cozystack · Arsolitt · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -57,7 +57,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: azure/setup-helm@v4
-      - run: helm plugin install https://github.com/helm-unittest/helm-unittest
+      - run: helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest
       - run: helm lint charts/kilo-clustermesh-operator --strict
       - run: helm unittest charts/kilo-clustermesh-operator
 
@@ -70,3 +70,39 @@ jobs:
           go-version: "1.26.3"
       - run: make manifests generate
       - run: git diff --exit-code
+
+  image:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: [lint, test, build, helm, generate, integration]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=raw,value=main
+            type=sha,prefix=sha-,format=long
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=main
+            REVISION=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.golangci.yml b/.golangci.yml
@@ -140,6 +140,7 @@ linters:
           - revive
           - gochecknoglobals
           - noinlineerr
+          - goconst
         path: _test\.go
       - linters:
           - err113

diff --git a/Makefile b/Makefile
@@ -45,7 +45,8 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	"$(CONTROLLER_GEN)" rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	"$(CONTROLLER_GEN)" rbac:roleName=manager-role webhook paths="./..."
+	"$(CONTROLLER_GEN)" crd paths="./api/..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/kilo-clustermesh-operator/templates/deployment.yaml b/charts/kilo-clustermesh-operator/templates/deployment.yaml
@@ -33,9 +33,9 @@ spec:
           image: "{{ .Values.image.repository }}:{{ include "kilo-clustermesh-operator.imageTag" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-            - "--namespace={{ .Release.Namespace }}"
             - "--leader-elect={{ .Values.leaderElect }}"
             - "--metrics-bind-address={{ .Values.metricsBindAddress }}"
+            - "--metrics-secure={{ .Values.metricsSecure }}"
             - "--health-probe-bind-address={{ .Values.healthProbeBindAddress }}"
           securityContext:
             runAsNonRoot: true

diff --git a/charts/kilo-clustermesh-operator/tests/deployment_test.yaml b/charts/kilo-clustermesh-operator/tests/deployment_test.yaml
@@ -30,14 +30,6 @@ tests:
           path: spec.replicas
           value: 2
 
-  - it: should pass --namespace arg from release namespace
-    release:
-      namespace: test-ns
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].args
-          content: "--namespace=test-ns"
-
   - it: should pass --leader-elect=true when leaderElect is true
     set:
       leaderElect: true
@@ -62,6 +54,20 @@ tests:
           path: spec.template.spec.containers[0].args
           content: "--metrics-bind-address=:9090"
 
+  - it: should pass --metrics-secure=false by default
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--metrics-secure=false"
+
+  - it: should pass --metrics-secure=true when enabled
+    set:
+      metricsSecure: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--metrics-secure=true"
+
   - it: should pass --health-probe-bind-address from values
     set:
       healthProbeBindAddress: ":9091"

diff --git a/charts/kilo-clustermesh-operator/values.yaml b/charts/kilo-clustermesh-operator/values.yaml
@@ -9,6 +9,7 @@ replicaCount: 1
 leaderElect: true
 
 metricsBindAddress: ":8080"
+metricsSecure: false
 healthProbeBindAddress: ":8081"
 
 resources:

diff --git a/pkg/kilo/v1alpha1/register.go b/pkg/kilo/v1alpha1/register.go
@@ -22,8 +22,14 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
+// GroupName is the API group used by Kilo's Peer type.
+const GroupName = "kilo.squat.ai"
+
+// GroupVersion is the API group version used by Kilo's Peer type.
+const GroupVersion = "v1alpha1"
+
 // SchemeGroupVersion is group version used to register these objects.
-var SchemeGroupVersion = schema.GroupVersion{Group: "kilo.squat.ai", Version: "v1alpha1"} //nolint:gochecknoglobals // kubebuilder-required package-level scheme registration variable.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: GroupVersion} //nolint:gochecknoglobals // kubebuilder-required package-level scheme registration variable.
 
 // SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 var SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) //nolint:gochecknoglobals // kubebuilder-required package-level scheme registration variable.

diff --git a/pkg/kilo/v1alpha1/types_test.go b/pkg/kilo/v1alpha1/types_test.go
@@ -30,12 +30,12 @@ func TestAddToScheme(t *testing.T) {
 	s := runtime.NewScheme()
 	require.NoError(t, AddToScheme(s))
 
-	gvk := schema.GroupVersionKind{Group: "kilo.squat.ai", Version: "v1alpha1", Kind: "Peer"}
+	gvk := schema.GroupVersionKind{Group: GroupName, Version: GroupVersion, Kind: "Peer"}
 	obj, err := s.New(gvk)
 	require.NoError(t, err)
 	assert.IsType(t, &Peer{}, obj)
 
-	listGVK := schema.GroupVersionKind{Group: "kilo.squat.ai", Version: "v1alpha1", Kind: "PeerList"}
+	listGVK := schema.GroupVersionKind{Group: GroupName, Version: GroupVersion, Kind: "PeerList"}
 	listObj, err := s.New(listGVK)
 	require.NoError(t, err)
 	assert.IsType(t, &PeerList{}, listObj)

diff --git a/pkg/kilo/v1alpha1/zz_generated.deepcopy.go b/pkg/kilo/v1alpha1/zz_generated.deepcopy.go