From dcc5f3eda31e81ccea8fd2e3aaf9b7b4ae1c6b04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Mon, 27 May 2024 19:04:10 +0200 Subject: [PATCH 1/4] chore: name change for webhook names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler --- pkg/webhook/route/cordoning.go | 2 +- pkg/webhook/route/defaults.go | 6 +++--- pkg/webhook/route/ingresses.go | 2 +- pkg/webhook/route/namespaces.go | 2 +- pkg/webhook/route/networkpolicies.go | 2 +- pkg/webhook/route/node.go | 2 +- pkg/webhook/route/ownerreference.go | 2 +- pkg/webhook/route/pods.go | 2 +- pkg/webhook/route/pvc.go | 2 +- pkg/webhook/route/services.go | 2 +- pkg/webhook/route/tenantresource_objs.go | 2 +- pkg/webhook/route/tenants.go | 2 +- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/pkg/webhook/route/cordoning.go b/pkg/webhook/route/cordoning.go index 484be45b..172e9e32 100644 --- a/pkg/webhook/route/cordoning.go +++ b/pkg/webhook/route/cordoning.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/cordoning,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=create;update;delete,versions="*",name=cordoning.tenant.capsule.clastix.io +// +kubebuilder:webhook:path=/cordoning,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=create;update;delete,versions="*",name=cordoning.tenant.projectcapsule.dev type cordoning struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/defaults.go b/pkg/webhook/route/defaults.go index 46d810e0..8b30891f 100644 --- a/pkg/webhook/route/defaults.go +++ b/pkg/webhook/route/defaults.go @@ -7,9 +7,9 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=pod.defaults.capsule.clastix.io -// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=storage.defaults.capsule.clastix.io -// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.defaults.capsule.clastix.io +// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=pod.defaults.projectcapsule.dev +// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=storage.defaults.projectcapsule.dev +// +kubebuilder:webhook:path=/defaults,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.defaults.projectcapsule.dev type defaults struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/ingresses.go b/pkg/webhook/route/ingresses.go index f190abb0..3cc2d12e 100644 --- a/pkg/webhook/route/ingresses.go +++ b/pkg/webhook/route/ingresses.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/ingresses,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io;extensions,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.capsule.clastix.io +// +kubebuilder:webhook:path=/ingresses,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups=networking.k8s.io;extensions,resources=ingresses,verbs=create;update,versions=v1beta1;v1,name=ingress.projectcapsule.dev type ingress struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/namespaces.go b/pkg/webhook/route/namespaces.go index d6e78e6a..072ea1e6 100644 --- a/pkg/webhook/route/namespaces.go +++ b/pkg/webhook/route/namespaces.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/namespaces,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update;delete,versions=v1,name=namespaces.capsule.clastix.io +// +kubebuilder:webhook:path=/namespaces,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update;delete,versions=v1,name=namespaces.projectcapsule.dev type namespace struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/networkpolicies.go b/pkg/webhook/route/networkpolicies.go index d4fcfc66..09746d69 100644 --- a/pkg/webhook/route/networkpolicies.go +++ b/pkg/webhook/route/networkpolicies.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/networkpolicies,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="networking.k8s.io",resources=networkpolicies,verbs=update;delete,versions=v1,name=networkpolicies.capsule.clastix.io +// +kubebuilder:webhook:path=/networkpolicies,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="networking.k8s.io",resources=networkpolicies,verbs=update;delete,versions=v1,name=networkpolicies.projectcapsule.dev type networkPolicy struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/node.go b/pkg/webhook/route/node.go index 61f4590a..673edf3f 100644 --- a/pkg/webhook/route/node.go +++ b/pkg/webhook/route/node.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/nodes,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=nodes,verbs=update,versions=v1,name=nodes.capsule.clastix.io +// +kubebuilder:webhook:path=/nodes,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=nodes,verbs=update,versions=v1,name=nodes.projectcapsule.dev type node struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/ownerreference.go b/pkg/webhook/route/ownerreference.go index 037e6464..09511e0b 100644 --- a/pkg/webhook/route/ownerreference.go +++ b/pkg/webhook/route/ownerreference.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/namespace-owner-reference,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update,versions=v1,name=owner.namespace.capsule.clastix.io +// +kubebuilder:webhook:path=/namespace-owner-reference,mutating=true,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=namespaces,verbs=create;update,versions=v1,name=owner.namespace.projectcapsule.dev type webhook struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/pods.go b/pkg/webhook/route/pods.go index 81bcdd23..1c23a797 100644 --- a/pkg/webhook/route/pods.go +++ b/pkg/webhook/route/pods.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/pods,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=pods.capsule.clastix.io +// +kubebuilder:webhook:path=/pods,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=pods.projectcapsule.dev type pod struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/pvc.go b/pkg/webhook/route/pvc.go index 53f667d8..924d6b4c 100644 --- a/pkg/webhook/route/pvc.go +++ b/pkg/webhook/route/pvc.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/persistentvolumeclaims,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=pvc.capsule.clastix.io +// +kubebuilder:webhook:path=/persistentvolumeclaims,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=persistentvolumeclaims,verbs=create,versions=v1,name=pvc.projectcapsule.dev type pvc struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/services.go b/pkg/webhook/route/services.go index 4440f0c5..89ef42e4 100644 --- a/pkg/webhook/route/services.go +++ b/pkg/webhook/route/services.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/services,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1,name=services.capsule.clastix.io +// +kubebuilder:webhook:path=/services,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="",resources=services,verbs=create;update,versions=v1,name=services.projectcapsule.dev type service struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/tenantresource_objs.go b/pkg/webhook/route/tenantresource_objs.go index 9f928284..3f353eb1 100644 --- a/pkg/webhook/route/tenantresource_objs.go +++ b/pkg/webhook/route/tenantresource_objs.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/tenantresource-objects,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=update;delete,versions="*",name=resource-objects.tenant.capsule.clastix.io +// +kubebuilder:webhook:path=/tenantresource-objects,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="*",resources="*",verbs=update;delete,versions="*",name=resource-objects.tenant.projectcapsule.dev type tntResourceObjs struct { handlers []capsulewebhook.Handler diff --git a/pkg/webhook/route/tenants.go b/pkg/webhook/route/tenants.go index 3e77f30c..71784d0e 100644 --- a/pkg/webhook/route/tenants.go +++ b/pkg/webhook/route/tenants.go @@ -7,7 +7,7 @@ import ( capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook" ) -// +kubebuilder:webhook:path=/tenants,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="capsule.clastix.io",resources=tenants,verbs=create;update;delete,versions=v1beta2,name=tenants.capsule.clastix.io +// +kubebuilder:webhook:path=/tenants,mutating=false,sideEffects=None,admissionReviewVersions=v1,failurePolicy=fail,groups="capsule.clastix.io",resources=tenants,verbs=create;update;delete,versions=v1beta2,name=tenants.projectcapsule.dev type tenant struct { handlers []capsulewebhook.Handler From 06ed3b85f84a8b31e904e27cebe76f56040776c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Mon, 27 May 2024 19:04:49 +0200 Subject: [PATCH 2/4] chore: remove apidocs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler --- .github/workflows/diff.yml | 5 +-- .goreleaser.yml | 1 + Makefile | 81 ++++++++------------------------------ 3 files changed, 18 insertions(+), 69 deletions(-) diff --git a/.github/workflows/diff.yml b/.github/workflows/diff.yml index 1870c50a..5dc839dc 100644 --- a/.github/workflows/diff.yml +++ b/.github/workflows/diff.yml @@ -22,12 +22,9 @@ jobs: - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version-file: 'go.mod' - - run: make installer + - run: make manifests - name: Checking if YAML installer file is not aligned run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi - - run: make apidoc - - name: Checking if the CRDs documentation is not aligned - run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> CRDs generated documentation have not been committed" && git --no-pager diff && exit 1; fi - name: Checking if YAML installer generated untracked files run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)" - name: Checking if source code is not formatted diff --git a/.goreleaser.yml b/.goreleaser.yml index 9205d189..0f575573 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -44,6 +44,7 @@ release: - `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}` + [Review the Major Changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#major-changes) checksum: name_template: 'checksums.txt' changelog: diff --git a/Makefile b/Makefile index 1fb58222..69c53e8f 100644 --- a/Makefile +++ b/Makefile @@ -52,40 +52,14 @@ manager: generate golint run: generate manifests go run . -# Creates the single file to install Capsule without any external dependency -installer: manifests kustomize - cd config/manager && $(KUSTOMIZE) edit set image controller=${CAPSULE_IMG} - $(KUSTOMIZE) build config/default > config/install.yaml - -# Install CRDs into a cluster -install: installer - $(KUSTOMIZE) build config/crd | kubectl apply -f - - -# Uninstall CRDs from a cluster -uninstall: installer - $(KUSTOMIZE) build config/crd | kubectl delete -f - - -# Deploy controller in the configured Kubernetes cluster in ~/.kube/config -deploy: installer - kubectl apply -f config/install.yaml - -# Remove controller in the configured Kubernetes cluster in ~/.kube/config -remove: installer - kubectl delete -f config/install.yaml - kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found - kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found - # Generate manifests e.g. CRD, RBAC etc. manifests: controller-gen - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule/crds # Generate code generate: controller-gen $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." -apidoc: apidocs-gen - $(APIDOCS_GEN) crdoc --resources config/crd/bases --output docs/content/general/crds-apis.md --template docs/template/reference-cr.tmpl - # Helm SRC_ROOT = $(shell git rev-parse --show-toplevel) @@ -137,7 +111,7 @@ IP.1 = $(LAPTOP_HOST_IP) endef export TLS_CNF dev-setup: - kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 + kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 || true mkdir -p /tmp/k8s-webhook-server/serving-certs echo "$${TLS_CNF}" > _tls.cnf openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \ @@ -149,35 +123,19 @@ dev-setup: rm -f _tls.cnf export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \ export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \ - kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \ - --type='json' -p="[\ - {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/defaults\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}\ - ]" && \ - kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \ - --type='json' -p="[\ - {'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/1/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/nodes\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/8/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenantresource-objects\",'caBundle':\"$${CA_BUNDLE}\"}},\ - {'op': 'replace', 'path': '/webhooks/9/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}\ - ]" && \ - kubectl patch crd tenants.capsule.clastix.io \ - --type='json' -p="[\ - {'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\ - ]" && \ - kubectl patch crd capsuleconfigurations.capsule.clastix.io \ - --type='json' -p="[\ - {'op': 'replace', 'path': '/spec/conversion/webhook/clientConfig', 'value':{'url': \"$${WEBHOOK_URL}\", 'caBundle': \"$${CA_BUNDLE}\"}}\ - ]"; - + helm upgrade \ + --dependency-update \ + --debug \ + --install \ + --namespace capsule-system \ + --create-namespace \ + --set 'crds.install=true' \ + --set 'crds.exclusive=true'\ + --set "webhooks.exclusive=true"\ + --set "webhooks.service.url=$${WEBHOOK_URL}" \ + --set "webhooks.service.caBundle=$${CA_BUNDLE}" \ + capsule \ + ./charts/capsule #################### # -- Docker @@ -237,11 +195,6 @@ CONTROLLER_GEN_VERSION := v0.15.0 controller-gen: ## Download controller-gen locally if necessary. $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION)) -APIDOCS_GEN := $(shell pwd)/bin/crdoc -APIDOCS_GEN_VERSION := latest -apidocs-gen: ## Download crdoc locally if necessary. - $(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION)) - GINKGO := $(shell pwd)/bin/ginkgo GINGKO_VERSION := v2.17.2 ginkgo: ## Download ginkgo locally if necessary. @@ -321,11 +274,10 @@ e2e/%: ginkgo e2e-build/%: kind create cluster --wait=60s --name capsule --image=kindest/node:$* - make e2e-load-image make e2e-install .PHONY: e2e-install -e2e-install: +e2e-install: e2e-load-image helm upgrade \ --dependency-update \ --debug \ @@ -337,7 +289,6 @@ e2e-install: --set "manager.image.tag=$(VERSION)" \ --set 'manager.livenessProbe.failureThreshold=10' \ --set 'manager.readinessProbe.failureThreshold=10' \ - --set 'podSecurityContext.seccompProfile=null' \ capsule \ ./charts/capsule From 842eb3bdabb2af77b4b633b50121c6c1c389f212 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Mon, 27 May 2024 19:15:28 +0200 Subject: [PATCH 3/4] feat(helm): implement crd lifecycle and values consistency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler --- charts/capsule/Chart.yaml | 12 +- charts/capsule/README.md | 129 +- charts/capsule/README.md.gotmpl | 43 +- ...ule.clastix.io_capsuleconfigurations.patch | 14 + ...sule.clastix.io_capsuleconfigurations.yaml | 132 ++ ...sule.clastix.io_globaltenantresources.yaml | 298 ++++ .../capsule.clastix.io_tenantresources.yaml | 246 +++ .../crds/capsule.clastix.io_tenants.patch | 14 + ...d.yaml => capsule.clastix.io_tenants.yaml} | 1463 ++++++++--------- .../crds/capsuleconfiguration-crd.yaml | 119 -- .../crds/globaltenantresources-crd.yaml | 222 --- charts/capsule/crds/tenantresources-crd.yaml | 185 --- charts/capsule/templates/_helpers.tpl | 29 + charts/capsule/templates/certificate.yaml | 4 +- charts/capsule/templates/certs.yaml | 10 +- .../templates/configuration-default.yaml | 2 + .../templates/crd-lifecycle/_helpers.tpl | 20 + .../capsule/templates/crd-lifecycle/crds.tpl | 56 + .../capsule/templates/crd-lifecycle/job.yaml | 96 ++ .../capsule/templates/crd-lifecycle/rbac.yaml | 52 + .../crd-lifecycle/serviceaccount.yaml | 14 + charts/capsule/templates/daemonset.yaml | 4 +- charts/capsule/templates/deployment.yaml | 4 +- charts/capsule/templates/metrics-service.yaml | 2 + .../mutatingwebhookconfiguration.yaml | 60 +- .../capsule/templates/podsecuritypolicy.yaml | 58 - .../capsule/templates/post-install-job.yaml | 55 - .../templates/post-install/_helpers.tpl | 15 + .../capsule/templates/post-install/job.yaml | 78 + .../capsule/templates/post-install/rbac.yaml | 44 + .../post-install/serviceaccount.yaml | 15 + charts/capsule/templates/pre-delete-job.yaml | 56 - .../capsule/templates/pre-delete/_helpers.tpl | 15 + charts/capsule/templates/pre-delete/job.yaml | 82 + charts/capsule/templates/pre-delete/rbac.yaml | 90 + .../templates/pre-delete/serviceaccount.yaml | 14 + charts/capsule/templates/rbac.yaml | 8 +- charts/capsule/templates/serviceaccount.yaml | 8 +- charts/capsule/templates/servicemonitor.yaml | 4 +- .../validatingwebhookconfiguration.yaml | 181 +- charts/capsule/templates/webhook-service.yaml | 2 + charts/capsule/values.yaml | 179 +- config/webhook/manifests.yaml | 28 +- 43 files changed, 2407 insertions(+), 1755 deletions(-) create mode 100644 charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch create mode 100644 charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml create mode 100644 charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml create mode 100644 charts/capsule/crds/capsule.clastix.io_tenantresources.yaml create mode 100644 charts/capsule/crds/capsule.clastix.io_tenants.patch rename charts/capsule/crds/{tenant-crd.yaml => capsule.clastix.io_tenants.yaml} (58%) delete mode 100644 charts/capsule/crds/capsuleconfiguration-crd.yaml delete mode 100644 charts/capsule/crds/globaltenantresources-crd.yaml delete mode 100644 charts/capsule/crds/tenantresources-crd.yaml create mode 100644 charts/capsule/templates/crd-lifecycle/_helpers.tpl create mode 100644 charts/capsule/templates/crd-lifecycle/crds.tpl create mode 100644 charts/capsule/templates/crd-lifecycle/job.yaml create mode 100644 charts/capsule/templates/crd-lifecycle/rbac.yaml create mode 100644 