v0.1.2-rc1

• 261876b docs: documenting new support for dynamic tenant owners clusterrole
• ab75014 refactor: support for rfc 1123 for tenant owners cluster roles overrides
• e237249 feat: improve chart documentation
• e15191c refactor: sentinel error for running in out of cluster mode
• 741db52 chore(gh): adding 1.24 to the e2e test matrix
• 7b3f850 chore(gh): disabling fail fast for e2e
• 7273341 fix(docs): helm example was wrong when customizing value
• cac2920 feat: grant global patch privileges and add patch handler
• e0b339d fix(tests): cleaning up protected tenant upon test success
• 4f55dd8 refactor: removing unrequired verb for clusterrole namespace deleter
• fd73834 docs: fix typos
• fce1658 chore: remove unused CASecretNameAnnotation constant
• 93547c1 build(helm): revert bumping chart version
• f1dc028 feat: generate TLS certificates before starting controllers
• 3738118 build(helm): refactor capsule TLS certificates management
• 82b58d7 feat: refactor capsule TLS certificates management
• 60e826d docs: update tenant owner default cluster documentation
• 6e8ddd1 build(deps): bump eventsource from 1.1.0 to 1.1.1 in /docs
• b64aaeb docs: referring to docker hub image
• 9a85631 chore(yaml): using docker hub image
• 51ed429 chore(helm): using docker hub image
• cf313d4 chore(make): using docker hub image
• 526a605 docs: documenting charmed operator (#572)
• 0dd13a9 chore(yaml): aligning to v0.1.2-rc0 image
• 1c8a5d8 docs(proxy): documenting retrieval of a single namespace
• b9fc508 style: removing unused struct field
• 29d29cc feat(ci): added docker.io repository
• f207546 docs(readme.md): add slack link

v0.1.2-rc0

• deb0858 build(helm): support cert-manager for generating tls and ca
• 1af56b7 feat: support cert-manager for generating tls and ca
• 3c9228d fix: protectedHandler OnDelete get tenant using client
• bf6760f docs: documenting protected tenants annotation
• 23564f8 feat: protected tenant annotation
• a8b84c8 fix: using sentinel error for non limited custom resource
• 8c0c8c6 docs: documenting proxysetting crd use cases in capsule-proxy
• ec89f5d docs(readme.md): add links to community repo and governance doc
• 68956a0 chore(ci): pinning golangci-lint version
• c036fee docs(general/proxy): remove duplicated doc about nodes
• 9f6883d fix: formatting error message for service-related objects
• e7227d2 build(helm): alignement with latest changes
• f168137 build(installer): alignement with latest changes
• 49e76f7 style: linters refactoring
• 9d69770 style: fixing linters issues
• f4ac85d refactor: using k8s client scheme
• cb4289d refactor: using kubernetes tls secret key names
• 0119789 refactor: optimizing watchers predicates
• 3458366 refactor: avoiding using background context
• 69a6394 build(deps): bump async from 2.6.3 to 2.6.4 in /docs
• a3495cf chore: go 1.18 support
• 7662c3d docs: aligning to dynamic tenant owner roles
• 137b0f0 test: aligning to new rolebindings sync policies
• 9fd18db feat: dynamic cluster roles for tenant owners
• 364adf7 style: using constant for rbac group
• cb3ce37 fix: ensuring ca bundle replication upon helm upgrade
• 59d81c2 chore(build): makefile for building local binary
• 85861ee build(deps): bump moment from 2.29.1 to 2.29.2 in /docs
• ed88606 build(deps): bump minimist from 1.2.5 to 1.2.6 in /docs
• afae361 fix(helm): jobs in capsule helm chart should use the same tolerations as deployment
• 535ef74 chore(ci): force use of go 1.16
• f373deb fix: fixing the helm chart
• 569d803 fix: using configuration for mutating and validating webhooks
• 7b3b0d6 fix: using configuration for tls and ca secret names
• 0bfca6b (tag: helm-v0.1.7) fix(helm): avoiding overwriting secrets upon helm upgrade
• fdc1b3f fix(docs): capsule-proxy chart url
• f7bc2e2 chore: description for limit ranges and update doc
• d302163 Docs update (#530)
• 7fefe4f build(deps): bump url-parse from 1.5.7 to 1.5.10 in /docs
• 302bb19 build(deps): bump prismjs from 1.25.0 to 1.27.0 in /docs
• 27a7792 build(deps): bump simple-get from 3.1.0 to 3.1.1 in /docs
• 1a60e83 docs: misc typo fixes in various places
• 632268d fix(docs): adding missing validatingwebhookconfiguration patch for nodes endpoint
• 4e07de3 build(deps): bump url-parse from 1.5.3 to 1.5.7 in /docs
• 1d10bca test(e2e): tenant regex forbidden namespace labels and annotations
• d4a5f3b fix: validate regex patterns in annotations #510
• cd56eab fix: object count resource quotas not working when using Tenant scope
• 6cee5b7 build(deps-dev): bump postcss from 7.0.39 to 8.2.13 in /docs
• 8e7325a build(deps): bump nanoid from 3.1.29 to 3.2.0 in /docs
• be26783 docs: clarify usage of serviceaccount as tenant owner (#503)
• 0b199f4 fix: modify jobs.image.tag for eks

