+3 -4

.github/workflows/chart-release.yml

reviewed

··· 2 2 3 3 on: 4 4 push: 5 5 - branches: 6 6 - - main 7 7 - paths: 8 8 - - 'helm/**' 5 5 + # Only release charts on version tags 6 6 + tags: 7 7 + - 'v*.*.*' 9 8 10 9 permissions: 11 10 contents: read

+92

.github/workflows/ci.yml

reviewed

··· 1 1 + name: CI 2 2 + 3 3 + on: 4 4 + push: 5 5 + pull_request: 6 6 + 7 7 + jobs: 8 8 + # Fast feedback: linting and unit tests first 9 9 + test-and-lint: 10 10 + name: Tests and Linting 11 11 + runs-on: ubuntu-latest 12 12 + steps: 13 13 + - name: Checkout 14 14 + uses: actions/checkout@v4 15 15 + 16 16 + - name: Setup Go 17 17 + uses: actions/setup-go@v5 18 18 + with: 19 19 + go-version-file: go.mod 20 20 + 21 21 + # Run linting first (fast feedback) 22 22 + - name: Go Lint 23 23 + uses: golangci/golangci-lint-action@v8 24 24 + with: 25 25 + version: v2.4.0 26 26 + 27 27 + # Run unit tests 28 28 + - name: Unit Tests 29 29 + run: | 30 30 + go mod tidy 31 31 + make test 32 32 + 33 33 + # Helm linting 34 34 + - name: Set up Helm 35 35 + uses: azure/setup-helm@v4 36 36 + with: 37 37 + version: '3.14.0' 38 38 + 39 39 + - name: Helm Lint 40 40 + run: | 41 41 + helm lint helm/hsm-secrets-operator 42 42 + 43 43 + - name: Helm Template Test 44 44 + run: | 45 45 + helm template test helm/hsm-secrets-operator > /tmp/rendered.yaml 46 46 + 47 47 + - name: Validate Helm Templates 48 48 + run: | 49 49 + # Basic YAML validation for multiple documents 50 50 + python -c " 51 51 + import yaml 52 52 + with open('/tmp/rendered.yaml', 'r') as f: 53 53 + docs = yaml.safe_load_all(f) 54 54 + count = 0 55 55 + for doc in docs: 56 56 + if doc is not None: 57 57 + count += 1 58 58 + print(f'YAML validation passed - {count} documents found') 59 59 + " 60 60 + 61 61 + # Only build images if tests pass 62 62 + build-test: 63 63 + name: Build Test 64 64 + runs-on: ubuntu-latest 65 65 + needs: test-and-lint 66 66 + steps: 67 67 + - name: Checkout 68 68 + uses: actions/checkout@v4 69 69 + 70 70 + - name: Set up Docker Buildx 71 71 + uses: docker/setup-buildx-action@v3 72 72 + 73 73 + # Test that both images build successfully 74 74 + - name: Build Manager Image 75 75 + uses: docker/build-push-action@v5 76 76 + with: 77 77 + context: . 78 78 + file: ./Dockerfile 79 79 + push: false 80 80 + platforms: linux/amd64 81 81 + cache-from: type=gha,scope=manager 82 82 + cache-to: type=gha,mode=max,scope=manager 83 83 + 84 84 + - name: Build Discovery Image 85 85 + uses: docker/build-push-action@v5 86 86 + with: 87 87 + context: . 88 88 + file: ./Dockerfile.discovery 89 89 + push: false 90 90 + platforms: linux/amd64,linux/arm64 91 91 + cache-from: type=gha,scope=discovery 92 92 + cache-to: type=gha,mode=max,scope=discovery

+6

.github/workflows/docker-publish.yml

reviewed

··· 18 18 19 19 20 20 jobs: 21 21 + # Run CI checks first 22 22 + ci-check: 23 23 + uses: ./.github/workflows/ci.yml 24 24 + 21 25 build-manager: 22 26 runs-on: ubuntu-latest 27 27 + needs: ci-check 23 28 permissions: 24 29 contents: read 25 30 packages: write ··· 89 94 90 95 build-discovery: 91 96 runs-on: ${{ matrix.runner }} 97 97 + needs: ci-check 92 98 permissions: 93 99 contents: read 94 100 packages: write