charts/capsule/templates/crd-lifecycle/serviceaccount.yaml delete mode 100644 charts/capsule/templates/podsecuritypolicy.yaml delete mode 100644 charts/capsule/templates/post-install-job.yaml create mode 100644 charts/capsule/templates/post-install/_helpers.tpl create mode 100644 charts/capsule/templates/post-install/job.yaml create mode 100644 charts/capsule/templates/post-install/rbac.yaml create mode 100644 charts/capsule/templates/post-install/serviceaccount.yaml delete mode 100644 charts/capsule/templates/pre-delete-job.yaml create mode 100644 charts/capsule/templates/pre-delete/_helpers.tpl create mode 100644 charts/capsule/templates/pre-delete/job.yaml create mode 100644 charts/capsule/templates/pre-delete/rbac.yaml create mode 100644 charts/capsule/templates/pre-delete/serviceaccount.yaml diff --git a/charts/capsule/Chart.yaml b/charts/capsule/Chart.yaml index 8d4300cb..b1f70c47 100644 --- a/charts/capsule/Chart.yaml +++ b/charts/capsule/Chart.yaml @@ -38,9 +38,9 @@ annotations: email: cncf-capsule-maintainers@lists.cncf.io artifacthub.io/links: | - name: Documentation - url: https://capsule.clastix.io/ -# artifacthub.io/changes: | -# - kind: added -# description: artifacthub annotations -# - kind: changed -# description: maintainers contact + url: https://projectcapsule.dev/ + artifacthub.io/changes: | + - kind: added + description: bundled crd lifecycle + - kind: changed + description: removed PodSecurityPolicy support diff --git a/charts/capsule/README.md b/charts/capsule/README.md index c8a95b09..dd6fe95f 100644 --- a/charts/capsule/README.md +++ b/charts/capsule/README.md @@ -16,21 +16,39 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions. -## Quick Start +## Major Changes +In the following sections you see actions which are required when you are upgrading to a specific version. + +### Upgrading to 0.7.x + +Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs. +When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default. + +#### Changed Values + +The following Values have changed key or Value: + + * All values from previous releases under `webhooks` have moved to `webhooks.hooks`. + * `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds` + * `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds` + +## Installation + +The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release. The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster. 1. Add this repository: $ helm repo add projectcapsule https://projectcapsule.github.io/charts -2. Install the Chart: +2. Install Capsule: - $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace + $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace or - $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace + $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0 -n capsule-system --create-namespace 3. Show the status: @@ -58,7 +76,7 @@ Specify your overrides file when you install the chart: $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system -The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults. +The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults. If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example: @@ -66,6 +84,15 @@ If you only need to make minor customizations, you can specify them on the comma Here the values you can override: +### CustomResourceDefinition Lifecycle + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| crds.annnotations | object | `{}` | Extra Annotations for CRDs | +| crds.exclusive | bool | `false` | Only install the CRDs, no other primitives | +| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) | +| crds.labels | object | `{}` | Extra Labels for CRDs | + ### General Parameters | Key | Type | Default | Description | @@ -75,28 +102,36 @@ Here the values you can override: | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart | | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart | | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. | +| jobs.affinity | object | `{}` | Set affinity rules | +| jobs.annotations | object | `{"helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded"}` | Annotations to add to the certgen job. | | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job | | jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job | | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job | | jobs.image.tag | string | `""` | Set the image tag of the helm chart job | -| mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks | +| jobs.nodeSelector | object | `{}` | Set the node selector | +| jobs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. | +| jobs.priorityClassName | string | `""` | Set a pod priorityClassName | +| jobs.resources | object | `{}` | Job resources | +| jobs.restartPolicy | string | `"Never"` | Set the restartPolicy | +| jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. | +| jobs.tolerations | list | `[]` | Set list of tolerations | +| jobs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints | +| jobs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. | | nodeSelector | object | `{}` | Set the node selector for the Capsule pod | | podAnnotations | object | `{}` | Annotations to add to the capsule pod. | | podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod | -| podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created | | priorityClassName | string | `""` | Set the priority class name of the Capsule pod | | proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy | | replicaCount | int | `1` | Set the replica count for capsule pod | | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | -| serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template | | tls.create | bool | `true` | When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. | | tls.enableController | bool | `true` | Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. | | tls.name | string | `""` | Override name of the Capsule TLS Secret name when externally managed. | | tolerations | list | `[]` | Set list of tolerations for the Capsule pod | | topologySpreadConstraints | list | `[]` | Set topology spread constraints for the Capsule pod | -| validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks | ### Manager Parameters @@ -109,7 +144,7 @@ Here the values you can override: | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. | | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec | -| manager.options.capsuleUserGroups | list | `["capsule.clastix.io"]` | Override the Capsule user groups | +| manager.options.capsuleUserGroups | list | `["projectcapsule.dev"]` | Override the Capsule user groups | | manager.options.forceTenantPrefix | bool | `false` | Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash | | manager.options.generateCertificates | bool | `true` | Specifies whether capsule webhooks certificates should be generated by capsule operator | | manager.options.logLevel | string | `"4"` | Set the log verbosity of the capsule with a value from 1 to 10 | @@ -137,42 +172,50 @@ Here the values you can override: | serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) | | serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor | -### Webhook Parameters +### Webhooks Parameters | Key | Type | Default | Description | |-----|------|---------|-------------| -| webhooks.cordoning.failurePolicy | string | `"Fail"` | | -| webhooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.defaults.ingress.failurePolicy | string | `"Fail"` | | -| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.defaults.pods.failurePolicy | string | `"Fail"` | | -| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.defaults.pvc.failurePolicy | string | `"Fail"` | | -| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.ingresses.failurePolicy | string | `"Fail"` | | -| webhooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` | | -| webhooks.namespaces.failurePolicy | string | `"Fail"` | | -| webhooks.networkpolicies.failurePolicy | string | `"Fail"` | | -| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.nodes.failurePolicy | string | `"Fail"` | | -| webhooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` | | -| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.pods.failurePolicy | string | `"Fail"` | | -| webhooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.services.failurePolicy | string | `"Fail"` | | -| webhooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | -| webhooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | -| webhooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | | -| webhooks.tenants.failurePolicy | string | `"Fail"` | | +| webhooks.exclusive | bool | `false` | When `crds.exclusive` is `true` the webhooks will be installed | +| webhooks.hooks.cordoning.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.cordoning.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.defaults.ingress.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.defaults.ingress.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.defaults.pods.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.defaults.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.defaults.pvc.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.defaults.pvc.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.ingresses.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.ingresses.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.namespaceOwnerReference.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.namespaces.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.networkpolicies.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.networkpolicies.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.nodes.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.persistentvolumeclaims.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.persistentvolumeclaims.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.pods.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.pods.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.services.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.services.namespaceSelector.matchExpressions[0].key | string | `"capsule.clastix.io/tenant"` | | +| webhooks.hooks.services.namespaceSelector.matchExpressions[0].operator | string | `"Exists"` | | +| webhooks.hooks.tenantResourceObjects.failurePolicy | string | `"Fail"` | | +| webhooks.hooks.tenants.failurePolicy | string | `"Fail"` | | +| webhooks.mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks | +| webhooks.service.caBundle | string | `""` | CABundle for the webhook service | +| webhooks.service.name | string | `""` | Custom service name for the webhook service | +| webhooks.service.namespace | string | `""` | Custom service namespace for the webhook service | +| webhooks.service.port | string | `nil` | Custom service port for the webhook service | +| webhooks.service.url | string | `""` | The URL where the capsule webhook services are running (Overwrites cluster scoped service definition) | +| webhooks.validatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for validating webhooks | ## Created resources diff --git a/charts/capsule/README.md.gotmpl b/charts/capsule/README.md.gotmpl index 377491a9..9fb2f807 100644 --- a/charts/capsule/README.md.gotmpl +++ b/charts/capsule/README.md.gotmpl @@ -16,21 +16,40 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult * A [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file accessing the Kubernetes cluster with cluster admin permissions. -## Quick Start +## Major Changes +In the following sections you see actions which are required when you are upgrading to a specific version. + +### Upgrading to 0.7.x + +Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs. +When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart. This behavior is the new default. + +#### Changed Values + +The following Values have changed key or Value: + + * All values from previous releases under `webhooks` have moved to `webhooks.hooks`. + * `mutatingWebhooksTimeoutSeconds` has moved to `webhooks.mutatingWebhooksTimeoutSeconds` + * `validatingWebhooksTimeoutSeconds` has moved to `webhooks.validatingWebhooksTimeoutSeconds` + + +## Installation + +The Capsule Operator requires it's CRDs to be installed before the operator itself. Since the Helm CRD lifecycle has limitations, we recommend to install the CRDs separately. Our chart supports the installation of crds via a dedicated Release. The Capsule Operator Chart can be used to instantly deploy the Capsule Operator on your Kubernetes cluster. 1. Add this repository: $ helm repo add projectcapsule https://projectcapsule.github.io/charts -2. Install the Chart: +2. Install Capsule: - $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace + $ helm install capsule projectcapsule/capsule --version 0.7.0 -n capsule-system --create-namespace or - $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace + $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.7.0 -n capsule-system --create-namespace 3. Show the status: @@ -58,7 +77,7 @@ Specify your overrides file when you install the chart: $ helm install capsule capsule-helm-chart --values myvalues.yaml -n capsule-system -The values in your overrides file `myvalues.yaml` will override their counterparts in the chart’s values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults. +The values in your overrides file `myvalues.yaml` will override their counterparts in the chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults. If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example: @@ -66,13 +85,23 @@ If you only need to make minor customizations, you can specify them on the comma Here the values you can override: +### CustomResourceDefinition Lifecycle + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if (hasPrefix "crds" .Key) }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + ### General Parameters | Key | Type | Default | Description | |-----|------|---------|-------------| {{- range .Values }} - {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }} + {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) ) }} | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{- end }} {{- end }} @@ -97,7 +126,7 @@ Here the values you can override: {{- end }} {{- end }} -### Webhook Parameters +### Webhooks Parameters | Key | Type | Default | Description | |-----|------|---------|-------------| diff --git a/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch new file mode 100644 index 00000000..1fbdd74a --- /dev/null +++ b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.patch @@ -0,0 +1,14 @@ +metadata: + annotations: + {{- if $.Values.certManager.generateCertificates }} + cert-manager.io/inject-ca-from: {{ $.Release.Namespace }}/{{ include "capsule.fullname" $ }}-webhook-cert + {{- end }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + {{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }} + conversionReviewVersions: + - v1beta1 + - v1beta2 \ No newline at end of file diff --git a/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml new file mode 100644 index 00000000..c95f5c4d --- /dev/null +++ b/charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml @@ -0,0 +1,132 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: capsuleconfigurations.capsule.clastix.io +spec: + group: capsule.clastix.io + names: + kind: CapsuleConfiguration + listKind: CapsuleConfigurationList + plural: capsuleconfigurations + singular: capsuleconfiguration + scope: Cluster + versions: + - name: v1beta2 + schema: + openAPIV3Schema: + description: CapsuleConfiguration is the Schema for the Capsule configuration + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CapsuleConfigurationSpec defines the Capsule configuration. + properties: + enableTLSReconciler: + default: true + description: |- + Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks + when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager. + type: boolean + forceTenantPrefix: + default: false + description: |- + Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, + separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment. + type: boolean + nodeMetadata: + description: |- + Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant. + This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes. + properties: + forbiddenAnnotations: + description: Define the annotations that a Tenant Owner cannot + set for their nodes. + properties: + denied: + items: + type: string + type: array + deniedRegex: + type: string + type: object + forbiddenLabels: + description: Define the labels that a Tenant Owner cannot set + for their nodes. + properties: + denied: + items: + type: string + type: array + deniedRegex: + type: string + type: object + required: + - forbiddenAnnotations + - forbiddenLabels + type: object + overrides: + default: + TLSSecretName: capsule-tls + mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration + validatingWebhookConfigurationName: capsule-validating-webhook-configuration + description: |- + Allows to set different name rather than the canonical one for the Capsule configuration objects, + such as webhook secret or configurations. + properties: + TLSSecretName: + default: capsule-tls + description: |- + Defines the Secret name used for the webhook server. + Must be in the same Namespace where the Capsule Deployment is deployed. + type: string + mutatingWebhookConfigurationName: + default: capsule-mutating-webhook-configuration + description: Name of the MutatingWebhookConfiguration which contains + the dynamic admission controller paths and resources. + type: string + validatingWebhookConfigurationName: + default: capsule-validating-webhook-configuration + description: Name of the ValidatingWebhookConfiguration which + contains the dynamic admission controller paths and resources. + type: string + required: + - TLSSecretName + - mutatingWebhookConfigurationName + - validatingWebhookConfigurationName + type: object + protectedNamespaceRegex: + description: Disallow creation of namespaces, whose name matches this + regexp + type: string + userGroups: + default: + - capsule.clastix.io + description: Names of the groups for Capsule users. + items: + type: string + type: array + required: + - enableTLSReconciler + type: object + type: object + served: true + storage: true diff --git a/charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml b/charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml new file mode 100644 index 00000000..8ae724fa --- /dev/null +++ b/charts/capsule/crds/capsule.clastix.io_globaltenantresources.yaml @@ -0,0 +1,298 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: globaltenantresources.capsule.clastix.io +spec: + group: capsule.clastix.io + names: + kind: GlobalTenantResource + listKind: GlobalTenantResourceList + plural: globaltenantresources + singular: globaltenantresource + scope: Cluster + versions: + - name: v1beta2 + schema: + openAPIV3Schema: + description: GlobalTenantResource allows to propagate resource replications + to a specific subset of Tenant resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. + properties: + pruningOnDelete: + default: true + description: |- + When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. + Disable this to keep replicated resources although the deletion of the replication manifest. + type: boolean + resources: + description: Defines the rules to select targeting Namespace, along + with the objects that must be replicated. + items: + properties: + additionalMetadata: + description: |- + Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be + added to the replicated resources. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + description: |- + Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. + In case of nil value, all the Tenant Namespaces are targeted. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespacedItems: + description: List of the resources already existing in other + Namespaces that must be replicated. + items: + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + selector: + description: Label selector used to select the given resources + in the given Namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - kind + - namespace + - selector + type: object + type: array + rawItems: + description: List of raw resources that must be replicated. + items: + type: object + x-kubernetes-embedded-resource: true + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: array + resyncPeriod: + default: 60s + description: |- + Define the period of time upon a second reconciliation must be invoked. + Keep in mind that any change to the manifests will trigger a new reconciliation. + type: string + tenantSelector: + description: Defines the Tenant selector used target the tenants on + which resources must be propagated. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - resources + - resyncPeriod + type: object + status: + description: GlobalTenantResourceStatus defines the observed state of + GlobalTenantResource. + properties: + processedItems: + description: List of the replicated resources for the given TenantResource. + items: + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + required: + - kind + - name + - namespace + type: object + type: array + selectedTenants: + description: List of Tenants addressed by the GlobalTenantResource. + items: + type: string + type: array + required: + - processedItems + - selectedTenants + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/capsule/crds/capsule.clastix.io_tenantresources.yaml b/charts/capsule/crds/capsule.clastix.io_tenantresources.yaml new file mode 100644 index 00000000..4e48c0ef --- /dev/null +++ b/charts/capsule/crds/capsule.clastix.io_tenantresources.yaml @@ -0,0 +1,246 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: tenantresources.capsule.clastix.io +spec: + group: capsule.clastix.io + names: + kind: TenantResource + listKind: TenantResourceList + plural: tenantresources + singular: tenantresource + scope: Namespaced + versions: + - name: v1beta2 + schema: + openAPIV3Schema: + description: |- + TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace. + The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces. + For such cases, the GlobalTenantResource must be used. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TenantResourceSpec defines the desired state of TenantResource. + properties: + pruningOnDelete: + default: true + description: |- + When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. + Disable this to keep replicated resources although the deletion of the replication manifest. + type: boolean + resources: + description: Defines the rules to select targeting Namespace, along + with the objects that must be replicated. + items: + properties: + additionalMetadata: + description: |- + Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be + added to the replicated resources. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + description: |- + Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. + In case of nil value, all the Tenant Namespaces are targeted. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespacedItems: + description: List of the resources already existing in other + Namespaces that must be replicated. + items: + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + selector: + description: Label selector used to select the given resources + in the given Namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - kind + - namespace + - selector + type: object + type: array + rawItems: + description: List of raw resources that must be replicated. + items: + type: object + x-kubernetes-embedded-resource: true + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: array + resyncPeriod: + default: 60s + description: |- + Define the period of time upon a second reconciliation must be invoked. + Keep in mind that any change to the manifests will trigger a new reconciliation. + type: string + required: + - resources + - resyncPeriod + type: object + status: + description: TenantResourceStatus defines the observed state of TenantResource. + properties: + processedItems: + description: List of the replicated resources for the given TenantResource. + items: + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + required: + - kind + - name + - namespace + type: object + type: array + required: + - processedItems + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/capsule/crds/capsule.clastix.io_tenants.patch b/charts/capsule/crds/capsule.clastix.io_tenants.patch new file mode 100644 index 00000000..9da6b07e --- /dev/null +++ b/charts/capsule/crds/capsule.clastix.io_tenants.patch @@ -0,0 +1,14 @@ +metadata: + annotations: + {{- if $.Values.certManager.generateCertificates }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert + {{- end }} +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + {{- include "capsule.webhooks.service" (dict "path" "/convert" "ctx" $) | nindent 8 }} + conversionReviewVersions: + - v1beta1 + - v1beta2 \ No newline at end of file diff --git a/charts/capsule/crds/tenant-crd.yaml b/charts/capsule/crds/capsule.clastix.io_tenants.yaml similarity index 58% rename from charts/capsule/crds/tenant-crd.yaml rename to charts/capsule/crds/capsule.clastix.io_tenants.yaml index 50ad93ab..c073502f 100644 --- a/charts/capsule/crds/tenant-crd.yaml +++ b/charts/capsule/crds/capsule.clastix.io_tenants.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: tenants.capsule.clastix.io spec: group: capsule.clastix.io @@ -44,14 +43,19 @@ spec: description: Tenant is the Schema for the tenants API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -69,31 +73,28 @@ spec: subjects: description: kubebuilder:validation:Minimum=1 items: - description: Subject contains a reference to the object or - user identities a role binding applies to. This can either - hold a direct API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and - Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined - by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, - the Authorizer should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the - object kind is non-namespace, such as "User" or "Group", - and this value is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -161,15 +162,20 @@ spec: type: object hostnameCollisionScope: default: Disabled - description: "Defines the scope of hostname collision check performed - when Tenant Owners create Ingress with allowed hostnames. \n - - Cluster: disallow the creation of an Ingress if the pair hostname - and path is already used across the Namespaces managed by Capsule. - \n - Tenant: disallow the creation of an Ingress if the pair - hostname and path is already used across the Namespaces of the - Tenant. \n - Namespace: disallow the creation of an Ingress - if the pair hostname and path is already used in the Ingress - Namespace. \n Optional." + description: |- + Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames. + + + - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. + + + - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. + + + - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. + + + Optional. enum: - Cluster - Tenant @@ -256,6 +262,7 @@ spec: - type type: object type: array + x-kubernetes-list-type: atomic required: - limits type: object @@ -300,464 +307,421 @@ spec: a NetworkPolicy properties: egress: - description: egress is a list of egress rules to be applied - to the selected pods. Outgoing traffic is allowed if there - are no NetworkPolicies selecting the pod (and cluster - policy otherwise allows the traffic), OR if the traffic - matches at least one egress rule across all of the NetworkPolicy - objects whose podSelector matches the pod. If this field - is empty then this NetworkPolicy limits all outgoing traffic - (and serves solely to ensure that the pods it selects - are isolated by default). This field is beta-level in - 1.8 + description: |- + egress is a list of egress rules to be applied to the selected pods. Outgoing traffic + is allowed if there are no NetworkPolicies selecting the pod (and cluster policy + otherwise allows the traffic), OR if the traffic matches at least one egress rule + across all of the NetworkPolicy objects whose podSelector matches the pod. If + this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + solely to ensure that the pods it selects are isolated by default). + This field is beta-level in 1.8 items: - description: NetworkPolicyEgressRule describes a particular - set of traffic that is allowed out of pods matched by - a NetworkPolicySpec's podSelector. The traffic must - match both ports and to. This type is beta-level in - 1.8 + description: |- + NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods + matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. + This type is beta-level in 1.8 properties: ports: - description: ports is a list of destination ports - for outgoing traffic. Each item in this list is - combined using a logical OR. If this field is empty - or missing, this rule matches all ports (traffic - not restricted by port). If this field is present - and contains at least one item, then this rule allows - traffic only if the traffic matches at least one - port in the list. + description: |- + ports is a list of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: endPort indicates that the range - of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field - cannot be defined if the port field is not - defined or if the port field is defined as - a named (string) port. The endPort must be - equal or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: port represents the port on the - given protocol. This can either be a numerical - or named port on a pod. If this field is not - provided, this matches all port names and - numbers. If present, only traffic on the specified - protocol AND port will be matched. + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: protocol represents the protocol - (TCP, UDP, or SCTP) which traffic must match. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. type: string type: object type: array + x-kubernetes-list-type: atomic to: - description: to is a list of destinations for outgoing - traffic of pods selected for this rule. Items in - this list are combined using a logical OR operation. - If this field is empty or missing, this rule matches - all destinations (traffic not restricted by destination). - If this field is present and contains at least one - item, this rule allows traffic only if the traffic - matches at least one item in the to list. + description: |- + to is a list of destinations for outgoing traffic of pods selected for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. items: - description: NetworkPolicyPeer describes a peer - to allow traffic to/from. Only certain combinations - of fields are allowed + description: |- + NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of + fields are allowed properties: ipBlock: - description: ipBlock defines policy on a particular - IPBlock. If this field is set then neither - of the other fields can be. + description: |- + ipBlock defines policy on a particular IPBlock. If this field is set then + neither of the other fields can be. properties: cidr: - description: cidr is a string representing - the IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: except is a slice of CIDRs - that should not be included within an - IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will - be rejected if they are outside the cidr - range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array + x-kubernetes-list-type: atomic required: - cidr type: object namespaceSelector: - description: "namespaceSelector selects namespaces - using cluster-scoped labels. This field follows - standard label selector semantics; if present - but empty, it selects all namespaces. \n If - podSelector is also set, then the NetworkPolicyPeer - as a whole selects the pods matching podSelector - in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces - selected by namespaceSelector." + description: |- + namespaceSelector selects namespaces using cluster-scoped labels. This field follows + standard label selector semantics; if present but empty, it selects all namespaces. + + + If podSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected by namespaceSelector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: "podSelector is a label selector - which selects pods. This field follows standard - label selector semantics; if present but empty, - it selects all pods. \n If namespaceSelector - is also set, then the NetworkPolicyPeer as - a whole selects the pods matching podSelector - in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector - in the policy's own namespace." + description: |- + podSelector is a label selector which selects pods. This field follows standard label + selector semantics; if present but empty, it selects all pods. + + + If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected by NamespaceSelector. + Otherwise it selects the pods matching podSelector in the policy's own namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object type: array + x-kubernetes-list-type: atomic type: object type: array + x-kubernetes-list-type: atomic ingress: - description: ingress is a list of ingress rules to be applied - to the selected pods. Traffic is allowed to a pod if there - are no NetworkPolicies selecting the pod (and cluster - policy otherwise allows the traffic), OR if the traffic - source is the pod's local node, OR if the traffic matches - at least one ingress rule across all of the NetworkPolicy - objects whose podSelector matches the pod. If this field - is empty then this NetworkPolicy does not allow any traffic - (and serves solely to ensure that the pods it selects - are isolated by default) + description: |- + ingress is a list of ingress rules to be applied to the selected pods. + Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod + (and cluster policy otherwise allows the traffic), OR if the traffic source is + the pod's local node, OR if the traffic matches at least one ingress rule + across all of the NetworkPolicy objects whose podSelector matches the pod. If + this field is empty then this NetworkPolicy does not allow any traffic (and serves + solely to ensure that the pods it selects are isolated by default) items: - description: NetworkPolicyIngressRule describes a particular - set of traffic that is allowed to the pods matched by - a NetworkPolicySpec's podSelector. The traffic must - match both ports and from. + description: |- + NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods + matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. properties: from: - description: from is a list of sources which should - be able to access the pods selected for this rule. - Items in this list are combined using a logical - OR operation. If this field is empty or missing, - this rule matches all sources (traffic not restricted - by source). If this field is present and contains - at least one item, this rule allows traffic only - if the traffic matches at least one item in the - from list. + description: |- + from is a list of sources which should be able to access the pods selected for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not restricted by + source). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the from list. items: - description: NetworkPolicyPeer describes a peer - to allow traffic to/from. Only certain combinations - of fields are allowed + description: |- + NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of + fields are allowed properties: ipBlock: - description: ipBlock defines policy on a particular - IPBlock. If this field is set then neither - of the other fields can be. + description: |- + ipBlock defines policy on a particular IPBlock. If this field is set then + neither of the other fields can be. properties: cidr: - description: cidr is a string representing - the IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: except is a slice of CIDRs - that should not be included within an - IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will - be rejected if they are outside the cidr - range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array + x-kubernetes-list-type: atomic required: - cidr type: object namespaceSelector: - description: "namespaceSelector selects namespaces - using cluster-scoped labels. This field follows - standard label selector semantics; if present - but empty, it selects all namespaces. \n If - podSelector is also set, then the NetworkPolicyPeer - as a whole selects the pods matching podSelector - in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces - selected by namespaceSelector." + description: |- + namespaceSelector selects namespaces using cluster-scoped labels. This field follows + standard label selector semantics; if present but empty, it selects all namespaces. + + + If podSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected by namespaceSelector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: "podSelector is a label selector - which selects pods. This field follows standard - label selector semantics; if present but empty, - it selects all pods. \n If namespaceSelector - is also set, then the NetworkPolicyPeer as - a whole selects the pods matching podSelector - in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector - in the policy's own namespace." + description: |- + podSelector is a label selector which selects pods. This field follows standard label + selector semantics; if present but empty, it selects all pods. + + + If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected by NamespaceSelector. + Otherwise it selects the pods matching podSelector in the policy's own namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object type: array + x-kubernetes-list-type: atomic ports: - description: ports is a list of ports which should - be made accessible on the pods selected for this - rule. Each item in this list is combined using a - logical OR. If this field is empty or missing, this - rule matches all ports (traffic not restricted by - port). If this field is present and contains at - least one item, then this rule allows traffic only - if the traffic matches at least one port in the - list. + description: |- + ports is a list of ports which should be made accessible on the pods selected for + this rule. Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: endPort indicates that the range - of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field - cannot be defined if the port field is not - defined or if the port field is defined as - a named (string) port. The endPort must be - equal or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: port represents the port on the - given protocol. This can either be a numerical - or named port on a pod. If this field is not - provided, this matches all port names and - numbers. If present, only traffic on the specified - protocol AND port will be matched. + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: protocol represents the protocol - (TCP, UDP, or SCTP) which traffic must match. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. type: string type: object type: array + x-kubernetes-list-type: atomic type: object type: array + x-kubernetes-list-type: atomic podSelector: - description: podSelector selects the pods to which this - NetworkPolicy object applies. The array of ingress rules - is applied to any pods selected by this field. Multiple - network policies can select the same set of pods. In this - case, the ingress rules for each are combined additively. - This field is NOT optional and follows standard label - selector semantics. An empty podSelector matches all pods - in this namespace. + description: |- + podSelector selects the pods to which this NetworkPolicy object applies. + The array of ingress rules is applied to any pods selected by this field. + Multiple network policies can select the same set of pods. In this case, + the ingress rules for each are combined additively. + This field is NOT optional and follows standard label selector semantics. + An empty podSelector matches all pods in this namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -765,56 +729,55 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic policyTypes: - description: policyTypes is a list of rule types that the - NetworkPolicy relates to. Valid options are ["Ingress"], - ["Egress"], or ["Ingress", "Egress"]. If this field is - not specified, it will default based on the existence - of ingress or egress rules; policies that contain an egress - section are assumed to affect egress, and all policies - (whether or not they contain an ingress section) are assumed - to affect ingress. If you want to write an egress-only - policy, you must explicitly specify policyTypes [ "Egress" - ]. Likewise, if you want to write a policy that specifies - that no egress is allowed, you must specify a policyTypes - value that include "Egress" (since such a policy would - not include an egress section and would otherwise default - to just [ "Ingress" ]). This field is beta-level in 1.8 + description: |- + policyTypes is a list of rule types that the NetworkPolicy relates to. + Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. + If this field is not specified, it will default based on the existence of ingress or egress rules; + policies that contain an egress section are assumed to affect egress, and all policies + (whether or not they contain an ingress section) are assumed to affect ingress. + If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. + Likewise, if you want to write a policy that specifies that no egress is allowed, + you must specify a policyTypes value that include "Egress" (since such a policy would not include + an egress section and would otherwise default to just [ "Ingress" ]). + This field is beta-level in 1.8 items: - description: PolicyType string describes the NetworkPolicy - type This type is beta-level in 1.8 + description: |- + PolicyType string describes the NetworkPolicy type + This type is beta-level in 1.8 type: string type: array + x-kubernetes-list-type: atomic required: - podSelector type: object @@ -905,59 +868,61 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'hard is the set of desired hard limits for - each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + description: |- + hard is the set of desired hard limits for each named resource. + More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ type: object scopeSelector: - description: scopeSelector is also a collection of filters - like scopes that must match each object tracked by a quota - but expressed using ScopeSelectorOperator in combination - with possible values. For a resource to match, both scopes - AND scopeSelector (if specified in spec), must be matched. + description: |- + scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota + but expressed using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. properties: matchExpressions: description: A list of scope selector requirements by scope of the resources. items: - description: A scoped-resource selector requirement - is a selector that contains values, a scope name, - and an operator that relates the scope name and - values. + description: |- + A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator + that relates the scope name and values. properties: operator: - description: Represents a scope's relationship - to a set of values. Valid operators are In, - NotIn, Exists, DoesNotExist. + description: |- + Represents a scope's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. type: string scopeName: description: The name of the scope that the selector applies to. type: string values: - description: An array of string values. If the - operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. + This array is replaced during a strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - operator - scopeName type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic scopes: - description: A collection of filters that must match each - object tracked by a quota. If not specified, the quota - matches all objects. + description: |- + A collection of filters that must match each object tracked by a quota. + If not specified, the quota matches all objects. items: description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota type: string type: array + x-kubernetes-list-type: atomic type: object type: array scope: @@ -1113,14 +1078,19 @@ spec: description: Tenant is the Schema for the tenants API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1138,31 +1108,28 @@ spec: subjects: description: kubebuilder:validation:Minimum=1 items: - description: Subject contains a reference to the object or - user identities a role binding applies to. This can either - hold a direct API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and - Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined - by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, - the Authorizer should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the - object kind is non-namespace, such as "User" or "Group", - and this value is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1212,11 +1179,11 @@ spec: in a Tenant to have a hostname wildcard. type: boolean allowedClasses: - description: Specifies the allowed IngressClasses assigned to - the Tenant. Capsule assures that all Ingress resources created - in the Tenant can use only one of the allowed IngressClasses. - A default value can be specified, and all the Ingress resources - created will inherit the declared class. Optional. + description: |- + Specifies the allowed IngressClasses assigned to the Tenant. + Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. + A default value can be specified, and all the Ingress resources created will inherit the declared class. + Optional. properties: allowed: items: @@ -1230,41 +1197,42 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1283,15 +1251,20 @@ spec: type: object hostnameCollisionScope: default: Disabled - description: "Defines the scope of hostname collision check performed - when Tenant Owners create Ingress with allowed hostnames. \n - - Cluster: disallow the creation of an Ingress if the pair hostname - and path is already used across the Namespaces managed by Capsule. - \n - Tenant: disallow the creation of an Ingress if the pair - hostname and path is already used across the Namespaces of the - Tenant. \n - Namespace: disallow the creation of an Ingress - if the pair hostname and path is already used in the Ingress - Namespace. \n Optional." + description: |- + Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames. + + + - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule. + + + - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant. + + + - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace. + + + Optional. enum: - Cluster - Tenant @@ -1378,6 +1351,7 @@ spec: - type type: object type: array + x-kubernetes-list-type: atomic required: - limits type: object @@ -1444,464 +1418,421 @@ spec: a NetworkPolicy properties: egress: - description: egress is a list of egress rules to be applied - to the selected pods. Outgoing traffic is allowed if there - are no NetworkPolicies selecting the pod (and cluster - policy otherwise allows the traffic), OR if the traffic - matches at least one egress rule across all of the NetworkPolicy - objects whose podSelector matches the pod. If this field - is empty then this NetworkPolicy limits all outgoing traffic - (and serves solely to ensure that the pods it selects - are isolated by default). This field is beta-level in - 1.8 + description: |- + egress is a list of egress rules to be applied to the selected pods. Outgoing traffic + is allowed if there are no NetworkPolicies selecting the pod (and cluster policy + otherwise allows the traffic), OR if the traffic matches at least one egress rule + across all of the NetworkPolicy objects whose podSelector matches the pod. If + this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + solely to ensure that the pods it selects are isolated by default). + This field is beta-level in 1.8 items: - description: NetworkPolicyEgressRule describes a particular - set of traffic that is allowed out of pods matched by - a NetworkPolicySpec's podSelector. The traffic must - match both ports and to. This type is beta-level in - 1.8 + description: |- + NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods + matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. + This type is beta-level in 1.8 properties: ports: - description: ports is a list of destination ports - for outgoing traffic. Each item in this list is - combined using a logical OR. If this field is empty - or missing, this rule matches all ports (traffic - not restricted by port). If this field is present - and contains at least one item, then this rule allows - traffic only if the traffic matches at least one - port in the list. + description: |- + ports is a list of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: endPort indicates that the range - of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field - cannot be defined if the port field is not - defined or if the port field is defined as - a named (string) port. The endPort must be - equal or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: port represents the port on the - given protocol. This can either be a numerical - or named port on a pod. If this field is not - provided, this matches all port names and - numbers. If present, only traffic on the specified - protocol AND port will be matched. + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: protocol represents the protocol - (TCP, UDP, or SCTP) which traffic must match. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. type: string type: object type: array + x-kubernetes-list-type: atomic to: - description: to is a list of destinations for outgoing - traffic of pods selected for this rule. Items in - this list are combined using a logical OR operation. - If this field is empty or missing, this rule matches - all destinations (traffic not restricted by destination). - If this field is present and contains at least one - item, this rule allows traffic only if the traffic - matches at least one item in the to list. + description: |- + to is a list of destinations for outgoing traffic of pods selected for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. items: - description: NetworkPolicyPeer describes a peer - to allow traffic to/from. Only certain combinations - of fields are allowed + description: |- + NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of + fields are allowed properties: ipBlock: - description: ipBlock defines policy on a particular - IPBlock. If this field is set then neither - of the other fields can be. + description: |- + ipBlock defines policy on a particular IPBlock. If this field is set then + neither of the other fields can be. properties: cidr: - description: cidr is a string representing - the IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: except is a slice of CIDRs - that should not be included within an - IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will - be rejected if they are outside the cidr - range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array + x-kubernetes-list-type: atomic required: - cidr type: object namespaceSelector: - description: "namespaceSelector selects namespaces - using cluster-scoped labels. This field follows - standard label selector semantics; if present - but empty, it selects all namespaces. \n If - podSelector is also set, then the NetworkPolicyPeer - as a whole selects the pods matching podSelector - in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces - selected by namespaceSelector." + description: |- + namespaceSelector selects namespaces using cluster-scoped labels. This field follows + standard label selector semantics; if present but empty, it selects all namespaces. + + + If podSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected by namespaceSelector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: "podSelector is a label selector - which selects pods. This field follows standard - label selector semantics; if present but empty, - it selects all pods. \n If namespaceSelector - is also set, then the NetworkPolicyPeer as - a whole selects the pods matching podSelector - in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector - in the policy's own namespace." + description: |- + podSelector is a label selector which selects pods. This field follows standard label + selector semantics; if present but empty, it selects all pods. + + + If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected by NamespaceSelector. + Otherwise it selects the pods matching podSelector in the policy's own namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object type: array + x-kubernetes-list-type: atomic type: object type: array + x-kubernetes-list-type: atomic ingress: - description: ingress is a list of ingress rules to be applied - to the selected pods. Traffic is allowed to a pod if there - are no NetworkPolicies selecting the pod (and cluster - policy otherwise allows the traffic), OR if the traffic - source is the pod's local node, OR if the traffic matches - at least one ingress rule across all of the NetworkPolicy - objects whose podSelector matches the pod. If this field - is empty then this NetworkPolicy does not allow any traffic - (and serves solely to ensure that the pods it selects - are isolated by default) + description: |- + ingress is a list of ingress rules to be applied to the selected pods. + Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod + (and cluster policy otherwise allows the traffic), OR if the traffic source is + the pod's local node, OR if the traffic matches at least one ingress rule + across all of the NetworkPolicy objects whose podSelector matches the pod. If + this field is empty then this NetworkPolicy does not allow any traffic (and serves + solely to ensure that the pods it selects are isolated by default) items: - description: NetworkPolicyIngressRule describes a particular - set of traffic that is allowed to the pods matched by - a NetworkPolicySpec's podSelector. The traffic must - match both ports and from. + description: |- + NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods + matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. properties: from: - description: from is a list of sources which should - be able to access the pods selected for this rule. - Items in this list are combined using a logical - OR operation. If this field is empty or missing, - this rule matches all sources (traffic not restricted - by source). If this field is present and contains - at least one item, this rule allows traffic only - if the traffic matches at least one item in the - from list. + description: |- + from is a list of sources which should be able to access the pods selected for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not restricted by + source). