Claude
0eeae350cf
fix: set KC_HOSTNAME_STRICT=false for NodePort access
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
When accessing Keycloak via NodePort (127.0.0.1:30880), strict hostname
forces redirects to keycloak.georgepet.duckdns.org which is unreachable
from local browser. With strict=false, Keycloak uses the request's host
header for redirects when accessed via NodePort, while still using the
configured hostname for ingress access.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 17:01:11 +01:00
9bb1c3a5a6
Merge pull request 'Add Helm unit tests for web-app chart' (#175) from feat/helm-unittest into main
2026-02-19 16:44:25 +01:00
Claude
a6578511a9
Add Helm unit tests for web-app chart (32 tests)
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
6 test suites covering deployment, service, ingress, networkpolicy,
HPA, and PSS restricted security contexts. CI step added to
pr-checks workflow (requires helm-unittest in runner image).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 16:36:31 +01:00
daa9037ef0
Merge pull request 'fix: PostgreSQL NodePort in valid range' (#174) from fix/pg-nodeport-range into main
2026-02-19 15:56:58 +01:00
Claude
944f00f23c
fix: PostgreSQL NodePort in valid range (32432)
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
NodePort 35432 was outside K8s valid range (30000-32767).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 15:54:49 +01:00
0ebcfc6a24
Merge pull request 'Phase 16: fine-grained RBAC + DB rotation prep' (#173) from feat/phase16-rbac-dynamic-secrets into main
2026-02-19 15:34:11 +01:00
Claude
f71c583d69
Phase 16: fine-grained RBAC (infra-operators) + DB rotation prep
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
- Add infra-operators group to Keycloak realm
- Add K8s RBAC: operators get full CRUD in dev/staging, readonly in prod,
cluster-level readonly for nodes/namespaces/storage, no infra ns access
- Update ArgoCD RBAC: operators → role:readonly
- Update oauth2-proxy: allow infra-operators group
- Add PostgreSQL NodePort (35432) for OpenBao Database engine access
- Update NetworkPolicy: allow NodePort traffic from node CIDR
- Extend keycloak-secrets-manager Role: statefulset get/patch for rotation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 15:33:23 +01:00
414ed94cac
Merge pull request 'promote: arch-docs bc507aa to prod' (#172) from promote/arch-docs-bc507aa-prod into main
2026-02-19 15:02:01 +01:00
Promotion Bot
07c9db9acf
promote: arch-docs bc507aa to prod
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
2026-02-19 15:01:44 +01:00
042ad592c4
Merge pull request 'promote: arch-docs bc507aa to staging' (#171) from promote/arch-docs-bc507aa-staging into main
2026-02-19 15:00:49 +01:00
Promotion Bot
b912dfa6cd
promote: arch-docs bc507aa to staging
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 9s
2026-02-19 15:00:32 +01:00
838454a2a2
Merge pull request 'deploy: arch-docs bc507aa to dev' (#170) from deploy/arch-docs-bc507aa into main
2026-02-19 14:54:45 +01:00
CI Bot
4ff49d9eb1
deploy: arch-docs bc507aa to dev
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 7s
2026-02-19 13:54:33 +00:00
6227e1ed34
Merge pull request 'Add OIDC RBAC for Keycloak groups (Phase 15)' (#169) from feat/oidc-rbac into main
2026-02-19 14:03:28 +01:00
root
ebf830bee1
Add OIDC RBAC for Keycloak groups (Phase 15)
AI Review / AI Code Review (pull_request) Successful in 3s
PR Checks / Validate & Security Scan (pull_request) Successful in 10s
2026-02-19 14:01:36 +01:00
b16b6445e3
Merge pull request 'deploy: arch-docs c40b145 to dev' (#167) from deploy/arch-docs-c40b145 into main
2026-02-18 14:59:31 +01:00
CI Bot
8f340591a8
deploy: arch-docs c40b145 to dev
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 7s
2026-02-18 13:59:14 +00:00
9d0a4e6533
Merge pull request 'promote: arch-docs f1b8c43 to prod' (#166) from promote/arch-docs-f1b8c43-prod into main
2026-02-18 13:15:53 +01:00
Promotion Bot
75639a0b2c
promote: arch-docs f1b8c43 to prod
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 7s
2026-02-18 13:15:41 +01:00
c7570137e3
Merge pull request 'promote: arch-docs f1b8c43 to staging' (#165) from promote/arch-docs-f1b8c43-staging into main
2026-02-18 13:11:40 +01:00
Promotion Bot
dd470ada24
promote: arch-docs f1b8c43 to staging
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
2026-02-18 13:11:23 +01:00
b0fbc76abe
Merge pull request 'deploy: arch-docs f1b8c43 to dev' (#164) from deploy/arch-docs-f1b8c43 into main
2026-02-18 13:06:27 +01:00
CI Bot
4a20297571
deploy: arch-docs f1b8c43 to dev
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
2026-02-18 12:06:10 +00:00
78d029e10f
Merge pull request 'deploy: arch-docs aed4ad6 to dev' (#163) from deploy/arch-docs-aed4ad6 into main
2026-02-18 12:55:24 +01:00
CI Bot
6e34ded3d3
deploy: arch-docs aed4ad6 to dev
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