+48

.github/workflows/e2e-tests.yml

reviewed

··· 1 1 + name: E2E Tests 2 2 + 3 3 + # Only run E2E tests manually or on schedule (not on every push) 4 4 + on: 5 5 + workflow_dispatch: # Manual trigger 6 6 + schedule: 7 7 + - cron: '0 2 * * *' # Run nightly at 2 AM UTC 8 8 + # Optionally run on release tags 9 9 + push: 10 10 + tags: 11 11 + - 'v*.*.*' 12 12 + 13 13 + jobs: 14 14 + test-e2e: 15 15 + name: End-to-End Tests 16 16 + runs-on: ubuntu-latest 17 17 + steps: 18 18 + - name: Checkout 19 19 + uses: actions/checkout@v4 20 20 + 21 21 + - name: Setup Go 22 22 + uses: actions/setup-go@v5 23 23 + with: 24 24 + go-version-file: go.mod 25 25 + 26 26 + - name: Install Kind 27 27 + run: | 28 28 + curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 29 29 + chmod +x ./kind 30 30 + sudo mv ./kind /usr/local/bin/kind 31 31 + 32 32 + - name: Verify Kind Installation 33 33 + run: kind version 34 34 + 35 35 + - name: Run E2E Tests 36 36 + run: | 37 37 + go mod tidy 38 38 + make test-e2e 39 39 + 40 40 + - name: Collect Logs on Failure 41 41 + if: failure() 42 42 + run: | 43 43 + echo "=== Cluster Info ===" 44 44 + kubectl cluster-info dump || true 45 45 + echo "=== Pod Logs ===" 46 46 + kubectl logs -l app=hsm-secrets-operator --all-containers=true --tail=100 || true 47 47 + echo "=== Events ===" 48 48 + kubectl get events --sort-by='.lastTimestamp' || true

-57

.github/workflows/lint.yml

reviewed

··· 1 1 - name: Lint 2 2 - 3 3 - on: 4 4 - push: 5 5 - pull_request: 6 6 - 7 7 - jobs: 8 8 - golint: 9 9 - name: Go Lint 10 10 - runs-on: ubuntu-latest 11 11 - steps: 12 12 - - name: Clone the code 13 13 - uses: actions/checkout@v4 14 14 - 15 15 - - name: Setup Go 16 16 - uses: actions/setup-go@v5 17 17 - with: 18 18 - go-version-file: go.mod 19 19 - 20 20 - - name: Run linter 21 21 - uses: golangci/golangci-lint-action@v8 22 22 - with: 23 23 - version: v2.4.0 24 24 - 25 25 - helm-lint: 26 26 - name: Helm Lint 27 27 - runs-on: ubuntu-latest 28 28 - steps: 29 29 - - name: Checkout 30 30 - uses: actions/checkout@v4 31 31 - 32 32 - - name: Set up Helm 33 33 - uses: azure/setup-helm@v4 34 34 - with: 35 35 - version: '3.14.0' 36 36 - 37 37 - - name: Lint Helm chart 38 38 - run: | 39 39 - helm lint helm/hsm-secrets-operator 40 40 - 41 41 - - name: Template Helm chart 42 42 - run: | 43 43 - helm template test helm/hsm-secrets-operator > /tmp/rendered.yaml 44 44 - 45 45 - - name: Validate rendered templates 46 46 - run: | 47 47 - # Basic YAML validation for multiple documents 48 48 - python -c " 49 49 - import yaml 50 50 - with open('/tmp/rendered.yaml', 'r') as f: 51 51 - docs = yaml.safe_load_all(f) 52 52 - count = 0 53 53 - for doc in docs: 54 54 - if doc is not None: 55 55 - count += 1 56 56 - print(f'YAML validation passed - {count} documents found') 57 57 - "

