Releases: projectcapsule/capsule

v0.1.0-rc6

16 Aug 08:55
Pre-release

This is a pre-release: some of the planned features may not be implemented yet or may misbehave.

  • a2fda44 fix: NewIngressHostnameCollision is returning pointer for error parsing
  • 06330cf fix: example was wrong due to missing porting of NamespaceOptions
  • 1ec9936 docs: hostname collision is now managed at Tenant level
  • 694b519 build(helm): hostname collision is now managed at Tenant level
  • 0b34f04 build(helm): removing deprecated collision values
  • a702ef2 docs(helm): deprecating hostname collision
  • 04d91af build(kustomize): hostname collision is now managed at Tenant level
  • 8949be7 test(e2e): scoped Ingress hostname and path collision
  • df08c9e refactor: hostname collision is now managed at Tenant level
  • 07daffd build(helm): Ingress hostname collision scope at Tenant level
  • 3a42b90 build(kustomize): Ingress hostname collision scope at Tenant level
  • 09277e9 feat: Ingress hostname collision scope at Tenant level
  • 47794c0 style: no need of nolint here
  • e24394f refactor: avoiding init functions for direct registration
  • 01053d5 refactor: renaming struct field names for allowed hostnames and classes
  • b749e34 refactor: grouping Ingress options into defined struct
  • 82480f3 docs: fix minor issues
  • 88a9c24 docs: update links in documentation
  • 651c62f docs: add further test cases
  • dcb8b78 docs: additional test cases
  • 7a69863 docs: additional test cases
  • 894ea50 docs: add few test cases
  • e4e3283 build(helm): Tenant status enums must be capitalized
  • 007f008 build(kustomize): Tenant status enums must be capitalized
  • bc6fc92 fix: Tenant status enums must be capitalized
  • 01b511b test(e2e): fixing flakiness for Service and EP metadata
  • 6223b1c chore(github): forcing Go 1.16 and removing caching
  • d5158f0 chore(github): updating Kubernetes supported matrix
  • 047f4a0 build(helm): aligning descriptions for v1.22.0
  • 71cdb45 build(kustomize): aligning descriptions for v1.22.0
  • 9182895 refactor: EndpointSlice v1beta1 deprecated for v1
  • 2eceb09 chore(gomod): updating Kubernetes deps to 1.22
  • 8ead555 docs: reference to admissionregistration.k8s.io/v1 for local debugging
  • 57bf3d1 feat: skipping Ingress indexer setup for deprecated APIs
  • bb58e90 test(e2e): skipping ingress class tests if running on Kubernetes 1.22
  • f8fa87a chore(hack)!: upgrading to certificates.k8s.io/v1
  • b3658b7 refactor AdditionalMetadataSpec struct. Remove Additional prefix from labels and annotations fields (#379)
  • 54d0201 test(e2e): fix linting issues for NamespaceOptions tests
  • 44ffe0d build(installer): CRD update for v1beta1 NamespaceOptions
  • 491ab71 build(helm): CRD update for v1beta1 NamespaceOptions
  • 4e9dbf8 build(kustomize): CRD update for v1beta1 NamespaceOptions
  • 3461401 test(e2e): aligning tests to use new NamespaceOptions structure
  • 737fb26 refactor: use NamespaceOptions struct to store namespace-related tenant configurations
  • b560159 chore(gh): using build-args
  • ddb9ffd (issues/365) refactor: split tenant controller to separate files
  • cae65c9 fix: capsuleconfiguration controller package name should be config instead of rbac
  • befcf65 feat: adding webhook and rest client latency per endpoint
  • e1d9833 chore(gh): updating e2e workflow
  • 848c6d9 refactor: using goroutines per Namespace for each resource Kind reconciliation
  • bd12068 fix: handling multiple resources for hard ResourceQuota resources
  • 4604e44 build(helm): Tenant or Namespace scope for resource quota budgets
  • 31863b5 build(kustomize): Tenant or Namespace scope for resource quota budgets
  • 7a055fc fix(test): matching upon reconciliation, not retrieval
  • 29ab5ca test: Tenant or Namespace scope for resource quota budgets
  • c52f784 feat: Tenant or Namespace scope for resource quota budgets
  • 9244122 docs (helm): added namespace creation
  • f883e7b fix: wrong description of Service external IPs
  • 2f5f31b test(e2e): allowed external IPs is grouped in ServiceOptions
  • e7ef964 build(helm): allowed external IPs is grouped in ServiceOptions
  • 34f73af build(kustomize): allowed external IPs is grouped in ServiceOptions
  • 18912a0 feat: allowed external IPs is grouped in ServiceOptions
  • d43ad2f build(kustomize): updating to v0.1.0-rc5
  • 9a59587 docs: update capsule-proxy docs

