feat: chart proposal

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

Author: oliverbaehler

.github/workflows/codecov.yml

@@ -31,7 +31,7 @@ jobs:
         run: make test
       - name: Upload Report to Codecov
         if: steps.checksecret.outputs.result == 'true'
-        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
+        uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1
         with:
           file: ./coverage.out
           fail_ci_if_error: true

.github/workflows/diff.yml

@@ -19,9 +19,9 @@ jobs:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version-file: 'go.mod'
       - run: make manifests
       - name: Checking if Helm Chart crds is not aligned
         run: if [[ $(git diff | wc -l) -gt 0 ]]; then echo ">>> Untracked generated files have not been committed" && git --no-pager diff && exit 1; fi

.github/workflows/e2e.yml

@@ -43,14 +43,9 @@ jobs:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
-      - run: make manifests
-      - name: Checking if manifests are disaligned
-        run: test -z "$(git diff 2> /dev/null)"
-      - name: Checking if manifests generated untracked files
-        run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
+          go-version-file: 'go.mod'
       - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           skipClusterCreation: true

.github/workflows/gosec.yml

@@ -18,7 +18,15 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: 'go.mod'
       - name: Run Gosec Security Scanner
         uses: securego/gosec@26e57d6b340778c2983cd61775bc7e8bb41d002a # v2.19.0
         with:
-          args: ./...
+          args:  '-no-fail -fmt sarif -out gosec.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc
+        with:
+          sarif_file: gosec.sarif
+

.github/workflows/helm-test.yml

@@ -17,8 +17,6 @@ jobs:
         with:
           fetch-depth: 0
       - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v3
-        with:
-          version: v3.14.2
       - name: Linting Chart
         run: helm lint ./charts/capsule
       - name: Setup Chart Linting

.github/workflows/lint.yml

@@ -17,9 +17,9 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version-file: 'go.mod'
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # v5.1.0
         with:

Makefile

@@ -1,6 +1,8 @@
 # Version
 GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
 VERSION         ?= $(or $(shell git describe --abbrev=0 --tags --match "v*" 2>/dev/null),$(GIT_HEAD_COMMIT))
+GOOS                 ?= $(shell go env GOOS)
+GOARCH               ?= $(shell go env GOARCH)
 
 # Defaults
 REGISTRY        ?= ghcr.io
@@ -141,6 +143,7 @@ dev-setup:
 # -- Docker
 ####################
 
+KO_PLATFORM     ?= linux/$(GOARCH)
 KOCACHE         ?= /tmp/ko-cache
 KO_REGISTRY     := ko.local
 KO_TAGS         ?= "latest"
@@ -160,9 +163,9 @@ LD_FLAGS        := "-X main.Version=$(VERSION) \
 
 .PHONY: ko-build-capsule
 ko-build-capsule: ko
-	@echo Building Capsule $(KO_TAGS) >&2
+	@echo Building Capsule $(KO_TAGS) for $(KO_PLATFORM) >&2
 	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_IMG) \
-		$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local
+		$(KO) build ./ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
 
 .PHONY: ko-build-all
 ko-build-all: ko-build-capsule
@@ -190,7 +193,7 @@ ko-publish-all: ko-publish-capsule
 ####################
 
 CONTROLLER_GEN         := $(shell pwd)/bin/controller-gen
-CONTROLLER_GEN_VERSION := v0.10.0
+CONTROLLER_GEN_VERSION := v0.15.0
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 
@@ -200,7 +203,7 @@ apidocs-gen: ## Download crdoc locally if necessary.
 	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
 
 GINKGO         := $(shell pwd)/bin/ginkgo
-GINGKO_VERSION := v2.15.0
+GINGKO_VERSION := v2.17.2
 ginkgo: ## Download ginkgo locally if necessary.
 	$(call go-install-tool,$(GINKGO),github.com/onsi/ginkgo/v2/ginkgo@$(GINGKO_VERSION))
 
@@ -324,5 +327,5 @@ e2e-destroy:
 
 SPELL_CHECKER = npx spellchecker-cli
 docs-lint:
-	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" -d dictionary.txt
+	cd docs/content && $(SPELL_CHECKER) -f "*.md" "*/*.md" "!general/crds-apis.md" -d dictionary.txt
 

api/v1beta1/zz_generated.deepcopy.go

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: capsuleconfigurations.capsule.clastix.io
 spec:
   group: capsule.clastix.io
@@ -22,14 +21,19 @@ spec:
           API.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -38,23 +42,20 @@ spec:
             properties:
               enableTLSReconciler:
                 default: true
-                description: Toggles the TLS reconciler, the controller that is able
-                  to generate CA and certificates for the webhooks when not using
-                  an already provided CA and certificate, or when these are managed
-                  externally with Vault, or cert-manager.
+                description: |-
+                  Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
+                  when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
                 type: boolean
               forceTenantPrefix:
                 default: false
-                description: Enforces the Tenant owner, during Namespace creation,
-                  to name it using the selected Tenant name as prefix, separated by
-                  a dash. This is useful to avoid Namespace name collision in a public
-                  CaaS environment.
+                description: |-
+                  Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
+                  separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
                 type: boolean
               nodeMetadata:
-                description: Allows to set the forbidden metadata for the worker nodes
-                  that could be patched by a Tenant. This applies only if the Tenant
-                  has an active NodeSelector, and the Owner have right to patch their
-                  nodes.
+                description: |-
+                  Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
+                  This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
                 properties:
                   forbiddenAnnotations:
                     description: Define the annotations that a Tenant Owner cannot
@@ -87,15 +88,15 @@ spec:
                   TLSSecretName: capsule-tls
                   mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
                   validatingWebhookConfigurationName: capsule-validating-webhook-configuration
-                description: Allows to set different name rather than the canonical
-                  one for the Capsule configuration objects, such as webhook secret
-                  or configurations.
+                description: |-
+                  Allows to set different name rather than the canonical one for the Capsule configuration objects,
+                  such as webhook secret or configurations.
                 properties:
                   TLSSecretName:
                     default: capsule-tls
-                    description: Defines the Secret name used for the webhook server.
-                      Must be in the same Namespace where the Capsule Deployment is
-                      deployed.
+                    description: |-
+                      Defines the Secret name used for the webhook server.
+                      Must be in the same Namespace where the Capsule Deployment is deployed.
                     type: string
                   mutatingWebhookConfigurationName:
                     default: capsule-mutating-webhook-configuration