chore: minor fixes in repository (#1310)

* chore: remove kind action and use local kind

Signed-off-by: Oliver Bähler <[email protected]>

* chore: remove go dependency group

Signed-off-by: Oliver Bähler <[email protected]>

* chore: fix documentation links

Signed-off-by: Oliver Bähler <[email protected]>

* fix(helm): added scope for mutating webhook configurations

Signed-off-by: Oliver Bähler <[email protected]>

* feat(helm): align webhooks and job values

Signed-off-by: Oliver Bähler <[email protected]>

---------

Signed-off-by: Oliver Bähler <[email protected]>

.github/workflows/e2e.yml

@@ -46,12 +46,8 @@ jobs:
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
-      - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
-        with:
-          skipClusterCreation: true
-          version: v0.14.0
       - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
         with:
           version: v3.14.2
       - name: e2e testing
-        run: make e2e/${{ matrix.k8s-version }}
+        run: KIND_K8S_VERSION=${{ matrix.k8s-version }} make e2e

Makefile

@@ -71,12 +71,12 @@ helm-lint: docker
 	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml  --lint-conf .github/configs/lintconf.yaml  --all --debug"
 
 helm-test: kind ct ko-build-all
-	@kind create cluster --wait=60s --name capsule-charts
+	@$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
 	@make helm-test-exec
-	@kind delete cluster --name capsule-charts
+	@$(KIND) delete cluster --name capsule-charts
 
-helm-test-exec:
-	@kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
+helm-test-exec: kind
+	@$(KIND) load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
 	@kubectl create ns capsule-system || true
 	@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
 	@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@@ -271,11 +271,11 @@ golint: golangci-lint
 
 # Running e2e tests in a KinD instance
 .PHONY: e2e
-e2e/%: ginkgo
-	$(MAKE) e2e-build/$* && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
-
-e2e-build/%:
-	kind create cluster --wait=60s --name capsule --image=kindest/node:$*
+e2e: ginkgo
+	$(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
+    
+e2e-build: kind
+	$(KIND) create cluster --wait=60s --name capsule --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
 	$(MAKE) e2e-install
 
 .PHONY: e2e-install
@@ -295,16 +295,16 @@ e2e-install: e2e-load-image
 		./charts/capsule
 
 .PHONY: e2e-load-image
-e2e-load-image: ko-build-all
-	kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
+e2e-load-image: kind ko-build-all
+	$(KIND) load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
 
 .PHONY: e2e-exec
 e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e
 
 .PHONY: e2e-destroy
-e2e-destroy:
-	kind delete cluster --name capsule
+e2e-destroy: kind
+	$(KIND) delete cluster --name capsule
 
 SPELL_CHECKER = npx spellchecker-cli
 docs-lint:

README.md

@@ -40,9 +40,9 @@ Kubernetes introduces the _Namespace_ object type to create logical partitions o
 
 # Entering Capsule
 
-Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources. 
+Capsule takes a different approach. In a single cluster, the Capsule Controller aggregates multiple namespaces in a lightweight abstraction called _Tenant_, basically a grouping of Kubernetes Namespaces. Within each tenant, users are free to create their namespaces and share all the assigned resources.
 
-On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator. 
+On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. _Network and Security Policies_, _Resource Quota_, _Limit Ranges_, _RBAC_, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
 
 # Features
 
@@ -76,7 +76,7 @@ Assign to tenants a dedicated set of compute, storage, and network resources and
 
 # Documentation
 
-Please, check the project [documentation](https://capsule.clastix.io) for the cool things you can do with Capsule.
+Please, check the project [documentation](https://projectcapsule.dev) for the cool things you can do with Capsule.
 
 # Contributions
 
@@ -110,18 +110,14 @@ Please read the [code of conduct](CODE_OF_CONDUCT.md).
 
 See the [ADOPTERS.md](ADOPTERS.md) file for a list of companies that are using Capsule.
 
-# Governance
+# Project Governance
 
-You can find how the Capsule project is governed [here](https://capsule.clastix.io/docs/contributing/governance).
+You can find how the Capsule project is governed [here](https://projectcapsule.dev/project/governance/).
 
 ## Maintainers
 
 Please, refer to the maintainers file available [here](.github/maintainers.yaml).
 
