Phase 3: Ship readiness (S3.1–S3.3 + U3 acceptance gate)#4
Merged
Conversation
Deliver security conformance tests (A9 pod/RBAC), hardening guide and ADR, full NFR7 documentation suite, release engineering (multi-arch image target, manifest bundles, SemVer release workflow with SBOM/signing), and the U3 kind acceptance gate covering A1–A12 across two Kubernetes minors with Helm and plain-manifest installs. Also closes S0.1/S0.3 governance gaps (LICENSE, CONTRIBUTING, docs CI). Co-authored-by: Oleg Zimakov <[email protected]>
…test - Load all Kubernetes-shaped YAML in manifest.Load so committed Secret/ConfigMap manifests trigger ManifestKindNotAllowed (A11) instead of silently rendering - Exclude manifest-shaped files from ConfigMap via IsKubernetesManifest - Create kohen-system namespace before kubectl apply in U3 manifests matrix - Run RBAC conformance in operator namespace when scope=namespaced Co-authored-by: Oleg Zimakov <[email protected]>
Multi-doc files with a ConfigMap now fail guard all-or-nothing; use a separate ExternalSecret file instead. Co-authored-by: Oleg Zimakov <[email protected]>
Use rollout:none (kubelet in-place mount update for A2) instead of waiting on a rolling restart with busybox. Pre-load busybox:1.36 into kind in the U3 workflow so the exec-based mount assertion is reliable. Co-authored-by: Oleg Zimakov <[email protected]>
- Use ./deploy/helm/kohen so helm upgrade does not treat deploy as a repo - Retry mount exec via podExecCatErr inside eventually (no Fatalf on first miss) - Wait for deployment ready after configSyncReady before reading mounts Co-authored-by: Oleg Zimakov <[email protected]>
Co-authored-by: Oleg Zimakov <[email protected]>
Co-authored-by: Oleg Zimakov <[email protected]>
Co-authored-by: Oleg Zimakov <[email protected]>
Add scripts/ci-docker-retry.sh with exponential backoff for docker build and pull steps in U3 and E2E workflows. Drop Dockerfile syntax directive to avoid an extra registry fetch before the main build. Co-authored-by: Oleg Zimakov <[email protected]>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements Phase 3 — Ship readiness and the U3 v1.0 acceptance gate from
PLAN.md, completing the path to v1.0 after U2.S3.1 — Security conformance & hardening
test/e2e/security_test.go: pod security (non-root, read-only rootfs) and RBAC strip/restore conformance (A9), plus namespaced-scope isolationTestU2AbuseCaseswithManifestKindNotAllowedandManifestNamespaceViolation(A11)docs/security.mdhardening guide +docs/adr/000-threat-model.mdS3.2 — Documentation suite (NFR7)
scripts/verify-spec-refs.sh,scripts/verify-doc-links.shS3.3 — Release engineering
make image(multi-arch buildx),make manifests-bundle.github/workflows/release.yml: SemVer tag → multi-arch image, Helm chart, manifest bundle, SBOM, cosigntest/e2e/lifecycle_test.go: Helm upgrade + uninstall journeys (A12)U3 — Acceptance gate
test/e2e/acceptance_test.go: A2 mounted-volume content via pod exec; A1–A12 ownership matrix.github/workflows/u3.yml: matrix over k8s v1.31 + v1.30, Helm + plain manifests; namespaced A9 job; A12 uninstall jobmake e2e-u3orchestrates the full gateAlso included (S0.1/S0.3 gaps)
LICENSE(Apache-2.0),CONTRIBUTING.md,CODE_OF_CONDUCT.md,SECURITY.mdVerification
make verify(tidy, vet, build, unit+envtest, docs CI) — greengo test -tags e2e -c ./test/e2e/...— compilesci.yml) — greene2e.yml) — greenu3.yml) — green (all 4 matrix jobs + A9 namespaced + A12 uninstall)CI hardening (latest)
scripts/ci-docker-retry.sh: exponential backoff fordocker build/pullin U3 and E2E workflows (handles transient Docker Hub 500s)# syntax=docker/dockerfile:1fromDockerfileto avoid an extra registry fetch before buildSelf-review (virtual team)
PLAN refs
S3.1, S3.2, S3.3, U3, A9, A11, A12, NFR7, NFR10, T5, T7, TM8