Skip to content

Phase 3: Ship readiness (S3.1–S3.3 + U3 acceptance gate)#4

Merged
ozimakov merged 9 commits into
mainfrom
cursor/phase-3-ship-readiness-38cf
Jul 7, 2026
Merged

Phase 3: Ship readiness (S3.1–S3.3 + U3 acceptance gate)#4
ozimakov merged 9 commits into
mainfrom
cursor/phase-3-ship-readiness-38cf

Conversation

@ozimakov

@ozimakov ozimakov commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Summary

Implements Phase 3 — Ship readiness and the U3 v1.0 acceptance gate from PLAN.md, completing the path to v1.0 after U2.

S3.1 — Security conformance & hardening

  • test/e2e/security_test.go: pod security (non-root, read-only rootfs) and RBAC strip/restore conformance (A9), plus namespaced-scope isolation
  • Extended TestU2AbuseCases with ManifestKindNotAllowed and ManifestNamespaceViolation (A11)
  • docs/security.md hardening guide + docs/adr/000-threat-model.md

S3.2 — Documentation suite (NFR7)

  • New docs: concepts, install (Helm + manifests, both scopes), operations, troubleshooting, upgrade/uninstall
  • README refreshed with full doc index and Phase 3 status
  • CI doc checks: scripts/verify-spec-refs.sh, scripts/verify-doc-links.sh

S3.3 — Release engineering

  • make image (multi-arch buildx), make manifests-bundle
  • .github/workflows/release.yml: SemVer tag → multi-arch image, Helm chart, manifest bundle, SBOM, cosign
  • test/e2e/lifecycle_test.go: Helm upgrade + uninstall journeys (A12)

U3 — Acceptance gate

  • test/e2e/acceptance_test.go: A2 mounted-volume content via pod exec; A1–A12 ownership matrix
  • .github/workflows/u3.yml: matrix over k8s v1.31 + v1.30, Helm + plain manifests; namespaced A9 job; A12 uninstall job
  • make e2e-u3 orchestrates the full gate

Also included (S0.1/S0.3 gaps)

  • LICENSE (Apache-2.0), CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md

Verification

  • make verify (tidy, vet, build, unit+envtest, docs CI) — green
  • go test -tags e2e -c ./test/e2e/... — compiles
  • CI (ci.yml) — green
  • E2E U1/U2 (e2e.yml) — green
  • U3 acceptance gate (u3.yml) — green (all 4 matrix jobs + A9 namespaced + A12 uninstall)

CI hardening (latest)

  • scripts/ci-docker-retry.sh: exponential backoff for docker build/pull in U3 and E2E workflows (handles transient Docker Hub 500s)
  • Removed # syntax=docker/dockerfile:1 from Dockerfile to avoid an extra registry fetch before build

Self-review (virtual team)

Role Verdict Notes
Implementer Scope matches PLAN S3.1–S3.3 + U3; parallel deliverables landed
Security (Riley) A9/A11 automated; TM8 blast radius documented; ADR maps TM→controls RBAC test restores rules in cleanup
Technical writer NFR7 doc set complete; README Getting Started + Advanced unchanged in substance, index expanded
Release engineer SemVer workflow, SBOM, cosign hooks; CRD policy documented OCI helm push may need registry setup on first release
QA A1–A12 mapped; A2 strengthened; dual k8s + dual install in CI A10 still uses simulated SSA manager (same as U1)

PLAN refs

S3.1, S3.2, S3.3, U3, A9, A11, A12, NFR7, NFR10, T5, T7, TM8

Open in Web Open in Cursor 

cursoragent and others added 9 commits July 6, 2026 18:30
Deliver security conformance tests (A9 pod/RBAC), hardening guide and ADR,
full NFR7 documentation suite, release engineering (multi-arch image target,
manifest bundles, SemVer release workflow with SBOM/signing), and the U3 kind
acceptance gate covering A1–A12 across two Kubernetes minors with Helm and
plain-manifest installs.

Also closes S0.1/S0.3 governance gaps (LICENSE, CONTRIBUTING, docs CI).

Co-authored-by: Oleg Zimakov <[email protected]>
…test

- Load all Kubernetes-shaped YAML in manifest.Load so committed Secret/ConfigMap
  manifests trigger ManifestKindNotAllowed (A11) instead of silently rendering
- Exclude manifest-shaped files from ConfigMap via IsKubernetesManifest
- Create kohen-system namespace before kubectl apply in U3 manifests matrix
- Run RBAC conformance in operator namespace when scope=namespaced

Co-authored-by: Oleg Zimakov <[email protected]>
Multi-doc files with a ConfigMap now fail guard all-or-nothing; use a
separate ExternalSecret file instead.

Co-authored-by: Oleg Zimakov <[email protected]>
Use rollout:none (kubelet in-place mount update for A2) instead of waiting
on a rolling restart with busybox. Pre-load busybox:1.36 into kind in the
U3 workflow so the exec-based mount assertion is reliable.

Co-authored-by: Oleg Zimakov <[email protected]>
- Use ./deploy/helm/kohen so helm upgrade does not treat deploy as a repo
- Retry mount exec via podExecCatErr inside eventually (no Fatalf on first miss)
- Wait for deployment ready after configSyncReady before reading mounts

Co-authored-by: Oleg Zimakov <[email protected]>
Add scripts/ci-docker-retry.sh with exponential backoff for docker build
and pull steps in U3 and E2E workflows. Drop Dockerfile syntax directive
to avoid an extra registry fetch before the main build.

Co-authored-by: Oleg Zimakov <[email protected]>
@ozimakov ozimakov marked this pull request as ready for review July 7, 2026 04:11
@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@ozimakov ozimakov merged commit 29f60c7 into main Jul 7, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants