First implementation for label selector for Ingress, Storage and Priority classes #673

Merged
merged 17 commits into from
Dec 27, 2022
21d3bd3
refactor: abstracting types used by several api versions
prometherion Sep 27, 2022
817d34e
chore(helm)!: release of v0.2.0
prometherion Oct 13, 2022
1a110fd
feat(api): promoting v1beta2 as storage version
prometherion Dec 22, 2022
2165b5c
chore(kustomize): promoting v1beta2 as storage version
prometherion Dec 22, 2022
c1d3ce7
chore(helm): promoting v1beta2 as storage version
prometherion Dec 22, 2022
64a80e7
refactor(api): switching to v1beta2 as storage version
prometherion Dec 23, 2022
3fa1fac
refactor(e2e): switching to v1beta2 as storage version
prometherion Dec 23, 2022
cb09f73
chore(kustomize): switching to v1beta2 as storage version
prometherion Dec 23, 2022
9a68432
chore(helm): switching to v1beta2 as storage version
prometherion Dec 23, 2022
b27e1af
docs(api): aligning to latest changes for capsule configuration
prometherion Dec 23, 2022
afbef60
feat(api): label selector for storage, ingress, podpriority classes
prometherion Dec 23, 2022
e6ed491
refactor(e2e): label selector for storage, ingress, podpriority classes
prometherion Dec 23, 2022
f9c6746
chore(kustomize): label selector for storage, ingress, podpriority cl…
prometherion Dec 23, 2022
559ab07
chore(helm): label selector for storage, ingress, podpriority classes
prometherion Dec 23, 2022
c842a27
docs(api): label selector for storage, ingress, podpriority classes
prometherion Dec 23, 2022
8216112
fix: avoiding nil pointer when empty map for labels and annotations
prometherion Dec 23, 2022
6493ecf
feat: ct install performs locally & ci loads current capsule build
oliverbaehler Dec 27, 2022
38 changes: 23 additions & 15 deletions .github/workflows/helm.yml
Expand Up @@ -42,23 +42,31 @@ jobs:
else
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
# Create KIND Cluster
- name: Create kind cluster
uses: helm/[email protected]
if: steps.list-changed.outputs.changed == 'true'
# Install Required Operators/CRDs
- name: Prepare Cluster Operators/CRDs
run: |
# Cert-Manager CRDs
kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml

# Prometheus CRDs
kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
if: steps.list-changed.outputs.changed == 'true'
# Install Charts

# ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
# With this workflow the current docker image is build and loaded into kind, otherwise the install fails
# In the future this must be removed and the chart-testing-action must be used
- name: Run chart-testing (install)
run: ct install --debug --config ./.github/configs/ct.yaml
run: make helm-test
if: steps.list-changed.outputs.changed == 'true'

## Create KIND Cluster
#- name: Create kind cluster
# uses: helm/[email protected]
# if: steps.list-changed.outputs.changed == 'true'
## Install Required Operators/CRDs
#- name: Prepare Cluster Operators/CRDs
# run: |
# # Cert-Manager CRDs
# kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
#
# # Prometheus CRDs
# kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
# if: steps.list-changed.outputs.changed == 'true'
## Install Charts
#- name: Run chart-testing (install)
# run: ct install --debug --config ./.github/configs/ct.yaml
# if: steps.list-changed.outputs.changed == 'true'
release:
if: startsWith(github.ref, 'refs/tags/helm-v')
runs-on: ubuntu-latest
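Review bot: The cert-manager and Prometheus CRD installation removed at the top of the hunk has no replacement on the new `make helm-test` path, so if the chart still renders Certificate or ServiceMonitor objects behind a values toggle, `ct install` only passes while those toggles stay off; either add a CRD step before the install or confirm the ct config keeps them disabled. The seventeen commented-out lines kept below `if: steps.list-changed.outputs.changed == 'true'` repeat the block that was just deleted, and the ATTENTION comment above `Run chart-testing (install)` already records why the step was swapped; drop the commented copy and let git history hold the old version. Since `make helm-test` builds and loads the current image, this job now installs the operator built from the PR head rather than a published image — worth one more sentence in that comment so a reader does not assume the chart is being tested against a release.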
3 changes: 0 additions & 3 deletions .gitignore
Expand Up @@ -29,6 +29,3 @@ bin
**/*.key
.DS_Store
*.tgz

capsule

19 changes: 17 additions & 2 deletions Makefile
Expand Up @@ -86,8 +86,15 @@ helm-docs: HELMDOCS_VERSION := v1.11.0
helm-docs: docker
@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs

helm-lint: docker
@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:v3.3.1 -c "cd /workdir && ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
helm-lint: ct
@ct lint --config $(SRC_ROOT)/.github/configs/ct.yaml --lint-conf $(SRC_ROOT)/.github/configs/lintconf.yaml --all --debug

helm-test: kind ct docker-build
@kind create cluster --wait=60s --name capsule-charts
@kind load docker-image --name capsule-charts ${IMG}
@kubectl create ns capsule-system
@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
@kind delete cluster --name capsule-charts

docker:
@hash docker 2>/dev/null || {\
Expand Down Expand Up @@ -172,6 +179,14 @@ GINKGO = $(shell pwd)/bin/ginkgo
ginkgo: ## Download ginkgo locally if necessary.
$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/[email protected])

CT = $(shell pwd)/bin/ct
ct: ## Download ct locally if necessary.
$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/[email protected])

KIND = $(shell pwd)/bin/kind
kind: ## Download kind locally if necessary.
$(call go-install-tool,$(KIND),sigs.k8s.io/kind/cmd/[email protected])

KUSTOMIZE = $(shell pwd)/bin/kustomize
kustomize: ## Download kustomize locally if necessary.
$(call install-kustomize,$(KUSTOMIZE),3.8.7)
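Review bot: `helm-test` never deletes the kind cluster when `ct install` fails, because make stops at the first failing recipe line, so a failed local run leaves a `capsule-charts` cluster behind and the next invocation then fails at `kind create cluster` on the existing name; change the install line to `@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug || { kind delete cluster --name capsule-charts; exit 1; }`. The `kubectl create ns capsule-system` line also runs against whatever kubeconfig context is current; `kind create cluster` normally switches it, but pinning `kubectl --context kind-capsule-charts create ns capsule-system` makes the target safe to run from a shell that had another cluster selected. The `ct` and `kind` installs in the second hunk are pinned to exact versions, which keeps CI reproducible; the `helm-lint` change in the first hunk drops the pinned chart-testing container in favour of the same local `ct`, so the two lint paths now agree on the ct version.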
1 change: 0 additions & 1 deletion api/v1alpha1/capsuleconfiguration_types.go
Expand Up @@ -20,7 +20,6 @@ type CapsuleConfigurationSpec struct {
ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
}

// +kubebuilder:storageversion
// +kubebuilder:object:root=true
// +kubebuilder:resource:scope=Cluster

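--- /dev/null
+++ b/api/v1alpha1/capsuleconfiguration_webhook.go
@@ -0,0 +1,21 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+"os"
+
+ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (in *CapsuleConfiguration) SetupWebhookWithManager(mgr ctrl.Manager) error {
+certData, _ := os.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")
+if len(certData) == 0 {
+return nil
+}
+
+return ctrl.NewWebhookManagedBy(mgr).
+For(in).
+Complete()
+}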
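Review bot: `SetupWebhookWithManager` discards the error from `os.ReadFile`, so a permission problem or a typo in the path is indistinguishable from the intended "no certificate yet" case and silently leaves the conversion webhook unregistered, which the API server then surfaces only later as failed reads of objects stored in another version; distinguish the two with `certData, err := os.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")` followed by `if err != nil && !errors.Is(err, os.ErrNotExist) { return err }` (adding `errors` to the imports) and keep the empty-content check after it. The hard-coded path presumably mirrors the default cert directory of controller-runtime's webhook server; if the controller-runtime version in use exposes that directory on the manager's webhook server, deriving the path from it keeps the two in sync when the operator is started with a different cert dir. The identical body appears in api/v1beta1/tenant_webhook.go in this PR, so the same applies there, and both would benefit from a doc comment such as `// SetupWebhookWithManager registers the conversion webhook for CapsuleConfiguration; it is skipped when no serving certificate exists yet.`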
16 changes: 9 additions & 7 deletions api/v1alpha1/conversion_hub_test.go
Expand Up @@ -61,9 +61,11 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
Allowed: []api.AllowedIP{"192.168.0.1"},
},
}
v1beta1AllowedListSpec := &api.AllowedListSpec{
Exact: []string{"foo", "bar"},
Regex: "^foo*",
v1beta2AllowedListSpec := &api.SelectorAllowedListSpec{
AllowedListSpec: api.AllowedListSpec{
Exact: []string{"foo", "bar"},
Regex: "^foo*",
},
}
networkPolicies := []networkingv1.NetworkPolicySpec{
{
Expand Down Expand Up @@ -235,13 +237,13 @@ func generateTenantsSpecs() (Tenant, capsulev1beta1.Tenant) {
},
NamespaceOptions: v1beta1NamespaceOptions,
ServiceOptions: v1beta1ServiceOptions,
StorageClasses: v1beta1AllowedListSpec,
StorageClasses: &v1beta2AllowedListSpec.AllowedListSpec,
IngressOptions: capsulev1beta1.IngressOptions{
HostnameCollisionScope: api.HostnameCollisionScopeDisabled,
AllowedClasses: v1beta1AllowedListSpec,
AllowedHostnames: v1beta1AllowedListSpec,
AllowedClasses: &v1beta2AllowedListSpec.AllowedListSpec,
AllowedHostnames: &v1beta2AllowedListSpec.AllowedListSpec,
},
ContainerRegistries: v1beta1AllowedListSpec,
ContainerRegistries: &v1beta2AllowedListSpec.AllowedListSpec,
NodeSelector: nodeSelector,
NetworkPolicies: api.NetworkPolicySpec{
Items: networkPolicies,
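Review bot: `v1beta2AllowedListSpec` is only ever used through its embedded `AllowedListSpec` (`&v1beta2AllowedListSpec.AllowedListSpec` on the four changed lines in the second hunk), so the selector side of `SelectorAllowedListSpec` is never populated and this round-trip cannot detect a hub conversion that drops it. If the hub now carries a selector for these fields, populate it in the fixture and assert on it after conversion; if v1alpha1 cannot represent it at all, a one-line comment next to the fixture saying so would explain why the wrapper is built only to be unwrapped. `generateTenantsSpecs` starts before the first hunk and continues past the second.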
8 changes: 0 additions & 8 deletions api/v1alpha1/tenant_func.go
Expand Up @@ -9,14 +9,6 @@ import (
corev1 "k8s.io/api/core/v1"
)

func (in *Tenant) IsCordoned() bool {
if v, ok := in.Labels["capsule.clastix.io/cordon"]; ok && v == "enabled" {
return true
}

return false
}

func (in *Tenant) IsFull() bool {
// we don't have limits on assigned Namespaces
if in.Spec.NamespaceQuota == nil {
16 changes: 8 additions & 8 deletions api/v1beta1/namespace_options.go
Expand Up @@ -18,23 +18,23 @@ type NamespaceOptions struct {
}

func (in *Tenant) hasForbiddenNamespaceLabelsAnnotations() bool {
if _, ok := in.Annotations[ForbiddenNamespaceLabelsAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsAnnotation]; ok {
return true
}

if _, ok := in.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation]; ok {
return true
}

return false
}

func (in *Tenant) hasForbiddenNamespaceAnnotationsAnnotations() bool {
if _, ok := in.Annotations[ForbiddenNamespaceAnnotationsAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation]; ok {
return true
}

if _, ok := in.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
if _, ok := in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation]; ok {
return true
}

Expand All @@ -47,8 +47,8 @@ func (in *Tenant) ForbiddenUserNamespaceLabels() *api.ForbiddenListSpec {
}

return &api.ForbiddenListSpec{
Exact: strings.Split(in.Annotations[ForbiddenNamespaceLabelsAnnotation], ","),
Regex: in.Annotations[ForbiddenNamespaceLabelsRegexpAnnotation],
Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceLabelsAnnotation], ","),
Regex: in.Annotations[api.ForbiddenNamespaceLabelsRegexpAnnotation],
}
}

Expand All @@ -58,7 +58,7 @@ func (in *Tenant) ForbiddenUserNamespaceAnnotations() *api.ForbiddenListSpec {
}

return &api.ForbiddenListSpec{
Exact: strings.Split(in.Annotations[ForbiddenNamespaceAnnotationsAnnotation], ","),
Regex: in.Annotations[ForbiddenNamespaceAnnotationsRegexpAnnotation],
Exact: strings.Split(in.Annotations[api.ForbiddenNamespaceAnnotationsAnnotation], ","),
Regex: in.Annotations[api.ForbiddenNamespaceAnnotationsRegexpAnnotation],
}
}
1 change: 0 additions & 1 deletion api/v1beta1/tenant_types.go
Expand Up @@ -41,7 +41,6 @@ type TenantSpec struct {

// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:resource:scope=Cluster,shortName=tnt
// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state",description="The actual state of the Tenant"
// +kubebuilder:printcolumn:name="Namespace quota",type="integer",JSONPath=".spec.namespaceOptions.quota",description="The max amount of Namespaces can be created"
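--- /dev/null
+++ b/api/v1beta1/tenant_webhook.go
@@ -0,0 +1,21 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+"os"
+
+ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (in *Tenant) SetupWebhookWithManager(mgr ctrl.Manager) error {
+certData, _ := os.ReadFile("/tmp/k8s-webhook-server/serving-certs/tls.crt")
+if len(certData) == 0 {
+return nil
+}
+
+return ctrl.NewWebhookManagedBy(mgr).
+For(in).
+Complete()
+}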
6 changes: 4 additions & 2 deletions api/v1beta2/capsuleconfiguration_types.go
Expand Up @@ -22,10 +22,11 @@ type CapsuleConfigurationSpec struct {
ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
// Allows to set different name rather than the canonical one for the Capsule configuration objects,
// such as webhook secret or configurations.
CapsuleResources CapsuleResources `json:"overrides"`
// +kubebuilder:default={TLSSecretName:"capsule-tls",mutatingWebhookConfigurationName:"capsule-mutating-webhook-configuration",validatingWebhookConfigurationName:"capsule-validating-webhook-configuration"}
CapsuleResources CapsuleResources `json:"overrides,omitempty"`
// Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
// This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
NodeMetadata *NodeMetadata `json:"nodeMetadata"`
NodeMetadata *NodeMetadata `json:"nodeMetadata,omitempty"`
// Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
// when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
// +kubebuilder:default=true
Expand Down Expand Up @@ -54,6 +55,7 @@ type CapsuleResources struct {

// +kubebuilder:object:root=true
// +kubebuilder:resource:scope=Cluster
// +kubebuilder:storageversion

// CapsuleConfiguration is the Schema for the Capsule configuration API.
type CapsuleConfiguration struct {
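Review bot: Adding `+kubebuilder:storageversion` here, together with its removal from v1alpha1 elsewhere in this PR, changes the version the API server persists, but objects already written as v1alpha1 stay in etcd until they are rewritten and the CRD's `status.storedVersions` keeps listing the old version; the upgrade notes should state that the conversion webhook must be serving before the new CRDs are applied, and that every existing object has to be re-saved (a storage-version migration) before v1alpha1 can ever be dropped from the served versions. The `+kubebuilder:default` on `CapsuleResources` spells the first key `TLSSecretName` and the other two in lower camel case; confirm each key matches the field's `json` tag exactly, because a default containing a property that is not in the structural schema is rejected when the CRD is applied rather than ignored. The `omitempty` additions on `overrides` and `nodeMetadata` are consistent with the default now filling the struct.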
2 changes: 1 addition & 1 deletion api/v1beta2/ingress_options.go
Expand Up @@ -9,7 +9,7 @@ import (

type IngressOptions struct {
// Specifies the allowed IngressClasses assigned to the Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.
AllowedClasses *api.AllowedListSpec `json:"allowedClasses,omitempty"`
AllowedClasses *api.SelectorAllowedListSpec `json:"allowedClasses,omitempty"`
// Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
//
//
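Review bot: The comment above `AllowedClasses` still describes the field as a plain list of allowed IngressClasses, but the type is now `SelectorAllowedListSpec`, and since this comment becomes the CRD field description it should mention the new way of selecting classes; assuming the selector is matched against the IngressClass object's labels, something like `// Specifies the allowed IngressClasses assigned to the Tenant, by exact name, by regex, or by a label selector matched against the IngressClass labels. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses. Optional.` The same wording update presumably applies to the storage class and pod priority class fields this PR switches to the selector type, which are not on this page.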
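--- /dev/null
+++ b/api/v1beta2/tenant_annotations.go
@@ -0,0 +1,17 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta2
+
+import (
+"fmt"
+"strings"
+)
+
+func UsedQuotaFor(resource fmt.Stringer) string {
+return "quota.capsule.clastix.io/used-" + strings.ReplaceAll(resource.String(), "/", "_")
+}
+
+func HardQuotaFor(resource fmt.Stringer) string {
+return "quota.capsule.clastix.io/hard-" + strings.ReplaceAll(resource.String(), "/", "_")
+}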
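Review bot: `UsedQuotaFor` and `HardQuotaFor` are exported without doc comments and differ only in the `used-`/`hard-` segment; add `// UsedQuotaFor returns the Tenant annotation key recording the used amount of the given quota resource; any "/" in the resource name is replaced by "_" so the key remains a valid annotation name.` with the mirror sentence on `HardQuotaFor`, and consider folding the shared body into an unexported helper that takes the prefix. Only `/` is sanitised: the name part of an annotation key is also limited to 63 characters, so an extended resource with a long domain could yield a key the API server rejects, which is inferred from the resource names rather than visible here — worth a sentence in the comment or a check at the caller, which is outside this file.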