v0.1.1

v0.1.1 (2022-01-11)

Per Aspera ad Astra, 2022.

Docker images are hosted on quay.io and can be pulled with the following command:

docker pull quay.io/clastix/capsule:v0.1.1

Enhancement

• Avoid polluting logs with not found errors in ServiceLabels reconciler (#493)
• Automatic discovery of Kubernetes client version in the Helm post-install job (#462)
• Allowing image pull secret for Helm hooks jobs (#486)
• Enhanced documentation (#480, #449, #433)
• Avoiding race condition on Helm Chart build step in GitHub Actions (#459)
• More options for the local development environment (#429)
• Support additional webhook configuration in helm charts (#427)
• JQ is required for user creation (#418)

Hotfix

• Allowing ArgoCD to deal with Capsule Helm Chart (#438)
• Restoring Multi-Tenant Benchmark document (#488)
• Fixing conversion issue related LimitRanges from v1alpha1 to v1beta1 (#440)
• Error handling for RoleBinding drops in case of errors (#453)
• Fixing regex not allowing to limit registries from Azure container registry (#452)
• NetworkPolicies not synced after Tenant update (#465)
• Support for underscore in the Container Registry regex (#460)
• Hard-coded namespace in the webhook configuration (#455, #448)
• Avoid CRD reinstall from e2e test suite (#444)
• Invalid YAML default values w/ v0.1.1 Helm Chart (#441)
• Automatic discovery of supported API version (#415)
• Tenant condoning checks capsuleUserGroup membership rather than tenant owners (#421)
• Avoiding nil pointer with non-well-formed ServiceAccount Tenant owners (#412)
• Supporting start-up in HA of the Capsule controller (#410)

Features

• Support for Kubernetes 1.23 (#495)
• Documenting how to migrate from v1alpha1 to v1beta1 (#408)
• Limiting amount of custom resources per Tenant (#365)
• Support for Namespace labeling by Tenant Owners (#407)
• Programmable deny of wildcard hostnames (#219)

More features are on their way and planned here.

