projectcapsule
diff --git a/‎.github/workflows/e2e.yml‎
Lines changed: 2 additions & 11 deletions b/‎.github/workflows/e2e.yml‎
Lines changed: 2 additions & 11 deletions
diff --git a/‎.github/workflows/releaser.yml‎
Lines changed: 0 additions & 39 deletions b/‎.github/workflows/releaser.yml‎
Lines changed: 0 additions & 39 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 1 addition & 3 deletions b/‎.goreleaser.yml‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎charts/capsule/README.md‎
Lines changed: 10 additions & 1 deletion b/‎charts/capsule/README.md‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎charts/capsule/crds/capsule.clastix.io_tenants.yaml‎
Lines changed: 6 additions & 10 deletions b/‎charts/capsule/crds/capsule.clastix.io_tenants.yaml‎
Lines changed: 6 additions & 10 deletions
diff --git a/‎charts/capsule/templates/_pod.tpl‎
Lines changed: 110 additions & 0 deletions b/‎charts/capsule/templates/_pod.tpl‎
Lines changed: 110 additions & 0 deletions
diff --git a/‎charts/capsule/templates/crd-lifecycle/job.yaml‎
Lines changed: 16 additions & 0 deletions b/‎charts/capsule/templates/crd-lifecycle/job.yaml‎
Lines changed: 16 additions & 0 deletions
@@ -35,14 +35,5 @@ jobs:
       - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
         with:
           version: v3.14.2
-      - name: unit tracing
-        run: sudo make trace-unit
-      - name: e2e tracing
-        run: sudo make trace-e2e
-      - name: build seccomp profile
-        run: make seccomp
-      - name: upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: capsule-seccomp
-          path: capsule-seccomp.json
+      - name: e2e
+        run: sudo make e2e
@@ -11,41 +11,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  seccomp-generation:
-    name: Seccomp Generation
-    strategy:
-      fail-fast: false
-      matrix:
-        # differently from the e2e workflow
-        # we don't need all the versions of kubernetes
-        # to generate the seccomp profile.
-        k8s-version:
-          - "v1.30.0"
-    runs-on: ubuntu-latest-8-cores
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
-        with:
-          go-version-file: 'go.mod'
-      - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
-        with:
-          version: v3.14.2
-      - name: unit tracing
-        run: sudo make trace-unit
-      - name: e2e tracing
-        run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
-      - name: build seccomp profile
-        run: make seccomp
-      - name: upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: capsule-seccomp
-          path: capsule-seccomp.json
-
   create-release:
-    needs: seccomp-generation
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -67,11 +33,6 @@ jobs:
       - uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c
       - name: Install Cosign
         uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
-      - name: download artifact
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-        with:
-          name: capsule-seccomp
-          path: ./capsule-seccomp.json
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
 
@@ -73,12 +73,10 @@ release:
     >
     > | Kubernetes version | Minimum required |
     > |--------------------|------------------|
-    > | `v1.33`            | `>= 1.33.0`      |
+    > | `v1.34`            | `>= 1.34.0`      |
 
 
     Thanks to all the contributors! 🚀 🦄
-  extra_files:
-    - glob: ./capsule-seccomp.json
 checksum:
   name_template: 'checksums.txt'
 changelog:
 
@@ -35,14 +35,17 @@ The following Values have changed key or Value:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | global.jobs.kubectl.affinity | object | `{}` | Set affinity rules |
-| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the certgen job. |
+| global.jobs.kubectl.annotations | object | `{}` | Annotations to add to the job. |
 | global.jobs.kubectl.backoffLimit | int | `4` | Backofflimit for jobs |
 | global.jobs.kubectl.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
 | global.jobs.kubectl.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
 | global.jobs.kubectl.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
 | global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
 | global.jobs.kubectl.imagePullSecrets | list | `[]` | ImagePullSecrets |
+| global.jobs.kubectl.labels | object | `{}` | Labels to add to the job. |
 | global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
+| global.jobs.kubectl.podAnnotations | object | `{}` | Annotations to add to the job pod |
+| global.jobs.kubectl.podLabels | object | `{}` | Labels to add to the job pod |
 | global.jobs.kubectl.podSecurityContext | object | `{"enabled":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
 | global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
 | global.jobs.kubectl.resources | object | `{}` | Job resources |
@@ -65,6 +68,7 @@ The following Values have changed key or Value:
 | jobs | object | `{}` | Deprecated, use .global.jobs.kubectl instead |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
+| podLabels | object | `{}` | Labels to add to the capsule pod. |
 | podSecurityContext | object | `{"enabled":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
 | ports | list | `[]` | Set additional ports for the deployment |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
@@ -88,8 +92,13 @@ The following Values have changed key or Value:
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| manager.daemonsetStrategy | object | `{"type":"RollingUpdate"}` | [Daemonset Strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#creating-a-daemonset-with-rollingupdate-update-strategy) |
+| manager.deploymentStrategy | object | `{"type":"RollingUpdate"}` | [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) |
+| manager.env | list | `[]` | Additional Environment Variables |
+| manager.extraArgs | list | `["--enable-leader-election=true"]` | A list of extra arguments for the capsule controller |
 | manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode.  Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
 | manager.hostPID | bool | `false` | Specifies if the container should be started in hostPID mode. |
+| manager.hostUsers | bool | `true` | Don't use Host Users (User Namespaces) |
 | manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
 | manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
 | manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
 