2026-02-18 11:55:12 +00:00
b897f124a7
Merge pull request 'deploy: arch-docs 24903e4 to dev' (#162) from deploy/arch-docs-24903e4 into main
2026-02-18 12:36:40 +01:00
CI Bot
0e7945d12d
deploy: arch-docs 24903e4 to dev
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
2026-02-18 11:36:23 +00:00
0221daaa8d
Merge pull request 'promote: arch-docs dfbd4e7 to prod' (#161) from promote/arch-docs-dfbd4e7-prod into main
2026-02-18 11:55:14 +01:00
Promotion Bot
6266209733
promote: arch-docs dfbd4e7 to prod
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 9s
2026-02-18 11:54:57 +01:00
f2312c03b3
Merge pull request 'promote: arch-docs dfbd4e7 to staging' (#160) from promote/arch-docs-dfbd4e7-staging into main
2026-02-18 11:51:23 +01:00
Promotion Bot
c4f47b0ed8
promote: arch-docs dfbd4e7 to staging
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 7s
2026-02-18 11:51:06 +01:00
629616cdd4
Merge pull request 'fix: allow ingress-nginx egress to oauth2-proxy port 4180' (#159) from fix/oauth2-proxy-egress into main
2026-02-18 11:33:37 +01:00
root
dbe72075fb
fix: allow ingress-nginx egress to oauth2-proxy port 4180
AI Review / AI Code Review (pull_request) Successful in 7s
PR Checks / Validate & Security Scan (pull_request) Successful in 17s
Ingress controller needs to reach oauth2-proxy for auth_request
subrequests on dev/staging arch-docs. Port 4180 was missing from
the egress rules, causing timeout on all auth-protected routes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 11:29:33 +01:00
ef459975da
Merge pull request 'deploy: arch-docs dfbd4e7 to dev' (#158) from deploy/arch-docs-dfbd4e7 into main
2026-02-18 11:01:29 +01:00
CI Bot
462e3044b8
deploy: arch-docs dfbd4e7 to dev
AI Review / AI Code Review (pull_request) Successful in 8s
PR Checks / Validate & Security Scan (pull_request) Successful in 10s
2026-02-18 10:00:58 +00:00
f93f96c08b
Merge pull request 'feat: switch Kyverno to Enforce mode' (#157) from feature/kyverno-enforce into main
2026-02-18 10:12:09 +01:00
root
3992d69c8e
feat: switch Kyverno image verification to Enforce mode
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
All current images in dev/staging/prod are signed with cosign.
CI pipeline signs new images automatically.
Enforce mode will block unsigned images from our registry.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 10:11:26 +01:00
38f1afcf2d
Merge pull request 'deploy: arch-docs 0b36f23 to dev' (#156) from deploy/arch-docs-0b36f23 into main
2026-02-18 10:05:58 +01:00
CI Bot
8e6567c355
deploy: arch-docs 0b36f23 to dev
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
2026-02-18 09:05:41 +00:00
d9f7551c2b
Merge pull request 'fix: add gitea DNS for Kyverno signature verification' (#155) from fix/kyverno-gitea-dns into main
2026-02-18 09:49:46 +01:00
root
3821b508f9
fix: add gitea DNS resolution for Kyverno signature verification
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 7s
Gitea registry (ROOT_URL=http://gitea:3000) redirects V2 token auth
to http://gitea:3000/v2/token. K8s pods can't resolve 'gitea' Docker
hostname. This Service+Endpoints maps gitea to 10.10.10.1 in kyverno ns.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 09:49:07 +01:00
38432ac92c
Merge pull request 'fix: skip Rekor tlog verification in Kyverno policy' (#154) from fix/kyverno-skip-rekor into main
2026-02-18 09:41:26 +01:00
root
f8f27657f1
fix: skip Rekor tlog and SCT verification in Kyverno policy
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 10s
Private infrastructure has no internet access from K8s nodes.
Kyverno was failing to verify signatures because it tried to
fetch Rekor TUF root from tuf-repo-cdn.sigstore.dev (timeout).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 09:39:08 +01:00
336ec1166e
Merge pull request 'deploy: arch-docs 2d487ec to dev' (#153) from deploy/arch-docs-2d487ec into main
2026-02-18 08:59:29 +01:00
CI Bot
ca0fee011e
deploy: arch-docs 2d487ec to dev
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / Validate & Security Scan (pull_request) Successful in 8s
2026-02-18 07:59:12 +00:00
2a22770d89
Merge pull request 'fix: set mutateDigest=false for Kyverno Audit policy' (#152) from fix/kyverno-policy-audit into main
2026-02-18 06:24:08 +01:00
root
710be91b06
fix: set mutateDigest=false for Kyverno Audit mode policy
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 7s
2026-02-18 06:23:22 +01:00
30bcd79575
Merge pull request 'fix: add ServerSideApply for Kyverno CRDs' (#151) from fix/kyverno-ssa into main
2026-02-18 06:14:56 +01:00
root
d629bc5ef7
fix: add ServerSideApply for Kyverno CRDs (annotation too long)
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / Validate & Security Scan (pull_request) Successful in 7s
2026-02-18 06:14:08 +01:00
4b0e0bea40
Merge pull request 'feat: Kyverno + cosign image verification' (#150) from feature/cosign-kyverno into main
2026-02-18 06:10:33 +01:00