feat(controller): add globalproxysettings crd

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

Makefile

@@ -129,10 +129,14 @@ helm-destroy:
 .PHONY: e2e
 e2e: e2e-build e2e-install e2e-exec
 
-.PHONY: e2e-exec
-e2e-exec:
+.PHONY: e2e-legacy-exec
+e2e-legacy-exec:
 	@./e2e/run.bash $${CLIENT_TEST:-kubectl}-$${CAPSULE_PROXY_MODE:-https}
 
+.PHONY: e2e-exec
+e2e-exec: ginkgo
+	$(GINKGO) -v -tags e2e ./e2e
+
 .PHONY: e2e-build
 e2e-build:
 	@echo "Building kubernetes env using Kind $${KIND_K8S_VERSION:-v1.27.0}..."
@@ -151,7 +155,7 @@ e2e-install: install-capsule install-capsule-proxy rbac-fix
 .PHONY: e2e-load-image
 e2e-load-image: ko-build-all
 	@echo "Loading Docker image..."
-	@kind load docker-image --name capsule --nodes capsule-worker $(CAPSULE_PROXY_IMG):$(VERSION)
+	@kind load docker-image --name capsule $(CAPSULE_PROXY_IMG):$(VERSION)
 
 .PHONY: e2e-destroy
 e2e-destroy:
@@ -185,7 +189,8 @@ ifeq ($(CAPSULE_PROXY_MODE),http)
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
 		--set "serviceMonitor.enabled=false" \
-		--set "options.generateCertificates=false"
+		--set "options.generateCertificates=false" \
+		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 else
 	@echo "Running in HTTPS mode"
 	@echo "capsule proxy certificates..."
@@ -194,19 +199,19 @@ else
 		&& kubectl --namespace capsule-system create secret generic capsule-proxy --from-file=tls.key=./127.0.0.1-key.pem --from-file=tls.crt=./127.0.0.1.pem --from-literal=ca=$$(cat $(ROOTCA) | base64 |tr -d '\n')
 	@echo "kubeconfig configurations..."
 	@cd hack \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil capsule.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil projectcapsule.dev,capsule.clastix.io \
 		&& mv alice-oil.kubeconfig alice.kubeconfig \
 		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas capsule.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas projectcapsule.dev,capsule.clastix.io \
 		&& mv bob-gas.kubeconfig bob.kubeconfig \
 		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas capsule.clastix.io,foo.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas projectcapsule.dev,capsule.clastix.io,foo.clastix.io \
 		&& mv joe-gas.kubeconfig foo.clastix.io.kubeconfig \
 		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil capsule.clastix.io,bar.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil projectcapsule.dev,capsule.clastix.io,bar.clastix.io \
 		&& mv dave-soil.kubeconfig dave.kubeconfig \
 		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.server https://127.0.0.1:9001
@@ -219,8 +224,10 @@ else
 		--set "service.nodePort=" \
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
-		--set "serviceMonitor.enabled=false"
+		--set "serviceMonitor.enabled=false" \
+		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 endif
+	@kubectl rollout restart ds capsule-proxy -n capsule-system || true
 
 rbac-fix:
 	@echo "RBAC customization..."
@@ -258,6 +265,11 @@ CONTROLLER_GEN_VERSION = v0.8.0
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 
+GINKGO         := $(shell pwd)/bin/ginkgo
+GINKGO_VERSION = 2.19.0
+ginkgo: ## Download ginkgo locally if necessary.
+	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINKGO_VERSION))
+
 MKCERT = $(shell pwd)/bin/mkcert
 MKCERT_VERSION = v1.4.4
 mkcert: ## Download mkcert locally if necessary.

PROJECT

@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: clastix.io
 layout:
 - go.kubebuilder.io/v3
@@ -16,4 +20,11 @@ resources:
   kind: ProxySettings
   path: github.com/projectcapsule/capsule-proxy/api/v1beta1
   version: v1beta1
+- api:
+    crdVersion: v1
+  domain: clastix.io
+  group: capsule
+  kind: GlobalProxySettings
+  path: github.com/projectcapsule/capsule-proxy/api/v1beta1
+  version: v1beta1
 version: "3"

api/v1beta1/clusterresoure.go

@@ -26,5 +26,6 @@ type ClusterResource struct {
 	Operations []ClusterResourceOperation `json:"operations"`
 
 	// Select all cluster scoped resources with the given label selector.
+	// Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists).
 	Selector *metav1.LabelSelector `json:"selector"`
 }

api/v1beta1/globalproxysettings_types.go

@@ -0,0 +1,60 @@
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"github.com/projectcapsule/capsule/api/v1beta2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
+type GlobalProxySettingsSpec struct {
+	// Subjects that should receive additional permissions.
+	// The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
+	// However they must be part of the capsule-user groups.
+	// +kubebuilder:validation:MinItems=1
+	Rules []GlobalSubjectSpec `json:"rules"`
+}
+
+type GlobalSubjectSpec struct {
+	// Subjects that should receive additional permissions.
+	// The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
+	// However they must be part of the capsule-user groups.
+	Subjects []GlobalSubject `json:"subjects"`
+	// Cluster Resources for tenant Owner.
+	ClusterResources []ClusterResource `json:"clusterResources,omitempty"`
+}
+
+type GlobalSubject struct {
+	// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".
+	Kind v1beta2.OwnerKind `json:"kind"`
+	// Name of tenant owner.
+	Name string `json:"name"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// GlobalProxySettings is the Schema for the globalproxysettings API.
+type GlobalProxySettings struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec GlobalProxySettingsSpec `json:"spec,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// GlobalProxySettingsList contains a list of GlobalProxySettings.
+type GlobalProxySettingsList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []GlobalProxySettings `json:"items"`
+}
+
+//nolint:gochecknoinits
+func init() {
+	SchemeBuilder.Register(&GlobalProxySettings{}, &GlobalProxySettingsList{})
+}

charts/capsule-proxy/README.md

@@ -79,8 +79,10 @@ If you only need to make minor customizations, you can specify them on the comma
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| crds.install | bool | `false` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
+| crds.annnotations | object | `{}` | Extra Annotations for CRDs |
+| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
 | crds.keep | bool | `true` | Keep the CustomResourceDefinitions (when the chart is deleted) |
+| crds.labels | object | `{}` | Extra Labels for CRDs |
 
 ### Global Parameters
 
@@ -121,8 +123,10 @@ If you only need to make minor customizations, you can specify them on the comma
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Set affinity rules for the capsule-proxy pod. |
-| crds.install | bool | `false` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
+| crds.annnotations | object | `{}` | Extra Annotations for CRDs |
+| crds.install | bool | `true` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
 | crds.keep | bool | `true` | Keep the CustomResourceDefinitions (when the chart is deleted) |
+| crds.labels | object | `{}` | Extra Labels for CRDs |
 | daemonset.hostNetwork | bool | `false` | Use the host network namespace for capsule-proxy pod. |
 | daemonset.hostPort | bool | `false` | Binding the capsule-proxy listening port to the host port. |
 | env | list | `[]` | Additional environment variables |