v0.1.0-rc5

22 Jul 10:09
Pre-release

This is a pre-release: some of the planned features may not be implemented yet or may misbehave.

  • c0d4aab build(helm): CRD update for PriorityClass enum
  • 6761fb9 build(kustomize): CRD update for PriorityClass enum
  • bf9e0f6 test: PriorityClass proxy operations conversion
  • f937942 feat: capsule-proxy operations for PriorityClass resources
  • 89d7f30 build(helm): CRD update for v1beta1 service options
  • 2a6ff09 build(kustomize): CRD update for v1beta1 service options
  • 35f4810 test(e2e): aligning tests to new v1beta1 structure and ExternalName case
  • 7aa62b6 test: conversion for new Service options
  • 58645f3 chore(samples): example for ServiceOptions
  • 0e55823 feat: toggling ExternalName service

v0.1.0-rc4

20 Jul 09:22
Pre-release

This is a pre-release: some of the planned features may not be implemented yet or may misbehave.

  • ba69048 refactor: use OwnerListSpec to store tenant owners information
  • faa2306 chore: support multiple groups in create-{user}/{user-openshift}.sh scripts
  • c1448c8 build(installer): add description fields in CRD
  • 776a56b build(helm): add description fields in CRD
  • e4883bb build(kustomize): add description fields in CRD
  • e70afb5 feat: add description fields in CRD
  • ee7af18 docs: bare installation of Capsule using kubectl
  • ac7de3b chore(github): updating steps for single YAML file installer diffs
  • 8883b15 chore: single YAML file installer
  • e23132c chore(kustomize): using single YAML file to install Capsule
  • bec59a5 build(kustomize): updating to v0.1.0-rc3
  • 9c649ac chore(kustomize): adding v1beta1 Tenant
  • 3455aed fix(samples): Tenant v1beta1 example
  • ad1edf5 fix(samples): removing empty file
  • d64dcb5 fix: preserving v1alpha1 enable node ports false value avoiding CRD default
  • 76d7697 docs: minor improvements
  • 96f4f31 docs(velero): add brief explanation about new cli flag
  • c3f9dfe feat(velero): improve usage function
  • 502e9a5 feat(velero): add possibility to specify a tenant list by cli
  • 6f208a6 fix(velero): fix wrong argument behaviour
  • 1fb5200 fix(velero): add possibility to fix also apiVersion parameter
  • 98e1640 fix: avoid nil slice during resource conversion

v0.1.0-rc3

12 Jul 09:54
Pre-release

This is a pre-release: some of the planned features may not be implemented yet or may misbehave.