Thanks

As usual, we're proud of the community behind Capsule and this release has been possible thanks to all the contributors and newcomer feature requesters or issuers: @93lucasp, @adrianhernandez-stratio, @oliverbaehler, @mendrugory, @MaxFedotov, @nodefourtytwo, @alegrey91, @RixTmobilender, @ptx96, @brightzheng100, @slushysnowman, @bsctl, @titansmc, and @viveksyngh!

v0.1.1-rc1

• 5c7804e fix: add rolebinding validation against rfc-1123 dns for sa subjects
• c4481f2 docs: additions to dev-guide
• ec715d2 fix: do not register tenant controller\webhook\indexer until CA is created
• 0aeaf89 fix(docs): broken links and style, deleted command code from MD file
• 3d31ddb docs: instructions on how to develop the docs website
• e83f344 feat(docs): removed meta robots and added meta og:url
• da83a87 style(docs): added blockquote style
• 43a944a feat(docs): created 404 default page
• 0acc2d2 feat(docs): setup Gridsome for the website
• 14f9686 Forbidden node labels and annotations (#464)
• 6ba9826 chore(linters): no more need of duplicate check
• bd58084 docs!: container registry enforcement required fqci
• 3a5e508 test: fqci is required for containar registry enforcement
• e2768da fix!: forcing to use fqci and container registries with no repositories
• b97c231 fix: duplicate release for helm chart this commit remote helm release workflow trigger on create which triggers duplicate event as push
• fa8e805 build(ci): triggering e2e also for nested files
• 8df66fc test: resources are no more pointers
• c221891 fix: pointer doesn't trigger resources pruning
• e361e2d fix: allowing regex underscore for container registry enforcement
• 260b60d build(helm): bumping up to new Helm version
• e0d5e6f Refactor helper script to create a Capsule user (#454)
• 0784dc7 docs: add service account group to Capsule group (#450)
• b17c6c4 fix(helm): do not hardcode namespace forwebhook configs
• 52cf597 docs: use one patch for each webhook
• b8dcded docs: add dev env diagram
• 6a175e9 docs: explicitly add the contribution section
• 3c609f8 docs: tune the dev setup process
• 7c3a59c feat: ignore vscode
• d3e3b8a docs: review and enhance dev guide
• 7a8148b docs: add dev guide
• 405d3ac docs: move and refactor contributing.md
• f92acf9 fix: correct the make run issue
• bbb7b85 fix: avoid CRD reinstall
• 0f7284d fix(helm): remove matchExpressions selector from ingresses webhook
• 7db263b fix(documentation): add link to use case velero backup restoration
• 0a8f50f docs(operator): add documentation for deny wildcard hostnames
• 7a66e8e ci: limit e2e tests to specific paths
• b5eb03e chore: adding auto-generated code
• 681b514 ci: allowing tag creation as trigger to push helm chart

v0.1.1-rc0

• b28b98a feat: namespace labeling for tenant owners. fix linting issues
• f6bf0ca build(installer): namespace labeling for tenant owners
• 1081bad docs: namespace labeling for tenant owners
• 79372c7 build(helm): namespace labeling for tenant owners
• 4e8faaf build(kustomize): namespace labeling for tenant owners
• d1b0089 test(e2e): namespace labeling for tenant owners
• a14c760 feat: namespace labeling for tenant owners
• 03456c0 (tag: helm-v0.1.1) fix(ci): allowing tag creation as trigger to push helm chart
• ddfe221 build(helm): update chart version
• 6b68363 build(helm): additional webhook configuration in chart
• 357834c refactor(test): switch from kubernetes version control to NoKindMatchError
• 085d9f6 test(e2e): disabled Ingress wildcard annotation
• 196e3c9 feat: add deny-wildcard annotation
• 0039c91 docs: fix doc minor issues
• 26965a5 fix: skipping indexer if error is a NoKindMatch
• 422b659 fix: check if user is a member of capsuleUserGroup instead of tenantOwner when cordoning a tenant
• 61e6ab4 fix(hack): jq installation checking
• 94c6a64 fix: validating Tenant owner name when is a ServiceAccount
• 75ebb57 fix(chore): ignoring Helm tags
• 8f3b3ea fix: deleting Pods upon TLS update for HA installations

v0.1.0

v0.1.0 (2021-08-23)

Welcome to the first minor release of Capsule full of new features!

⚠️ Warning: this release contains breaking changes!