-## Release process
-
-Please, refer to the [documentation page](https://capsule.clastix.io/docs/contributing/release).
-
 ### Changelog
 
 Read how we log changes [here](CHANGELOG.md)

SECURITY.md

@@ -6,7 +6,6 @@ The Capsule community has adopted this security disclosures and response policy
 
 For information regarding the security of this project please join our [slack channel](https://kubernetes.slack.com/archives/C03GETTJQRL).
 
-
 ## Covered Repositories and Issues
 
 When we say "a security vulnerability in capsule" we mean a security issue

charts/capsule/Chart.yaml

@@ -40,7 +40,7 @@ annotations:
     - name: Documentation
       url: https://projectcapsule.dev/
   artifacthub.io/changes: |
-    - kind: added
-      description: bundled crd lifecycle
+    - kind: fixed
+      description: added scope for mutating webhook configurations
     - kind: changed
-      description: removed PodSecurityPolicy support
+      description: moved job configuration from jobs to global.jobs.kubectl

charts/capsule/README.md

@@ -93,6 +93,28 @@ Here the values you can override:
 | crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
 | crds.labels | object | `{}` | Extra Labels for CRDs |
 
+### Global Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.jobs.kubectl.affinity | object | `{}` | Set affinity rules |
+| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the certgen job. |
+| global.jobs.kubectl.backoffLimit | int | `4` | Backofflimit for jobs |
+| global.jobs.kubectl.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
+| global.jobs.kubectl.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
+| global.jobs.kubectl.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
+| global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
+| global.jobs.kubectl.imagePullSecrets | list | `[]` | ImagePullSecrets |
+| global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
+| global.jobs.kubectl.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
+| global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
+| global.jobs.kubectl.resources | object | `{}` | Job resources |
+| global.jobs.kubectl.restartPolicy | string | `"Never"` | Set the restartPolicy |
+| global.jobs.kubectl.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
+| global.jobs.kubectl.tolerations | list | `[]` | Set list of tolerations |
+| global.jobs.kubectl.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
+| global.jobs.kubectl.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
+
 ### General Parameters
 
 | Key | Type | Default | Description |
@@ -103,21 +125,7 @@ Here the values you can override:
 | customAnnotations | object | `{}` | Additional annotations which will be added to all resources created by Capsule helm chart |
 | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
 | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
-| jobs.affinity | object | `{}` | Set affinity rules |
-| jobs.annotations | object | `{"helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded"}` | Annotations to add to the certgen job. |
-| jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
-| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
-| jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
-| jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
-| jobs.nodeSelector | object | `{}` | Set the node selector |
-| jobs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
-| jobs.priorityClassName | string | `""` | Set a pod priorityClassName |
-| jobs.resources | object | `{}` | Job resources |
-| jobs.restartPolicy | string | `"Never"` | Set the restartPolicy |
-| jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
-| jobs.tolerations | list | `[]` | Set list of tolerations |
-| jobs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
-| jobs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
+| jobs | object | `{}` | Deprecated, use .global.jobs.kubectl instead |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
 | podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |

charts/capsule/README.md.gotmpl

@@ -95,13 +95,22 @@ Here the values you can override:
   {{- end }}
 {{- end }}
 
+### Global Parameters
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if (hasPrefix "global" .Key)  }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
 
 ### General Parameters
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if not (or (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
+  {{- if not (or (hasPrefix "global" .Key) (hasPrefix "manager" .Key) (hasPrefix "crds" .Key) (hasPrefix "serviceMonitor" .Key) (hasPrefix "webhook" .Key) (hasPrefix "capsule-proxy" .Key) )  }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
   {{- end }}
 {{- end }}

charts/capsule/templates/_helpers.tpl

@@ -105,10 +105,12 @@ Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
 Create the jobs fully-qualified Docker image to use
 */}}
 {{- define "capsule.jobsFullyQualifiedDockerImage" -}}
-{{- if .Values.jobs.image.tag }}
-{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
+
+{{- if $Values.image.tag }}
+{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository $Values.image.tag -}}
 {{- else }}
-{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
+{{- printf "%s/%s:%s" $Values.image.registry $Values.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
 {{- end }}
 {{- end }}
 

charts/capsule/templates/crd-lifecycle/_helpers.tpl

@@ -4,9 +4,6 @@
 
 {{- define "capsule.crds.annotations" -}}
 "helm.sh/hook": "pre-install,pre-upgrade"
-  {{- with $.Values.jobs.annotations }}
-    {{- . | toYaml | nindent 0 }}
-  {{- end }}
 {{- end }}
 
