feat: add minor improvements (#965)

* feat: add logger middleware

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* fix(proxy): fix matching of core api groups and remove regexp

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat: add strict rbac for proxy

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat: use cert-manager as default issuer

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat: add optiona gangplank instance

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: merge commit

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: bump controller-runtime

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: upgrade fluxcd to 2.7.5

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

Author: oliverbaehler

Makefile

@@ -183,51 +183,58 @@ ifeq ($(CAPSULE_PROXY_MODE),http)
 		--set "options.enableSSL=false" \
 		--set "options.logLevel=10" \
 		--set "options.pprof=true" \
+		--set "options.leaderElection=true" \
 		--set "service.type=NodePort" \
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
 		--set "serviceMonitor.enabled=false" \
 		--set "options.generateCertificates=false" \
-		--set "webhooks.enabled=true" \
+		--set "certManager.generateCertificates=false" \
 		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 else
 	@echo "Running in HTTPS mode"
-	@echo "capsule proxy certificates..."
-	cd hack && $(MKCERT) -install && $(MKCERT) 127.0.0.1  \
-		&& kubectl --namespace capsule-system delete secret capsule-proxy || true \
-		&& kubectl --namespace capsule-system create secret generic capsule-proxy --from-file=tls.key=./127.0.0.1-key.pem --from-file=tls.crt=./127.0.0.1.pem --from-literal=ca=$$(cat $(ROOTCA) | base64 |tr -d '\n')
-	@echo "kubeconfig configurations..."
-	@cd hack \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil projectcapsule.dev,capsule.clastix.io \
-		&& mv alice-oil.kubeconfig alice.kubeconfig \
-		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
-		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas projectcapsule.dev,capsule.clastix.io \
-		&& mv bob-gas.kubeconfig bob.kubeconfig \
-		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
-		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas projectcapsule.dev,capsule.clastix.io,foo.clastix.io \
-		&& mv joe-gas.kubeconfig foo.clastix.io.kubeconfig \
-		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
-		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil projectcapsule.dev,capsule.clastix.io,bar.clastix.io \
-		&& mv dave-soil.kubeconfig dave.kubeconfig \
-		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
-		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.server https://127.0.0.1:9001
 	@echo "Installing Capsule-Proxy using HELM..."
 	@helm upgrade --install capsule-proxy ./charts/capsule-proxy -n capsule-system \
 		--set "image.pullPolicy=Never" \
 		--set "image.tag=$(VERSION)" \
 		--set "options.logLevel=10" \
 		--set "options.pprof=true" \
+		--set "options.leaderElection=true" \
 		--set "service.type=NodePort" \
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
 		--set "serviceMonitor.enabled=false" \
-		--set "webhooks.enabled=true" \
+		--set "options.generateCertificates=false" \
+		--set "certManager.certificate.ipAddresses={127.0.0.1}" \
 		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 endif
 	@kubectl rollout restart ds capsule-proxy -n capsule-system || true
+	$(MAKE) generate-kubeconfigs
+
+generate-kubeconfigs:
+	CA_B64=$$(kubectl -n capsule-system get secret capsule-proxy-root-secret -o jsonpath='{.data.ca\.crt}') ; \
+	if [ -z "$$CA_B64" ]; then \
+	  echo "ERROR: secret capsule-system/capsule-proxy-root-secret missing .data[ca.crt]" ; \
+	  exit 1 ; \
+	fi;
+	@cd hack \
+		&& CA_B64=$$(kubectl -n capsule-system get secret capsule-proxy-root-secret -o jsonpath='{.data.ca\.crt}') \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil projectcapsule.dev,capsule.clastix.io \
+		&& mv alice-oil.kubeconfig alice.kubeconfig \
+		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data "$$CA_B64"  \
+		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas projectcapsule.dev,capsule.clastix.io \
+		&& mv bob-gas.kubeconfig bob.kubeconfig \
+		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data "$$CA_B64" \
+		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas projectcapsule.dev,capsule.clastix.io,foo.clastix.io \
+		&& mv joe-gas.kubeconfig foo.clastix.io.kubeconfig \
+		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data "$$CA_B64" \
+		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil projectcapsule.dev,capsule.clastix.io,bar.clastix.io \
+		&& mv dave-soil.kubeconfig dave.kubeconfig \
+		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.certificate-authority-data "$$CA_B64" \
+		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.server https://127.0.0.1:9001
 
