feat: add globalproxysettings (#550)

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

.github/workflows/e2e.yaml .github/workflows/e2e-legacy.yaml.github/workflows/e2e.yaml renamed to .github/workflows/e2e-legacy.yaml

@@ -0,0 +1,56 @@
+name: e2e
+permissions: {}
+
+on:
+  push:
+    branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'internal/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
+  pull_request:
+    branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'internal/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  kind:
+    name: Kubernetes
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [ 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0', 'v1.30.0', 'v1.31.0' ]
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: 'go.mod'
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v3
+        with:
+          version: v3.14.2
+      - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
+        with:
+          skipClusterCreation: true
+      - name: e2e testing
+        run: KIND_K8S_VERSION=${{ matrix.k8s-version }} make e2e

.github/workflows/e2e.yml

@@ -11,9 +11,17 @@ linters-settings:
     min-occurrences: 2
   cyclop:
     max-complexity: 17
+issues:
+  exclude-rules:
+    - path: (.+)_test.go
+      linters:
+        - revive
+      text: "^(dot-imports)"
 linters:
   enable-all: true
   disable:
+    - err113
+    - mnd
     - errchkjson
     - errname
     - forcetypeassert
@@ -27,14 +35,10 @@ linters:
     - nilerr
     - exhaustruct
     - depguard
-    # should be enabled
     - revive
-    - err113
-    - mnd
     - nilnil
     - wsl
     - perfsprint
-
-    # deprecated
     - exportloopref
-    - execinquery
+    - execinquery
+    - forcetypeassert

.golangci.yml

@@ -106,21 +106,21 @@ helm-docs: docker
 helm-lint: docker
 	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:v3.3.1 -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
 
-helm-test: helm-controller-version kind ct ko-build-all helm-create helm-install helm-destroy
+helm-test: helm-controller-version ct ko-build-all helm-create helm-install helm-destroy
 
 helm-install:
 	@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
 	@make install-capsule
 	@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
 	@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
 
-helm-create:
-	@kind create cluster --wait=60s --name capsule-charts
-	@kind load docker-image --name capsule-charts $(CAPSULE_PROXY_IMG):$(VERSION)
+helm-create: kind
+	@$(KIND) create cluster --wait=60s --name capsule-charts
+	@$(KIND) load docker-image --name capsule-charts $(CAPSULE_PROXY_IMG):$(VERSION)
 	@kubectl create ns capsule-system
 
-helm-destroy:
-	@kind delete cluster --name capsule-charts
+helm-destroy: kind
+	@$(KIND) delete cluster --name capsule-charts
 
 ####################
 # -- Testing
@@ -129,14 +129,18 @@ helm-destroy:
 .PHONY: e2e
 e2e: e2e-build e2e-install e2e-exec
 
-.PHONY: e2e-exec
-e2e-exec:
+.PHONY: e2e-legacy-exec
+e2e-legacy-exec:
 	@./e2e/run.bash $${CLIENT_TEST:-kubectl}-$${CAPSULE_PROXY_MODE:-https}
 
+.PHONY: e2e-exec
+e2e-exec: ginkgo
+	$(GINKGO) -v -tags e2e ./e2e
+
 .PHONY: e2e-build
-e2e-build:
+e2e-build: kind
 	@echo "Building kubernetes env using Kind $${KIND_K8S_VERSION:-v1.27.0}..."
-	@kind create cluster --name capsule --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0} --config ./e2e/kind.yaml --wait=120s \
+	@$(KIND) create cluster --name capsule --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0} --config ./e2e/kind.yaml --wait=120s \
 		&& kubectl taint nodes capsule-worker2 key1=value1:NoSchedule
 	@helm repo add bitnami https://charts.bitnami.com/bitnami
 	@helm repo update
@@ -149,13 +153,13 @@ e2e-build:
 e2e-install: install-capsule install-capsule-proxy rbac-fix
 
 .PHONY: e2e-load-image
-e2e-load-image: ko-build-all
+e2e-load-image: kind ko-build-all
 	@echo "Loading Docker image..."
-	@kind load docker-image --name capsule --nodes capsule-worker $(CAPSULE_PROXY_IMG):$(VERSION)
+	@$(KIND) load docker-image --name capsule $(CAPSULE_PROXY_IMG):$(VERSION)
 