  • eb19a7a chore: fix linting issues
  • db8b8ac test(e2e): support multiple tenant owners (add applications to act as tenant owners)
  • 663ce93 build(helm): support multiple tenant owners (add applications to act as tenant owners)
  • a6408f2 feat: support multiple tenant owners (add applications to act as tenant owners)
  • 1aa026c chore(github): no need of fundings
  • 6008373 bug: ensuring to update the conversion webhook CA bundle
  • 414c03a feat: reconciliation for Tenant state
  • 4d34a9e build(helm): support for Tenant state
  • cb9b560 build(kustomize): support for Tenant state
  • ef75d04 feat(api): Tenant state
  • e1e75a0 docs(velero): add documentation about velero-restore script
  • 80143ff feat(velero): add script to manage velero backup restoration
  • 3d54810 chore: bump-up to latest version
  • 09dfe33 bug(kustomize): fixing JSON path for kustomize-based installation
  • 01ea36b chore: updating kustomize
  • bd448d8 test(e2e): avoiding flaky tests for ingress hostnames collision
  • b58ca3a chore: v1beta1 goimports and formatting
  • 52fb094 feat(v1beta1): add conversion webhook
  • 1b0fa58 chore: remove unused functions for v1alpha1 version
  • 92655f1 build(helm): update crds to use v1beta1 version
  • 44bf846 test(e2e): update tests to use v1beta1 version
  • e6b433d feat(v1beta1): update code to use v1beta1 version
  • 3e0882d refactor: domains is now API utils
  • 4166093 feat(v1beta1): tenant spec
  • 3d714dc build(kustomize)!: adding the conversion endpoint for v1beta1
  • bd01881 feat(v1beta1): scaffolding the Convertible interface
  • ac6af13 feat(v1beta1): registering conversion webhook
  • 8fb4b7d feat: scaffolding v1beta1 Tenant version
  • d4280b8 chore(makefile): ensure validation for each version
  • 6e39b17 chore(operatorsdk): required scaffolding for v1alpha2
  • b1a9603 fix: ensuring single reconciliation for Capsule RoleBinding resources
  • 0d4201a docs(helm): update documentation about hostNetwork
  • 1734c90 build(helm): add hostNetwork for manager pod
  • 184f054 test(e2e): adding further tests for collisions
  • 126449b build(helm): fixing pairing between values and collision CRD keys
  • 284e7da build(helm): support for admission review version to v1
  • 99e1589 build(helm)!: using multiple handlers per webhook
  • 7cc2c3f build(kustomize)!: using multiple handlers per webhook
  • ba07f99 refactor!: using multiple handlers per route
  • d799726 docs: Amazon EKS documentation

v0.1.0-rc2

25 Jun 15:48
Pre-release

This is a pre-release: some of the planned features may not be implemented yet or may misbehave.

  • 8d1a109 build(helm): webhook for Namespace handling when tenant is freezed
  • a190454 build(kustomize): webhook for Namespace handling when tenant is freezed
  • 7574335 refactor: using separated webhooks for Namespace handling
  • 72e97b9 feat: providing utility for webhook auth identification
  • b3c6082 feat: providing event for Tenant cordoning
  • 9a94009 docs: fixing links
  • f9becf3 docs: Tenant cordoning
  • e1160b8 test(e2e): Tenant cordoning webhook
  • 6472b22 build(helm): Tenant cordoning webhook
  • a2e5bbf build(kustomize): Tenant cordoning webhook
  • 8804496 feat: cordoning Tenant webhook
  • 5de0a6d # This is a combination of 2 commits. # This is the 1st commit message:
  • 531cc4c refactor: renaming Tenant webhook handler
  • 3e33290 fix: fixed typo in script description
  • 824442b feat: add exits when encounters an error
  • 3458335 refactor: meaningful error for complete block of Service external IPs
  • 5681228 fix: blocking non valid external IP
  • 7237972 fix: using /32 in case of bare IPs
  • 46fc65a fix: avoiding concurrent map write
  • 44acfae feat: fix typo in event message
  • 7ca087c feat: update event messages
  • b2b640d test(e2e): refactoring to avoid flakiness
  • 5b35e0b refactor(e2e): using non absolute version import name
  • accd9ca feat: emitting events for policies violations
  • e7b33bd docs: documenting ImagePullPolicy enforcement
  • 08fbd26 test(e2e): bug on PodPriorityClass case
  • 006b0c8 test(e2e): ImagePullPolicy for v1alpha using annotations
  • b6f3fcc build(helm): webhook for ImagePullPolicy enforcement
  • bf79c25 build(kustomize): webhook for image PullPolicy
  • 630e802 feat: image PullPolicy webhook enforcer
  • e5a1861 test: aligning to new additional RoleBinding name pattern
  • 246c1a3 fix: misleading info message for additional RoleBindings sync
  • a06e689 fix: avoiding Namespace's RoleBinding labels collision
  • 61c9bc6 refactor: object labels must be set in the mutateFn
  • 9c8b037 feat: emitting events for Tenant operations
  • dfe0f5e chore: do docker(x) build/push step in gh actions
  • a1a2e5e build(helm): using arm compatible kubectl image
  • 20aa765 build: using targetarch for arm support
  • 7c1592e chore(license): switching over SPDX license header (#280)
  • f60f2b1 build: using Quay.io-hosted builder image
  • 53377e9 docs: Updated Golang version
  • d0893a5 docs: Fixed typo