 {{- define "capsule.crds.component" -}}

charts/capsule/templates/crd-lifecycle/job.yaml

@@ -1,3 +1,6 @@
+{{/* Backwards compatibility */}}
+{{- $Values := mergeOverwrite $.Values.global.jobs.kubectl $.Values.jobs -}}
+
 {{- if .Values.crds.install }}
 apiVersion: batch/v1
 kind: Job
@@ -8,12 +11,16 @@ metadata:
     # create hook dependencies in the right order
     "helm.sh/hook-weight": "-1"
     {{- include "capsule.crds.annotations" . | nindent 4 }}
+    {{- with $Values.annotations }}
+      {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
     {{- include "capsule.labels" . | nindent 4 }}
 spec:
-  {{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
-  ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
+  backoffLimit: {{ $Values.backoffLimit }}
+  {{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
+  ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
   {{- end }}
   template:
     metadata:
@@ -22,40 +29,40 @@ spec:
         app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
         {{- include "capsule.selectorLabels" . | nindent 8 }}
     spec:
-      restartPolicy: {{ $.Values.jobs.restartPolicy }}
-      {{- with $.Values.jobs.podSecurityContext }}
+      restartPolicy: {{ $Values.restartPolicy }}
+      {{- with $Values.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.jobs.nodeSelector }}
+      {{- with $Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.jobs.affinity }}
+      {{- with $Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.jobs.tolerations }}
+      {{- with $Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.jobs.topologySpreadConstraints }}
+      {{- with $Values.topologySpreadConstraints }}
       topologySpreadConstraints: 
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.jobs.priorityClassName }}
+      {{- with $Values.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}
-      {{- with .Values.imagePullSecrets }}
+      {{- with $Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}  
       serviceAccountName: {{ include "capsule.crds.name" . }}
       containers:
       - name: crds-hook
         image: {{ include "capsule.jobsFullyQualifiedDockerImage" . }}
-        imagePullPolicy: {{ .Values.jobs.image.pullPolicy }}
-        {{- with $.Values.jobs.securityContext }}
+        imagePullPolicy: {{ $Values.image.pullPolicy }}
+        {{- with $Values.securityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}
         {{- end }}
@@ -75,7 +82,7 @@ spec:
           mountPath: /data/{{ $path | base }}
           subPath: {{ $path | base }}
 {{- end }}
-        {{- with .Values.jobs.resources }}
+        {{- with $Values.resources }}
         resources:
           {{- toYaml . | nindent 10 }}
         {{- end }}
@@ -91,5 +98,4 @@ spec:
             path: {{ $path | base }}
 {{- end }}
 {{- end }}
-  backoffLimit: 4
 {{- end }}

charts/capsule/templates/mutatingwebhookconfiguration.yaml

@@ -29,6 +29,7 @@ webhooks:
     - CREATE
     resources:
     - pods
+    scope: "Namespaced"
   namespaceSelector:
   {{- toYaml .namespaceSelector | nindent 4}} 
   sideEffects: None
@@ -50,6 +51,7 @@ webhooks:
     - CREATE
     resources:
     - persistentvolumeclaims
+    scope: "Namespaced"
   namespaceSelector:
   {{- toYaml .namespaceSelector | nindent 4}}  
   sideEffects: None
@@ -73,6 +75,7 @@ webhooks:
     - UPDATE
     resources:
     - ingresses
+    scope: "Namespaced"
   namespaceSelector:
   {{- toYaml .namespaceSelector | nindent 4}}
   sideEffects: None

charts/capsule/templates/post-install/_helpers.tpl

@@ -4,9 +4,6 @@
 
 {{- define "capsule.post-install.annotations" -}}
 "helm.sh/hook": post-install
-  {{- with $.Values.jobs.annotations }}
-    {{- . | toYaml | nindent 0 }}
-  {{- end }}
 {{- end }}
 
 {{- define "capsule.post-install.component" -}}