progress

Makefile

@@ -151,7 +151,7 @@ e2e-install: install-capsule install-capsule-proxy rbac-fix
 .PHONY: e2e-load-image
 e2e-load-image: ko-build-all
 	@echo "Loading Docker image..."
-	@kind load docker-image --name capsule --nodes capsule-worker $(CAPSULE_PROXY_IMG):$(VERSION)
+	@kind load docker-image --name capsule $(CAPSULE_PROXY_IMG):$(VERSION)
 
 .PHONY: e2e-destroy
 e2e-destroy:
@@ -185,7 +185,8 @@ ifeq ($(CAPSULE_PROXY_MODE),http)
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
 		--set "serviceMonitor.enabled=false" \
-		--set "options.generateCertificates=false"
+		--set "options.generateCertificates=false" \
+		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 else
 	@echo "Running in HTTPS mode"
 	@echo "capsule proxy certificates..."
@@ -194,19 +195,19 @@ else
 		&& kubectl --namespace capsule-system create secret generic capsule-proxy --from-file=tls.key=./127.0.0.1-key.pem --from-file=tls.crt=./127.0.0.1.pem --from-literal=ca=$$(cat $(ROOTCA) | base64 |tr -d '\n')
 	@echo "kubeconfig configurations..."
 	@cd hack \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil capsule.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil projectcapsule.dev,capsule.clastix.io \
 		&& mv alice-oil.kubeconfig alice.kubeconfig \
 		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas capsule.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas projectcapsule.dev,capsule.clastix.io \
 		&& mv bob-gas.kubeconfig bob.kubeconfig \
 		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas capsule.clastix.io,foo.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas projectcapsule.dev,capsule.clastix.io,foo.clastix.io \
 		&& mv joe-gas.kubeconfig foo.clastix.io.kubeconfig \
 		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil capsule.clastix.io,bar.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil projectcapsule.dev,capsule.clastix.io,bar.clastix.io \
 		&& mv dave-soil.kubeconfig dave.kubeconfig \
 		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.server https://127.0.0.1:9001
@@ -219,8 +220,10 @@ else
 		--set "service.nodePort=" \
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
-		--set "serviceMonitor.enabled=false"
+		--set "serviceMonitor.enabled=false" \
+		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 endif
+	@kubectl rollout restart ds capsule-proxy -n capsule-system || true
 
 rbac-fix:
 	@echo "RBAC customization..."

api/v1beta1/globalproxysettings_types.go

@@ -14,16 +14,23 @@ type GlobalProxySettingsSpec struct {
 	// The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
 	// However they must be part of the capsule-user groups.
 	// +kubebuilder:validation:MinItems=1
-	Subjects []GlobalSubjectSpec `json:"subjects"`
+	Rules []GlobalSubjectSpec `json:"rules"`
 }
 
 type GlobalSubjectSpec struct {
+	// Subjects that should receive additional permissions.
+	// The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
+	// However they must be part of the capsule-user groups.
+	Subjects []GlobalSubject `json:"subjects"`
+	// Cluster Resources for tenant Owner.
+	ClusterResources []ClusterResource `json:"clusterResources,omitempty"`
+}
+
+type GlobalSubject struct {
 	// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".
 	Kind v1beta2.OwnerKind `json:"kind"`
 	// Name of tenant owner.
 	Name string `json:"name"`
-	// Cluster Resources for tenant Owner.
-	ClusterResources []ClusterResource `json:"clusterResources,omitempty"`
 }
 
