managers for pre-commit and makefile binaries

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(repo): add renovate managers

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-02-06 17:31:31 +01:00
Alessio Greggi
b7a2072b0f ci: generate seccomp profile within pipeline (#1325)
Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2025-02-06 12:44:08 +01:00
Oliver Bähler
fa06d8d6ae sec(release): release sboms and signatures in same repository as artefact (#1346)
* chore(repo): add pre-commit

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): add schema

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* sec(release): release sboms and signatures in same repository as artefact

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-02-05 14:52:32 +01:00
renovate[bot]
887f4adc01 chore(deps): update golang docker tag to v1.23.6 (#1323)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-05 12:16:43 +01:00
Oliver Bähler
e6e35fff2f chore(repo): add pre-commit (#1345)
* chore(repo): add pre-commit

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): add schema

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-02-05 11:23:20 +01:00
Casper Thygesen
c22044016a chore: update errors.go with spelling error fixes (#1340)
Signed-off-by: Casper Thygesen <cth@trifork.com>
2025-02-05 02:41:06 +01:00
renovate[bot]
21022f35dd chore(deps): update sigstore/cosign-installer action to v3.8.0 (#1344)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-05 02:25:32 +01:00
renovate[bot]
e1bfdc0d6e fix(deps): update module golang.org/x/sync to v0.11.0 (#1343)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-05 02:18:09 +01:00
renovate[bot]
da064dafcd chore(deps): update github/codeql-action digest to 08bc0cf (#1341)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-05 02:17:45 +01:00
renovate[bot]
6e80052847 chore(deps): update all-ci-updates (#1342)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-05 02:17:19 +01:00
renovate[bot]
5dc7965530 chore(deps): update github/codeql-action digest to 0701025 (#1338)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-31 10:11:08 +01:00
renovate[bot]
0a46fcb912 fix(deps): update module github.com/spf13/pflag to v1.0.6 (#1337)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-30 08:23:40 +01:00
renovate[bot]
9f6356c3a8 chore(deps): update capsule-proxy docker tag to v0.9.0 (#1308)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-30 08:12:37 +01:00
renovate[bot]
07b5bcafd3 chore(deps): update github/codeql-action action to v3.28.8 (#1336)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-30 08:11:43 +01:00
renovate[bot]
d829378ce1 chore(deps): update github/codeql-action digest to e9987ad (#1334)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-30 08:11:27 +01:00
renovate[bot]
a03ce238b7 chore(deps): update github/codeql-action action to v3.28.6 (#1335)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-30 07:58:30 +01:00
dependabot[bot]
e7adc8dc95 chore(deps): Bump golang.org/x/net from 0.28.0 to 0.33.0 (#1327)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.28.0 to 0.33.0.
- [Commits](https://github.com/golang/net/compare/v0.28.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-25 20:04:30 +01:00
renovate[bot]
d5786e5aa6 chore(deps): update anchore/sbom-action digest to 79202ae (#1330)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-25 20:03:05 +01:00
renovate[bot]
c9dbeac2f3 chore(deps): update github/codeql-action digest to e7c0c9d (#1328)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-25 20:02:41 +01:00
renovate[bot]
0cbc96ab25 chore(deps): update all-ci-updates (#1331)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-25 20:02:08 +01:00
renovate[bot]
426fc11bd5 chore(deps): update all-ci-updates (#1329)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-23 14:56:58 +01:00
renovate[bot]
34e2c7729c chore(deps): update github/codeql-action digest to d90e07f (#1320)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-21 10:11:13 +01:00
renovate[bot]
2d01f345b2 chore(deps): update all-ci-updates (#1322)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-21 10:10:44 +01:00
renovate[bot]
7b34fc457d chore(deps): update github/codeql-action digest to 93da9f2 (#1306)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-16 09:48:01 +01:00
renovate[bot]
aa9b6ab378 chore(deps): update wagoid/commitlint-github-action action to v6.2.1 (#1312)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-16 09:47:38 +01:00
renovate[bot]
41a626cdc4 fix(deps): update module sigs.k8s.io/controller-runtime to v0.19.4 (#1313)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-16 09:47:14 +01:00
renovate[bot]
4ec2ff1d44 fix(deps): update module github.com/stretchr/testify to v1.10.0 (#1317)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-16 09:46:42 +01:00
renovate[bot]
93cbe205f4 fix(deps): update module golang.org/x/sync to v0.10.0 (#1318)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-16 09:46:15 +01:00
Oliver Bähler
12b254c622 chore: minor fixes in repository (#1310)
* chore: remove kind action and use local kind

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: remove go dependency group

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: fix documentation links

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(helm): added scope for mutating webhook configurations

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): align webhooks and job values

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2025-01-15 14:52:14 +01:00
renovate[bot]
49fb307529 chore(deps): update all-ci-updates (#1307)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-13 15:24:06 +01:00
renovate[bot]
ace0d74c23 chore(deps): update all-ci-updates (#1295)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-10 02:12:06 +01:00
renovate[bot]
b74095be25 chore(deps): update all-ci-updates (#1282)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-05 09:39:59 +01:00
renovate[bot]
8ba9e9af1b fix(deps): update k8s.io/utils digest to 24370be (#1294)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-02 22:51:42 +01:00
renovate[bot]
7d7adf9c58 chore(deps): update capsule-proxy docker tag to v0.8.1 (#1304)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-02 22:51:04 +01:00
renovate[bot]
46a4e0dba1 chore(deps): update github/codeql-action digest to 5b6e617 (#1293)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-02 22:50:34 +01:00
renovate[bot]
8083cb59c9 chore(deps): update anchore/sbom-action digest to df80a98 (#1296)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-01-02 22:50:09 +01:00
Travis Holton
ed9e1d4c47 feat: Allow additional SANS for web certificate (#1303)
This makes it possible to include extra variants of the service-name that aren't captured by the {{ include "capsule.fullname" }} macro

Co-authored-by: Travis Holton <heytrav@proton.me>
Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
2024-12-24 08:05:20 +01:00
renovate[bot]
20807ad8f3 fix(deps): update k8s.io/utils digest to 6fe5fd8 (#1271)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-07 18:04:46 +01:00
renovate[bot]
7ecc6346f3 chore(deps): update all-ci-updates (#1274)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-07 18:03:01 +01:00
renovate[bot]
7d5eb0117c chore(deps): update github/codeql-action digest to 6f9e628 (#1291)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-07 18:02:17 +01:00
Dario Tranchitella
4be8566b79 chore(renovate): ignore docs folder (#1290)
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-12-07 18:01:29 +01:00
renovate[bot]
2120e6d33e chore(deps): update golang docker tag to v1.23.4 (#1279)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-05 04:36:40 +01:00
renovate[bot]
fcf58371d5 chore(deps): update anchore/sbom-action digest to a5bbe18 (#1289)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-05 04:36:06 +01:00
renovate[bot]
0a17c2ae7f chore(deps): update azure/setup-helm digest to 5119fcb (#1269)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-05 04:32:56 +01:00
renovate[bot]
1eef6fbb95 chore(deps): update github/codeql-action digest (#1270)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-05 04:31:23 +01:00
renovate[bot]
ee02e24d96 chore(deps): update capsule-proxy docker tag to v0.8.0 (#1275)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-05 04:30:55 +01:00
renovate[bot]
d07904ce03 chore(deps): update amannn/action-semantic-pull-request digest to 40166f0 (#1268)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-12-05 04:30:16 +01:00
Oliver Bähler
59cb9694c0 feat: use renovate instead of dependabot (#1261)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-12-04 22:07:22 +01:00
Dario Tranchitella
8d498bb925 fix: concurrent map writes when replicating namespaced objects (#1264)
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-12-04 12:41:29 +01:00
Samir Tahir
da66f40462 feat(api): Add forceTenantPrefix option to Tenant spec (#1244)
Signed-off-by: samir-tahir <samirtahir91@gmail.com>
2024-12-04 06:45:05 +01:00
dependabot[bot]
462ff47ed0 feat(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.2 (#1259)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.19.0 to 0.19.2.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.19.0...v0.19.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-29 11:34:29 +01:00
dependabot[bot]
007cdd1c2d ci(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 (#1252)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.28.0 to 0.29.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](915b19bbe7...18f2510ee3)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-29 11:30:56 +01:00
dependabot[bot]
d0dbda7958 ci(deps): bump codecov/codecov-action from 5.0.2 to 5.0.7 (#1254)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.0.2 to 5.0.7.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](5c47607acb...015f24e681)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-29 11:30:42 +01:00
dependabot[bot]
b923ce053c ci(deps): bump anchore/sbom-action from 0.17.7 to 0.17.8 (#1260)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.7 to 0.17.8.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](fc46e51fd3...55dc4ee224)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-29 11:28:27 +01:00
dependabot[bot]
c695f480ff ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1262)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.16 to 3.0.17.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](38608ef4fb...5d6ac37a4c)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-29 11:28:03 +01:00
dependabot[bot]
1d53811c48 ci(deps): Bump actions/checkout from 4.2.1 to 4.2.2 (#1236)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](eef61447b9...11bd71901b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-20 04:09:18 +01:00
dependabot[bot]
c9b006fe97 ci(deps): Bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 (#1248)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](286f3b13b1...9ed2f89a66)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-20 04:08:48 +01:00
dependabot[bot]
6ff9d4b38a ci(deps): Bump codecov/codecov-action from 4.6.0 to 5.0.2 (#1250)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.6.0 to 5.0.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](b9fd7d16f6...5c47607acb)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-20 04:08:29 +01:00
dependabot[bot]
375643ab06 ci(deps): Bump anchore/sbom-action from 0.17.6 to 0.17.7 (#1247)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.6 to 0.17.7.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](251a468eed...fc46e51fd3)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-07 08:52:15 +01:00
dependabot[bot]
8a0be8a639 ci(deps): Bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1245)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.15 to 3.0.16.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](ed00f72a3c...38608ef4fb)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-05 13:12:13 +01:00
dependabot[bot]
633263ace7 ci(deps): Bump actions/setup-node from 4.0.4 to 4.1.0 (#1237)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.4 to 4.1.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](0a44ba7841...39370e3970)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-05 13:11:38 +01:00
dependabot[bot]
1e767be94d ci(deps): Bump actions/setup-go from 5.0.2 to 5.1.0 (#1238)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.2 to 5.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](0a12ed9d6a...41dfa10bad)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-04 08:43:12 +01:00
dependabot[bot]
258300686e ci(deps): Bump anchore/sbom-action from 0.17.5 to 0.17.6 (#1242)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.5 to 0.17.6.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](1ca97d9028...251a468eed)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-04 08:42:48 +01:00
Oliver Bähler
f82c2f468b feat(api): add tenant funcs to retrieve subjects based on clusterrole bindings (#1231)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-10-23 11:17:23 +02:00
dependabot[bot]
5143c5cedc ci(deps): Bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1228)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.14 to 3.0.15.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](40ba2d51b6...ed00f72a3c)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-23 08:36:56 +02:00
dependabot[bot]
e6f7031128 ci(deps): Bump anchore/sbom-action from 0.17.4 to 0.17.5 (#1229)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.4 to 0.17.5.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](8d0a6505bf...1ca97d9028)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-23 08:36:32 +02:00
dependabot[bot]
3dc74c8791 ci(deps): Bump anchore/sbom-action from 0.17.3 to 0.17.4 (#1224)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.3 to 0.17.4.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](f5e124a5e5...8d0a6505bf)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-19 13:08:21 +02:00
dependabot[bot]
f077028bdb ci(deps): Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 (#1225)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.27.0 to 0.28.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](5681af892c...915b19bbe7)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-19 13:08:05 +02:00
dependabot[bot]
8ff1044c47 feat(deps): bump github.com/prometheus/client_golang (#1223)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.4 to 1.20.5.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/v1.20.5/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.20.4...v1.20.5)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-15 17:44:35 +02:00
dependabot[bot]
df2bf1c98a ci(deps): bump anchore/sbom-action from 0.17.2 to 0.17.3 (#1222)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.2 to 0.17.3.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](61119d458a...f5e124a5e5)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-15 11:52:54 +02:00
dependabot[bot]
aade294e78 feat(deps): bump sigs.k8s.io/cluster-api from 1.8.3 to 1.8.4 (#1219)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.8.3 to 1.8.4.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-11 22:42:44 +02:00
dependabot[bot]
f3b9728963 ci(deps): bump aquasecurity/trivy-action from 0.26.0 to 0.27.0 (#1221)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.26.0 to 0.27.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](a20de5420d...5681af892c)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-11 22:42:17 +02:00
dependabot[bot]
6278febf86 ci(deps): bump aquasecurity/trivy-action from 0.25.0 to 0.26.0 (#1217)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.25.0 to 0.26.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](f781cce5aa...a20de5420d)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-11 09:12:28 +02:00
dependabot[bot]
fd80e5c339 ci(deps): bump actions/upload-artifact from 4.4.1 to 4.4.3 (#1220)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.1 to 4.4.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](604373da63...b4b15b8c7c)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-11 09:12:00 +02:00
dependabot[bot]
55c010c96e ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1211)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.13 to 3.0.14.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](b8f9a25a51...40ba2d51b6)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-09 07:23:43 +02:00
dependabot[bot]
7a74268fc1 ci(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#1215)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](d632683dd7...eef61447b9)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-09 07:23:23 +02:00
dependabot[bot]
a75d7ab0ba ci(deps): bump aquasecurity/trivy-action from 0.24.0 to 0.25.0 (#1214)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.24.0 to 0.25.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](6e7b7d1fd3...f781cce5aa)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-09 07:23:03 +02:00
dependabot[bot]
650d535f67 ci(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1 (#1216)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.0 to 4.4.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](50769540e7...604373da63)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-09 07:22:30 +02:00
dependabot[bot]
7894300cce ci(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 (#1212)
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](aaa42aa062...971e284b60)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-08 11:24:53 +02:00
dependabot[bot]
6184ff0499 ci(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0 (#1210)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](4959ce089c...dc72c7d5c4)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-07 15:37:35 +02:00
dependabot[bot]
4916b8f3ec feat(deps): bump k8s.io/client-go from 0.31.0 to 0.31.1 (#1194)
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.0 to 0.31.1.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.31.0...v0.31.1)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-05 10:37:24 +02:00
NikolayMarusenko
b8636974a0 chore(adopters): align kuberocketci as adopter (#1205)
Signed-off-by: Mykola Marusenko <mykola_marusenko@epam.com>
2024-10-05 10:36:29 +02:00
dependabot[bot]
2b29fa7a08 ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1208)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.12 to 3.0.13.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](0901cf7b71...b8f9a25a51)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-05 10:35:48 +02:00
dependabot[bot]
cbcab2f08d feat(deps): bump go.uber.org/automaxprocs from 1.5.3 to 1.6.0 (#1204)
Bumps [go.uber.org/automaxprocs](https://github.com/uber-go/automaxprocs) from 1.5.3 to 1.6.0.
- [Release notes](https://github.com/uber-go/automaxprocs/releases)
- [Changelog](https://github.com/uber-go/automaxprocs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/automaxprocs/compare/v1.5.3...v1.6.0)

---
updated-dependencies:
- dependency-name: go.uber.org/automaxprocs
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-05 10:35:00 +02:00
dependabot[bot]
a4b88d3b46 ci(deps): bump actions/setup-node from 4.0.3 to 4.0.4 (#1202)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.3 to 4.0.4.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](1e60f620b9...0a44ba7841)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-05 10:33:56 +02:00
dependabot[bot]
62e5e856b3 ci(deps): bump securego/gosec from 2.21.2 to 2.21.4 (#1207)
Bumps [securego/gosec](https://github.com/securego/gosec) from 2.21.2 to 2.21.4.
- [Release notes](https://github.com/securego/gosec/releases)
- [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml)
- [Commits](abfe8cfd6d...d4617f51ba)

---
updated-dependencies:
- dependency-name: securego/gosec
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-05 10:33:19 +02:00
dependabot[bot]
d49fcb7609 ci(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#1206)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](692973e3d9...d632683dd7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-05 10:32:27 +02:00
dependabot[bot]
d86c8efd02 ci(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 (#1209)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](e28ff129e5...b9fd7d16f6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-05 10:31:56 +02:00
dependabot[bot]
4dd46dd407 feat(deps): bump k8s.io/apimachinery from 0.31.0 to 0.31.1 (#1195)
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.31.0 to 0.31.1.
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.0...v0.31.1)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 16:00:07 +02:00
dependabot[bot]
630f9e281f feat(deps): bump k8s.io/api from 0.31.0 to 0.31.1 (#1192)
Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.31.0 to 0.31.1.
- [Commits](https://github.com/kubernetes/api/compare/v0.31.0...v0.31.1)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 15:59:14 +02:00
dependabot[bot]
1659987274 feat(deps): bump github.com/prometheus/client_golang (#1200)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.3 to 1.20.4.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.20.3...v1.20.4)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 15:58:44 +02:00
dependabot[bot]
93f7ebbc49 feat(deps): bump sigs.k8s.io/cluster-api from 1.8.2 to 1.8.3 (#1190)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 08:08:04 +02:00
dependabot[bot]
5df2add177 ci(deps): bump securego/gosec from 2.20.0 to 2.21.2 (#1189)
Bumps [securego/gosec](https://github.com/securego/gosec) from 2.20.0 to 2.21.2.
- [Release notes](https://github.com/securego/gosec/releases)
- [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml)
- [Commits](6fbd381238...abfe8cfd6d)

---
updated-dependencies:
- dependency-name: securego/gosec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 08:07:35 +02:00
Dario Tranchitella
0394cc3e72 chore(adopters): seeweb is a capsule adopter (#1191)
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-09-11 15:44:57 +02:00
dependabot[bot]
6313467dd1 ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1188)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.11 to 3.0.12.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](3c16e895bb...0901cf7b71)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-09 18:45:41 +02:00
dependabot[bot]
2ca0043588 feat(deps): bump github.com/prometheus/client_golang (#1185)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.2 to 1.20.3.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/v1.20.3/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.20.2...v1.20.3)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-06 22:48:22 +02:00
dependabot[bot]
855d80ea62 feat(deps): bump sigs.k8s.io/cluster-api from 1.8.1 to 1.8.2 (#1186)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-06 22:47:42 +02:00
Oliver Bähler
f24b6b1b43 fix(controller): use typed structs for watches (#1169)
* fix(controller): use typed structs for watches

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(dep): bump controller-gen

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(ci): support kubernetes 1.31 and fix linting

* chore: resolve conflicts

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-09-05 18:19:06 +02:00
dependabot[bot]
a7814af471 feat(deps): bump github.com/prometheus/client_golang (#1184)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.1 to 1.20.2.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.20.1...v1.20.2)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-05 18:18:14 +02:00
dependabot[bot]
99d24da9ee feat(deps): bump github.com/onsi/gomega from 1.34.1 to 1.34.2 (#1178)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.1 to 1.34.2.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.34.1...v1.34.2)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-05 13:40:56 +02:00
dependabot[bot]
6d03aa7305 ci(deps): bump wagoid/commitlint-github-action from 6.1.1 to 6.1.2 (#1182)
Bumps [wagoid/commitlint-github-action](https://github.com/wagoid/commitlint-github-action) from 6.1.1 to 6.1.2.
- [Changelog](https://github.com/wagoid/commitlint-github-action/blob/master/CHANGELOG.md)
- [Commits](a2bc521d74...3d28780bbf)

---
updated-dependencies:
- dependency-name: wagoid/commitlint-github-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-05 13:40:14 +02:00
dependabot[bot]
2763fb77fa ci(deps): bump actions/upload-artifact from 4.3.6 to 4.4.0 (#1180)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.6 to 4.4.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](834a144ee9...50769540e7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-04 13:14:50 +02:00
dependabot[bot]
59e5ace956 feat(deps): bump sigs.k8s.io/cluster-api from 1.7.4 to 1.8.1 (#1160)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.7.4 to 1.8.1.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.7.4...v1.8.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-29 21:34:14 +02:00
dependabot[bot]
f5bbeef2cb feat(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1175)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.10 to 3.0.11.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](b88cd0aad2...3c16e895bb)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-29 21:33:06 +02:00
dependabot[bot]
da478fcaeb feat(deps): bump github.com/onsi/ginkgo/v2 from 2.20.0 to 2.20.2 (#1177)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.20.0 to 2.20.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.20.0...v2.20.2)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-29 21:25:20 +02:00
Dario Tranchitella
3f5bc4a885 chore(style): golangci-lint required changes (#1173)
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-08-25 19:51:06 +02:00
dependabot[bot]
fd24ae82fb ci(deps): bump wagoid/commitlint-github-action from 6.0.2 to 6.1.1 (#1170)
Bumps [wagoid/commitlint-github-action](https://github.com/wagoid/commitlint-github-action) from 6.0.2 to 6.1.1.
- [Changelog](https://github.com/wagoid/commitlint-github-action/blob/master/CHANGELOG.md)
- [Commits](baa1b236f9...a2bc521d74)

---
updated-dependencies:
- dependency-name: wagoid/commitlint-github-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-24 12:22:22 +02:00
dependabot[bot]
65030a1d7d feat(deps): bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.19.1 to 1.20.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/v1.20.1/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.19.1...v1.20.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-24 12:22:09 +02:00
dependabot[bot]
48eab4e4cd feat(deps): bump anchore/sbom-action from 0.17.1 to 0.17.2 (#1172)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.1 to 0.17.2.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](ab9d16d4b4...61119d458a)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-24 12:21:19 +02:00
Dario Tranchitella
a49c57bb5b feat: runtimeclass default support (#1165)
* fix(makefile): no need to specify ginkgo version

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

* fix(chore): referring to make using shortcut

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

* feat: default runtimeclass webhook

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

* feat(helm): default runtimeclass spec

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

---------

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-08-20 10:50:26 +02:00
Oliver Bähler
d620b0457d Merge commit from fork
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-08-20 10:19:14 +02:00
boettluSICKAG
1d9fcc7a0d fix(helm): remove duplicate restartpolicy (#1152)
Signed-off-by: Lukas Boettcher <lukas.boettcher@sick.de>
2024-08-20 10:02:55 +02:00
dependabot[bot]
2ed12d2f45 ci(deps): bump actions/upload-artifact from 4.3.4 to 4.3.6 (#1154)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.4 to 4.3.6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](0b2256b8c0...834a144ee9)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-17 18:24:02 +02:00
dependabot[bot]
4b6864c155 ci(deps): bump fossas/fossa-action from 1.3.3 to 1.4.0 (#1153)
Bumps [fossas/fossa-action](https://github.com/fossas/fossa-action) from 1.3.3 to 1.4.0.
- [Release notes](https://github.com/fossas/fossa-action/releases)
- [Commits](47ef11b1e1...09bcf127dc)

---
updated-dependencies:
- dependency-name: fossas/fossa-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-17 18:23:48 +02:00
dependabot[bot]
34c4b94b7b ci(deps): bump wagoid/commitlint-github-action from 6.0.1 to 6.0.2 (#1149)
Bumps [wagoid/commitlint-github-action](https://github.com/wagoid/commitlint-github-action) from 6.0.1 to 6.0.2.
- [Changelog](https://github.com/wagoid/commitlint-github-action/blob/master/CHANGELOG.md)
- [Commits](7f0a61df50...baa1b236f9)

---
updated-dependencies:
- dependency-name: wagoid/commitlint-github-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-17 18:23:34 +02:00
dependabot[bot]
db9107a3aa feat(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 (#1151)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/sync/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-17 18:23:19 +02:00
dependabot[bot]
a089714625 feat(deps): bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.20.0 (#1155)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.19.0 to 2.20.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.19.0...v2.20.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-17 18:23:04 +02:00
dependabot[bot]
b0bb26cd3e ci(deps): bump anchore/sbom-action from 0.17.0 to 0.17.1 (#1161)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.0 to 0.17.1.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](d94f46e13c...ab9d16d4b4)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-17 18:22:52 +02:00
dependabot[bot]
414cebd15f ci(deps): bump sigstore/cosign-installer from 3.5.0 to 3.6.0 (#1156)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.5.0 to 3.6.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](59acb6260d...4959ce089c)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-17 18:22:39 +02:00
Max Fedotov
8930090dc6 fix(helm): don't render capsuleconfiguration if crds.exclusive is set (#1148)
Signed-off-by: Max Fedotov <m.a.fedotov@gmail.com>
2024-08-01 17:54:50 +02:00
beforetech
eb7a77a920 chore: fix some comments (#1146)
Signed-off-by: beforetech <mail@before.tech>
Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
2024-08-01 17:46:06 +02:00
dependabot[bot]
9af5913086 ci(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 (#1142)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](dc50aa9510...62b2cac7ed)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-30 22:58:24 +02:00
dependabot[bot]
26309d7992 feat(deps): bump github.com/onsi/gomega from 1.33.1 to 1.34.1 (#1144)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.33.1 to 1.34.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.33.1...v1.34.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-30 22:58:05 +02:00
dependabot[bot]
8116434c66 ci(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 (#1145)
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.0.1 to 6.1.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](a4f60bb28d...aaa42aa062)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-30 22:57:57 +02:00
dependabot[bot]
0590624289 ci(deps): bump anchore/sbom-action from 0.16.1 to 0.17.0 (#1133)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.16.1 to 0.17.0.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](95b086ac30...d94f46e13c)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-22 12:38:36 +02:00
dependabot[bot]
1a11a6c4a5 feat(deps): bump k8s.io/client-go from 0.30.2 to 0.30.3 (#1139)
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.2 to 0.30.3.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.30.2...v0.30.3)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-22 12:38:02 +02:00
Massimiliano Giovagnoli
c657b55da9 chore(config): remove single manifest installer
Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>
2024-07-15 10:06:37 +00:00
Massimiliano Giovagnoli
58540b52bd docs: cleanup single manifest installation
Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>
2024-07-15 10:06:37 +00:00
dependabot[bot]
323ac75c06 ci(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (#1132)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.1 to 5.0.2.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](cdcb360436...0a12ed9d6a)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-11 13:43:55 +02:00
dependabot[bot]
3de52e8139 feat(deps): bump sigs.k8s.io/cluster-api from 1.7.3 to 1.7.4 (#1130)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.7.3 to 1.7.4.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.7.3...v1.7.4)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-11 13:42:58 +02:00
dependabot[bot]
d58fd0f2d7 ci(deps): bump anchore/sbom-action from 0.16.0 to 0.16.1 (#1129)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.16.0 to 0.16.1.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](e8d2a6937e...95b086ac30)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-11 13:42:29 +02:00
dependabot[bot]
00af2860fc ci(deps): bump actions/setup-node from 4.0.2 to 4.0.3 (#1128)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.2 to 4.0.3.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](60edb5dd54...1e60f620b9)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-11 13:42:16 +02:00
dependabot[bot]
3dd20349b6 ci(deps): bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 (#1127)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.23.0 to 0.24.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](7c2007bcb5...6e7b7d1fd3)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-09 13:41:52 +02:00
Dario Tranchitella
9e4068850c chore(ci): fixing code scanning (#1126)
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-07-09 11:56:42 +02:00
Oliver Bähler
446b8ea744 fix(dev): correct dev-environment setups
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-07-09 11:09:18 +02:00
dependabot[bot]
cfb2c6cddf ci(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.3 to 4.3.4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](65462800fd...0b2256b8c0)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-09 11:08:59 +02:00
maxgio92
0df02dbcb8 docs(guides): document fluxcd addon (#1120)
This commit adds a quickstart section on how to set up and use
the integration, both as a platform administrator and as a tenant owner.

Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>
2024-07-08 09:53:32 +02:00
dependabot[bot]
6b9e763f10 ci(deps): bump amannn/action-semantic-pull-request from 5.5.2 to 5.5.3 (#1118)
Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.5.2 to 5.5.3.
- [Release notes](https://github.com/amannn/action-semantic-pull-request/releases)
- [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md)
- [Commits](cfb60706e1...0723387faa)

---
updated-dependencies:
- dependency-name: amannn/action-semantic-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-08 09:51:16 +02:00
dependabot[bot]
fb4f0cfe42 ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1121)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.9 to 3.0.10.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](74606c3045...b88cd0aad2)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-08 09:50:58 +02:00
Dario Tranchitella
5a34c09447 chore: upgrade go toolchain to v1.22.5 (#1123)
* chore(go): toolchain upgrade to v1.22.5

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

* chore(ci): enforcing go version upon release

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

---------

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-07-08 09:50:41 +02:00
Dario Tranchitella
c26f68efff chore(adopters): department of defense is a capsule adopter (#1117)
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
2024-06-26 19:05:45 +02:00
Oliver Bähler
206ce71ec6 chore: fix goreleaser (#1116)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-06-26 09:11:12 +02:00
Daniel S
b408d53cb7 chore(helm): make capsule configuration name configurable via helm (#1103)
* feat(helm): capsuleconfiguration name configurable

Signed-off-by: Daniel S. <sybnex@gmail.com>

* feat(helm): capsuleconfiguration name configurable

Signed-off-by: Daniel S. <sybnex@gmail.com>

* ci(gosec): fix sarif upload

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): capsuleconfiguration name configurable

Signed-off-by: Daniel S. <sybnex@gmail.com>

---------

Signed-off-by: Daniel S. <sybnex@gmail.com>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-06-24 09:33:20 +02:00
dependabot[bot]
a5f544a10b ci(deps): bump codecov/codecov-action from 4.4.1 to 4.5.0 (#1109)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.4.1 to 4.5.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](125fc84a9a...e28ff129e5)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-24 09:31:27 +02:00
dependabot[bot]
78c631b4f5 ci(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#1108)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a5ac7e51b4...692973e3d9)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-24 09:31:10 +02:00
dependabot[bot]
3096e2f55d ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1114)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.7 to 3.0.9.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](76d1d8e0b0...74606c3045)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-24 09:30:44 +02:00
dependabot[bot]
532e880de0 feat(deps): bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2 (#1113)
Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.30.1 to 0.30.2.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.30.1...v0.30.2)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-24 09:30:22 +02:00
dependabot[bot]
913b9e83b9 ci(deps): bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 (#1115)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.22.0 to 0.23.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](595be6a0f6...7c2007bcb5)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-24 09:29:58 +02:00
Oliver Bähler
9ebbbed785 feat(helm): introduce new installation and CRD lifecycle (#1065)
* chore: name change for webhook names

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: remove apidocs

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): implement crd lifecycle and values consistency

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: change default group name

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-06-12 19:36:01 +02:00
dependabot[bot]
7d78f5f488 feat(deps): bump sigs.k8s.io/cluster-api from 1.7.2 to 1.7.3 (#1107)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.7.2 to 1.7.3.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.7.2...v1.7.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-12 10:26:21 +02:00
dependabot[bot]
e06054e500 ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1106)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.6 to 3.0.7.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](2f2ebc6d91...76d1d8e0b0)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-11 09:22:45 +02:00
dependabot[bot]
3905f5dea6 feat(deps): bump github.com/prometheus/client_golang (#1102)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.19.0 to 1.19.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.19.0...v1.19.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-11 09:22:27 +02:00
dependabot[bot]
b1a2eeb875 ci(deps): bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 (#1104)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.21.0 to 0.22.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](fd25fed697...595be6a0f6)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-11 09:18:09 +02:00
Oliver Bähler
44365e6cc6 ci(gosec): fix sarif upload
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-06-09 19:58:48 +02:00
dependabot[bot]
22451b51eb feat(deps): bump sigs.k8s.io/controller-runtime from 0.18.2 to 0.18.4
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.18.2 to 0.18.4.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.18.2...v0.18.4)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-06 15:17:26 +02:00
dependabot[bot]
874de7339b ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1098)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.5 to 3.0.6.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](40e45e738b...2f2ebc6d91)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-06 11:01:53 +02:00
dependabot[bot]
337aa779fb ci(deps): bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#1099)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 5.1.0 to 6.0.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](5742e2a039...286f3b13b1)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-06 11:01:30 +02:00
dependabot[bot]
4ba1d28fb5 feat(deps): bump github.com/onsi/ginkgo/v2 from 2.18.0 to 2.19.0 (#1097)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.18.0 to 2.19.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.18.0...v2.19.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-02 10:55:26 +02:00
lukasboettcher
5efb4fbfcf feat(metrics): provide metrics for tenant quotas (#1094)
Signed-off-by: Lukas Boettcher <1340215+lukasboettcher@users.noreply.github.com>
2024-05-27 16:38:25 +02:00
Oliver Bähler
4afcfbbb27 fix(controller): use ownerreferences without controller owner relation (#1095)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-05-27 14:33:34 +02:00
Oliver Bähler
82995a3e66 fix(controller): change managed network policy label check (#1062)
* fix(controller): change managed network policy label check

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(controller): change managed network policy label check

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-05-27 10:33:46 +02:00
dependabot[bot]
0571e419a3 feat(deps): bump github.com/onsi/ginkgo/v2 from 2.17.3 to 2.18.0
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 15:06:31 +02:00
dependabot[bot]
3bfa02e929 feat(deps): bump github.com/go-logr/logr from 1.4.1 to 1.4.2
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 15:02:49 +02:00
dependabot[bot]
dc44eaabf7 feat(deps): bump sigs.k8s.io/cluster-api from 1.7.1 to 1.7.2
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.7.1...v1.7.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 15:02:22 +02:00
dependabot[bot]
a42097512c feat(deps): bump k8s.io/apiextensions-apiserver from 0.30.0 to 0.30.1
Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.30.0 to 0.30.1.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.30.0...v0.30.1)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 15:01:33 +02:00
dependabot[bot]
e6695478cb feat(deps): bump codecov/codecov-action from 4.4.0 to 4.4.1
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 14:48:07 +02:00
dependabot[bot]
2250e38903 feat(deps): bump anchore/sbom-action from 0.15.11 to 0.16.0
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 14:47:47 +02:00
dependabot[bot]
d6962218c4 feat(deps): bump k8s.io/client-go from 0.30.0 to 0.30.1
Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.0 to 0.30.1.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.30.0...v0.30.1)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 14:46:36 +02:00
guangwu
df80539a3c fix(test): feature test name typo
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
2024-05-23 14:43:39 +02:00
dependabot[bot]
cb924972b1 ci(deps): bump aquasecurity/trivy-action from 0.20.0 to 0.21.0
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.20.0 to 0.21.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](b2933f565d...fd25fed697)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 14:38:23 +02:00
lukasboettcher
b16bcda8fb fix(resourcequotas): Update namespace-specific hard quota calculation logic (#1088)
Signed-off-by: Lukas Boettcher <1340215+lukasboettcher@users.noreply.github.com>
2024-05-23 08:08:51 +02:00
dependabot[bot]
915e493b4a ci(deps): bump securego/gosec from 2.19.0 to 2.20.0 (#1080)
Bumps [securego/gosec](https://github.com/securego/gosec) from 2.19.0 to 2.20.0.
- [Release notes](https://github.com/securego/gosec/releases)
- [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml)
- [Commits](26e57d6b34...6fbd381238)

---
updated-dependencies:
- dependency-name: securego/gosec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-17 22:51:32 +02:00
dependabot[bot]
79e4c72385 ci(deps): bump codecov/codecov-action from 4.3.1 to 4.4.0 (#1081)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.3.1 to 4.4.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](5ecb98a3c6...6d798873df)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-17 22:51:10 +02:00
dependabot[bot]
c6c3a1b00b feat(deps): bump k8s.io/api from 0.30.0 to 0.30.1 (#1085)
Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.30.0 to 0.30.1.
- [Commits](https://github.com/kubernetes/api/compare/v0.30.0...v0.30.1)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-17 22:50:34 +02:00
dependabot[bot]
4828729c80 ci(deps): bump actions/checkout from 4.1.5 to 4.1.6 (#1087)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](44c2b7a8a4...a5ac7e51b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-17 22:50:05 +02:00
dependabot[bot]
daa28b4cbb feat(deps): bump sigs.k8s.io/controller-runtime from 0.18.1 to 0.18.2 (#1071)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.18.1 to 0.18.2.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.18.1...v0.18.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-14 23:12:18 +02:00
dependabot[bot]
55bd0b4453 ci(deps): bump actions/checkout from 4.1.4 to 4.1.5 (#1073)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](0ad4b8fada...44c2b7a8a4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-14 23:11:56 +02:00
dependabot[bot]
448dabe8b7 ci(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#1074)
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5.3.0 to 6.0.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](38e1018663...a4f60bb28d)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-14 23:11:32 +02:00
dependabot[bot]
661476c8c1 ci(deps): bump aquasecurity/trivy-action from 0.19.0 to 0.20.0 (#1075)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.19.0 to 0.20.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](d710430a67...b2933f565d)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-14 23:11:10 +02:00
dependabot[bot]
e068b57e60 feat(deps): bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 (#1076)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.17.2 to 2.17.3.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.17.2...v2.17.3)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-14 23:10:51 +02:00
dependabot[bot]
cdfc2ccc9b ci(deps): bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 (#1078)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](7ec5c2b0c6...5742e2a039)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-14 23:10:23 +02:00
dependabot[bot]
419eb8f6fa ci(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#1077)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.1 to 2.3.3.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](0864cf1902...dc50aa9510)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-14 10:38:50 +02:00
dependabot[bot]
65043821b4 ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1067)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](19ebcb0bab...40e45e738b)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 18:02:34 +02:00
dependabot[bot]
859fbf8316 ci(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (#1068)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...cdcb36043654635271a94b9a6d1392de5bb323a7)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 17:59:08 +02:00
dependabot[bot]
f78dbaf06e ci(deps): bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 (#1069)
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5.1.0 to 5.3.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](9d1e0624a7...38e1018663)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 17:58:43 +02:00
dependabot[bot]
07202d06ba ci(deps): update github/codeql-action requirement to c4fb451437765abf5018c6fbf22cce1a7da1e5cc (#1070)
Updates the requirements on [github/codeql-action](https://github.com/github/codeql-action) to permit the latest version.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c4fb451437)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 17:57:16 +02:00
dependabot[bot]
7dec7be15b ci(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (#1066)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](0c52d547c9...cdcb360436)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-05 23:33:51 +02:00
dependabot[bot]
d972c2fd30 ci(deps): bump codecov/codecov-action from 4.3.0 to 4.3.1 (#1064)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](84508663e9...5ecb98a3c6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-05 23:33:24 +02:00
dependabot[bot]
00b59fa843 feat(deps): bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.18.0 (#1061)
* feat(deps): update kubernetes components to 1.30

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* ci(deps): update kubernetes components to 1.30

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(makefile): update binaries and improve building

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(deps): remove multierror dependency

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(ci): use go.mod as go version

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-05-03 14:48:45 +02:00
Oliver Bähler
e418f74e34 fix(controller): ensure iteration on capsule ownerreferences (#1059)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-05-02 11:55:51 +02:00
dependabot[bot]
c2f3694808 ci(deps): bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 (#1060)
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](82d40c283a...9d1e0624a7)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-01 14:41:09 +02:00
Oliver Bähler
c0d5d6fcb2 fix(controller): add boolean defaults (#1056)
* fix(controller): add boolean defaults

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(helm): add boolean defaults

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(docs): add boolean defaults

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(installer): add boolean defaults

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-05-01 11:00:09 +02:00
dependabot[bot]
9a3a8b0cac feat(deps): bump sigs.k8s.io/cluster-api from 1.6.3 to 1.7.1 (#1050)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.6.3 to 1.7.1.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.6.3...v1.7.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-05-01 01:10:43 +02:00
dependabot[bot]
2a6fb1eb30 feat(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 (#1044)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-01 00:23:18 +02:00
dependabot[bot]
b1fcb28878 ci(deps): bump azure/setup-helm from 4.1.0 to 4.2.0 (#1047)
Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/azure/setup-helm/releases)
- [Changelog](https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md)
- [Commits](b7246b12e7...fe7b79cd5e)

---
updated-dependencies:
- dependency-name: azure/setup-helm
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-30 23:30:16 +02:00
dependabot[bot]
6594a3bade ci(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3 (#1048)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.2 to 4.3.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](1746f4ab65...65462800fd)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-30 23:29:49 +02:00
dependabot[bot]
894a42c258 ci(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#1054)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.2 to 4.1.4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](9bb56186c3...0ad4b8fada)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-30 23:29:24 +02:00
dependabot[bot]
d81185bcbc ci(deps): bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 (#1049)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.10.0 to 2.0.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.10.0...v2.0.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-30 23:28:58 +02:00
dependabot[bot]
8fe29e89af ci(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11 (#1057)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.10 to 0.15.11.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](ab5d7b5f48...7ccf588e3c)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-30 23:28:20 +02:00
dependabot[bot]
44af534fc5 ci(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#1055)
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](3cfe3a4abb...82d40c283a)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-28 00:01:01 +02:00
dependabot[bot]
a8dbd0c7a4 ci(deps): bump amannn/action-semantic-pull-request from 5.4.0 to 5.5.2 (#1053)
* ci(deps): bump amannn/action-semantic-pull-request from 5.4.0 to 5.5.2

Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.4.0 to 5.5.2.
- [Release notes](https://github.com/amannn/action-semantic-pull-request/releases)
- [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md)
- [Commits](e9fabac35e...cfb60706e1)

---
updated-dependencies:
- dependency-name: amannn/action-semantic-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(repo): fix commitlint config

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-04-25 14:45:01 +02:00
dependabot[bot]
85fe29159b ci(deps): bump codecov/codecov-action from 4.2.0 to 4.3.0 (#1030)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](7afa10ed9b...84508663e9)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-22 08:29:30 +02:00
dependabot[bot]
06d6903abf ci(deps): bump wagoid/commitlint-github-action from 5.4.5 to 6.0.1 (#1031)
Bumps [wagoid/commitlint-github-action](https://github.com/wagoid/commitlint-github-action) from 5.4.5 to 6.0.1.
- [Changelog](https://github.com/wagoid/commitlint-github-action/blob/master/CHANGELOG.md)
- [Commits](5ce82f5d81...7f0a61df50)

---
updated-dependencies:
- dependency-name: wagoid/commitlint-github-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-22 08:28:40 +02:00
dependabot[bot]
ffa2b15da4 ci(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#1032)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](e1523de757...59acb6260d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-22 08:27:43 +02:00
dependabot[bot]
0323488f41 ci(deps): bump azure/setup-helm from 3.5 to 4 (#1033)
Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 3.5 to 4.
- [Release notes](https://github.com/azure/setup-helm/releases)
- [Changelog](https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md)
- [Commits](5119fcb908...b7246b12e7)

---
updated-dependencies:
- dependency-name: azure/setup-helm
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-22 08:27:13 +02:00
dependabot[bot]
883122829f ci(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 (#1043)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.1 to 4.3.2.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](5d5d22a312...1746f4ab65)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-22 08:26:15 +02:00
dependabot[bot]
a529910bba feat(deps): bump sigs.k8s.io/controller-runtime from 0.16.5 to 0.17.3 (#1027)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.16.5 to 0.17.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.16.5...v0.17.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-10 00:44:44 +02:00
dependabot[bot]
537f25cbdf ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#1028)
Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](ba37328d4e...19ebcb0bab)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-10 00:43:50 +02:00
dependabot[bot]
a3079668d7 feat(deps): bump github.com/onsi/gomega from 1.31.1 to 1.32.0 (#1016)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.31.1 to 1.32.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.31.1...v1.32.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-05 23:55:31 +02:00
dependabot[bot]
97874c2a7e ci(deps): bump codecov/codecov-action from 4.1.1 to 4.2.0 (#1025)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.1.1 to 4.2.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](c16abc29c9...7afa10ed9b)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-05 23:54:57 +02:00
dependabot[bot]
0a07c0565b feat(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 (#1026)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.6.0 to 0.7.0.
- [Commits](https://github.com/golang/sync/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-05 23:54:22 +02:00
dependabot[bot]
9c1b9487d9 feat(deps): bump k8s.io/apiextensions-apiserver from 0.28.4 to 0.29.3 (#1008)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-03-28 21:14:03 +01:00
dependabot[bot]
9e85e1592f feat(deps): bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.17.1 (#1017)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.15.0 to 2.17.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.15.0...v2.17.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-28 20:40:52 +01:00
dependabot[bot]
c35cf71402 feat(deps): bump sigs.k8s.io/cluster-api from 1.6.2 to 1.6.3 (#1006)
Bumps [sigs.k8s.io/cluster-api](https://github.com/kubernetes-sigs/cluster-api) from 1.6.2 to 1.6.3.
- [Release notes](https://github.com/kubernetes-sigs/cluster-api/releases)
- [Commits](https://github.com/kubernetes-sigs/cluster-api/compare/v1.6.2...v1.6.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/cluster-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-28 20:33:01 +01:00
dependabot[bot]
74cd6cea1a ci(deps): bump anchore/sbom-action from 0.15.9 to 0.15.10 (#1020)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.9 to 0.15.10.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](9fece9e200...ab5d7b5f48)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-28 20:30:56 +01:00
dependabot[bot]
6b25dbe2d7 ci(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 (#1019)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](54bcd8715e...c16abc29c9)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-28 20:30:35 +01:00
dependabot[bot]
0d5f2dfc70 ci(deps): bump aquasecurity/trivy-action from 0.18.0 to 0.19.0 (#1021)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.18.0 to 0.19.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](062f259268...d710430a67)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-28 20:30:09 +01:00
dependabot[bot]
7e8ae2320c feat(deps): bump k8s.io/apimachinery from 0.29.2 to 0.29.3 (#1009)
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.29.2 to 0.29.3.
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.29.2...v0.29.3)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-22 13:42:28 +01:00
dependabot[bot]
c334b2afe8 ci(deps): bump slsa-framework/slsa-github-generator from 1.9.0 to 1.10.0 (#1011)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-22 13:41:53 +01:00
dependabot[bot]
3ef5af6bc6 ci(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#1005)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](b4ffde65f4...9bb56186c3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-12 15:13:54 +01:00
dependabot[bot]
297e5c7674 ci(deps): bump anchore/sbom-action from 0.15.8 to 0.15.9 (#1004)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.8 to 0.15.9.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](b6a39da807...9fece9e200)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-06 14:02:19 +01:00
Oliver Bähler
e5ec492da4 feat(chart): add capsule-proxy 0.6.0 as optional dependency (#999)
* feat(helm): add capsule 0.6.0 as optional dependency

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore(helm): version updates and linting improvements

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-03-05 18:42:15 +01:00
dependabot[bot]
f343623b30 feat(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1001)
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-03 13:00:56 +01:00
dependabot[bot]
c8e2b7488c ci(deps): bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#1000)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.17.0 to 0.18.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](84384bd6e7...062f259268)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-03 13:00:11 +01:00
Adriano Pezzuto
e983c19473 chore: document project governance (#997)
Signed-off-by: bsctl <adriano@clastix.io>
2024-02-27 23:44:18 +01:00
Oliver Bähler
c5808ef036 chore(ci): correct goreleaser template 2024-02-27 14:48:29 +01:00
Oliver Bähler
559287cef5 ci(release): use same tag for helm release (#994)
Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2024-02-27 14:05:39 +01:00
dependabot[bot]
1bdb9f2879 ci(deps): Bump codecov/codecov-action from 4.0.2 to 4.1.0 (#996)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.2 to 4.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](0cfda1dd0a...54bcd8715e)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-27 13:23:36 +01:00
275 changed files with 6266 additions and 11905 deletions


@@ -9,7 +9,7 @@ assignees: ''
<!--
Thanks for taking time reporting a Capsule bug!
-->
# Bug description


@@ -32,4 +32,4 @@ How would the new interaction with Capsule look like? E.g.
Feel free to add a diagram if that helps explain things.
# Expected behavior
A clear and concise description of what you expect to happen.
A clear and concise description of what you expect to happen.


@@ -18,4 +18,4 @@ runs:
- shell: bash
id: check
run: |
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT


@@ -9,12 +9,12 @@ inputs:
runs:
using: composite
steps:
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
if: ${{ inputs.build-cache-key }}
with:
path: ~/.cache/go-build
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}


@@ -2,7 +2,9 @@ remote: origin
target-branch: main
chart-dirs:
- charts
helm-extra-args: "--timeout 600s"
chart-repos:
- capsule=https://projectcapsule.github.io/charts/
helm-extra-args: "--timeout 600s"
validate-chart-schema: false
validate-maintainers: false
validate-yaml: true


@@ -1,6 +1,17 @@
---
ignore:
- config/
- charts/*/templates/
- charts/**/templates/
rules:
truthy:
level: warning
allowed-values:
- "true"
- "false"
- "on"
- "off"
check-keys: false
braces:
min-spaces-inside: 0
max-spaces-inside: 0
@@ -39,5 +50,3 @@ rules:
new-lines:
type: unix
trailing-spaces: enable
truthy:
level: warning


@@ -1,16 +0,0 @@
version: 2
updates:
- package-ecosystem: gomod
directory: /
schedule:
interval: daily
rebase-strategy: disabled
commit-message:
prefix: "feat(deps)"
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
rebase-strategy: disabled
commit-message:
prefix: "ci(deps)"


@@ -3,7 +3,8 @@ permissions: {}
on:
pull_request:
branches: [ "main" ]
branches:
- "*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,11 +15,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3.0.23
with:
# slsa-github-generator requires using a semver tag for reusable workflows.
# slsa-github-generator requires using a semver tag for reusable workflows.
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
allowlist: |
slsa-framework/slsa-github-generator
slsa-framework/slsa-github-generator
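Review bot: The new `branches: - "*"` filter under `pull_request` does not cover every base branch, because in GitHub's filter syntax `*` stops at `/`; a pull request targeting a branch such as `release/1.0` (constructed example) would skip the SHA-pinning check entirely. If the intent is "all branches", use `- "**"` or drop the `branches` key. The same `- "*"` pattern appears in the commit-lint, docker-build, docs-lint, e2e and Linting workflows in this change set.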


@@ -3,21 +3,20 @@ permissions: {}
on:
push:
branches: [ "*" ]
branches:
- "*"
pull_request:
branches: [ "*" ]
branches:
- "*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
commit_lint:
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: wagoid/commitlint-github-action@5ce82f5d814d4010519d15f0552aec4f17a1e1fe #v5.4.5
with:
firstParent: true
- uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1


@@ -15,7 +15,7 @@ jobs:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f
- uses: amannn/action-semantic-pull-request@335288255954904a41ddda8947c8f2c844b8bfeb
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:


@@ -1,38 +0,0 @@
name: Codecov
permissions: {}
on:
pull_request:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
codecov:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
with:
build-cache-key: codecov
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.CODECOV_TOKEN }}
- name: Generate Code Coverage Report
if: steps.checksecret.outputs.result == 'true'
run: make test
- name: Upload Report to Codecov
if: steps.checksecret.outputs.result == 'true'
uses: codecov/codecov-action@0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1 # v4.0.2
with:
file: ./coverage.out
fail_ci_if_error: true
verbose: true

64
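--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -0,0 +1,64 @@
+name: Coverage
+on:
+push:
+branches:
+- "main"
+pull_request:
+types: [opened, reopened, synchronize]
+branches:
+- "main"
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+jobs:
+sast:
+name: "SAST"
+runs-on: ubuntu-24.04
+env:
+GO111MODULE: on
+permissions:
+security-events: write
+actions: read
+contents: read
+steps:
+- name: Checkout Source
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+with:
+go-version-file: 'go.mod'
+- name: Run Gosec Security Scanner
+uses: securego/gosec@955a68d0d19f4afb7503068f95059f7d0c529017 # v2.22.3
+with:
+args: '-no-fail -fmt sarif -out gosec.sarif ./...'
+- name: Upload SARIF file
+uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
+with:
+sarif_file: gosec.sarif
+unit_tests:
+name: "Unit tests"
+runs-on: ubuntu-24.04
+steps:
+- name: Checkout
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+with:
+go-version-file: 'go.mod'
+- name: Unit Test
+run: make test
+- name: Check secret
+id: checksecret
+uses: ./.github/actions/exists
+with:
+value: ${{ secrets.CODECOV_TOKEN }}
+- name: Upload Report to Codecov
+if: ${{ steps.checksecret.outputs.result == 'true' }}
+uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
+with:
+token: ${{ secrets.CODECOV_TOKEN }}
+slug: projectcapsule/capsule
+files: ./coverage.out
+fail_ci_if_error: true
+verbose: true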
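Review bot: This workflow declares no top-level `permissions`, so the `unit_tests` job runs with the repository's default token scope while it handles `secrets.CODECOV_TOKEN`; the deleted Codecov workflow started from `permissions: {}`. Add `permissions: {}` at workflow level and `permissions: { contents: read }` on `unit_tests`, keeping the explicit block already on `sast`. Separately, gosec now runs with `-no-fail`, so findings only reach the code-scanning upload and presumably no longer fail the job the way the removed `CI gosec` workflow (plain `args: ./...`) did; if that is intended, a required code-scanning check is the usual replacement gate. The `github/codeql-action/upload-sarif` pin also lacks the `# vX.Y.Z` comment that the other pins in this file carry.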


@@ -1,34 +0,0 @@
name: Diff checks
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
diff:
name: diff
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: '1.21'
- run: make installer
- name: Checking if YAML installer file is not aligned
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
- run: make apidoc
- name: Checking if the CRDs documentation is not aligned
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> CRDs generated documentation have not been committed" && git --no-pager diff && exit 1; fi
- name: Checking if YAML installer generated untracked files
run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
- name: Checking if source code is not formatted
run: test -z "$(git diff 2> /dev/null)"

45
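--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,45 @@
+name: Build images
+permissions: {}
+on:
+pull_request:
+branches:
+- "*"
+paths:
+- '.github/workflows/docker-*.yml'
+- 'api/**'
+- 'controllers/**'
+- 'pkg/**'
+- 'e2e/*'
+- '.ko.yaml'
+- 'go.*'
+- 'main.go'
+- 'Makefile'
+jobs:
+build-images:
+runs-on: ubuntu-latest
+permissions:
+security-events: write
+actions: read
+contents: read
+steps:
+- name: Checkout
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- name: ko build
+run: VERSION=${{ github.sha }} make ko-build-all
+- name: Trivy Scan Image
+uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+with:
+scan-type: 'fs'
+ignore-unfixed: true
+format: 'sarif'
+output: 'trivy-results.sarif'
+severity: 'CRITICAL,HIGH'
+env:
+# Trivy is returning TOOMANYREQUESTS
+# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@ed51cb5abd90d0e898e492d5e3f24423da71c2fb
+with:
+sarif_file: 'trivy-results.sarif'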
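Review bot: The step named `Trivy Scan Image` runs with `scan-type: 'fs'`, so it scans the checked-out repository and never looks at the images that `make ko-build-all` produced in the previous step. Either rename it to match the `Run Trivy vulnerability (Repo)` step in the publish workflow, or scan the built image with `scan-type: 'image'` and an `image-ref` pointing at the ko output. No `exit-code` is set, so CRITICAL/HIGH findings are uploaded but do not fail the pull request. On pull requests from forks the token is read-only, so the `upload-sarif` step will likely fail unless it is skipped for forks.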


@@ -15,12 +15,12 @@ jobs:
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write
id-token: write
outputs:
capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
@@ -28,7 +28,7 @@ jobs:
with:
build-cache-key: publish-images
- name: Run Trivy vulnerability (Repo)
uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
with:
scan-type: 'fs'
ignore-unfixed: true
@@ -36,10 +36,10 @@ jobs:
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: Publish Capsule
id: publish-capsule
uses: peak-scale/github-actions/make-ko-publish@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
with:
makefile-target: ko-publish-capsule
registry: ghcr.io
@@ -49,8 +49,8 @@ jobs:
version: ${{ github.ref_name }}
sign-image: true
sbom-name: capsule
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
main-path: ./
env:
REPOSITORY: ${{ github.repository }}
@@ -60,10 +60,10 @@ jobs:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read # To read the workflow path.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
with:
image: ghcr.io/${{ github.repository_owner }}/capsule
digest: "${{ needs.publish-images.outputs.capsule-digest }}"
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
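Review bot: Moving `sbom-repository` and `signature-repository` from the dedicated `/sbom` and `/signatures` repositories to `ghcr.io/${{ github.repository_owner }}/capsule` changes where consumers must look when verifying a release, and nothing in this section documents the switch. Anyone who verifies with `COSIGN_REPOSITORY` pointed at the old signatures repository will presumably stop finding signatures for new tags, while older tags still live there. A comment above the two inputs plus a line in the release notes would cover it, e.g. `# signatures and SBOMs are stored next to the image; no COSIGN_REPOSITORY override needed`. The same relocation is made for the chart (`signature-repository: .../charts/capsule`) in the Publish charts workflow.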


@@ -3,12 +3,14 @@ permissions: {}
on:
push:
branches: [ "*" ]
branches:
- "*"
paths:
- '.github/workflows/docs-lint.yml'
- 'docs/content/**'
pull_request:
branches: [ "*" ]
branches:
- "*"
paths:
- '.github/workflows/docs-lint.yml'
- 'docs/content/**'
@@ -22,10 +24,10 @@ jobs:
name: Spell Check
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 18
- run: make docs-lint
- run: make docs-lint
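Review bot: The `Spell Check` job still declares `runs-on: ubuntu-20.04`, which this hunk leaves untouched while the other workflows in the change set move to `ubuntu-24.04`. GitHub has retired the hosted `ubuntu-20.04` image, so this job should move as well: `runs-on: ubuntu-24.04`. `node-version: 18` is at end-of-life upstream and is worth raising to a supported LTS in the same pass.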


@@ -2,20 +2,9 @@ name: e2e
permissions: {}
on:
push:
branches: [ "*" ]
paths:
- '.github/workflows/e2e.yml'
- 'api/**'
- 'controllers/**'
- 'pkg/**'
- 'e2e/*'
- 'Dockerfile'
- 'go.*'
- 'main.go'
- 'Makefile'
pull_request:
branches: [ "*" ]
branches:
- "*"
paths:
- '.github/workflows/e2e.yml'
- 'api/**'
@@ -32,31 +21,18 @@ concurrency:
cancel-in-progress: true
jobs:
kind:
name: Kubernetes
strategy:
fail-fast: false
matrix:
k8s-version: [ 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0']
runs-on: ubuntu-20.04
e2e:
name: E2E Testing
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version: '1.21'
- run: make manifests
- name: Checking if manifests are disaligned
run: test -z "$(git diff 2> /dev/null)"
- name: Checking if manifests generated untracked files
run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
- uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
go-version-file: 'go.mod'
- uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
with:
skipClusterCreation: true
version: v0.14.0
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
version: 3.3.4
version: v3.14.2
- name: e2e testing
run: make e2e/${{ matrix.k8s-version }}
run: make e2e
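Review bot: With the `k8s-version` matrix removed, the job runs `make e2e` once against whatever Kubernetes version the Makefile selects, where it previously ran against eight releases from v1.22.4 to v1.29.0, and the tested version is no longer visible in the workflow. If a single version is intended, name it in the job, e.g. `# e2e runs against the kind node version set in the Makefile`; otherwise keep a short matrix of the supported minors. The manifest drift checks removed from this job appear to have moved to the `manifests` job of the Linting workflow, but the untracked-files check (`git ls-files --others --exclude-standard`) has no visible replacement there.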


@@ -1,35 +0,0 @@
name: FOSSA
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
fossa-scan:
runs-on: ubuntu-20.04
steps:
- name: "Checkout Code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Check secret
id: checksecret
uses: ./.github/actions/exists
with:
value: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Scan"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
- name: "Run FOSSA Test"
if: steps.checksecret.outputs.result == 'true'
uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
with:
api-key: ${{ secrets.FOSSA_API_KEY }}
run-tests: true


@@ -1,24 +0,0 @@
name: CI gosec
permissions: {}
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
tests:
runs-on: ubuntu-20.04
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Gosec Security Scanner
uses: securego/gosec@26e57d6b340778c2983cd61775bc7e8bb41d002a # v2.19.0
with:
args: ./...


@@ -1,8 +1,10 @@
name: Publish charts
permissions: read-all
on:
push:
tags: [ "helm-v*" ]
tags:
- 'v*'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,9 +14,9 @@ jobs:
publish-helm:
# Skip this Release on forks
if: github.repository_owner == 'projectcapsule'
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Extract Version"
id: extract_version
run: |
@@ -27,6 +29,7 @@ jobs:
token: "${{ secrets.HELM_CHARTS_PUSH_TOKEN }}"
linting: off
chart_version: ${{ steps.extract_version.outputs.version }}
app_version: ${{ steps.extract_version.outputs.version }}
charts_dir: charts
charts_url: https://${{ github.repository_owner }}.github.io/charts
owner: ${{ github.repository_owner }}
@@ -34,7 +37,7 @@ jobs:
branch: gh-pages
commit_username: ${{ github.actor }}
publish-helm-oci:
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
permissions:
contents: write
id-token: write
@@ -42,8 +45,8 @@ jobs:
outputs:
chart-digest: ${{ steps.helm_publish.outputs.digest }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: "Extract Version"
id: extract_version
run: |
@@ -52,24 +55,25 @@ jobs:
echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
- name: Helm | Publish
id: helm_publish
uses: peak-scale/github-actions/helm-oci-chart@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
uses: peak-scale/github-actions/helm-oci-chart@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
with:
registry: ghcr.io
repository: ${{ github.repository_owner }}/charts
name: "capsule"
version: ${{ steps.extract_version.outputs.version }}
app-version: ${{ steps.extract_version.outputs.version }}
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
update-dependencies: 'true' # Defaults to false
sign-image: 'true'
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
signature-repository: ghcr.io/${{ github.repository_owner }}/charts/capsule
helm-provenance:
needs: publish-helm-oci
permissions:
id-token: write # To sign the provenance.
packages: write # To upload assets to release.
actions: read # To read the workflow path.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
with:
image: ghcr.io/${{ github.repository_owner }}/charts/capsule
digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"
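Review bot: The workflow keeps `permissions: read-all` at the top while the trigger is widened from `helm-v*` to every `v*` tag, so each application release tag now also starts `publish-helm`, which uses `secrets.HELM_CHARTS_PUSH_TOKEN`. The other workflows in this change set start from `permissions: {}` and grant scopes per job, as `publish-helm-oci` and `helm-provenance` already do here; `permissions: {}` at the top with `contents: read` on `publish-helm` would match that (the job's own permissions block, if any, is outside these hunks). It is also worth confirming that release-candidate tags are meant to publish a chart, since `v*` matches them and the `Extract Version` step is only partly visible.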


@@ -3,34 +3,43 @@ permissions: {}
on:
pull_request:
branches: [ "main" ]
branches:
- "main"
paths:
- '.github/configs/**'
- '.github/workflows/helm-*.yml'
- 'charts/**'
- 'Makefile'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
lint:
runs-on: ubuntu-20.04
linter-artifacthub:
runs-on: ubuntu-latest
container:
image: artifacthub/ah
options: --user root
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run ah lint
working-directory: ./charts/
run: ah lint
lint:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
- uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
- name: Linting Chart
run: helm lint ./charts/capsule
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --config ./.github/configs/ct.yaml)
if [[ -n "$changed" ]]; then
echo "::set-output name=changed::true"
fi
- name: Run chart-testing (lint)
run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
run: make helm-lint
- name: Run docs-testing (helm-docs)
id: helm-docs
run: |
@@ -42,7 +51,16 @@ jobs:
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
- name: Run schema-testing (helm-schema)
id: helm-schema
run: |
make helm-schema
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mSchema outdated! (Run make helm-schema locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mSchema up to date\033[0m ✔'
fi
- name: Run chart-testing (install)
run: make helm-test
if: steps.list-changed.outputs.changed == 'true'
run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test
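Review bot: The new `linter-artifacthub` job pulls `image: artifacthub/ah` with no tag or digest and runs it with `options: --user root`, so the job executes whatever `latest` resolves to at run time, in contrast to the SHA-pinned actions in the rest of the workflow. Pin the image by digest, `image: artifacthub/ah@sha256:DIGEST_PLACEHOLDER` (placeholder; use the digest of the release you reviewed), with a trailing comment naming the version. If `--user root` is only needed so that checkout can write to the workspace, say so in a comment on that line.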


@@ -1,28 +1,52 @@
name: Linting
permissions: {}
on:
push:
branches: [ "*" ]
branches:
- "*"
pull_request:
branches: [ "*" ]
branches:
- "*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
manifests:
name: diff
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- name: Generate manifests
run: |
make manifests
if [[ $(git diff --stat) != '' ]]; then
echo -e '\033[0;31mManifests outdated! (Run make manifests locally and commit)\033[0m ❌'
git diff --color
exit 1
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
yamllint:
name: yamllint
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install yamllint
run: pip install yamllint
- name: Lint YAML files
run: yamllint -c=.github/configs/lintconf.yaml .
golangci:
name: lint
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version: '1.21'
go-version-file: 'go.mod'
- name: Run golangci-lint
uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
with:
version: v1.56.2
only-new-issues: false
args: --timeout 5m --config .golangci.yml
run: make golint
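Review bot: `pip install yamllint` in the new `yamllint` job installs whatever version PyPI serves at run time, while `.pre-commit-config.yaml` in the same change set pins yamllint to `v1.37.0`; CI and local hooks can then disagree, and the install is not reproducible. Pin it: `run: pip install yamllint==1.37.0`. In the `manifests` job the success branch prints `Documentation up to date`, which looks copied from the helm-docs check; `Manifests up to date` would match the failure message.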


@@ -11,28 +11,70 @@ concurrency:
cancel-in-progress: true
jobs:
# seccomp-generation:
# name: Seccomp Generation
# strategy:
# fail-fast: false
# matrix:
# # differently from the e2e workflow
# # we don't need all the versions of kubernetes
# # to generate the seccomp profile.
# k8s-version:
# - "v1.30.0"
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# with:
# fetch-depth: 0
# - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
# with:
# go-version-file: 'go.mod'
# - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
# with:
# version: v3.14.2
# - name: unit tracing
# run: sudo make trace-unit
# - name: e2e tracing
# run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
# - name: build seccomp profile
# run: make seccomp
# - name: upload artifact
# uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
# with:
# name: capsule-seccomp
# path: capsule-seccomp.json
create-release:
# needs: seccomp-generation
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
with:
go-version-file: 'go.mod'
- name: Setup caches
uses: ./.github/actions/setup-caches
timeout-minutes: 5
continue-on-error: true
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3
- uses: anchore/sbom-action/download-syft@9f7302141466aa6482940f15371237e9d9f4c34a
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
# - name: download artifact
# uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
# with:
# name: capsule-seccomp
# path: ./capsule-seccomp.json
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
with:
version: latest
args: release --clean --timeout 90m --debug
args: release --clean --timeout 90m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
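Review bot: `Install Cosign` is bumped here to `sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1`, while the image and chart publish workflows in this change set pin `3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2`, so the release job, which holds `contents: write` and `id-token: write`, ends up on the older installer. Use the same pin in all three workflows. `anchore/sbom-action/download-syft` is pinned by SHA without a version comment, and `version: latest` on the GoReleaser step means the binary that builds and signs the release is not fixed; a constraint such as `version: '~> v2'` would make the release reproducible.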


@@ -20,23 +20,23 @@ jobs:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
publish_results: true
- name: Upload artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
with:
sarif_file: results.sarif
sarif_file: results.sarif

1
.gitignore vendored

@@ -31,3 +31,4 @@ dist/
.DS_Store
*.tgz
kind.yaml
capsule-seccomp.json


@@ -1,7 +1,4 @@
linters-settings:
govet:
check-shadowing: true
dupl:
threshold: 100
goconst:
@@ -33,40 +30,31 @@ linters-settings:
linters:
enable-all: true
disable:
- err113
- depguard
- perfsprint
- funlen
- gochecknoinits
- lll
- exhaustivestruct
- maligned
- interfacer
- scopelint
- golint
- gochecknoglobals
- goerr113
- gomnd
- mnd
- nilnil
- recvcheck
- unparam
- paralleltest
- ireturn
- testpackage
- varnamelen
- wrapcheck
- exhaustruct
- varcheck
- structcheck
- nosnakecase
- deadcode
- ifshort
- nonamedreturns
service:
golangci-lint-version: 1.56.x
run:
timeout: 3m
go: '1.21'
skip-files:
issues:
exclude-files:
- "zz_.*\\.go$"
- ".+\\.generated.go"
- ".+_test.go"
- ".+_test_.+.go"
run:
timeout: 3m
allow-parallel-runners: true
tests: false


@@ -31,13 +31,33 @@ builds:
release:
prerelease: auto
footer: |
Thanks to all the contributors!
**Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
**Docker Images**
- `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Tag }}`
- `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Version }}`
- `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
**Helm Chart**
View this release on [Artifact Hub](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}) or use the OCI helm chart:
- `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}`
[Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes)
**Kubernetes compatibility**
[!IMPORTANT]
Note that the Capsule project offers support only for the latest minor version of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).
| Kubernetes version | Minimum required |
|--------------------|------------------|
| `v1.31` | `>= 1.31.0` |
Thanks to all the contributors! 🚀 🦄
# extra_files:
# - glob: ./capsule-seccomp.json
checksum:
name_template: 'checksums.txt'
changelog:
@@ -83,4 +103,4 @@ signs:
- "--output-signature=${signature}"
- "${artifact}"
- "--yes"
artifacts: all
artifacts: all


@@ -6,4 +6,4 @@ builds:
- id: capsule
main: ./
ldflags:
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'

42
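--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,42 @@
+repos:
+- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+rev: v9.22.0
+hooks:
+- id: commitlint
+stages: [commit-msg]
+additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v5.0.0
+hooks:
+- id: check-executables-have-shebangs
+- id: check-yaml
+- id: double-quote-string-fixer
+- id: end-of-file-fixer
+- id: trailing-whitespace
+- repo: https://github.com/adrienverge/yamllint
+rev: v1.37.0
+hooks:
+- id: yamllint
+args: [-c=.github/configs/lintconf.yaml]
+- repo: local
+hooks:
+- id: run-helm-docs
+name: Execute helm-docs
+entry: make helm-docs
+language: system
+files: ^charts/
+- id: run-helm-schema
+name: Execute helm-schema
+entry: make helm-schema
+language: system
+files: ^charts/
+- id: run-helm-lint
+name: Execute helm-lint
+entry: make helm-lint
+language: system
+files: ^charts/
+- id: golangci-lint
+name: Execute golangci-lint
+entry: make golint
+language: system
+files: \.go$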
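Review bot: The three remote hooks are referenced by tag (`rev: v9.22.0`, `rev: v5.0.0`, `rev: v1.37.0`), and tags can be moved, whereas the CI in this change set enforces commit-SHA pinning for GitHub Actions. Pre-commit accepts a full commit SHA in `rev`, and `pre-commit autoupdate --freeze` writes the SHA with the tag as a trailing comment. The `additional_dependencies` for commitlint are unversioned npm packages and could be given versions in the same pass. `double-quote-string-fixer` only rewrites Python sources, so it can probably be dropped if the repository holds no Python.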


@@ -7,8 +7,14 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
### [Bedag Informatik AG](https://www.bedag.ch/)
![Bedag](https://www.bedag.ch/wGlobal/wGlobal/layout/images/logo.svg)
### [EPAM Delivery Platform](https://epam.github.io/edp-install/)
![EPAM Delivery Platform](https://raw.githubusercontent.com/epam/edp-install/master/docs/assets/edp-logo-150x150-black.png)
### [Begasoft AG](https://www.begasoft.ch)
![Begasoft](./assets/adopters/begasoft.png)
### [Department of Defense](https://www.defense.gov/)
![United States Department of Defense](https://www.access-board.gov/images/dod-seal.png)
### [KubeRocketCI](https://docs.kuberocketci.io/)
![KubeRocketCI](https://raw.githubusercontent.com/epam/edp-install/master/docs/assets/krci-logo-267×150-white.png)
### [Fastweb](https://www.fastweb.it/)
![Fastweb](https://www.fastweb.it/grandi-aziende/gfx/common/logo-fastweb-header.svg)
@@ -25,6 +31,9 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
### [Reevo](https://www.reevo.it/)
![Reevo Cloud and CyberSecurity](https://www.dropbox.com/s/x3q6r0oqstgvtdr/Logo_ReeVo_270x200px.svg)
### [Seeweb](https://seeweb.it/en)
![Seeweb x Serverless GPU](https://www.seeweb.it/assets/images/logo-seeweb.svg)
### [University of Torino](https://www.unito.it)
![University of Torino](https://www.unito.it/sites/all/themes/bsunito/img/logo_new_2022.svg)
@@ -33,3 +42,6 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
### [Wargaming.net](https://www.wargaming.net/)
![Wargaming.net](https://static-cspbe-eu.wargaming.net/images/logo@2x.png)
### [Enreach](https://www.enreach.com/)
![Enreach](https://campaigns.enreach.com/hubfs/Global/logos/Enreach-logo-vertical-indigo.svg)


@@ -7,4 +7,4 @@ See the [Releases](https://github.com/projectcapsule/capsule/releases)
## Helm Chart
For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).
For the helm chart, a dedicated changelog is created based on the chart's annotations ([See](./DEVELOPMENT.md#helm-changelog)).


@@ -45,7 +45,7 @@ Prereleases are marked as `-rc.x` (release candidate) and may refere to any type
The pull request title is checked according to the described [semantics](#semantics) (pull requests don't require a scope). However pull requests are currently not used to generate the changelog. Check if your pull requests body meets the following criteria:
- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests
- reference a previously opened issue: https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls#issues-and-pull-requests
- splitting changes into several and documented small commits
- limit the git subject to 50 characters and write as the continuation of the
sentence "If applied, this commit will ..."
@@ -70,7 +70,7 @@ git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY
2. **Create a branch:**
Create a new brach and navigate to the branch using this command.
Create a new branch and navigate to it using this command.
```sh
git checkout -b <new-branch>
@@ -104,7 +104,7 @@ To reorganise your commits, do the following (or use your way of doing it):
1. Pull upstream changes
```bash
git remote add upstream git@github.com:projectcapsule/capsule.git
git pull upstream main
@@ -180,10 +180,9 @@ The semantics should indicate the change and it's impact. The general format for
The following types are allowed for commits and pull requests:
* `chore`: housekeeping changes, no production code change
* `ci`: changes to buillding process/workflows
* `ci`: changes to building process/workflows
* `docs`: changes to documentation
* `feat`: new features
* `fix`: bug fixes
* `test`: test related changes
* `sec`: security related changes


@@ -23,10 +23,10 @@ Capsule maintainers must follow these guidelines when consuming third-party pack
When adding a new third-party package to Capsule, maintainers must follow these steps:
1. Evaluate the need for the package. Is it necessary for the functionality of Capsule?
2. Research the package. Is it well-maintained? Does it have a good reputation?
3. Choose a version of the package. Use the latest version whenever possible.
4. Pin the package to the specific version in the Capsule codebase.
1. Evaluate the need for the package. Is it necessary for the functionality of Capsule?
2. Research the package. Is it well-maintained? Does it have a good reputation?
3. Choose a version of the package. Use the latest version whenever possible.
4. Pin the package to the specific version in the Capsule codebase.
5. Update the Capsule documentation to reflect the new dependency.
## Archive/Deprecation


@@ -60,7 +60,7 @@ To achieve that, there are some necessary steps we need to walk through, which h
So the TL;DR answer is:
**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup.
**Make sure a *KinD* cluster is running on your laptop, and then run `make dev-setup` to setup the dev environment.**. This is not done in the `make dev-setup` setup.
```bash
# If you haven't installed or run `make deploy` before, do it first
@@ -222,12 +222,12 @@ time="2023-10-23T13:45:08Z" level=info msg="Found Chart directories [charts/caps
time="2023-10-23T13:45:08Z" level=info msg="Generating README Documentation for chart /helm-docs/charts/capsule"
```
This will update the documentation for the chart in the `README.md` file.
This will update the documentation for the chart in the `README.md` file.
### Helm Changelog
### Helm Changelog
The `version` of the chart does not require a bump, since it's driven by our release process. The `appVersion` of the chart is the version of the Capsule project. This is the version that should be bumped when a new Capsule version is released. This will be done by the maintainers.
To create the proper changelog for the helm chart, all changes which affect the helm chart must be documented as chart annotation. See all the available [chart annotations](https://artifacthub.io/docs/topics/annotations/helm/).
This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.
This annotation can be provided using two different formats: using a plain list of strings with the description of the change or using a list of objects with some extra structured information (see example below). Please feel free to use the one that better suits your needs. The UI experience will be slightly different depending on the choice. When using the list of objects option the valid supported kinds are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`.


@@ -1,40 +0,0 @@
# Build the manager binary
FROM golang:1.20.10 as builder
WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download
ARG TARGETARCH
ARG GIT_HEAD_COMMIT
ARG GIT_TAG_COMMIT
ARG GIT_LAST_TAG
ARG GIT_MODIFIED
ARG GIT_REPO
ARG BUILD_DATE
# Copy the go source
COPY main.go main.go
COPY version.go version.go
COPY api/ api/
COPY controllers/ controllers/
COPY pkg/ pkg/
# Build
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build \
-gcflags "-N -l" \
-ldflags "-X main.GitRepo=$GIT_REPO -X main.GitTag=$GIT_LAST_TAG -X main.GitCommit=$GIT_HEAD_COMMIT -X main.GitDirty=$GIT_MODIFIED -X main.BuildTime=$BUILD_DATE" \
-o manager
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static:nonroot
WORKDIR /
COPY --from=builder /workspace/manager .
USER nonroot:nonroot
ENTRYPOINT ["/manager"]

17
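--- a/Dockerfile.tracing
+++ b/Dockerfile.tracing
@@ -0,0 +1,17 @@
+# Target Binary
+ARG TARGET_IMAGE
+FROM ${TARGET_IMAGE} AS target
+# Inject Harpoon Image
+FROM ghcr.io/alegrey91/harpoon:latest
+WORKDIR /
+COPY --from=target /ko-app/capsule ./manager
+RUN chmod +x ./harpoon
+ENTRYPOINT ["/harpoon", \
+"capture", \
+"-f", "main.main", \
+"-E", "NAMESPACE=capsule-system", \
+"-i", "2", \
+"-c", "-e", \
+"-S", "-D", "/tmp/results/", \
+"--", "/manager"]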
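Review bot: `FROM ghcr.io/alegrey91/harpoon:latest` pulls a mutable tag, so the image that wraps the manager binary can change between builds with no change in this repository, while the Makefile in the same comparison pins the CLI with `HARPOON_VERSION := v0.9.6`. Pin the base image to a release tag plus digest, e.g. `FROM ghcr.io/alegrey91/harpoon:<release-tag>@sha256:<digest>` (placeholders), so the tracing image is reproducible and its provenance can be checked. The final stage also sets no `USER`, so the container presumably runs as the base image's default user. A short comment such as `# CI tracing image only: runs the manager under harpoon, not for production use` above the second `FROM` would keep this image from being reused as a runtime image.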

133
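--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -0,0 +1,133 @@
+# Capsule Project Governance
+The **Capsule** project is dedicated to creating a multi-tenancy and policy-based framework for Kubernetes. This governance explains how the project is run.
+- [Values](#values)
+- [Maintainers](#maintainers)
+- [Becoming a Maintainer](#becoming-a-maintainer)
+- [Meetings](#meetings)
+- [CNCF Resources](#cncf-resources)
+- [Code of Conduct Enforcement](#code-of-conduct)
+- [Security Response Team](#security-response-team)
+- [Voting](#voting)
+- [Modifications](#modifying-this-charter)
+## Values
+The Capsule and its leadership embrace the following values:
+* Openness: Communication and decision-making happens in the open and is discoverable for future
+reference. As much as possible, all discussions and work take place in public
+Slack channels and open repositories.
+* Fairness: All stakeholders have the opportunity to provide feedback and submit
+contributions, which will be considered on their merits.
+* Community over Product or Company: Sustaining and growing our community takes
+priority over shipping code or sponsors' organizational goals. Each
+contributor participates in the project as an individual.
+* Community Before Individual Demand: As a community-driven open source project, we emphasize
+the importance of collaboration and contribution. Maintainers and contributors work together towards the project's growth, not to serve unilateral user demands. Users pretending features or enhancements for their sole benefit without contributing to the effort are not aligned with our community values.
+* Inclusivity: We innovate through different perspectives and skill sets, which
+can only be accomplished in a welcoming and respectful environment.
+* Participation: Responsibilities within the project are earned through
+participation, and there is a clear path up the contributor ladder into leadership
+positions.
+## Maintainers
+Capsule Maintainers have write access to the [project GitHub repository](https://github.com/orgs/projectcapsule). They can merge their own patches or patches from others. The current maintainers
+can be found in [MAINTAINERS.md](./MAINTAINERS.md). Maintainers collectively manage the project's
+resources and contributors.
+This privilege is granted with some expectation of responsibility: maintainers
+are people who care about the Capsule project and want to help it grow and
+improve. A maintainer is not just someone who can make changes, but someone who
+has demonstrated their ability to collaborate with the team, get the most
+knowledgeable people to review code and docs.
+A maintainer is a contributor to the project's success and a citizen helping
+the project succeed. The collective team of all Maintainers is known as the Maintainer Council, which
+is the governing body for the project.
+### Becoming a Maintainer
+To become a Maintainer you need to demonstrate the following:
+* commitment to the project:
+* participate in discussions, contributions, code and documentation reviews,
+* perform reviews for non-trivial pull requests,
+* contribute non-trivial pull requests and have them merged,
+* ability to write quality code and/or documentation,
+* ability to collaborate with the team,
+* understanding of how the team works (policies, processes for testing and code review, etc),
+* understanding of the project's purpose, code base and coding and documentation style.
+A new Maintainer must be proposed by an existing maintainer by sending a message to all the other existing Maintainers. A simple majority vote of existing Maintainers
+approves the application. Maintainers nominations will be evaluated without prejudice
+to employer or demographics.
+Maintainers who are selected will be granted the necessary GitHub rights.
+### Removing a Maintainer
+Maintainers may resign at any time if they feel that they will not be able to
+continue fulfilling their project duties.
+Maintainers may also be removed after being inactive, failure to fulfill their
+Maintainer responsibilities, violating the Code of Conduct, or other reasons.
+A Maintainer may be removed at any time by a 2/3 vote of the remaining maintainers.
+Depending on the reason for removal, a Maintainer may be converted to Emeritus
+status. Emeritus Maintainers will still be consulted on some project matters,
+and can be rapidly returned to Maintainer status if their availability changes.
+## Meetings
+Time zones permitting, Maintainers are expected to participate in the public
+developer meeting and/or public discussions.
+Maintainers will also have closed meetings in order to discuss security reports
+or Code of Conduct violations. Such meetings should be scheduled by any
+Maintainer on receipt of a security issue or CoC report. All current Maintainers
+must be invited to such closed meetings, except for any Maintainer who is
+accused of a CoC violation.
+## CNCF Resources
+Any Maintainer may suggest a request for CNCF resources. A simple majority of Maintainers
+approves the request. The Maintainers may also choose to delegate working with the CNCF to non-Maintainer community members, who will then be added to the [CNCF's Maintainer List](https://github.com/cncf/foundation/blob/main/project-maintainers.csv) for that purpose.
+## Code of Conduct
+[Code of Conduct](./CODE_OF_CONDUCT.md)
+violations by community members will be discussed and resolved in private Maintainer meetings. If a Maintainer is directly involved in the report, the Maintainers will instead designate two Maintainers to work with the CNCF Code of Conduct Committee in resolving it.
+## Security Response Team
+The Maintainers will appoint a Security Response Team to handle security reports.
+This committee may simply consist of the Maintainer Council themselves. If this
+responsibility is delegated, the Maintainers will appoint a team of at least two
+contributors to handle it. The Maintainers will review who is assigned to this
+at least once a year.
+The Security Response Team is responsible for handling all reports of security
+holes and breaches according to the [security policy](TODO:Link to security.md).
+## Voting
+While most business in Capsule Project is conducted by "[lazy consensus](https://community.apache.org/committers/lazyConsensus.html)",
+periodically the Maintainers may need to vote on specific actions or changes.
+Any Maintainer may demand a vote be taken.
+Most votes require a simple majority of all Maintainers to succeed, except where
+otherwise noted. Two-thirds majority votes mean at least two-thirds of all
+existing maintainers.
+## Modifying this Charter
+Changes to this Governance and its supporting documents may be approved by
+a 2/3 vote of the Maintainers.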

13
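--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -0,0 +1,13 @@
+The current Maintainers Group for the [TODO: Projectname] Project consists of:
+| Name | Employer | Responsibilities |
+| ------------------------- | ----------- | ---------------- |
+| Adriano Pezzuto | Clastix | Maintainer |
+| Dario Tranchitella | Clastix | Maintainer |
+| Maksim Fedotov | Wargaming | Maintainer |
+| Oliver Bähler | Peak Scale | Maintainer |
+| Massimiliano Giovagnoli | Proximus | Maintainer |
+This list must be kept in sync with the [CNCF Project Maintainers list](https://github.com/cncf/foundation/blob/master/project-maintainers.csv).
+See [the project Governance](GOVERNANCE.md) for how maintainers are selected and replaced.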

375
Makefile

@@ -1,6 +1,8 @@
# Version
GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
VERSION ?= $(or $(shell git describe --abbrev=0 --tags --match "v*" 2>/dev/null),$(GIT_HEAD_COMMIT))
GOOS ?= $(shell go env GOOS)
GOARCH ?= $(shell go env GOARCH)
# Defaults
REGISTRY ?= ghcr.io
@@ -14,6 +16,14 @@ BUILD_DATE ?= $(shell git log -1 --format="%at" | xargs -I{} sh -c 'if [ "$
IMG_BASE ?= $(REPOSITORY)
IMG ?= $(IMG_BASE):$(VERSION)
CAPSULE_IMG ?= $(REGISTRY)/$(IMG_BASE)
CLUSTER_NAME ?= capsule
## Kubernetes Version Support
KUBERNETES_SUPPORTED_VERSION ?= "v1.31.0"
## Tool Binaries
KUBECTL ?= kubectl
HELM ?= helm
# Options for 'bundle-build'
ifneq ($(origin CHANNELS), undefined)
@@ -50,40 +60,14 @@ manager: generate golint
run: generate manifests
go run .
# Creates the single file to install Capsule without any external dependency
installer: manifests kustomize
cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG}
$(KUSTOMIZE) build config/default > config/install.yaml
# Install CRDs into a cluster
install: installer
$(KUSTOMIZE) build config/crd | kubectl apply -f -
# Uninstall CRDs from a cluster
uninstall: installer
$(KUSTOMIZE) build config/crd | kubectl delete -f -
# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
deploy: installer
kubectl apply -f config/install.yaml
# Remove controller in the configured Kubernetes cluster in ~/.kube/config
remove: installer
kubectl delete -f config/install.yaml
kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
# Generate manifests e.g. CRD, RBAC etc.
manifests: controller-gen
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
manifests: generate
$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=charts/capsule/crds
# Generate code
generate: controller-gen
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
apidoc: apidocs-gen
$(APIDOCS_GEN) crdoc --resources config/crd/bases --output docs/content/general/crds-apis.md --template docs/template/reference-cr.tmpl
# Helm
SRC_ROOT = $(shell git rev-parse --show-toplevel)
@@ -91,31 +75,33 @@ helm-controller-version:
$(eval VERSION := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
$(eval KO_TAGS := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
helm-docs: HELMDOCS_VERSION := v1.11.0
helm-docs: docker
@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
helm-docs: helm-doc
$(HELM_DOCS) --chart-search-root ./charts
helm-lint: CT_VERSION := v3.3.1
helm-lint: docker
@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
helm-lint: ct
@$(CT) lint --config .github/configs/ct.yaml --validate-yaml=false --all --debug
helm-test: helm-controller-version kind ct ko-build-all
@kind create cluster --wait=60s --name capsule-charts
@kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
@kubectl create ns capsule-system
@kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
@kind delete cluster --name capsule-charts
helm-schema: helm-plugin-schema
cd charts/capsule && $(HELM) schema -output values.schema.json
docker:
@hash docker 2>/dev/null || {\
echo "You need docker" &&\
exit 1;\
}
helm-test: HELM_KIND_CONFIG ?= ""
helm-test: kind
@mkdir -p /tmp/results || true
@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config $(HELM_KIND_CONFIG)
@make helm-test-exec
@$(KIND) delete cluster --name capsule-charts
helm-test-exec: ct helm-controller-version ko-build-all
$(MAKE) docker-build-capsule-trace
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
@$(KUBECTL) create ns capsule-system || true
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
# Setup development env
# Usage:
# Usage:
# LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
# For example:
# LAPTOP_HOST_IP=192.168.10.101 make dev-setup
@@ -137,7 +123,6 @@ IP.1 = $(LAPTOP_HOST_IP)
endef
export TLS_CNF
dev-setup:
kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
mkdir -p /tmp/k8s-webhook-server/serving-certs
echo "$${TLS_CNF}" > _tls.cnf
openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
@@ -146,43 +131,32 @@ dev-setup:
-config _tls.cnf \
-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
-out /tmp/k8s-webhook-server/serving-certs/tls.crt
rm -f _tls.cnf
$(KUBECTL) create secret tls capsule-tls -n capsule-system \
--cert=/tmp/k8s-webhook-server/serving-certs/tls.crt\
--key=/tmp/k8s-webhook-server/serving-certs/tls.key || true
rm -f _tls.cnf
export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
--type='json' -p="[\
{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\
]" && \
kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
--type='json' -p="[\
{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenantresource-objects\",'caBundle':\"$${CA_BUNDLE}\"}},\
{'op': 'replace', 'path': '/webhooks/9/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}\
]" && \
kubectl patch crd tenants.capsule.clastix.io \
--type='json' -p="[\
{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
]" && \
kubectl patch crd capsuleconfigurations.capsule.clastix.io \
--type='json' -p="[\
{'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\
]";
$(HELM) upgrade \
--dependency-update \
--debug \
--install \
--namespace capsule-system \
--create-namespace \
--set 'crds.install=true' \
--set 'crds.exclusive=true'\
--set "webhooks.exclusive=true"\
--set "webhooks.service.url=$${WEBHOOK_URL}" \
--set "webhooks.service.caBundle=$${CA_BUNDLE}" \
capsule \
./charts/capsule
$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
####################
# -- Docker
####################
KO_PLATFORM ?= linux/$(GOARCH)
KOCACHE ?= /tmp/ko-cache
KO_REGISTRY := ko.local
KO_TAGS ?= "latest"
@@ -202,13 +176,21 @@ LD_FLAGS := "-X main.Version=$(VERSION) \
.PHONY: ko-build-capsule
ko-build-capsule: ko
@echo Building Capsule $(KO_TAGS) >&2
@echo Building Capsule $(KO_TAGS) for $(KO_PLATFORM) >&2
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local
$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
.PHONY: ko-build-all
ko-build-all: ko-build-capsule
.PHONY: docker-build-capsule-trace
docker-build-capsule-trace: ko-build-capsule
@docker build \
--no-cache \
--build-arg TARGET_IMAGE=$(CAPSULE_IMG):$(VERSION) \
-t $(CAPSULE_IMG):tracing \
-f Dockerfile.tracing .
# Docker Image Publish
# ------------------
@@ -227,105 +209,30 @@ ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
.PHONY: ko-publish-all
ko-publish-all: ko-publish-capsule
####################
# -- Binaries
####################
CONTROLLER_GEN := $(shell pwd)/bin/controller-gen
CONTROLLER_GEN_VERSION := v0.10.0
controller-gen: ## Download controller-gen locally if necessary.
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
APIDOCS_GEN := $(shell pwd)/bin/crdoc
APIDOCS_GEN_VERSION := latest
apidocs-gen: ## Download crdoc locally if necessary.
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
GINKGO := $(shell pwd)/bin/ginkgo
GINGKO_VERSION := v2.15.0
ginkgo: ## Download ginkgo locally if necessary.
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
CT := $(shell pwd)/bin/ct
CT_VERSION := v3.7.1
ct: ## Download ct locally if necessary.
$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
KIND := $(shell pwd)/bin/kind
KIND_VERSION := v0.17.0
kind: ## Download kind locally if necessary.
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KUSTOMIZE := $(shell pwd)/bin/kustomize
KUSTOMIZE_VERSION := 3.8.7
kustomize: ## Download kustomize locally if necessary.
$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
KO = $(shell pwd)/bin/ko
KO_VERSION = v0.14.1
ko:
$(call go-install-tool,$(KO),github.com/google/ko@$(KO_VERSION))
####################
# -- Helpers
####################
pull-upstream:
git remote add upstream https://github.com/capsuleproject/capsule.git
git fetch --all && git pull upstream
define install-kustomize
@[ -f $(1) ] || { \
set -e ;\
echo "Installing v$(2)" ;\
cd bin ;\
wget "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" ;\
bash ./install_kustomize.sh $(2) ;\
}
endef
# go-install-tool will 'go install' any package $2 and install it to $1.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
@[ -f $(1) ] || { \
set -e ;\
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
}
endef
# Generate bundle manifests and metadata, then validate generated files.
bundle: manifests
operator-sdk generate kustomize manifests -q
kustomize build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
operator-sdk bundle validate ./bundle
# Sorting imports
.PHONY: goimports
goimports:
goimports -w -l -local "github.com/projectcapsule/capsule" .
GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
GOLANGCI_LINT_VERSION = v1.56.2
golangci-lint: ## Download golangci-lint locally if necessary.
$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
# Linting code as PR is expecting
.PHONY: golint
golint: golangci-lint
$(GOLANGCI_LINT) run -c .golangci.yml
$(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
# Running e2e tests in a KinD instance
.PHONY: e2e
e2e/%: ginkgo
$(MAKE) e2e-build/$* && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
e2e: ginkgo
$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
e2e-build/%:
kind create cluster --wait=60s --name capsule --image=kindest/node:$*
make e2e-load-image
make e2e-install
e2e-build: kind
$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
$(MAKE) e2e-install
.PHONY: e2e-install
e2e-install:
helm upgrade \
e2e-install: ko-build-all
$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
$(HELM) upgrade \
--dependency-update \
--debug \
--install \
--namespace capsule-system \
@@ -335,23 +242,147 @@ e2e-install:
--set "manager.image.tag=$(VERSION)" \
--set 'manager.livenessProbe.failureThreshold=10' \
--set 'manager.readinessProbe.failureThreshold=10' \
--set 'podSecurityContext.seccompProfile=null' \
capsule \
./charts/capsule
.PHONY: trace-install
trace-install:
helm upgrade \
--dependency-update \
--debug \
--install \
--namespace capsule-system \
--create-namespace \
--set 'manager.resources=null'\
--set 'manager.livenessProbe.failureThreshold=10' \
--set 'manager.readinessProbe.failureThreshold=10' \
--values charts/capsule/ci/tracing-values.yaml \
capsule \
./charts/capsule
.PHONY: trace-e2e
trace-e2e: kind
$(MAKE) docker-build-capsule-trace
$(KIND) create cluster --wait=60s --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config hack/kind-cluster.yml
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-tracing IMAGE=$(CAPSULE_IMG) VERSION=tracing
$(MAKE) trace-install
$(MAKE) e2e-exec
$(KIND) delete cluster --name capsule-tracing
.PHONY: trace-unit
trace-unit: harpoon
$(HARPOON) analyze -e .git/ -e assets/ -e charts/ -e config/ -e docs/ -e e2e/ -e hack/ --directory /tmp/artifacts/ --save
$(HARPOON) hunt -D /tmp/results -F harpoon-report.yml --include-cmd-stdout --save
.PHONY: seccomp
seccomp:
$(HARPOON) build --add-syscall-sets=dynamic,docker -D /tmp/results --name capsule-seccomp.json --save
.PHONY: e2e-load-image
e2e-load-image: ko-build-all
kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
e2e-load-image: kind
$(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME)
.PHONY: e2e-exec
e2e-exec: ginkgo
$(GINKGO) -v -tags e2e ./e2e
.PHONY: e2e-destroy
e2e-destroy:
kind delete cluster --name capsule
e2e-destroy: kind
$(KIND) delete cluster --name capsule
SPELL_CHECKER = npx spellchecker-cli
docs-lint:
cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" -d dictionary.txt
cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt
####################
# -- Helpers
####################
pull-upstream:
git remote add upstream https://github.com/capsuleproject/capsule.git
git fetch --all && git pull upstream
## Location to install dependencies to
LOCALBIN ?= $(shell pwd)/bin
$(LOCALBIN):
mkdir -p $(LOCALBIN)
####################
# -- Helm Plugins
####################
HELM_SCHEMA_VERSION := ""
helm-plugin-schema:
@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
HELM_DOCS := $(LOCALBIN)/helm-docs
HELM_DOCS_VERSION := v1.14.1
HELM_DOCS_LOOKUP := norwoodj/helm-docs
helm-doc:
@test -s $(HELM_DOCS) || \
$(call go-install-tool,$(HELM_DOCS),github.com/$(HELM_DOCS_LOOKUP)/cmd/helm-docs@$(HELM_DOCS_VERSION))
####################
# -- Tools
####################
CONTROLLER_GEN := $(LOCALBIN)/controller-gen
CONTROLLER_GEN_VERSION ?= v0.17.3
CONTROLLER_GEN_LOOKUP := kubernetes-sigs/controller-tools
controller-gen:
@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
GINKGO := $(LOCALBIN)/ginkgo
ginkgo:
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
CT := $(LOCALBIN)/ct
CT_VERSION := v3.12.0
CT_LOOKUP := helm/chart-testing
ct:
@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
KIND := $(LOCALBIN)/kind
KIND_VERSION := v0.27.0
KIND_LOOKUP := kubernetes-sigs/kind
kind:
@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
KO := $(LOCALBIN)/ko
KO_VERSION := v0.17.1
KO_LOOKUP := google/ko
ko:
@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
GOLANGCI_LINT := $(LOCALBIN)/golangci-lint
GOLANGCI_LINT_VERSION := v1.64.5
GOLANGCI_LINT_LOOKUP := golangci/golangci-lint
golangci-lint: ## Download golangci-lint locally if necessary.
@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
APIDOCS_GEN := $(LOCALBIN)/crdoc
APIDOCS_GEN_VERSION := v0.6.4
APIDOCS_GEN_LOOKUP := fybrik/crdoc
apidocs-gen: ## Download crdoc locally if necessary.
@test -s $(APIDOCS_GEN) && $(APIDOCS_GEN) --version | grep -q $(APIDOCS_GEN_VERSION) || \
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
HARPOON := $(LOCALBIN)/harpoon
HARPOON_VERSION := v0.9.6
HARPOON_LOOKUP := alegrey91/harpoon
harpoon:
@mkdir $(LOCALBIN)
@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
sudo bash -s -- --install-version $(HARPOON_VERSION) --install-dir $(LOCALBIN)
# go-install-tool will 'go install' any package $2 and install it to $1.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
[ -f $(1) ] || { \
set -e ;\
GOBIN=$(LOCALBIN) go install $(2) ;\
}
endef
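Review bot: The `harpoon` target downloads the installer from the `main` branch and pipes it into `sudo bash`, so the script that runs as root is whatever that branch holds at build time; `HARPOON_VERSION` pins only the binary the script installs, not the script itself. Fetch the installer from a fixed tag or commit, compare it with a recorded checksum before running it, and use `curl -fsSL` so an HTTP error body is never handed to the shell. Because `--install-dir` points at `$(LOCALBIN)`, which this Makefile sets to `$(shell pwd)/bin`, `sudo` looks unnecessary and would leave root-owned files in the work tree; confirm against the installer before dropping it. Separately, `@mkdir $(LOCALBIN)` fails once the directory exists and should be `@mkdir -p $(LOCALBIN)`.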


@@ -23,7 +23,7 @@
</p>
<p align="center">
<img src="assets/logo/capsule_medium.png" />
<img src="assets/logo/capsule.svg" height=560 />
</p>
---
@@ -40,9 +40,9 @@ Kubernetes introduces the _Namespace_ object type to create logical partitions o
# Entering Capsule
Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
# Features
@@ -76,30 +76,12 @@ Assign to tenants a dedicated set of compute, storage, and network resources and
# Documentation
Please, check the project [documentation](https://capsule.clastix.io) for the cool things you can do with Capsule.
Please check the project [documentation](https://projectcapsule.dev) for the cool things you can do with Capsule.
# Contributions
Capsule is Open Source with Apache 2 license and any contribution is welcome.
## Chart Development
### Chart Linting
The chart is linted with [ct](https://github.com/helm/chart-testing). You can run the linter locally with this command:
```
make helm-lint
```
### Chart Documentation
The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation. Run this anytime you make changes to a `values.yaml` file:
```
make helm-docs
```
## Community meeting
Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
@@ -110,17 +92,19 @@ Please read the [code of conduct](CODE_OF_CONDUCT.md).
See the [ADOPTERS.md](ADOPTERS.md) file for a list of companies that are using Capsule.
# Governance
# Project Governance
You can find how the Capsule project is governed [here](https://capsule.clastix.io/docs/contributing/governance).
You can find how the Capsule project is governed [here](https://projectcapsule.dev/project/governance/).
## Maintainers
Please, refer to the maintainers file available [here](.github/maintainers.yaml).
Please refer to the maintainers file available [here](.github/maintainers.yaml).
## Release process
## CLOMonitor
Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
CLOMonitor is a tool that periodically checks open source project repositories to verify they meet certain project health best practices.
[![CloMonitor report summary](https://clomonitor.io/api/projects/cncf/capsule/report-summary?theme=light)](https://clomonitor.io/projects/cncf/capsule)
### Changelog
@@ -128,22 +112,22 @@ Read how we log changes [here](CHANGELOG.md)
### Software Bill of Materials
All OCI release artifacts include a Software Bill of Materials (SBOM) in CycloneDX JSON format. More information on this is available [here](SECURITY.md#software-bill-of-materials-sbom)
All OCI release artifacts include a Software Bill of Materials (SBOM) in CycloneDX JSON format. More information about this is available [here](SECURITY.md#software-bill-of-materials-sbom)
# FAQ
- Q. How to pronounce Capsule?
- Q. How do you pronounce Capsule?
A. It should be pronounced as `/ˈkæpsjuːl/`.
- Q. Is it production grade?
A. Although under frequent development and improvements, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/projectcapsule/capsule/releases) page for a detailed list of available versions.
A. Although under frequent development and improvement, Capsule is ready to be used in production environments as currently, people are using it in public and private deployments. Check out the [release](https://github.com/projectcapsule/capsule/releases) page for a detailed list of available versions.
- Q. Does it work with my Kubernetes XYZ distribution?
A. We tested Capsule with vanilla Kubernetes 1.16+ on private environments and public clouds. We expect it to work smoothly on any other Kubernetes distribution. Please, let us know if you find it doesn't.
A. We tested Capsule with vanilla Kubernetes 1.16+ on private environments and public clouds. We expect it to work smoothly on any other Kubernetes distribution. Please let us know if you find it doesn't.
- Q. Do you provide commercial support?
A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote.
A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote.


@@ -1,3 +1,3 @@
# Roadmap
future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.
future features and fixes are planned with [release milestones on GitHub](https://github.com/projectcapsule/capsule/milestones?direction=asc&sort=due_date&state=open). You can influence the roadmap by opening issues or joining our community meetings.


@@ -57,4 +57,3 @@ security-contacts:
- type: email
value: cncf-capsule-maintainers@lists.cncf.io
primary: true


@@ -6,7 +6,6 @@ The Capsule community has adopted this security disclosures and response policy
For information regarding the security of this project please join our [slack channel](https://kubernetes.slack.com/archives/C03GETTJQRL).
## Covered Repositories and Issues
When we say "a security vulnerability in capsule" we mean a security issue
@@ -35,7 +34,7 @@ To report a security issue or vulnerability, [submit a private vulnerability rep
Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. should contain the following:
* description of the problem
* precise and detailed steps (include screenshots)
* precise and detailed steps (include screenshots)
* the affected version(s). This may also include environment relevant versions.
* any possible mitigations
@@ -55,19 +54,23 @@ Response times could be affected by weekends, holidays, breaks or time zone diff
## Verifing
To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). We have a seperate repository for all the signatures for all the artifacts released under the projectcapsule - `ghcr.io/projectcapsule/signatures`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures
# Docker Image
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
# Helm Chart
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
To verify the signature of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
--certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/docker-publish.yml@refs/tags/*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
To verify the signature of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
--certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/helm-publish.yml@refs/tags/*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
@@ -96,19 +99,23 @@ cosign verify-attestation --type slsaprovenance \
## Software Bill of Materials (SBOM)
An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at `ghcr.io/projectcapsule/sbom`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each release, including pre-releases. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
# Docker Image
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
# Helm Chart
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom
To inspect the SBOM of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
To inspect the SBOM of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
# Credits


@@ -81,7 +81,7 @@ Capsule was accepted as a CNCF sandbox project in December 2022.
It's the Operator which provides all the multi-tenant capabilities offered by Capsule.
It's made of two internal components, such as the webhooks server (known as _policy engine_), and the _tenant controller_.
**Capsule Tenant Controller**
**Capsule Tenant Controller**
The controller is responsible for managing the tenants by reconciling the required objects at the Namespace level, such as _Network Policy_, _LimitRange_, _ResourceQuota_, _Role Binding_, as well as labelling the Namespace objects belonging to a Tenant according to their desired metadata.
It is responsible for binding Namespaces to the selected Tenant, and managing their lifecycle.
@@ -90,10 +90,10 @@ Furthermore, the manager can replicate objects thanks to the **Tenant Resource**
The replicated resources are dynamically created, and replicated by Capsule itself, as well as preserving the deletion of these objects by the Tenant owner.
**Capsule Tenant Controller (Policy Engine)**
**Capsule Tenant Controller (Policy Engine)**
Policies are defined on a Tenant basis: therefore the policy engine is enforcing these policies on the tenants's Namespaces and their children's resources.
The Policy Engine is currently not a dedicated component, but a part of the Capsule Tenant Controller.
The Policy Engine is currently not a dedicated component, but a part of the Capsule Tenant Controller.
The webhook server, also known as the policy engine, interpolates the Tenant rules and takes full advantage of the dynamic admission controllers offered by Kubernetes itself (such as `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration`).
Thanks to the _policy engine_ the cluster administrators can enforce specific rules such as preventing _Pod_ objects from untrusted registries to run or preventing the creation of _PersistentVolumeClaim_ resources using a non-allowed _StorageClass_, etc.
@@ -152,7 +152,7 @@ This is a further abstraction from having cluster defaults (eg. default `Storage
**General**
* **Control Plane**: Capsule can't mimic for each tenant a feeling of a dedicated control plane.
* **Control Plane**: Capsule can't mimic for each tenant a feeling of a dedicated control plane.
* **Custom Resource Definitions**: Capsule doesn't want to provide virtual cluster capabilities and it's sticking to the native Kubernetes user experience and design; rather, its focus is to provide a governance solution by focusing on resource optimization and security lockdown.


@@ -1,5 +1,4 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0


@@ -4,9 +4,13 @@
package v1beta2
import (
"slices"
"sort"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
"github.com/projectcapsule/capsule/pkg/api"
)
func (in *Tenant) IsFull() bool {
@@ -36,3 +40,128 @@ func (in *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
func (in *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
return in.Spec.Owners.FindOwner(name, kind).ProxyOperations
}
// GetClusterRolePermissions returns a map where the clusterRole is the key
// and the value is a list of permission subjects (kind and name) that reference that role.
// These mappings are gathered from the owners and additionalRolebindings spec.
func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
rolePerms = make(map[string][]rbacv1.Subject)
// Helper to add permissions for a given clusterRole
addPermission := func(clusterRole string, permission rbacv1.Subject) {
if _, exists := rolePerms[clusterRole]; !exists {
rolePerms[clusterRole] = []rbacv1.Subject{}
}
rolePerms[clusterRole] = append(rolePerms[clusterRole], permission)
}
// Helper to check if a kind is in the ignoreOwnerKind list
isIgnoredKind := func(kind string) bool {
for _, ignored := range ignoreOwnerKind {
if kind == ignored.String() {
return true
}
}
return false
}
// Process owners
for _, owner := range in.Spec.Owners {
if !isIgnoredKind(owner.Kind.String()) {
for _, clusterRole := range owner.ClusterRoles {
perm := rbacv1.Subject{
Name: owner.Name,
Kind: owner.Kind.String(),
}
addPermission(clusterRole, perm)
}
}
}
// Process additional role bindings
for _, role := range in.Spec.AdditionalRoleBindings {
for _, subject := range role.Subjects {
if !isIgnoredKind(subject.Kind) {
perm := rbacv1.Subject{
Name: subject.Name,
Kind: subject.Kind,
}
addPermission(role.ClusterRoleName, perm)
}
}
}
return
}
// Get the permissions for a tenant ordered by groups and users.
func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
maps = make(map[string]map[string]api.TenantSubjectRoles)
// Initialize a nested map for kind ("User", "Group") and name
initNestedMap := func(kind string) {
if _, exists := maps[kind]; !exists {
maps[kind] = make(map[string]api.TenantSubjectRoles)
}
}
// Helper to check if a kind is in the ignoreOwnerKind list
isIgnoredKind := func(kind string) bool {
for _, ignored := range ignoreOwnerKind {
if kind == ignored.String() {
return true
}
}
return false
}
// Process owners
for _, owner := range in.Spec.Owners {
if !isIgnoredKind(owner.Kind.String()) {
initNestedMap(owner.Kind.String())
if perm, exists := maps[owner.Kind.String()][owner.Name]; exists {
// If the permission entry already exists, append cluster roles
perm.ClusterRoles = append(perm.ClusterRoles, owner.ClusterRoles...)
maps[owner.Kind.String()][owner.Name] = perm
} else {
// Create a new permission entry
maps[owner.Kind.String()][owner.Name] = api.TenantSubjectRoles{
ClusterRoles: owner.ClusterRoles,
}
}
}
}
// Process additional role bindings
for _, role := range in.Spec.AdditionalRoleBindings {
for _, subject := range role.Subjects {
if !isIgnoredKind(subject.Kind) {
initNestedMap(subject.Kind)
if perm, exists := maps[subject.Kind][subject.Name]; exists {
// If the permission entry already exists, append cluster roles
perm.ClusterRoles = append(perm.ClusterRoles, role.ClusterRoleName)
maps[subject.Kind][subject.Name] = perm
} else {
// Create a new permission entry
maps[subject.Kind][subject.Name] = api.TenantSubjectRoles{
ClusterRoles: []string{role.ClusterRoleName},
}
}
}
}
}
// Remove duplicates from cluster roles in both maps
for kind, nameMap := range maps {
for name, perm := range nameMap {
perm.ClusterRoles = slices.Compact(perm.ClusterRoles)
maps[kind][name] = perm
}
}
return maps
}
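Review bot: The closing loop of GetClusterRolesBySubject de-duplicates with `slices.Compact`, which only collapses adjacent equal elements, so a role granted to the same subject by an owner entry and again by a later additional role binding stays listed twice unless the two entries happen to be neighbours. The new-entry branch for owners also stores `owner.ClusterRoles` itself rather than a copy, so the later `append` and the in-place `Compact` operate on the backing array of the Tenant's own spec slice and can rewrite `Spec.Owners[i].ClusterRoles`. I would copy the slice on first insert and de-duplicate into a fresh slice in first-seen order, as sketched below. Separately, both functions identify a subject by Kind and Name only (the `rbacv1.Subject` they build drops Namespace), so ServiceAccount subjects with the same name in different namespaces are merged; whether that matters depends on callers, which are not visible here. The doc comment above GetSubjectsByClusterRoles also still names `GetClusterRolePermissions`.

```go
// … unchanged: ignore-kind helper and the lookup of an existing owner entry …
			maps[owner.Kind.String()][owner.Name] = api.TenantSubjectRoles{
				// Copy so later appends and de-duplication never touch the Tenant spec.
				ClusterRoles: slices.Clone(owner.ClusterRoles),
			}
// … unchanged: additional role bindings loop …
	// Remove duplicates while keeping first-seen order.
	for kind, nameMap := range maps {
		for name, perm := range nameMap {
			seen := make(map[string]struct{}, len(perm.ClusterRoles))
			unique := make([]string, 0, len(perm.ClusterRoles))
			for _, role := range perm.ClusterRoles {
				if _, dup := seen[role]; dup {
					continue
				}
				seen[role] = struct{}{}
				unique = append(unique, role)
			}
			perm.ClusterRoles = unique
			maps[kind][name] = perm
		}
	}
```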


@@ -0,0 +1,192 @@
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
package v1beta2
import (
"reflect"
"testing"
"github.com/projectcapsule/capsule/pkg/api"
rbacv1 "k8s.io/api/rbac/v1"
)
var tenant = &Tenant{
Spec: TenantSpec{
Owners: []OwnerSpec{
{
Kind: "User",
Name: "user1",
ClusterRoles: []string{"cluster-admin", "read-only"},
},
{
Kind: "Group",
Name: "group1",
ClusterRoles: []string{"edit"},
},
{
Kind: ServiceAccountOwner,
Name: "service",
ClusterRoles: []string{"read-only"},
},
},
AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
{
ClusterRoleName: "developer",
Subjects: []rbacv1.Subject{
{Kind: "User", Name: "user2"},
{Kind: "Group", Name: "group1"},
},
},
{
ClusterRoleName: "cluster-admin",
Subjects: []rbacv1.Subject{
{
Kind: "User",
Name: "user3",
},
{
Kind: "Group",
Name: "group1",
},
},
},
{
ClusterRoleName: "deployer",
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: "system:serviceaccount:argocd:argo-operator",
},
},
},
},
},
}
// TestGetClusterRolePermissions tests the GetClusterRolePermissions function
func TestGetSubjectsByClusterRoles(t *testing.T) {
expected := map[string][]rbacv1.Subject{
"cluster-admin": {
{Kind: "User", Name: "user1"},
{Kind: "User", Name: "user3"},
{Kind: "Group", Name: "group1"},
},
"read-only": {
{Kind: "User", Name: "user1"},
{Kind: "ServiceAccount", Name: "service"},
},
"edit": {
{Kind: "Group", Name: "group1"},
},
"developer": {
{Kind: "User", Name: "user2"},
{Kind: "Group", Name: "group1"},
},
"deployer": {
{Kind: "ServiceAccount", Name: "system:serviceaccount:argocd:argo-operator"},
},
}
// Call the function to test
permissions := tenant.GetSubjectsByClusterRoles(nil)
if !reflect.DeepEqual(permissions, expected) {
t.Errorf("Expected %v, but got %v", expected, permissions)
}
// Ignore SubjectTypes (Ignores ServiceAccounts)
ignored := tenant.GetSubjectsByClusterRoles([]OwnerKind{"ServiceAccount"})
expectedIgnored := map[string][]rbacv1.Subject{
"cluster-admin": {
{Kind: "User", Name: "user1"},
{Kind: "User", Name: "user3"},
{Kind: "Group", Name: "group1"},
},
"read-only": {
{Kind: "User", Name: "user1"},
},
"edit": {
{Kind: "Group", Name: "group1"},
},
"developer": {
{Kind: "User", Name: "user2"},
{Kind: "Group", Name: "group1"},
},
}
if !reflect.DeepEqual(ignored, expectedIgnored) {
t.Errorf("Expected %v, but got %v", expectedIgnored, ignored)
}
}
func TestGetClusterRolesBySubject(t *testing.T) {
expected := map[string]map[string]api.TenantSubjectRoles{
"User": {
"user1": {
ClusterRoles: []string{"cluster-admin", "read-only"},
},
"user2": {
ClusterRoles: []string{"developer"},
},
"user3": {
ClusterRoles: []string{"cluster-admin"},
},
},
"Group": {
"group1": {
ClusterRoles: []string{"edit", "developer", "cluster-admin"},
},
},
"ServiceAccount": {
"service": {
ClusterRoles: []string{"read-only"},
},
"system:serviceaccount:argocd:argo-operator": {
ClusterRoles: []string{"deployer"},
},
},
}
permissions := tenant.GetClusterRolesBySubject(nil)
if !reflect.DeepEqual(permissions, expected) {
t.Errorf("Expected %v, but got %v", expected, permissions)
}
delete(expected, "ServiceAccount")
ignored := tenant.GetClusterRolesBySubject([]OwnerKind{"ServiceAccount"})
if !reflect.DeepEqual(ignored, expected) {
t.Errorf("Expected %v, but got %v", expected, ignored)
}
}
// Helper function to run tests
func TestMain(t *testing.M) {
t.Run()
}
// permissionsEqual checks the equality of two TenantPermission structs.
func permissionsEqual(a, b api.TenantSubjectRoles) bool {
if a.Kind != b.Kind {
return false
}
if len(a.ClusterRoles) != len(b.ClusterRoles) {
return false
}
// Create a map to count occurrences of cluster roles
counts := make(map[string]int)
for _, role := range a.ClusterRoles {
counts[role]++
}
for _, role := range b.ClusterRoles {
counts[role]--
if counts[role] < 0 {
return false // More occurrences in b than in a
}
}
return true
}
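Review bot: The shared `tenant` fixture never grants one subject the same ClusterRole twice, so the duplicate-removal step at the end of GetClusterRolesBySubject is not exercised by either test. Adding `{Kind: "User", Name: "user1"}` to the subjects of the `cluster-admin` additional role binding, while still expecting `[]string{"cluster-admin", "read-only"}` for user1, would cover a non-adjacent duplicate; the expectation for GetSubjectsByClusterRoles would need the extra user1 entry as well. `permissionsEqual` is not called anywhere in this file and its comment refers to a `TenantPermission` struct, so it can probably be dropped. `TestMain` only calls `t.Run()`, which is what the test runner does without it, and the comment on TestGetSubjectsByClusterRoles still names `GetClusterRolePermissions`.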


@@ -43,17 +43,28 @@ type TenantSpec struct {
// Specifies the allowed RuntimeClasses assigned to the Tenant.
// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
// Optional.
RuntimeClasses *api.SelectorAllowedListSpec `json:"runtimeClasses,omitempty"`
RuntimeClasses *api.DefaultAllowedListSpec `json:"runtimeClasses,omitempty"`
// Specifies the allowed priorityClasses assigned to the Tenant.
// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses.
// A default value can be specified, and all the Pod resources created will inherit the declared class.
// Optional.
PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
//+kubebuilder:default:=false
Cordoned bool `json:"cordoned,omitempty"`
// Prevent accidental deletion of the Tenant.
// When enabled, the deletion request will be declined.
//+kubebuilder:default:=false
PreventDeletion bool `json:"preventDeletion,omitempty"`
// Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
// When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
// separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
// this is useful to avoid Namespace name collision.
// When set to 'false', it allows Namespaces created for this Tenant to be named anything.
// Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
// If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
// Optional
ForceTenantPrefix *bool `json:"forceTenantPrefix,omitempty"`
}
// +kubebuilder:object:root=true
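Review bot: The comment above `RuntimeClasses` was not updated when the field type changed to `*api.DefaultAllowedListSpec` (assuming the second of the two printed lines is the new one, which matches the DeepCopy change further down the page). Unlike the `PriorityClasses` comment, it says nothing about a default, so I would add `// A default value can be specified, and all the Pod resources created will inherit the declared class.` if defaulting is the intent. Swapping the type of an existing field on a served API version is also worth confirming against already-stored Tenants; the definitions of both list specs are outside this hunk, so I cannot tell whether the old shape still decodes. The `Cordoned` comment reads more clearly as `// Toggles cordoning of the Tenant resources; when enabled, resources cannot be deleted.` The TenantSpec struct starts outside the hunk.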


@@ -1,5 +1,4 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0
@@ -756,7 +755,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
}
if in.RuntimeClasses != nil {
in, out := &in.RuntimeClasses, &out.RuntimeClasses
*out = new(api.SelectorAllowedListSpec)
*out = new(api.DefaultAllowedListSpec)
(*in).DeepCopyInto(*out)
}
if in.PriorityClasses != nil {
@@ -764,6 +763,11 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
*out = new(api.DefaultAllowedListSpec)
(*in).DeepCopyInto(*out)
}
if in.ForceTenantPrefix != nil {
in, out := &in.ForceTenantPrefix, &out.ForceTenantPrefix
*out = new(bool)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.

Binary file not shown.



@@ -1,101 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="Livello_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 595.28 841.89" style="enable-background:new 0 0 595.28 841.89;" xml:space="preserve">
<style type="text/css">
.st0{fill:#274872;}
.st1{fill:#314A70;}
.st2{fill:#5783AB;}
.st3{fill:#EAECEC;}
</style>
<path class="st0" d="M243.53,178.65c-0.06-4.5-0.37-9.02,0-13.49c0.1-1.22,2.13-3.09,3.45-3.25c6.99-0.88,14.03-1.47,21.07-1.8
c2.43-0.12,3.48-1.05,4.29-3.12c2-5.14,4.08-10.25,6.32-15.29c0.86-1.93,0.56-2.83-1.2-4.09c-4.42-3.15-4.97-8.41-1.6-12.08
c3.7-4.04,8.88-4.09,12.65-0.12c3.5,3.68,3.07,8.88-1.39,12.08c-1.93,1.39-2.08,2.44-1.22,4.44c2.19,5.06,3.96,10.31,6.33,15.27
c0.65,1.37,2.73,2.73,4.28,2.89c7.57,0.77,15.19,1.17,22.79,1.64c2.69,0.16,4.13,1.28,4.21,4.15c0.1,3.95,0.43,7.89,0.66,11.84
c-1.51,0.05-3.03,0.22-4.53,0.13c-12.54-0.76-37.47-2.65-37.47-2.65S254.81,177.52,243.53,178.65z"/>
<g>
<path class="st1" d="M73.32,483.91c-5.2-2.69-9.26-6.43-12.18-11.22c-2.92-4.78-4.38-10.21-4.38-16.28c0-6.07,1.46-11.5,4.38-16.28
c2.92-4.78,6.98-8.52,12.18-11.22c5.2-2.69,11.06-4.04,17.59-4.04c6.45,0,12.09,1.35,16.91,4.04c4.82,2.7,8.33,6.55,10.53,11.56
l-13.78,7.4c-3.19-5.62-7.78-8.43-13.78-8.43c-4.63,0-8.47,1.52-11.5,4.55c-3.04,3.04-4.55,7.17-4.55,12.41
c0,5.24,1.52,9.38,4.55,12.41c3.04,3.04,6.87,4.55,11.5,4.55c6.07,0,10.66-2.81,13.78-8.43l13.78,7.52
c-2.2,4.86-5.71,8.65-10.53,11.39c-4.82,2.73-10.46,4.1-16.91,4.1C84.38,487.95,78.52,486.6,73.32,483.91z"/>
<path class="st1" d="M175.17,431.64c5.08,4.52,7.63,11.33,7.63,20.44v34.96h-16.62v-7.63c-3.34,5.69-9.56,8.54-18.67,8.54
c-4.71,0-8.79-0.8-12.24-2.39c-3.46-1.59-6.09-3.79-7.91-6.6c-1.82-2.81-2.73-6-2.73-9.56c0-5.69,2.14-10.17,6.43-13.44
c4.29-3.26,10.91-4.9,19.87-4.9h14.12c0-3.87-1.18-6.85-3.53-8.94c-2.35-2.09-5.88-3.13-10.59-3.13c-3.26,0-6.47,0.51-9.62,1.54
c-3.15,1.03-5.83,2.41-8.03,4.16l-6.38-12.41c3.34-2.35,7.34-4.17,12.01-5.47c4.67-1.29,9.47-1.94,14.4-1.94
C162.8,424.87,170.08,427.13,175.17,431.64z M160.03,473.89c2.35-1.4,4.02-3.47,5.01-6.21v-6.26h-12.18
c-7.29,0-10.93,2.39-10.93,7.17c0,2.28,0.89,4.08,2.68,5.41c1.78,1.33,4.23,1.99,7.34,1.99
C154.98,475.99,157.67,475.29,160.03,473.89z"/>
<path class="st1" d="M250.6,428.8c4.67,2.62,8.33,6.3,10.99,11.04c2.66,4.75,3.99,10.27,3.99,16.57s-1.33,11.82-3.99,16.57
c-2.66,4.75-6.32,8.43-10.99,11.04s-9.85,3.93-15.54,3.93c-7.82,0-13.97-2.47-18.45-7.4v28.58h-17.76v-83.35h16.97v7.06
c4.4-5.31,10.82-7.97,19.24-7.97C240.76,424.87,245.94,426.18,250.6,428.8z M243.2,468.76c2.92-3.07,4.38-7.19,4.38-12.35
s-1.46-9.28-4.38-12.35c-2.92-3.07-6.66-4.61-11.22-4.61s-8.29,1.54-11.22,4.61c-2.92,3.07-4.38,7.19-4.38,12.35
s1.46,9.28,4.38,12.35c2.92,3.07,6.66,4.61,11.22,4.61S240.28,471.84,243.2,468.76z"/>
<path class="st1" d="M283.11,486.07c-4.86-1.25-8.73-2.83-11.61-4.73l5.92-12.75c2.73,1.75,6.03,3.17,9.91,4.27
c3.87,1.1,7.67,1.65,11.39,1.65c7.51,0,11.27-1.86,11.27-5.58c0-1.75-1.03-3-3.07-3.76c-2.05-0.76-5.2-1.4-9.45-1.94
c-5.01-0.76-9.15-1.63-12.41-2.62c-3.26-0.99-6.09-2.73-8.48-5.24s-3.59-6.07-3.59-10.7c0-3.87,1.12-7.3,3.36-10.3
c2.24-3,5.5-5.33,9.79-7c4.29-1.67,9.35-2.5,15.2-2.5c4.33,0,8.63,0.48,12.92,1.42c4.29,0.95,7.84,2.26,10.65,3.93l-5.92,12.64
c-5.39-3.04-11.27-4.55-17.65-4.55c-3.8,0-6.64,0.53-8.54,1.59c-1.9,1.06-2.85,2.43-2.85,4.1c0,1.9,1.02,3.23,3.07,3.99
c2.05,0.76,5.31,1.48,9.79,2.16c5.01,0.84,9.11,1.73,12.3,2.68c3.19,0.95,5.96,2.68,8.31,5.18c2.35,2.5,3.53,6,3.53,10.48
c0,3.8-1.14,7.17-3.42,10.13c-2.28,2.96-5.6,5.26-9.96,6.89c-4.37,1.63-9.55,2.45-15.54,2.45
C292.94,487.95,287.97,487.32,283.11,486.07z"/>
<path class="st1" d="M399.59,425.78v61.26h-16.85v-7.29c-2.35,2.66-5.16,4.69-8.43,6.09c-3.26,1.4-6.79,2.11-10.59,2.11
c-8.05,0-14.42-2.31-19.13-6.95c-4.71-4.63-7.06-11.5-7.06-20.61v-34.61h17.76v32c0,9.87,4.14,14.8,12.41,14.8
c4.25,0,7.67-1.38,10.25-4.16c2.58-2.77,3.87-6.89,3.87-12.35v-30.29H399.59z"/>
<path class="st1" d="M416.1,402.55h17.76v84.49H416.1V402.55z"/>
<path class="st1" d="M510.04,461.42H463.7c0.83,3.8,2.81,6.79,5.92,9c3.11,2.2,6.98,3.3,11.61,3.3c3.19,0,6.01-0.47,8.48-1.42
c2.47-0.95,4.76-2.45,6.89-4.5l9.45,10.25c-5.77,6.6-14.2,9.91-25.28,9.91c-6.91,0-13.02-1.35-18.33-4.04
c-5.31-2.69-9.41-6.43-12.3-11.22c-2.89-4.78-4.33-10.21-4.33-16.28c0-6,1.42-11.4,4.27-16.23c2.85-4.82,6.76-8.58,11.73-11.27
c4.97-2.69,10.53-4.04,16.68-4.04c6,0,11.42,1.29,16.28,3.87c4.86,2.58,8.67,6.28,11.44,11.1c2.77,4.82,4.16,10.42,4.16,16.79
C510.38,456.86,510.27,458.46,510.04,461.42z M468.48,441.72c-2.73,2.28-4.4,5.39-5.01,9.34h30.17c-0.61-3.87-2.28-6.96-5.01-9.28
c-2.73-2.31-6.07-3.47-10.02-3.47C474.59,438.3,471.21,439.44,468.48,441.72z"/>
</g>
<g>
<g>
<path class="st2" d="M144.97,316.25c2.88-4.14,5.7-8.31,8.68-12.38c0.84-1.14,2.13-1.94,3.22-2.9c8.67,2.77,17.24,5.98,26.06,8.18
c7.28,1.81,7.49,1.33,11.08-5.55c9.52-18.28,18.99-36.58,28.42-54.91c3.55-6.9,7.04-13.85,10.34-20.87c1.87-3.99,1-5.28-3.27-5.1
c-5.07,0.21-10.13,0.68-15.19,1.04c1.72-2.35,3.24-4.87,5.2-7.01c4.47-4.88,9.14-9.57,13.74-14.34c1.84-0.03,3.68,0.02,5.52-0.1
c14.62-1.03,29.24-2.1,43.86-3.16c-0.08,0.84-0.24,1.68-0.24,2.52c0.01,48.41,0.03,96.83,0.05,145.24
c-15.73,0.85-30.48,0.97-47.48-0.65c-16.01-1.04-30.66-3.54-46.6-5.49c-13.64-1.67-26.85-5.2-39.21-11.4
c-4.77-2.4-5.86-5.41-4.24-10.45C145.16,318.1,144.96,317.14,144.97,316.25z"/>
<path class="st3" d="M282.42,346.9c-0.02-48.41-0.04-96.83-0.05-145.24c0-0.84,0.05-1.64,0.04-2.48
c5.63,0.1,11.47-0.06,17.08,0.32c11.35,0.78,22.67,1.83,34.01,2.77c2.69,3.09,5.47,6.1,8.05,9.28c3.38,4.17,6.61,8.47,9.9,12.71
c-6.04-0.52-12.07-1.2-18.13-1.49c-4.12-0.2-4.91,1.24-3.08,4.81c9.87,19.27,19.73,38.54,29.65,57.78
c4.02,7.79,8.22,15.49,12.24,23.29c1.46,2.83,3.6,3.9,6.61,3.17c11.52-2.81,23.03-5.68,34.54-8.52c1.8,3.04,3.52,6.13,5.42,9.1
c0.89,1.39,2.13,2.56,3.21,3.83c0,0.56-0.19,1.22,0.04,1.66c3.28,6.31-0.16,9.95-5.82,12.53c-14.18,6.44-29.11,9.85-44.52,11.41
c-12.89,1.31-25.79,2.51-38.68,3.77c-6.24,0.61-12.47,1.45-18.72,1.79c-4.58,0.24-9.2-0.17-13.81-0.3
c-5.95-0.04-11.9-0.08-17.85-0.12L282.42,346.9z"/>
<path class="st2" d="M413.28,303.3c-11.51,2.84-23.02,5.71-34.54,8.52c-3.01,0.74-5.15-0.34-6.61-3.17
c-4.02-7.79-8.22-15.49-12.24-23.29c-9.92-19.24-19.79-38.51-29.65-57.78c-1.83-3.57-1.04-5.01,3.08-4.81
c6.05,0.29,12.09,0.97,18.13,1.49c1.89,0.4,2.54,0.15,5.06,3.74c17.1,24.41,37.01,47.73,54.85,71.62
C412.17,300.72,412.64,302.07,413.28,303.3z"/>
<path class="st3" d="M155.06,302.38c11.51,2.84,22.26,5.47,33.78,8.28c3.01,0.74,5.15-0.34,6.61-3.17
c4.02-7.79,8.22-15.49,12.24-23.29c9.92-19.24,17.3-37.26,26.37-56.7c1.83-3.57,0.68-4.95-3.44-4.75
c-6.05,0.29-10.08,0.42-16.13,0.94c-2.11,1.25-2.46,1.66-3.84,3.47c-18.01,23.75-35.83,47.64-53.67,71.53
C156.18,299.79,155.7,301.14,155.06,302.38z"/>
<path class="st0" d="M421.92,316.24c0,0.56-0.19,1.22,0.04,1.66c3.28,6.31-0.16,9.95-5.82,12.53
c-14.18,6.44-29.11,9.85-44.52,11.41c-12.89,1.31-25.79,2.51-38.68,3.77c-6.24,0.61-12.94,1.22-18.94,1.29
c-4.59,0.05-8.98,0.32-13.59,0.2c-5.95-0.04-11.9-0.08-17.85-0.12c0,0-0.12-0.08-0.12-0.08c-15.36,0.35-28.73,0.35-46.17-1.19
c-15.98-1.41-31.97-2.99-47.91-4.95c-13.64-1.67-26.85-5.2-39.21-11.4c-4.77-2.4-5.86-5.41-4.24-10.45
c0.26-0.81,0.06-1.77,0.07-2.66c-6.55,2.47-11.33,6.45-12.86,13.75c-1.74,8.28,0.69,15.31,5.77,21.67
c1.43,1.79,2.4,3.22,0.07,5.22c-0.71,0.61-0.81,3.27-0.15,3.89c6.36,6.04,13.89,10.11,22.37,12.36c2.35,0.62,4.12,0.02,4.62-2.85
c0.11-0.64,1.63-1.63,2.27-1.49c8.66,1.96,17.26,4.13,25.91,6.14c1.98,0.46,2.73,1,1.52,3.01c-1.45,2.4-0.41,3.92,2,4.93
c8.64,3.63,17.82,3.98,26.97,4.34c2.18,0.08,4.54-0.9,3.51-3.88c-1.11-3.22,0.45-3.2,2.83-2.99c8.57,0.73,17.14,1.44,25.72,1.95
c3.13,0.19,3.98,1.04,2.41,3.98c-1.6,2.98-0.26,4.76,2.9,4.77c14.82,0.08,29.65,0.17,44.46-0.08c4.59-0.08,5.1-1.29,3.36-5.63
c-0.84-2.1-0.97-2.87,1.76-3.02c9.16-0.52,18.32-1.21,27.45-2.12c2.5-0.25,3.06,0.34,2.55,2.56c-0.53,2.31,0.05,4.05,2.72,4.11
c9.52,0.21,18.91-0.53,27.82-4.34c1.95-0.83,3.09-2.06,1.71-4.23c-1.72-2.71-0.09-3.15,2.17-3.67c8.24-1.87,16.46-3.83,24.64-5.93
c1.82-0.47,3-0.77,3.21,1.6c0.26,2.99,2.1,3.32,4.53,2.61c8.11-2.36,15.55-5.98,21.6-11.99c0.69-0.69,1.03-2.99,0.55-3.39
c-3.18-2.71-1.41-4.64,0.51-6.95C437.87,340.92,439.33,322.67,421.92,316.24z"/>
</g>
</g>
<path class="st3" d="M324.35,192.94c-6.72-0.27-13.4-0.35-20.23-0.52c-7.13-0.17-18.9-0.51-18.9-0.51s-1.27,0.04-2.44,0
c0,0-0.63-0.01-0.63,0.18c-0.01-5.67,0.01-11.83,0-17.5c12.58,0.95,24.65,1.94,37.19,2.72c1.5,0.09,3.29-0.07,4.8-0.12
C324.19,182.43,324.33,187.69,324.35,192.94z"/>
<path class="st2" d="M243.35,193.45c6.72-0.27,10.02-0.35,16.86-0.52c7.13-0.17,18.9-0.51,18.9-0.51s1.27,0.04,2.44,0
c0,0,0.63-0.53,0.63-0.34c0.01-5.67-0.01-11.83,0-17.5c-12.58,0.95-21.28,1.94-33.82,2.72c-1.5,0.09-3.29-0.07-4.8-0.12
C243.51,182.43,243.38,188.21,243.35,193.45z"/>
<path class="st0" d="M327.57,193.15c-1.31-0.1-2.62-0.17-3.93-0.26c-13.33-0.32-26.66-0.63-39.99-0.95v0c-0.03,0-0.06,0-0.1,0
c-0.03,0-0.06,0-0.1,0v0c-13.33,0.32-26.66,0.63-39.99,0.95c-1.31,0.08-2.62,0.15-3.93,0.26c-6.26,0.5-6.88,1.16-6.73,7.17
c0.02,0.7,0.18,1.39,0.27,2.09c1.91-0.03,3.82,0.02,5.72-0.1c14.92-1.02,28.65-2.07,43.57-3.11c14.92,1.04,31.01,2.1,45.93,3.11
c1.9,0.13,3.81,0.07,5.72,0.1c0.09-0.7,0.25-1.39,0.27-2.09C334.45,194.31,333.82,193.65,327.57,193.15z"/>
<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" id="Livello_1" x="0" y="0" version="1.1" viewBox="36.76 68.993 493.611 493.611">
<style>.st0{fill:#274872}.st2{fill:#5783ab}.st3{fill:#eaecec}</style>
<path d="M243.53 178.65c-.06-4.5-.37-9.02 0-13.49.1-1.22 2.13-3.09 3.45-3.25 6.99-.88 14.03-1.47 21.07-1.8 2.43-.12 3.48-1.05 4.29-3.12 2-5.14 4.08-10.25 6.32-15.29.86-1.93.56-2.83-1.2-4.09-4.42-3.15-4.97-8.41-1.6-12.08 3.7-4.04 8.88-4.09 12.65-.12 3.5 3.68 3.07 8.88-1.39 12.08-1.93 1.39-2.08 2.44-1.22 4.44 2.19 5.06 3.96 10.31 6.33 15.27.65 1.37 2.73 2.73 4.28 2.89 7.57.77 15.19 1.17 22.79 1.64 2.69.16 4.13 1.28 4.21 4.15.1 3.95.43 7.89.66 11.84-1.51.05-3.03.22-4.53.13-12.54-.76-37.47-2.65-37.47-2.65s-27.36 2.32-38.64 3.45z" class="st0"/>
<path fill="#314a70" d="M73.32 483.91c-5.2-2.69-9.26-6.43-12.18-11.22-2.92-4.78-4.38-10.21-4.38-16.28s1.46-11.5 4.38-16.28c2.92-4.78 6.98-8.52 12.18-11.22 5.2-2.69 11.06-4.04 17.59-4.04 6.45 0 12.09 1.35 16.91 4.04 4.82 2.7 8.33 6.55 10.53 11.56l-13.78 7.4c-3.19-5.62-7.78-8.43-13.78-8.43-4.63 0-8.47 1.52-11.5 4.55-3.04 3.04-4.55 7.17-4.55 12.41s1.52 9.38 4.55 12.41c3.04 3.04 6.87 4.55 11.5 4.55 6.07 0 10.66-2.81 13.78-8.43l13.78 7.52c-2.2 4.86-5.71 8.65-10.53 11.39-4.82 2.73-10.46 4.1-16.91 4.1-6.53.01-12.39-1.34-17.59-4.03zm101.85-52.27c5.08 4.52 7.63 11.33 7.63 20.44v34.96h-16.62v-7.63c-3.34 5.69-9.56 8.54-18.67 8.54-4.71 0-8.79-.8-12.24-2.39-3.46-1.59-6.09-3.79-7.91-6.6-1.82-2.81-2.73-6-2.73-9.56 0-5.69 2.14-10.17 6.43-13.44 4.29-3.26 10.91-4.9 19.87-4.9h14.12c0-3.87-1.18-6.85-3.53-8.94-2.35-2.09-5.88-3.13-10.59-3.13-3.26 0-6.47.51-9.62 1.54-3.15 1.03-5.83 2.41-8.03 4.16l-6.38-12.41c3.34-2.35 7.34-4.17 12.01-5.47 4.67-1.29 9.47-1.94 14.4-1.94 9.49 0 16.77 2.26 21.86 6.77zm-15.14 42.25c2.35-1.4 4.02-3.47 5.01-6.21v-6.26h-12.18c-7.29 0-10.93 2.39-10.93 7.17 0 2.28.89 4.08 2.68 5.41 1.78 1.33 4.23 1.99 7.34 1.99 3.03 0 5.72-.7 8.08-2.1zm90.57-45.09c4.67 2.62 8.33 6.3 10.99 11.04 2.66 4.75 3.99 10.27 3.99 16.57s-1.33 11.82-3.99 16.57-6.32 8.43-10.99 11.04-9.85 3.93-15.54 3.93c-7.82 0-13.97-2.47-18.45-7.4v28.58h-17.76v-83.35h16.97v7.06c4.4-5.31 10.82-7.97 19.24-7.97 5.7 0 10.88 1.31 15.54 3.93zm-7.4 39.96c2.92-3.07 4.38-7.19 4.38-12.35s-1.46-9.28-4.38-12.35c-2.92-3.07-6.66-4.61-11.22-4.61s-8.29 1.54-11.22 4.61c-2.92 3.07-4.38 7.19-4.38 12.35s1.46 9.28 4.38 12.35c2.92 3.07 6.66 4.61 11.22 4.61s8.3-1.53 11.22-4.61zm39.91 17.31c-4.86-1.25-8.73-2.83-11.61-4.73l5.92-12.75c2.73 1.75 6.03 3.17 9.91 4.27 3.87 1.1 7.67 1.65 11.39 1.65 7.51 0 11.27-1.86 11.27-5.58 0-1.75-1.03-3-3.07-3.76-2.05-.76-5.2-1.4-9.45-1.94-5.01-.76-9.15-1.63-12.41-2.62-3.26-.99-6.09-2.73-8.48-5.24s-3.59-6.07-3.59-10.7c0-3.87 1.12-7.3 3.36-10.3 2.24-3 5.5-5.33 9.79-7 4.29-1.67 9.35-2.5 15.2-2.5 4.33 0 
8.63.48 12.92 1.42 4.29.95 7.84 2.26 10.65 3.93l-5.92 12.64c-5.39-3.04-11.27-4.55-17.65-4.55-3.8 0-6.64.53-8.54 1.59-1.9 1.06-2.85 2.43-2.85 4.1 0 1.9 1.02 3.23 3.07 3.99 2.05.76 5.31 1.48 9.79 2.16 5.01.84 9.11 1.73 12.3 2.68 3.19.95 5.96 2.68 8.31 5.18 2.35 2.5 3.53 6 3.53 10.48 0 3.8-1.14 7.17-3.42 10.13-2.28 2.96-5.6 5.26-9.96 6.89-4.37 1.63-9.55 2.45-15.54 2.45-5.09-.01-10.06-.64-14.92-1.89zm116.48-60.29v61.26h-16.85v-7.29a23.4 23.4 0 0 1-8.43 6.09c-3.26 1.4-6.79 2.11-10.59 2.11-8.05 0-14.42-2.31-19.13-6.95-4.71-4.63-7.06-11.5-7.06-20.61v-34.61h17.76v32c0 9.87 4.14 14.8 12.41 14.8 4.25 0 7.67-1.38 10.25-4.16 2.58-2.77 3.87-6.89 3.87-12.35v-30.29h17.77zm16.51-23.23h17.76v84.49H416.1v-84.49zm93.94 58.87H463.7c.83 3.8 2.81 6.79 5.92 9 3.11 2.2 6.98 3.3 11.61 3.3 3.19 0 6.01-.47 8.48-1.42 2.47-.95 4.76-2.45 6.89-4.5l9.45 10.25c-5.77 6.6-14.2 9.91-25.28 9.91-6.91 0-13.02-1.35-18.33-4.04-5.31-2.69-9.41-6.43-12.3-11.22-2.89-4.78-4.33-10.21-4.33-16.28 0-6 1.42-11.4 4.27-16.23 2.85-4.82 6.76-8.58 11.73-11.27 4.97-2.69 10.53-4.04 16.68-4.04 6 0 11.42 1.29 16.28 3.87 4.86 2.58 8.67 6.28 11.44 11.1 2.77 4.82 4.16 10.42 4.16 16.79.01.22-.1 1.82-.33 4.78zm-41.56-19.7c-2.73 2.28-4.4 5.39-5.01 9.34h30.17c-.61-3.87-2.28-6.96-5.01-9.28-2.73-2.31-6.07-3.47-10.02-3.47-4.02-.01-7.4 1.13-10.13 3.41z"/>
<path d="M144.97 316.25c2.88-4.14 5.7-8.31 8.68-12.38.84-1.14 2.13-1.94 3.22-2.9 8.67 2.77 17.24 5.98 26.06 8.18 7.28 1.81 7.49 1.33 11.08-5.55 9.52-18.28 18.99-36.58 28.42-54.91 3.55-6.9 7.04-13.85 10.34-20.87 1.87-3.99 1-5.28-3.27-5.1-5.07.21-10.13.68-15.19 1.04 1.72-2.35 3.24-4.87 5.2-7.01 4.47-4.88 9.14-9.57 13.74-14.34 1.84-.03 3.68.02 5.52-.1 14.62-1.03 29.24-2.1 43.86-3.16-.08.84-.24 1.68-.24 2.52.01 48.41.03 96.83.05 145.24-15.73.85-30.48.97-47.48-.65-16.01-1.04-30.66-3.54-46.6-5.49-13.64-1.67-26.85-5.2-39.21-11.4-4.77-2.4-5.86-5.41-4.24-10.45.25-.82.05-1.78.06-2.67z" class="st2"/>
<path d="M282.42 346.9c-.02-48.41-.04-96.83-.05-145.24 0-.84.05-1.64.04-2.48 5.63.1 11.47-.06 17.08.32 11.35.78 22.67 1.83 34.01 2.77 2.69 3.09 5.47 6.1 8.05 9.28 3.38 4.17 6.61 8.47 9.9 12.71-6.04-.52-12.07-1.2-18.13-1.49-4.12-.2-4.91 1.24-3.08 4.81 9.87 19.27 19.73 38.54 29.65 57.78 4.02 7.79 8.22 15.49 12.24 23.29 1.46 2.83 3.6 3.9 6.61 3.17 11.52-2.81 23.03-5.68 34.54-8.52 1.8 3.04 3.52 6.13 5.42 9.1.89 1.39 2.13 2.56 3.21 3.83 0 .56-.19 1.22.04 1.66 3.28 6.31-.16 9.95-5.82 12.53-14.18 6.44-29.11 9.85-44.52 11.41-12.89 1.31-25.79 2.51-38.68 3.77-6.24.61-12.47 1.45-18.72 1.79-4.58.24-9.2-.17-13.81-.3l-17.85-.12-.13-.07z" class="st3"/>
<path d="M413.28 303.3c-11.51 2.84-23.02 5.71-34.54 8.52-3.01.74-5.15-.34-6.61-3.17-4.02-7.79-8.22-15.49-12.24-23.29-9.92-19.24-19.79-38.51-29.65-57.78-1.83-3.57-1.04-5.01 3.08-4.81 6.05.29 12.09.97 18.13 1.49 1.89.4 2.54.15 5.06 3.74 17.1 24.41 37.01 47.73 54.85 71.62.81 1.1 1.28 2.45 1.92 3.68z" class="st2"/>
<path d="M155.06 302.38c11.51 2.84 22.26 5.47 33.78 8.28 3.01.74 5.15-.34 6.61-3.17 4.02-7.79 8.22-15.49 12.24-23.29 9.92-19.24 17.3-37.26 26.37-56.7 1.83-3.57.68-4.95-3.44-4.75-6.05.29-10.08.42-16.13.94-2.11 1.25-2.46 1.66-3.84 3.47-18.01 23.75-35.83 47.64-53.67 71.53-.8 1.1-1.28 2.45-1.92 3.69z" class="st3"/>
<path d="M421.92 316.24c0 .56-.19 1.22.04 1.66 3.28 6.31-.16 9.95-5.82 12.53-14.18 6.44-29.11 9.85-44.52 11.41-12.89 1.31-25.79 2.51-38.68 3.77-6.24.61-12.94 1.22-18.94 1.29-4.59.05-8.98.32-13.59.2l-17.85-.12-.12-.08c-15.36.35-28.73.35-46.17-1.19-15.98-1.41-31.97-2.99-47.91-4.95-13.64-1.67-26.85-5.2-39.21-11.4-4.77-2.4-5.86-5.41-4.24-10.45.26-.81.06-1.77.07-2.66-6.55 2.47-11.33 6.45-12.86 13.75-1.74 8.28.69 15.31 5.77 21.67 1.43 1.79 2.4 3.22.07 5.22-.71.61-.81 3.27-.15 3.89 6.36 6.04 13.89 10.11 22.37 12.36 2.35.62 4.12.02 4.62-2.85.11-.64 1.63-1.63 2.27-1.49 8.66 1.96 17.26 4.13 25.91 6.14 1.98.46 2.73 1 1.52 3.01-1.45 2.4-.41 3.92 2 4.93 8.64 3.63 17.82 3.98 26.97 4.34 2.18.08 4.54-.9 3.51-3.88-1.11-3.22.45-3.2 2.83-2.99 8.57.73 17.14 1.44 25.72 1.95 3.13.19 3.98 1.04 2.41 3.98-1.6 2.98-.26 4.76 2.9 4.77 14.82.08 29.65.17 44.46-.08 4.59-.08 5.1-1.29 3.36-5.63-.84-2.1-.97-2.87 1.76-3.02 9.16-.52 18.32-1.21 27.45-2.12 2.5-.25 3.06.34 2.55 2.56-.53 2.31.05 4.05 2.72 4.11 9.52.21 18.91-.53 27.82-4.34 1.95-.83 3.09-2.06 1.71-4.23-1.72-2.71-.09-3.15 2.17-3.67 8.24-1.87 16.46-3.83 24.64-5.93 1.82-.47 3-.77 3.21 1.6.26 2.99 2.1 3.32 4.53 2.61 8.11-2.36 15.55-5.98 21.6-11.99.69-.69 1.03-2.99.55-3.39-3.18-2.71-1.41-4.64.51-6.95 7.99-9.66 9.45-27.91-7.96-34.34z" class="st0"/>
<path d="M324.35 192.94c-6.72-.27-13.4-.35-20.23-.52-7.13-.17-18.9-.51-18.9-.51s-1.27.04-2.44 0c0 0-.63-.01-.63.18-.01-5.67.01-11.83 0-17.5 12.58.95 24.65 1.94 37.19 2.72 1.5.09 3.29-.07 4.8-.12.05 5.24.19 10.5.21 15.75z" class="st3"/>
<path d="M243.35 193.45c6.72-.27 10.02-.35 16.86-.52 7.13-.17 18.9-.51 18.9-.51s1.27.04 2.44 0c0 0 .63-.53.63-.34.01-5.67-.01-11.83 0-17.5-12.58.95-21.28 1.94-33.82 2.72-1.5.09-3.29-.07-4.8-.12-.05 5.25-.18 11.03-.21 16.27z" class="st2"/>
<path d="M327.57 193.15c-1.31-.1-2.62-.17-3.93-.26-13.33-.32-26.66-.63-39.99-.95h-.2c-13.33.32-26.66.63-39.99.95-1.31.08-2.62.15-3.93.26-6.26.5-6.88 1.16-6.73 7.17.02.7.18 1.39.27 2.09 1.91-.03 3.82.02 5.72-.1 14.92-1.02 28.65-2.07 43.57-3.11 14.92 1.04 31.01 2.1 45.93 3.11 1.9.13 3.81.07 5.72.1.09-.7.25-1.39.27-2.09.17-6.01-.46-6.67-6.71-7.17z" class="st0"/>
</svg>


@@ -22,3 +22,4 @@
*.tmproj
.vscode/
README.md.gotmpl
artifacthub-repo.yml


@@ -0,0 +1,4 @@
input:
- values.yaml
- ci/test-values.yaml
- ci/proxy-values.yaml


@@ -0,0 +1,6 @@
dependencies:
- name: capsule-proxy
repository: oci://ghcr.io/projectcapsule/charts
version: 0.9.3
digest: sha256:057afc3b971a7ffe5ada7d358d759ab3383ffca61aed07e224f3f6c4338568ee
generated: "2025-04-26T05:29:13.486605681Z"


@@ -4,6 +4,12 @@ description: A Helm chart to deploy the Capsule Operator for easily implementing
managing, and maintaining mutitenancy and access control in Kubernetes.
home: https://github.com/projectcapsule/capsule
icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
dependencies:
- name: capsule-proxy
version: 0.9.3
repository: "oci://ghcr.io/projectcapsule/charts"
condition: proxy.enabled
alias: proxy
keywords:
- kubernetes
- operator
@@ -18,11 +24,10 @@ maintainers:
name: capsule
sources:
- https://github.com/projectcapsule/capsule
# The version is overwritten by the release workflow.
version: 0.6.0
# This is the version number of the application being deployed.
# This version number should be incremented each time you make changes to the application.
appVersion: 0.5.0
# Note: The version is overwritten by the release workflow.
version: 0.0.0
# Note: The version is overwritten by the release workflow.
appVersion: 0.0.0
annotations:
artifacthub.io/operator: "true"
artifacthub.io/prerelease: "false"
@@ -33,9 +38,7 @@ annotations:
email: cncf-capsule-maintainers@lists.cncf.io
artifacthub.io/links: |
- name: Documentation
url: https://capsule.clastix.io/
# artifacthub.io/changes: |
# - kind: added
# description: artifacthub annotations
# - kind: changed
# description: maintainers contact
url: https://projectcapsule.dev/
artifacthub.io/changes: |
- kind: added
description: oci chart reference
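Review bot: The placeholder `appVersion: 0.0.0` in the second hunk is only safe once the release workflow has rewritten it: the README in this same change documents `manager.image.tag` as defaulting to the chart appVersion, so a render from a source checkout or a Git-based deployment would presumably ask for a `0.0.0` image unless the tag is set explicitly. I would have the comment say that, e.g. `# Note: overwritten by the release workflow; set manager.image.tag when installing from a source checkout.` Separately, the `capsule-proxy` dependency added in the first hunk is pinned by the OCI tag `0.9.3` only. As far as I know, the `digest` recorded in Chart.lock covers the dependency list rather than the chart archive, so it is worth confirming that the release workflow verifies the subchart it pulls.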


@@ -16,21 +16,41 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
* A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
## Quick Start
## Major Changes
In the following sections you see actions which are required when you are upgrading to a specific version.
### Upgrading to 0.7.x
Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
#### Changed Values
The following Values have changed key or Value:
* All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
* `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
* `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
## Installation
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
1. Add this repository:
$ helm repo add projectcapsule https://projectcapsule.github.io/charts
2. Install the Chart:
2. Install Capsule:
$ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
$ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
or
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0 -n capsule-system --create-namespace
3. Show the status:
@@ -58,7 +78,7 @@ Specify your overrides file when you install the chart:
$ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
The values in your overrides file `myvalues.yaml` will override their counterparts in the charts values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults.
The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults.
If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
@@ -66,49 +86,79 @@ If you only need to make minor customizations, you can specify them on the comma
Here the values you can override:
### CustomResourceDefinition Lifecycle
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| crds.annnotations | object | `{}` | Extra Annotations for CRDs |
| crds.exclusive | bool | `false` | Only install the CRDs, no other primitives |
| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
| crds.labels | object | `{}` | Extra Labels for CRDs |
### Global Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.jobs.kubectl.affinity | object | `{}` | Set affinity rules |
| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the certgen job. |
| global.jobs.kubectl.backoffLimit | int | `4` | Backofflimit for jobs |
| global.jobs.kubectl.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
| global.jobs.kubectl.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
| global.jobs.kubectl.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
| global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
| global.jobs.kubectl.imagePullSecrets | list | `[]` | ImagePullSecrets |
| global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
| global.jobs.kubectl.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
| global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
| global.jobs.kubectl.resources | object | `{}` | Job resources |
| global.jobs.kubectl.restartPolicy | string | `"Never"` | Set the restartPolicy |
| global.jobs.kubectl.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
| global.jobs.kubectl.tolerations | list | `[]` | Set list of tolerations |
| global.jobs.kubectl.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
| global.jobs.kubectl.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
### General Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Set affinity rules for the Capsule pod |
| certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate |
| certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
| customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
| imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
| jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
| jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
| jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
| mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
| jobs | object | `{}` | Deprecated, use .global.jobs.kubectl instead |
| nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
| podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
| podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
| ports | list | `[]` | Set additional ports for the deployment |
| priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
| replicaCount | int | `1` | Set the replica count for capsule pod |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
| tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. |
| tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. |
| tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. |
| tolerations | list | `[]` | Set list of tolerations for the Capsule pod |
| topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod |
| validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
### Manager Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
| manager.hostPID | bool | `false` | Specifies if the container should be started in hostPID mode. |
| manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
| manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
| manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
| manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups |
| manager.options.capsuleConfiguration | string | `"default"` | Change the default name of the capsule configuration name |
| manager.options.capsuleUserGroups | list | `["projectcapsule.dev"]` | Override the Capsule user groups |
| manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash |
| manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator |
| manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 |
@@ -118,10 +168,10 @@ Here the values you can override:
| manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
| manager.rbac.existingRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
| manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
| manager.resources.limits.cpu | string | `"200m"` | |
| manager.resources.limits.memory | string | `"128Mi"` | |
| manager.resources.requests.cpu | string | `"200m"` | |
| manager.resources.requests.memory | string | `"128Mi"` | |
| manager.resources | object | `{}` | Set the resource requests/limits for the Capsule manager container |
| manager.securityContext | object | `{}` | Set the securityContext for the Capsule container |
| manager.volumeMounts | list | `[]` | Set the additional volumeMounts needed for the Capsule manager container |
| manager.volumes | list | `[]` | Set the additional volumes needed for the Capsule manager container |
| manager.webhookPort | int | `9443` | Set an alternative to the default container port. Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |
### ServiceMonitor Parameters
@@ -139,42 +189,50 @@ Here the values you can override:
| serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
| serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
### Webhook Parameters
### Webhooks Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| webhooks.cordoning.failurePolicy | string | `"Fail"` | |
| webhooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.defaults.ingress.failurePolicy | string | `"Fail"` | |
| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.defaults.pods.failurePolicy | string | `"Fail"` | |
| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.defaults.pvc.failurePolicy | string | `"Fail"` | |
| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.ingresses.failurePolicy | string | `"Fail"` | |
| webhooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` | |
| webhooks.namespaces.failurePolicy | string | `"Fail"` | |
| webhooks.networkpolicies.failurePolicy | string | `"Fail"` | |
| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.nodes.failurePolicy | string | `"Fail"` | |
| webhooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` | |
| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.pods.failurePolicy | string | `"Fail"` | |
| webhooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.services.failurePolicy | string | `"Fail"` | |
| webhooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | |
| webhooks.tenants.failurePolicy | string | `"Fail"` | |
| webhooks.exclusive | bool | `false` | When `crds.exclusive` is `true` the webhooks will be installed |
| webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.defaults.ingress.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.defaults.pods.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.defaults.pvc.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.ingresses.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.nodes.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.pods.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.services.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | |
| webhooks.hooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | |
| webhooks.hooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | |
| webhooks.hooks.tenants.failurePolicy | string | `"Fail"` | |
| webhooks.mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
| webhooks.service.caBundle | string | `""` | CABundle for the webhook service |
| webhooks.service.name | string | `""` | Custom service name for the webhook service |
| webhooks.service.namespace | string | `""` | Custom service namespace for the webhook service |
| webhooks.service.port | string | `nil` | Custom service port for the webhook service |
| webhooks.service.url | string | `""` | The URL where the capsule webhook services are running (Overwrites cluster scoped service definition) |
| webhooks.validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks |
## Created resources


@@ -16,21 +16,42 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
* A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
## Quick Start
## Major Changes
In the following sections you see actions which are required when you are upgrading to a specific version.
### Upgrading to 0.7.x
Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
#### Changed Values
The following Values have changed key or Value:
* All values from previous releases under `webhooks` have moved to `webhooks.hooks`.
* `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds`
* `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds`
## Installation
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
1. Add this repository:
$ helm repo add projectcapsule https://projectcapsule.github.io/charts
2. Install the Chart:
2. Install Capsule:
$ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
$ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace
or
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace
$ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0 -n capsule-system --create-namespace
3. Show the status:
@@ -58,7 +79,7 @@ Specify your overrides file when you install the chart:
$ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system
The values in your overrides file `myvalues.yaml` will override their counterparts in the charts values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults.
The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that werent overridden will keep their defaults.
If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
@@ -66,13 +87,32 @@ If you only need to make minor customizations, you can specify them on the comma
Here the values you can override:
### CustomResourceDefinition Lifecycle
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if (hasPrefix "crds" .Key) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
### Global Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if (hasPrefix "global" .Key) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
### General Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if not (or (hasPrefix "manager" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }}
{{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
@@ -97,7 +137,7 @@ Here the values you can override:
{{- end }}
{{- end }}
### Webhook Parameters
### Webhooks Parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|


@@ -0,0 +1,4 @@
repositoryID: 783775bb-96c2-4915-8c7d-ba4a1118323c
owners:
- name: capsule-maintainers
email: cncf-capsule-maintainers@lists.cncf.io


@@ -0,0 +1,7 @@
proxy:
enabled: true
manager:
resources:
requests:
cpu: 200m
memory: 128Mi


@@ -1,16 +1,12 @@
fullnameOverride: capsule
manager:
# Manager RBAC
resources:
requests:
cpu: 200m
memory: 128Mi
rbac:
create: true
existingClusterRoles:
- "view"
existingRoles:
- "some-role"
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 200m
memory: 128Mi


@@ -0,0 +1,38 @@
# Custome values for capsule tracing.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
manager:
image:
registry: ghcr.io
repository: projectcapsule/capsule
pullPolicy: Never
tag: tracing
hostNetwork: true
hostPID: true
volumes:
- name: debugfs
hostPath:
path: /sys/kernel/debug
type: Directory
- name: data
hostPath:
path: /tmp/results
type: Directory
volumeMounts:
- name: debugfs
mountPath: /sys/kernel/debug
- mountPath: /tmp/results
name: data
securityContext:
capabilities:
add:
- SYS_ADMIN
- NET_ADMIN
- PERFOM
privileged: true
podSecurityContext:
seccompProfile:
type: "Unconfined"
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
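Review bot: `PERFOM` in `securityContext.capabilities.add` is not a Linux capability name; the capability that exists is `PERFMON`, so the entry should read `- PERFMON`. Because `privileged: true` follows directly after the list, the container already receives every capability and the `add` list has no effect; if the tracer can run without full privilege, dropping `privileged: true` and keeping the corrected list would make the required capabilities explicit. The file also combines `hostNetwork: true`, `hostPID: true`, UID 0, an `Unconfined` seccomp profile and a hostPath mount of `/sys/kernel/debug`, so I would open it with a comment such as `# Local tracing only: runs the manager privileged with host namespaces; do not reuse for cluster deployments.` The existing first comment line has a typo (`Custome`).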


@@ -0,0 +1,14 @@
metadata:
annotations:
{{- if $.Values.certManager.generateCertificates }}
cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert
{{- end }}
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
conversionReviewVersions:
- v1beta1
- v1beta2
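Review bot: When `certManager.generateCertificates` is false, the `annotations:` key under `metadata` renders with no value, which YAML reads as null. How that null is treated depends on the code that merges this fragment into the CRD, which is not visible here; if it is applied as-is it could clear annotations the CRD already carries. Opening the guard before `metadata:` (that is, moving `{{- if $.Values.certManager.generateCertificates }}` up two lines) emits `metadata` and `annotations` only when there is an entry to add. The other 14-line conversion fragment later in this commit has the same shape.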


@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.17.3
name: capsuleconfigurations.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -22,14 +21,19 @@ spec:
API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -38,23 +42,20 @@ spec:
properties:
enableTLSReconciler:
default: true
description: Toggles the TLS reconciler, the controller that is able
to generate CA and certificates for the webhooks when not using
an already provided CA and certificate, or when these are managed
externally with Vault, or cert-manager.
description: |-
Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
type: boolean
forceTenantPrefix:
default: false
description: Enforces the Tenant owner, during Namespace creation,
to name it using the selected Tenant name as prefix, separated by
a dash. This is useful to avoid Namespace name collision in a public
CaaS environment.
description: |-
Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
type: boolean
nodeMetadata:
description: Allows to set the forbidden metadata for the worker nodes
that could be patched by a Tenant. This applies only if the Tenant
has an active NodeSelector, and the Owner have right to patch their
nodes.
description: |-
Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
properties:
forbiddenAnnotations:
description: Define the annotations that a Tenant Owner cannot
@@ -87,15 +88,15 @@ spec:
TLSSecretName: capsule-tls
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
description: Allows to set different name rather than the canonical
one for the Capsule configuration objects, such as webhook secret
or configurations.
description: |-
Allows to set different name rather than the canonical one for the Capsule configuration objects,
such as webhook secret or configurations.
properties:
TLSSecretName:
default: capsule-tls
description: Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is
deployed.
description: |-
Defines the Secret name used for the webhook server.
Must be in the same Namespace where the Capsule Deployment is deployed.
type: string
mutatingWebhookConfigurationName:
default: capsule-mutating-webhook-configuration


@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.17.3
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -22,14 +21,19 @@ spec:
to a specific subset of Tenant resources.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -38,10 +42,9 @@ spec:
properties:
pruningOnDelete:
default: true
description: When the replicated resource manifest is deleted, all
the objects replicated so far will be automatically deleted. Disable
this to keep replicated resources although the deletion of the replication
manifest.
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
@@ -49,9 +52,9 @@ spec:
items:
properties:
additionalMetadata:
description: Besides the Capsule metadata required by TenantResource
controller, defines additional metadata that must be added
to the replicated resources.
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
@@ -63,49 +66,50 @@ spec:
type: object
type: object
namespaceSelector:
description: Defines the Namespace selector to select the Tenant
Namespaces on which the resources must be propagated. In case
of nil value, all the Tenant Namespaces are targeted.
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -118,10 +122,14 @@ spec:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
@@ -131,8 +139,8 @@ spec:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -140,33 +148,33 @@ spec:
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -187,9 +195,9 @@ spec:
type: array
resyncPeriod:
default: 60s
description: Define the period of time upon a second reconciliation
must be invoked. Keep in mind that any change to the manifests will
trigger a new reconciliation.
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
tenantSelector:
description: Defines the Tenant selector used target the tenants on
@@ -199,41 +207,42 @@ spec:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -253,13 +262,19 @@ spec:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind


@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.17.3
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
@@ -18,20 +17,25 @@ spec:
- name: v1beta2
schema:
openAPIV3Schema:
description: TenantResource allows a Tenant Owner, if enabled with proper
RBAC, to propagate resources in its Namespace. The object must be deployed
in a Tenant Namespace, and cannot reference object living in non-Tenant
namespaces. For such cases, the GlobalTenantResource must be used.
description: |-
TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace.
The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
For such cases, the GlobalTenantResource must be used.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -40,10 +44,9 @@ spec:
properties:
pruningOnDelete:
default: true
description: When the replicated resource manifest is deleted, all
the objects replicated so far will be automatically deleted. Disable
this to keep replicated resources although the deletion of the replication
manifest.
description: |-
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along
@@ -51,9 +54,9 @@ spec:
items:
properties:
additionalMetadata:
description: Besides the Capsule metadata required by TenantResource
controller, defines additional metadata that must be added
to the replicated resources.
description: |-
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
added to the replicated resources.
properties:
annotations:
additionalProperties:
@@ -65,49 +68,50 @@ spec:
type: object
type: object
namespaceSelector:
description: Defines the Namespace selector to select the Tenant
Namespaces on which the resources must be propagated. In case
of nil value, all the Tenant Namespaces are targeted.
description: |-
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -120,10 +124,14 @@ spec:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
selector:
description: Label selector used to select the given resources
@@ -133,8 +141,8 @@ spec:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -142,33 +150,33 @@ spec:
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -189,9 +197,9 @@ spec:
type: array
resyncPeriod:
default: 60s
description: Define the period of time upon a second reconciliation
must be invoked. Keep in mind that any change to the manifests will
trigger a new reconciliation.
description: |-
Define the period of time upon a second reconciliation must be invoked.
Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
required:
- resources
@@ -208,13 +216,19 @@ spec:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
required:
- kind


@@ -0,0 +1,14 @@
metadata:
annotations:
{{- if $.Values.certManager.generateCertificates }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
{{- end }}
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
{{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }}
conversionReviewVersions:
- v1beta1
- v1beta2


@@ -1,119 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
name: capsuleconfigurations.capsule.clastix.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: capsule-webhook-service
namespace: capsule-system
path: /convert
conversionReviewVersions:
- v1beta1
- v1beta2
group: capsule.clastix.io
names:
kind: CapsuleConfiguration
listKind: CapsuleConfigurationList
plural: capsuleconfigurations
singular: capsuleconfiguration
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: CapsuleConfiguration is the Schema for the Capsule configuration API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: CapsuleConfigurationSpec defines the Capsule configuration.
properties:
enableTLSReconciler:
default: true
description: Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
type: boolean
forceTenantPrefix:
default: false
description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
type: boolean
nodeMetadata:
description: Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant. This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
properties:
forbiddenAnnotations:
description: Define the annotations that a Tenant Owner cannot set for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
forbiddenLabels:
description: Define the labels that a Tenant Owner cannot set for their nodes.
properties:
denied:
items:
type: string
type: array
deniedRegex:
type: string
type: object
required:
- forbiddenAnnotations
- forbiddenLabels
type: object
overrides:
default:
TLSSecretName: capsule-tls
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
description: Allows to set different name rather than the canonical one for the Capsule configuration objects, such as webhook secret or configurations.
properties:
TLSSecretName:
default: capsule-tls
description: Defines the Secret name used for the webhook server. Must be in the same Namespace where the Capsule Deployment is deployed.
type: string
mutatingWebhookConfigurationName:
default: capsule-mutating-webhook-configuration
description: Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
type: string
validatingWebhookConfigurationName:
default: capsule-validating-webhook-configuration
description: Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
type: string
required:
- TLSSecretName
- mutatingWebhookConfigurationName
- validatingWebhookConfigurationName
type: object
protectedNamespaceRegex:
description: Disallow creation of namespaces, whose name matches this regexp
type: string
userGroups:
default:
- capsule.clastix.io
description: Names of the groups for Capsule users.
items:
type: string
type: array
required:
- enableTLSReconciler
type: object
type: object
served: true
storage: true


@@ -1,222 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: globaltenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: GlobalTenantResource
listKind: GlobalTenantResourceList
plural: globaltenantresources
singular: globaltenantresource
scope: Cluster
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
properties:
pruningOnDelete:
default: true
description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
selector:
description: Label selector used to select the given resources in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
tenantSelector:
description: Defines the Tenant selector used target the tenants on which resources must be propagated.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- resources
- resyncPeriod
type: object
status:
description: GlobalTenantResourceStatus defines the observed state of GlobalTenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
required:
- kind
- name
- namespace
type: object
type: array
selectedTenants:
description: List of Tenants addressed by the GlobalTenantResource.
items:
type: string
type: array
required:
- processedItems
- selectedTenants
type: object
type: object
served: true
storage: true
subresources:
status: {}

File diff suppressed because it is too large Load Diff


@@ -1,185 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: tenantresources.capsule.clastix.io
spec:
group: capsule.clastix.io
names:
kind: TenantResource
listKind: TenantResourceList
plural: tenantresources
singular: tenantresource
scope: Namespaced
versions:
- name: v1beta2
schema:
openAPIV3Schema:
description: TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace. The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces. For such cases, the GlobalTenantResource must be used.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TenantResourceSpec defines the desired state of TenantResource.
properties:
pruningOnDelete:
default: true
description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest.
type: boolean
resources:
description: Defines the rules to select targeting Namespace, along with the objects that must be replicated.
items:
properties:
additionalMetadata:
description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespacedItems:
description: List of the resources already existing in other Namespaces that must be replicated.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
selector:
description: Label selector used to select the given resources in the given Namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- kind
- namespace
- selector
type: object
type: array
rawItems:
description: List of raw resources that must be replicated.
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
resyncPeriod:
default: 60s
description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation.
type: string
required:
- resources
- resyncPeriod
type: object
status:
description: TenantResourceStatus defines the observed state of TenantResource.
properties:
processedItems:
description: List of the replicated resources for the given TenantResource.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
required:
- kind
- name
- namespace
type: object
type: array
required:
- processedItems
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -105,10 +105,12 @@ Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
Create the jobs fully-qualified Docker image to use
*/}}
{{- define "capsule.jobsFullyQualifiedDockerImage" -}}
{{- if .Values.jobs.image.tag }}
{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
{{- if $Values.image.tag }}
{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository $Values.image.tag -}}
{{- else }}
{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
{{- end }}
{{- end }}
@@ -125,3 +127,30 @@ Create the Capsule TLS Secret name to use
{{- define "capsule.secretTlsName" -}}
{{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }}
{{- end }}
{{/*
Capsule Webhook service (Called with $.Path)
*/}}
{{- define "capsule.webhooks.service" -}}
{{- include "capsule.webhooks.cabundle" $.ctx | nindent 0 }}
{{- if $.ctx.Values.webhooks.service.url }}
url: {{ printf "%s/%s" (trimSuffix "/" $.ctx.Values.webhooks.service.url ) (trimPrefix "/" (required "Path is required for the function" $.path)) }}
{{- else }}
service:
name: {{ default (printf "%s-webhook-service" (include "capsule.fullname" $.ctx)) $.ctx.Values.webhooks.service.name }}
namespace: {{ default $.ctx.Release.Namespace $.ctx.Values.webhooks.service.namespace }}
port: {{ default 443 $.ctx.Values.webhooks.service.port }}
path: {{ required "Path is required for the function" $.path }}
{{- end }}
{{- end }}
{{/*
Capsule Webhook endpoint CA Bundle
*/}}
{{- define "capsule.webhooks.cabundle" -}}
{{- if $.Values.webhooks.service.caBundle -}}
caBundle: {{ $.Values.webhooks.service.caBundle -}}
{{- end -}}
{{- end -}}
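Review bot: `mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs` in `capsule.jobsFullyQualifiedDockerImage` writes its result into the first argument, so every call to the helper rewrites `.Values.global.jobs.kubectl` in place; the same expression opens the CRD install Job template (`@@ -0,0 +1,101 @@`). Since `global` values are shared with parent and sibling charts, the merged job settings can presumably leak into templates rendered later. Merging into a copy avoids that: `{{- $Values := mergeOverwrite (deepCopy $.Values.global.jobs.kubectl) $.Values.jobs -}}`. In the second hunk, `url:` in `capsule.webhooks.service` and `caBundle:` in `capsule.webhooks.cabundle` are emitted unquoted; piping both through `quote` keeps a value containing YAML-special characters from changing the shape of the webhook `clientConfig`.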


@@ -1,4 +1,5 @@
{{- if .Values.certManager.generateCertificates }}
{{- if not $.Values.crds.exclusive }}
{{- if .Values.certManager.generateCertificates }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
@@ -26,6 +27,9 @@ spec:
dnsNames:
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
{{- range .Values.certManager.additionalSANS }}
- {{ toYaml . }}
{{- end }}
issuerRef:
kind: Issuer
name: {{ include "capsule.fullname" . }}-webhook-selfsigned
@@ -33,4 +37,5 @@ spec:
subject:
organizations:
- clastix.io
{{- end }}
{{- end }}


@@ -1,12 +1,14 @@
{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
{{- if not $.Values.crds.exclusive }}
{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }}
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "capsule.labels" . | nindent 4 }}
{{- with .Values.customAnnotations }}
{{- with .Values.customAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "capsule.secretTlsName" . }}
{{- end }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
@@ -24,3 +25,4 @@ spec:
nodeMetadata:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@@ -0,0 +1,15 @@
{{- define "capsule.crds.name" -}}
{{- printf "%s-crds" (include "capsule.name" $) -}}
{{- end }}
{{- define "capsule.crds.annotations" -}}
"helm.sh/hook": "pre-install,pre-upgrade"
{{- end }}
{{- define "capsule.crds.component" -}}
crd-install-hook
{{- end }}
{{- define "capsule.crds.regexReplace" -}}
{{- printf "%s" ($ | base | trimSuffix ".yaml" | regexReplaceAll "[_.]" "-") -}}
{{- end }}
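Review bot: `capsule.crds.annotations` sets only `helm.sh/hook`, so the hook ServiceAccount, ClusterRole and ClusterRoleBinding that include it stay in the cluster after the CRD Job has finished, leaving a standing identity that can create, patch and delete CustomResourceDefinitions. With no delete policy, Helm only removes a hook resource right before the next hook run (worth confirming against the Helm version in use). Adding `"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"` to the helper would remove the RBAC objects once the install or upgrade succeeds, while a failed Job stays available for inspection. `capsule.crds.regexReplace` is not referenced by any template visible in this comparison and may be dead code.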


@@ -0,0 +1,56 @@
{{/* CustomResources Lifecycle */}}
{{- if $.Values.crds.install }}
{{ range $path, $_ := .Files.Glob "crds/**.yaml" }}
{{- with $ }}
{{- $content := (tpl (.Files.Get $path) $) -}}
{{- $p := (fromYaml $content) -}}
{{- if $p.Error }}
{{- fail (printf "found YAML error in file %s - %s - raw:\n\n%s" $path $p.Error $content) -}}
{{- end -}}
{{/* Add Common Lables */}}
{{- $_ := set $p.metadata "labels" (mergeOverwrite (default dict (get $p.metadata "labels")) (default dict $.Values.crds.labels) (fromYaml (include "capsule.labels" $))) -}}
{{/* Add Common Lables */}}
{{- $_ := set $p.metadata "annotations" (mergeOverwrite (default dict (get $p.metadata "annotations")) (default dict $.Values.crds.annotations)) -}}
{{/* Add Keep annotation to CRDs */}}
{{- if $.Values.crds.keep }}
{{- $_ := set $p.metadata.annotations "helm.sh/resource-policy" "keep" -}}
{{- end }}
{{/* Add Spec Patches for the CRD */}}
{{- $patchFile := $path | replace ".yaml" ".patch" }}
{{- $patchRawContent := (tpl (.Files.Get $patchFile) $) -}}
{{- if $patchRawContent -}}
{{- $patchContent := (fromYaml $patchRawContent) -}}
{{- if $patchContent.Error }}
{{- fail (printf "found YAML error in patch file %s - %s - raw:\n\n%s" $patchFile $patchContent.Error $patchRawContent) -}}
{{- end -}}
{{- $tmp := deepCopy $p | mergeOverwrite $patchContent -}}
{{- $p = $tmp -}}
{{- end -}}
{{- if $p }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capsule.crds.name" . }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-5"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
data:
content: |
{{- printf "---\n%s" (toYaml $p) | nindent 4 }}
{{- end }}
{{ end }}
{{- end }}
{{- end }}
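Review bot: In the patch step, `deepCopy $p | mergeOverwrite $patchContent` passes the patch as the destination and the CRD as the source, and Sprig's `mergeOverwrite` lets later arguments win, so on a conflicting key the generated CRD overrides the `.patch` file rather than the reverse. The conversion patch added in this comparison presumably works only because the regenerated CRD no longer carries `spec.conversion`; if a generated file ever does again (the removed CRD hard-coded `capsule-webhook-service` in `capsule-system`), the templated `clientConfig` would be silently discarded. If patches are meant to take precedence, swap the arguments: `{{- $tmp := mergeOverwrite (deepCopy $p) $patchContent -}}`. The second `{{/* Add Common Lables */}}` comment sits above the annotations merge and should read `{{/* Add Common Annotations */}}`, with `Lables` corrected to `Labels` in the first.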


@@ -0,0 +1,101 @@
{{/* Backwards compatibility */}}
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
{{- if .Values.crds.install }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-1"
{{- include "capsule.crds.annotations" . | nindent 4 }}
{{- with $Values.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
spec:
backoffLimit: {{ $Values.backoffLimit }}
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
name: "{{ include "capsule.crds.name" . }}"
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $Values.restartPolicy }}
{{- with $Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with $Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capsule.crds.name" . }}
containers:
- name: crds-hook
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ $Values.image.pullPolicy }}
{{- with $Values.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
command:
- sh
- -c
- |
set -o errexit ; set -o xtrace ; set -o nounset
# piping stderr to stdout means kubectl's errors are surfaced
# in the pod's logs.
kubectl apply --server-side=true --overwrite=true --force-conflicts=true -f /data/ 2>&1
volumeMounts:
{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
- name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
mountPath: /data/{{ $path | base }}
subPath: {{ $path | base }}
{{- end }}
{{- with $Values.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
volumes:
{{ $currentScope := . }}
{{- range $path, $_ := .Files.Glob "crds/**.yaml" }}
{{- with $currentScope }}
- name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
configMap:
name: {{ include "capsule.crds.name" $ }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }}
items:
- key: content
path: {{ $path | base }}
{{- end }}
{{- end }}
{{- end }}
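Review bot: `{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}` compares against a float literal, and Go templates refuse to compare an integer with a float, so a value that arrives as an integer (for example through `--set`) or is unset aborts rendering with a comparison error instead of just skipping the field. Normalising the value first avoids that: `{{- if and (not (kindIs "invalid" $Values.ttlSecondsAfterFinished)) (ge (int $Values.ttlSecondsAfterFinished) 0) }}`. The `kubectl apply` line uses `--force-conflicts=true`, which takes field ownership from any other manager of these CRDs on every install and upgrade; a script comment such as `# force-conflicts: this hook is the sole owner of the Capsule CRDs` would make that intent explicit for operators who also manage the CRDs through GitOps.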


@@ -0,0 +1,52 @@
{{- if .Values.crds.install }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- jobs
verbs:
- create
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- delete
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "capsule.crds.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
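Review bot: The first ClusterRole rule grants `create` and `delete` on `jobs` under the core API group (`""`), but Jobs belong to `batch`, so the rule matches nothing; the hook script visible in this comparison only runs `kubectl apply` on CRDs, so the rule can be dropped rather than corrected. The CRD rule also grants `delete`, which a server-side apply does not need; keeping only `create`, `get` and `patch` narrows what the hook ServiceAccount can do cluster-wide. `namespace:` under `metadata` has no effect on the cluster-scoped ClusterRole and ClusterRoleBinding and can be removed from both.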


@@ -0,0 +1,14 @@
{{- if .Values.crds.install }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "capsule.crds.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-4"
{{- include "capsule.crds.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
{{- end }}


@@ -1,4 +1,5 @@
{{- if eq .Values.manager.kind "DaemonSet" }}
{{- if not $.Values.crds.exclusive }}
{{- if eq .Values.manager.kind "DaemonSet" }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@@ -63,7 +64,7 @@ spec:
- --webhook-port={{ .Values.manager.webhookPort }}
- --enable-leader-election
- --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
- --configuration-name=default
- --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
env:
@@ -90,4 +91,5 @@ spec:
{{- toYaml .Values.manager.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- end }}
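Review bot: `--configuration-name={{ .Values.manager.options.capsuleConfiguration }}` has no fallback, so an empty or missing value starts the manager with `--configuration-name=` where the old template always passed `default`; the Deployment template carries the same line. Unless values.yaml guarantees a default (not visible here), the previous behaviour is kept with `--configuration-name={{ default "default" .Values.manager.options.capsuleConfiguration }}`. The name of the CapsuleConfiguration object rendered by the chart has to stay in step with this value, otherwise the manager looks up a configuration that does not exist. The container spec continues outside the hunk.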


@@ -1,4 +1,5 @@
{{- if eq .Values.manager.kind "Deployment" }}
{{- if not $.Values.crds.exclusive }}
{{- if eq .Values.manager.kind "Deployment" }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -36,6 +37,11 @@ spec:
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
{{- if .Values.manager.hostPID }}
hostPID: {{ .Values.manager.hostPID }}
{{- else }}
hostPID: false
{{- end }}
priorityClassName: {{ .Values.priorityClassName }}
{{- with .Values.nodeSelector }}
nodeSelector:
@@ -58,13 +64,16 @@ spec:
secret:
defaultMode: 420
secretName: {{ include "capsule.secretTlsName" . }}
{{- if .Values.manager.volumes }}
{{- toYaml .Values.manager.volumes | nindent 8 }}
{{- end }}
containers:
- name: manager
args:
- --webhook-port={{ .Values.manager.webhookPort }}
- --enable-leader-election
- --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
- --configuration-name=default
- --webhook-port={{ .Values.manager.webhookPort }}
- --enable-leader-election
- --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
- --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
env:
@@ -73,22 +82,35 @@ spec:
fieldRef:
fieldPath: metadata.namespace
ports:
{{- if not (.Values.manager.hostNetwork) }}
- name: webhook-server
containerPort: {{ .Values.manager.webhookPort }}
protocol: TCP
- name: metrics
containerPort: 8080
protocol: TCP
{{- end }}
{{- with .Values.manager.ports }}
{{- . | nindent 12 }}
{{- end }}
livenessProbe:
{{- toYaml .Values.manager.livenessProbe | nindent 12}}
readinessProbe:
{{- toYaml .Values.manager.readinessProbe | nindent 12}}
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
{{- if .Values.manager.volumeMounts }}
{{- toYaml .Values.manager.volumeMounts | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.manager.resources | nindent 12 }}
securityContext:
{{- if .Values.manager.securityContext }}
{{- toYaml .Values.manager.securityContext | nindent 12 }}
{{- else }}
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
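Review bot: The new `manager.ports` block pipes its value straight into `nindent` (`{{- . | nindent 12 }}`), while the `manager.volumes` and `manager.volumeMounts` blocks added in the same section go through `toYaml` first. `nindent` takes a string, so a list of port objects from values would presumably fail to render or not come out as YAML; unless the value is meant to be a pre-rendered string, use `{{- toYaml . | nindent 12 }}`. The new `manager.hostPID` switch puts the manager into the node's PID namespace when enabled, so the values documentation should state that the default is `false` and when enabling it is needed.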


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
apiVersion: v1
kind: Service
metadata:
@@ -18,3 +19,4 @@ spec:
{{- include "capsule.selectorLabels" . | nindent 4 }}
sessionAffinity: None
type: ClusterIP
{{- end }}


@@ -1,3 +1,4 @@
{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
@@ -12,19 +13,13 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- with .Values.webhooks.defaults.pods }}
{{- with .Values.webhooks.hooks.defaults.pods }}
- admissionReviewVersions:
- v1
clientConfig:
{{- if not $.Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" $ }}-webhook-service
namespace: {{ $.Release.Namespace }}
path: /defaults
{{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
name: pod.defaults.capsule.clastix.io
name: pod.defaults.projectcapsule.dev
rules:
- apiGroups:
- ""
@@ -34,23 +29,19 @@ webhooks:
- CREATE
resources:
- pods
scope: "Namespaced"
namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.defaults.pvc }}
{{- with .Values.webhooks.hooks.defaults.pvc }}
- admissionReviewVersions:
- v1
clientConfig:
{{- if not $.Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" $ }}-webhook-service
namespace: {{ $.Release.Namespace }}
path: /defaults
{{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
name: storage.defaults.capsule.clastix.io
name: storage.defaults.projectcapsule.dev
rules:
- apiGroups:
- ""
@@ -60,23 +51,19 @@ webhooks:
- CREATE
resources:
- persistentvolumeclaims
scope: "Namespaced"
namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.defaults.ingress }}
{{- with .Values.webhooks.hooks.defaults.ingress }}
- admissionReviewVersions:
- v1
clientConfig:
{{- if not $.Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" $ }}-webhook-service
namespace: {{ $.Release.Namespace }}
path: /defaults
{{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
name: ingress.defaults.capsule.clastix.io
name: ingress.defaults.projectcapsule.dev
rules:
- apiGroups:
- networking.k8s.io
@@ -88,25 +75,21 @@ webhooks:
- UPDATE
resources:
- ingresses
scope: "Namespaced"
namespaceSelector:
{{- toYaml .namespaceSelector | nindent 4}}
sideEffects: None
{{- end }}
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.namespaceOwnerReference }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /namespace-owner-reference
port: 443
failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: owner.namespace.capsule.clastix.io
name: owner.namespace.projectcapsule.dev
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
@@ -122,4 +105,6 @@ webhooks:
- namespaces
scope: '*'
sideEffects: NoneOnDryRun
timeoutSeconds: {{ .Values.mutatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
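Review bot: Each webhook entry is now wrapped in `{{- with .Values.webhooks.hooks.<name> }}`, so a values override that leaves a hook's map empty or null removes that webhook from the rendered configuration without any error. For the `defaults` hooks here that only skips defaulting, but the ValidatingWebhookConfiguration template in this change uses the same gating, and there a dropped entry means the corresponding admission checks are no longer registered. I would add a template comment above the first block, e.g. `{{- /* an empty webhooks.hooks.<name> removes this webhook entirely */ -}}`, and document the behaviour next to `webhooks.hooks` in the values file.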


@@ -1,58 +0,0 @@
{{- if .Values.podSecurityPolicy.enabled }}
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: {{ include "capsule.fullname" . }}
labels:
{{- include "capsule.labels" . | nindent 4 }}
{{- with .Values.customAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
fsGroup:
rule: RunAsAny
hostPorts:
- max: 0
min: 0
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "capsule.fullname" . }}-use-psp
labels:
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- {{ include "capsule.fullname" . }}
verbs:
- use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "capsule.fullname" . }}-use-psp
labels:
{{- include "capsule.labels" . | nindent 4 }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "capsule.fullname" . }}-use-psp
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "capsule.serviceAccountName" . }}
{{- end }}


@@ -1,55 +0,0 @@
{{- if .Values.tls.create }}
{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretTlsName" .) -}}
{{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}}
{{- $cmd = printf "%s done" $cmd -}}
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-waiting-certs"
labels:
{{- include "capsule.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded
{{- with .Values.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: post-install-job
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
command: ["sh", "-c", "{{ $cmd }}"]
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
serviceAccountName: {{ include "capsule.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -0,0 +1,11 @@
{{- define "capsule.post-install.name" -}}
{{- printf "%s-post-install" (include "capsule.name" $) -}}
{{- end }}
{{- define "capsule.post-install.annotations" -}}
"helm.sh/hook": post-install
{{- end }}
{{- define "capsule.post-install.component" -}}
post-install-hook
{{- end }}
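Review bot: `capsule.post-install.annotations` sets only `"helm.sh/hook": post-install`, whereas the job this replaces also carried `"helm.sh/hook-delete-policy": hook-succeeded`. Hook resources are not managed as part of the release, so without a delete policy the hook's ServiceAccount, Role and RoleBinding presumably stay in the namespace after a successful install (the Job itself may be removed through `ttlSecondsAfterFinished`). Consider adding `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` to this helper so the secret-reading identity is removed once the wait is over. The `capsule.pre-delete.annotations` helper in this change has no delete policy either.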


@@ -0,0 +1,84 @@
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
{{- if .Values.tls.create }}
{{- if not $.Values.crds.exclusive }}
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ include "capsule.post-install.name" . }}"
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
annotations:
"helm.sh/hook-weight": "-1"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
{{- with $Values.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
spec:
backoffLimit: {{ $Values.backoffLimit }}
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $Values.restartPolicy }}
{{- with $Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with $Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capsule.post-install.name" . }}
containers:
- name: post-install
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ $Values.image.pullPolicy }}
command:
- "sh"
- "-c"
- |
set -o errexit ; set -o nounset
while [ -z $(kubectl -n $NAMESPACE get secret {{ include "capsule.secretTlsName" $ }} -o jsonpath='{.data.tls\.crt}') ]; do
echo 'waiting Capsule to be up and running...' && sleep 5;
done
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with $Values.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with $Values.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
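Review bot: `mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs` on the first line writes the merged result into `global.jobs.kubectl` itself, because `mergeOverwrite` mutates its first argument. Any template rendered afterwards that reads `global.jobs.kubectl` then sees the `jobs` overrides, which makes the output depend on render order; the pre-delete Job template opens with the same line. Merging into a copy avoids that: `{{- $Values := mergeOverwrite (deepCopy $.Values.global.jobs.kubectl) $.Values.jobs -}}`.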


@@ -0,0 +1,44 @@
{{- if .Values.tls.create }}
{{- if not $.Values.crds.exclusive }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "capsule.post-install.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
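Review bot: The post-install Role grants `get` on every Secret in the release namespace, although the job only reads the TLS secret named by `capsule.secretTlsName`. The pre-delete Role in this change already scopes its rule with `resourceNames`; the same can be done here by adding `resourceNames:` with the single entry `- {{ include "capsule.secretTlsName" $ }}` under the `secrets` rule. A `get` by name is compatible with `resourceNames`, so the wait loop should be unaffected.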


@@ -0,0 +1,15 @@
{{- if .Values.tls.create }}
{{- if not $.Values.crds.exclusive }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "capsule.post-install.name" . }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook-weight": "-4"
{{- include "capsule.post-install.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
{{- end }}
{{- end }}


@@ -1,56 +0,0 @@
{{- $cmd := ""}}
{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
{{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) -}}
{{- end }}
{{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}}
{{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}}
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-rbac-cleaner"
labels:
{{- include "capsule.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded
{{- with .Values.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: pre-delete-job
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
command: [ "sh", "-c", "{{ $cmd }}"]
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
serviceAccountName: {{ include "capsule.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}


@@ -0,0 +1,14 @@
{{- define "capsule.pre-delete.name" -}}
{{- printf "%s-pre-delete" (include "capsule.name" $) -}}
{{- end }}
{{- define "capsule.pre-delete.annotations" -}}
"helm.sh/hook": pre-delete
{{- with $.Values.jobs.annotations }}
{{- . | toYaml | nindent 0 }}
{{- end }}
{{- end }}
{{- define "capsule.pre-delete.component" -}}
pre-delete-hook
{{- end }}
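Review bot: `capsule.pre-delete.annotations` appends `$.Values.jobs.annotations`, and the pre-delete Job template appends `$Values.annotations` again right after including this helper. Since `$Values` there is `jobs` merged over the global defaults, any annotation set under `jobs.annotations` is emitted twice in the Job's `annotations` map; duplicate mapping keys are either rejected or resolved last-wins depending on the parser. The helper is also included by the pre-delete ServiceAccount and RBAC templates, so the smaller fix is to remove the second `{{- with $Values.annotations }}` block from the Job. The post-install helper does not include job annotations at all, so the two helpers are worth aligning.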


@@ -0,0 +1,85 @@
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
{{- if not $.Values.crds.exclusive }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ include "capsule.pre-delete.name" $ }}"
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
annotations:
"helm.sh/hook-weight": "-1"
{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
{{- with $Values.annotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
spec:
backoffLimit: {{ $Values.backoffLimit }}
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $Values.restartPolicy }}
{{- with $Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with $Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capsule.pre-delete.name" . }}
containers:
- name: pre-delete-job
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
imagePullPolicy: {{ $Values.image.pullPolicy }}
command:
- "/bin/sh"
- "-c"
- |
set -o errexit ; set -o xtrace ; set -o nounset
{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}
kubectl delete secret -n $NAMESPACE {{ include "capsule.secretTlsName" $ }} --ignore-not-found
{{- end }}
kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with $Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with $Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
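Review bot: `{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}` compares against a float literal, and Go templates refuse to compare an integer with a float. Numbers read from a values file arrive as floats, but one passed with `--set` is likely parsed as an integer and would abort rendering, as would an unset value. Normalising first, `{{- if ge (float64 $Values.ttlSecondsAfterFinished) 0.0 }}`, covers both cases; note that an unset value then counts as 0, so a separate `hasKey` check is needed if "unset" should mean "no TTL". The post-install Job template has the same condition.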


@@ -0,0 +1,90 @@
{{- if not $.Values.crds.exclusive }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- rbac.authorization.k8s.io
resourceNames:
- capsule-namespace-deleter
- capsule-namespace-provisioner
resources:
- clusterroles
- clusterrolebindings
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- delete
resourceNames:
- {{ include "capsule.secretTlsName" $ }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "capsule.pre-delete.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "capsule.pre-delete.name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
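Review bot: The Role and RoleBinding that allow deleting the TLS secret are rendered whenever `crds.exclusive` is off, but the pre-delete job only runs `kubectl delete secret` when `tls.create` or `certManager.generateCertificates` is set. Wrapping those two documents in `{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }}` keeps the hook identity from holding a permission it never uses. The ClusterRole and ClusterRoleBinding also carry `namespace: {{ .Release.Namespace | quote }}` in their metadata, which has no meaning on cluster-scoped objects and can be dropped.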


@@ -0,0 +1,14 @@
{{- if not $.Values.crds.exclusive }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "capsule.pre-delete.name" . }}
namespace: {{ $.Release.Namespace }}
annotations:
"helm.sh/hook-weight": "-4"
{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
{{- include "capsule.labels" . | nindent 4 }}
{{- end }}


@@ -1,4 +1,5 @@
{{- if $.Values.manager.rbac.create }}
{{- if not $.Values.crds.exclusive }}
{{- if $.Values.manager.rbac.create }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -18,8 +19,8 @@ subjects:
- kind: ServiceAccount
name: {{ include "capsule.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- range $_, $cr := $.Values.manager.rbac.existingClusterRoles }}
{{- end }}
{{- range $_, $cr := $.Values.manager.rbac.existingClusterRoles }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -60,4 +61,5 @@ subjects:
- kind: ServiceAccount
name: {{ include "capsule.serviceAccountName" $ }}
namespace: {{ $.Release.Namespace }}
{{- end }}
{{- end }}


@@ -1,12 +1,14 @@
{{- if .Values.serviceAccount.create -}}
{{- if not $.Values.crds.exclusive }}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "capsule.serviceAccountName" . }}
labels:
{{- include "capsule.labels" . | nindent 4 }}
{{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations) }}
{{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations) }}
annotations:
{{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
{{- include "capsule.serviceAccountAnnotations" . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@@ -1,4 +1,5 @@
{{- if .Values.serviceMonitor.enabled }}
{{- if not $.Values.crds.exclusive }}
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
@@ -28,7 +29,7 @@ spec:
{{- with .relabelings }}
relabelings: {{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- end }}
jobLabel: app.kubernetes.io/name
{{- with .Values.serviceMonitor.targetLabels }}
targetLabels: {{- toYaml . | nindent 4 }}
@@ -43,5 +44,5 @@ spec:
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}
{{- end }}


@@ -1,3 +1,4 @@
{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
@@ -12,23 +13,17 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
{{- with .Values.webhooks.hooks.cordoning }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /cordoning
port: 443
failurePolicy: {{ .Values.webhooks.cordoning.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/cordoning" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: cordoning.tenant.capsule.clastix.io
name: cordoning.tenant.projectcapsule.dev
namespaceSelector:
{{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {}
rules:
- apiGroups:
@@ -43,24 +38,19 @@ webhooks:
- '*'
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.ingresses }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /ingresses
port: 443
failurePolicy: {{ .Values.webhooks.ingresses.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/ingresses" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: ingress.capsule.clastix.io
name: ingress.projectcapsule.dev
namespaceSelector:
{{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {}
rules:
- apiGroups:
@@ -76,22 +66,17 @@ webhooks:
- ingresses
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{ with .Values.webhooks.hooks.namespaces }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /namespaces
port: 443
failurePolicy: {{ .Values.webhooks.namespaces.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/namespaces" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: namespaces.capsule.clastix.io
name: namespaces.projectcapsule.dev
namespaceSelector: {}
objectSelector: {}
rules:
@@ -107,24 +92,19 @@ webhooks:
- namespaces
scope: '*'
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.networkpolicies }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /networkpolicies
port: 443
failurePolicy: {{ .Values.webhooks.networkpolicies.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/networkpolicies" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Equivalent
name: networkpolicies.capsule.clastix.io
name: networkpolicies.projectcapsule.dev
namespaceSelector:
{{- toYaml .Values.webhooks.networkpolicies.namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {}
rules:
- apiGroups:
@@ -138,21 +118,16 @@ webhooks:
- networkpolicies
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.nodes }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /nodes
port: 443
failurePolicy: {{ .Values.webhooks.nodes.failurePolicy }}
name: nodes.capsule.clastix.io
{{- include "capsule.webhooks.service" (dict "path" "/nodes" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
name: nodes.projectcapsule.dev
matchPolicy: Exact
namespaceSelector: {}
objectSelector: {}
@@ -166,24 +141,19 @@ webhooks:
resources:
- nodes
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.pods }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /pods
port: 443
failurePolicy: {{ .Values.webhooks.pods.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/pods" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Exact
name: pods.capsule.clastix.io
name: pods.projectcapsule.dev
namespaceSelector:
{{- toYaml .Values.webhooks.pods.namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {}
rules:
- apiGroups:
@@ -197,22 +167,18 @@ webhooks:
- pods
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.persistentvolumeclaims }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /persistentvolumeclaims
failurePolicy: {{ .Values.webhooks.persistentvolumeclaims.failurePolicy }}
name: pvc.capsule.clastix.io
{{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
name: pvc.projectcapsule.dev
namespaceSelector:
{{- toYaml .Values.webhooks.persistentvolumeclaims.namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {}
rules:
- apiGroups:
@@ -225,24 +191,19 @@ webhooks:
- persistentvolumeclaims
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.services }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /services
port: 443
failurePolicy: {{ .Values.webhooks.services.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/services" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Exact
name: services.capsule.clastix.io
name: services.projectcapsule.dev
namespaceSelector:
{{- toYaml .Values.webhooks.services.namespaceSelector | nindent 4}}
{{- toYaml .namespaceSelector | nindent 4}}
objectSelector: {}
rules:
- apiGroups:
@@ -256,19 +217,15 @@ webhooks:
- services
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.tenantResourceObjects }}
- admissionReviewVersions:
- v1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: capsule-webhook-service
namespace: {{ .Release.Namespace }}
path: /tenantresource-objects
failurePolicy: {{ .Values.webhooks.tenantResourceObjects.failurePolicy }}
name: resource-objects.tenant.capsule.clastix.io
{{- include "capsule.webhooks.service" (dict "path" "/tenantresource-objects" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
name: resource-objects.tenant.projectcapsule.dev
namespaceSelector:
matchExpressions:
- key: capsule.clastix.io/tenant
@@ -289,21 +246,17 @@ webhooks:
- '*'
scope: Namespaced
sideEffects: None
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- with .Values.webhooks.hooks.tenants }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
{{- if not .Values.certManager.generateCertificates }}
caBundle: Cg==
{{- end }}
service:
name: {{ include "capsule.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /tenants
port: 443
failurePolicy: {{ .Values.webhooks.tenants.failurePolicy }}
{{- include "capsule.webhooks.service" (dict "path" "/tenants" "ctx" $) | nindent 4 }}
failurePolicy: {{ .failurePolicy }}
matchPolicy: Exact
name: tenants.capsule.clastix.io
name: tenants.projectcapsule.dev
namespaceSelector: {}
objectSelector: {}
rules:
@@ -319,4 +272,6 @@ webhooks:
- tenants
scope: '*'
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }}
timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }}
{{- end }}
{{- end }}
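Review bot: The `namespaces` hook opens with `{{ with .Values.webhooks.hooks.namespaces }}`, without the `-` trim marker that every other `with` block in this template uses. The visible effect should only be a stray blank line in the rendered list, but it reads as an oversight; `{{- with .Values.webhooks.hooks.namespaces }}` matches the rest. Separately, the `resource-objects.tenant` hook keeps the selector key `capsule.clastix.io/tenant` while the webhook names move to `projectcapsule.dev`; if the label key is intentionally unchanged, a short template comment saying so would prevent a later "fix".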


@@ -1,3 +1,4 @@
{{- if not $.Values.crds.exclusive }}
apiVersion: v1
kind: Service
metadata:
@@ -18,3 +19,4 @@ spec:
{{- include "capsule.selectorLabels" . | nindent 4 }}
sessionAffinity: None
type: ClusterIP
{{- end }}