Docker images are hosted on quay.io and can be pulled with the following command:

docker pull quay.io/clastix/capsule:v0.1.0

Enhancement

• Use more comprehensive variables in the code-base (#164)
• Releasing Helm chart release upon tag (#250)
• Use multiple groups as capsule-user-group (#258)
• Support of Capsule Chart for ArgoCD (#266 #264)
• ⚠️ Webhook refactoring (#297)
• Optimizing reconciliations for RoleBinding (#315)
• Refactoring of the Tenbant controller (#363)

Breaking changes

• ⚠️ Removing the RBAC Proxy sidecar container for metrics exposure (#246)
• ⚠️ Capsule configuration using the CapsuleConfiguration CRD (#122)
• ⚠️ Dropping for v1beta1 additionalPrinterColumns regarding tenant ownership (#331)
• ⚠️ Preventing ingress hostname collision by default (#218 #207)

Hotfix

• Using an arbitrary name for capsule namespace generates errors during webhook calls (#247)
• Check for KUBECONFIG env variable during user creation (#298)
• ⚠️ Wrong package name for the config controller (#373)
• Documenting Helm Namespace creation (#359)
• Documenting Capsule installation on AWS EKS (#306)

Features

• Support for armv7/arm64 (#244)
• Emitting events for policy violations and other events (#173)
• Support for ImagePullPolicy enforcement at Tenant level (#271)
• Tenant cordoning (#243)
• Grafana dashboard (#150)
• Single YAML file installer (#347)
• Support for Service type enforcement at Tenant level (#339 #390)
• Support for PriorityClass enforcement at Tenant level (#257)
• ResourceQuota scope configurable at Tenant level (#50)
• Support up to Kubernetes 1.22 (#335)
• Addressing the multi-tenancy benchmark requirements (#68)
• Ingress hostname collision scope, evaluating Ingress paths (#358)
• New Capsule v1beta1 API version (#286)
• Support for multiple Tenant owners (#276)
• Tenant backup and restore of a Tenant using bash script (#320 #338)

More features are on their way and planned here.

Thanks

For our biggest release, many kudos to the great effort showed by @MaxFedotov, @alegrey91, @ptx96, @spagno, @viveksyngh, @sftim, @xphoniex, @ruzickap, @ludusrusso, and @bsctl.

v0.1.0-rc6

This is a pre-release, some of the planned features may not be yet implemented or misbehaving.