v0.1.0-rc1

31 May 15:21
Pre-release

This is a pre-release: some of the planned features may not be implemented yet or may misbehave.

  • feat: providing log upon CapsuleConfiguration change (a7fff59)
  • chore(make): reorg helm params (a4128b5)
  • chore: no need of fmt or vet, already managed by golangci-lint (b349042)
  • test(e2e): typo on feature documentation By group (40bdf0c)
  • docs: documenting CapsuleConfiguration CRD and options (20d0ef8)
  • test(e2e): modifying CapsuleConfiguration at runtime (6103494)
  • build(helm): deletion of CRB using names rather than label (ca7b859)
  • build(helm)!: support for CapsuleConfiguration CRD (73e6a17)
  • build(kustomize)!: support for CapsuleConfiguration CRD (9103a14)
  • refactor: simplifying RBAC managed with multiple user groups (d532f16)
  • feat!: using CapsuleConfiguration CRD with reload at runtime (3570b02)
  • chore: using last git commit as build date (994a4c2)
  • chore: upgrading kubebuilder project to v3 (eff1282)
  • docs: block of NodePort services using Tenant annotation (52a73e0)
  • docs: Pod Priority Class enforcement using Tenant annotations (4ccef41)
  • test: testing enforced Pod Priority Class using Tenant annotations (dfb0a53)
  • build(helm): providing webhook for Pod Priority Class (9ef64d0)
  • build(kustomize): installing Pod Priority Class webhook (5649283)
  • feat: enforcing Pod Priority Class (0481822)
  • build(helm): using different names for Job hooks (bcbd9c2)
  • fix: the ClusterRoleBindings capsule-namespace-provisioner are not re… (229b569)
  • fix: wrong order of checks in validating-external-service-ips webhook (ef6eea6)
  • chore(ci): output diff files for manifests files (bb6614d)
  • build(helm): use multiple groups as capsule-user-group. Remove capsul… (784f3a7)
  • feat: use multiple groups as capsule-user-group (3c9895e)
  • fix: generating TLS certificate matching the deployed Namespace (6dc83b1)
  • feat: block use of NodePort Services (e6da507)
  • chore(go): upgrading to go 1.16 (5bca3b7)
  • chore(operatorsdk): upgrading to v3 format (2e188d2)
  • chore(kustomize): new CRD and webhooks for admission/v1 (3afee65)
  • refactor: moving to admission/v1 for Kubernetes +1.16 (c22cb6c)
  • chore(mod): upgrading controller-runtime to v0.8.3 (202a18c)
  • chore(make): upgrading to controller-tools v0.5.0 (8441d88)
  • test: checking runtime count for pods (d5af190)
  • chore(kustomize): deprecating metrics RBAC proxy (82ae78b)
  • chore(helm): deprecating metrics RBAC proxy (6c44a6a)
  • docs: update capsule-proxy documentation (d6e7437)
  • chore: triggering Helm Charts CD upon tag release (ac7114e)
  • docs: typo on README.md (2fdc08c)
  • refactor: better name variables in pkg/webhook/utils (c2cede6)
  • refactor: better name variables in pkg/webhook/tenantprefix (36c90d4)
  • refactor: better name variables in pkg/webhook/tenant (34c9583)
  • refactor: better name variables in pkg/webhook/services (e5f17d1)
  • refactor: better name variables in pkg/webhook/registry (e1b2037)
  • refactor: better name variables in pkg/webhook/pvc (cec8cc0)
  • refactor: better name variables in pkg/webhook/ownerreference (7ca9fe0)
  • refactor: better name variables in pkg/webhook/namespacequota (b87a6c0)
  • refactor: better name variables in pkg/webhook/ingress (01b75a5)
  • refactor: better name variables in pkg/webhook (2c6dcf0)
  • refactor: better name variables in main.go (7994ae1)
  • Helm and Kustomize to v0.0.5 (#239) (d8449fe)
  • feat: adding name label to each Namespace (#242) (12237ae)

v0.0.5

20 Mar 16:07
37ec991

v0.0.5 (2021-03-20)