 install-dependencies:
 	@$(KUBECTL) kustomize e2e/distro/flux/ | kubectl apply --force-conflicts --server-side=true -f -
@@ -305,7 +312,7 @@ helm-doc:
 # -- Tools
 ####################
 CONTROLLER_GEN         := $(LOCALBIN)/controller-gen
-CONTROLLER_GEN_VERSION ?= v0.19.0
+CONTROLLER_GEN_VERSION ?= v0.20.0
 CONTROLLER_GEN_LOOKUP  := kubernetes-sigs/controller-tools
 controller-gen:
 	@test -s $(CONTROLLER_GEN) && $(CONTROLLER_GEN) --version | grep -q $(CONTROLLER_GEN_VERSION) || \

charts/capsule-proxy/README.md

@@ -95,7 +95,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | global.jobs.certs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the post install certgen job |
 | global.jobs.certs.image.registry | string | `"registry.k8s.io"` | Set the image repository of the post install certgen job |
 | global.jobs.certs.image.repository | string | `"ingress-nginx/kube-webhook-certgen"` | Set the image repository of the post install certgen job |
-| global.jobs.certs.image.tag | string | `"v1.6.5"` | Set the image tag of the post install certgen job |
+| global.jobs.certs.image.tag | string | `"v1.6.7"` | Set the image tag of the post install certgen job |
 | global.jobs.certs.nodeSelector | object | `{}` | Set the node selector |
 | global.jobs.certs.podSecurityContext | object | `{"enabled":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
 | global.jobs.certs.priorityClassName | string | `""` | Set a pod priorityClassName |
@@ -137,6 +137,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | daemonset.hostPort | bool | `false` | Binding the capsule-proxy listening port to the host port. |
 | env | list | `[]` | Additional environment variables |
 | hostNetwork | bool | `false` | When deployed as DaemonSet use |
+| hostUsers | bool | `true` | Don't use Host Users (User Namespaces) |
 | image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
 | image.registry | string | `"ghcr.io"` | Set the image registry for capsule-proxy |
 | image.repository | string | `"projectcapsule/capsule-proxy"` | Set the image repository for capsule-proxy. |
@@ -150,7 +151,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | podLabels | object | `{}` | Labels to add to the capsule-proxy pod. |
 | podSecurityContext | object | `{"enabled":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the capsule-proxy pod. |
 | priorityClassName | string | `""` | Specifies PriorityClass of the capsule-proxy pod. |
-| rbac.clusterRole | string | `"cluster-admin"` | Controller ClusterRole |
+| rbac.clusterRole | string | `""` | Controller ClusterRole |
 | rbac.enabled | bool | `true` | Enable Creation of ClusterRoles |
 | readinessProbe | object | `{"enabled":true,"httpGet":{"path":"/readyz/","port":"probe","scheme":"HTTP"},"initialDelaySeconds":5}` | Proxy Readyness-Probe |
 | replicaCount | int | `1` | Set the replica count for capsule-proxy pod. |
@@ -184,7 +185,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | options.disableCaching | bool | `false` | Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector. |
 | options.enableSSL | bool | `true` | Specify if capsule-proxy will use SSL |
 | options.extraArgs | list | `[]` | A list of extra arguments to add to the capsule-proxy. |
-| options.generateCertificates | bool | `true` | Specify if capsule-proxy will generate self-signed SSL certificates |
+| options.generateCertificates | bool | `false` | Specify if capsule-proxy will generate self-signed SSL certificates |
 | options.ignoredUserGroups | list | `[]` | Define which groups must be ignored while proxying requests |
 | options.leaderElection | bool | `false` | Set leader election to true if you are running n-replicas |
 | options.listeningPort | int | `9001` | Set the listening port of the capsule-proxy |
@@ -207,7 +208,7 @@ You can manage the certificate with the help of [cert-manager](https://cert-mana
 | certManager.certificate.uris | list | `[]` | Additional URIs to include in certificate |
 | certManager.externalCA.enabled | bool | `false` | Set if want cert manager to sign certificates with an external CA |
 | certManager.externalCA.secretName | string | `""` |  |
-| certManager.generateCertificates | bool | `false` | Set if the cert manager will generate SSL certificates (self-signed or CA-signed) |
+| certManager.generateCertificates | bool | `true` | Set if the cert manager will generate SSL certificates (self-signed or CA-signed) |
 | certManager.issuer.kind | string | `"Issuer"` | Set if the cert manager will generate either self-signed or CA signed SSL certificates. Its value will be either Issuer or ClusterIssuer |
 | certManager.issuer.name | string | `""` | Set the name of the ClusterIssuer if issuer kind is ClusterIssuer and if cert manager will generate CA signed SSL certificates |
 