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the from list. items: - description: NetworkPolicyPeer describes a peer - to allow traffic to/from. Only certain combinations - of fields are allowed + description: |- + NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of + fields are allowed properties: ipBlock: - description: ipBlock defines policy on a particular - IPBlock. If this field is set then neither - of the other fields can be. + description: |- + ipBlock defines policy on a particular IPBlock. If this field is set then + neither of the other fields can be. properties: cidr: - description: cidr is a string representing - the IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: except is a slice of CIDRs - that should not be included within an - IPBlock Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will - be rejected if they are outside the cidr - range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array + x-kubernetes-list-type: atomic required: - cidr type: object namespaceSelector: - description: "namespaceSelector selects namespaces - using cluster-scoped labels. This field follows - standard label selector semantics; if present - but empty, it selects all namespaces. \n If - podSelector is also set, then the NetworkPolicyPeer - as a whole selects the pods matching podSelector - in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces - selected by namespaceSelector." + description: |- + namespaceSelector selects namespaces using cluster-scoped labels. This field follows + standard label selector semantics; if present but empty, it selects all namespaces. + + + If podSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected by namespaceSelector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: "podSelector is a label selector - which selects pods. This field follows standard - label selector semantics; if present but empty, - it selects all pods. \n If namespaceSelector - is also set, then the NetworkPolicyPeer as - a whole selects the pods matching podSelector - in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector - in the policy's own namespace." + description: |- + podSelector is a label selector which selects pods. This field follows standard label + selector semantics; if present but empty, it selects all pods. + + + If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected by NamespaceSelector. + Otherwise it selects the pods matching podSelector in the policy's own namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object type: array + x-kubernetes-list-type: atomic ports: - description: ports is a list of ports which should - be made accessible on the pods selected for this - rule. Each item in this list is combined using a - logical OR. If this field is empty or missing, this - rule matches all ports (traffic not restricted by - port). If this field is present and contains at - least one item, then this rule allows traffic only - if the traffic matches at least one port in the - list. + description: |- + ports is a list of ports which should be made accessible on the pods selected for + this rule. Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: endPort indicates that the range - of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field - cannot be defined if the port field is not - defined or if the port field is defined as - a named (string) port. The endPort must be - equal or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: port represents the port on the - given protocol. This can either be a numerical - or named port on a pod. If this field is not - provided, this matches all port names and - numbers. If present, only traffic on the specified - protocol AND port will be matched. + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: protocol represents the protocol - (TCP, UDP, or SCTP) which traffic must match. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. type: string type: object type: array + x-kubernetes-list-type: atomic type: object type: array + x-kubernetes-list-type: atomic podSelector: - description: podSelector selects the pods to which this - NetworkPolicy object applies. The array of ingress rules - is applied to any pods selected by this field. Multiple - network policies can select the same set of pods. In this - case, the ingress rules for each are combined additively. - This field is NOT optional and follows standard label - selector semantics. An empty podSelector matches all pods - in this namespace. + description: |- + podSelector selects the pods to which this NetworkPolicy object applies. + The array of ingress rules is applied to any pods selected by this field. + Multiple network policies can select the same set of pods. In this case, + the ingress rules for each are combined additively. + This field is NOT optional and follows standard label selector semantics. + An empty podSelector matches all pods in this namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1909,56 +1840,55 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic policyTypes: - description: policyTypes is a list of rule types that the - NetworkPolicy relates to. Valid options are ["Ingress"], - ["Egress"], or ["Ingress", "Egress"]. If this field is - not specified, it will default based on the existence - of ingress or egress rules; policies that contain an egress - section are assumed to affect egress, and all policies - (whether or not they contain an ingress section) are assumed - to affect ingress. If you want to write an egress-only - policy, you must explicitly specify policyTypes [ "Egress" - ]. Likewise, if you want to write a policy that specifies - that no egress is allowed, you must specify a policyTypes - value that include "Egress" (since such a policy would - not include an egress section and would otherwise default - to just [ "Ingress" ]). This field is beta-level in 1.8 + description: |- + policyTypes is a list of rule types that the NetworkPolicy relates to. + Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. + If this field is not specified, it will default based on the existence of ingress or egress rules; + policies that contain an egress section are assumed to affect egress, and all policies + (whether or not they contain an ingress section) are assumed to affect ingress. + If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. + Likewise, if you want to write a policy that specifies that no egress is allowed, + you must specify a policyTypes value that include "Egress" (since such a policy would not include + an egress section and would otherwise default to just [ "Ingress" ]). + This field is beta-level in 1.8 items: - description: PolicyType string describes the NetworkPolicy - type This type is beta-level in 1.8 + description: |- + PolicyType string describes the NetworkPolicy type + This type is beta-level in 1.8 type: string type: array + x-kubernetes-list-type: atomic required: - podSelector type: object @@ -2048,15 +1978,16 @@ spec: type: object preventDeletion: default: false - description: Prevent accidental deletion of the Tenant. When enabled, - the deletion request will be declined. + description: |- + Prevent accidental deletion of the Tenant. + When enabled, the deletion request will be declined. type: boolean priorityClasses: - description: Specifies the allowed priorityClasses assigned to the - Tenant. Capsule assures that all Pods resources created in the Tenant - can use only one of the allowed PriorityClasses. A default value - can be specified, and all the Pod resources created will inherit - the declared class. Optional. + description: |- + Specifies the allowed priorityClasses assigned to the Tenant. + Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses. + A default value can be specified, and all the Pod resources created will inherit the declared class. + Optional. properties: allowed: items: @@ -2070,41 +2001,42 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2128,59 +2060,61 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'hard is the set of desired hard limits for - each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + description: |- + hard is the set of desired hard limits for each named resource. + More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ type: object scopeSelector: - description: scopeSelector is also a collection of filters - like scopes that must match each object tracked by a quota - but expressed using ScopeSelectorOperator in combination - with possible values. For a resource to match, both scopes - AND scopeSelector (if specified in spec), must be matched. + description: |- + scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota + but expressed using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. properties: matchExpressions: description: A list of scope selector requirements by scope of the resources. items: - description: A scoped-resource selector requirement - is a selector that contains values, a scope name, - and an operator that relates the scope name and - values. + description: |- + A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator + that relates the scope name and values. properties: operator: - description: Represents a scope's relationship - to a set of values. Valid operators are In, - NotIn, Exists, DoesNotExist. + description: |- + Represents a scope's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. type: string scopeName: description: The name of the scope that the selector applies to. type: string values: - description: An array of string values. If the - operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. + This array is replaced during a strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - operator - scopeName type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic scopes: - description: A collection of filters that must match each - object tracked by a quota. If not specified, the quota - matches all objects. + description: |- + A collection of filters that must match each object tracked by a quota. + If not specified, the quota matches all objects. items: description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota type: string type: array + x-kubernetes-list-type: atomic type: object type: array scope: @@ -2194,9 +2128,10 @@ spec: type: string type: object runtimeClasses: - description: Specifies the allowed RuntimeClasses assigned to the - Tenant. Capsule assures that all Pods resources created in the Tenant - can use only one of the allowed RuntimeClasses. Optional. + description: |- + Specifies the allowed RuntimeClasses assigned to the Tenant. + Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses. + Optional. properties: allowed: items: @@ -2208,41 +2143,42 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2319,11 +2255,11 @@ spec: type: object type: object storageClasses: - description: Specifies the allowed StorageClasses assigned to the - Tenant. Capsule assures that all PersistentVolumeClaim resources - created in the Tenant can use only one of the allowed StorageClasses. - A default value can be specified, and all the PersistentVolumeClaim - resources created will inherit the declared class. Optional. + description: |- + Specifies the allowed StorageClasses assigned to the Tenant. + Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses. + A default value can be specified, and all the PersistentVolumeClaim resources created will inherit the declared class. + Optional. properties: allowed: items: @@ -2337,41 +2273,42 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/charts/capsule/crds/capsuleconfiguration-crd.yaml b/charts/capsule/crds/capsuleconfiguration-crd.yaml deleted file mode 100644 index e14e585c..00000000 --- a/charts/capsule/crds/capsuleconfiguration-crd.yaml +++ /dev/null @@ -1,119 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - name: capsuleconfigurations.capsule.clastix.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: capsule-webhook-service - namespace: capsule-system - path: /convert - conversionReviewVersions: - - v1beta1 - - v1beta2 - group: capsule.clastix.io - names: - kind: CapsuleConfiguration - listKind: CapsuleConfigurationList - plural: capsuleconfigurations - singular: capsuleconfiguration - scope: Cluster - versions: - - name: v1beta2 - schema: - openAPIV3Schema: - description: CapsuleConfiguration is the Schema for the Capsule configuration API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CapsuleConfigurationSpec defines the Capsule configuration. - properties: - enableTLSReconciler: - default: true - description: Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager. - type: boolean - forceTenantPrefix: - default: false - description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment. - type: boolean - nodeMetadata: - description: Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant. This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes. - properties: - forbiddenAnnotations: - description: Define the annotations that a Tenant Owner cannot set for their nodes. - properties: - denied: - items: - type: string - type: array - deniedRegex: - type: string - type: object - forbiddenLabels: - description: Define the labels that a Tenant Owner cannot set for their nodes. - properties: - denied: - items: - type: string - type: array - deniedRegex: - type: string - type: object - required: - - forbiddenAnnotations - - forbiddenLabels - type: object - overrides: - default: - TLSSecretName: capsule-tls - mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration - validatingWebhookConfigurationName: capsule-validating-webhook-configuration - description: Allows to set different name rather than the canonical one for the Capsule configuration objects, such as webhook secret or configurations. - properties: - TLSSecretName: - default: capsule-tls - description: Defines the Secret name used for the webhook server. Must be in the same Namespace where the Capsule Deployment is deployed. - type: string - mutatingWebhookConfigurationName: - default: capsule-mutating-webhook-configuration - description: Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources. - type: string - validatingWebhookConfigurationName: - default: capsule-validating-webhook-configuration - description: Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources. - type: string - required: - - TLSSecretName - - mutatingWebhookConfigurationName - - validatingWebhookConfigurationName - type: object - protectedNamespaceRegex: - description: Disallow creation of namespaces, whose name matches this regexp - type: string - userGroups: - default: - - capsule.clastix.io - description: Names of the groups for Capsule users. - items: - type: string - type: array - required: - - enableTLSReconciler - type: object - type: object - served: true - storage: true diff --git a/charts/capsule/crds/globaltenantresources-crd.yaml b/charts/capsule/crds/globaltenantresources-crd.yaml deleted file mode 100644 index 5519a4b6..00000000 --- a/charts/capsule/crds/globaltenantresources-crd.yaml +++ /dev/null @@ -1,222 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: globaltenantresources.capsule.clastix.io -spec: - group: capsule.clastix.io - names: - kind: GlobalTenantResource - listKind: GlobalTenantResourceList - plural: globaltenantresources - singular: globaltenantresource - scope: Cluster - versions: - - name: v1beta2 - schema: - openAPIV3Schema: - description: GlobalTenantResource allows to propagate resource replications to a specific subset of Tenant resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GlobalTenantResourceSpec defines the desired state of GlobalTenantResource. - properties: - pruningOnDelete: - default: true - description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest. - type: boolean - resources: - description: Defines the rules to select targeting Namespace, along with the objects that must be replicated. - items: - properties: - additionalMetadata: - description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespacedItems: - description: List of the resources already existing in other Namespaces that must be replicated. