Compare commits
157 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
4b2c86be65 | ||
|
|
72c0cd0199 | ||
|
|
3ef3e1f137 | ||
|
|
a55154ea56 | ||
|
|
8df833116c | ||
|
|
cfdd812d21 | ||
|
|
aaca9ca1b6 | ||
|
|
b630aa7671 | ||
|
|
2cb6100d24 | ||
|
|
6f8563f7e8 | ||
|
|
c51e4cac9a | ||
|
|
08331211d1 | ||
|
|
075f3a8385 | ||
|
|
c20272c8b9 | ||
|
|
e7640ec584 | ||
|
|
360d0dc48b | ||
|
|
e808118b43 | ||
|
|
b7a2072b0f | ||
|
|
fa06d8d6ae | ||
|
|
887f4adc01 | ||
|
|
e6e35fff2f | ||
|
|
c22044016a | ||
|
|
21022f35dd | ||
|
|
e1bfdc0d6e | ||
|
|
da064dafcd | ||
|
|
6e80052847 | ||
|
|
5dc7965530 | ||
|
|
0a46fcb912 | ||
|
|
9f6356c3a8 | ||
|
|
07b5bcafd3 | ||
|
|
d829378ce1 | ||
|
|
a03ce238b7 | ||
|
|
e7adc8dc95 | ||
|
|
d5786e5aa6 | ||
|
|
c9dbeac2f3 | ||
|
|
0cbc96ab25 | ||
|
|
426fc11bd5 | ||
|
|
34e2c7729c | ||
|
|
2d01f345b2 | ||
|
|
7b34fc457d | ||
|
|
aa9b6ab378 | ||
|
|
41a626cdc4 | ||
|
|
4ec2ff1d44 | ||
|
|
93cbe205f4 | ||
|
|
12b254c622 | ||
|
|
49fb307529 | ||
|
|
ace0d74c23 | ||
|
|
b74095be25 | ||
|
|
8ba9e9af1b | ||
|
|
7d7adf9c58 | ||
|
|
46a4e0dba1 | ||
|
|
8083cb59c9 | ||
|
|
ed9e1d4c47 | ||
|
|
20807ad8f3 | ||
|
|
7ecc6346f3 | ||
|
|
7d5eb0117c | ||
|
|
4be8566b79 | ||
|
|
2120e6d33e | ||
|
|
fcf58371d5 | ||
|
|
0a17c2ae7f | ||
|
|
1eef6fbb95 | ||
|
|
ee02e24d96 | ||
|
|
d07904ce03 | ||
|
|
59cb9694c0 | ||
|
|
8d498bb925 | ||
|
|
da66f40462 | ||
|
|
462ff47ed0 | ||
|
|
007cdd1c2d | ||
|
|
d0dbda7958 | ||
|
|
b923ce053c | ||
|
|
c695f480ff | ||
|
|
1d53811c48 | ||
|
|
c9b006fe97 | ||
|
|
6ff9d4b38a | ||
|
|
375643ab06 | ||
|
|
8a0be8a639 | ||
|
|
633263ace7 | ||
|
|
1e767be94d | ||
|
|
258300686e | ||
|
|
f82c2f468b | ||
|
|
5143c5cedc | ||
|
|
e6f7031128 | ||
|
|
3dc74c8791 | ||
|
|
f077028bdb | ||
|
|
8ff1044c47 | ||
|
|
df2bf1c98a | ||
|
|
aade294e78 | ||
|
|
f3b9728963 | ||
|
|
6278febf86 | ||
|
|
fd80e5c339 | ||
|
|
55c010c96e | ||
|
|
7a74268fc1 | ||
|
|
a75d7ab0ba | ||
|
|
650d535f67 | ||
|
|
7894300cce | ||
|
|
6184ff0499 | ||
|
|
4916b8f3ec | ||
|
|
b8636974a0 | ||
|
|
2b29fa7a08 | ||
|
|
cbcab2f08d | ||
|
|
a4b88d3b46 | ||
|
|
62e5e856b3 | ||
|
|
d49fcb7609 | ||
|
|
d86c8efd02 | ||
|
|
4dd46dd407 | ||
|
|
630f9e281f | ||
|
|
1659987274 | ||
|
|
93f7ebbc49 | ||
|
|
5df2add177 | ||
|
|
0394cc3e72 | ||
|
|
6313467dd1 | ||
|
|
2ca0043588 | ||
|
|
855d80ea62 | ||
|
|
f24b6b1b43 | ||
|
|
a7814af471 | ||
|
|
99d24da9ee | ||
|
|
6d03aa7305 | ||
|
|
2763fb77fa | ||
|
|
59e5ace956 | ||
|
|
f5bbeef2cb | ||
|
|
da478fcaeb | ||
|
|
3f5bc4a885 | ||
|
|
fd24ae82fb | ||
|
|
65030a1d7d | ||
|
|
48eab4e4cd | ||
|
|
a49c57bb5b | ||
|
|
d620b0457d | ||
|
|
1d9fcc7a0d | ||
|
|
2ed12d2f45 | ||
|
|
4b6864c155 | ||
|
|
34c4b94b7b | ||
|
|
db9107a3aa | ||
|
|
a089714625 | ||
|
|
b0bb26cd3e | ||
|
|
414cebd15f | ||
|
|
8930090dc6 | ||
|
|
eb7a77a920 | ||
|
|
9af5913086 | ||
|
|
26309d7992 | ||
|
|
8116434c66 | ||
|
|
0590624289 | ||
|
|
1a11a6c4a5 | ||
|
|
c657b55da9 | ||
|
|
58540b52bd | ||
|
|
323ac75c06 | ||
|
|
3de52e8139 | ||
|
|
d58fd0f2d7 | ||
|
|
00af2860fc | ||
|
|
3dd20349b6 | ||
|
|
9e4068850c | ||
|
|
446b8ea744 | ||
|
|
cfb2c6cddf | ||
|
|
0df02dbcb8 | ||
|
|
6b9e763f10 | ||
|
|
fb4f0cfe42 | ||
|
|
5a34c09447 | ||
|
|
c26f68efff |
2
.github/actions/exists/action.yaml
vendored
2
.github/actions/exists/action.yaml
vendored
@@ -18,4 +18,4 @@ runs:
|
||||
- shell: bash
|
||||
id: check
|
||||
run: |
|
||||
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
|
||||
echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
|
||||
|
||||
6
.github/actions/setup-caches/action.yaml
vendored
6
.github/actions/setup-caches/action.yaml
vendored
@@ -9,12 +9,12 @@ inputs:
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
|
||||
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
|
||||
with:
|
||||
path: ~/go/pkg/mod
|
||||
key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
||||
- uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
|
||||
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
|
||||
if: ${{ inputs.build-cache-key }}
|
||||
with:
|
||||
path: ~/.cache/go-build
|
||||
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
||||
key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
||||
|
||||
2
.github/configs/ct.yaml
vendored
2
.github/configs/ct.yaml
vendored
@@ -4,7 +4,7 @@ chart-dirs:
|
||||
- charts
|
||||
chart-repos:
|
||||
- capsule=https://projectcapsule.github.io/charts/
|
||||
helm-extra-args: "--timeout 600s"
|
||||
helm-extra-args: "--timeout 600s"
|
||||
validate-chart-schema: false
|
||||
validate-maintainers: false
|
||||
validate-yaml: true
|
||||
|
||||
10
.github/configs/lintconf.yaml
vendored
10
.github/configs/lintconf.yaml
vendored
@@ -1,6 +1,12 @@
|
||||
|
||||
---
|
||||
ignore:
|
||||
- config/
|
||||
- charts/*/templates/
|
||||
- charts/**/templates/
|
||||
rules:
|
||||
truthy:
|
||||
level: warning
|
||||
check-keys: false
|
||||
braces:
|
||||
min-spaces-inside: 0
|
||||
max-spaces-inside: 0
|
||||
@@ -39,5 +45,3 @@ rules:
|
||||
new-lines:
|
||||
type: unix
|
||||
trailing-spaces: enable
|
||||
truthy:
|
||||
level: warning
|
||||
|
||||
16
.github/dependabot.yml
vendored
16
.github/dependabot.yml
vendored
@@ -1,16 +0,0 @@
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: gomod
|
||||
directory: /
|
||||
schedule:
|
||||
interval: daily
|
||||
rebase-strategy: disabled
|
||||
commit-message:
|
||||
prefix: "feat(deps)"
|
||||
- package-ecosystem: github-actions
|
||||
directory: /
|
||||
schedule:
|
||||
interval: daily
|
||||
rebase-strategy: disabled
|
||||
commit-message:
|
||||
prefix: "ci(deps)"
|
||||
11
.github/workflows/check-actions.yml
vendored
11
.github/workflows/check-actions.yml
vendored
@@ -3,7 +3,8 @@ permissions: {}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
branches:
|
||||
- "*"
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -14,11 +15,11 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Ensure SHA pinned actions
|
||||
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@74606c30450304eee8660aae751818321754feb1 # v3.0.9
|
||||
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6eb1abde32fed00453b0d03497f4ba4fecba146d # v3.0.21
|
||||
with:
|
||||
# slsa-github-generator requires using a semver tag for reusable workflows.
|
||||
# slsa-github-generator requires using a semver tag for reusable workflows.
|
||||
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
|
||||
allowlist: |
|
||||
slsa-framework/slsa-github-generator
|
||||
slsa-framework/slsa-github-generator
|
||||
|
||||
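Review bot: The SHA pins this job enforces will go stale, because `.github/dependabot.yml` (which carried a `github-actions` ecosystem entry) is deleted in this same comparison and nothing else visible in the change set updates pinned actions. Keeping `Ensure SHA pinned actions` without an updater means fixes in actions/checkout and the other pinned actions only arrive when someone bumps hashes by hand, as this commit does. Either restore the `github-actions` entry from the deleted file or add an equivalent Renovate configuration, and record the chosen mechanism in a comment above the `Ensure SHA pinned actions` step so the next reader knows pins are meant to move.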
15
.github/workflows/check-commit.yml
vendored
15
.github/workflows/check-commit.yml
vendored
@@ -3,21 +3,20 @@ permissions: {}
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "*" ]
|
||||
branches:
|
||||
- "*"
|
||||
pull_request:
|
||||
branches: [ "*" ]
|
||||
branches:
|
||||
- "*"
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
commit_lint:
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: wagoid/commitlint-github-action@7f0a61df502599e1f1f50880aaa7ec1e2c0592f2 #v6.0.1
|
||||
with:
|
||||
firstParent: true
|
||||
- uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
|
||||
|
||||
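Review bot: The `with: firstParent: true` input is dropped from the commitlint step (the old lines carry it, the new `wagoid/commitlint-github-action@b948419… # v6.2.1` line has no `with:`) with nothing explaining it; if I read that option correctly it changes which commits are linted when a merge commit is in range, so a behaviour change is hidden inside a version bump. If the drop is intentional, a comment such as `# lint every commit in range, not just the first-parent chain` above the step would record it; otherwise restore the two lines. `fetch-depth: 0` on the checkout is still required by this step, so keep them together.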
2
.github/workflows/check-pr.yml
vendored
2
.github/workflows/check-pr.yml
vendored
@@ -15,7 +15,7 @@ jobs:
|
||||
name: Validate PR title
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e
|
||||
- uses: amannn/action-semantic-pull-request@40166f00814508ec3201fc8595b393d451c8cd80
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
|
||||
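Review bot: The new pin `amannn/action-semantic-pull-request@40166f00814508ec3201fc8595b393d451c8cd80` carries no `# vX.Y.Z` comment, unlike every other bump in this change, so a reader cannot tell which release the hash corresponds to and a pin-diffing tool cannot report it either. Add the resolved tag as a trailing comment in the same form as the other pins (`# vN.N.N`), after confirming the hash actually resolves to that tag.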
38
.github/workflows/codecov.yml
vendored
38
.github/workflows/codecov.yml
vendored
@@ -1,38 +0,0 @@
|
||||
name: Codecov
|
||||
permissions: {}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
codecov:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
continue-on-error: true
|
||||
with:
|
||||
build-cache-key: codecov
|
||||
- name: Check secret
|
||||
id: checksecret
|
||||
uses: ./.github/actions/exists
|
||||
with:
|
||||
value: ${{ secrets.CODECOV_TOKEN }}
|
||||
- name: Generate Code Coverage Report
|
||||
if: steps.checksecret.outputs.result == 'true'
|
||||
run: make test
|
||||
- name: Upload Report to Codecov
|
||||
if: steps.checksecret.outputs.result == 'true'
|
||||
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
|
||||
with:
|
||||
file: ./coverage.out
|
||||
fail_ci_if_error: true
|
||||
verbose: true
|
||||
86
.github/workflows/coverage.yml
vendored
Normal file
86
.github/workflows/coverage.yml
vendored
Normal file
@@ -0,0 +1,86 @@
|
||||
name: Coverage
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- "main"
|
||||
pull_request:
|
||||
types: [opened, reopened, synchronize]
|
||||
branches:
|
||||
- "main"
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
compliance:
|
||||
name: "License Compliance"
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: "Checkout Code"
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Check secret
|
||||
id: checksecret
|
||||
uses: ./.github/actions/exists
|
||||
with:
|
||||
value: ${{ secrets.FOSSA_API_KEY }}
|
||||
- name: "Run FOSSA Scan"
|
||||
if: steps.checksecret.outputs.result == 'true'
|
||||
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
|
||||
with:
|
||||
api-key: ${{ secrets.FOSSA_API_KEY }}
|
||||
- name: "Run FOSSA Test"
|
||||
if: steps.checksecret.outputs.result == 'true'
|
||||
uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
|
||||
with:
|
||||
api-key: ${{ secrets.FOSSA_API_KEY }}
|
||||
run-tests: true
|
||||
sast:
|
||||
name: "SAST"
|
||||
runs-on: ubuntu-24.04
|
||||
env:
|
||||
GO111MODULE: on
|
||||
permissions:
|
||||
security-events: write
|
||||
actions: read
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout Source
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- name: Run Gosec Security Scanner
|
||||
uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
|
||||
with:
|
||||
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@0a35e8f6866a39b001e5f7ad1d0daf9836786896
|
||||
with:
|
||||
sarif_file: gosec.sarif
|
||||
unit_tests:
|
||||
name: "Unit tests"
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- name: Unit Test
|
||||
run: make test
|
||||
- name: Check secret
|
||||
id: checksecret
|
||||
uses: ./.github/actions/exists
|
||||
with:
|
||||
value: ${{ secrets.CODECOV_TOKEN }}
|
||||
- name: Upload Report to Codecov
|
||||
if: ${{ steps.checksecret.outputs.result == 'true' }}
|
||||
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
|
||||
with:
|
||||
token: ${{ secrets.CODECOV_TOKEN }}
|
||||
slug: projectcapsule/capsule
|
||||
files: ./coverage.out
|
||||
fail_ci_if_error: true
|
||||
verbose: true
|
||||
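Review bot: This new workflow has no top-level `permissions:` key (the file opens with `name: Coverage` followed directly by `on:`), so the `compliance` and `unit_tests` jobs run with the repository's default `GITHUB_TOKEN` scopes instead of the empty set the other workflows in this change declare (`permissions: {}` in check-actions.yml, check-commit.yml and docker-build.yml); only the `sast` job declares its own scopes. Add `permissions: {}` directly after `name: Coverage` so every job gets nothing unless it asks; `sast` already asks for `security-events: write`, `actions: read`, `contents: read` and keeps working. Separately, the `github/codeql-action/upload-sarif@0a35e8f6…` pin has no version comment while scorecard.yml pins the same action at `9e8d0789… # v3.28.9`; aligning both on one labelled hash keeps the pins auditable.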
31
.github/workflows/diff.yml
vendored
31
.github/workflows/diff.yml
vendored
@@ -1,31 +0,0 @@
|
||||
name: Diff checks
|
||||
permissions: {}
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "*" ]
|
||||
pull_request:
|
||||
branches: [ "*" ]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
diff:
|
||||
name: diff
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- run: make manifests
|
||||
- name: Checking if YAML installer file is not aligned
|
||||
run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi
|
||||
- name: Checking if YAML installer generated untracked files
|
||||
run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
|
||||
- name: Checking if source code is not formatted
|
||||
run: test -z "$(git diff 2> /dev/null)"
|
||||
45
.github/workflows/docker-build.yml
vendored
Normal file
45
.github/workflows/docker-build.yml
vendored
Normal file
@@ -0,0 +1,45 @@
|
||||
name: Build images
|
||||
permissions: {}
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- "*"
|
||||
paths:
|
||||
- '.github/workflows/docker-*.yml'
|
||||
- 'api/**'
|
||||
- 'controllers/**'
|
||||
- 'pkg/**'
|
||||
- 'e2e/*'
|
||||
- '.ko.yaml'
|
||||
- 'go.*'
|
||||
- 'main.go'
|
||||
- 'Makefile'
|
||||
|
||||
jobs:
|
||||
build-images:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
security-events: write
|
||||
actions: read
|
||||
contents: read
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: ko build
|
||||
run: VERSION=${{ github.sha }} make ko-build-all
|
||||
- name: Trivy Scan Image
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
env:
|
||||
# Trivy is returning TOOMANYREQUESTS
|
||||
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
|
||||
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@0a35e8f6866a39b001e5f7ad1d0daf9836786896
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
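Review bot: The step named `Trivy Scan Image` does not scan the image that `make ko-build-all` just produced: it runs with `scan-type: 'fs'`, which scans the checked-out repository, so the built image's base layers and binary are never examined and the step's stated purpose is not met. Either rename it to say it is a repository scan (docker-publish.yml already does that under `Run Trivy vulnerability (Repo)`) or switch to `scan-type: 'image'` with an `image-ref:` pointing at the ko output; the Makefile target is not in view, so where ko writes the image needs checking. Also, the job requests `security-events: write` on a `pull_request` trigger that matches every branch; for pull requests from forks the token is read-only, so the `upload-sarif` step will fail there unless it is gated on the PR coming from this repository.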
16
.github/workflows/docker-publish.yml
vendored
16
.github/workflows/docker-publish.yml
vendored
@@ -15,12 +15,12 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
packages: write
|
||||
id-token: write
|
||||
id-token: write
|
||||
outputs:
|
||||
capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
@@ -28,7 +28,7 @@ jobs:
|
||||
with:
|
||||
build-cache-key: publish-images
|
||||
- name: Run Trivy vulnerability (Repo)
|
||||
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
@@ -36,10 +36,10 @@ jobs:
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
|
||||
uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
|
||||
- name: Publish Capsule
|
||||
id: publish-capsule
|
||||
uses: peak-scale/github-actions/make-ko-publish@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
|
||||
uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
|
||||
with:
|
||||
makefile-target: ko-publish-capsule
|
||||
registry: ghcr.io
|
||||
@@ -49,8 +49,8 @@ jobs:
|
||||
version: ${{ github.ref_name }}
|
||||
sign-image: true
|
||||
sbom-name: capsule
|
||||
sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
|
||||
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
|
||||
sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
|
||||
signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
|
||||
main-path: ./
|
||||
env:
|
||||
REPOSITORY: ${{ github.repository }}
|
||||
@@ -66,4 +66,4 @@ jobs:
|
||||
digest: "${{ needs.publish-images.outputs.capsule-digest }}"
|
||||
registry-username: ${{ github.actor }}
|
||||
secrets:
|
||||
registry-password: ${{ secrets.GITHUB_TOKEN }}
|
||||
registry-password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
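Review bot: Moving `sbom-repository` and `signature-repository` from `ghcr.io/<owner>/sbom` and `ghcr.io/<owner>/signatures` to `ghcr.io/<owner>/capsule` changes where cosign stores and looks for signatures, so a consumer verifying with `COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures` (the previous layout) will find no signature for releases cut after this change. Co-locating signatures with the image under cosign's default `sha256-<digest>.sig` tag layout is the better default, but it has to be announced: update wherever the project documents `cosign verify`, and add a comment above `sbom-repository` such as `# signatures and SBOM are stored alongside the image; verify with cosign verify ghcr.io/projectcapsule/capsule:<tag>`. The `registry-password: ${{ secrets.GITHUB_TOKEN }}` line at the end changes only in whitespace.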
12
.github/workflows/docs-lint.yml
vendored
12
.github/workflows/docs-lint.yml
vendored
@@ -3,12 +3,14 @@ permissions: {}
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "*" ]
|
||||
branches:
|
||||
- "*"
|
||||
paths:
|
||||
- '.github/workflows/docs-lint.yml'
|
||||
- 'docs/content/**'
|
||||
pull_request:
|
||||
branches: [ "*" ]
|
||||
branches:
|
||||
- "*"
|
||||
paths:
|
||||
- '.github/workflows/docs-lint.yml'
|
||||
- 'docs/content/**'
|
||||
@@ -22,10 +24,10 @@ jobs:
|
||||
name: Spell Check
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
|
||||
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
|
||||
with:
|
||||
node-version: 18
|
||||
- run: make docs-lint
|
||||
- run: make docs-lint
|
||||
|
||||
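Review bot: `runs-on: ubuntu-20.04` is left in place for the spell-check job (the line sits unchanged between the trigger edits and the checkout bump) while check-commit.yml, helm-publish.yml and lint.yml move to `ubuntu-24.04` in this same change. Beyond the inconsistency, the 20.04 hosted runner image has been scheduled for retirement by GitHub, so this job is likely to stop scheduling; change it to `runs-on: ubuntu-24.04` here as well. The `node-version: 18` pin deserves a look for the same end-of-life reason, though nothing in this hunk depends on it.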
48
.github/workflows/e2e.yml
vendored
48
.github/workflows/e2e.yml
vendored
@@ -2,20 +2,9 @@ name: e2e
|
||||
permissions: {}
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "*" ]
|
||||
paths:
|
||||
- '.github/workflows/e2e.yml'
|
||||
- 'api/**'
|
||||
- 'controllers/**'
|
||||
- 'pkg/**'
|
||||
- 'e2e/*'
|
||||
- 'Dockerfile'
|
||||
- 'go.*'
|
||||
- 'main.go'
|
||||
- 'Makefile'
|
||||
pull_request:
|
||||
branches: [ "*" ]
|
||||
branches:
|
||||
- "*"
|
||||
paths:
|
||||
- '.github/workflows/e2e.yml'
|
||||
- 'api/**'
|
||||
@@ -32,26 +21,27 @@ concurrency:
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
kind:
|
||||
name: Kubernetes
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0']
|
||||
runs-on: ubuntu-20.04
|
||||
e2e:
|
||||
name: E2E Testing
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
|
||||
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
|
||||
with:
|
||||
skipClusterCreation: true
|
||||
version: v0.14.0
|
||||
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v3
|
||||
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
|
||||
with:
|
||||
version: v3.14.2
|
||||
- name: e2e testing
|
||||
run: make e2e/${{ matrix.k8s-version }}
|
||||
- name: unit tracing
|
||||
run: sudo make trace-unit
|
||||
- name: e2e tracing
|
||||
run: sudo make trace-e2e
|
||||
- name: build seccomp profile
|
||||
run: make seccomp
|
||||
- name: upload artifact
|
||||
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
||||
with:
|
||||
name: capsule-seccomp
|
||||
path: capsule-seccomp.json
|
||||
|
||||
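Review bot: The `azure/setup-helm` pin keeps the identical hash `fe7b79cd5ee1e45176fcad797de68ecaf3ca4814` while its comment changes from `# v3` to `# v4`, so one of the two labels was wrong and the hunk does not say which; a version comment that disagrees with the hash defeats the purpose of SHA pinning. Resolve the hash to its tag (`git ls-remote --tags https://github.com/azure/setup-helm | grep fe7b79cd`) and write the full tag, e.g. `# v4.x.y`, in all three places this change touches (e2e.yml, helm-test.yml, releaser.yml). The Kubernetes version matrix is removed together with the `kind` job name, yet the `e2e testing` step still reads `make e2e/${{ matrix.k8s-version }}`; if that line survives on the new side it expands to `make e2e/`, which needs confirming against the Makefile (not in view).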
35
.github/workflows/fossa.yml
vendored
35
.github/workflows/fossa.yml
vendored
@@ -1,35 +0,0 @@
|
||||
name: FOSSA
|
||||
permissions: {}
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "*" ]
|
||||
pull_request:
|
||||
branches: [ "*" ]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
fossa-scan:
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: "Checkout Code"
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Check secret
|
||||
id: checksecret
|
||||
uses: ./.github/actions/exists
|
||||
with:
|
||||
value: ${{ secrets.FOSSA_API_KEY }}
|
||||
- name: "Run FOSSA Scan"
|
||||
if: steps.checksecret.outputs.result == 'true'
|
||||
uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
|
||||
with:
|
||||
api-key: ${{ secrets.FOSSA_API_KEY }}
|
||||
- name: "Run FOSSA Test"
|
||||
if: steps.checksecret.outputs.result == 'true'
|
||||
uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
|
||||
with:
|
||||
api-key: ${{ secrets.FOSSA_API_KEY }}
|
||||
run-tests: true
|
||||
33
.github/workflows/gosec.yml
vendored
33
.github/workflows/gosec.yml
vendored
@@ -1,33 +0,0 @@
|
||||
name: CI gosec
|
||||
permissions:
|
||||
actions: read
|
||||
on:
|
||||
push:
|
||||
branches: [ "*" ]
|
||||
pull_request:
|
||||
branches: [ "*" ]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
tests:
|
||||
runs-on: ubuntu-20.04
|
||||
env:
|
||||
GO111MODULE: on
|
||||
steps:
|
||||
- name: Checkout Source
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- name: Run Gosec Security Scanner
|
||||
uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 # v2.20.0
|
||||
with:
|
||||
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
|
||||
- name: Upload SARIF file
|
||||
uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc
|
||||
with:
|
||||
sarif_file: gosec.sarif
|
||||
|
||||
15
.github/workflows/helm-publish.yml
vendored
15
.github/workflows/helm-publish.yml
vendored
@@ -1,5 +1,6 @@
|
||||
name: Publish charts
|
||||
permissions: read-all
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
@@ -13,9 +14,9 @@ jobs:
|
||||
publish-helm:
|
||||
# Skip this Release on forks
|
||||
if: github.repository_owner == 'projectcapsule'
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: "Extract Version"
|
||||
id: extract_version
|
||||
run: |
|
||||
@@ -36,7 +37,7 @@ jobs:
|
||||
branch: gh-pages
|
||||
commit_username: ${{ github.actor }}
|
||||
publish-helm-oci:
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write
|
||||
@@ -44,8 +45,8 @@ jobs:
|
||||
outputs:
|
||||
chart-digest: ${{ steps.helm_publish.outputs.digest }}
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
|
||||
- name: "Extract Version"
|
||||
id: extract_version
|
||||
run: |
|
||||
@@ -54,7 +55,7 @@ jobs:
|
||||
echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
|
||||
- name: Helm | Publish
|
||||
id: helm_publish
|
||||
uses: peak-scale/github-actions/helm-oci-chart@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
|
||||
uses: peak-scale/github-actions/helm-oci-chart@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
repository: ${{ github.repository_owner }}/charts
|
||||
@@ -65,7 +66,7 @@ jobs:
|
||||
registry-password: ${{ secrets.GITHUB_TOKEN }}
|
||||
update-dependencies: 'true' # Defaults to false
|
||||
sign-image: 'true'
|
||||
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
|
||||
signature-repository: ghcr.io/${{ github.repository_owner }}/charts/capsule
|
||||
helm-provenance:
|
||||
needs: publish-helm-oci
|
||||
permissions:
|
||||
|
||||
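Review bot: The new top-level `permissions: read-all` grants every job in this workflow read access on every token scope, which is wider than the `permissions: {}` baseline the other workflows in this change use, and it is the only grant the first `publish-helm` job receives since that job declares none of its own. If that job's release step pushes to `gh-pages` (the hunk shows `branch: gh-pages` and `commit_username: ${{ github.actor }}`), a read-only token will not suffice unless a separate token is used, so the grant is at once too broad and possibly too narrow. Replace the top-level line with `permissions: {}` and give `publish-helm` exactly what it needs (`contents: write` if it pushes the pages branch), mirroring how `publish-helm-oci` already declares `contents: write` and `id-token: write`.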
56
.github/workflows/helm-test.yml
vendored
56
.github/workflows/helm-test.yml
vendored
@@ -3,34 +3,43 @@ permissions: {}
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
branches:
|
||||
- "main"
|
||||
paths:
|
||||
- '.github/configs/**'
|
||||
- '.github/workflows/helm-*.yml'
|
||||
- 'charts/**'
|
||||
- 'Makefile'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-20.04
|
||||
linter-artifacthub:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: artifacthub/ah
|
||||
options: --user root
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Run ah lint
|
||||
working-directory: ./charts/
|
||||
run: ah lint
|
||||
lint:
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v3
|
||||
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
|
||||
- name: Linting Chart
|
||||
run: helm lint ./charts/capsule
|
||||
- name: Setup Chart Linting
|
||||
id: lint
|
||||
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
|
||||
- name: Run chart-testing (list-changed)
|
||||
id: list-changed
|
||||
run: |
|
||||
changed=$(ct list-changed --config ./.github/configs/ct.yaml)
|
||||
if [[ -n "$changed" ]]; then
|
||||
echo "::set-output name=changed::true"
|
||||
fi
|
||||
|
||||
- name: Run chart-testing (lint)
|
||||
run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
|
||||
run: make helm-lint
|
||||
|
||||
- name: Run docs-testing (helm-docs)
|
||||
id: helm-docs
|
||||
run: |
|
||||
@@ -42,7 +51,16 @@ jobs:
|
||||
else
|
||||
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
|
||||
fi
|
||||
|
||||
- name: Run schema-testing (helm-schema)
|
||||
id: helm-schema
|
||||
run: |
|
||||
make helm-schema
|
||||
if [[ $(git diff --stat) != '' ]]; then
|
||||
echo -e '\033[0;31mSchema outdated! (Run make helm-schema locally and commit)\033[0m ❌'
|
||||
git diff --color
|
||||
exit 1
|
||||
else
|
||||
echo -e '\033[0;32mSchema up to date\033[0m ✔'
|
||||
fi
|
||||
- name: Run chart-testing (install)
|
||||
run: make helm-test
|
||||
if: steps.list-changed.outputs.changed == 'true'
|
||||
run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test
|
||||
|
||||
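Review bot: The new `linter-artifacthub` job runs in `container: image: artifacthub/ah` with no tag or digest and with `options: --user root`, so every run pulls whatever `latest` currently is from the registry and executes it as root with the repository checked out inside it; that is an unpinned, mutable dependency in a workflow that otherwise insists on SHA-pinned actions. Pin the image to a release tag and its digest, `image: artifacthub/ah:<version>@sha256:<digest>`, and drop `--user root` unless checkout actually fails without it (if it does, say so in a comment next to the option). The `::set-output name=changed::true` form in `list-changed` is the deprecated output syntax; if that step survives on the new side, `echo "changed=true" >> "$GITHUB_OUTPUT"` is the replacement and matches what `.github/actions/exists` already does.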
50
.github/workflows/lint.yml
vendored
50
.github/workflows/lint.yml
vendored
@@ -1,28 +1,52 @@
|
||||
name: Linting
|
||||
permissions: {}
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "*" ]
|
||||
branches:
|
||||
- "*"
|
||||
pull_request:
|
||||
branches: [ "*" ]
|
||||
|
||||
branches:
|
||||
- "*"
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
manifests:
|
||||
name: diff
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- name: Generate manifests
|
||||
run: |
|
||||
make manifests
|
||||
if [[ $(git diff --stat) != '' ]]; then
|
||||
echo -e '\033[0;31mManifests outdated! (Run make manifests locally and commit)\033[0m ❌'
|
||||
git diff --color
|
||||
exit 1
|
||||
else
|
||||
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
|
||||
fi
|
||||
yamllint:
|
||||
name: yamllint
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- name: Install yamllint
|
||||
run: pip install yamllint
|
||||
- name: Lint YAML files
|
||||
run: yamllint -c=.github/configs/lintconf.yaml .
|
||||
golangci:
|
||||
name: lint
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-24.04
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- name: Run golangci-lint
|
||||
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
|
||||
with:
|
||||
version: v1.56.2
|
||||
only-new-issues: false
|
||||
args: --timeout 5m --config .golangci.yml
|
||||
run: make golint
|
||||
|
||||
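Review bot: In the new `manifests` job the success branch prints `Documentation up to date` after `make manifests`, a copy of the helm-docs message, so a green run reports the wrong thing; change it to `echo -e '\033[0;32mManifests up to date\033[0m ✔'`. The `yamllint` job installs the linter with a bare `pip install yamllint`, which fetches an unpinned version from PyPI on every run; in a repository that SHA-pins every action, pin this too (`pip install 'yamllint==<version>'`, ideally with `--require-hashes`) or use the distribution package. The `golangci` job now delegates to `make golint`, so the linter version previously fixed here as `v1.56.2` is whatever the Makefile chooses; that is fine only if the Makefile pins it, which this hunk does not show.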
51
.github/workflows/releaser.yml
vendored
51
.github/workflows/releaser.yml
vendored
@@ -11,26 +11,69 @@ concurrency:
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
seccomp-generation:
|
||||
name: Seccomp Generation
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
# differently from the e2e workflow
|
||||
# we don't need all the versions of kubernetes
|
||||
# to generate the seccomp profile.
|
||||
k8s-version:
|
||||
- "v1.30.0"
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
|
||||
with:
|
||||
version: v3.14.2
|
||||
- name: unit tracing
|
||||
run: sudo make trace-unit
|
||||
- name: e2e tracing
|
||||
run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
|
||||
- name: build seccomp profile
|
||||
run: make seccomp
|
||||
- name: upload artifact
|
||||
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
||||
with:
|
||||
name: capsule-seccomp
|
||||
path: capsule-seccomp.json
|
||||
|
||||
create-release:
|
||||
needs: seccomp-generation
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Install Go
|
||||
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
||||
with:
|
||||
go-version-file: 'go.mod'
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
continue-on-error: true
|
||||
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
|
||||
- uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751
|
||||
- uses: anchore/sbom-action/download-syft@79202aee38a39bd2039be442e58d731b63baf740
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
|
||||
uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
|
||||
- name: download artifact
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
with:
|
||||
name: capsule-seccomp
|
||||
path: ./capsule-seccomp.json
|
||||
- name: Run GoReleaser
|
||||
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
|
||||
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
|
||||
with:
|
||||
version: latest
|
||||
args: release --clean --timeout 90m
|
||||
|
||||
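Review bot: The `download artifact` step sets `path: ./capsule-seccomp.json`, but `path` in `actions/download-artifact` is a destination directory, so the profile most likely lands at `./capsule-seccomp.json/capsule-seccomp.json` and a GoReleaser config expecting the file at the repository root will not find it, or will try to ship a directory. Use `path: .` so the artifact keeps its own file name, and consider a guard step such as `run: test -f capsule-seccomp.json` before `Run GoReleaser`. Two supply-chain points in this job, which holds `contents: write` and `id-token: write`: `goreleaser-action` is given `version: latest`, so the binary that builds and signs the release is unpinned, and `anchore/sbom-action/download-syft@79202aee…` has no version comment; pin GoReleaser to a specific `vX.Y.Z` and label the syft pin like the others.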
10
.github/workflows/scorecard.yml
vendored
10
.github/workflows/scorecard.yml
vendored
@@ -20,23 +20,23 @@ jobs:
|
||||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: Run analysis
|
||||
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
|
||||
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
||||
publish_results: true
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
|
||||
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
- name: Upload to code-scanning
|
||||
uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # v2.13.4
|
||||
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
sarif_file: results.sarif
|
||||
|
||||
1
.gitignore
vendored
@@ -31,3 +31,4 @@ dist/
|
||||
.DS_Store
|
||||
*.tgz
|
||||
kind.yaml
|
||||
capsule-seccomp.json
|
||||
|
||||
@@ -1,7 +1,4 @@
|
||||
|
||||
linters-settings:
|
||||
govet:
|
||||
check-shadowing: true
|
||||
dupl:
|
||||
threshold: 100
|
||||
goconst:
|
||||
@@ -33,40 +30,31 @@ linters-settings:
|
||||
linters:
|
||||
enable-all: true
|
||||
disable:
|
||||
- err113
|
||||
- depguard
|
||||
- perfsprint
|
||||
- funlen
|
||||
- gochecknoinits
|
||||
- lll
|
||||
- exhaustivestruct
|
||||
- maligned
|
||||
- interfacer
|
||||
- scopelint
|
||||
- golint
|
||||
- gochecknoglobals
|
||||
- goerr113
|
||||
- gomnd
|
||||
- mnd
|
||||
- nilnil
|
||||
- recvcheck
|
||||
- unparam
|
||||
- paralleltest
|
||||
- ireturn
|
||||
- testpackage
|
||||
- varnamelen
|
||||
- wrapcheck
|
||||
- exhaustruct
|
||||
- varcheck
|
||||
- structcheck
|
||||
- nosnakecase
|
||||
- deadcode
|
||||
- ifshort
|
||||
- nonamedreturns
|
||||
|
||||
service:
|
||||
golangci-lint-version: 1.56.x
|
||||
|
||||
run:
|
||||
timeout: 3m
|
||||
go: '1.21'
|
||||
skip-files:
|
||||
issues:
|
||||
exclude-files:
|
||||
- "zz_.*\\.go$"
|
||||
- ".+\\.generated.go"
|
||||
- ".+_test.go"
|
||||
- ".+_test_.+.go"
|
||||
run:
|
||||
timeout: 3m
|
||||
allow-parallel-runners: true
|
||||
tests: false
|
||||
|
||||
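Review bot: With `tests: false` in the new `run:` block, golangci-lint never loads `*_test.go` files at all, so the `- ".+_test.go"` and `- ".+_test_.+.go"` entries under the new `issues.exclude-files` are redundant; keeping only the explicit `exclude-files` patterns and dropping `tests: false` would also let `gosec` and the other enabled linters still see test and e2e code, which is usually what you want from `enable-all: true`. The remaining patterns have unescaped dots and no end anchor (`".+\\.generated.go"` also matches a file named `foo.generated_go`); `".+\\.generated\\.go$"` is the intended form. The disable list shows both `goerr113`/`err113` and `gomnd`/`mnd`, which suggests the renamed linters were updated, but if any of `exhaustivestruct`, `maligned`, `interfacer`, `scopelint`, `golint`, `varcheck`, `structcheck`, `nosnakecase`, `deadcode` or `ifshort` remain on the new side, the golangci-lint v1.63.4 that the Makefile in this change pins no longer ships them and should reject the configuration as referencing unknown linters.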
@@ -31,10 +31,8 @@ builds:
|
||||
release:
|
||||
prerelease: auto
|
||||
footer: |
|
||||
Thanks to all the contributors!
|
||||
|
||||
**Full Changelog**: https://github.com/projectcapsule/{{ .ProjectName }}/compare/{{ .PreviousTag }}...{{ .Tag }}
|
||||
|
||||
|
||||
**Docker Images**
|
||||
- `ghcr.io/projectcapsule/{{ .ProjectName }}:{{ .Version }}`
|
||||
- `ghcr.io/projectcapsule/{{ .ProjectName }}:latest`
|
||||
@@ -45,6 +43,21 @@ release:
|
||||
- `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}`
|
||||
|
||||
[Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes)
|
||||
|
||||
**Kubernetes compatibility**
|
||||
|
||||
[!IMPORTANT]
|
||||
Note that the Capsule project offers support only for the latest minor version of Kubernetes.
|
||||
Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).
|
||||
|
||||
| Kubernetes version | Minimum required |
|
||||
|--------------------|------------------|
|
||||
| `v1.31` | `>= 1.31.0` |
|
||||
|
||||
|
||||
Thanks to all the contributors! 🚀 🦄
|
||||
extra_files:
|
||||
- glob: ./capsule-seccomp.json
|
||||
checksum:
|
||||
name_template: 'checksums.txt'
|
||||
changelog:
|
||||
|
||||
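Review bot: The `[!IMPORTANT]` line added to the `footer` block renders as a GitHub alert only when it and the lines below it form a blockquote; as shown here it is bare, so the published release notes would contain the literal text `[!IMPORTANT]` followed by two plain sentences. If the `>` really is missing rather than lost in rendering, the three lines should read `> [!IMPORTANT]`, `> Note that the Capsule project offers support only for the latest minor version of Kubernetes.` and `> Backwards compatibility with older versions of Kubernetes and OpenShift is [offered by vendors](https://projectcapsule.dev/support/).`. The compatibility table hard-codes `v1.31` while the Makefile in this same change introduces `KUBERNETES_SUPPORTED_VERSION ?= "v1.31.0"`, so a Kubernetes bump now has two places to update; a YAML comment above the `footer:` key (not inside the block scalar, where it would be emitted verbatim) such as `# Keep the Kubernetes compatibility table in sync with KUBERNETES_SUPPORTED_VERSION in the Makefile` flags the second location.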
2
.ko.yaml
@@ -6,4 +6,4 @@ builds:
|
||||
- id: capsule
|
||||
main: ./
|
||||
ldflags:
|
||||
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
|
||||
- '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
|
||||
|
||||
58
.pre-commit-config.yaml
Normal file
@@ -0,0 +1,58 @@
|
||||
repos:
|
||||
- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
|
||||
rev: v9.20.0
|
||||
hooks:
|
||||
- id: commitlint
|
||||
stages: [commit-msg]
|
||||
additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v5.0.0
|
||||
hooks:
|
||||
- id: check-executables-have-shebangs
|
||||
- id: check-yaml
|
||||
- id: double-quote-string-fixer
|
||||
- id: end-of-file-fixer
|
||||
- id: trailing-whitespace
|
||||
- repo: https://github.com/adrienverge/yamllint
|
||||
rev: v1.35.1
|
||||
hooks:
|
||||
- id: yamllint
|
||||
args: [-c=.github/configs/lintconf.yaml]
|
||||
- repo: local
|
||||
hooks:
|
||||
- id: run-helm-docs
|
||||
name: Execute helm-docs
|
||||
entry: make helm-docs
|
||||
language: system
|
||||
files: ^charts/
|
||||
- id: run-helm-schema
|
||||
name: Execute helm-schema
|
||||
entry: make helm-schema
|
||||
language: system
|
||||
files: ^charts/
|
||||
- id: run-helm-lint
|
||||
name: Execute helm-lint
|
||||
entry: make helm-lint
|
||||
language: system
|
||||
files: ^charts/
|
||||
# Currently too slow smw
|
||||
# - id: golangci-lint
|
||||
# name: Execute golangci-lint
|
||||
# entry: make golint
|
||||
# language: system
|
||||
# files: \.go$
|
||||
# - repo: https://github.com/tekwizely/pre-commit-golang
|
||||
# rev: v1.0.0-rc.1
|
||||
# hooks:
|
||||
# - id: go-vet
|
||||
# - id: go-vet-mod
|
||||
# - id: go-vet-pkg
|
||||
# - id: go-vet-repo-mod
|
||||
# - id: go-vet-repo-pkg
|
||||
# - id: go-revive
|
||||
# - id: go-revive-mod
|
||||
# - id: go-revive-repo-mod
|
||||
# - id: go-sec-mod
|
||||
# - id: go-sec-pkg
|
||||
# - id: go-sec-repo-mod
|
||||
# - id: go-sec-repo-pkg
|
||||
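Review bot: `additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']` installs both npm packages unpinned, so every fresh pre-commit environment resolves whatever is current on the registry; `'@commitlint/config-conventional@<pinned-version>'` and `'commitlint-plugin-function-rules@<pinned-version>'` keep the hook reproducible and match the SHA-pinned actions the workflows in this change already use. The `rev:` fields accept a full commit SHA as well as a tag, which is the same hardening the scorecard and release workflows apply. `double-quote-string-fixer` only rewrites Python source, so in this Go repository it is a no-op unless helper scripts are the target; a one-line comment naming the intended files, or dropping the hook, avoids the question. The trailing `# Currently too slow smw` reads like a typo or stray initials; spelling the reason out (`# Disabled: too slow to run on every commit; use make golint instead`) documents why the Go hooks below are commented out.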
10
ADOPTERS.md
@@ -7,8 +7,11 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
|
||||
### [Bedag Informatik AG](https://www.bedag.ch/)
|
||||

|
||||
|
||||
### [EPAM Delivery Platform](https://epam.github.io/edp-install/)
|
||||

|
||||
### [Department of Defense](https://www.defense.gov/)
|
||||

|
||||
|
||||
### [KubeRocketCI](https://docs.kuberocketci.io/)
|
||||

|
||||
|
||||
### [Fastweb](https://www.fastweb.it/)
|
||||

|
||||
@@ -25,6 +28,9 @@ This is a list of companies that have adopted Capsule, feel free to open a Pull-
|
||||
### [Reevo](https://www.reevo.it/)
|
||||

|
||||
|
||||
### [Seeweb](https://seeweb.it/en)
|
||||

|
||||
|
||||
### [University of Torino](https://www.unito.it)
|
||||

|
||||
|
||||
|
||||
@@ -70,7 +70,7 @@ git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY
|
||||
|
||||
2. **Create a branch:**
|
||||
|
||||
Create a new brach and navigate to the branch using this command.
|
||||
Create a new branch and navigate to it using this command.
|
||||
|
||||
```sh
|
||||
git checkout -b <new-branch>
|
||||
@@ -180,7 +180,7 @@ The semantics should indicate the change and it's impact. The general format for
|
||||
The following types are allowed for commits and pull requests:
|
||||
|
||||
* `chore`: housekeeping changes, no production code change
|
||||
* `ci`: changes to buillding process/workflows
|
||||
* `ci`: changes to building process/workflows
|
||||
* `docs`: changes to documentation
|
||||
* `feat`: new features
|
||||
* `fix`: bug fixes
|
||||
|
||||
40
Dockerfile
@@ -1,40 +0,0 @@
|
||||
# Build the manager binary
|
||||
FROM golang:1.20.10 as builder
|
||||
|
||||
WORKDIR /workspace
|
||||
# Copy the Go Modules manifests
|
||||
COPY go.mod go.mod
|
||||
COPY go.sum go.sum
|
||||
# cache deps before building and copying source so that we don't need to re-download as much
|
||||
# and so that source changes don't invalidate our downloaded layer
|
||||
RUN go mod download
|
||||
|
||||
ARG TARGETARCH
|
||||
ARG GIT_HEAD_COMMIT
|
||||
ARG GIT_TAG_COMMIT
|
||||
ARG GIT_LAST_TAG
|
||||
ARG GIT_MODIFIED
|
||||
ARG GIT_REPO
|
||||
ARG BUILD_DATE
|
||||
|
||||
# Copy the go source
|
||||
COPY main.go main.go
|
||||
COPY version.go version.go
|
||||
COPY api/ api/
|
||||
COPY controllers/ controllers/
|
||||
COPY pkg/ pkg/
|
||||
|
||||
# Build
|
||||
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build \
|
||||
-gcflags "-N -l" \
|
||||
-ldflags "-X main.GitRepo=$GIT_REPO -X main.GitTag=$GIT_LAST_TAG -X main.GitCommit=$GIT_HEAD_COMMIT -X main.GitDirty=$GIT_MODIFIED -X main.BuildTime=$BUILD_DATE" \
|
||||
-o manager
|
||||
|
||||
# Use distroless as minimal base image to package the manager binary
|
||||
# Refer to https://github.com/GoogleContainerTools/distroless for more details
|
||||
FROM gcr.io/distroless/static:nonroot
|
||||
WORKDIR /
|
||||
COPY --from=builder /workspace/manager .
|
||||
USER nonroot:nonroot
|
||||
|
||||
ENTRYPOINT ["/manager"]
|
||||
17
Dockerfile.tracing
Normal file
@@ -0,0 +1,17 @@
|
||||
# Target Binary
|
||||
ARG TARGET_IMAGE
|
||||
FROM ${TARGET_IMAGE} AS target
|
||||
|
||||
# Inject Harpoon Image
|
||||
FROM ghcr.io/alegrey91/harpoon:latest
|
||||
WORKDIR /
|
||||
COPY --from=target /ko-app/capsule ./manager
|
||||
|
||||
ENTRYPOINT ["/harpoon", \
|
||||
"capture", \
|
||||
"-f", "main.main", \
|
||||
"-E", "NAMESPACE=capsule-system", \
|
||||
"-i", "2", \
|
||||
"-c", "-e", \
|
||||
"-S", "-D", "/tmp/results/", \
|
||||
"--", "/manager"]
|
||||
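Review bot: `FROM ghcr.io/alegrey91/harpoon:latest` pulls a mutable tag, while the Makefile in this change pins the harpoon CLI to `HARPOON_VERSION := v0.9.6`; since the traces this image produces feed `make seccomp` and the resulting `capsule-seccomp.json` is attached to the release, the tracer should be fixed too, e.g. `FROM ghcr.io/alegrey91/harpoon:<pinned-tag>@sha256:<digest>`. `ARG TARGET_IMAGE` has no default, so a plain `docker build -f Dockerfile.tracing .` fails at `FROM ${TARGET_IMAGE}` with an unhelpful parse error; a comment above it such as `# Required: the ko-built capsule image, see docker-build-capsule-trace in the Makefile` names the intended entry point. `COPY --from=target /ko-app/capsule ./manager` relies on the binary location ko uses inside its images; nothing in this file shows where that path comes from, so a short comment stating the assumption would help the next person who changes the build tool.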
296
Makefile
@@ -16,6 +16,14 @@ BUILD_DATE ?= $(shell git log -1 --format="%at" | xargs -I{} sh -c 'if [ "$
|
||||
IMG_BASE ?= $(REPOSITORY)
|
||||
IMG ?= $(IMG_BASE):$(VERSION)
|
||||
CAPSULE_IMG ?= $(REGISTRY)/$(IMG_BASE)
|
||||
CLUSTER_NAME ?= capsule
|
||||
|
||||
## Kubernetes Version Support
|
||||
KUBERNETES_SUPPORTED_VERSION ?= "v1.31.0"
|
||||
|
||||
## Tool Binaries
|
||||
KUBECTL ?= kubectl
|
||||
HELM ?= helm
|
||||
|
||||
# Options for 'bundle-build'
|
||||
ifneq ($(origin CHANNELS), undefined)
|
||||
@@ -53,8 +61,8 @@ run: generate manifests
|
||||
go run .
|
||||
|
||||
# Generate manifests e.g. CRD, RBAC etc.
|
||||
manifests: controller-gen
|
||||
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule/crds
|
||||
manifests: generate
|
||||
$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=charts/capsule/crds
|
||||
|
||||
# Generate code
|
||||
generate: controller-gen
|
||||
@@ -63,33 +71,37 @@ generate: controller-gen
|
||||
# Helm
|
||||
SRC_ROOT = $(shell git rev-parse --show-toplevel)
|
||||
|
||||
helm-docs: HELMDOCS_VERSION := v1.11.0
|
||||
helm-docs: docker
|
||||
@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
|
||||
helm-controller-version:
|
||||
$(eval VERSION := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
|
||||
$(eval KO_TAGS := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
|
||||
|
||||
helm-lint: docker
|
||||
@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
|
||||
helm-docs: helm-doc
|
||||
$(HELM_DOCS) --chart-search-root ./charts
|
||||
|
||||
helm-test: kind ct ko-build-all
|
||||
@kind create cluster --wait=60s --name capsule-charts
|
||||
helm-lint: ct
|
||||
@$(CT) lint --config .github/configs/ct.yaml --validate-yaml=false --all --debug
|
||||
|
||||
helm-schema: helm-plugin-schema
|
||||
cd charts/capsule && $(HELM) schema -output values.schema.json
|
||||
|
||||
helm-test: HELM_KIND_CONFIG ?= ""
|
||||
helm-test: kind
|
||||
@mkdir -p /tmp/results || true
|
||||
@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config $(HELM_KIND_CONFIG)
|
||||
@make helm-test-exec
|
||||
@kind delete cluster --name capsule-charts
|
||||
@$(KIND) delete cluster --name capsule-charts
|
||||
|
||||
helm-test-exec:
|
||||
@kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
|
||||
@kubectl create ns capsule-system || true
|
||||
@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
|
||||
@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
|
||||
@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
|
||||
|
||||
docker:
|
||||
@hash docker 2>/dev/null || {\
|
||||
echo "You need docker" &&\
|
||||
exit 1;\
|
||||
}
|
||||
helm-test-exec: ct helm-controller-version ko-build-all
|
||||
$(MAKE) docker-build-capsule-trace
|
||||
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
|
||||
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=tracing
|
||||
@$(KUBECTL) create ns capsule-system || true
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
|
||||
@$(KUBECTL) apply --force-conflicts --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
|
||||
@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
|
||||
|
||||
# Setup development env
|
||||
# Usage:
|
||||
# Usage:
|
||||
# LAPTOP_HOST_IP=<YOUR_LAPTOP_IP> make dev-setup
|
||||
# For example:
|
||||
# LAPTOP_HOST_IP=192.168.10.101 make dev-setup
|
||||
@@ -111,7 +123,6 @@ IP.1 = $(LAPTOP_HOST_IP)
|
||||
endef
|
||||
export TLS_CNF
|
||||
dev-setup:
|
||||
kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
|
||||
mkdir -p /tmp/k8s-webhook-server/serving-certs
|
||||
echo "$${TLS_CNF}" > _tls.cnf
|
||||
openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
|
||||
@@ -120,10 +131,13 @@ dev-setup:
|
||||
-config _tls.cnf \
|
||||
-keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
|
||||
-out /tmp/k8s-webhook-server/serving-certs/tls.crt
|
||||
rm -f _tls.cnf
|
||||
$(KUBECTL) create secret tls capsule-tls -n capsule-system \
|
||||
--cert=/tmp/k8s-webhook-server/serving-certs/tls.crt\
|
||||
--key=/tmp/k8s-webhook-server/serving-certs/tls.key || true
|
||||
rm -f _tls.cnf
|
||||
export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
|
||||
export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
|
||||
helm upgrade \
|
||||
$(HELM) upgrade \
|
||||
--dependency-update \
|
||||
--debug \
|
||||
--install \
|
||||
@@ -136,6 +150,7 @@ dev-setup:
|
||||
--set "webhooks.service.caBundle=$${CA_BUNDLE}" \
|
||||
capsule \
|
||||
./charts/capsule
|
||||
$(KUBECTL) -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true
|
||||
|
||||
####################
|
||||
# -- Docker
|
||||
@@ -168,6 +183,14 @@ ko-build-capsule: ko
|
||||
.PHONY: ko-build-all
|
||||
ko-build-all: ko-build-capsule
|
||||
|
||||
.PHONY: docker-build-capsule-trace
|
||||
docker-build-capsule-trace: ko-build-capsule
|
||||
@docker build \
|
||||
--no-cache \
|
||||
--build-arg TARGET_IMAGE=$(CAPSULE_IMG):$(VERSION) \
|
||||
-t $(CAPSULE_IMG):tracing \
|
||||
-f Dockerfile.tracing .
|
||||
|
||||
# Docker Image Publish
|
||||
# ------------------
|
||||
|
||||
@@ -186,99 +209,29 @@ ko-publish-capsule: ko-login ## Build and publish kyvernopre image (with ko)
|
||||
.PHONY: ko-publish-all
|
||||
ko-publish-all: ko-publish-capsule
|
||||
|
||||
####################
|
||||
# -- Binaries
|
||||
####################
|
||||
|
||||
CONTROLLER_GEN := $(shell pwd)/bin/controller-gen
|
||||
CONTROLLER_GEN_VERSION := v0.15.0
|
||||
controller-gen: ## Download controller-gen locally if necessary.
|
||||
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
|
||||
|
||||
GINKGO := $(shell pwd)/bin/ginkgo
|
||||
GINGKO_VERSION := v2.17.2
|
||||
ginkgo: ## Download ginkgo locally if necessary.
|
||||
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
|
||||
|
||||
CT := $(shell pwd)/bin/ct
|
||||
CT_VERSION := v3.10.1
|
||||
ct: ## Download ct locally if necessary.
|
||||
$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
|
||||
|
||||
KIND := $(shell pwd)/bin/kind
|
||||
KIND_VERSION := v0.17.0
|
||||
kind: ## Download kind locally if necessary.
|
||||
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
|
||||
|
||||
KUSTOMIZE := $(shell pwd)/bin/kustomize
|
||||
KUSTOMIZE_VERSION := 3.8.7
|
||||
kustomize: ## Download kustomize locally if necessary.
|
||||
$(call install-kustomize,$(KUSTOMIZE),$(KUSTOMIZE_VERSION))
|
||||
|
||||
KO = $(shell pwd)/bin/ko
|
||||
KO_VERSION = v0.14.1
|
||||
ko:
|
||||
$(call go-install-tool,$(KO),github.com/google/ko@$(KO_VERSION))
|
||||
|
||||
####################
|
||||
# -- Helpers
|
||||
####################
|
||||
pull-upstream:
|
||||
git remote add upstream https://github.com/capsuleproject/capsule.git
|
||||
git fetch --all && git pull upstream
|
||||
|
||||
define install-kustomize
|
||||
@[ -f $(1) ] || { \
|
||||
set -e ;\
|
||||
echo "Installing v$(2)" ;\
|
||||
cd bin ;\
|
||||
wget "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" ;\
|
||||
bash ./install_kustomize.sh $(2) ;\
|
||||
}
|
||||
endef
|
||||
|
||||
# go-install-tool will 'go install' any package $2 and install it to $1.
|
||||
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
|
||||
define go-install-tool
|
||||
@[ -f $(1) ] || { \
|
||||
set -e ;\
|
||||
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
|
||||
}
|
||||
endef
|
||||
|
||||
# Generate bundle manifests and metadata, then validate generated files.
|
||||
bundle: manifests
|
||||
operator-sdk generate kustomize manifests -q
|
||||
kustomize build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
|
||||
operator-sdk bundle validate ./bundle
|
||||
|
||||
# Sorting imports
|
||||
.PHONY: goimports
|
||||
goimports:
|
||||
goimports -w -l -local "github.com/projectcapsule/capsule" .
|
||||
|
||||
GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
|
||||
GOLANGCI_LINT_VERSION = v1.56.2
|
||||
golangci-lint: ## Download golangci-lint locally if necessary.
|
||||
$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
|
||||
|
||||
# Linting code as PR is expecting
|
||||
.PHONY: golint
|
||||
golint: golangci-lint
|
||||
$(GOLANGCI_LINT) run -c .golangci.yml
|
||||
$(GOLANGCI_LINT) run -c .golangci.yml --verbose --fix
|
||||
|
||||
# Running e2e tests in a KinD instance
|
||||
.PHONY: e2e
|
||||
e2e/%: ginkgo
|
||||
$(MAKE) e2e-build/$* && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
|
||||
e2e: ginkgo
|
||||
$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
|
||||
|
||||
e2e-build/%:
|
||||
kind create cluster --wait=60s --name capsule --image=kindest/node:$*
|
||||
make e2e-install
|
||||
e2e-build: kind
|
||||
$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
|
||||
$(MAKE) e2e-install
|
||||
|
||||
.PHONY: e2e-install
|
||||
e2e-install: e2e-load-image
|
||||
helm upgrade \
|
||||
e2e-install: ko-build-all
|
||||
$(MAKE) e2e-load-image CLUSTER_NAME=$(CLUSTER_NAME) IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
|
||||
$(HELM) upgrade \
|
||||
--dependency-update \
|
||||
--debug \
|
||||
--install \
|
||||
@@ -292,19 +245,144 @@ e2e-install: e2e-load-image
|
||||
capsule \
|
||||
./charts/capsule
|
||||
|
||||
.PHONY: trace-install
|
||||
trace-install:
|
||||
helm upgrade \
|
||||
--dependency-update \
|
||||
--debug \
|
||||
--install \
|
||||
--namespace capsule-system \
|
||||
--create-namespace \
|
||||
--set 'manager.resources=null'\
|
||||
--set 'manager.livenessProbe.failureThreshold=10' \
|
||||
--set 'manager.readinessProbe.failureThreshold=10' \
|
||||
--values charts/capsule/ci/tracing-values.yaml \
|
||||
capsule \
|
||||
./charts/capsule
|
||||
|
||||
.PHONY: trace-e2e
|
||||
trace-e2e: kind
|
||||
$(MAKE) docker-build-capsule-trace
|
||||
$(KIND) create cluster --wait=60s --image kindest/node:$(KUBERNETES_SUPPORTED_VERSION) --config hack/kind-cluster.yml
|
||||
$(MAKE) e2e-load-image CLUSTER_NAME=capsule-tracing IMAGE=$(CAPSULE_IMG) VERSION=tracing
|
||||
$(MAKE) trace-install
|
||||
$(MAKE) e2e-exec
|
||||
$(KIND) delete cluster --name capsule-tracing
|
||||
|
||||
.PHONY: trace-unit
|
||||
trace-unit: harpoon
|
||||
$(HARPOON) analyze -e .git/ -e assets/ -e charts/ -e config/ -e docs/ -e e2e/ -e hack/ --directory /tmp/artifacts/ --save
|
||||
$(HARPOON) hunt -D /tmp/results -F harpoon-report.yml --include-cmd-stdout --save
|
||||
|
||||
.PHONY: seccomp
|
||||
seccomp:
|
||||
$(HARPOON) build --add-syscall-sets=dynamic,docker -D /tmp/results --name capsule-seccomp.json --save
|
||||
|
||||
.PHONY: e2e-load-image
|
||||
e2e-load-image: ko-build-all
|
||||
kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
|
||||
e2e-load-image: kind
|
||||
$(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME)
|
||||
|
||||
.PHONY: e2e-exec
|
||||
e2e-exec: ginkgo
|
||||
$(GINKGO) -v -tags e2e ./e2e
|
||||
|
||||
.PHONY: e2e-destroy
|
||||
e2e-destroy:
|
||||
kind delete cluster --name capsule
|
||||
e2e-destroy: kind
|
||||
$(KIND) delete cluster --name capsule
|
||||
|
||||
SPELL_CHECKER = npx spellchecker-cli
|
||||
docs-lint:
|
||||
cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt
|
||||
|
||||
####################
|
||||
# -- Helpers
|
||||
####################
|
||||
pull-upstream:
|
||||
git remote add upstream https://github.com/capsuleproject/capsule.git
|
||||
git fetch --all && git pull upstream
|
||||
|
||||
## Location to install dependencies to
|
||||
LOCALBIN ?= $(shell pwd)/bin
|
||||
$(LOCALBIN):
|
||||
mkdir -p $(LOCALBIN)
|
||||
|
||||
####################
|
||||
# -- Helm Plugins
|
||||
####################
|
||||
|
||||
HELM_SCHEMA_VERSION := ""
|
||||
helm-plugin-schema:
|
||||
@$(HELM) plugin install https://github.com/losisin/helm-values-schema-json.git --version $(HELM_SCHEMA_VERSION) || true
|
||||
|
||||
HELM_DOCS := $(LOCALBIN)/helm-docs
|
||||
HELM_DOCS_VERSION := v1.14.1
|
||||
HELM_DOCS_LOOKUP := norwoodj/helm-docs
|
||||
helm-doc:
|
||||
@test -s $(HELM_DOCS) || \
|
||||
$(call go-install-tool,$(HELM_DOCS),github.com/$(HELM_DOCS_LOOKUP)/cmd/helm-docs@$(HELM_DOCS_VERSION))
|
||||
|
||||
####################
|
||||
# -- Tools
|
||||
####################
|
||||
CONTROLLER_GEN := $(LOCALBIN)/controller-gen
|
||||
CONTROLLER_GEN_VERSION ?= v0.17.2
|
||||
CONTROLLER_GEN_LOOKUP := kubernetes-sigs/controller-tools
|
||||
controller-gen:
|
||||
@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \
|
||||
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
|
||||
|
||||
GINKGO := $(LOCALBIN)/ginkgo
|
||||
ginkgo:
|
||||
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo)
|
||||
|
||||
CT := $(LOCALBIN)/ct
|
||||
CT_VERSION := v3.12.0
|
||||
CT_LOOKUP := helm/chart-testing
|
||||
ct:
|
||||
@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
|
||||
$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
|
||||
|
||||
KIND := $(LOCALBIN)/kind
|
||||
KIND_VERSION := v0.26.0
|
||||
KIND_LOOKUP := kubernetes-sigs/kind
|
||||
kind:
|
||||
@test -s $(KIND) && $(KIND) --version | grep -q $(KIND_VERSION) || \
|
||||
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/kind@$(KIND_VERSION))
|
||||
|
||||
KO := $(LOCALBIN)/ko
|
||||
KO_VERSION := v0.17.1
|
||||
KO_LOOKUP := google/ko
|
||||
ko:
|
||||
@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
|
||||
$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
|
||||
|
||||
GOLANGCI_LINT := $(LOCALBIN)/golangci-lint
|
||||
GOLANGCI_LINT_VERSION := v1.63.4
|
||||
GOLANGCI_LINT_LOOKUP := golangci/golangci-lint
|
||||
golangci-lint: ## Download golangci-lint locally if necessary.
|
||||
@test -s $(GOLANGCI_LINT) && $(GOLANGCI_LINT) -h | grep -q $(GOLANGCI_LINT_VERSION) || \
|
||||
$(call go-install-tool,$(GOLANGCI_LINT),github.com/$(GOLANGCI_LINT_LOOKUP)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
|
||||
|
||||
APIDOCS_GEN := $(LOCALBIN)/crdoc
|
||||
APIDOCS_GEN_VERSION := v0.6.4
|
||||
APIDOCS_GEN_LOOKUP := fybrik/crdoc
|
||||
apidocs-gen: ## Download crdoc locally if necessary.
|
||||
@test -s $(APIDOCS_GEN) && $(APIDOCS_GEN) --version | grep -q $(APIDOCS_GEN_VERSION) || \
|
||||
$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
|
||||
|
||||
HARPOON := $(LOCALBIN)/harpoon
|
||||
HARPOON_VERSION := v0.9.6
|
||||
HARPOON_LOOKUP := alegrey91/harpoon
|
||||
harpoon:
|
||||
@mkdir $(LOCALBIN)
|
||||
@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
|
||||
sudo bash -s -- --install-version $(HARPOON_VERSION) --install-dir $(LOCALBIN)
|
||||
|
||||
# go-install-tool will 'go install' any package $2 and install it to $1.
|
||||
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
|
||||
define go-install-tool
|
||||
[ -f $(1) ] || { \
|
||||
set -e ;\
|
||||
GOBIN=$(LOCALBIN) go install $(2) ;\
|
||||
}
|
||||
endef
|
||||
|
||||
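Review bot: In the new `harpoon` target, `@mkdir $(LOCALBIN)` has no `-p`, so the target fails with "File exists" whenever `bin/` was already created by any other tool target (the `$(LOCALBIN)` rule earlier in this hunk uses `mkdir -p`); it should be `@mkdir -p $(LOCALBIN)`. The next line pipes `curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install` straight into `sudo bash`: the script is fetched from the mutable `main` branch even though `--install-version $(HARPOON_VERSION)` pins the binary, and without `-f` a non-200 response body is what ends up being executed as root. Fetching with `curl -fsSL` from a tagged ref (`.../harpoon/$(HARPOON_VERSION)/install`, if the installer exists at that tag) and checking the downloaded script against a known checksum before running it keeps both developer machines and CI reproducible. Separately, `helm-plugin-schema` passes `--version $(HELM_SCHEMA_VERSION)` with an empty default and appends `|| true`, so an unpinned or failed plugin install is silent; giving the variable a real default version and dropping the `|| true` (or at least echoing a warning) would surface that.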
36
README.md
@@ -40,9 +40,9 @@ Kubernetes introduces the _Namespace_ object type to create logical partitions o
|
||||
|
||||
# Entering Capsule
|
||||
|
||||
Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
|
||||
Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
|
||||
|
||||
On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
|
||||
On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
|
||||
|
||||
# Features
|
||||
|
||||
@@ -76,30 +76,12 @@ Assign to tenants a dedicated set of compute, storage, and network resources and
|
||||
|
||||
# Documentation
|
||||
|
||||
Please, check the project [documentation](https://capsule.clastix.io) for the cool things you can do with Capsule.
|
||||
Please, check the project [documentation](https://projectcapsule.dev) for the cool things you can do with Capsule.
|
||||
|
||||
# Contributions
|
||||
|
||||
Capsule is Open Source with Apache 2 license and any contribution is welcome.
|
||||
|
||||
## Chart Development
|
||||
|
||||
### Chart Linting
|
||||
|
||||
The chart is linted with [ct](https://github.com/helm/chart-testing). You can run the linter locally with this command:
|
||||
|
||||
```
|
||||
make helm-lint
|
||||
```
|
||||
|
||||
### Chart Documentation
|
||||
|
||||
The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation. Run this anytime you make changes to a `values.yaml` file:
|
||||
|
||||
```
|
||||
make helm-docs
|
||||
```
|
||||
|
||||
## Community meeting
|
||||
|
||||
Join the community, share and learn from it. You can find all the resources to how to contribute code and docs, connect with people in the [community repository](https://github.com/projectcapsule/capsule-community).
|
||||
@@ -110,17 +92,19 @@ Please read the [code of conduct](CODE_OF_CONDUCT.md).
|
||||
|
||||
See the [ADOPTERS.md](ADOPTERS.md) file for a list of companies that are using Capsule.
|
||||
|
||||
# Governance
|
||||
# Project Governance
|
||||
|
||||
You can find how the Capsule project is governed [here](https://capsule.clastix.io/docs/contributing/governance).
|
||||
You can find how the Capsule project is governed [here](https://projectcapsule.dev/project/governance/).
|
||||
|
||||
## Maintainers
|
||||
|
||||
Please, refer to the maintainers file available [here](.github/maintainers.yaml).
|
||||
|
||||
## Release process
|
||||
## CLOMonitor
|
||||
|
||||
Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
|
||||
CLOMonitor is a tool that periodically checks open source projects repositories to verify they meet certain project health best practices.
|
||||
|
||||
[](https://clomonitor.io/projects/cncf/capsule)
|
||||
|
||||
### Changelog
|
||||
|
||||
@@ -146,4 +130,4 @@ All OCI release artifacts include a Software Bill of Materials (SBOM) in Cyclone
|
||||
|
||||
- Q. Do you provide commercial support?
|
||||
|
||||
A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote.
|
||||
A. Yes, we're available to help and provide commercial support. [Clastix](https://clastix.io) is the company behind Capsule. Please, contact us for a quote.
|
||||
|
||||
@@ -57,4 +57,3 @@ security-contacts:
|
||||
- type: email
|
||||
value: cncf-capsule-maintainers@lists.cncf.io
|
||||
primary: true
|
||||
|
||||
|
||||
31
SECURITY.md
@@ -6,7 +6,6 @@ The Capsule community has adopted this security disclosures and response policy
|
||||
|
||||
For information regarding the security of this project please join our [slack channel](https://kubernetes.slack.com/archives/C03GETTJQRL).
|
||||
|
||||
|
||||
## Covered Repositories and Issues
|
||||
|
||||
When we say "a security vulnerability in capsule" we mean a security issue
|
||||
@@ -35,7 +34,7 @@ To report a security issue or vulnerability, [submit a private vulnerability rep
|
||||
Describe the issue in English, ideally with some example configuration or code which allows the issue to be reproduced. Explain why you believe this to be a security issue in capsule, if that's not obvious. should contain the following:
|
||||
|
||||
* description of the problem
|
||||
* precise and detailed steps (include screenshots)
|
||||
* precise and detailed steps (include screenshots)
|
||||
* the affected version(s). This may also include environment relevant versions.
|
||||
* any possible mitigations
|
||||
|
||||
@@ -55,19 +54,23 @@ Response times could be affected by weekends, holidays, breaks or time zone diff
|
||||
|
||||
## Verifing
|
||||
|
||||
To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). We have a seperate repository for all the signatures for all the artifacts released under the projectcapsule - `ghcr.io/projectcapsule/signatures`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
|
||||
To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
|
||||
|
||||
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures
|
||||
# Docker Image
|
||||
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
|
||||
|
||||
# Helm Chart
|
||||
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
|
||||
|
||||
To verify the signature of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
|
||||
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
|
||||
--certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/docker-publish.yml@refs/tags/*" \
|
||||
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
|
||||
|
||||
To verify the signature of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
|
||||
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
|
||||
--certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/helm-publish.yml@refs/tags/*" \
|
||||
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
|
||||
|
||||
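Review bot: If the `ghcr.io/projectcapsule/charts/capsule` variant of the image command is the new side, the Docker-image verification now points `COSIGN_REPOSITORY` at the Helm-chart repository while the "Docker Image" export a few lines above says `ghcr.io/projectcapsule/capsule`; cosign would then look for the image signature in the wrong repository and `verify` fails, so the line should read `COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \`. The identity pattern `…@refs/tags/*` is a regexp, so `*` repeats the preceding `/` rather than matching a tag, and the unescaped `.` matches any character; as far as I recall cosign's match is unanchored so the check still passes, but `--certificate-identity-regexp='^https://github\.com/projectcapsule/capsule/\.github/workflows/docker-publish\.yml@refs/tags/v.+$'` (or `--certificate-identity` with the exact tag being verified) states what is actually intended. The heading `Verifing` should read `Verifying`.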
@@ -96,19 +99,23 @@ cosign verify-attestation --type slsaprovenance \
|
||||
|
||||
## Software Bill of Materials (SBOM)
|
||||
|
||||
An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at `ghcr.io/projectcapsule/sbom`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
|
||||
An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each release, including pre-releases. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
|
||||
|
||||
# Docker Image
|
||||
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
|
||||
|
||||
# Helm Chart
|
||||
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
|
||||
|
||||
export COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom
|
||||
|
||||
To inspect the SBOM of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
|
||||
|
||||
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
|
||||
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
|
||||
|
||||
To inspect the SBOM of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
|
||||
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
|
||||
|
||||
COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
|
||||
|
||||
# Credits
|
||||
|
||||
|
||||
@@ -4,9 +4,13 @@
|
||||
package v1beta2
|
||||
|
||||
import (
|
||||
"slices"
|
||||
"sort"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
|
||||
"github.com/projectcapsule/capsule/pkg/api"
|
||||
)
|
||||
|
||||
func (in *Tenant) IsFull() bool {
|
||||
@@ -36,3 +40,128 @@ func (in *Tenant) AssignNamespaces(namespaces []corev1.Namespace) {
|
||||
func (in *Tenant) GetOwnerProxySettings(name string, kind OwnerKind) []ProxySettings {
|
||||
return in.Spec.Owners.FindOwner(name, kind).ProxyOperations
|
||||
}
|
||||
|
||||
// GetClusterRolePermissions returns a map where the clusterRole is the key
|
||||
// and the value is a list of permission subjects (kind and name) that reference that role.
|
||||
// These mappings are gathered from the owners and additionalRolebindings spec.
|
||||
func (in *Tenant) GetSubjectsByClusterRoles(ignoreOwnerKind []OwnerKind) (rolePerms map[string][]rbacv1.Subject) {
|
||||
rolePerms = make(map[string][]rbacv1.Subject)
|
||||
|
||||
// Helper to add permissions for a given clusterRole
|
||||
addPermission := func(clusterRole string, permission rbacv1.Subject) {
|
||||
if _, exists := rolePerms[clusterRole]; !exists {
|
||||
rolePerms[clusterRole] = []rbacv1.Subject{}
|
||||
}
|
||||
|
||||
rolePerms[clusterRole] = append(rolePerms[clusterRole], permission)
|
||||
}
|
||||
|
||||
// Helper to check if a kind is in the ignoreOwnerKind list
|
||||
isIgnoredKind := func(kind string) bool {
|
||||
for _, ignored := range ignoreOwnerKind {
|
||||
if kind == ignored.String() {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// Process owners
|
||||
for _, owner := range in.Spec.Owners {
|
||||
if !isIgnoredKind(owner.Kind.String()) {
|
||||
for _, clusterRole := range owner.ClusterRoles {
|
||||
perm := rbacv1.Subject{
|
||||
Name: owner.Name,
|
||||
Kind: owner.Kind.String(),
|
||||
}
|
||||
addPermission(clusterRole, perm)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Process additional role bindings
|
||||
for _, role := range in.Spec.AdditionalRoleBindings {
|
||||
for _, subject := range role.Subjects {
|
||||
if !isIgnoredKind(subject.Kind) {
|
||||
perm := rbacv1.Subject{
|
||||
Name: subject.Name,
|
||||
Kind: subject.Kind,
|
||||
}
|
||||
addPermission(role.ClusterRoleName, perm)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Get the permissions for a tenant ordered by groups and users.
|
||||
func (in *Tenant) GetClusterRolesBySubject(ignoreOwnerKind []OwnerKind) (maps map[string]map[string]api.TenantSubjectRoles) {
|
||||
maps = make(map[string]map[string]api.TenantSubjectRoles)
|
||||
|
||||
// Initialize a nested map for kind ("User", "Group") and name
|
||||
initNestedMap := func(kind string) {
|
||||
if _, exists := maps[kind]; !exists {
|
||||
maps[kind] = make(map[string]api.TenantSubjectRoles)
|
||||
}
|
||||
}
|
||||
// Helper to check if a kind is in the ignoreOwnerKind list
|
||||
isIgnoredKind := func(kind string) bool {
|
||||
for _, ignored := range ignoreOwnerKind {
|
||||
if kind == ignored.String() {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// Process owners
|
||||
for _, owner := range in.Spec.Owners {
|
||||
if !isIgnoredKind(owner.Kind.String()) {
|
||||
initNestedMap(owner.Kind.String())
|
||||
|
||||
if perm, exists := maps[owner.Kind.String()][owner.Name]; exists {
|
||||
// If the permission entry already exists, append cluster roles
|
||||
perm.ClusterRoles = append(perm.ClusterRoles, owner.ClusterRoles...)
|
||||
maps[owner.Kind.String()][owner.Name] = perm
|
||||
} else {
|
||||
// Create a new permission entry
|
||||
maps[owner.Kind.String()][owner.Name] = api.TenantSubjectRoles{
|
||||
ClusterRoles: owner.ClusterRoles,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Process additional role bindings
|
||||
for _, role := range in.Spec.AdditionalRoleBindings {
|
||||
for _, subject := range role.Subjects {
|
||||
if !isIgnoredKind(subject.Kind) {
|
||||
initNestedMap(subject.Kind)
|
||||
|
||||
if perm, exists := maps[subject.Kind][subject.Name]; exists {
|
||||
// If the permission entry already exists, append cluster roles
|
||||
perm.ClusterRoles = append(perm.ClusterRoles, role.ClusterRoleName)
|
||||
maps[subject.Kind][subject.Name] = perm
|
||||
} else {
|
||||
// Create a new permission entry
|
||||
maps[subject.Kind][subject.Name] = api.TenantSubjectRoles{
|
||||
ClusterRoles: []string{role.ClusterRoleName},
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Remove duplicates from cluster roles in both maps
|
||||
for kind, nameMap := range maps {
|
||||
for name, perm := range nameMap {
|
||||
perm.ClusterRoles = slices.Compact(perm.ClusterRoles)
|
||||
maps[kind][name] = perm
|
||||
}
|
||||
}
|
||||
|
||||
return maps
|
||||
}
|
||||
|
||||
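Review bot: `slices.Compact` at the end of `GetClusterRolesBySubject` only collapses consecutive equal entries, so a role granted to the same subject both as an owner ClusterRole and through a later `additionalRoleBindings` entry (e.g. `cluster-admin, read-only, cluster-admin`) survives the "Remove duplicates" pass, and the subject lists built by `GetSubjectsByClusterRoles` are never de-duplicated at all. It also compacts in place on a slice that starts life as `ClusterRoles: owner.ClusterRoles` (and `append` may reuse that backing array), so the pass can write into `in.Spec.Owners[i].ClusterRoles` of the Tenant it was called on unless callers hand it a DeepCopy. Building the entry from `ClusterRoles: slices.Clone(owner.ClusterRoles)` and replacing the final loop with an order-preserving seen-set keeps the insertion order the tests expect while fixing both. Separately, the `rbacv1.Subject` values built from `role.Subjects` drop `Namespace`, so two ServiceAccounts with the same name in different namespaces collapse into one key — worth confirming that no caller relies on that distinction.
```go
// … unchanged: owner and additionalRoleBindings processing …

// Remove duplicates while keeping first-seen order. A fresh slice is built
// so the Tenant spec's backing arrays are never written through.
for kind, nameMap := range maps {
	for name, perm := range nameMap {
		seen := make(map[string]struct{}, len(perm.ClusterRoles))
		deduped := make([]string, 0, len(perm.ClusterRoles))
		for _, role := range perm.ClusterRoles {
			if _, dup := seen[role]; dup {
				continue
			}
			seen[role] = struct{}{}
			deduped = append(deduped, role)
		}
		perm.ClusterRoles = deduped
		maps[kind][name] = perm
	}
}
```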
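--- a/api/v1beta2/tenant_func_test.go
+++ b/api/v1beta2/tenant_func_test.go
@@ -0,0 +1,192 @@
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+"reflect"
+"testing"
+
+"github.com/projectcapsule/capsule/pkg/api"
+rbacv1 "k8s.io/api/rbac/v1"
+)
+
+var tenant = &Tenant{
+Spec: TenantSpec{
+Owners: []OwnerSpec{
+{
+Kind: "User",
+Name: "user1",
+ClusterRoles: []string{"cluster-admin", "read-only"},
+},
+{
+Kind: "Group",
+Name: "group1",
+ClusterRoles: []string{"edit"},
+},
+{
+Kind: ServiceAccountOwner,
+Name: "service",
+ClusterRoles: []string{"read-only"},
+},
+},
+AdditionalRoleBindings: []api.AdditionalRoleBindingsSpec{
+{
+ClusterRoleName: "developer",
+Subjects: []rbacv1.Subject{
+{Kind: "User", Name: "user2"},
+{Kind: "Group", Name: "group1"},
+},
+},
+{
+ClusterRoleName: "cluster-admin",
+Subjects: []rbacv1.Subject{
+{
+Kind: "User",
+Name: "user3",
+},
+{
+Kind: "Group",
+Name: "group1",
+},
+},
+},
+{
+ClusterRoleName: "deployer",
+Subjects: []rbacv1.Subject{
+{
+Kind: "ServiceAccount",
+Name: "system:serviceaccount:argocd:argo-operator",
+},
+},
+},
+},
+},
+}
+
+// TestGetClusterRolePermissions tests the GetClusterRolePermissions function
+func TestGetSubjectsByClusterRoles(t *testing.T) {
+expected := map[string][]rbacv1.Subject{
+"cluster-admin": {
+{Kind: "User", Name: "user1"},
+{Kind: "User", Name: "user3"},
+{Kind: "Group", Name: "group1"},
+},
+"read-only": {
+{Kind: "User", Name: "user1"},
+{Kind: "ServiceAccount", Name: "service"},
+},
+"edit": {
+{Kind: "Group", Name: "group1"},
+},
+"developer": {
+{Kind: "User", Name: "user2"},
+{Kind: "Group", Name: "group1"},
+},
+"deployer": {
+{Kind: "ServiceAccount", Name: "system:serviceaccount:argocd:argo-operator"},
+},
+}
+
+// Call the function to test
+permissions := tenant.GetSubjectsByClusterRoles(nil)
+
+if !reflect.DeepEqual(permissions, expected) {
+t.Errorf("Expected %v, but got %v", expected, permissions)
+}
+
+// Ignore SubjectTypes (Ignores ServiceAccounts)
+ignored := tenant.GetSubjectsByClusterRoles([]OwnerKind{"ServiceAccount"})
+expectedIgnored := map[string][]rbacv1.Subject{
+"cluster-admin": {
+{Kind: "User", Name: "user1"},
+{Kind: "User", Name: "user3"},
+{Kind: "Group", Name: "group1"},
+},
+"read-only": {
+{Kind: "User", Name: "user1"},
+},
+"edit": {
+{Kind: "Group", Name: "group1"},
+},
+"developer": {
+{Kind: "User", Name: "user2"},
+{Kind: "Group", Name: "group1"},
+},
+}
+
+if !reflect.DeepEqual(ignored, expectedIgnored) {
+t.Errorf("Expected %v, but got %v", expectedIgnored, ignored)
+}
+
+}
+
+func TestGetClusterRolesBySubject(t *testing.T) {
+
+expected := map[string]map[string]api.TenantSubjectRoles{
+"User": {
+"user1": {
+ClusterRoles: []string{"cluster-admin", "read-only"},
+},
+"user2": {
+ClusterRoles: []string{"developer"},
+},
+"user3": {
+ClusterRoles: []string{"cluster-admin"},
+},
+},
+"Group": {
+"group1": {
+ClusterRoles: []string{"edit", "developer", "cluster-admin"},
+},
+},
+"ServiceAccount": {
+"service": {
+ClusterRoles: []string{"read-only"},
+},
+"system:serviceaccount:argocd:argo-operator": {
+ClusterRoles: []string{"deployer"},
+},
+},
+}
+
+permissions := tenant.GetClusterRolesBySubject(nil)
+if !reflect.DeepEqual(permissions, expected) {
+t.Errorf("Expected %v, but got %v", expected, permissions)
+}
+
+delete(expected, "ServiceAccount")
+ignored := tenant.GetClusterRolesBySubject([]OwnerKind{"ServiceAccount"})
+
+if !reflect.DeepEqual(ignored, expected) {
+t.Errorf("Expected %v, but got %v", expected, ignored)
+}
+}
+
+// Helper function to run tests
+func TestMain(t *testing.M) {
+t.Run()
+}
+
+// permissionsEqual checks the equality of two TenantPermission structs.
+func permissionsEqual(a, b api.TenantSubjectRoles) bool {
+if a.Kind != b.Kind {
+return false
+}
+if len(a.ClusterRoles) != len(b.ClusterRoles) {
+return false
+}
+
+// Create a map to count occurrences of cluster roles
+counts := make(map[string]int)
+for _, role := range a.ClusterRoles {
+counts[role]++
+}
+for _, role := range b.ClusterRoles {
+counts[role]--
+if counts[role] < 0 {
+return false // More occurrences in b than in a
+}
+}
+return true
+}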
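Review bot: The fixture never exercises the case the de-duplication in `GetClusterRolesBySubject` exists for — no subject receives the same role twice — so a non-adjacent repeat, which `slices.Compact` does not remove, would pass unnoticed; adding `{Kind: "User", Name: "user1"}` to the `cluster-admin` additionalRoleBinding and still expecting `user1` to hold exactly `cluster-admin, read-only` would pin that behaviour. `permissionsEqual` is declared but never called (both tests compare with the order-sensitive `reflect.DeepEqual` instead) and `TestMain` only forwards to `t.Run()` without `os.Exit`, so both can be dropped. The ServiceAccount subject is written as `Name: "system:serviceaccount:argocd:argo-operator"`, whereas an RBAC `ServiceAccount` subject carries `Name` plus `Namespace`; this hides that the code under test ignores `Namespace`, and a `{Kind: "ServiceAccount", Name: "argo-operator", Namespace: "argocd"}` fixture would make the expected key explicit. Because `tenant` is a shared package-level pointer and the production code compacts slices in place, later tests may observe a fixture mutated by earlier ones; a small constructor returning a fresh `*Tenant` per test avoids that.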
@@ -43,7 +43,7 @@ type TenantSpec struct {
|
||||
// Specifies the allowed RuntimeClasses assigned to the Tenant.
|
||||
// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
|
||||
// Optional.
|
||||
RuntimeClasses *api.SelectorAllowedListSpec `json:"runtimeClasses,omitempty"`
|
||||
RuntimeClasses *api.DefaultAllowedListSpec `json:"runtimeClasses,omitempty"`
|
||||
// Specifies the allowed priorityClasses assigned to the Tenant.
|
||||
// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses.
|
||||
// A default value can be specified, and all the Pod resources created will inherit the declared class.
|
||||
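Review bot: The doc comment on `RuntimeClasses` was not updated for the type change: it still describes a pure allow-list ("can use only one of the allowed RuntimeClasses") while the field now uses `api.DefaultAllowedListSpec`, the same type `PriorityClasses` uses and whose comment promises a default that created Pods inherit, so the comment should state whether a `default` RuntimeClass is applied to Pods that name none, e.g. add `// A default value can be specified, and all the Pod resources created will inherit the declared class.` if the mutating webhook does that. Swapping `SelectorAllowedListSpec` for `DefaultAllowedListSpec` inside the served `v1beta2` version also means any selector-only fields are pruned from stored Tenants by the regenerated CRD schema, which can silently change which RuntimeClasses a tenant may use; neither struct is visible from here, so if the new type still carries a selector this is moot, otherwise a migration note in the chart README/changelog is warranted. `TenantSpec` continues outside the hunk.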
@@ -56,6 +56,15 @@ type TenantSpec struct {
|
||||
// When enabled, the deletion request will be declined.
|
||||
//+kubebuilder:default:=false
|
||||
PreventDeletion bool `json:"preventDeletion,omitempty"`
|
||||
// Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
|
||||
// When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
|
||||
// separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
|
||||
// this is useful to avoid Namespace name collision.
|
||||
// When set to 'false', it allows Namespaces created for this Tenant to be named anything.
|
||||
// Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
|
||||
// If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
|
||||
// Optional
|
||||
ForceTenantPrefix *bool `json:"forceTenantPrefix,omitempty"`
|
||||
}
|
||||
|
||||
// +kubebuilder:object:root=true
|
||||
|
||||
@@ -755,7 +755,7 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
|
||||
}
|
||||
if in.RuntimeClasses != nil {
|
||||
in, out := &in.RuntimeClasses, &out.RuntimeClasses
|
||||
*out = new(api.SelectorAllowedListSpec)
|
||||
*out = new(api.DefaultAllowedListSpec)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.PriorityClasses != nil {
|
||||
@@ -763,6 +763,11 @@ func (in *TenantSpec) DeepCopyInto(out *TenantSpec) {
|
||||
*out = new(api.DefaultAllowedListSpec)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.ForceTenantPrefix != nil {
|
||||
in, out := &in.ForceTenantPrefix, &out.ForceTenantPrefix
|
||||
*out = new(bool)
|
||||
**out = **in
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantSpec.
|
||||
|
||||
@@ -22,3 +22,4 @@
|
||||
*.tmproj
|
||||
.vscode/
|
||||
README.md.gotmpl
|
||||
artifacthub-repo.yml
|
||||
|
||||
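--- a/charts/capsule/.schema.yaml
+++ b/charts/capsule/.schema.yaml
@@ -0,0 +1,4 @@
+input:
+- values.yaml
+- ci/test-values.yaml
+- ci/proxy-values.yaml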
@@ -1,6 +1,6 @@
|
||||
dependencies:
|
||||
- name: capsule-proxy
|
||||
repository: oci://ghcr.io/projectcapsule/charts
|
||||
version: 0.6.0
|
||||
digest: sha256:4cf05b352f1c38a821081cc01ac5f2a84ed7d68514a5b98e63edba5ab1c7b19e
|
||||
generated: "2024-03-05T17:09:58.383699+01:00"
|
||||
version: 0.9.1
|
||||
digest: sha256:509f9d3d3c0181d9e5a410524d4767a687d8176620d24f7e460f354f18c0a5f8
|
||||
generated: "2025-02-10T13:33:33.19014368Z"
|
||||
|
||||
@@ -6,7 +6,7 @@ home: https://github.com/projectcapsule/capsule
|
||||
icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
|
||||
dependencies:
|
||||
- name: capsule-proxy
|
||||
version: 0.6.0
|
||||
version: 0.9.1
|
||||
repository: "oci://ghcr.io/projectcapsule/charts"
|
||||
condition: proxy.enabled
|
||||
alias: proxy
|
||||
@@ -25,9 +25,9 @@ name: capsule
|
||||
sources:
|
||||
- https://github.com/projectcapsule/capsule
|
||||
# Note: The version is overwritten by the release workflow.
|
||||
version: 0.6.0
|
||||
version: 0.0.0
|
||||
# Note: The version is overwritten by the release workflow.
|
||||
appVersion: 0.5.0
|
||||
appVersion: 0.0.0
|
||||
annotations:
|
||||
artifacthub.io/operator: "true"
|
||||
artifacthub.io/prerelease: "false"
|
||||
@@ -41,6 +41,4 @@ annotations:
|
||||
url: https://projectcapsule.dev/
|
||||
artifacthub.io/changes: |
|
||||
- kind: added
|
||||
description: bundled crd lifecycle
|
||||
- kind: changed
|
||||
description: removed PodSecurityPolicy support
|
||||
description: oci chart reference
|
||||
|
||||
@@ -35,6 +35,8 @@ The following Values have changed key or Value:
|
||||
|
||||
## Installation
|
||||
|
||||
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
|
||||
|
||||
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
|
||||
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
|
||||
|
||||
@@ -93,33 +95,43 @@ Here the values you can override:
|
||||
| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
|
||||
| crds.labels | object | `{}` | Extra Labels for CRDs |
|
||||
|
||||
### Global Parameters
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| global.jobs.kubectl.affinity | object | `{}` | Set affinity rules |
|
||||
| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the certgen job. |
|
||||
| global.jobs.kubectl.backoffLimit | int | `4` | Backofflimit for jobs |
|
||||
| global.jobs.kubectl.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
|
||||
| global.jobs.kubectl.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
|
||||
| global.jobs.kubectl.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
|
||||
| global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
|
||||
| global.jobs.kubectl.imagePullSecrets | list | `[]` | ImagePullSecrets |
|
||||
| global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
|
||||
| global.jobs.kubectl.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
|
||||
| global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
|
||||
| global.jobs.kubectl.resources | object | `{}` | Job resources |
|
||||
| global.jobs.kubectl.restartPolicy | string | `"Never"` | Set the restartPolicy |
|
||||
| global.jobs.kubectl.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
|
||||
| global.jobs.kubectl.tolerations | list | `[]` | Set list of tolerations |
|
||||
| global.jobs.kubectl.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
|
||||
| global.jobs.kubectl.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
|
||||
|
||||
### General Parameters
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| affinity | object | `{}` | Set affinity rules for the Capsule pod |
|
||||
| certManager.additionalSANS | list | `[]` | Specify additional SANS to add to the certificate |
|
||||
| certManager.generateCertificates | bool | `false` | Specifies whether capsule webhooks certificates should be generated using cert-manager |
|
||||
| customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
|
||||
| customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
|
||||
| imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
|
||||
| jobs.affinity | object | `{}` | Set affinity rules |
|
||||
| jobs.annotations | object | `{"helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded"}` | Annotations to add to the certgen job. |
|
||||
| jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
|
||||
| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
|
||||
| jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
|
||||
| jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
|
||||
| jobs.nodeSelector | object | `{}` | Set the node selector |
|
||||
| jobs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
|
||||
| jobs.priorityClassName | string | `""` | Set a pod priorityClassName |
|
||||
| jobs.resources | object | `{}` | Job resources |
|
||||
| jobs.restartPolicy | string | `"Never"` | Set the restartPolicy |
|
||||
| jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
|
||||
| jobs.tolerations | list | `[]` | Set list of tolerations |
|
||||
| jobs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
|
||||
| jobs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
|
||||
| jobs | object | `{}` | Deprecated, use .global.jobs.kubectl instead |
|
||||
| nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
|
||||
| podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
|
||||
| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
|
||||
| ports | list | `[]` | Set additional ports for the deployment |
|
||||
| priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
|
||||
| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
|
||||
| replicaCount | int | `1` | Set the replica count for capsule pod |
|
||||
@@ -138,6 +150,7 @@ Here the values you can override:
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
|
||||
| manager.hostPID | bool | `false` | Specifies if the container should be started in hostPID mode. |
|
||||
| manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
|
||||
| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
|
||||
| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
|
||||
@@ -156,6 +169,9 @@ Here the values you can override:
|
||||
| manager.rbac.existingRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
|
||||
| manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
|
||||
| manager.resources | object | `{}` | Set the resource requests/limits for the Capsule manager container |
|
||||
| manager.securityContext | object | `{}` | Set the securityContext for the Capsule container |
|
||||
| manager.volumeMounts | list | `[]` | Set the additional volumeMounts needed for the Capsule manager container |
|
||||
| manager.volumes | list | `[]` | Set the additional volumes needed for the Capsule manager container |
|
||||
| manager.webhookPort | int | `9443` | Set an alternative to the default container port. Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |
|
||||
|
||||
### ServiceMonitor Parameters
|
||||
|
||||
@@ -16,7 +16,7 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
|
||||
|
||||
* A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions.
|
||||
|
||||
## Major Changes
|
||||
## Major Changes
|
||||
|
||||
In the following sections you see actions which are required when you are upgrading to a specific version.
|
||||
|
||||
@@ -25,7 +25,7 @@ In the following sections you see actions which are required when you are upgrad
|
||||
Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
|
||||
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default.
|
||||
|
||||
#### Changed Values
|
||||
#### Changed Values
|
||||
|
||||
The following Values have changed key or Value:
|
||||
|
||||
@@ -36,6 +36,8 @@ The following Values have changed key or Value:
|
||||
|
||||
## Installation
|
||||
|
||||
**When using OCI we recommend our dedicated [OCI Repository](https://artifacthub.io/packages/helm/capsule/capsule) for this chart**
|
||||
|
||||
The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release.
|
||||
The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster.
|
||||
|
||||
@@ -95,13 +97,22 @@ Here the values you can override:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
### Global Parameters
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
{{- range .Values }}
|
||||
{{- if (hasPrefix "global" .Key) }}
|
||||
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
### General Parameters
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
{{- range .Values }}
|
||||
{{- if not (or (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }}
|
||||
{{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }}
|
||||
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
4
charts/capsule/artifacthub-repo.yml
Normal file
@@ -0,0 +1,4 @@
|
||||
repositoryID: 783775bb-96c2-4915-8c7d-ba4a1118323c
|
||||
owners:
|
||||
- name: capsule-maintainers
|
||||
email: cncf-capsule-maintainers@lists.cncf.io
|
||||
38
charts/capsule/ci/tracing-values.yaml
Normal file
@@ -0,0 +1,38 @@
|
||||
# Custome values for capsule tracing.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
manager:
|
||||
image:
|
||||
registry: ghcr.io
|
||||
repository: projectcapsule/capsule
|
||||
pullPolicy: Never
|
||||
tag: tracing
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
volumes:
|
||||
- name: debugfs
|
||||
hostPath:
|
||||
path: /sys/kernel/debug
|
||||
type: Directory
|
||||
- name: data
|
||||
hostPath:
|
||||
path: /tmp/results
|
||||
type: Directory
|
||||
volumeMounts:
|
||||
- name: debugfs
|
||||
mountPath: /sys/kernel/debug
|
||||
- mountPath: /tmp/results
|
||||
name: data
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- SYS_ADMIN
|
||||
- NET_ADMIN
|
||||
- PERFOM
|
||||
privileged: true
|
||||
podSecurityContext:
|
||||
seccompProfile:
|
||||
type: "Unconfined"
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
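Review bot: `PERFOM` in `securityContext.capabilities.add` is not a Linux capability — the one meant is spelled `PERFMON` (CAP_PERFMON) — and an unknown capability name makes the container runtime refuse to create the container, so the pod never starts; with `privileged: true` on the same container the whole `add` list is redundant anyway and can simply be removed. This file sits in `charts/capsule/ci/`, which chart-testing scans for `*-values.yaml` and feeds to every `ct lint`/`ct install` run, so if `ct` is wired into CI this root, hostPID/hostNetwork, seccomp-`Unconfined` configuration with a `/sys/kernel/debug` hostPath and a local-only `tag: tracing` (`pullPolicy: Never`) would be installed on the CI cluster, or fail the run, on every change; keeping it outside `ci/` or under a name `ct` is told to ignore avoids that. It is also absent from the new `.schema.yaml` `input` list, so whatever schema is derived from those files is never checked against it. The header comment reads `Custome`; `Custom` was meant.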
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
controller-gen.kubebuilder.io/version: v0.17.2
|
||||
name: capsuleconfigurations.capsule.clastix.io
|
||||
spec:
|
||||
group: capsule.clastix.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
controller-gen.kubebuilder.io/version: v0.17.2
|
||||
name: globaltenantresources.capsule.clastix.io
|
||||
spec:
|
||||
group: capsule.clastix.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
controller-gen.kubebuilder.io/version: v0.17.2
|
||||
name: tenantresources.capsule.clastix.io
|
||||
spec:
|
||||
group: capsule.clastix.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
controller-gen.kubebuilder.io/version: v0.17.2
|
||||
name: tenants.capsule.clastix.io
|
||||
spec:
|
||||
group: capsule.clastix.io
|
||||
@@ -165,16 +165,12 @@ spec:
|
||||
description: |-
|
||||
Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
|
||||
|
||||
|
||||
- Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.
|
||||
|
||||
|
||||
- Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.
|
||||
|
||||
|
||||
- Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.
|
||||
|
||||
|
||||
Optional.
|
||||
enum:
|
||||
- Cluster
|
||||
@@ -351,7 +347,6 @@ spec:
|
||||
If present, only traffic on the specified protocol AND port will be matched.
|
||||
x-kubernetes-int-or-string: true
|
||||
protocol:
|
||||
default: TCP
|
||||
description: |-
|
||||
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
|
||||
If not specified, this field defaults to TCP.
|
||||
@@ -398,7 +393,6 @@ spec:
|
||||
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
|
||||
standard label selector semantics; if present but empty, it selects all namespaces.
|
||||
|
||||
|
||||
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the namespaces selected by namespaceSelector.
|
||||
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
|
||||
@@ -452,7 +446,6 @@ spec:
|
||||
podSelector is a label selector which selects pods. This field follows standard label
|
||||
selector semantics; if present but empty, it selects all pods.
|
||||
|
||||
|
||||
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
|
||||
Otherwise it selects the pods matching podSelector in the policy's own namespace.
|
||||
@@ -560,7 +553,6 @@ spec:
|
||||
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
|
||||
standard label selector semantics; if present but empty, it selects all namespaces.
|
||||
|
||||
|
||||
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the namespaces selected by namespaceSelector.
|
||||
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
|
||||
@@ -614,7 +606,6 @@ spec:
|
||||
podSelector is a label selector which selects pods. This field follows standard label
|
||||
selector semantics; if present but empty, it selects all pods.
|
||||
|
||||
|
||||
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
|
||||
Otherwise it selects the pods matching podSelector in the policy's own namespace.
|
||||
@@ -696,7 +687,6 @@ spec:
|
||||
If present, only traffic on the specified protocol AND port will be matched.
|
||||
x-kubernetes-int-or-string: true
|
||||
protocol:
|
||||
default: TCP
|
||||
description: |-
|
||||
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
|
||||
If not specified, this field defaults to TCP.
|
||||
@@ -1159,6 +1149,17 @@ spec:
|
||||
description: Toggling the Tenant resources cordoning, when enable
|
||||
resources cannot be deleted.
|
||||
type: boolean
|
||||
forceTenantPrefix:
|
||||
description: |-
|
||||
Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
|
||||
When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
|
||||
separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
|
||||
this is useful to avoid Namespace name collision.
|
||||
When set to 'false', it allows Namespaces created for this Tenant to be named anything.
|
||||
Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
|
||||
If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
|
||||
Optional
|
||||
type: boolean
|
||||
imagePullPolicies:
|
||||
description: Specify the allowed values for the imagePullPolicies
|
||||
option in Pod resources. Capsule assures that all Pod resources
|
||||
@@ -1254,16 +1255,12 @@ spec:
|
||||
description: |-
|
||||
Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
|
||||
|
||||
|
||||
- Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.
|
||||
|
||||
|
||||
- Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.
|
||||
|
||||
|
||||
- Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.
|
||||
|
||||
|
||||
Optional.
|
||||
enum:
|
||||
- Cluster
|
||||
@@ -1462,7 +1459,6 @@ spec:
|
||||
If present, only traffic on the specified protocol AND port will be matched.
|
||||
x-kubernetes-int-or-string: true
|
||||
protocol:
|
||||
default: TCP
|
||||
description: |-
|
||||
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
|
||||
If not specified, this field defaults to TCP.
|
||||
@@ -1509,7 +1505,6 @@ spec:
|
||||
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
|
||||
standard label selector semantics; if present but empty, it selects all namespaces.
|
||||
|
||||
|
||||
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the namespaces selected by namespaceSelector.
|
||||
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
|
||||
@@ -1563,7 +1558,6 @@ spec:
|
||||
podSelector is a label selector which selects pods. This field follows standard label
|
||||
selector semantics; if present but empty, it selects all pods.
|
||||
|
||||
|
||||
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
|
||||
Otherwise it selects the pods matching podSelector in the policy's own namespace.
|
||||
@@ -1671,7 +1665,6 @@ spec:
|
||||
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
|
||||
standard label selector semantics; if present but empty, it selects all namespaces.
|
||||
|
||||
|
||||
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the namespaces selected by namespaceSelector.
|
||||
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
|
||||
@@ -1725,7 +1718,6 @@ spec:
|
||||
podSelector is a label selector which selects pods. This field follows standard label
|
||||
selector semantics; if present but empty, it selects all pods.
|
||||
|
||||
|
||||
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
|
||||
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
|
||||
Otherwise it selects the pods matching podSelector in the policy's own namespace.
|
||||
@@ -1807,7 +1799,6 @@ spec:
|
||||
If present, only traffic on the specified protocol AND port will be matched.
|
||||
x-kubernetes-int-or-string: true
|
||||
protocol:
|
||||
default: TCP
|
||||
description: |-
|
||||
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
|
||||
If not specified, this field defaults to TCP.
|
||||
@@ -2139,6 +2130,8 @@ spec:
|
||||
type: array
|
||||
allowedRegex:
|
||||
type: string
|
||||
default:
|
||||
type: string
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements.
|
||||
The requirements are ANDed.
|
||||
|
||||
@@ -105,10 +105,12 @@ Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
|
||||
Create the jobs fully-qualified Docker image to use
|
||||
*/}}
|
||||
{{- define "capsule.jobsFullyQualifiedDockerImage" -}}
|
||||
{{- if .Values.jobs.image.tag }}
|
||||
{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
|
||||
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
|
||||
|
||||
{{- if $Values.image.tag }}
|
||||
{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository $Values.image.tag -}}
|
||||
{{- else }}
|
||||
{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
|
||||
{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
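Review bot: `mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs` on the new line of `capsule.jobsFullyQualifiedDockerImage` merges into its first argument in place, so `.Values.global.jobs.kubectl` is rewritten with the `jobs` overrides the first time any template evaluates it, and any later template that reads `global.jobs.kubectl` directly sees the merged values instead of the chart defaults; the same expression is repeated in the job templates below (`@@ -1,3 +1,6 @@` and the two `@@ -1,3 +1,5 @@` hunks). Merging into a copy keeps the global values intact, e.g. `{{- $Values := mergeOverwrite (deepCopy $.Values.global.jobs.kubectl) $.Values.jobs -}}`. Since the line now appears in four templates, defining it once as a named helper would also keep the precedence rule in one place.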
@@ -27,6 +27,9 @@ spec:
|
||||
dnsNames:
|
||||
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
|
||||
- {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
|
||||
{{- range .Values.certManager.additionalSANS }}
|
||||
- {{ toYaml . }}
|
||||
{{- end }}
|
||||
issuerRef:
|
||||
kind: Issuer
|
||||
name: {{ include "capsule.fullname" . }}-webhook-selfsigned
|
||||
|
||||
@@ -26,3 +26,4 @@ spec:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
@@ -4,9 +4,6 @@
|
||||
|
||||
{{- define "capsule.crds.annotations" -}}
|
||||
"helm.sh/hook": "pre-install,pre-upgrade"
|
||||
{{- with $.Values.jobs.annotations }}
|
||||
{{- . | toYaml | nindent 0 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "capsule.crds.component" -}}
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
{{/* Backwards compatibility */}}
|
||||
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
|
||||
|
||||
{{- if .Values.crds.install }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@@ -8,12 +11,16 @@ metadata:
|
||||
# create hook dependencies in the right order
|
||||
"helm.sh/hook-weight": "-1"
|
||||
{{- include "capsule.crds.annotations" . | nindent 4 }}
|
||||
{{- with $Values.annotations }}
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
|
||||
{{- include "capsule.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
|
||||
ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
|
||||
backoffLimit: {{ $Values.backoffLimit }}
|
||||
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
|
||||
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
@@ -22,31 +29,31 @@ spec:
|
||||
app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
|
||||
{{- include "capsule.selectorLabels" . | nindent 8 }}
|
||||
spec:
|
||||
restartPolicy: {{ $.Values.jobs.restartPolicy }}
|
||||
{{- with $.Values.jobs.podSecurityContext }}
|
||||
restartPolicy: {{ $Values.restartPolicy }}
|
||||
{{- with $Values.podSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.nodeSelector }}
|
||||
{{- with $Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.affinity }}
|
||||
{{- with $Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.tolerations }}
|
||||
{{- with $Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.topologySpreadConstraints }}
|
||||
{{- with $Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.priorityClassName }}
|
||||
{{- with $Values.priorityClassName }}
|
||||
priorityClassName: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
{{- with $Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
@@ -54,8 +61,8 @@ spec:
|
||||
containers:
|
||||
- name: crds-hook
|
||||
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
|
||||
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
|
||||
{{- with $.Values.jobs.securityContext }}
|
||||
imagePullPolicy: {{ $Values.image.pullPolicy }}
|
||||
{{- with $Values.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
@@ -75,7 +82,7 @@ spec:
|
||||
mountPath: /data/{{ $path | base }}
|
||||
subPath: {{ $path | base }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.resources }}
|
||||
{{- with $Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
@@ -91,6 +98,4 @@ spec:
|
||||
path: {{ $path | base }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
restartPolicy: Never
|
||||
backoffLimit: 4
|
||||
{{- end }}
|
||||
@@ -37,6 +37,11 @@ spec:
|
||||
hostNetwork: true
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
{{- end }}
|
||||
{{- if .Values.manager.hostPID }}
|
||||
hostPID: {{ .Values.manager.hostPID }}
|
||||
{{- else }}
|
||||
hostPID: false
|
||||
{{- end }}
|
||||
priorityClassName: {{ .Values.priorityClassName }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
@@ -59,13 +64,16 @@ spec:
|
||||
secret:
|
||||
defaultMode: 420
|
||||
secretName: {{ include "capsule.secretTlsName" . }}
|
||||
{{- if .Values.manager.volumes }}
|
||||
{{- toYaml .Values.manager.volumes | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: manager
|
||||
args:
|
||||
- --webhook-port={{ .Values.manager.webhookPort }}
|
||||
- --enable-leader-election
|
||||
- --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
|
||||
- --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
|
||||
- --webhook-port={{ .Values.manager.webhookPort }}
|
||||
- --enable-leader-election
|
||||
- --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
|
||||
- --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
|
||||
image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
|
||||
imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
|
||||
env:
|
||||
@@ -74,23 +82,35 @@ spec:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
{{- if not (.Values.manager.hostNetwork) }}
|
||||
- name: webhook-server
|
||||
containerPort: {{ .Values.manager.webhookPort }}
|
||||
protocol: TCP
|
||||
- name: metrics
|
||||
containerPort: 8080
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
{{- with .Values.manager.ports }}
|
||||
{{- . | nindent 12 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
{{- toYaml .Values.manager.livenessProbe | nindent 12}}
|
||||
readinessProbe:
|
||||
{{- toYaml .Values.manager.readinessProbe | nindent 12}}
|
||||
volumeMounts:
|
||||
- mountPath: /tmp/k8s-webhook-server/serving-certs
|
||||
name: cert
|
||||
readOnly: true
|
||||
- mountPath: /tmp/k8s-webhook-server/serving-certs
|
||||
name: cert
|
||||
readOnly: true
|
||||
{{- if .Values.manager.volumeMounts }}
|
||||
{{- toYaml .Values.manager.volumeMounts | nindent 12 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.manager.resources | nindent 12 }}
|
||||
securityContext:
|
||||
{{- if .Values.manager.securityContext }}
|
||||
{{- toYaml .Values.manager.securityContext | nindent 12 }}
|
||||
{{- else }}
|
||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
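Review bot: `{{- . | nindent 12 }}` under `{{- with .Values.manager.ports }}` pipes the raw value into `nindent`, which takes a string, so setting `manager.ports` (an array per the new values schema) will either fail to render or emit Go's list syntax instead of YAML; it should be `{{- toYaml . | nindent 12 }}`, matching the `volumeMounts` block just below. Separately, `{{- if not (.Values.manager.hostNetwork) }}` now omits the `webhook-server` and `metrics` container ports whenever hostNetwork is set, so anything that resolves those ports by name (a Service or ServiceMonitor, not visible here) would need the operator to re-declare them in `manager.ports`; a comment stating that expectation above the `if` would help. The enclosing container block continues outside the hunk.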
@@ -29,6 +29,7 @@ webhooks:
|
||||
- CREATE
|
||||
resources:
|
||||
- pods
|
||||
scope: "Namespaced"
|
||||
namespaceSelector:
|
||||
{{- toYaml .namespaceSelector | nindent 4}}
|
||||
sideEffects: None
|
||||
@@ -50,6 +51,7 @@ webhooks:
|
||||
- CREATE
|
||||
resources:
|
||||
- persistentvolumeclaims
|
||||
scope: "Namespaced"
|
||||
namespaceSelector:
|
||||
{{- toYaml .namespaceSelector | nindent 4}}
|
||||
sideEffects: None
|
||||
@@ -73,6 +75,7 @@ webhooks:
|
||||
- UPDATE
|
||||
resources:
|
||||
- ingresses
|
||||
scope: "Namespaced"
|
||||
namespaceSelector:
|
||||
{{- toYaml .namespaceSelector | nindent 4}}
|
||||
sideEffects: None
|
||||
|
||||
@@ -4,9 +4,6 @@
|
||||
|
||||
{{- define "capsule.post-install.annotations" -}}
|
||||
"helm.sh/hook": post-install
|
||||
{{- with $.Values.jobs.annotations }}
|
||||
{{- . | toYaml | nindent 0 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "capsule.post-install.component" -}}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
|
||||
|
||||
{{- if .Values.tls.create }}
|
||||
{{- if not $.Values.crds.exclusive }}
|
||||
apiVersion: batch/v1
|
||||
@@ -10,41 +12,45 @@ metadata:
|
||||
annotations:
|
||||
"helm.sh/hook-weight": "-1"
|
||||
{{- include "capsule.post-install.annotations" . | nindent 4 }}
|
||||
{{- with .Values.customAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- with $Values.annotations }}
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $Values.backoffLimit }}
|
||||
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
|
||||
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }}
|
||||
{{- include "capsule.selectorLabels" . | nindent 8 }}
|
||||
spec:
|
||||
restartPolicy: {{ $.Values.jobs.restartPolicy }}
|
||||
{{- with $.Values.jobs.podSecurityContext }}
|
||||
restartPolicy: {{ $Values.restartPolicy }}
|
||||
{{- with $Values.podSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.nodeSelector }}
|
||||
{{- with $Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.affinity }}
|
||||
{{- with $Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.tolerations }}
|
||||
{{- with $Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.topologySpreadConstraints }}
|
||||
{{- with $Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.priorityClassName }}
|
||||
{{- with $Values.priorityClassName }}
|
||||
priorityClassName: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
{{- with $Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
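Review bot: the `annotations:` block of the post-install Job now takes only `$Values.annotations`, so `.Values.customAnnotations` is no longer applied to it, while the chart still exposes `customAnnotations` (the new values schema lists it) and the `capsule.post-install.annotations` helper shown above does not add it; the pre-delete Job hunk `@@ -10,12 +12,13 @@ metadata:` drops it the same way. If this is intended it deserves a line in the chart's upgrade notes; otherwise keep `{{- with .Values.customAnnotations }}{{- toYaml . | nindent 4 }}{{- end }}` next to the new block. The metadata block starts outside the hunk.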
@@ -52,7 +58,7 @@ spec:
|
||||
containers:
|
||||
- name: post-install
|
||||
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
|
||||
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
|
||||
imagePullPolicy: {{ $Values.image.pullPolicy }}
|
||||
command:
|
||||
- "sh"
|
||||
- "-c"
|
||||
@@ -66,11 +72,11 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with $.Values.jobs.securityContext }}
|
||||
{{- with $Values.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.resources }}
|
||||
{{- with $Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
|
||||
|
||||
{{- if not $.Values.crds.exclusive }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
@@ -10,12 +12,13 @@ metadata:
|
||||
annotations:
|
||||
"helm.sh/hook-weight": "-1"
|
||||
{{- include "capsule.pre-delete.annotations" . | nindent 4 }}
|
||||
{{- with .Values.customAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- with $Values.annotations }}
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
|
||||
ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
|
||||
backoffLimit: {{ $Values.backoffLimit }}
|
||||
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
|
||||
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
@@ -23,31 +26,31 @@ spec:
|
||||
app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }}
|
||||
{{- include "capsule.selectorLabels" . | nindent 8 }}
|
||||
spec:
|
||||
restartPolicy: {{ $.Values.jobs.restartPolicy }}
|
||||
{{- with $.Values.jobs.podSecurityContext }}
|
||||
restartPolicy: {{ $Values.restartPolicy }}
|
||||
{{- with $Values.podSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.nodeSelector }}
|
||||
{{- with $Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.affinity }}
|
||||
{{- with $Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.tolerations }}
|
||||
{{- with $Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.topologySpreadConstraints }}
|
||||
{{- with $Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.priorityClassName }}
|
||||
{{- with $Values.priorityClassName }}
|
||||
priorityClassName: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
{{- with $Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
@@ -55,7 +58,7 @@ spec:
|
||||
containers:
|
||||
- name: pre-delete-job
|
||||
image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
|
||||
imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
|
||||
imagePullPolicy: {{ $Values.image.pullPolicy }}
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-c"
|
||||
@@ -71,11 +74,11 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with $.Values.jobs.securityContext }}
|
||||
{{- with $Values.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.jobs.resources }}
|
||||
{{- with $Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
|
||||
810
charts/capsule/values.schema.json
Normal file
@@ -0,0 +1,810 @@
|
||||
{
|
||||
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
||||
"properties": {
|
||||
"affinity": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"certManager": {
|
||||
"properties": {
|
||||
"additionalSANS": {
|
||||
"type": "array"
|
||||
},
|
||||
"generateCertificates": {
|
||||
"type": "boolean"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"crds": {
|
||||
"properties": {
|
||||
"annnotations": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"exclusive": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"install": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"labels": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"customAnnotations": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"customLabels": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"fullnameOverride": {
|
||||
"type": "string"
|
||||
},
|
||||
"global": {
|
||||
"properties": {
|
||||
"jobs": {
|
||||
"properties": {
|
||||
"kubectl": {
|
||||
"properties": {
|
||||
"affinity": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"annotations": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"backoffLimit": {
|
||||
"type": "integer"
|
||||
},
|
||||
"image": {
|
||||
"properties": {
|
||||
"pullPolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"registry": {
|
||||
"type": "string"
|
||||
},
|
||||
"repository": {
|
||||
"type": "string"
|
||||
},
|
||||
"tag": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"imagePullSecrets": {
|
||||
"type": "array"
|
||||
},
|
||||
"nodeSelector": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"podSecurityContext": {
|
||||
"properties": {
|
||||
"seccompProfile": {
|
||||
"properties": {
|
||||
"type": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"priorityClassName": {
|
||||
"type": "string"
|
||||
},
|
||||
"resources": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"restartPolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"securityContext": {
|
||||
"properties": {
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"capabilities": {
|
||||
"properties": {
|
||||
"drop": {
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"runAsGroup": {
|
||||
"type": "integer"
|
||||
},
|
||||
"runAsNonRoot": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"runAsUser": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"tolerations": {
|
||||
"type": "array"
|
||||
},
|
||||
"topologySpreadConstraints": {
|
||||
"type": "array"
|
||||
},
|
||||
"ttlSecondsAfterFinished": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"imagePullSecrets": {
|
||||
"type": "array"
|
||||
},
|
||||
"jobs": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"manager": {
|
||||
"properties": {
|
||||
"hostNetwork": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"hostPID": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"image": {
|
||||
"properties": {
|
||||
"pullPolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"registry": {
|
||||
"type": "string"
|
||||
},
|
||||
"repository": {
|
||||
"type": "string"
|
||||
},
|
||||
"tag": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"kind": {
|
||||
"type": "string"
|
||||
},
|
||||
"livenessProbe": {
|
||||
"properties": {
|
||||
"httpGet": {
|
||||
"properties": {
|
||||
"path": {
|
||||
"type": "string"
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"options": {
|
||||
"properties": {
|
||||
"capsuleConfiguration": {
|
||||
"type": "string"
|
||||
},
|
||||
"capsuleUserGroups": {
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
},
|
||||
"forceTenantPrefix": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"generateCertificates": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"logLevel": {
|
||||
"type": "string"
|
||||
},
|
||||
"nodeMetadata": {
|
||||
"properties": {
|
||||
"forbiddenAnnotations": {
|
||||
"properties": {
|
||||
"denied": {
|
||||
"type": "array"
|
||||
},
|
||||
"deniedRegex": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"forbiddenLabels": {
|
||||
"properties": {
|
||||
"denied": {
|
||||
"type": "array"
|
||||
},
|
||||
"deniedRegex": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"protectedNamespaceRegex": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"rbac": {
|
||||
"properties": {
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"existingClusterRoles": {
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
},
|
||||
"existingRoles": {
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"readinessProbe": {
|
||||
"properties": {
|
||||
"httpGet": {
|
||||
"properties": {
|
||||
"path": {
|
||||
"type": "string"
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"resources": {
|
||||
"properties": {
|
||||
"requests": {
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"securityContext": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"volumeMounts": {
|
||||
"type": "array"
|
||||
},
|
||||
"volumes": {
|
||||
"type": "array"
|
||||
},
|
||||
"webhookPort": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"nodeSelector": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"podAnnotations": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"podSecurityContext": {
|
||||
"properties": {
|
||||
"runAsGroup": {
|
||||
"type": "integer"
|
||||
},
|
||||
"runAsNonRoot": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"runAsUser": {
|
||||
"type": "integer"
|
||||
},
|
||||
"seccompProfile": {
|
||||
"properties": {
|
||||
"type": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"ports": {
|
||||
"type": "array"
|
||||
},
|
||||
"priorityClassName": {
|
||||
"type": "string"
|
||||
},
|
||||
"proxy": {
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"replicaCount": {
|
||||
"type": "integer"
|
||||
},
|
||||
"securityContext": {
|
||||
"properties": {
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"capabilities": {
|
||||
"properties": {
|
||||
"drop": {
|
||||
"items": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"serviceAccount": {
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"serviceMonitor": {
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"endpoint": {
|
||||
"properties": {
|
||||
"interval": {
|
||||
"type": "string"
|
||||
},
|
||||
"metricRelabelings": {
|
||||
"type": "array"
|
||||
},
|
||||
"relabelings": {
|
||||
"type": "array"
|
||||
},
|
||||
"scrapeTimeout": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"labels": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"matchLabels": {
|
||||
"properties": {},
|
||||
"type": "object"
|
||||
},
|
||||
"namespace": {
|
||||
"type": "string"
|
||||
},
|
||||
"targetLabels": {
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"tls": {
|
||||
"properties": {
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"enableController": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"tolerations": {
|
||||
"type": "array"
|
||||
},
|
||||
"topologySpreadConstraints": {
|
||||
"type": "array"
|
||||
},
|
||||
"webhooks": {
|
||||
"properties": {
|
||||
"exclusive": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"hooks": {
|
||||
"properties": {
|
||||
"cordoning": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"defaults": {
|
||||
"properties": {
|
||||
"ingress": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"pods": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"pvc": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"ingresses": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"namespaceOwnerReference": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"namespaces": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"networkpolicies": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"nodes": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"persistentvolumeclaims": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"pods": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"services": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespaceSelector": {
|
||||
"properties": {
|
||||
"matchExpressions": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"operator": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"tenantResourceObjects": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"tenants": {
|
||||
"properties": {
|
||||
"failurePolicy": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"mutatingWebhooksTimeoutSeconds": {
|
||||
"type": "integer"
|
||||
},
|
||||
"service": {
|
||||
"properties": {
|
||||
"caBundle": {
|
||||
"type": "string"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"namespace": {
|
||||
"type": "string"
|
||||
},
|
||||
"port": {
|
||||
"type": "null"
|
||||
},
|
||||
"url": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"validatingWebhooksTimeoutSeconds": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
@@ -2,6 +2,55 @@
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
global:
|
||||
jobs:
|
||||
kubectl:
|
||||
image:
|
||||
# -- Set the image repository of the helm chart job
|
||||
registry: docker.io
|
||||
# -- Set the image repository of the helm chart job
|
||||
repository: clastix/kubectl
|
||||
# -- Set the image pull policy of the helm chart job
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Set the image tag of the helm chart job
|
||||
tag: ""
|
||||
# -- ImagePullSecrets
|
||||
imagePullSecrets: []
|
||||
# -- Annotations to add to the certgen job.
|
||||
annotations: {}
|
||||
# -- Set the restartPolicy
|
||||
restartPolicy: Never
|
||||
# -- Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete.
|
||||
ttlSecondsAfterFinished: 60
|
||||
# -- Security context for the job pods.
|
||||
podSecurityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
# -- Security context for the job containers.
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1002
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1002
|
||||
# -- Job resources
|
||||
resources: {}
|
||||
# -- Set the node selector
|
||||
nodeSelector: {}
|
||||
# -- Set list of tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity rules
|
||||
affinity: {}
|
||||
# -- Set Topology Spread Constraints
|
||||
topologySpreadConstraints: []
|
||||
# -- Set a pod priorityClassName
|
||||
priorityClassName: ""
|
||||
# -- Backofflimit for jobs
|
||||
backoffLimit: 4
|
||||
|
||||
# Manage CRD Lifecycle
|
||||
crds:
|
||||
# -- Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations)
|
||||
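Review bot: The helm-docs comment on `registry: docker.io` is a copy of the one on `repository: clastix/kubectl` and documents the wrong field; it should read `# -- Set the image registry of the helm chart job`. The new default `tag: ""` leaves the kubectl hook-job image unpinned as far as values.yaml shows, and what the template substitutes for an empty tag is not visible here, so the comment on `tag` should state that fallback and point out that a digest-pinned value is the supply-chain-safe choice for a job that runs cluster-side with the chart's credentials. The surrounding `global:` block is complete within this hunk, but the templates that consume it are not.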
@@ -61,6 +110,9 @@ manager:
|
||||
# with pods' IP CIDR and admission webhooks are not working
|
||||
hostNetwork: false
|
||||
|
||||
# -- Specifies if the container should be started in hostPID mode.
|
||||
hostPID: false
|
||||
|
||||
# -- Set an alternative to the default container port.
|
||||
#
|
||||
# Useful for use in some kubernetes clusters (such as GKE Private) with
|
||||
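Review bot: The comment on `hostPID: false` says "container", but hostPID is a pod-level setting (`spec.hostPID`) that places every container of the manager pod in the host's PID namespace, where host processes become visible and, combined with CAP_SYS_PTRACE or a privileged context, accessible. That cost belongs next to the knob so nobody flips it casually: `# -- Run the Capsule manager pod in the host PID namespace (pod spec.hostPID). Exposes host processes to the container; leave false unless required.` The enclosing `manager:` block starts before this hunk.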
@@ -106,6 +158,15 @@ manager:
|
||||
# -- Set the resource requests/limits for the Capsule manager container
|
||||
resources: {}
|
||||
|
||||
# -- Set the additional volumes needed for the Capsule manager container
|
||||
volumes: []
|
||||
|
||||
# -- Set the additional volumeMounts needed for the Capsule manager container
|
||||
volumeMounts: []
|
||||
|
||||
# -- Set the securityContext for the Capsule container
|
||||
securityContext: {}
|
||||
|
||||
# -- Configuration for `imagePullSecrets` so that you can use a private images registry.
|
||||
imagePullSecrets: []
|
||||
|
||||
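Review bot: `manager.securityContext: {}` carries the same helm-docs comment as the top-level `securityContext:` further down this file, which ships the hardening defaults (the values schema earlier on this page lists `allowPrivilegeEscalation`, `capabilities.drop` and `readOnlyRootFilesystem` under it), and nothing in values.yaml says which of the two the Deployment template reads or how they merge. If the new empty key takes precedence the container silently loses those defaults; if the top-level one still wins, `manager.securityContext` is dead configuration. Please state the precedence in the comment, e.g. `# -- Set the securityContext for the Capsule container (overrides the top-level securityContext when non-empty)`, and make sure the hardened defaults remain in effect whichever key is authoritative. The `manager:` block starts before this hunk.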
@@ -126,7 +187,6 @@ podSecurityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1002
|
||||
|
||||
|
||||
# -- Set the securityContext for the Capsule container
|
||||
securityContext:
|
||||
capabilities:
|
||||
@@ -149,56 +209,17 @@ tolerations: []
|
||||
# -- Set the replica count for capsule pod
|
||||
replicaCount: 1
|
||||
|
||||
# -- Set additional ports for the deployment
|
||||
ports: []
|
||||
|
||||
# -- Set affinity rules for the Capsule pod
|
||||
affinity: {}
|
||||
|
||||
# -- Set topology spread constraints for the Capsule pod
|
||||
topologySpreadConstraints: []
|
||||
|
||||
jobs:
|
||||
image:
|
||||
# -- Set the image repository of the helm chart job
|
||||
registry: docker.io
|
||||
# -- Set the image repository of the helm chart job
|
||||
repository: clastix/kubectl
|
||||
# -- Set the image pull policy of the helm chart job
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Set the image tag of the helm chart job
|
||||
tag: ""
|
||||
# -- Annotations to add to the certgen job.
|
||||
annotations:
|
||||
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
||||
# -- Set the restartPolicy
|
||||
restartPolicy: Never
|
||||
# -- Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete.
|
||||
ttlSecondsAfterFinished: 60
|
||||
# -- Security context for the job pods.
|
||||
podSecurityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
# -- Security context for the job containers.
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1002
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1002
|
||||
# -- Job resources
|
||||
resources: {}
|
||||
# -- Set the node selector
|
||||
nodeSelector: {}
|
||||
# -- Set list of tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity rules
|
||||
affinity: {}
|
||||
# -- Set Topology Spread Constraints
|
||||
topologySpreadConstraints: []
|
||||
# -- Set a pod priorityClassName
|
||||
priorityClassName: ""
|
||||
|
||||
# -- Deprecated, use .global.jobs.kubectl instead
|
||||
jobs: {}
|
||||
|
||||
# ServiceAccount
|
||||
serviceAccount:
|
||||
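Review bot: `jobs: {}` is marked deprecated, but nothing tells a user what happens to values they still set under it; if the templates now read only `global.jobs.kubectl` (inferred from the new comment — confirm), an existing override such as `jobs.image.registry` pointing at a private mirror, or a custom `jobs.securityContext`, is silently ignored and the hook job falls back to `docker.io/clastix/kubectl` with the global defaults. That is a supply-chain-relevant silent fallback, so the comment should be explicit, `# -- Deprecated, use .global.jobs.kubectl instead. Values set here are no longer read; move image, annotations and securityContext overrides to global.jobs.kubectl.`, and ideally the template should `fail` or emit a NOTES.txt warning when `.Values.jobs` is non-empty. The removed block was also the only place the `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` annotation was set by default, and the new `global.jobs.kubectl.annotations: {}` does not carry it; confirm the template applies it on its own or that `ttlSecondsAfterFinished` is meant to be the sole cleanup path.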
@@ -212,7 +233,8 @@ serviceAccount:
|
||||
certManager:
|
||||
# -- Specifies whether capsule webhooks certificates should be generated using cert-manager
|
||||
generateCertificates: false
|
||||
|
||||
# -- Specify additional SANS to add to the certificate
|
||||
additionalSANS: []
|
||||
# -- Additional labels which will be added to all resources created by Capsule helm chart
|
||||
customLabels: {}
|
||||
|
||||
|
||||
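Review bot: `additionalSANS` is nested under `certManager`, so from values.yaml alone it is unclear whether it also applies when the built-in TLS reconciler (`tls.enableController` in the schema earlier on this page) issues the webhook certificate, or only to the cert-manager `Certificate` when `generateCertificates: true`. Every extra SAN widens the set of names the webhook serving certificate is valid for, so the comment should state the scope and warn to list only names that actually front the webhook service: `# -- Additional SANs (DNS names or IPs) to include in the webhook serving certificate; honoured only when generateCertificates is true (confirm against the template)`. The key name `additionalSANS` is now part of the chart's interface, so the spelling should only be corrected in the comment.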
@@ -1,132 +0,0 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: capsuleconfigurations.capsule.clastix.io
|
||||
spec:
|
||||
group: capsule.clastix.io
|
||||
names:
|
||||
kind: CapsuleConfiguration
|
||||
listKind: CapsuleConfigurationList
|
||||
plural: capsuleconfigurations
|
||||
singular: capsuleconfiguration
|
||||
scope: Cluster
|
||||
versions:
|
||||
- name: v1beta2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: CapsuleConfiguration is the Schema for the Capsule configuration
|
||||
API.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: CapsuleConfigurationSpec defines the Capsule configuration.
|
||||
properties:
|
||||
enableTLSReconciler:
|
||||
default: true
|
||||
description: |-
|
||||
Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
|
||||
when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
|
||||
type: boolean
|
||||
forceTenantPrefix:
|
||||
default: false
|
||||
description: |-
|
||||
Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
|
||||
separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
|
||||
type: boolean
|
||||
nodeMetadata:
|
||||
description: |-
|
||||
Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
|
||||
This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
|
||||
properties:
|
||||
forbiddenAnnotations:
|
||||
description: Define the annotations that a Tenant Owner cannot
|
||||
set for their nodes.
|
||||
properties:
|
||||
denied:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
deniedRegex:
|
||||
type: string
|
||||
type: object
|
||||
forbiddenLabels:
|
||||
description: Define the labels that a Tenant Owner cannot set
|
||||
for their nodes.
|
||||
properties:
|
||||
denied:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
deniedRegex:
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- forbiddenAnnotations
|
||||
- forbiddenLabels
|
||||
type: object
|
||||
overrides:
|
||||
default:
|
||||
TLSSecretName: capsule-tls
|
||||
mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
|
||||
validatingWebhookConfigurationName: capsule-validating-webhook-configuration
|
||||
description: |-
|
||||
Allows to set different name rather than the canonical one for the Capsule configuration objects,
|
||||
such as webhook secret or configurations.
|
||||
properties:
|
||||
TLSSecretName:
|
||||
default: capsule-tls
|
||||
description: |-
|
||||
Defines the Secret name used for the webhook server.
|
||||
Must be in the same Namespace where the Capsule Deployment is deployed.
|
||||
type: string
|
||||
mutatingWebhookConfigurationName:
|
||||
default: capsule-mutating-webhook-configuration
|
||||
description: Name of the MutatingWebhookConfiguration which contains
|
||||
the dynamic admission controller paths and resources.
|
||||
type: string
|
||||
validatingWebhookConfigurationName:
|
||||
default: capsule-validating-webhook-configuration
|
||||
description: Name of the ValidatingWebhookConfiguration which
|
||||
contains the dynamic admission controller paths and resources.
|
||||
type: string
|
||||
required:
|
||||
- TLSSecretName
|
||||
- mutatingWebhookConfigurationName
|
||||
- validatingWebhookConfigurationName
|
||||
type: object
|
||||
protectedNamespaceRegex:
|
||||
description: Disallow creation of namespaces, whose name matches this
|
||||
regexp
|
||||
type: string
|
||||
userGroups:
|
||||
default:
|
||||
- capsule.clastix.io
|
||||
description: Names of the groups for Capsule users.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- enableTLSReconciler
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
@@ -1,298 +0,0 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: globaltenantresources.capsule.clastix.io
|
||||
spec:
|
||||
group: capsule.clastix.io
|
||||
names:
|
||||
kind: GlobalTenantResource
|
||||
listKind: GlobalTenantResourceList
|
||||
plural: globaltenantresources
|
||||
singular: globaltenantresource
|
||||
scope: Cluster
|
||||
versions:
|
||||
- name: v1beta2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: GlobalTenantResource allows to propagate resource replications
|
||||
to a specific subset of Tenant resources.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource.
|
||||
properties:
|
||||
pruningOnDelete:
|
||||
default: true
|
||||
description: |-
|
||||
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
|
||||
Disable this to keep replicated resources although the deletion of the replication manifest.
|
||||
type: boolean
|
||||
resources:
|
||||
description: Defines the rules to select targeting Namespace, along
|
||||
with the objects that must be replicated.
|
||||
items:
|
||||
properties:
|
||||
additionalMetadata:
|
||||
description: |-
|
||||
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
|
||||
added to the replicated resources.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
labels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
|
||||
In case of nil value, all the Tenant Namespaces are targeted.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespacedItems:
|
||||
description: List of the resources already existing in other
|
||||
Namespaces that must be replicated.
|
||||
items:
|
||||
properties:
|
||||
apiVersion:
|
||||
description: API version of the referent.
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind of the referent.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace of the referent.
|
||||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||
type: string
|
||||
selector:
|
||||
description: Label selector used to select the given resources
|
||||
in the given Namespace.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
required:
|
||||
- kind
|
||||
- namespace
|
||||
- selector
|
||||
type: object
|
||||
type: array
|
||||
rawItems:
|
||||
description: List of raw resources that must be replicated.
|
||||
items:
|
||||
type: object
|
||||
x-kubernetes-embedded-resource: true
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
resyncPeriod:
|
||||
default: 60s
|
||||
description: |-
|
||||
Define the period of time upon a second reconciliation must be invoked.
|
||||
Keep in mind that any change to the manifests will trigger a new reconciliation.
|
||||
type: string
|
||||
tenantSelector:
|
||||
description: Defines the Tenant selector used target the tenants on
|
||||
which resources must be propagated.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements.
|
||||
The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies
|
||||
to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
required:
|
||||
- resources
|
||||
- resyncPeriod
|
||||
type: object
|
||||
status:
|
||||
description: GlobalTenantResourceStatus defines the observed state of
|
||||
GlobalTenantResource.
|
||||
properties:
|
||||
processedItems:
|
||||
description: List of the replicated resources for the given TenantResource.
|
||||
items:
|
||||
properties:
|
||||
apiVersion:
|
||||
description: API version of the referent.
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind of the referent.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
name:
|
||||
description: |-
|
||||
Name of the referent.
|
||||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace of the referent.
|
||||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
- namespace
|
||||
type: object
|
||||
type: array
|
||||
selectedTenants:
|
||||
description: List of Tenants addressed by the GlobalTenantResource.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- processedItems
|
||||
- selectedTenants
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
@@ -1,246 +0,0 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: tenantresources.capsule.clastix.io
|
||||
spec:
|
||||
group: capsule.clastix.io
|
||||
names:
|
||||
kind: TenantResource
|
||||
listKind: TenantResourceList
|
||||
plural: tenantresources
|
||||
singular: tenantresource
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1beta2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: |-
|
||||
TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace.
|
||||
The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces.
|
||||
For such cases, the GlobalTenantResource must be used.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: TenantResourceSpec defines the desired state of TenantResource.
|
||||
properties:
|
||||
pruningOnDelete:
|
||||
default: true
|
||||
description: |-
|
||||
When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
|
||||
Disable this to keep replicated resources although the deletion of the replication manifest.
|
||||
type: boolean
|
||||
resources:
|
||||
description: Defines the rules to select targeting Namespace, along
|
||||
with the objects that must be replicated.
|
||||
items:
|
||||
properties:
|
||||
additionalMetadata:
|
||||
description: |-
|
||||
Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
|
||||
added to the replicated resources.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
labels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
|
||||
In case of nil value, all the Tenant Namespaces are targeted.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespacedItems:
|
||||
description: List of the resources already existing in other
|
||||
Namespaces that must be replicated.
|
||||
items:
|
||||
properties:
|
||||
apiVersion:
|
||||
description: API version of the referent.
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind of the referent.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace of the referent.
|
||||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||
type: string
|
||||
selector:
|
||||
description: Label selector used to select the given resources
|
||||
in the given Namespace.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
required:
|
||||
- kind
|
||||
- namespace
|
||||
- selector
|
||||
type: object
|
||||
type: array
|
||||
rawItems:
|
||||
description: List of raw resources that must be replicated.
|
||||
items:
|
||||
type: object
|
||||
x-kubernetes-embedded-resource: true
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
resyncPeriod:
|
||||
default: 60s
|
||||
description: |-
|
||||
Define the period of time upon a second reconciliation must be invoked.
|
||||
Keep in mind that any change to the manifests will trigger a new reconciliation.
|
||||
type: string
|
||||
required:
|
||||
- resources
|
||||
- resyncPeriod
|
||||
type: object
|
||||
status:
|
||||
description: TenantResourceStatus defines the observed state of TenantResource.
|
||||
properties:
|
||||
processedItems:
|
||||
description: List of the replicated resources for the given TenantResource.
|
||||
items:
|
||||
properties:
|
||||
apiVersion:
|
||||
description: API version of the referent.
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind of the referent.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
name:
|
||||
description: |-
|
||||
Name of the referent.
|
||||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
Namespace of the referent.
|
||||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
- namespace
|
||||
type: object
|
||||
type: array
|
||||
required:
|
||||
- processedItems
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
@@ -1,17 +0,0 @@
|
||||
# This kustomization.yaml is not intended to be run by itself,
|
||||
# since it depends on service name and namespace that are out of this kustomize package.
|
||||
# It should be run by config/default
|
||||
resources:
|
||||
- bases/capsule.clastix.io_tenants.yaml
|
||||
- bases/capsule.clastix.io_capsuleconfigurations.yaml
|
||||
- bases/capsule.clastix.io_tenantresources.yaml
|
||||
- bases/capsule.clastix.io_globaltenantresources.yaml
|
||||
# +kubebuilder:scaffold:crdkustomizeresource
|
||||
|
||||
# the following config is for teaching kustomize how to do kustomization for CRDs.
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- patches/webhook_in_tenants.yaml
|
||||
- patches/webhook_in_capsuleconfiguration.yaml
|
||||
@@ -1,19 +0,0 @@
|
||||
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
|
||||
nameReference:
|
||||
- kind: Service
|
||||
version: v1
|
||||
fieldSpecs:
|
||||
- kind: CustomResourceDefinition
|
||||
version: v1
|
||||
group: apiextensions.k8s.io
|
||||
path: spec/conversion/webhook/clientConfig/service/name
|
||||
|
||||
namespace:
|
||||
- kind: CustomResourceDefinition
|
||||
version: v1
|
||||
group: apiextensions.k8s.io
|
||||
path: spec/conversion/webhook/clientConfig/service/namespace
|
||||
create: false
|
||||
|
||||
varReference:
|
||||
- path: metadata/annotations
|
||||
@@ -1,7 +0,0 @@
|
||||
# The following patch adds a directive for certmanager to inject CA into the CRD
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
|
||||
name: globaltenantresources.capsule.clastix.io
|
||||
@@ -1,7 +0,0 @@
|
||||
# The following patch adds a directive for certmanager to inject CA into the CRD
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
|
||||
name: tenantresources.capsule.clastix.io
|
||||
@@ -1,17 +0,0 @@
|
||||
# The following patch enables a conversion webhook for the CRD
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: capsuleconfigurations.capsule.clastix.io
|
||||
spec:
|
||||
conversion:
|
||||
strategy: Webhook
|
||||
webhook:
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: system
|
||||
name: webhook-service
|
||||
path: /convert
|
||||
conversionReviewVersions:
|
||||
- v1beta1
|
||||
- v1beta2
|
||||
@@ -1,16 +0,0 @@
|
||||
# The following patch enables a conversion webhook for the CRD
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: globaltenantresources.capsule.clastix.io
|
||||
spec:
|
||||
conversion:
|
||||
strategy: Webhook
|
||||
webhook:
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: system
|
||||
name: webhook-service
|
||||
path: /convert
|
||||
conversionReviewVersions:
|
||||
- v1
|
||||
@@ -1,16 +0,0 @@
|
||||
# The following patch enables a conversion webhook for the CRD
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tenantresources.capsule.clastix.io
|
||||
spec:
|
||||
conversion:
|
||||
strategy: Webhook
|
||||
webhook:
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: system
|
||||
name: webhook-service
|
||||
path: /convert
|
||||
conversionReviewVersions:
|
||||
- v1
|
||||
@@ -1,17 +0,0 @@
|
||||
# The following patch enables a conversion webhook for the CRD
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tenants.capsule.clastix.io
|
||||
spec:
|
||||
conversion:
|
||||
strategy: Webhook
|
||||
webhook:
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: system
|
||||
name: webhook-service
|
||||
path: /convert
|
||||
conversionReviewVersions:
|
||||
- v1beta1
|
||||
- v1beta2
|
||||
@@ -1,25 +0,0 @@
|
||||
# Adds namespace to all resources.
|
||||
namespace: capsule-system
|
||||
|
||||
# Value of this field is prepended to the
|
||||
# names of all resources, e.g. a deployment named
|
||||
# "wordpress" becomes "alices-wordpress".
|
||||
# Note that it should also match with the prefix (text before '-') of the namespace
|
||||
# field above.
|
||||
namePrefix: capsule-
|
||||
|
||||
# Labels to add to all resources and selectors.
|
||||
#commonLabels:
|
||||
# someName: someValue
|
||||
|
||||
bases:
|
||||
- ../crd
|
||||
- ../rbac
|
||||
- ../manager
|
||||
- ../secret
|
||||
- ../webhook
|
||||
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
|
||||
#- ../prometheus
|
||||
|
||||
patchesStrategicMerge:
|
||||
- manager_webhook_patch.yaml
|
||||
@@ -1,26 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: controller-manager
|
||||
namespace: system
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: manager
|
||||
ports:
|
||||
- containerPort: 9443
|
||||
name: webhook-server
|
||||
protocol: TCP
|
||||
- containerPort: 8080
|
||||
name: metrics
|
||||
protocol: TCP
|
||||
volumeMounts:
|
||||
- mountPath: /tmp/k8s-webhook-server/serving-certs
|
||||
name: cert
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: cert
|
||||
secret:
|
||||
defaultMode: 420
|
||||
secretName: capsule-tls
|
||||
@@ -1,7 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
# label selector used by Grafana to load the dashboards from Config Maps
|
||||
grafana_dashboard: "1"
|
||||
name: capsule-grafana-dashboard
|
||||
@@ -1,8 +0,0 @@
|
||||
configMapGenerator:
|
||||
- name: capsule-grafana-dashboard
|
||||
files:
|
||||
- dashboard.json
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
patchesStrategicMerge:
|
||||
- dashboard.yaml
|
||||
3319
config/install.yaml
3319
config/install.yaml
@@ -1,9 +0,0 @@
|
||||
apiVersion: capsule.clastix.io/v1beta2
|
||||
kind: CapsuleConfiguration
|
||||
metadata:
|
||||
name: default
|
||||
spec:
|
||||
userGroups: ["capsule.clastix.io"]
|
||||
forceTenantPrefix: false
|
||||
protectedNamespaceRegex: ""
|
||||
enableTLSReconciler: true
|
||||
@@ -1,9 +0,0 @@
|
||||
resources:
|
||||
- configuration.yaml
|
||||
- manager.yaml
|
||||
- metrics_service.yaml
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
images:
|
||||
- name: controller
|
||||
newName: ghcr.io/projectcapsule/capsule
|
||||
@@ -1,46 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
labels:
|
||||
control-plane: controller-manager
|
||||
name: system
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: controller-manager
|
||||
namespace: system
|
||||
labels:
|
||||
control-plane: controller-manager
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
control-plane: controller-manager
|
||||
replicas: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
control-plane: controller-manager
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --enable-leader-election
|
||||
- --zap-encoder=console
|
||||
- --zap-log-level=debug
|
||||
- --configuration-name=capsule-default
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
image: controller
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: manager
|
||||
resources:
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 128Mi
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 128Mi
|
||||
terminationGracePeriodSeconds: 10
|
||||
@@ -1,14 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
control-plane: controller-manager
|
||||
name: controller-manager-metrics-service
|
||||
namespace: system
|
||||
spec:
|
||||
ports:
|
||||
- name: metrics
|
||||
port: 8080
|
||||
targetPort: metrics
|
||||
selector:
|
||||
control-plane: controller-manager
|
||||
@@ -1,2 +0,0 @@
|
||||
resources:
|
||||
- monitor.yaml
|
||||
@@ -1,18 +0,0 @@
|
||||
# Prometheus Monitor Service (Metrics)
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
labels:
|
||||
control-plane: controller-manager
|
||||
name: capsule-monitor
|
||||
namespace: system
|
||||
spec:
|
||||
endpoints:
|
||||
- interval: 15s
|
||||
path: /metrics
|
||||
port: metrics
|
||||
jobLabel: controller-manager
|
||||
namespaceSelector:
|
||||
selector:
|
||||
matchLabels:
|
||||
control-plane: controller-manager
|
||||
@@ -1,24 +0,0 @@
|
||||
# permissions for end users to edit globaltenantresources.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: globaltenantresource-editor-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- globaltenantresources
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- globaltenantresources/status
|
||||
verbs:
|
||||
- get
|
||||
@@ -1,20 +0,0 @@
|
||||
# permissions for end users to view globaltenantresources.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: globaltenantresource-viewer-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- globaltenantresources
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- globaltenantresources/status
|
||||
verbs:
|
||||
- get
|
||||
@@ -1,8 +0,0 @@
|
||||
resources:
|
||||
- role_binding.yaml
|
||||
# Uncomment the following 3 lines if you are running Capsule
|
||||
# in a cluster where [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
|
||||
# are enabled.
|
||||
# - psp_policy.yaml
|
||||
# - psp_role.yaml
|
||||
# - psp_role_binding.yaml
|
||||
@@ -1,18 +0,0 @@
|
||||
kind: PodSecurityPolicy
|
||||
apiVersion: policy/v1beta1
|
||||
metadata:
|
||||
name: capsule
|
||||
spec:
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
hostPorts:
|
||||
- max: 0
|
||||
min: 0
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- secret
|
||||
@@ -1,9 +0,0 @@
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: capsule-psp
|
||||
rules:
|
||||
- apiGroups: ['extensions']
|
||||
resources: ['podsecuritypolicies']
|
||||
resourceNames: ['capsule-psp']
|
||||
verbs: ['use']
|
||||
@@ -1,12 +0,0 @@
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: capsule-use-psp
|
||||
namespace: system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: capsule-psp
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: default
|
||||
@@ -1,12 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: manager-rolebinding
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: default
|
||||
namespace: system
|
||||
@@ -1,24 +0,0 @@
|
||||
# permissions for end users to edit tenantresources.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: tenantresource-editor-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- tenantresources
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- tenantresources/status
|
||||
verbs:
|
||||
- get
|
||||
@@ -1,20 +0,0 @@
|
||||
# permissions for end users to view tenantresources.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: tenantresource-viewer-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- tenantresources
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- capsule.clastix.io
|
||||
resources:
|
||||
- tenantresources/status
|
||||
verbs:
|
||||
- get
|
||||
@@ -1,139 +0,0 @@
|
||||
---
|
||||
apiVersion: capsule.clastix.io/v1beta1
|
||||
kind: Tenant
|
||||
metadata:
|
||||
name: gas
|
||||
spec:
|
||||
additionalRoleBindings:
|
||||
-
|
||||
clusterRoleName: tenant-sample-viewer
|
||||
subjects:
|
||||
-
|
||||
kind: User
|
||||
name: bob
|
||||
containerRegistries:
|
||||
allowed:
|
||||
- docker.io
|
||||
- quay.io
|
||||
allowedRegex: ^\w+.gcr.io$
|
||||
serviceOptions:
|
||||
additionalMetadata:
|
||||
annotations:
|
||||
capsule.clastix.io/bgp: "true"
|
||||
labels:
|
||||
capsule.clastix.io/pool: gas
|
||||
allowedServices:
|
||||
nodePort: false
|
||||
externalName: false
|
||||
externalIPs:
|
||||
allowed:
|
||||
- 10.20.0.0/16
|
||||
- "10.96.42.42"
|
||||
imagePullPolicies:
|
||||
- Always
|
||||
ingressOptions:
|
||||
hostnameCollisionScope: Cluster
|
||||
allowedClasses:
|
||||
allowed:
|
||||
- default
|
||||
allowedRegex: ^\w+-lb$
|
||||
allowedHostnames:
|
||||
allowed:
|
||||
- gas.acmecorp.com
|
||||
allowedRegex: ^.*acmecorp.com$
|
||||
limitRanges:
|
||||
items:
|
||||
-
|
||||
limits:
|
||||
-
|
||||
max:
|
||||
cpu: "1"
|
||||
memory: 1Gi
|
||||
min:
|
||||
cpu: 50m
|
||||
memory: 5Mi
|
||||
type: Pod
|
||||
-
|
||||
default:
|
||||
cpu: 200m
|
||||
memory: 100Mi
|
||||
defaultRequest:
|
||||
cpu: 100m
|
||||
memory: 10Mi
|
||||
max:
|
||||
cpu: "1"
|
||||
memory: 1Gi
|
||||
min:
|
||||
cpu: 50m
|
||||
memory: 5Mi
|
||||
type: Container
|
||||
-
|
||||
max:
|
||||
storage: 10Gi
|
||||
min:
|
||||
storage: 1Gi
|
||||
type: PersistentVolumeClaim
|
||||
namespaceOptions:
|
||||
quota: 3
|
||||
additionalMetadata:
|
||||
annotations:
|
||||
capsule.clastix.io/backup: "false"
|
||||
labels:
|
||||
capsule.clastix.io/tenant: gas
|
||||
networkPolicies:
|
||||
items:
|
||||
-
|
||||
egress:
|
||||
-
|
||||
to:
|
||||
-
|
||||
ipBlock:
|
||||
cidr: 0.0.0.0/0
|
||||
except:
|
||||
- 192.168.0.0/12
|
||||
ingress:
|
||||
-
|
||||
from:
|
||||
-
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
capsule.clastix.io/tenant: gas
|
||||
-
|
||||
podSelector: {}
|
||||
-
|
||||
ipBlock:
|
||||
cidr: 192.168.0.0/12
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
owners:
|
||||
-
|
||||
kind: User
|
||||
name: bob
|
||||
priorityClasses:
|
||||
allowed:
|
||||
- shared-nodes
|
||||
allowedRegex: ^\w-gas$
|
||||
resourceQuotas:
|
||||
items:
|
||||
-
|
||||
hard:
|
||||
limits.cpu: "8"
|
||||
limits.memory: 16Gi
|
||||
requests.cpu: "8"
|
||||
requests.memory: 16Gi
|
||||
scopes:
|
||||
- NotTerminating
|
||||
-
|
||||
hard:
|
||||
pods: "10"
|
||||
-
|
||||
hard:
|
||||
requests.storage: 100Gi
|
||||
storageClasses:
|
||||
allowed:
|
||||
- default
|
||||
allowedRegex: ^\w+fs$
|
||||
@@ -1,11 +0,0 @@
|
||||
---
|
||||
apiVersion: capsule.clastix.io/v1beta2
|
||||
kind: CapsuleConfiguration
|
||||
metadata:
|
||||
name: default
|
||||
spec:
|
||||
userGroups: ["capsule.clastix.io"]
|
||||
forceTenantPrefix: false
|
||||
protectedNamespaceRegex: ""
|
||||
enableTLSReconciler: true
|
||||
|
||||
@@ -1,39 +0,0 @@
|
||||
apiVersion: capsule.clastix.io/v1beta2
|
||||
kind: GlobalTenantResource
|
||||
metadata:
|
||||
name: green-production
|
||||
spec:
|
||||
tenantSelector:
|
||||
matchLabels:
|
||||
energy: green
|
||||
resyncPeriod: 60s
|
||||
pruningOnDelete: true
|
||||
resources:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
environment: production
|
||||
additionalMetadata:
|
||||
labels:
|
||||
labels.energy.io: green
|
||||
annotations:
|
||||
annotations.energy.io: green
|
||||
namespacedItems:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
namespace: default
|
||||
selector:
|
||||
matchLabels:
|
||||
replicate: green
|
||||
rawItems:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: raw-secret-1
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: raw-secret-2
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: raw-secret-3
|
||||
@@ -1,36 +0,0 @@
|
||||
apiVersion: capsule.clastix.io/v1beta2
|
||||
kind: TenantResource
|
||||
metadata:
|
||||
name: wind-objects
|
||||
spec:
|
||||
resyncPeriod: 60s
|
||||
pruningOnDelete: true
|
||||
resources:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
environment: production
|
||||
additionalMetadata:
|
||||
labels:
|
||||
labels.energy.io: wind
|
||||
annotations:
|
||||
annotations.energy.io: wind
|
||||
namespacedItems:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
namespace: wind-production
|
||||
selector:
|
||||
matchLabels:
|
||||
replicate: solar
|
||||
rawItems:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: wind-secret-1
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: wind-secret-2
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: wind-secret-3
|
||||