@@ -280,6 +281,51 @@ You can manage the certificate with the help of [cert-manager](https://cert-mana
 | serviceMonitor.serviceAccount.namespace | string | `""` |  |
 | serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
 
+### Gangplank Parameters
+
+[Read More](https://projectcapsule.dev/docs/proxy/gangplank/)
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| gangplank.affinity | object | `{}` | Set affinity rules |
+| gangplank.config | object | `{"apiServerURL":"https://apiserver.example.test","authorizeURL":"https://oauth2provider.test/authorize","clientID":"client-id","clientSecret":"client-secret","clusterName":"cluster-name","redirectURL":"https://gangplank.example.test/callback","tokenURL":"https://oauth2provider.test/token"}` | Custom inline Gangplank configuration (ENV Styles) |
+| gangplank.enabled | bool | `false` | Enable Gangplank |
+| gangplank.envFrom | list | `[]` |  |
+| gangplank.envs | object | `{}` |  |
+| gangplank.hostUsers | bool | `true` | Don't use Host Users (User Namespaces) |
+| gangplank.image.pullPolicy | string | `"IfNotPresent"` |  |
+| gangplank.image.repository | string | `"registry.sighup.io/fury/gangplank"` |  |
+| gangplank.image.tag | string | `"1.1.1"` |  |
+| gangplank.imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
+| gangplank.ingress.annotations | object | `{}` |  |
+| gangplank.ingress.className | string | `""` |  |
+| gangplank.ingress.enabled | bool | `false` |  |
+| gangplank.ingress.hosts[0].host | string | `"chart-example.local"` |  |
+| gangplank.ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| gangplank.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| gangplank.ingress.tls | list | `[]` |  |
+| gangplank.livenessProbe | object | `{"httpGet":{"path":"/","port":"http"}}` | Configure the liveness probe using Deployment probe specs |
+| gangplank.nodeSelector | object | `{}` | Set the node selector |
+| gangplank.podAnnotations | object | `{}` | Annotations to add to the pod. |
+| gangplank.podLabels | object | `{}` | Labels to add to the pod. |
+| gangplank.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Pod |
+| gangplank.priorityClassName | string | `""` | Set a pod priorityClassName |
+| gangplank.readinessProbe | object | `{"httpGet":{"path":"/","port":"http"}}` | Configure the readiness probe using Deployment probe spec |
+| gangplank.replicaCount | int | `1` | Set the replica count |
+| gangplank.resources | object | `{}` | Set the resource requests/limits |
+| gangplank.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534}` | Set the securityContext for the Container |
+| gangplank.sensitiveEnvs | object | `{"GANGPLANK_CONFIG_SESSION_SECURITY_KEY":"session-security-key"}` | Environment variables (Secret) |
+| gangplank.service.port | int | `80` |  |
+| gangplank.service.type | string | `"ClusterIP"` |  |
+| gangplank.serviceAccount.annotations | object | `{}` |  |
+| gangplank.serviceAccount.automount | bool | `true` |  |
+| gangplank.serviceAccount.create | bool | `true` |  |
+| gangplank.serviceAccount.name | string | `""` |  |
+| gangplank.tolerations | list | `[]` | Set list of tolerations |
+| gangplank.topologySpreadConstraints | list | `[]` | Set topology spread constraints |
+| gangplank.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. |
+| gangplank.volumes | list | `[]` | Additional volumes on the output Deployment definition. |
+
 ## Created resources
 