Capsule v0.0.5 is out, grab your version as follows!

docker pull quay.io/clastix/capsule:v0.0.5

Improvements

  • Various typos in the docs (#198, #201, #197, #210)
  • Custom image for Helm hooks (#208)
  • Typo in validating webhook error message (#212)
  • No more confusing .dirty information on logs (#213)
  • Providing user script creation for OCP (#229)
  • Capsule Helm Chart probes are configurable (#220)

Features

  • Avoid Ingress resources hostname collision (#215)
  • Allow multiple Tenant resources to share the same hostnames in the allowed lists (#206)

Hotfix

  • Avoiding deletion of Capsule secrets on Helm upgrade (#194)
  • Namespaces metadata are just handled by the Tenant manifest (#200)
  • Ignoring webhooks for kube-system ServiceAccount resources (#234)

Many congrats to the community for helping to shape this new release: @ValentinoUberti, @ludusrusso, @davideimola, @frodopwns, @unai-ttxu, @donhighmsft, @onematchfox, @bsctl!

v0.0.5-rc2

06 Mar 20:27
Pre-release

v0.0.5-rc2 (2021-03-06)

Final release candidate for upcoming v0.0.5.

docker pull quay.io/clastix/capsule:v0.0.5-rc2

Improvements

  • Various typos in the docs (#198, #201, #197, #210)
  • Custom image for Helm hooks (#208)
  • Typo in validating webhook error message (#212)
  • No more confusing .dirty information on logs (#213)

Features

  • Avoid Ingress resources hostname collision (#215)
  • Allow multiple Tenant resources to share the same hostnames in the allowed lists (#206)

Hotfix

  • Avoiding deletion of Capsule secrets on Helm upgrade (#194)
  • Namespaces metadata are just handled by the Tenant manifest (#200)

v0.0.5-rc1

21 Jan 06:14
16906db
Pre-release

v0.0.5-rc1 (2021-01-21)

A small hotfix regarding a missing webhook at the Tenant level will be addressed along with other minor improvements on the v0.0.5 release.

docker pull quay.io/clastix/capsule:v0.0.5-rc1

Hotfix

  • Validating Tenant also on UPDATE (#191)

v0.0.4

13 Jan 22:50
d270055

v0.0.4 (2021-01-13)

Happy new year from Clastix Labs!

Docker images are hosted on quay.io and can be pulled with the following command:

docker pull quay.io/clastix/capsule:v0.0.4

Enhancement

  • Helm Charts are included in the Capsule repository and can be fetched using the repo https://clastix.github.io/charts (#147)
  • Tenant ResourceQuota hard value is available in the Namespaced resource as an annotation (#158)
  • Allowed container registries are annotated in the Tenant Namespaces (#154)
  • Making Capsule more flexible with optional fields (#153)
  • Documentation improved (#146)
  • E2E tests are less flaky (#172, #176)
  • Adding more strict linters (#169)

Features

  • Mitigating Kubernetes CVE-2020-8554 enforcing Service external IPs (#161)
  • Supporting Kubernetes 1.20 (#171)
  • Enforcing the allowed hostnames per Tenant (#162)

Bug

  • Avoiding loop with Tenant ResourceQuota dealing with multiple Namespaces (#168)
  • Fixing the broken binary search for the InCapsuleGroup function (#181)

More features are on their way and planned here

Thanks

We got new entries, @gernest and @paolocarta: thanks for helping us shape Capsule! 🎉

Last but not least, same for @bsctl and @MaxFedotov: unstoppable and awesome maintainers.