feat(crd-schema-publisher): deploy

[jfroy]

Summary by CodeRabbit

• New Features
  • Introduced crd-schema-publisher service, accessible at csp.kantai.xyz with health monitoring, persistent storage, and auto-recovery capabilities.
  • Enabled Prometheus metrics collection and Grafana dashboard integration for real-time application monitoring, visualization, and operational insights.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 8f18ef29-63cd-44f0-bbec-83dec4cb1369

📥 Commits

Reviewing files that changed from the base of the PR and between 88d963e and b36ca56.

📒 Files selected for processing (4)

• kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml
• kubernetes/apps/default/crd-schema-publisher/app/kustomization.yaml
• kubernetes/apps/default/crd-schema-publisher/ks.yaml
• kubernetes/apps/default/kustomization.yaml

✅ Files skipped from review due to trivial changes (3)

• kubernetes/apps/default/kustomization.yaml
• kubernetes/apps/default/crd-schema-publisher/ks.yaml
• kubernetes/apps/default/crd-schema-publisher/app/kustomization.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml

---

📝 Walkthrough

Walkthrough

A new Kubernetes application deployment for crd-schema-publisher is added via Flux, including an OCIRepository source, a HelmRelease with chart values for HTTP serving, persistence, health checks, and monitoring, integrated into the cluster through Kustomization resources.

Changes

CRD Schema Publisher Deployment

Layer / File(s)	Summary
Application Source & Release kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml	OCIRepository points to oci://ghcr.io/sholdee/charts/crd-schema-publisher at tag 2026.429.153650. HelmRelease installs from that source with drift detection, infinite install retry, and 3 upgrade remediation retries. Chart values enable HTTP serving on port 8081, Envoy ingress routing to csp.kantai.xyz, 1Gi persistence, liveness/readiness probes on /healthz and /readyz, and PodMonitor/PrometheusRule metrics with Grafana dashboard operator integration.
Local Kustomization kubernetes/apps/default/crd-schema-publisher/app/kustomization.yaml	References ./helmrelease.yaml as the sole resource with YAML schema directive for tooling support.
Cluster Integration kubernetes/apps/default/crd-schema-publisher/ks.yaml, kubernetes/apps/default/kustomization.yaml	Flux Kustomization resource reconciles the app directory hourly with prune enabled, retry/timeout of 2m/5m. Parent kustomization includes the new Kustomization resource in its resources list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A new app hops into the cluster today,
With charts and probes along the way,
Through Flux it flows, by Envoy it's routed,
Health checks and metrics—all well-suited!
CRD Publisher now takes its place,
In Kubernetes' bustling, dynamic space. 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly indicates the main change: adding deployment configuration for the crd-schema-publisher application across multiple Kubernetes/Flux manifest files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/crd-schema-publisher

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Review rate limit: 8/10 reviews remaining, refill in 9 minutes and 4 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: default/crd-schema-publisher

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: default/crd-schema-publisher

@@ -0,0 +1,24 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: crd-schema-publisher
+  namespace: default
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: crd-schema-publisher
+  interval: 1h
+  path: ./kubernetes/apps/default/crd-schema-publisher/app
+  prune: true
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: default
+  timeout: 5m
+
--- kubernetes/apps/default/crd-schema-publisher/app Kustomization: default/crd-schema-publisher OCIRepository: default/crd-schema-publisher

+++ kubernetes/apps/default/crd-schema-publisher/app Kustomization: default/crd-schema-publisher OCIRepository: default/crd-schema-publisher

@@ -0,0 +1,19 @@

+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    kustomize.toolkit.fluxcd.io/name: crd-schema-publisher
+    kustomize.toolkit.fluxcd.io/namespace: default
+  name: crd-schema-publisher
+  namespace: default
+spec:
+  interval: 1h
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+  ref:
+    tag: 2026.429.153650
+  url: oci://ghcr.io/sholdee/charts/crd-schema-publisher
+
--- kubernetes/apps/default/crd-schema-publisher/app Kustomization: default/crd-schema-publisher HelmRelease: default/crd-schema-publisher

+++ kubernetes/apps/default/crd-schema-publisher/app Kustomization: default/crd-schema-publisher HelmRelease: default/crd-schema-publisher

@@ -0,0 +1,69 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    kustomize.toolkit.fluxcd.io/name: crd-schema-publisher
+    kustomize.toolkit.fluxcd.io/namespace: default
+  name: crd-schema-publisher
+  namespace: default
+spec:
+  chartRef:
+    kind: OCIRepository
+    name: crd-schema-publisher
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: -1
+  interval: 1h
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    grafana:
+      dashboard:
+        operator:
+          allowCrossNamespaceImport: true
+          datasources:
+          - datasourceName: prometheus
+            inputName: DS_PROMETHEUS
+          defaultInstanceSelector:
+            enabled: false
+          enabled: true
+          instanceSelector:
+            matchLabels:
+              grafana.internal/instance: grafana
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: health
+      initialDelaySeconds: 5
+      periodSeconds: 10
+    metrics:
+      podMonitor:
+        enabled: true
+      prometheusRule:
+        enabled: true
+    persistence:
+      enabled: true
+      size: 1Gi
+    readinessProbe:
+      httpGet:
+        path: /readyz
+        port: health
+      initialDelaySeconds: 3
+      periodSeconds: 5
+    serve:
+      enabled: true
+      httpRoute:
+        enabled: true
+        hostnames:
+        - csp.kantai.xyz
+        parentRefs:
+        - name: envoy-internal
+          namespace: network
+      port: 8081
+

