feat(chart): add capsule-proxy 0.6.0 as optional dependency

.github/configs/ct.yaml

@@ -2,6 +2,8 @@ remote: origin
 target-branch: main
 chart-dirs:
   - charts
+chart-repos:
+  - capsule=https://projectcapsule.github.io/charts/
 helm-extra-args: "--timeout 600s"  
 validate-chart-schema: false
 validate-maintainers: false

.github/workflows/e2e.yml

@@ -57,6 +57,6 @@ jobs:
           version: v0.14.0
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
         with:
-          version: 3.3.4
+          version: v3.14.2
       - name: e2e testing
         run: make e2e/${{ matrix.k8s-version }}

.github/workflows/helm-test.yml

@@ -17,6 +17,8 @@ jobs:
         with:
           fetch-depth: 0
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+        with:
+          version: v3.14.2
       - name: Linting Chart
         run: helm lint ./charts/capsule
       - name: Setup Chart Linting

Makefile

@@ -87,26 +87,24 @@ apidoc: apidocs-gen
 # Helm
 SRC_ROOT = $(shell git rev-parse --show-toplevel)
 
-helm-controller-version:
-	$(eval VERSION := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
-	$(eval KO_TAGS := $(shell grep 'appVersion:' charts/capsule/Chart.yaml | awk '{print "v"$$2}'))
-
 helm-docs: HELMDOCS_VERSION := v1.11.0
 helm-docs: docker
 	@docker run -v "$(SRC_ROOT):/helm-docs" jnorwood/helm-docs:$(HELMDOCS_VERSION) --chart-search-root /helm-docs
 
-helm-lint: CT_VERSION := v3.3.1
 helm-lint: docker
 	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml  --lint-conf .github/configs/lintconf.yaml  --all --debug"
 
-helm-test: helm-controller-version kind ct ko-build-all
+helm-test: kind ct ko-build-all
 	@kind create cluster --wait=60s --name capsule-charts
+	@make helm-test-exec
+	@kind delete cluster --name capsule-charts
+
+helm-test-exec:
 	@kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
-	@kubectl create ns capsule-system
-	@kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
-	@kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+	@kubectl create ns capsule-system || true
+	@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+	@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
 	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
-	@kind delete cluster --name capsule-charts
 
 docker:
 	@hash docker 2>/dev/null || {\
@@ -247,7 +245,7 @@ ginkgo: ## Download ginkgo locally if necessary.
 	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
 
 CT         := $(shell pwd)/bin/ct
-CT_VERSION := v3.7.1
+CT_VERSION := v3.10.1
 ct: ## Download ct locally if necessary.
 	$(call go-install-tool,$(CT),github.com/helm/chart-testing/v3/ct@$(CT_VERSION))
 
@@ -326,6 +324,7 @@ e2e-build/%:
 .PHONY: e2e-install
 e2e-install:
 	helm upgrade \
+	    --dependency-update \
 		--debug \
 		--install \
 		--namespace capsule-system \

charts/capsule/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: capsule-proxy
+  repository: oci://ghcr.io/projectcapsule/charts
+  version: 0.6.0
+digest: sha256:4cf05b352f1c38a821081cc01ac5f2a84ed7d68514a5b98e63edba5ab1c7b19e
+generated: "2024-03-05T17:09:58.383699+01:00"

charts/capsule/Chart.yaml

@@ -4,6 +4,12 @@ description: A Helm chart to deploy the Capsule Operator for easily implementing
   managing, and maintaining mutitenancy and access control in Kubernetes.
 home: https://github.com/projectcapsule/capsule
 icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
+dependencies:
+  - name: capsule-proxy
+    version: 0.6.0
+    repository: "oci://ghcr.io/projectcapsule/charts"
+    condition: proxy.enabled
+    alias: proxy
 keywords:
 - kubernetes
 - operator
@@ -18,10 +24,9 @@ maintainers:
 name: capsule
 sources:
 - https://github.com/projectcapsule/capsule
-# The version is overwritten by the release workflow.
+# Note: The version is overwritten by the release workflow.
 version: 0.6.0
-# This is the version number of the application being deployed.
-# This version number should be incremented each time you make changes to the application.
+# Note: The version is overwritten by the release workflow.
 appVersion: 0.5.0
 annotations:
   artifacthub.io/operator: "true"

charts/capsule/README.md

@@ -85,6 +85,7 @@ Here the values you can override:
 | podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
 | podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
+| proxy.enabled | bool | `false` | Enable Installation of Capsule Proxy |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
@@ -118,10 +119,7 @@ Here the values you can override:
 | manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.rbac.existingRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
-| manager.resources.limits.cpu | string | `"200m"` |  |
-| manager.resources.limits.memory | string | `"128Mi"` |  |
-| manager.resources.requests.cpu | string | `"200m"` |  |
-| manager.resources.requests.memory | string | `"128Mi"` |  |
+| manager.resources | object | `{}` | Set the resource requests/limits for the Capsule manager container |
 | manager.webhookPort | int | `9443` | Set an alternative to the default container port.  Useful for use in some kubernetes clusters (such as GKE Private) with aggregator routing turned on, because pod ports have to be opened manually on the firewall side |
 
 ### ServiceMonitor Parameters

charts/capsule/ci/proxy-values.yaml

@@ -0,0 +1,7 @@
+proxy:
+  enabled: true
+manager:
+  resources:
+    requests:
+      cpu: 200m
+      memory: 128Mi

charts/capsule/ci/test-values.yaml

@@ -1,16 +1,12 @@
 fullnameOverride: capsule
 manager:
-    # Manager RBAC
+  resources:
+    requests:
+      cpu: 200m
+      memory: 128Mi
   rbac:
     create: true
     existingClusterRoles:
     - "view"
     existingRoles:
     - "some-role"
-  resources:
-    limits:
-      cpu: 500m
-      memory: 512Mi
-    requests:
-      cpu: 200m
-      memory: 128Mi

charts/capsule/values.yaml

@@ -11,6 +11,11 @@ tls:
   # -- Override name of the Capsule TLS Secret name when externally managed.
   name: ""
 
+# Capsule Proxy
+proxy:
+  # -- Enable Installation of Capsule Proxy
+  enabled: false
+
 # Manager Options
 manager:
 
@@ -85,13 +90,8 @@ manager:
       path: /readyz
       port: 10080
 
-  resources:
-    limits:
-      cpu: 200m
-      memory: 128Mi
-    requests:
-      cpu: 200m
-      memory: 128Mi
+  # -- Set the resource requests/limits for the Capsule manager container
+  resources: {}
 
 # -- Configuration for `imagePullSecrets` so that you can use a private images registry.
 imagePullSecrets: []