-32

.github/workflows/test-e2e.yml

reviewed

··· 1 1 - name: E2E Tests 2 2 - 3 3 - on: 4 4 - push: 5 5 - pull_request: 6 6 - 7 7 - jobs: 8 8 - test-e2e: 9 9 - name: Run on Ubuntu 10 10 - runs-on: ubuntu-latest 11 11 - steps: 12 12 - - name: Clone the code 13 13 - uses: actions/checkout@v4 14 14 - 15 15 - - name: Setup Go 16 16 - uses: actions/setup-go@v5 17 17 - with: 18 18 - go-version-file: go.mod 19 19 - 20 20 - - name: Install the latest version of kind 21 21 - run: | 22 22 - curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 23 23 - chmod +x ./kind 24 24 - sudo mv ./kind /usr/local/bin/kind 25 25 - 26 26 - - name: Verify kind installation 27 27 - run: kind version 28 28 - 29 29 - - name: Running Test e2e 30 30 - run: | 31 31 - go mod tidy 32 32 - make test-e2e

-23

.github/workflows/test.yml

reviewed

··· 1 1 - name: Tests 2 2 - 3 3 - on: 4 4 - push: 5 5 - pull_request: 6 6 - 7 7 - jobs: 8 8 - test: 9 9 - name: Run on Ubuntu 10 10 - runs-on: ubuntu-latest 11 11 - steps: 12 12 - - name: Clone the code 13 13 - uses: actions/checkout@v4 14 14 - 15 15 - - name: Setup Go 16 16 - uses: actions/setup-go@v5 17 17 - with: 18 18 - go-version-file: go.mod 19 19 - 20 20 - - name: Running Tests 21 21 - run: | 22 22 - go mod tidy 23 23 - make test

+5 -1

CLAUDE.md

reviewed

··· 19 19 make setup-test-e2e # Set up Kind cluster for e2e testing 20 20 make cleanup-test-e2e # Tear down Kind cluster 21 21 22 22 + # NOTE: E2E tests are slow and run manually or nightly (not on every push) 23 23 + # To trigger E2E tests manually in GitHub Actions: 24 24 + # Go to Actions tab -> "E2E Tests" -> "Run workflow" 25 25 + 22 26 # Run specific test package 23 27 go test ./internal/controller -v 24 28 go test ./internal/hsm -v ··· 37 41 golangci-lint run ./... # Lint all packages (REQUIRED before code changes) 38 42 39 43 # Sync CRDs from config/ to helm/ after CRD changes 40 40 - make helm-sync # Sync generated CRDs to Helm templates 44 44 + make helm-sync # Sync generated CRDs to Helm crds/ directory 41 45 ``` 42 46 43 47 ### Docker Images

+3 -3

Makefile

reviewed

··· 98 98 $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases 99 99 100 100 .PHONY: helm-sync 101 101 - helm-sync: manifests ## Sync generated CRDs from config/ to helm/ templates 102 102 - @echo "Syncing CRDs from config/crd/bases/ to helm/hsm-secrets-operator/templates/crds/" 103 103 - cp config/crd/bases/*.yaml helm/hsm-secrets-operator/templates/crds/ 101 101 + helm-sync: manifests ## Sync generated CRDs from config/ to helm/crds/ 102 102 + @echo "Syncing CRDs from config/crd/bases/ to helm/hsm-secrets-operator/crds/" 103 103 + cp config/crd/bases/*.yaml helm/hsm-secrets-operator/crds/ 104 104 @echo "✅ CRDs synced successfully" 105 105 106 106 .PHONY: generate

+2 -2

helm/hsm-secrets-operator/Chart.yaml

reviewed

··· 2 2 name: hsm-secrets-operator 3 3 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets 4 4 type: application 5 5 - version: 0.2.5 6 6 - appVersion: v0.2.5 5 5 + version: 0.2.6 6 6 + appVersion: v0.2.6 7 7 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg 8 8 home: https://github.com/evanjarrett/hsm-secrets-operator 9 9 sources:

helm/hsm-secrets-operator/templates/crds/hsm.j5t.io_hsmdevices.yaml helm/hsm-secrets-operator/crds/hsm.j5t.io_hsmdevices.yaml

reviewed

helm/hsm-secrets-operator/templates/crds/hsm.j5t.io_hsmsecrets.yaml helm/hsm-secrets-operator/crds/hsm.j5t.io_hsmsecrets.yaml

reviewed