@@ -700,11 +700,11 @@ spec:
                         podSelector:
                           description: |-
                             podSelector selects the pods to which this NetworkPolicy object applies.
-                            The array of ingress rules is applied to any pods selected by this field.
+                            The array of rules is applied to any pods selected by this field. An empty
+                            selector matches all pods in the policy's namespace.
                             Multiple network policies can select the same set of pods. In this case,
                             the ingress rules for each are combined additively.
-                            This field is NOT optional and follows standard label selector semantics.
-                            An empty podSelector matches all pods in this namespace.
+                            This field is optional. If it is not specified, it defaults to an empty selector.
                           properties:
                             matchExpressions:
                               description: matchExpressions is a list of label selector
@@ -768,8 +768,6 @@ spec:
                             type: string
                           type: array
                           x-kubernetes-list-type: atomic
-                      required:
-                      - podSelector
                       type: object
                     type: array
                 type: object
@@ -1928,11 +1926,11 @@ spec:
                         podSelector:
                           description: |-
                             podSelector selects the pods to which this NetworkPolicy object applies.
-                            The array of ingress rules is applied to any pods selected by this field.
+                            The array of rules is applied to any pods selected by this field. An empty
+                            selector matches all pods in the policy's namespace.
                             Multiple network policies can select the same set of pods. In this case,
                             the ingress rules for each are combined additively.
-                            This field is NOT optional and follows standard label selector semantics.
-                            An empty podSelector matches all pods in this namespace.
+                            This field is optional. If it is not specified, it defaults to an empty selector.
                           properties:
                             matchExpressions:
                               description: matchExpressions is a list of label selector
@@ -1996,8 +1994,6 @@ spec:
                             type: string
                           type: array
                           x-kubernetes-list-type: atomic
-                      required:
-                      - podSelector
                       type: object
                     type: array
                 type: object
 
@@ -0,0 +1,110 @@
+{{- define "capsule.pod" -}}
+metadata:
+  {{- with .Values.podAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "capsule.labels" . | nindent 4 }}
+    {{- with .Values.podLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with .Values.imagePullSecrets }}
+  imagePullSecrets:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+  {{- if .Values.podSecurityContext.enabled }}
+  securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 4 }}
+  {{- end }}
+  hostUsers: {{ .Values.manager.hostUsers }}
+  {{- if .Values.manager.hostNetwork }}
+  hostNetwork: true
+  dnsPolicy: ClusterFirstWithHostNet
+  {{- end }}
+  {{- if .Values.manager.hostPID }}
+  hostPID: {{ .Values.manager.hostPID }}
+  {{- else }}
+  hostPID: false
+  {{- end }}
+  priorityClassName: {{ .Values.priorityClassName }}
+  {{- with .Values.nodeSelector }}
+  nodeSelector:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.tolerations }}
+  tolerations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.affinity }}
+  affinity:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.topologySpreadConstraints }}
+  topologySpreadConstraints:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  volumes:
+    - name: cert
+      secret:
+        defaultMode: 420
+        secretName: {{ include "capsule.secretTlsName" . }}
+    {{- if .Values.manager.volumes }}
+      {{- toYaml .Values.manager.volumes | nindent 4 }}
+    {{- end }}
+  containers:
+    - name: manager
+      args:
+        - --webhook-port={{ .Values.manager.webhookPort }}
+        - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
+        - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
+        {{- with .Values.manager.extraArgs }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
+      imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
+      env:
+      - name: NAMESPACE
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.namespace
+      {{- with .Values.manager.env }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      ports:
+        {{- if not (.Values.manager.hostNetwork) }}
+        - name: webhook-server
+          containerPort: {{ .Values.manager.webhookPort }}
+          protocol: TCP
+        - name: metrics
+          containerPort: 8080
+          protocol: TCP
+        - name: health-api
+          containerPort: 10080
+          protocol: TCP
+        {{- end }}
+        {{- with .Values.manager.ports }}
+          {{- . | nindent 8 }}
+        {{- end }}
+      livenessProbe:
+        {{- toYaml .Values.manager.livenessProbe | nindent 8 }}
+      readinessProbe:
+        {{- toYaml .Values.manager.readinessProbe | nindent 8 }}
+      volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+        {{- if .Values.manager.volumeMounts }}
+          {{- toYaml .Values.manager.volumeMounts | nindent 8 }}
+        {{- end }}
+      resources:
+        {{- toYaml .Values.manager.resources | nindent 8 }}
+      {{- if .Values.manager.securityContext }}
+      securityContext:
+        {{- omit .Values.manager.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- else if .Values.securityContext.enabled }}
+      securityContext:
+        {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+{{- end -}}
@@ -17,15 +17,31 @@ metadata:
   labels:
     app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
     {{- include "capsule.labels" . | nindent 4 }}
+    {{- with $Values.labels }}
+      {{- . | toYaml | nindent 4 }}
+    {{- end }}
 spec:
   backoffLimit: {{ $Values.backoffLimit }}
   ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
   template:
     metadata:
       name: "{{ include "capsule.crds.name" . }}"
+      annotations:
+        {{- with $Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with $.Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
       labels:
         app.kubernetes.io/component: {{ include "capsule.crds.component" . | quote }}
         {{- include "capsule.selectorLabels" . | nindent 8 }}
+        {{- with $Values.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with $.Values.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       restartPolicy: {{ $Values.restartPolicy }}
       {{- if $Values.podSecurityContext.enabled }}