 .PHONY: e2e-destroy
-e2e-destroy:
-	kind delete cluster --name capsule
+e2e-destroy: kind
+	$(KIND) delete cluster --name capsule
 
 install-capsule:
 	@echo "Installing capsule..."
@@ -185,7 +189,8 @@ ifeq ($(CAPSULE_PROXY_MODE),http)
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
 		--set "serviceMonitor.enabled=false" \
-		--set "options.generateCertificates=false"
+		--set "options.generateCertificates=false" \
+		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 else
 	@echo "Running in HTTPS mode"
 	@echo "capsule proxy certificates..."
@@ -194,19 +199,19 @@ else
 		&& kubectl --namespace capsule-system create secret generic capsule-proxy --from-file=tls.key=./127.0.0.1-key.pem --from-file=tls.crt=./127.0.0.1.pem --from-literal=ca=$$(cat $(ROOTCA) | base64 |tr -d '\n')
 	@echo "kubeconfig configurations..."
 	@cd hack \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil capsule.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- alice oil projectcapsule.dev,capsule.clastix.io \
 		&& mv alice-oil.kubeconfig alice.kubeconfig \
 		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=alice.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas capsule.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- bob gas projectcapsule.dev,capsule.clastix.io \
 		&& mv bob-gas.kubeconfig bob.kubeconfig \
 		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=bob.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas capsule.clastix.io,foo.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- joe gas projectcapsule.dev,capsule.clastix.io,foo.clastix.io \
 		&& mv joe-gas.kubeconfig foo.clastix.io.kubeconfig \
 		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& KUBECONFIG=foo.clastix.io.kubeconfig kubectl config set clusters.kind-capsule.server https://127.0.0.1:9001 \
-		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil capsule.clastix.io,bar.clastix.io \
+		&& curl -s https://raw.githubusercontent.com/projectcapsule/capsule/main/hack/create-user.sh | bash -s -- dave soil projectcapsule.dev,capsule.clastix.io,bar.clastix.io \
 		&& mv dave-soil.kubeconfig dave.kubeconfig \
 		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.certificate-authority-data $$(cat $(ROOTCA) | base64 |tr -d '\n') \
 		&& kubectl --kubeconfig=dave.kubeconfig config set clusters.kind-capsule.server https://127.0.0.1:9001
@@ -219,8 +224,10 @@ else
 		--set "service.nodePort=" \
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
-		--set "serviceMonitor.enabled=false"
+		--set "serviceMonitor.enabled=false" \
+		--set "options.extraArgs={--feature-gates=ProxyClusterScoped=true,--feature-gates=ProxyAllNamespaced=true}"
 endif
+	@kubectl rollout restart ds capsule-proxy -n capsule-system || true
 
 rbac-fix:
 	@echo "RBAC customization..."
@@ -258,6 +265,11 @@ CONTROLLER_GEN_VERSION = v0.8.0
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 
+GINKGO         := $(shell pwd)/bin/ginkgo
+GINKGO_VERSION = v2.19.0
+ginkgo: ## Download ginkgo locally if necessary.
+	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINKGO_VERSION))
+
 MKCERT = $(shell pwd)/bin/mkcert
 MKCERT_VERSION = v1.4.4
 mkcert: ## Download mkcert locally if necessary.

Makefile

@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: clastix.io
 layout:
 - go.kubebuilder.io/v3
@@ -16,4 +20,11 @@ resources:
   kind: ProxySettings
   path: github.com/projectcapsule/capsule-proxy/api/v1beta1
   version: v1beta1
+- api:
+    crdVersion: v1
+  domain: clastix.io
+  group: capsule
+  kind: GlobalProxySettings
+  path: github.com/projectcapsule/capsule-proxy/api/v1beta1
+  version: v1beta1
 version: "3"

PROJECT

@@ -26,5 +26,6 @@ type ClusterResource struct {
 	Operations []ClusterResourceOperation `json:"operations"`
 
 	// Select all cluster scoped resources with the given label selector.
+	// Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists).
 	Selector *metav1.LabelSelector `json:"selector"`
 }

api/v1beta1/clusterresoure.go

@@ -0,0 +1,60 @@
+// Copyright 2020-2023 Project Capsule Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"github.com/projectcapsule/capsule/api/v1beta2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// GlobalProxySettingsSpec defines the desired state of GlobalProxySettings.
+type GlobalProxySettingsSpec struct {
+	// Subjects that should receive additional permissions.
+	// The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
+	// However they must be part of the capsule-user groups.
+	// +kubebuilder:validation:MinItems=1
+	Rules []GlobalSubjectSpec `json:"rules"`
+}
+
+type GlobalSubjectSpec struct {
+	// Subjects that should receive additional permissions.
+	// The subjects are selected based on the oncoming requests. They don't have to relate to an existing tenant.
+	// However they must be part of the capsule-user groups.
+	Subjects []GlobalSubject `json:"subjects"`
+	// Cluster Resources for tenant Owner.
+	ClusterResources []ClusterResource `json:"clusterResources,omitempty"`
+}
+
+type GlobalSubject struct {
+	// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount".
+	Kind v1beta2.OwnerKind `json:"kind"`
+	// Name of tenant owner.
+	Name string `json:"name"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// GlobalProxySettings is the Schema for the globalproxysettings API.
+type GlobalProxySettings struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec GlobalProxySettingsSpec `json:"spec,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// GlobalProxySettingsList contains a list of GlobalProxySettings.
+type GlobalProxySettingsList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []GlobalProxySettings `json:"items"`
+}
+
+//nolint:gochecknoinits
+func init() {
+	SchemeBuilder.Register(&GlobalProxySettings{}, &GlobalProxySettingsList{})
+}