Conversation
- Move webapp from operator/webapp/ to top-level webapp/
- Delete keip-container-archetype (use minimal-app instead)
- Split core-controller.yaml into composite-controller.yaml, namespace.yaml, and webhook-deployment.yaml
- Add declarative ConfigMap (keip-controller-props.yaml), replacing imperative kubectl create cm in Makefile
- Add top-level operator/kustomization.yaml enabling single-command install via kubectl apply -k
- Simplify operator Makefile
- Update CI workflows for new directory structure
CI/CD:
- Pin all third-party GitHub Actions to full commit SHAs
- Add restrictive default permissions (contents: read) to all workflows
- Fix subshell bug in verify_current_webapp_img.sh where exit 1 only exited the subshell, silently passing version mismatches
- Quote and validate $GITHUB_BASE_REF in verify_changes_update_version.sh

Operator:
- Fix RBAC: replace unused delete verb with required patch for integrationroutes; fix roleRef.apiGroup to rbac.authorization.k8s.io
- Add topologySpreadConstraints to webhook Deployment for HA
- Add startupProbe to webhook container
- Increase webhook memory limit to 256Mi for burst headroom
- Add app.kubernetes.io/part-of label to webhook pod template
- Set v1alpha1 served: false to prevent silently ignored resources
- Add x-kubernetes-list-type/list-map-keys to CRD conditions arrays

Webapp:
- Sanitize webhook debug logging to emit only resource metadata
- Add max_length (1MB) to Route.xml and namespace validation
- Add _config_failed flag to k8s_client to prevent retry storms
- Move cluster reachability check to create_route_resources to eliminate redundant API calls
- Parallelize route deployment with asyncio.gather
- Add catch-all exception handler to webhook endpoint
- Extract shared get_cert_store_type(), removing duplicate in certmanager
- Filter user labels to prevent overriding app.kubernetes.io/* selectors
- Add securityContext to generated integration route pod templates
- Fix .dockerignore to exclude venv/, .test_coverage/, and Makefile
- Add return type to _with_cors(), remove unnecessary .keys() call
- Fix relative path in test_deploy.py fixture loading

keip-integration:
- Pin eclipse-temurin base image to digest in Dockerfile and Jib
- Add application.properties with secure actuator defaults
- Remove VOLUME declarations; rely on Kubernetes volumeMounts
- Add basic Spring context load test

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
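The subshell bug named in the CI/CD list above, as an added example that is not the project's verify_current_webapp_img.sh: a version check whose `exit 1` runs inside a pipeline subshell, next to a form that fails correctly. The function names, image references and versions are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: image references, one per line (hypothetical names).
MATCHING='registry.example/webapp:0.19.0
registry.example/webapp:0.19.0'
MISMATCHED='registry.example/webapp:0.19.0
registry.example/webapp:0.18.0'

# Buggy shape: the right-hand side of a pipeline runs in a subshell, so
# `exit 1` ends only that subshell and the function continues to the echo.
verify_buggy() {  # $1 = expected version, $2 = image references
  printf '%s\n' "$2" | while read -r ref; do
    if [ "${ref##*:}" != "$1" ]; then
      echo "mismatch: $ref" >&2
      exit 1      # leaves the pipeline subshell only
    fi
  done
  echo "all image versions match $1"
}

# Fixed shape: the loop reads from a here-document, so it runs in the
# current shell and `return 1` fails the whole check.
verify_fixed() {  # $1 = expected version, $2 = image references
  while read -r ref; do
    if [ "${ref##*:}" != "$1" ]; then
      echo "mismatch: $ref" >&2
      return 1
    fi
  done <<EOF
$2
EOF
  echo "all image versions match $1"
}

# Run both checks against the mismatched sample and report what CI would see.
for check in verify_buggy verify_fixed; do
  if "$check" 0.19.0 "$MISMATCHED" >/dev/null 2>&1; then
    echo "$check: job passes despite mismatch"
  else
    echo "$check: job fails on mismatch"
  fi
done
```

Keeping the pipeline and testing its exit status right after `done` (for example `done || return 1`) is an equally valid fix when the input must come from a command.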
- Remove unused `import json` from webhook.py (ruff F401)
- Add spring-boot-starter-test dependency to keip-integration pom.xml
- Add test route XML and TestPropertySource for KeipApplicationTests
- Bump versions: operator 0.15.0→0.16.0, webapp 0.18.0→0.19.0, keip-integration 0.4.0→0.5.0
- Update operator image refs to match new versions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update verify scripts for renamed directories (minimal-app → keip-integration, operator/webapp → webapp)
- Update CLAUDE.md, README.md, Makefile, and CI README for renames
- Pass args to SpringApplication.run() in KeipApplication
- Simplify composite-controller (remove statusChecks, add HTTPS TODO)
- Harden webapp Dockerfile (non-root user, PYTHONDONTWRITEBYTECODE)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jhunzik
approved these changes
Feb 19, 2026
| hooks: | ||
| sync: | ||
| webhook: | ||
| # TODO: Migrate to HTTPS. Sync requests contain CR specs with secret references. |
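Review bot: The TODO under `webhook:` records that sync requests carrying CR specs with secret references still reach the webhook without HTTPS, but it names no tracking issue, so nothing ties the migration to a concrete follow-up. Reference an issue in the comment (for example `# TODO(<issue>): Migrate to HTTPS`) and switch the webhook URL to https once the webhook serves TLS.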
Collaborator
We should create an issue for this
Summary
Highlights
CI/CD Security
Operator
Webapp
keip-integration
Test plan
mvn verify

🤖 Generated with Claude Code