 This Helm Chart cretes the following Kubernetes resources in the release namespace:

charts/capsule-proxy/README.md.gotmpl

@@ -103,7 +103,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if not (or (hasPrefix "certManager" .Key) (hasPrefix "webhooks" .Key) (hasPrefix "global" .Key) (hasPrefix "options" .Key) (hasPrefix "service." .Key) (hasPrefix "ingress" .Key) (hasPrefix "autoscaling" .Key) (hasPrefix "serviceMonitor" .Key) )  }}
+  {{- if not (or (hasPrefix "gangplank" .Key)  (hasPrefix "certManager" .Key) (hasPrefix "webhooks" .Key) (hasPrefix "global" .Key) (hasPrefix "options" .Key) (hasPrefix "service." .Key) (hasPrefix "ingress" .Key) (hasPrefix "autoscaling" .Key) (hasPrefix "serviceMonitor" .Key) )  }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
   {{- end }}
 {{- end }}
@@ -182,6 +182,18 @@ You can manage the certificate with the help of [cert-manager](https://cert-mana
   {{- end }}
 {{- end }}
 
+### Gangplank Parameters
+
+[Read More](https://projectcapsule.dev/docs/proxy/gangplank/)
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if hasPrefix "gangplank" .Key }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
 
 ## Created resources
 

charts/capsule-proxy/ci/gangplank-values.yaml

@@ -0,0 +1,2 @@
+gangplank:
+  enabled: true

charts/capsule-proxy/crds/capsule.clastix.io_globalproxysettings.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
   name: globalproxysettings.capsule.clastix.io
 spec:
   group: capsule.clastix.io

charts/capsule-proxy/crds/capsule.clastix.io_proxysettings.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
   name: proxysettings.capsule.clastix.io
 spec:
   group: capsule.clastix.io

charts/capsule-proxy/templates/_helpers.tpl

@@ -5,6 +5,10 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{- define "gangplank.name" -}}
+{{- include "capsule-proxy.name" $ }}-gangplank
+{{- end }}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -23,6 +27,10 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "gangplank.fullname" -}}
+{{- include "capsule-proxy.fullname" $ }}-gangplank
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -40,6 +48,17 @@ helm.sh/chart: {{ include "capsule-proxy.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: "proxy"
+{{- end }}
+
+{{- define "gangplank.labels" -}}
+helm.sh/chart: {{ include "capsule-proxy.chart" . }}
+{{ include "capsule-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: "gangplank"
 {{- end }}
 
 {{/*
@@ -48,8 +67,17 @@ Selector labels
 {{- define "capsule-proxy.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "capsule-proxy.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: "proxy"
+
+{{- end }}
+
+{{- define "gangplank.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "capsule-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: "gangplank"
 {{- end }}
 
+
 {{/*
 Create the name of the service account to use
 */}}
@@ -61,6 +89,14 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{- define "gangplank.serviceAccountName" -}}
+{{- if .Values.gangplank.serviceAccount.create }}
+{{- default (include "gangplank.fullname" .) .Values.gangplank.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.gangplank.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the fully-qualified Docker image to use
 */}}

charts/capsule-proxy/templates/_pod.tpl

@@ -16,6 +16,9 @@ spec:
   dnsPolicy: ClusterFirstWithHostNet
     {{- end }}
   {{- end }}
+  {{- if not .Values.hostUsers }}
+  hostUsers: {{ .Values.hostUsers }}
+  {{- end }}
   {{- with .Values.imagePullSecrets }}
   imagePullSecrets:
     {{- toYaml . | nindent 4 }}

charts/capsule-proxy/templates/certgen-job.yaml

@@ -1,11 +1,12 @@
 {{/* Backwards compatibility */}}
 {{- $Values := mergeOverwrite $.Values.global.jobs.certs $.Values.jobs -}}
-
 {{- if and .Values.options.enableSSL .Values.options.generateCertificates -}}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "capsule-proxy.fullname" . }}-certgen
+  namespace: {{ $.Release.Namespace }}
   labels:
     {{- include "capsule-proxy.labels" . | nindent 4 }}
   {{- with $Values.annotations }}