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - selector: - description: Label selector used to select the given resources in the given Namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - kind - - namespace - - selector - type: object - type: array - rawItems: - description: List of raw resources that must be replicated. - items: - type: object - x-kubernetes-embedded-resource: true - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: array - resyncPeriod: - default: 60s - description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation. - type: string - tenantSelector: - description: Defines the Tenant selector used target the tenants on which resources must be propagated. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - resources - - resyncPeriod - type: object - status: - description: GlobalTenantResourceStatus defines the observed state of GlobalTenantResource. - properties: - processedItems: - description: List of the replicated resources for the given TenantResource. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - required: - - kind - - name - - namespace - type: object - type: array - selectedTenants: - description: List of Tenants addressed by the GlobalTenantResource. - items: - type: string - type: array - required: - - processedItems - - selectedTenants - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/capsule/crds/tenantresources-crd.yaml b/charts/capsule/crds/tenantresources-crd.yaml deleted file mode 100644 index c1d2a4c7..00000000 --- a/charts/capsule/crds/tenantresources-crd.yaml +++ /dev/null @@ -1,185 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: tenantresources.capsule.clastix.io -spec: - group: capsule.clastix.io - names: - kind: TenantResource - listKind: TenantResourceList - plural: tenantresources - singular: tenantresource - scope: Namespaced - versions: - - name: v1beta2 - schema: - openAPIV3Schema: - description: TenantResource allows a Tenant Owner, if enabled with proper RBAC, to propagate resources in its Namespace. The object must be deployed in a Tenant Namespace, and cannot reference object living in non-Tenant namespaces. For such cases, the GlobalTenantResource must be used. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TenantResourceSpec defines the desired state of TenantResource. - properties: - pruningOnDelete: - default: true - description: When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted. Disable this to keep replicated resources although the deletion of the replication manifest. - type: boolean - resources: - description: Defines the rules to select targeting Namespace, along with the objects that must be replicated. - items: - properties: - additionalMetadata: - description: Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be added to the replicated resources. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - description: Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated. In case of nil value, all the Tenant Namespaces are targeted. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespacedItems: - description: List of the resources already existing in other Namespaces that must be replicated. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - selector: - description: Label selector used to select the given resources in the given Namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - kind - - namespace - - selector - type: object - type: array - rawItems: - description: List of raw resources that must be replicated. - items: - type: object - x-kubernetes-embedded-resource: true - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: array - resyncPeriod: - default: 60s - description: Define the period of time upon a second reconciliation must be invoked. Keep in mind that any change to the manifests will trigger a new reconciliation. - type: string - required: - - resources - - resyncPeriod - type: object - status: - description: TenantResourceStatus defines the observed state of TenantResource. - properties: - processedItems: - description: List of the replicated resources for the given TenantResource. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - required: - - kind - - name - - namespace - type: object - type: array - required: - - processedItems - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/capsule/templates/_helpers.tpl b/charts/capsule/templates/_helpers.tpl index 64680fdc..9863a6a4 100644 --- a/charts/capsule/templates/_helpers.tpl +++ b/charts/capsule/templates/_helpers.tpl @@ -125,3 +125,32 @@ Create the Capsule TLS Secret name to use {{- define "capsule.secretTlsName" -}} {{ default ( printf "%s-tls" ( include "capsule.fullname" . ) ) .Values.tls.name }} {{- end }} + + +{{/* +Capsule Webhook service (Called with $.Path) + +*/}} +{{- define "capsule.webhooks.service" -}} + {{- include "capsule.webhooks.cabundle" $.ctx | nindent 0 }} + {{- if $.ctx.Values.webhooks.service.url }} +url: {{ printf "%s/%s" (trimSuffix "/" $.ctx.Values.webhooks.service.url ) (trimPrefix "/" (required "Path is required for the function" $.path)) }} + {{- else }} +service: + name: {{ default (printf "%s-webhook-service" (include "capsule.fullname" $.ctx)) $.ctx.Values.webhooks.service.name }} + namespace: {{ default $.ctx.Release.Namespace $.ctx.Values.webhooks.service.namespace }} + port: {{ default 443 $.ctx.Values.webhooks.service.port }} + path: {{ required "Path is required for the function" $.path }} + {{- end }} +{{- end }} + +{{/* +Capsule Webhook endpoint CA Bundle +*/}} +{{- define "capsule.webhooks.cabundle" -}} + {{- if $.Values.webhooks.service.caBundle -}} +caBundle: {{ $.Values.webhooks.service.caBundle -}} + {{- end -}} +{{- end -}} + + diff --git a/charts/capsule/templates/certificate.yaml b/charts/capsule/templates/certificate.yaml index e24275ce..29d6ff4d 100644 --- a/charts/capsule/templates/certificate.yaml +++ b/charts/capsule/templates/certificate.yaml @@ -1,4 +1,5 @@ -{{- if .Values.certManager.generateCertificates }} +{{- if not $.Values.crds.exclusive }} + {{- if .Values.certManager.generateCertificates }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: @@ -33,4 +34,5 @@ spec: subject: organizations: - clastix.io + {{- end }} {{- end }} diff --git a/charts/capsule/templates/certs.yaml b/charts/capsule/templates/certs.yaml index 4488bbfd..6662f865 100644 --- a/charts/capsule/templates/certs.yaml +++ b/charts/capsule/templates/certs.yaml @@ -1,12 +1,14 @@ -{{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }} +{{- if not $.Values.crds.exclusive }} + {{- if or (not .Values.certManager.generateCertificates) (.Values.tls.create) }} apiVersion: v1 kind: Secret metadata: labels: {{- include "capsule.labels" . | nindent 4 }} - {{- with .Values.customAnnotations }} + {{- with .Values.customAnnotations }} annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ include "capsule.secretTlsName" . }} + {{- end }} {{- end }} diff --git a/charts/capsule/templates/configuration-default.yaml b/charts/capsule/templates/configuration-default.yaml index bd5b6513..3cc5422c 100644 --- a/charts/capsule/templates/configuration-default.yaml +++ b/charts/capsule/templates/configuration-default.yaml @@ -1,3 +1,4 @@ +{{- if not $.Values.crds.exclusive }} apiVersion: capsule.clastix.io/v1beta2 kind: CapsuleConfiguration metadata: @@ -24,3 +25,4 @@ spec: nodeMetadata: {{- toYaml . | nindent 4 }} {{- end }} +{{- end }} diff --git a/charts/capsule/templates/crd-lifecycle/_helpers.tpl b/charts/capsule/templates/crd-lifecycle/_helpers.tpl new file mode 100644 index 00000000..e5991823 --- /dev/null +++ b/charts/capsule/templates/crd-lifecycle/_helpers.tpl @@ -0,0 +1,20 @@ +{{- define "capsule.crds.name" -}} +{{- printf "%s-crds" (include "capsule.name" $) -}} +{{- end }} + +{{- define "capsule.crds.annotations" -}} +"helm.sh/hook": "pre-install,pre-upgrade" + {{- with $.Values.jobs.annotations }} + {{- . | toYaml | nindent 0 }} + {{- end }} +{{- end }} + +{{- define "capsule.crds.component" -}} +crd-install-hook +{{- end }} + +{{- define "capsule.crds.regexReplace" -}} +{{- printf "%s" ($ | base | trimSuffix ".yaml" | regexReplaceAll "[_.]" "-") -}} +{{- end }} + + diff --git a/charts/capsule/templates/crd-lifecycle/crds.tpl b/charts/capsule/templates/crd-lifecycle/crds.tpl new file mode 100644 index 00000000..7432561f --- /dev/null +++ b/charts/capsule/templates/crd-lifecycle/crds.tpl @@ -0,0 +1,56 @@ +{{/* CustomResources Lifecycle */}} +{{- if $.Values.crds.install }} + {{ range $path, $_ := .Files.Glob "crds/**.yaml" }} + {{- with $ }} + {{- $content := (tpl (.Files.Get $path) $) -}} + {{- $p := (fromYaml $content) -}} + {{- if $p.Error }} + {{- fail (printf "found YAML error in file %s - %s - raw:\n\n%s" $path $p.Error $content) -}} + {{- end -}} + + + {{/* Add Common Lables */}} + {{- $_ := set $p.metadata "labels" (mergeOverwrite (default dict (get $p.metadata "labels")) (default dict $.Values.crds.labels) (fromYaml (include "capsule.labels" $))) -}} + + + {{/* Add Common Lables */}} + {{- $_ := set $p.metadata "annotations" (mergeOverwrite (default dict (get $p.metadata "annotations")) (default dict $.Values.crds.annotations)) -}} + + {{/* Add Keep annotation to CRDs */}} + {{- if $.Values.crds.keep }} + {{- $_ := set $p.metadata.annotations "helm.sh/resource-policy" "keep" -}} + {{- end }} + + {{/* Add Spec Patches for the CRD */}} + {{- $patchFile := $path | replace ".yaml" ".patch" }} + {{- $patchRawContent := (tpl (.Files.Get $patchFile) $) -}} + {{- if $patchRawContent -}} + {{- $patchContent := (fromYaml $patchRawContent) -}} + {{- if $patchContent.Error }} + {{- fail (printf "found YAML error in patch file %s - %s - raw:\n\n%s" $patchFile $patchContent.Error $patchRawContent) -}} + {{- end -}} + {{- $tmp := deepCopy $p | mergeOverwrite $patchContent -}} + {{- $p = $tmp -}} + {{- end -}} + {{- if $p }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "capsule.crds.name" . }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-5" + {{- include "capsule.crds.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +data: + content: | + {{- printf "---\n%s" (toYaml $p) | nindent 4 }} + + {{- end }} + {{ end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/crd-lifecycle/job.yaml b/charts/capsule/templates/crd-lifecycle/job.yaml new file mode 100644 index 00000000..8ab54e96 --- /dev/null +++ b/charts/capsule/templates/crd-lifecycle/job.yaml @@ -0,0 +1,96 @@ +{{- if .Values.crds.install }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "capsule.crds.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-1" + {{- include "capsule.crds.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +spec: + {{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }} + ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }} + {{- end }} + template: + metadata: + name: "{{ include "capsule.crds.name" . }}" + labels: + app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }} + {{- include "capsule.selectorLabels" . | nindent 8 }} + spec: + restartPolicy: {{ $.Values.jobs.restartPolicy }} + {{- with $.Values.jobs.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "capsule.crds.name" . }} + containers: + - name: crds-hook + image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }} + imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + {{- with $.Values.jobs.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + command: + - sh + - -c + - | + set -o errexit ; set -o xtrace ; set -o nounset + + # piping stderr to stdout means kubectl's errors are surfaced + # in the pod's logs. + + kubectl apply --server-side=true --overwrite=true --force-conflicts=true -f /data/ 2>&1 + volumeMounts: +{{- range $path, $_ := .Files.Glob "crds/**.yaml" }} + - name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }} + mountPath: /data/{{ $path | base }} + subPath: {{ $path | base }} +{{- end }} + {{- with .Values.jobs.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: +{{ $currentScope := . }} +{{- range $path, $_ := .Files.Glob "crds/**.yaml" }} + {{- with $currentScope }} + - name: {{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }} + configMap: + name: {{ include "capsule.crds.name" $ }}-{{ $path | base | trimSuffix ".yaml" | regexFind "[^_]+$" }} + items: + - key: content + path: {{ $path | base }} +{{- end }} +{{- end }} + restartPolicy: Never + backoffLimit: 4 +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/crd-lifecycle/rbac.yaml b/charts/capsule/templates/crd-lifecycle/rbac.yaml new file mode 100644 index 00000000..a7ae80d3 --- /dev/null +++ b/charts/capsule/templates/crd-lifecycle/rbac.yaml @@ -0,0 +1,52 @@ +{{- if .Values.crds.install }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "capsule.crds.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-3" + {{- include "capsule.crds.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - jobs + verbs: + - create + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "capsule.crds.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-2" + {{- include "capsule.crds.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "capsule.crds.name" . }} +subjects: + - kind: ServiceAccount + name: {{ include "capsule.crds.name" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/crd-lifecycle/serviceaccount.yaml b/charts/capsule/templates/crd-lifecycle/serviceaccount.yaml new file mode 100644 index 00000000..64b4d6a6 --- /dev/null +++ b/charts/capsule/templates/crd-lifecycle/serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if .Values.crds.install }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "capsule.crds.name" . }} + namespace: {{ .Release.Namespace }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-4" + {{- include "capsule.crds.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/daemonset.yaml b/charts/capsule/templates/daemonset.yaml index 9266070e..2b515744 100644 --- a/charts/capsule/templates/daemonset.yaml +++ b/charts/capsule/templates/daemonset.yaml @@ -1,4 +1,5 @@ -{{- if eq .Values.manager.kind "DaemonSet" }} +{{- if not $.Values.crds.exclusive }} + {{- if eq .Values.manager.kind "DaemonSet" }} apiVersion: apps/v1 kind: DaemonSet metadata: @@ -90,4 +91,5 @@ spec: {{- toYaml .Values.manager.resources | nindent 12 }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- end }} diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml index d20cb20d..2e2e3eb8 100644 --- a/charts/capsule/templates/deployment.yaml +++ b/charts/capsule/templates/deployment.yaml @@ -1,4 +1,5 @@ -{{- if eq .Values.manager.kind "Deployment" }} +{{- if not $.Values.crds.exclusive }} + {{- if eq .Values.manager.kind "Deployment" }} apiVersion: apps/v1 kind: Deployment metadata: @@ -91,4 +92,5 @@ spec: {{- toYaml .Values.manager.resources | nindent 12 }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} {{- end }} diff --git a/charts/capsule/templates/metrics-service.yaml b/charts/capsule/templates/metrics-service.yaml index 56db020a..bd205050 100644 --- a/charts/capsule/templates/metrics-service.yaml +++ b/charts/capsule/templates/metrics-service.yaml @@ -1,3 +1,4 @@ +{{- if not $.Values.crds.exclusive }} apiVersion: v1 kind: Service metadata: @@ -18,3 +19,4 @@ spec: {{- include "capsule.selectorLabels" . | nindent 4 }} sessionAffinity: None type: ClusterIP +{{- end }} diff --git a/charts/capsule/templates/mutatingwebhookconfiguration.yaml b/charts/capsule/templates/mutatingwebhookconfiguration.yaml index 0d396ee8..7364097e 100644 --- a/charts/capsule/templates/mutatingwebhookconfiguration.yaml +++ b/charts/capsule/templates/mutatingwebhookconfiguration.yaml @@ -1,3 +1,4 @@ +{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: @@ -12,19 +13,13 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} webhooks: -{{- with .Values.webhooks.defaults.pods }} +{{- with .Values.webhooks.hooks.defaults.pods }} - admissionReviewVersions: - v1 clientConfig: - {{- if not $.Values.certManager.generateCertificates }} - caBundle: Cg== - {{- end }} - service: - name: {{ include "capsule.fullname" $ }}-webhook-service - namespace: {{ $.Release.Namespace }} - path: /defaults + {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }} failurePolicy: {{ .failurePolicy }} - name: pod.defaults.capsule.clastix.io + name: pod.defaults.projectcapsule.dev rules: - apiGroups: - "" @@ -37,20 +32,15 @@ webhooks: namespaceSelector: {{- toYaml .namespaceSelector | nindent 4}} sideEffects: None + timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }} {{- end }} -{{- with .Values.webhooks.defaults.pvc }} +{{- with .Values.webhooks.hooks.defaults.pvc }} - admissionReviewVersions: - v1 clientConfig: - {{- if not $.Values.certManager.generateCertificates }} - caBundle: Cg== - {{- end }} - service: - name: {{ include "capsule.fullname" $ }}-webhook-service - namespace: {{ $.Release.Namespace }} - path: /defaults + {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }} failurePolicy: {{ .failurePolicy }} - name: storage.defaults.capsule.clastix.io + name: storage.defaults.projectcapsule.dev rules: - apiGroups: - "" @@ -63,20 +53,15 @@ webhooks: namespaceSelector: {{- toYaml .namespaceSelector | nindent 4}} sideEffects: None + timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }} {{- end }} -{{- with .Values.webhooks.defaults.ingress }} +{{- with .Values.webhooks.hooks.defaults.ingress }} - admissionReviewVersions: - v1 clientConfig: - {{- if not $.Values.certManager.generateCertificates }} - caBundle: Cg== - {{- end }} - service: - name: {{ include "capsule.fullname" $ }}-webhook-service - namespace: {{ $.Release.Namespace }} - path: /defaults + {{- include "capsule.webhooks.service" (dict "path" "/defaults" "ctx" $) | nindent 4 }} failurePolicy: {{ .failurePolicy }} - name: ingress.defaults.capsule.clastix.io + name: ingress.defaults.projectcapsule.dev rules: - apiGroups: - networking.k8s.io @@ -91,22 +76,17 @@ webhooks: namespaceSelector: {{- toYaml .namespaceSelector | nindent 4}} sideEffects: None -{{- end }} + timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.namespaceOwnerReference }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /namespace-owner-reference - port: 443 - failurePolicy: {{ .Values.webhooks.namespaceOwnerReference.