 //+kubebuilder:object:root=true

charts/capsule-proxy/crds/capsule.clastix.io_globalproxysettings.yaml

@@ -19,7 +19,7 @@ spec:
     schema:
       openAPIV3Schema:
         description: GlobalProxySettings is the Schema for the globalproxysettings
-          API
+          API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -34,13 +34,13 @@ spec:
           metadata:
             type: object
           spec:
-            description: GlobalProxySettingsSpec defines the desired state of GlobalProxySettings
+            description: GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
             properties:
-              subjects:
+              rules:
                 description: Subjects that should receive additional permissions.
-                  The subjects are selected based on the requests. They don't have
-                  to relate to an existing tenant However they must be part of the
-                  capsule-user groups.
+                  The subjects are selected based on the oncoming requests. They don't
+                  have to relate to an existing tenant. However they must be part
+                  of the capsule-user groups.
                 items:
                   properties:
                     clusterResources:
@@ -76,7 +76,9 @@ spec:
                             type: array
                           selector:
                             description: Select all cluster scoped resources with
-                              the given label selector.
+                              the given label selector. Defining a selector which
+                              does not match any resources is considered not selectable
+                              (eg. using operation NotExists).
                             properties:
                               matchExpressions:
                                 description: matchExpressions is a list of label selector
@@ -127,25 +129,36 @@ spec:
                         - selector
                         type: object
                       type: array
-                    kind:
-                      description: Kind of tenant owner. Possible values are "User",
-                        "Group", and "ServiceAccount"
-                      enum:
-                      - User
-                      - Group
-                      - ServiceAccount
-                      type: string
-                    name:
-                      description: Name of tenant owner.
-                      type: string
+                    subjects:
+                      description: Subjects that should receive additional permissions.
+                        The subjects are selected based on the oncoming requests.
+                        They don't have to relate to an existing tenant. However they
+                        must be part of the capsule-user groups.
+                      items:
+                        properties:
+                          kind:
+                            description: Kind of tenant owner. Possible values are
+                              "User", "Group", and "ServiceAccount".
+                            enum:
+                            - User
+                            - Group
+                            - ServiceAccount
+                            type: string
+                          name:
+                            description: Name of tenant owner.
+                            type: string
+                        required:
+                        - kind
+                        - name
+                        type: object
+                      type: array
                   required:
-                  - kind
-                  - name
+                  - subjects
                   type: object
                 minItems: 1
                 type: array
             required:
-            - subjects
+            - rules
             type: object
         type: object
     served: true

charts/capsule-proxy/crds/capsule.clastix.io_proxysettings.yaml

@@ -74,7 +74,9 @@ spec:
                             type: array
                           selector:
                             description: Select all cluster scoped resources with
-                              the given label selector.
+                              the given label selector. Defining a selector which
+                              does not match any resources is considered not selectable
+                              (eg. using operation NotExists).
                             properties:
                               matchExpressions:
                                 description: matchExpressions is a list of label selector

charts/capsule-proxy/values.yaml

@@ -100,9 +100,14 @@ jobs:
 # Manage CRD Lifecycle
 crds:
   # -- Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations)
-  install: false
+  install: true
   # -- Keep the CustomResourceDefinitions (when the chart is deleted)
   keep: true
+  # -- Extra Labels for CRDs
+  labels: {}
+  # -- Extra Annotations for CRDs
+  annnotations: {}
+
 
 # Manage RBAC Lifecycle
 rbac:

e2e/global_settings_test.go

@@ -0,0 +1,37 @@
+package e2e
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes"
+)
+
+var _ = ginkgo.Describe("Kubernetes E2E Test with Multiple Users", func() {
+	var aliceClient, bobClient *kubernetes.Clientset
+
+	ginkgo.BeforeEach(func() {
+		var err error
+		// Load Alice's kubeconfig
+		aliceClient, err = loadKubeConfig("alice")
+		gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
+		// Load Bob's kubeconfig
+		bobClient, err = loadKubeConfig("bob")
+		gomega.Expect(err).NotTo(gomega.HaveOccurred())
+	})
+
+	ginkgo.It("Should verify Alice and Bob's access", func() {
+		// Example: Alice lists namespaces
+		namespaces, err := aliceClient.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
+		gomega.Expect(err).NotTo(gomega.HaveOccurred())
+		fmt.Println("Namespaces accessible by Alice:", namespaces)
+
+		// Example: Bob lists namespaces
+		namespaces, err = bobClient.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
+		gomega.Expect(err).NotTo(gomega.HaveOccurred())
+		fmt.Println("Namespaces accessible by Bob:", namespaces)
+	})
+})