Stratio modifications on top of projectcapsule/capsule main #35

Open
forselli-stratio wants to merge 5 commits into Stratio:main-upstream from forselli-stratio:stratio/features

Conversation

forselli-stratio commented Jun 30, 2026

Overview

This PR contains all Stratio-specific modifications on top of the unmodified projectcapsule/capsule main branch (0c22ce88).

The base branch main-upstream is a direct mirror of projectcapsule/capsule main - no changes, no merges with old Stratio history. This makes the diff here the authoritative view of what Stratio adds.


Commits in this PR

1. Stratio CICD integration

Adds the Stratio build and publish pipeline:

  • Jenkinsfile - Jenkins pipeline wired to Stratio's libpipelines library
  • Dockerfile - multi-stage build (Go builder + Alpine runtime) for the controller image
  • VERSION / VERSION_HISTORY.md - version tracking files
  • bin/change-version.sh / bin/chart.sh - release helper scripts

2. [EOS-5809] Refactor chart tag default value to ensure chart uncoupling

Changes the Helm chart's default image tag from the chart version to an empty string, so the Docker image version and Helm chart version can be bumped independently.

3. Add Docker/Helm push steps, semantic versioning, and bump version to 0.8.0-SNAPSHOT

  • Adds doPushDockerECR and doPushHelmECR stages to the Jenkins pipeline to publish to Stratio's AWS ECR
  • Switches versioning strategy to semver
  • Bumps version to 0.8.0-SNAPSHOT

4. [Stratio] Port Stratio features onto upstream capsule sync

Two functional features added on top of upstream:

a) Capsule controller SA treated as tenant owner

The Capsule controller service account is automatically treated as a tenant owner, without needing to be listed in any tenant's .spec.owners.

Why: The controller needs to reconcile namespace-level resources on behalf of tenants. Without this, it would be denied by its own admission webhooks when acting inside a tenant namespace.

How: Uses the existing configuration.IsControllerServiceAccount(name, namespace) helper (reads the SERVICE_ACCOUNT env var already injected in charts/capsule/templates/_pod.tpl) in two places:

  • pkg/users/is_tenant_owner.go:IsTenantOwnerByStatus - fast-path status-based check
  • pkg/users/is_tenant_owner.go:IsCommonOwner - full ownership resolution check

Files changed: pkg/users/is_tenant_owner.go

b) ExcludeUserGroups - exclude groups from Capsule entirely

Adds a new excludeUserGroups field to CapsuleConfigurationSpec. Users whose groups match any entry are never treated as Capsule users, regardless of other group memberships. This is an early exit before any group or user matching.

Difference from ignoreUserWithGroups: ignoreUserWithGroups only fires when a user is already matched as a Capsule user via a group. excludeUserGroups fires first and prevents the user from being a Capsule user at all.

Use case: You have a broad group (e.g. system:authenticated) configured as a Capsule user group, but you want certain admin groups to bypass Capsule entirely.

Files changed:

  • api/v1beta2/capsuleconfiguration_types.go - new field
  • api/v1beta2/zz_generated.deepcopy.go - deepcopy for new field
  • charts/capsule/crds/capsule.clastix.io_capsuleconfigurations.yaml - CRD schema
  • charts/capsule/templates/configuration.yaml - Helm template
  • charts/capsule/values.yaml - new capsuleExcludeUserGroups: [] value
  • pkg/runtime/configuration/configuration.go - interface method
  • pkg/runtime/configuration/client.go - implementation
  • pkg/users/is_capsule_user.go - early-exit check

5. [BUILD] Bump Go toolchain to 1.26.4 to match go.mod requirement

go.mod requires go 1.26.4. The Dockerfile builder image and Jenkinsfile BUILDTOOL_IMAGE were on golang:1.24, causing go mod download to fail with GOTOOLCHAIN=local. Updated both to golang:1.26.4.


What is NOT changed from upstream

Everything else - the entire internal/, pkg/ (except the two files above), api/, config/ tree - is unmodified upstream code. No patches, no conflict resolutions, no backports.


Notes for future upstream syncs

To sync this branch forward when projectcapsule/capsule releases a new version:

git fetch projectcapsule
git checkout main-upstream
git reset --hard projectcapsule/main
git push upstream main-upstream --force-with-lease

git checkout stratio/features
git rebase main-upstream
# resolve any conflicts - only the 5 commits above need re-checking
git push origin stratio/features --force-with-lease

The Stratio diff is small enough (22 lines of Go across 2 files + build config) that rebases are low-friction.
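The two functional features in commit 4 both hinge on check ordering, and the PR text describes that ordering without showing it. The block below is an added example, not code from this PR or from projectcapsule/capsule: it is a simplified, stand-alone model of the subject-classification logic as the PR describes it. The Config and Subject types, the field names, the fact that an explicit user-name match is evaluated before the group match, and the Kubernetes user-name layout system:serviceaccount:<namespace>:<name> for the controller service account are all assumptions made for illustration; the real helper reads SERVICE_ACCOUNT from the environment, whereas here the namespace and name are passed in explicitly.

```go
package main

import "fmt"

// Config is a deliberately simplified model of the CapsuleConfigurationSpec
// group lists the PR discusses. Field names are assumptions for this example.
type Config struct {
	UserNames            []string // subjects treated as Capsule users by name
	UserGroups           []string // groups that make a subject a Capsule user
	IgnoreUserWithGroups []string // consulted only after a match via UserGroups
	ExcludeUserGroups    []string // the new Stratio field: checked before anything else
}

// Subject is the authenticated identity an admission request carries.
type Subject struct {
	Name   string
	Groups []string
}

// hasAny reports whether any of the subject's groups appears in list.
func hasAny(groups, list []string) bool {
	set := make(map[string]struct{}, len(list))
	for _, g := range list {
		set[g] = struct{}{}
	}
	for _, g := range groups {
		if _, ok := set[g]; ok {
			return true
		}
	}
	return false
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// IsCapsuleUser applies the ordering the PR describes:
//  1. excludeUserGroups is an early exit: a matching subject is never a Capsule user;
//  2. an explicit user-name match wins (assumed precedence for this example);
//  3. a group match via userGroups is then subject to ignoreUserWithGroups.
func IsCapsuleUser(cfg Config, s Subject) bool {
	if hasAny(s.Groups, cfg.ExcludeUserGroups) {
		return false
	}
	if contains(cfg.UserNames, s.Name) {
		return true
	}
	if hasAny(s.Groups, cfg.UserGroups) {
		return !hasAny(s.Groups, cfg.IgnoreUserWithGroups)
	}
	return false
}

// ControllerServiceAccountName builds the user name the controller's own
// requests carry (assumed layout; the real helper derives it from SERVICE_ACCOUNT).
func ControllerServiceAccountName(namespace, name string) string {
	return fmt.Sprintf("system:serviceaccount:%s:%s", namespace, name)
}

// IsTenantOwner treats the controller service account as an implicit owner of
// every tenant, in addition to the names the tenant lists in .spec.owners.
func IsTenantOwner(s Subject, controllerNS, controllerSA string, owners []string) bool {
	if s.Name == ControllerServiceAccountName(controllerNS, controllerSA) {
		return true
	}
	return contains(owners, s.Name)
}

// ExampleConfig is a constructed configuration: every authenticated subject is
// a Capsule user, "alice" is named explicitly, and two admin groups are carved
// out by the two different mechanisms so their behaviour can be compared.
func ExampleConfig() Config {
	return Config{
		UserNames:            []string{"alice"},
		UserGroups:           []string{"system:authenticated"},
		IgnoreUserWithGroups: []string{"platform-admins"},
		ExcludeUserGroups:    []string{"cluster-admins"},
	}
}

func main() {
	cfg := ExampleConfig()
	subjects := []Subject{
		{"bob", []string{"system:authenticated"}},
		{"carol", []string{"system:authenticated", "platform-admins"}},
		{"dave", []string{"system:authenticated", "cluster-admins"}},
		{"alice", []string{"system:authenticated", "platform-admins"}},
		{"alice", []string{"system:authenticated", "cluster-admins"}},
	}
	for _, s := range subjects {
		fmt.Printf("%-6s %-45v capsule user: %v\n", s.Name, s.Groups, IsCapsuleUser(cfg, s))
	}
	ctrl := Subject{Name: ControllerServiceAccountName("capsule-system", "capsule")}
	fmt.Println("controller SA is tenant owner:", IsTenantOwner(ctrl, "capsule-system", "capsule", nil))
}
```

The alice rows are where the two mechanisms diverge: a subject that is a Capsule user by explicit name is untouched by ignoreUserWithGroups, because that list only fires on a group-based match, but excludeUserGroups removes the subject before the name is even consulted. When reviewing the real change, the point to confirm is exactly that: the exclude check sits ahead of every other branch in IsCapsuleUser.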

forselli-stratio and others added 5 commits June 30, 2026 13:41

Adapted from a00c7b4: updated Dockerfile for upstream restructuring
(cmd/controller/, internal/, ldflags now reference internal/version pkg).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Remove 'v' prefix prepended to AppVersion in the default image tag
so the chart version and app image tag remain independent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…0.8.0-SNAPSHOT

Combines 02eecfe, dae142f, 2bddce3, and f6ba4d7 from master:
- Jenkinsfile: add ECR push steps and semver versioning type
- CHANGELOG: restructure for branch-0.7 release
- VERSION: bump to 0.8.0-SNAPSHOT

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Ports two Stratio-specific features from the old master branch onto the
new upstream-aligned base (origin/stratio/upstream-sync):

1. Capsule user should be treated as a tenant owner (from commit 4f8ad39):
   The capsule controller service account is automatically treated as a
   tenant owner in IsTenantOwnerByStatus and IsCommonOwner, using the
   existing configuration.IsControllerServiceAccount() helper. This
   replaces the old approach of passing capsuleUserName through every
   handler (the new code already reads SERVICE_ACCOUNT env in _pod.tpl
   and provides IsControllerServiceAccount).

2. Add option to exclude groups from capsule (from commit 65dfdc8):
   Adds ExcludeUserGroups to CapsuleConfigurationSpec. Users in these
   groups are excluded before any other capsule-user check in
   IsCapsuleUser, regardless of other group memberships. Wired through
   the Configuration interface, client, CRD YAML, chart values, and
   configuration template.

Note: [EOS-10241] Avoid namespace-tenant auto-assignment (from commit
708706b) is already incorporated in the upstream's revised
validateNamespacePrefix, which correctly checks cfg.ForceTenantPrefix()
as the global default before tenant-level overrides.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

go.mod requires go 1.26.4; Docker builder and Jenkins buildtool image
were still on golang:1.24, causing `go mod download` to fail with
GOTOOLCHAIN=local.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>