• a2fda44 fix: NewIngressHostnameCollision is returning pointer for error parsing
• 06330cf fix: example was wrong due to missing porting of NamespaceOptions
• 1ec9936 docs: hostname collision is now managed at Tenant level
• 694b519 build(helm): hostname collision is now managed at Tenant level
• 0b34f04 build(helm): removing deprecated collision values
• a702ef2 docs(helm): deprecating hostname collision
• 04d91af build(kustomize): hostname collision is now managed at Tenant level
• 8949be7 test(e2e): scoped Ingress hostname and path collision
• df08c9e refactor: hostname collision is now managed at Tenant level
• 07daffd build(helm): Ingress hostname collision scope at Tenant level
• 3a42b90 build(kustomize): Ingress hostname collision scope at Tenant level
• 09277e9 feat: Ingress hostname collision scope at Tenant level
• 47794c0 style: no need of nolint here
• e24394f refactor: avoiding init functions for direct registration
• 01053d5 refactor: renaming struct field names for allowed hostnames and classes
• b749e34 refactor: grouping Ingress options into defined struct
• 82480f3 docs: fix minor issues
• 88a9c24 docs: update links in documentation
• 651c62f docs: add further test cases
• dcb8b78 docs: additional test cases
• 7a69863 docs: additional test cases
• 894ea50 docs: add few test cases
• e4e3283 build(helm): Tenant status enums must be capitalized
• 007f008 build(kustomize): Tenant status enums must be capitalized
• bc6fc92 fix: Tenant status enums must be capitalized
• 01b511b test(e2e): fixing flakiness for Service and EP metadata
• 6223b1c chore(github): forcing Go 1.16 and removing caching
• d5158f0 chore(github): updating Kubernetes supported matrix
• 047f4a0 build(helm): aligning descriptions for v1.22.0
• 71cdb45 build(kustomize): aligning descriptions for v1.22.0
• 9182895 refactor:EndpointSlice v1beta1 deprecated for v1
• 2eceb09 chore(gomod): updating Kubernetes deps to 1.22
• 8ead555 docs: reference to admissionregistration.k8s.io/v1 for local debugging
• 57bf3d1 feat: skipping Ingress indexer setup for deprecated APIs
• bb58e90 test(e2e): skipping ingress class tests if running on Kubernetes 1.22
• f8fa87a chore(hack)!: upgrading to certificates.k8s.io/v1
• b3658b7 refactor AdditionalMetadataSpec struct. Remove Additional prefix from labels and annotations fields (#379)
• 54d0201 test(e2e): fix linting issues for NamespaceOptions tests
• 44ffe0d build(installer): CRD update for v1beta1 NamespaceOptions
• 491ab71 build(helm): CRD update for v1beta1 NamespaceOptions
• 4e9dbf8 build(kustomize): CRD update for v1beta1 NamespaceOptions
• 3461401 test(e2e): aligning tests to use new NamespaceOptions structure
• 737fb26 refactor: use NamespaceOptions struct to store namespace-related tenant configurations
• b560159 chore(gh): using build-args
• ddb9ffd (issues/365) refactor: split tenant controller to separate files
• cae65c9 fix: capsuleconfiguration controller package name should be config instead of rbac
• befcf65 feat: adding webhook and rest client latency per endpoint
• e1d9833 chore(gh): updating e2e workflow
• 848c6d9 refactor: using goroutines per Namespace for each resource Kind reconciliation
• bd12068 fix: handling multiple resources for hard ResourceQuota resources
• 4604e44 build(helm): Tenant or Namespace scope for resource quota budgets
• 31863b5 build(kustomize): Tenant or Namespace scope for resource quota budgets
• 7a055fc fix(test): matching upon reconciliation, not retrieval
• 29ab5ca test: Tenant or Namespace scope for resource quota budgets
• c52f784 feat: Tenant or Namespace scope for resource quota budgets
• 9244122 docs (helm): added namespace creation
• f883e7b fix: wrong description of Service external IPs
• 2f5f31b test(e2e): allowed external IPs is grouped in ServiceOptions
• e7ef964 build(helm): allowed external IPs is grouped in ServiceOptions
• 34f73af build(kustomize): allowed external IPs is grouped in ServiceOptions
• 18912a0 feat: allowed external IPs is grouped in ServiceOptions
• d43ad2f build(kustomize): updating to v0.1.0-rc5
• 9a59587 docs: update capsule-proxy docs

v0.1.0-rc5

This is a pre-release, some of the planned features may not be yet implemented or misbehaving.

• c0d4aab build(helm): CRD update for PriorityClass enum
• 6761fb9 build(kustomize): CRD update for PriorityClass enum
• bf9e0f6 test: PriorityClass proxy operations conversion
• f937942 feat: capsule-proxy operations for PriorityClass resources
• 89d7f30 build(helm): CRD update for v1beta1 service options
• 2a6ff09 build(kustomize): CRD update for v1beta1 service options
• 35f4810 test(e2e): aligning tests to new v1beta1 structure and ExternalName case
• 7aa62b6 test: conversion for new Service options
• 58645f3 chore(samples): example for ServiceOptions
• 0e55823 feat: toggling ExternalName service

v0.1.0-rc4

This is a pre-release, some of the planned features may not be yet implemented or misbehaving.