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/namespace-owner-reference" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Equivalent - name: owner.namespace.capsule.clastix.io + name: owner.namespace.projectcapsule.dev namespaceSelector: {} objectSelector: {} reinvocationPolicy: Never @@ -122,4 +102,6 @@ webhooks: - namespaces scope: '*' sideEffects: NoneOnDryRun - timeoutSeconds: {{ .Values.mutatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.mutatingWebhooksTimeoutSeconds }} +{{- end }} +{{- end }} diff --git a/charts/capsule/templates/podsecuritypolicy.yaml b/charts/capsule/templates/podsecuritypolicy.yaml deleted file mode 100644 index 114d9302..00000000 --- a/charts/capsule/templates/podsecuritypolicy.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if .Values.podSecurityPolicy.enabled }} -kind: PodSecurityPolicy -apiVersion: policy/v1beta1 -metadata: - name: {{ include "capsule.fullname" . }} - labels: - {{- include "capsule.labels" . | nindent 4 }} - {{- with .Values.customAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - fsGroup: - rule: RunAsAny - hostPorts: - - max: 0 - min: 0 - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - secret ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "capsule.fullname" . }}-use-psp - labels: - {{- include "capsule.labels" . | nindent 4 }} -rules: -- apiGroups: - - extensions - resources: - - podsecuritypolicies - resourceNames: - - {{ include "capsule.fullname" . }} - verbs: - - use ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "capsule.fullname" . }}-use-psp - labels: - {{- include "capsule.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "capsule.fullname" . }}-use-psp -subjects: -- apiGroup: "" - kind: ServiceAccount - name: {{ include "capsule.serviceAccountName" . }} -{{- end }} diff --git a/charts/capsule/templates/post-install-job.yaml b/charts/capsule/templates/post-install-job.yaml deleted file mode 100644 index 58bb8786..00000000 --- a/charts/capsule/templates/post-install-job.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if .Values.tls.create }} -{{- $cmd := printf "while [ -z $$(kubectl -n $NAMESPACE get secret %s -o jsonpath='{.data.tls\\\\.crt}') ];" (include "capsule.secretTlsName" .) -}} -{{- $cmd = printf "%s do echo 'waiting Capsule to be up and running...' && sleep 5;" $cmd -}} -{{- $cmd = printf "%s done" $cmd -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Release.Name }}-waiting-certs" - labels: - {{- include "capsule.labels" . | nindent 4 }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-install - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded - {{- with .Values.customAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - template: - metadata: - name: "{{ .Release.Name }}" - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - restartPolicy: Never - containers: - - name: post-install-job - image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }} - imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} - command: ["sh", "-c", "{{ $cmd }}"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - serviceAccountName: {{ include "capsule.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/capsule/templates/post-install/_helpers.tpl b/charts/capsule/templates/post-install/_helpers.tpl new file mode 100644 index 00000000..924dd950 --- /dev/null +++ b/charts/capsule/templates/post-install/_helpers.tpl @@ -0,0 +1,15 @@ +{{- define "capsule.post-install.name" -}} +{{- printf "%s-post-install" (include "capsule.name" $) -}} +{{- end }} + +{{- define "capsule.post-install.annotations" -}} +"helm.sh/hook": post-install + {{- with $.Values.jobs.annotations }} + {{- . | toYaml | nindent 0 }} + {{- end }} +{{- end }} + +{{- define "capsule.post-install.component" -}} +post-install-hook +{{- end }} + diff --git a/charts/capsule/templates/post-install/job.yaml b/charts/capsule/templates/post-install/job.yaml new file mode 100644 index 00000000..64c61518 --- /dev/null +++ b/charts/capsule/templates/post-install/job.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tls.create }} + {{- if not $.Values.crds.exclusive }} +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ include "capsule.post-install.name" . }}" + labels: + app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} + annotations: + "helm.sh/hook-weight": "-1" + {{- include "capsule.post-install.annotations" . | nindent 4 }} + {{- with .Values.customAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }} + {{- include "capsule.selectorLabels" . | nindent 8 }} + spec: + restartPolicy: {{ $.Values.jobs.restartPolicy }} + {{- with $.Values.jobs.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "capsule.post-install.name" . }} + containers: + - name: post-install + image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }} + imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + command: + - "sh" + - "-c" + - | + set -o errexit ; set -o nounset + while [ -z $(kubectl -n $NAMESPACE get secret {{ include "capsule.secretTlsName" $ }} -o jsonpath='{.data.tls\.crt}') ]; do + echo 'waiting Capsule to be up and running...' && sleep 5; + done + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with $.Values.jobs.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.jobs.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/post-install/rbac.yaml b/charts/capsule/templates/post-install/rbac.yaml new file mode 100644 index 00000000..613b0789 --- /dev/null +++ b/charts/capsule/templates/post-install/rbac.yaml @@ -0,0 +1,44 @@ +{{- if .Values.tls.create }} + {{- if not $.Values.crds.exclusive }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "capsule.post-install.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-3" + {{- include "capsule.post-install.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "capsule.post-install.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-2" + {{- include "capsule.post-install.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "capsule.post-install.name" . }} +subjects: + - kind: ServiceAccount + name: {{ include "capsule.post-install.name" . }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/post-install/serviceaccount.yaml b/charts/capsule/templates/post-install/serviceaccount.yaml new file mode 100644 index 00000000..420162e9 --- /dev/null +++ b/charts/capsule/templates/post-install/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.tls.create }} + {{- if not $.Values.crds.exclusive }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "capsule.post-install.name" . }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook-weight": "-4" + {{- include "capsule.post-install.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.post-install.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/pre-delete-job.yaml b/charts/capsule/templates/pre-delete-job.yaml deleted file mode 100644 index fe3a9075..00000000 --- a/charts/capsule/templates/pre-delete-job.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- $cmd := ""}} -{{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }} -{{- $cmd = printf "%s kubectl delete secret -n $NAMESPACE %s --ignore-not-found &&" $cmd (include "capsule.secretTlsName" .) -}} -{{- end }} -{{- $cmd = printf "%s kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found &&" $cmd -}} -{{- $cmd = printf "%s kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found" $cmd -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Release.Name }}-rbac-cleaner" - labels: - {{- include "capsule.labels" . | nindent 4 }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded - {{- with .Values.customAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - template: - metadata: - name: "{{ .Release.Name }}" - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - restartPolicy: Never - containers: - - name: pre-delete-job - image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }} - imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} - command: [ "sh", "-c", "{{ $cmd }}"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - serviceAccountName: {{ include "capsule.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/capsule/templates/pre-delete/_helpers.tpl b/charts/capsule/templates/pre-delete/_helpers.tpl new file mode 100644 index 00000000..2ae818ea --- /dev/null +++ b/charts/capsule/templates/pre-delete/_helpers.tpl @@ -0,0 +1,15 @@ +{{- define "capsule.pre-delete.name" -}} +{{- printf "%s-pre-delete" (include "capsule.name" $) -}} +{{- end }} + +{{- define "capsule.pre-delete.annotations" -}} +"helm.sh/hook": pre-delete + {{- with $.Values.jobs.annotations }} + {{- . | toYaml | nindent 0 }} + {{- end }} +{{- end }} + +{{- define "capsule.pre-delete.component" -}} +pre-delete-hook +{{- end }} + diff --git a/charts/capsule/templates/pre-delete/job.yaml b/charts/capsule/templates/pre-delete/job.yaml new file mode 100644 index 00000000..a5d87efa --- /dev/null +++ b/charts/capsule/templates/pre-delete/job.yaml @@ -0,0 +1,82 @@ +{{- if not $.Values.crds.exclusive }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ include "capsule.pre-delete.name" $ }}" + labels: + app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} + annotations: + "helm.sh/hook-weight": "-1" + {{- include "capsule.pre-delete.annotations" . | nindent 4 }} + {{- with .Values.customAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }} + ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }} + {{- include "capsule.selectorLabels" . | nindent 8 }} + spec: + restartPolicy: {{ $.Values.jobs.restartPolicy }} + {{- with $.Values.jobs.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.jobs.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "capsule.pre-delete.name" . }} + containers: + - name: pre-delete-job + image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }} + imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + command: + - "/bin/sh" + - "-c" + - | + set -o errexit ; set -o xtrace ; set -o nounset + {{- if or (.Values.tls.create) (.Values.certManager.generateCertificates) }} + kubectl delete secret -n $NAMESPACE {{ include "capsule.secretTlsName" $ }} --ignore-not-found + {{- end }} + kubectl delete clusterroles.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found + kubectl delete clusterrolebindings.rbac.authorization.k8s.io capsule-namespace-deleter capsule-namespace-provisioner --ignore-not-found + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with $.Values.jobs.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.jobs.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/pre-delete/rbac.yaml b/charts/capsule/templates/pre-delete/rbac.yaml new file mode 100644 index 00000000..3a6f3a33 --- /dev/null +++ b/charts/capsule/templates/pre-delete/rbac.yaml @@ -0,0 +1,90 @@ +{{- if not $.Values.crds.exclusive }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "capsule.pre-delete.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-3" + {{- include "capsule.pre-delete.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +rules: +- apiGroups: + - rbac.authorization.k8s.io + resourceNames: + - capsule-namespace-deleter + - capsule-namespace-provisioner + resources: + - clusterroles + - clusterrolebindings + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "capsule.pre-delete.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-3" + {{- include "capsule.pre-delete.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - delete + resourceNames: + - {{ include "capsule.secretTlsName" $ }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "capsule.pre-delete.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-2" + {{- include "capsule.pre-delete.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "capsule.pre-delete.name" . }} +subjects: + - kind: ServiceAccount + name: {{ include "capsule.pre-delete.name" . }} + namespace: {{ .Release.Namespace | quote }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "capsule.pre-delete.name" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # create hook dependencies in the right order + "helm.sh/hook-weight": "-2" + {{- include "capsule.pre-delete.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "capsule.pre-delete.name" . }} +subjects: + - kind: ServiceAccount + name: {{ include "capsule.pre-delete.name" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/pre-delete/serviceaccount.yaml b/charts/capsule/templates/pre-delete/serviceaccount.yaml new file mode 100644 index 00000000..19850986 --- /dev/null +++ b/charts/capsule/templates/pre-delete/serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if not $.Values.crds.exclusive }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "capsule.pre-delete.name" . }} + namespace: {{ $.Release.Namespace }} + annotations: + "helm.sh/hook-weight": "-4" + {{- include "capsule.pre-delete.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/component: {{ include "capsule.pre-delete.component" . | quote }} + {{- include "capsule.labels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/rbac.yaml b/charts/capsule/templates/rbac.yaml index ed3a85ea..eec7c212 100644 --- a/charts/capsule/templates/rbac.yaml +++ b/charts/capsule/templates/rbac.yaml @@ -1,4 +1,5 @@ -{{- if $.Values.manager.rbac.create }} +{{- if not $.Values.crds.exclusive }} + {{- if $.Values.manager.rbac.create }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -18,8 +19,8 @@ subjects: - kind: ServiceAccount name: {{ include "capsule.serviceAccountName" . }} namespace: {{ .Release.Namespace }} -{{- end }} -{{- range $_, $cr := $.Values.manager.rbac.existingClusterRoles }} + {{- end }} + {{- range $_, $cr := $.Values.manager.rbac.existingClusterRoles }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -60,4 +61,5 @@ subjects: - kind: ServiceAccount name: {{ include "capsule.serviceAccountName" $ }} namespace: {{ $.Release.Namespace }} + {{- end }} {{- end }} diff --git a/charts/capsule/templates/serviceaccount.yaml b/charts/capsule/templates/serviceaccount.yaml index cba29a83..fa1b0133 100644 --- a/charts/capsule/templates/serviceaccount.yaml +++ b/charts/capsule/templates/serviceaccount.yaml @@ -1,12 +1,14 @@ -{{- if .Values.serviceAccount.create -}} +{{- if not $.Values.crds.exclusive }} + {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "capsule.serviceAccountName" . }} labels: {{- include "capsule.labels" . | nindent 4 }} - {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations) }} + {{- if or (.Values.serviceAccount.annotations) (.Values.customAnnotations) }} annotations: - {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }} + {{- include "capsule.serviceAccountAnnotations" . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/capsule/templates/servicemonitor.yaml b/charts/capsule/templates/servicemonitor.yaml index 2bf6f03c..41852edf 100644 --- a/charts/capsule/templates/servicemonitor.yaml +++ b/charts/capsule/templates/servicemonitor.yaml @@ -1,4 +1,5 @@ -{{- if .Values.serviceMonitor.enabled }} +{{- if not $.Values.crds.exclusive }} + {{- if .Values.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -43,5 +44,6 @@ spec: namespaceSelector: matchNames: - {{ .Release.Namespace }} + {{- end }} {{- end }} diff --git a/charts/capsule/templates/validatingwebhookconfiguration.yaml b/charts/capsule/templates/validatingwebhookconfiguration.yaml index aa4101a9..d0f35b89 100644 --- a/charts/capsule/templates/validatingwebhookconfiguration.yaml +++ b/charts/capsule/templates/validatingwebhookconfiguration.yaml @@ -1,3 +1,4 @@ +{{- if or (not $.Values.crds.exclusive) ($.Values.webhooks.exclusive) }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -12,23 +13,17 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} webhooks: +{{- with .Values.webhooks.hooks.cordoning }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /cordoning - port: 443 - failurePolicy: {{ .Values.webhooks.cordoning.