feat(proxysetting): simplify proxy tenant handling (#980)

* feat(proxysetting): simplify proxy tenant handling

Signed-off-by: CorentinPtrl <pitrel.corentin@gmail.com>

* fix(e2e): remove feature gate ProxyClusterScoped

Signed-off-by: CorentinPtrl <pitrel.corentin@gmail.com>

* fix(lint): middleware, lease, pod, webserver

Signed-off-by: CorentinPtrl <pitrel.corentin@gmail.com>

* fix(lint): middleware gci

Signed-off-by: CorentinPtrl <pitrel.corentin@gmail.com>

* feat(proxysettings): deprecate ProxyClusterScoped feature

Signed-off-by: CorentinPtrl <pitrel.corentin@gmail.com>

* feat(proxysettings): remove ProxyClusterScoped from options

Signed-off-by: CorentinPtrl <pitrel.corentin@gmail.com>

---------

Signed-off-by: CorentinPtrl <pitrel.corentin@gmail.com>
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

Author: CorentinPtrl

Makefile

@@ -190,7 +190,7 @@ ifeq ($(CAPSULE_PROXY_MODE),http)
 		--set "serviceMonitor.enabled=false" \
 		--set "options.generateCertificates=false" \
 		--set "certManager.generateCertificates=false" \
-		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
+		--set "options.extraArgs={--feature-gates=ProxyAllNamespaced=true}"
 else
 	@echo "Running in HTTPS mode"
 	@echo "Installing Capsule-Proxy using HELM..."
@@ -206,7 +206,7 @@ else
 		--set "serviceMonitor.enabled=false" \
 		--set "options.generateCertificates=false" \
 		--set "certManager.certificate.ipAddresses={127.0.0.1}" \
-		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
+		--set "options.extraArgs={--feature-gates=ProxyAllNamespaced=true}"
 endif
 	@kubectl rollout restart ds capsule-proxy -n capsule-system || true
 	$(MAKE) generate-kubeconfigs

api/v1beta1/proxysettings_types.go

@@ -13,10 +13,12 @@ type OwnerSpec struct {
 	Kind capsuleapi.OwnerKind `json:"kind"`
 	// Name of tenant owner.
 	Name string `json:"name"`
-	// Proxy settings for tenant owner.
-	ProxyOperations []capsuleapi.ProxySettings `json:"proxySettings,omitempty"`
 	// Cluster Resources for tenant Owner.
 	ClusterResources []ClusterResource `json:"clusterResources,omitempty"`
+	// Deprecated: Use Global Proxy Settings instead (https://projectcapsule.dev/docs/proxy/proxysettings/#globalproxysettings)
+	//
+	// Proxy settings for tenant owner.
+	ProxyOperations []capsuleapi.ProxySettings `json:"proxySettings,omitempty"`
 }
 
 // ProxySettingSpec defines the additional Capsule Proxy settings for additional users of the Tenant.

api/v1beta1/zz_generated.deepcopy.go

@@ -142,7 +142,10 @@ spec:
                       description: Name of tenant owner.
                       type: string
                     proxySettings:
-                      description: Proxy settings for tenant owner.
+                      description: |-
+                        Deprecated: Use Global Proxy Settings instead (https://projectcapsule.dev/docs/proxy/proxysettings/#globalproxysettings)
+
+                        Proxy settings for tenant owner.
                       items:
                         properties:
                           kind:

charts/capsule-proxy/crds/capsule.clastix.io_proxysettings.yaml

@@ -12,7 +12,7 @@ import (
 	"github.com/projectcapsule/capsule-proxy/internal/tenant"
 )
 
-func MutateAuthorization(proxyClusterScoped bool, proxyTenants []*tenant.ProxyTenant, obj *runtime.Object, gvk schema.GroupVersionKind) error {
+func MutateAuthorization(proxyTenants []*tenant.ProxyTenant, obj *runtime.Object, gvk schema.GroupVersionKind) error {
 	switch gvk.Kind {
 	case "SelfSubjectAccessReview":
 		//nolint:forcetypeassert
@@ -21,10 +21,6 @@ func MutateAuthorization(proxyClusterScoped bool, proxyTenants []*tenant.ProxyTe
 			accessReview.Status.Allowed = true
 		}
 
-		if !proxyClusterScoped {
-			return nil
-		}
-
 		accessReviewGvk := schema.GroupVersionKind{
 			Group:   accessReview.Spec.ResourceAttributes.Group,
 			Version: accessReview.Spec.ResourceAttributes.Version,
@@ -48,11 +44,8 @@ func MutateAuthorization(proxyClusterScoped bool, proxyTenants []*tenant.ProxyTe
 		rules := (*obj).(*authorizationv1.SelfSubjectRulesReview)
 
 		var resourceRules []authorizationv1.ResourceRule
-		if proxyClusterScoped {
-			resourceRules = getAllResourceRules(proxyTenants)
-		} else {
-			resourceRules = []authorizationv1.ResourceRule{}
-		}
+
+		resourceRules = getAllResourceRules(proxyTenants)
 
 		resourceRules = append(resourceRules, authorizationv1.ResourceRule{
 			APIGroups: []string{""},

internal/authorization/middleware.go

@@ -19,7 +19,8 @@ const (
 	// essentially bypassing any authorization. Only use this option in trusted environments
 	// where authorization/authentication is offloaded to external systems.
 	SkipImpersonationReview = "SkipImpersonationReview"
-
+	// Deprecated: Use Global Proxy Settings instead (https://projectcapsule.dev/docs/proxy/proxysettings/#globalproxysettings)
+	//
 	// ProxyClusterScoped allows to proxy all clusterScoped objects
 	// for all tenant users.
 	ProxyClusterScoped = "ProxyClusterScoped"

internal/features/features.go

@@ -0,0 +1,42 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package indexer
+
+import (
+	"fmt"
+
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	TenantOwnerKindField = ".status.owner.ownerkind"
+)
+
+// TenantOwnerReference indexes Tenants by their status.owners (Kind:Name).
+type TenantOwnerReference struct{}
+
+func (o TenantOwnerReference) Object() client.Object {
+	return &capsulev1beta2.Tenant{}
+}
+
+func (o TenantOwnerReference) Field() string {
+	return TenantOwnerKindField
+}
+
+func (o TenantOwnerReference) Func() client.IndexerFunc {
+	return func(object client.Object) []string {
+		tnt, ok := object.(*capsulev1beta2.Tenant)
+		if !ok {
+			panic(fmt.Errorf("expected type *capsulev1beta2.Tenant, got %T", object))
+		}
+
+		var owners []string
+		for _, owner := range tnt.Status.Owners {
+			owners = append(owners, fmt.Sprintf("%s:%s", owner.Kind.String(), owner.Name))
+		}
+
+		return owners
+	}
+}