
Commit 041eb86

fix: consider capsuleconfiguration status users (#1046)
* feat(deps): bump golang 1.26.4 Signed-off-by: Oliver Baehler <oliver@sudo-i.net> * fix: consider capsuleconfiguration status users Signed-off-by: Oliver Baehler <oliver@sudo-i.net> --------- Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
1 parent 9276c82 commit 041eb86

9 files changed

Lines changed: 113 additions & 20 deletions


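--- a/.golangci.yml
+++ b/.golangci.yml
@@ -5,7 +5,6 @@ run:
 linters:
   enable:
     - wsl_v5
-    - gomodguard_v2
   default: all
   disable:
     - wsl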

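--- a/Makefile
+++ b/Makefile
@@ -290,6 +290,84 @@ install: manifests ## Install CRDs into the K8s cluster specified in ~/.kube/con
 uninstall: manifests ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	kubectl delete -f charts/capsule-proxy/crds
 
+
+####################
+# -- Enterprise Release
+####################
+
+ENTERPRISE_VERSION ?= "dirty"
+ENTERPRISE_REGISTRY ?= "registry.projectcapsule.dev"
+
+.PHONY: enterprise-release
+enterprise-release:
+	mkdir -p ./builds
+	$(MAKE) CAPSULE_PROXY_IMG=$(ENTERPRISE_REGISTRY)/enterprise/capsule-proxy VERSION=v$(ENTERPRISE_VERSION) ko-publish-capsule-proxy
+	$(HELM) package ./charts/capsule-proxy --app-version=$(ENTERPRISE_VERSION) --version=$(ENTERPRISE_VERSION) --destination ./builds/
+	$(HELM) push ./builds/capsule-proxy-$(ENTERPRISE_VERSION).tgz oci://$(ENTERPRISE_REGISTRY)/charts/
+	$(MAKE) deploy-enterprise
+	rm -rf ./builds
+
+.PHONY: deploy-enterprise
+deploy-enterprise:
+	@echo ""
+	@echo "Deploying Capsule-Proxy (Enterprise) $(ENTERPRISE_VERSION)"
+	@echo ""
+	@echo "1) Create image pull secret (Change the credentials with the ones provided to you):"
+	@echo ""
+	@echo "kubectl create secret docker-registry capsule-enterprise -n capsule-system \\"
+	@echo " --docker-username='robot\$$name' \\"
+	@echo " --docker-password='serviceaccount-password' \\"
+	@echo " --docker-server='$(ENTERPRISE_REGISTRY)'"
+	@echo ""
+	@echo "2) Deploy Capsule-Proxy:"
+	@echo ""
+	@echo "helm upgrade --install capsule-proxy \\"
+	@echo " oci://$(ENTERPRISE_REGISTRY)/charts/capsule-proxy \\"
+	@echo " --namespace capsule-system \\"
+	@echo " --version $(ENTERPRISE_VERSION) \\"
+	@echo " --reuse-values \\"
+	@echo " --set image.registry=$(ENTERPRISE_REGISTRY) \\"
+	@echo " --set image.repository=enterprise/capsule-proxy \\"
+	@echo " --set 'serviceAccount.imagePullSecrets={capsule-enterprise}'"
+	@echo ""
+
+.PHONY: enterprise-prerelease
+enterprise-prerelease:
+	mkdir -p ./builds
+	$(MAKE) CAPSULE_PROXY_IMG=$(ENTERPRISE_REGISTRY)/prereleases/capsule-proxy VERSION=v$(ENTERPRISE_VERSION) ko-publish-capsule-proxy
+	$(HELM) package ./charts/capsule-proxy --app-version=$(ENTERPRISE_VERSION) --version=$(ENTERPRISE_VERSION) --destination ./builds/
+	$(HELM) push ./builds/capsule-proxy-$(ENTERPRISE_VERSION).tgz oci://$(ENTERPRISE_REGISTRY)/charts/prereleases/
+	$(MAKE) deploy-enterprise-prerelease
+	rm -rf ./builds
+
+.PHONY: deploy-enterprise-prerelease
+deploy-enterprise-prerelease:
+	@echo ""
+	@echo "Deploying Capsule-Proxy Prerelease (Enterprise) $(ENTERPRISE_VERSION)"
+	@echo ""
+	@echo "1) Create image pull secret (Change the credentials with the ones provided to you):"
+	@echo ""
+	@echo "kubectl create secret docker-registry capsule-enterprise -n capsule-system \\"
+	@echo " --docker-username='robot\$$name' \\"
+	@echo " --docker-password='serviceaccount-password' \\"
+	@echo " --docker-server='$(ENTERPRISE_REGISTRY)'"
+	@echo ""
+	@echo "2) Deploy Capsule-Proxy:"
+	@echo ""
+	@echo "helm upgrade --install capsule-proxy \\"
+	@echo " oci://$(ENTERPRISE_REGISTRY)/charts/prereleases/capsule-proxy \\"
+	@echo " --namespace capsule-system \\"
+	@echo " --version $(ENTERPRISE_VERSION) \\"
+	@echo " --reuse-values \\"
+	@echo " --set image.registry=$(ENTERPRISE_REGISTRY) \\"
+	@echo " --set image.repository=prereleases/capsule-proxy \\"
+	@echo " --set image.tag=v$(ENTERPRISE_VERSION) \\"
+	@echo " --set image.pullPolicy=Always \\"
+	@echo " --set 'serviceAccount.imagePullSecrets={capsule-enterprise}'"
+	@echo ""
+
+
+
 ####################
 # -- Helpers
 ####################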
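Review bot: `enterprise-release` never verifies that `ENTERPRISE_VERSION` was actually supplied, so a bare `make enterprise-release` publishes the image as `v"dirty"` and the chart as version `dirty` to the production path `oci://$(ENTERPRISE_REGISTRY)/charts/`; `enterprise-prerelease` has the same gap. The `"dirty"` sentinel is also stored with its literal double quotes (Make keeps them as part of the value), which only works because the shell strips them again on every recipe line and would defeat a `$(filter …)` comparison in Make itself. I would drop the quotes and fail early: `ENTERPRISE_VERSION ?= dirty` and, as the first recipe line of both release targets, `$(if $(filter-out dirty,$(ENTERPRISE_VERSION)),,$(error ENTERPRISE_VERSION must be set to a release version))`. The two `deploy-*` targets differ only in the chart path, the repository and two `--set` lines, so a single target parameterised by a target-specific variable would keep the printed instructions from drifting apart. `ko-publish-capsule-proxy` and `$(HELM)` are defined outside this hunk, so the tag ko finally applies cannot be confirmed here.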

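--- a/charts/capsule-proxy/README.md
+++ b/charts/capsule-proxy/README.md
@@ -164,6 +164,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the capsule-proxy container. |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.imagePullSecrets | list | `[]` | Pullsecrets mounted to the service account, used to pull images from private registries. |
 | serviceAccount.name | string | `capsule-proxy` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
 | tolerations | list | `[]` | Set list of tolerations for the capsule-proxy pod. |
 | topologySpreadConstraints | list | `[]` | Topology Spread Constraints for the capsule-proxy pod. |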

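--- a/charts/capsule-proxy/templates/serviceaccount.yaml
+++ b/charts/capsule-proxy/templates/serviceaccount.yaml
@@ -12,4 +12,10 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . | quote }}
+  {{- end }}
+{{- end }}
 {{- end }}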
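Review bot: `{{ . | quote }}` on line 18 assumes every entry of `serviceAccount.imagePullSecrets` is a plain string, but the matching entry added in `charts/capsule-proxy/values.schema.json` only declares `"type": "array"` with no `items`, so the Kubernetes-native form `[{name: capsule-enterprise}]` passes schema validation and is rendered as the literal secret name `map[name:capsule-enterprise]`, which is only noticed when the pod fails to pull. Either constrain the schema with `"items": { "type": "string" }` (via the values.yaml annotation if the schema file is generated) or accept both shapes in the template with a `kindIs "string" .` branch. The secret is referenced by name only, so a misspelled name or a secret living in another namespace is likewise not caught at install time; a short comment above line 15 stating that the entries must be names of secrets in the release namespace would help chart users.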

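--- a/charts/capsule-proxy/values.schema.json
+++ b/charts/capsule-proxy/values.schema.json
@@ -1093,6 +1093,10 @@
           "description": "Specifies whether a service account should be created.",
           "type": "boolean"
         },
+        "imagePullSecrets": {
+          "description": "Pullsecrets mounted to the service account, used to pull images from private registries.",
+          "type": "array"
+        },
         "name": {
           "description": "The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template",
           "type": "string"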

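--- a/charts/capsule-proxy/values.yaml
+++ b/charts/capsule-proxy/values.yaml
@@ -390,6 +390,9 @@ serviceAccount:
   # -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template
   # @default -- `capsule-proxy`
   name: ""
+  # -- Pullsecrets mounted to the service account, used to pull images from private registries.
+  imagePullSecrets: []
+  # just string array [ "sec-1", "sec-2" ]
 
 # HorizontalPodAutoscaler
 autoscaling: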
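Review bot: The trailing comment `# just string array [ "sec-1", "sec-2" ]` on line 395 sits after the value rather than in the `# --` description above it, so the README generator that the `# --` and `# @default --` markers on the surrounding lines appear to feed does not pick it up, and the generated `charts/capsule-proxy/README.md` row in this commit carries no hint about the expected shape. Fold the example into the description, e.g. `# -- Pullsecrets mounted to the service account (plain list of secret names, e.g. ["sec-1", "sec-2"]), used to pull images from private registries.`, and drop the stray line.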

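--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/projectcapsule/capsule-proxy
 
-go 1.26.3
+go 1.26.4
 
 require (
 	github.com/go-logr/logr v1.4.3
@@ -10,7 +10,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.29.0
 	github.com/onsi/gomega v1.41.0
 	github.com/pkg/errors v0.9.1
-	github.com/projectcapsule/capsule v0.13.0
+	github.com/projectcapsule/capsule v0.13.2
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/client_model v0.6.2
 	github.com/spf13/pflag v1.0.10
@@ -46,7 +46,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.9.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.23.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.5 // indirect
+	github.com/go-openapi/jsonreference v0.21.6 // indirect
 	github.com/go-openapi/swag v0.26.0 // indirect
 	github.com/go-openapi/swag/cmdutils v0.26.0 // indirect
 	github.com/go-openapi/swag/conv v0.26.0 // indirect
@@ -72,7 +72,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/common v0.68.1 // indirect
 	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
@@ -97,7 +97,7 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af // indirect
+	k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.4.0 // indirect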

go.sum

Lines changed: 10 additions & 0 deletions
@@ -22,6 +22,7 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
2222
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
2323
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
2424
github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
25+
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
2526
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
2627
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
2728
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -71,6 +72,8 @@ github.com/go-openapi/jsonpointer v0.23.1 h1:1HBACs7XIwR2RcmItfdSFlALhGbe6S92p0r
7172
github.com/go-openapi/jsonpointer v0.23.1/go.mod h1:iWRmZTrGn7XwYhtPt/fvdSFj1OfNBngqRT2UG3BxSqY=
7273
github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE=
7374
github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
75+
github.com/go-openapi/jsonreference v0.21.6 h1:NZ5nGfnaM1n4I43Xjm1e5/M2GjOwQwndQz22uhxwD+Y=
76+
github.com/go-openapi/jsonreference v0.21.6/go.mod h1:xzbgtQ3ZbWxvET3AxdzCJlJt6vkovbf+IfSPJjD0tUY=
7477
github.com/go-openapi/swag v0.26.0 h1:GVDXCmfvhfu1BxiHo8/FA+BbKmhecHnG3varjON5/RI=
7578
github.com/go-openapi/swag v0.26.0/go.mod h1:82g3193sZJRbocs7bNCqGfIgq8pkuwVwCfhKIRlEQF0=
7679
github.com/go-openapi/swag/cmdutils v0.26.0 h1:iowihOcvq7y4egO8cOq0dmfohz6wfeQ63U1EnuhO2TU=
@@ -101,6 +104,7 @@ github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDN
101104
github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
102105
github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
103106
github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
107+
github.com/go-openapi/testify/v2 v2.5.1 h1:TMdhCaw8fUNraVSf3Omoob1dO/AzBfhtFAPW0an6sBo=
104108
github.com/go-sprout/sprout v1.0.3 h1:LLuz0D3aYazgbVTOwCVuMor3LOUVYinipXRIdjA/D+I=
105109
github.com/go-sprout/sprout v1.0.3/go.mod h1:cFFzpnyGGry3cmN0UNCAM1f7AGok6vPVabeYQzBMBZY=
106110
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -205,6 +209,8 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
205209
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
206210
github.com/projectcapsule/capsule v0.13.0 h1:Ucf1eEykHKd/+ldQU+mupaLlgUiWX4RJwBlyHicWkBI=
207211
github.com/projectcapsule/capsule v0.13.0/go.mod h1:31bHFA3xRYeh8n+uV5nmVzGu1GYkREhajY3hYe7wqYQ=
212+
github.com/projectcapsule/capsule v0.13.2 h1:MvSGvwszQWg6WrJud+USeHjeBnai0JXbrUifFaTOvY4=
213+
github.com/projectcapsule/capsule v0.13.2/go.mod h1:QuNfwc1IkAhWZyWvWTL58P/PYjpPeAf6wqKzysWNLG0=
208214
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
209215
github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
210216
github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
@@ -217,6 +223,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q
217223
github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
218224
github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
219225
github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
226+
github.com/prometheus/common v0.68.1 h1:omjRRl4QP4komogpXuhfeOiisQg7xdy8VM1UY+pStaY=
227+
github.com/prometheus/common v0.68.1/go.mod h1:ZzL3f6u94qUxh9p+tJTrF+FvBS1XXbbRAZCQkytAL0Y=
220228
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
221229
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
222230
github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
@@ -382,6 +390,8 @@ k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
382390
k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
383391
k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af h1:zLXA2Irn14q2/06WMkxViyr7YCPUO2lJ0QYE9Juy5vA=
384392
k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY=
393+
k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25 h1:mPMaPMpBij2V1Wv/fR+HW124vVGXXvOSS9ver/9yjWs=
394+
k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY=
385395
k8s.io/kubectl v0.36.1 h1:96HqS9twIdHM0MlJLTwbo14b9kUKPkOzZ4tlRDLv4qI=
386396
k8s.io/kubectl v0.36.1/go.mod h1:/DGPAIewKsFWF9VFgGvkPhao2Ev4SNuE3BioZo8yPbk=
387397
k8s.io/utils v0.0.0-20260507154919-ff6756f316d2 h1:wU4tMEhLGgIbLvXQb1cfN+EcM0wf7zC6CPF+C79jroc=

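--- a/internal/controllers/capsule_configuration.go
+++ b/internal/controllers/capsule_configuration.go
@@ -59,24 +59,16 @@ func (c *CapsuleConfiguration) Reconcile(ctx context.Context, request reconcile.
 		panic(err)
 	}
 
-	//nolint:staticcheck
-	allGroups := append(
-		append([]string{}, capsuleConfig.Spec.UserGroups...), // copy to avoid aliasing
-		capsuleConfig.Spec.Users.GetByKinds(
-			[]capsulerbac.OwnerKind{capsulerbac.GroupOwner},
-		)...,
+	allGroups := capsuleConfig.Status.Users.GetByKinds(
+		[]capsulerbac.OwnerKind{capsulerbac.GroupOwner},
 	)
 
 	CapsuleUserGroups = sets.New[string](allGroups...)
 
-	//nolint:staticcheck
-	allUsers := append(
-		append([]string{}, capsuleConfig.Spec.UserNames...), // copy base slice
-		capsuleConfig.Spec.Users.GetByKinds([]capsulerbac.OwnerKind{
-			capsulerbac.UserOwner,
-			capsulerbac.ServiceAccountOwner,
-		})...,
-	)
+	allUsers := capsuleConfig.Status.Users.GetByKinds([]capsulerbac.OwnerKind{
+		capsulerbac.UserOwner,
+		capsulerbac.ServiceAccountOwner,
+	})
 
 	CapsuleUsers = sets.New[string](allUsers...)
 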