From e4bdfd81ac8627286384d3e811a45a6adc8822c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Tue, 5 Mar 2024 18:19:35 +0100 Subject: [PATCH 1/2] feat(helm): add capsule 0.6.0 as optional dependency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler
---
charts/capsule/Chart.lock | 6 ++++++ charts/capsule/Chart.yaml | 11 ++++++++--- charts/capsule/README.md | 6 ++---- charts/capsule/values.yaml | 14 +++++++------- 4 files changed, 23 insertions(+), 14 deletions(-) create mode 100644 charts/capsule/Chart.lock
diff --git a/charts/capsule/Chart.lock b/charts/capsule/Chart.lock
new file mode 100644
index 00000000..a8ee078f
--- /dev/null
+++ b/charts/capsule/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: capsule-proxy
+ repository: oci://ghcr.io/projectcapsule/charts
+ version: 0.6.0
+digest: sha256:4cf05b352f1c38a821081cc01ac5f2a84ed7d68514a5b98e63edba5ab1c7b19e
+generated: "2024-03-05T17:09:58.383699+01:00"
diff --git a/charts/capsule/Chart.yaml b/charts/capsule/Chart.yaml
index 1ff89c78..8d4300cb 100644
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -4,6 +4,12 @@ description: A Helm chart to deploy the Capsule Operator for easily implementing
 managing, and maintaining mutitenancy and access control in Kubernetes.
 home: https://github.com/projectcapsule/capsule
 icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
+dependencies:
+ - name: capsule-proxy
+ version: 0.6.0
+ repository: "oci://ghcr.io/projectcapsule/charts"
+ condition: proxy.enabled
+ alias: proxy
 keywords:
 - kubernetes
 - operator
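Review bot: The new dependency entry quotes only `repository` while its sibling scalars (`version: 0.6.0`, `condition: proxy.enabled`, `alias: proxy`) and the rest of Chart.yaml are plain; an `oci://` URL starts with no YAML indicator, so `repository: oci://ghcr.io/projectcapsule/charts` can be written plain like the others, or single-quoted if you prefer quoting, since no escapes are needed. Pinning the subchart to an exact `0.6.0` and committing Chart.lock with its `digest` is the right shape for a supply-chain control, but it only holds if the dependency is built from the lock (`helm dependency build`) rather than re-resolved at install time; worth stating in a comment above `dependencies:` so that CI changes do not quietly bypass it.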
@@ -18,10 +24,9 @@ maintainers:
 name: capsule
 sources:
 - https://github.com/projectcapsule/capsule
-# The version is overwritten by the release workflow.
+# Note: The version is overwritten by the release workflow.
 version: 0.6.0
-# This is the version number of the application being deployed.
-# This version number should be incremented each time you make changes to the application.
+# Note: The version is overwritten by the release workflow.
 appVersion: 0.5.0
 annotations:
 artifacthub.io/operator: "true"
diff --git a/charts/capsule/README.md b/charts/capsule/README.md
index ffc7c61e..c8a95b09 100644
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -85,6 +85,7 @@ Here the values you can override:
 | podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
 | podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
+| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
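Review bot: The new comment above `appVersion` is a verbatim copy of the one above `version`, so the file now carries two identical notes and a reader can no longer tell which field each refers to, while the removed text explaining that `appVersion` is the deployed application's version is gone. If the release workflow really rewrites both fields, name the field in each note, e.g. `# Note: The appVersion is overwritten by the release workflow.`; if it only rewrites `version`, restore the previous explanation for `appVersion` instead. The release workflow is not part of this patch, so which case applies needs confirming.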
@@ -118,10 +119,7 @@ Here the values you can override:
 | manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.rbac.existingRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
-| manager.resources.limits.cpu | string | `"200m"` | |
-| manager.resources.limits.memory | string | `"128Mi"` | |
-| manager.resources.requests.cpu | string | `"200m"` | |
-| manager.resources.requests.memory | string | `"128Mi"` | |
+| manager.resources | object | `{}` | Set the resource requests/limits for the Capsule manager container |
 | manager.webhookPort | int | `9443` | Set an alternative to the default container port. Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |
 ### ServiceMonitor Parameters
diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml
index f86f1c31..e7578147 100644
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -11,6 +11,11 @@ tls:
 # -- Override name of the Capsule TLS Secret name when externally managed.
 name: ""
+# Capsule Proxy
+proxy:
+ # -- Enable Installation of Capsule Proxy
+ enabled: false
+
 # Manager Options
 manager:
@@ -85,13 +90,8 @@ manager:
 path: /readyz
 port: 10080
- resources:
- limits:
- cpu: 200m
- memory: 128Mi
- requests:
- cpu: 200m
- memory: 128Mi
+ # -- Set the resource requests/limits for the Capsule manager container
+ resources: {}
 # -- Configuration for `imagePullSecrets` so that you can use a private images registry.
 imagePullSecrets: []
From 6cb560a6d2c054e5aff81283fd97e77cbdfd1fbd Mon Sep 17 00:00:00 2001
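Review bot: The new `proxy:` block is introduced only by `# Capsule Proxy`, which as far as I can tell helm-docs ignores (it only collects `# --` comments), and nothing tells a reader that, because the dependency is declared with `alias: proxy` in Chart.yaml, every other key placed under `proxy.` is forwarded to the capsule-proxy subchart as its values. A comment such as `# -- Values under this key are passed through to the capsule-proxy subchart (alias "proxy"); see that chart for the available keys` above `proxy:` makes the contract explicit and survives README regeneration. Keeping the default at `enabled: false` is right for an optional component.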
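Review bot: Replacing the manager's default `resources` with `{}` removes the only CPU/memory bound the chart shipped with, so a default install now runs the operator with no requests or limits; a namespace with a compute ResourceQuota rejects pods that omit them unless a LimitRange injects defaults, and without a memory limit a misbehaving manager competes with tenant workloads for node memory. The README row documents the new default as `{}` without saying what to set, and in this series only the ci values files set requests. If the intent is to leave the choice to the installer, keep the empty default but say why, e.g. `# -- Set the resource requests/limits for the Capsule manager container (left empty so cluster LimitRange/ResourceQuota defaults apply; production installs should set both requests and limits)`; otherwise retain the previous `requests`/`limits` defaults.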
From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Tue, 5 Mar 2024 18:20:19 +0100 Subject: [PATCH 2/2] chore(helm): version updates and liniting improvements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oliver Bähler
---
.github/configs/ct.yaml | 2 ++ .github/workflows/e2e.yml | 2 +- .github/workflows/helm-test.yml | 2 ++ Makefile | 21 ++++++++++----------- charts/capsule/ci/proxy-values.yaml | 7 +++++++ charts/capsule/ci/test-values.yaml | 12 ++++-------- 6 files changed, 26 insertions(+), 20 deletions(-) create mode 100644 charts/capsule/ci/proxy-values.yaml
diff --git a/.github/configs/ct.yaml b/.github/configs/ct.yaml
index af598575..7cf864bc 100644
--- a/.github/configs/ct.yaml
+++ b/.github/configs/ct.yaml
@@ -2,6 +2,8 @@ remote: origin
 target-branch: main
 chart-dirs:
 - charts
+chart-repos:
+ - capsule=https://projectcapsule.github.io/charts/
 helm-extra-args: "--timeout 600s"
 validate-chart-schema: false
 validate-maintainers: false
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index a858f131..4cd5f7b8 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -57,6 +57,6 @@ jobs:
 version: v0.14.0
 - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
 with:
- version: 3.3.4
+ version: v3.14.2
 - name: e2e testing
 run: make e2e/${{ matrix.k8s-version }}
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
index 180cde5f..baa6dcd6 100644
--- a/.github/workflows/helm-test.yml
+++ b/.github/workflows/helm-test.yml
@@ -17,6 +17,8 @@ jobs:
 with:
 fetch-depth: 0
 - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+ with:
+ version: v3.14.2
 - name: Linting Chart
 run: helm lint ./charts/capsule
 - name: Setup Chart Linting
diff --git a/Makefile b/Makefile
index 26e08db2..4e5b769c 100644
--- a/Makefile
+++ b/Makefile
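Review bot: The `chart-repos` entry registers `capsule=https://projectcapsule.github.io/charts/`, but the dependency added to Chart.yaml in this series is declared against `oci://ghcr.io/projectcapsule/charts`; a classic repository alias is not consulted when Helm resolves an OCI dependency, so as far as I can tell this entry is unused by `ct lint`/`ct install` and names a second distribution source for the same subchart. Either drop it, or add a comment above `chart-repos:` stating what it is needed for, so a reader does not assume the proxy chart is fetched from it and so the two sources cannot drift apart unnoticed.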
@@ -87,26 +87,24 @@ apidoc: apidocs-gen
 # Helm
 SRC_ROOT = $(shell git rev-parse --show-toplevel)
-helm-controller-version:
- $(eval VERSION := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
- $(eval KO_TAGS := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
-
 helm-docs: HELMDOCS_VERSION := v1.11.0
 helm-docs: docker
 @docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
-helm-lint: CT_VERSION := v3.3.1
 helm-lint: docker
 @docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
-helm-test: helm-controller-version kind ct ko-build-all
+helm-test: kind ct ko-build-all
 @kind create cluster --wait=60s --name capsule-charts
+ @make helm-test-exec
+ @kind delete cluster --name capsule-charts
+
+helm-test-exec:
 @kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
- @kubectl create ns capsule-system
- @kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
- @kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+ @kubectl create ns capsule-system || true
+ @kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+ @kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
 @ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
- @kind delete cluster --name capsule-charts
 docker:
 @hash docker 2>/dev/null || {\
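Review bot: `helm-test` now calls `@make helm-test-exec` and deletes the kind cluster on the next recipe line, but that delete runs only when the nested make succeeds; any failure inside `helm-test-exec` aborts the recipe and leaves the `capsule-charts` cluster and its loaded image behind on the runner, which the old single-target layout also did, so this is the moment to fix it. Use the `$(MAKE)` variable for the recursive call and chain the cleanup, e.g. `@$(MAKE) helm-test-exec || { kind delete cluster --name capsule-charts; exit 1; }`. `kubectl create ns capsule-system || true` also hides every error from that command, not only AlreadyExists; `kubectl create ns capsule-system --dry-run=client -o yaml | kubectl apply -f -` is idempotent without masking failures. Removing `helm-controller-version` drops the only visible definition of `VERSION`, which `kind load docker-image` still expands, so `VERSION` must now come from elsewhere in the Makefile; I cannot verify that from this hunk.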
@@ -247,7 +245,7 @@ ginkgo: ## Download ginkgo locally if necessary.
 $(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
 CT := $(shell pwd)/bin/ct
-CT_VERSION := v3.7.1
+CT_VERSION := v3.10.1
 ct: ## Download ct locally if necessary.
 $(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
@@ -326,6 +324,7 @@ e2e-build/%:
 .PHONY: e2e-install
 e2e-install:
 helm upgrade \
+ --dependency-update \
 --debug \
 --install \
 --namespace capsule-system \
diff --git a/charts/capsule/ci/proxy-values.yaml b/charts/capsule/ci/proxy-values.yaml
new file mode 100644
index 00000000..33b580d1
--- /dev/null
+++ b/charts/capsule/ci/proxy-values.yaml
@@ -0,0 +1,7 @@
+proxy:
+ enabled: true
+manager:
+ resources:
+ requests:
+ cpu: 200m
+ memory: 128Mi
diff --git a/charts/capsule/ci/test-values.yaml b/charts/capsule/ci/test-values.yaml
index ebac15e5..1bb39d51 100644
--- a/charts/capsule/ci/test-values.yaml
+++ b/charts/capsule/ci/test-values.yaml
@@ -1,16 +1,12 @@
 fullnameOverride: capsule
 manager:
- # Manager RBAC
+ resources:
+ requests:
+ cpu: 200m
+ memory: 128Mi
 rbac:
 create: true
 existingClusterRoles:
 - "view"
 existingRoles:
 - "some-role"
- resources:
- limits:
- cpu: 500m
- memory: 512Mi
- requests:
- cpu: 200m
- memory: 128Mi
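Review bot: `--dependency-update` on `helm upgrade` re-resolves the `dependencies:` constraints and refreshes Chart.lock at install time, so e2e does not exercise the committed lock and its `digest` but whatever the registry serves for `0.6.0` at that moment; as I read Helm's behaviour this is `dependency update`, not `dependency build`, and it runs whenever the `charts/` directory is missing, which is the normal CI case. Running `helm dependency build charts/capsule` as a preceding step and dropping the flag would make e2e verify the pinned digest instead, which is what committing the lockfile is for. The `e2e-install` recipe continues past this hunk, so where exactly the step belongs is outside my view.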