• ba69048 refactor: use OwnerListSpec to store tenant owners information
• faa2306 chore: support multiple groups in create-{user}/{user-openshift}.sh scripts
• c1448c8 build(installer): add description fields in CRD
• 776a56b build(helm): add description fields in CRD
• e4883bb build(kustomize): add description fields in CRD
• e70afb5 feat: add description fields in CRD
• ee7af18 docs: bare installation of Capsule using kubectl
• ac7de3b chore(github): updating steps for single YAML file installer diffs
• 8883b15 chore: single YAML file installer
• e23132c chore(kustomize): using single YAML file to install Capsule
• bec59a5 build(kustomize): updating to v0.1.0-rc3
• 9c649ac chore(kustomize): adding v1beta1 Tenant
• 3455aed fix(samples): Tenant v1beta1 example
• ad1edf5 fix(samples): removing empty file
• d64dcb5 fix: preserving v1alpha1 enable node ports false value avoiding CRD default
• 76d7697 docs: minor improvements
• 96f4f31 docs(velero): add brief explanation about new cli flag
• c3f9dfe feat(velero): improve usage function
• 502e9a5 feat(velero): add possibility to specify a tenant list by cli
• 6f208a6 fix(velero): fix wrong argument behaviour
• 1fb5200 fix(velero): add possibility to fix also apiVersion parameter
• 98e1640 fix: avoid nil slice during resource conversion

v0.1.0-rc3

This is a pre-release, some of the planned features may not be yet implemented or misbehaving.

• eb19a7a chore: fix linting issues
• db8b8ac test(e2e): support multiple tenant owners(add applications to act as tenant owners)
• 663ce93 build(helm): support multiple tenant owners(add applications to act as tenant owners)
• a6408f2 feat: support multiple tenant owners(add applications to act as tenant owners)
• 1aa026c chore(github): no need of fundings
• 6008373 bug: ensuring to update the conversion webhook CA bundle
• 414c03a feat: reconciliation for Tenant state
• 4d34a9e build(helm): support for Tenant state
• cb9b560 build(kustomize): support for Tenant state
• ef75d04 feat(api): Tenant state
• e1e75a0 docs(velero): add documentation about velero-restore script
• 80143ff feat(velero): add script to manage velero backup restoration
• 3d54810 chore: bump-up to latest version
• 09dfe33 bug(kustomize): fixing JSON path for kustomize-based installation
• 01ea36b chore: updating kustomize
• bd448d8 test(e2e): avoiding flaky tests for ingress hostnames collision
• b58ca3a chore: v1beta1 goimports and formatting
• 52fb094 feat(v1beta1): add conversion webhook
• 1b0fa58 chore: remove unused functions for v1alpha1 version
• 92655f1 build(helm): update crds to use v1beta1 version
• 44bf846 test(e2e): update tests to use v1beta1 version
• e6b433d feat(v1beta1): update code to use v1beta1 version
• 3e0882d refactor: domains is now API utils
• 4166093 feat(v1beta1): tenant spec
• 3d714dc build(kustomize)!: adding the conversion endpoint for v1beta1
• bd01881 feat(v1beta1): scaffolding the Convertible interface
• ac6af13 feat(v1beta1): registering conversion webhook
• 8fb4b7d feat: scaffolding v1beta1 Tenant version
• d4280b8 chore(makefile): ensure validation for each version
• 6e39b17 chore(operatorsdk): required scaffolding for v1alpha2
• b1a9603 fix: ensuring single reconciliation for Capsule RoleBinding resources
• 0d4201a docs(helm): update documentation about hostNetwork
• 1734c90 build(helm): add hostNetwork for manager pod
• 184f054 test(e2e): adding further tests for collisions
• 126449b build(helm): fixing pairing between values and collision CRD keys
• 284e7da build(helm): support for admission review version to v1
• 99e1589 build(helm)!: using multiple handlers per webhook
• 7cc2c3f build(kustomize)!: using multiple handlers per webhook
• ba07f99 refactor!: using multiple handers per route
• d799726 docs: Amazon EKS documentation