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/cordoning" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Equivalent - name: cordoning.tenant.capsule.clastix.io + name: cordoning.tenant.projectcapsule.dev namespaceSelector: - {{- toYaml .Values.webhooks.cordoning.namespaceSelector | nindent 4}} + {{- toYaml .namespaceSelector | nindent 4}} objectSelector: {} rules: - apiGroups: @@ -43,24 +38,19 @@ webhooks: - '*' scope: Namespaced sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.ingresses }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /ingresses - port: 443 - failurePolicy: {{ .Values.webhooks.ingresses.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/ingresses" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Equivalent - name: ingress.capsule.clastix.io + name: ingress.projectcapsule.dev namespaceSelector: - {{- toYaml .Values.webhooks.ingresses.namespaceSelector | nindent 4}} + {{- toYaml .namespaceSelector | nindent 4}} objectSelector: {} rules: - apiGroups: @@ -76,22 +66,17 @@ webhooks: - ingresses scope: Namespaced sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{ with .Values.webhooks.hooks.namespaces }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /namespaces - port: 443 - failurePolicy: {{ .Values.webhooks.namespaces.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/namespaces" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Equivalent - name: namespaces.capsule.clastix.io + name: namespaces.projectcapsule.dev namespaceSelector: {} objectSelector: {} rules: @@ -107,24 +92,19 @@ webhooks: - namespaces scope: '*' sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.networkpolicies }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /networkpolicies - port: 443 - failurePolicy: {{ .Values.webhooks.networkpolicies.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/networkpolicies" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Equivalent - name: networkpolicies.capsule.clastix.io + name: networkpolicies.projectcapsule.dev namespaceSelector: - {{- toYaml .Values.webhooks.networkpolicies.namespaceSelector | nindent 4}} + {{- toYaml .namespaceSelector | nindent 4}} objectSelector: {} rules: - apiGroups: @@ -138,21 +118,16 @@ webhooks: - networkpolicies scope: Namespaced sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.nodes }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /nodes - port: 443 - failurePolicy: {{ .Values.webhooks.nodes.failurePolicy }} - name: nodes.capsule.clastix.io + {{- include "capsule.webhooks.service" (dict "path" "/nodes" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} + name: nodes.projectcapsule.dev matchPolicy: Exact namespaceSelector: {} objectSelector: {} @@ -166,24 +141,19 @@ webhooks: resources: - nodes sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.pods }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /pods - port: 443 - failurePolicy: {{ .Values.webhooks.pods.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/pods" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Exact - name: pods.capsule.clastix.io + name: pods.projectcapsule.dev namespaceSelector: - {{- toYaml .Values.webhooks.pods.namespaceSelector | nindent 4}} + {{- toYaml .namespaceSelector | nindent 4}} objectSelector: {} rules: - apiGroups: @@ -197,22 +167,18 @@ webhooks: - pods scope: Namespaced sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.persistentvolumeclaims }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /persistentvolumeclaims - failurePolicy: {{ .Values.webhooks.persistentvolumeclaims.failurePolicy }} - name: pvc.capsule.clastix.io + {{- include "capsule.webhooks.service" (dict "path" "/persistentvolumeclaims" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} + name: pvc.projectcapsule.dev namespaceSelector: - {{- toYaml .Values.webhooks.persistentvolumeclaims.namespaceSelector | nindent 4}} + {{- toYaml .namespaceSelector | nindent 4}} objectSelector: {} rules: - apiGroups: @@ -225,24 +191,19 @@ webhooks: - persistentvolumeclaims scope: Namespaced sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.services }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /services - port: 443 - failurePolicy: {{ .Values.webhooks.services.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/services" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Exact - name: services.capsule.clastix.io + name: services.projectcapsule.dev namespaceSelector: - {{- toYaml .Values.webhooks.services.namespaceSelector | nindent 4}} + {{- toYaml .namespaceSelector | nindent 4}} objectSelector: {} rules: - apiGroups: @@ -256,19 +217,15 @@ webhooks: - services scope: Namespaced sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.tenantResourceObjects }} - admissionReviewVersions: - v1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: capsule-webhook-service - namespace: {{ .Release.Namespace }} - path: /tenantresource-objects - failurePolicy: {{ .Values.webhooks.tenantResourceObjects.failurePolicy }} - name: resource-objects.tenant.capsule.clastix.io + {{- include "capsule.webhooks.service" (dict "path" "/tenantresource-objects" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} + name: resource-objects.tenant.projectcapsule.dev namespaceSelector: matchExpressions: - key: capsule.clastix.io/tenant @@ -289,21 +246,17 @@ webhooks: - '*' scope: Namespaced sideEffects: None + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- with .Values.webhooks.hooks.tenants }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: -{{- if not .Values.certManager.generateCertificates }} - caBundle: Cg== -{{- end }} - service: - name: {{ include "capsule.fullname" . }}-webhook-service - namespace: {{ .Release.Namespace }} - path: /tenants - port: 443 - failurePolicy: {{ .Values.webhooks.tenants.failurePolicy }} + {{- include "capsule.webhooks.service" (dict "path" "/tenants" "ctx" $) | nindent 4 }} + failurePolicy: {{ .failurePolicy }} matchPolicy: Exact - name: tenants.capsule.clastix.io + name: tenants.projectcapsule.dev namespaceSelector: {} objectSelector: {} rules: @@ -319,4 +272,6 @@ webhooks: - tenants scope: '*' sideEffects: None - timeoutSeconds: {{ .Values.validatingWebhooksTimeoutSeconds }} + timeoutSeconds: {{ $.Values.webhooks.validatingWebhooksTimeoutSeconds }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/capsule/templates/webhook-service.yaml b/charts/capsule/templates/webhook-service.yaml index c170e1cf..48e47040 100644 --- a/charts/capsule/templates/webhook-service.yaml +++ b/charts/capsule/templates/webhook-service.yaml @@ -1,3 +1,4 @@ +{{- if not $.Values.crds.exclusive }} apiVersion: v1 kind: Service metadata: @@ -18,3 +19,4 @@ spec: {{- include "capsule.selectorLabels" . | nindent 4 }} sessionAffinity: None type: ClusterIP +{{- end }} diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml index e7578147..2d80489e 100644 --- a/charts/capsule/values.yaml +++ b/charts/capsule/values.yaml @@ -2,6 +2,17 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# Manage CRD Lifecycle +crds: + # -- Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) + install: true + # -- Only install the CRDs, no other primitives + exclusive: false + # -- Extra Labels for CRDs + labels: {} + # -- Extra Annotations for CRDs + annnotations: {} + # Secret Options tls: # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. @@ -64,7 +75,7 @@ manager: # -- Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash forceTenantPrefix: false # -- Override the Capsule user groups - capsuleUserGroups: ["capsule.clastix.io"] + capsuleUserGroups: ["projectcapsule.dev"] # -- If specified, disallows creation of namespaces matching the passed regexp protectedNamespaceRegex: "" # -- Specifies whether capsule webhooks certificates should be generated by capsule operator @@ -142,10 +153,6 @@ affinity: {} # -- Set topology spread constraints for the Capsule pod topologySpreadConstraints: [] -podSecurityPolicy: - # -- Specify if a Pod Security Policy must be created - enabled: false - jobs: image: # -- Set the image repository of the helm chart job @@ -156,6 +163,40 @@ jobs: pullPolicy: IfNotPresent # -- Set the image tag of the helm chart job tag: "" + # -- Annotations to add to the certgen job. + annotations: + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + # -- Set the restartPolicy + restartPolicy: Never + # -- Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. + ttlSecondsAfterFinished: 60 + # -- Security context for the job pods. + podSecurityContext: + seccompProfile: + type: "RuntimeDefault" + # -- Security context for the job containers. + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1002 + runAsNonRoot: true + runAsUser: 1002 + # -- Job resources + resources: {} + # -- Set the node selector + nodeSelector: {} + # -- Set list of tolerations + tolerations: [] + # -- Set affinity rules + affinity: {} + # -- Set Topology Spread Constraints + topologySpreadConstraints: [] + # -- Set a pod priorityClassName + priorityClassName: "" + # ServiceAccount serviceAccount: @@ -164,7 +205,7 @@ serviceAccount: # -- Annotations to add to the service account. annotations: {} # -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template - name: "capsule" + name: "" certManager: # -- Specifies whether capsule webhooks certificates should be generated using cert-manager @@ -178,60 +219,45 @@ customAnnotations: {} # Webhooks configurations webhooks: - namespaceOwnerReference: - failurePolicy: Fail - cordoning: - failurePolicy: Fail - namespaceSelector: - matchExpressions: - - key: capsule.clastix.io/tenant - operator: Exists - ingresses: - failurePolicy: Fail - namespaceSelector: - matchExpressions: - - key: capsule.clastix.io/tenant - operator: Exists - namespaces: - failurePolicy: Fail - networkpolicies: - failurePolicy: Fail - namespaceSelector: - matchExpressions: - - key: capsule.clastix.io/tenant - operator: Exists - pods: - failurePolicy: Fail - namespaceSelector: - matchExpressions: - - key: capsule.clastix.io/tenant - operator: Exists - persistentvolumeclaims: - failurePolicy: Fail - namespaceSelector: - matchExpressions: - - key: capsule.clastix.io/tenant - operator: Exists - tenants: - failurePolicy: Fail - tenantResourceObjects: - failurePolicy: Fail - services: - failurePolicy: Fail - namespaceSelector: - matchExpressions: - - key: capsule.clastix.io/tenant - operator: Exists - nodes: - failurePolicy: Fail - defaults: - ingress: + # -- When `crds.exclusive` is `true` the webhooks will be installed + exclusive: false + # -- Timeout in seconds for mutating webhooks + mutatingWebhooksTimeoutSeconds: 30 + # -- Timeout in seconds for validating webhooks + validatingWebhooksTimeoutSeconds: 30 + + # Configure custom webhook service + service: + # -- The URL where the capsule webhook services are running (Overwrites cluster scoped service definition) + url: "" + # -- CABundle for the webhook service + caBundle: "" + # -- Custom service name for the webhook service + name: "" + # -- Custom service namespace for the webhook service + namespace: "" + # -- Custom service port for the webhook service + port: + + # Hook Configuration + hooks: + namespaceOwnerReference: + failurePolicy: Fail + cordoning: failurePolicy: Fail namespaceSelector: matchExpressions: - key: capsule.clastix.io/tenant operator: Exists - pvc: + ingresses: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + namespaces: + failurePolicy: Fail + networkpolicies: failurePolicy: Fail namespaceSelector: matchExpressions: @@ -243,12 +269,43 @@ webhooks: matchExpressions: - key: capsule.clastix.io/tenant operator: Exists - - -# -- Timeout in seconds for mutating webhooks -mutatingWebhooksTimeoutSeconds: 30 -# -- Timeout in seconds for validating webhooks -validatingWebhooksTimeoutSeconds: 30 + persistentvolumeclaims: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + tenants: + failurePolicy: Fail + tenantResourceObjects: + failurePolicy: Fail + services: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + nodes: + failurePolicy: Fail + defaults: + ingress: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + pvc: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + pods: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists # ServiceMonitor serviceMonitor: diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 02d011d2..f5944c8b 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -12,7 +12,7 @@ webhooks: namespace: system path: /defaults failurePolicy: Fail - name: ingress.defaults.capsule.clastix.io + name: ingress.defaults.projectcapsule.dev rules: - apiGroups: - networking.k8s.io @@ -33,7 +33,7 @@ webhooks: namespace: system path: /namespace-owner-reference failurePolicy: Fail - name: owner.namespace.capsule.clastix.io + name: owner.namespace.projectcapsule.dev rules: - apiGroups: - "" @@ -53,7 +53,7 @@ webhooks: namespace: system path: /defaults failurePolicy: Fail - name: pod.defaults.capsule.clastix.io + name: pod.defaults.projectcapsule.dev rules: - apiGroups: - "" @@ -72,7 +72,7 @@ webhooks: namespace: system path: /defaults failurePolicy: Fail - name: storage.defaults.capsule.clastix.io + name: storage.defaults.projectcapsule.dev rules: - apiGroups: - "" @@ -97,7 +97,7 @@ webhooks: namespace: system path: /cordoning failurePolicy: Fail - name: cordoning.tenant.capsule.clastix.io + name: cordoning.tenant.projectcapsule.dev rules: - apiGroups: - '*' @@ -118,7 +118,7 @@ webhooks: namespace: system path: /ingresses failurePolicy: Fail - name: ingress.capsule.clastix.io + name: ingress.projectcapsule.dev rules: - apiGroups: - networking.k8s.io @@ -140,7 +140,7 @@ webhooks: namespace: system path: /namespaces failurePolicy: Fail - name: namespaces.capsule.clastix.io + name: namespaces.projectcapsule.dev rules: - apiGroups: - "" @@ -161,7 +161,7 @@ webhooks: namespace: system path: /networkpolicies failurePolicy: Fail - name: networkpolicies.capsule.clastix.io + name: networkpolicies.projectcapsule.dev rules: - apiGroups: - networking.k8s.io @@ -181,7 +181,7 @@ webhooks: namespace: system path: /nodes failurePolicy: Fail - name: nodes.capsule.clastix.io + name: nodes.projectcapsule.dev rules: - apiGroups: - "" @@ -200,7 +200,7 @@ webhooks: namespace: system path: /pods failurePolicy: Fail - name: pods.capsule.clastix.io + name: pods.projectcapsule.dev rules: - apiGroups: - "" @@ -220,7 +220,7 @@ webhooks: namespace: system path: /persistentvolumeclaims failurePolicy: Fail - name: pvc.capsule.clastix.io + name: pvc.projectcapsule.dev rules: - apiGroups: - "" @@ -239,7 +239,7 @@ webhooks: namespace: system path: /tenantresource-objects failurePolicy: Fail - name: resource-objects.tenant.capsule.clastix.io + name: resource-objects.tenant.projectcapsule.dev rules: - apiGroups: - '*' @@ -259,7 +259,7 @@ webhooks: namespace: system path: /services failurePolicy: Fail - name: services.capsule.clastix.io + name: services.projectcapsule.dev rules: - apiGroups: - "" @@ -279,7 +279,7 @@ webhooks: namespace: system path: /tenants failurePolicy: Fail - name: tenants.capsule.clastix.io + name: tenants.projectcapsule.dev rules: - apiGroups: - capsule.clastix.io From ecb4035b4e5219bee55978e74bc871f9ec0504e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Sun, 2 Jun 2024 11:13:37 +0200 Subject: [PATCH 4/4] chore: change default group name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler --- e2e/custom_capsule_group_test.go | 2 +- e2e/suite_test.go | 2 +- hack/create-user-openshift.sh | 2 +- hack/create-user.sh | 2 +- pkg/configuration/client.go | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/e2e/custom_capsule_group_test.go b/e2e/custom_capsule_group_test.go index 03c93b0a..6f89544f 100644 --- a/e2e/custom_capsule_group_test.go +++ b/e2e/custom_capsule_group_test.go @@ -62,7 +62,7 @@ var _ = Describe("creating a Namespace as Tenant owner with custom --capsule-gro It("should succeed and be available in Tenant namespaces list with default single group", func() { ModifyCapsuleConfigurationOpts(func(configuration *capsulev1beta2.CapsuleConfiguration) { - configuration.Spec.UserGroups = []string{"capsule.clastix.io"} + configuration.Spec.UserGroups = []string{"projectcapsule.dev"} }) ns := NewNamespace("") diff --git a/e2e/suite_test.go b/e2e/suite_test.go index 5e016ecc..267ae0ce 100644 --- a/e2e/suite_test.go +++ b/e2e/suite_test.go @@ -68,7 +68,7 @@ var _ = AfterSuite(func() { func ownerClient(owner capsulev1beta2.OwnerSpec) (cs kubernetes.Interface) { c, err := config.GetConfig() Expect(err).ToNot(HaveOccurred()) - c.Impersonate.Groups = []string{capsulev1beta2.GroupVersion.Group, owner.Name} + c.Impersonate.Groups = []string{"projectcapsule.dev", owner.Name} c.Impersonate.UserName = owner.Name cs, err = kubernetes.NewForConfig(c) Expect(err).ToNot(HaveOccurred()) diff --git a/hack/create-user-openshift.sh b/hack/create-user-openshift.sh index 0fc7f5a1..80d31c3e 100755 --- a/hack/create-user-openshift.sh +++ b/hack/create-user-openshift.sh @@ -43,7 +43,7 @@ if [[ -z ${TENANT} ]]; then fi if [[ -z ${GROUP} ]]; then - GROUP=capsule.clastix.io + GROUP=projectcapsule.dev fi TMPDIR=$(mktemp -d) diff --git a/hack/create-user.sh b/hack/create-user.sh index 6ef609be..1a3b5073 100755 --- a/hack/create-user.sh +++ b/hack/create-user.sh @@ -38,7 +38,7 @@ if [[ -z ${TENANT} ]]; then fi if [[ -z ${GROUP} ]]; then - GROUP=capsule.clastix.io + GROUP=projectcapsule.dev fi diff --git a/pkg/configuration/client.go b/pkg/configuration/client.go index f2e032cc..b829c971 100644 --- a/pkg/configuration/client.go +++ b/pkg/configuration/client.go @@ -30,7 +30,7 @@ func NewCapsuleConfiguration(ctx context.Context, client client.Client, name str if apierrors.IsNotFound(err) { return &capsulev1beta2.CapsuleConfiguration{ Spec: capsulev1beta2.CapsuleConfigurationSpec{ - UserGroups: []string{"capsule.clastix.io"}, + UserGroups: []string{"projectcapsule.dev"}, ForceTenantPrefix: false, ProtectedNamespaceRegexpString: "", },