[github-actions]

--- HelmRelease: default/crd-schema-publisher ServiceAccount: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher ServiceAccount: default/crd-schema-publisher

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: true
+
--- HelmRelease: default/crd-schema-publisher ConfigMap: default/crd-schema-publisher-dashboard

+++ HelmRelease: default/crd-schema-publisher ConfigMap: default/crd-schema-publisher-dashboard

@@ -0,0 +1,1026 @@

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: crd-schema-publisher-dashboard
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: grafana-operator
+data:
+  crd-schema-publisher.json: |-
+    {
+      "__inputs": [
+        {
+          "name": "DS_PROMETHEUS",
+          "label": "Prometheus",
+          "description": "Prometheus datasource for CRD Schema Publisher metrics",
+          "type": "datasource",
+          "pluginId": "prometheus",
+          "pluginName": "Prometheus"
+        }
+      ],
+      "__requires": [
+        {
+          "type": "grafana",
+          "id": "grafana",
+          "name": "Grafana",
+          "version": "12.0.0"
+        },
+        {
+          "type": "datasource",
+          "id": "prometheus",
+          "name": "Prometheus",
+          "version": "1.0.0"
+        },
+        {
+          "type": "panel",
+          "id": "stat",
+          "name": "Stat",
+          "version": ""
+        },
+        {
+          "type": "panel",
+          "id": "timeseries",
+          "name": "Time series",
+          "version": ""
+        }
+      ],
+      "id": null,
+      "uid": "crd-schema-publisher",
+      "title": "CRD Schema Publisher",
+      "tags": [
+        "kubernetes",
+        "crd-schema-publisher"
+      ],
+      "timezone": "browser",
+      "editable": true,
+      "fiscalYearStartMonth": 0,
+      "graphTooltip": 1,
+      "schemaVersion": 42,
+      "time": {
+        "from": "now-6h",
+        "to": "now"
+      },
+      "refresh": "30s",
+      "templating": {
+        "list": [
+          {
+            "current": {},
+            "hide": 0,
+            "includeAll": false,
+            "multi": false,
+            "name": "DS_PROMETHEUS",
+            "options": [],
+            "query": "prometheus",
+            "queryValue": "",
+            "refresh": 1,
+            "regex": "",
+            "skipUrlSync": false,
+            "type": "datasource"
+          }
+        ]
+      },
+      "annotations": {
+        "list": [
+          {
+            "builtIn": 1,
+            "datasource": {
+              "type": "grafana",
+              "uid": "-- Grafana --"
+            },
+            "enable": true,
+            "hide": true,
+            "iconColor": "rgba(0, 211, 255, 1)",
+            "name": "Annotations & Alerts",
+            "type": "dashboard"
+          }
+        ]
+      },
+      "panels": [
+        {
+          "type": "row",
+          "title": "Health at a Glance",
+          "collapsed": false,
+          "gridPos": {
+            "h": 1,
+            "w": 24,
+            "x": 0,
+            "y": 0
+          },
+          "id": 100,
+          "panels": []
+        },
+        {
+          "id": 1,
+          "title": "Watchdog",
+          "description": "Time since last debounce loop tick. Proves the watcher is alive and looping. Green < 60s, yellow < 120s, red > 120s.",
+          "type": "stat",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "gridPos": {
+            "h": 4,
+            "w": 4,
+            "x": 0,
+            "y": 1
+          },
+          "fieldConfig": {
+            "defaults": {
+              "unit": "s",
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "yellow",
+                    "value": 60
+                  },
+                  {
+                    "color": "red",
+                    "value": 120
+                  }
+                ]
+              },
+              "color": {
+                "mode": "thresholds"
+              }
+            },
+            "overrides": []
+          },
+          "options": {
+            "reduceOptions": {
+              "values": false,
+              "calcs": [
+                "lastNotNull"
+              ],
+              "fields": ""
+            },
+            "orientation": "auto",
+            "textMode": "auto",
+            "colorMode": "background",
+            "graphMode": "none",
+            "justifyMode": "center"
+          },
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${DS_PROMETHEUS}"
+              },
+              "expr": "max(time() - crdpublisher_watchdog_timestamp)",
+              "legendFormat": "",
+              "refId": "A",
+              "instant": true
+            }
+          ]
+        },
+        {
+          "id": 2,
+          "title": "Leader",
+          "description": "Leader election status. Active = this instance holds the lease.",
+          "type": "stat",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "gridPos": {
+            "h": 4,
+            "w": 4,
+            "x": 4,
+            "y": 1
+          },
+          "fieldConfig": {
+            "defaults": {
+              "mappings": [
+                {
+                  "type": "value",
+                  "options": {
+                    "1": {
+                      "text": "Active",
+                      "color": "green",
+                      "index": 0
+                    },
+                    "0": {
+                      "text": "Standby",
+                      "color": "text",
+                      "index": 1
+                    }
+                  }
+                }
+              ],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "text",
+                    "value": null
+                  }
+                ]
+              },
+              "color": {
+                "mode": "thresholds"
+              }
+            },
+            "overrides": []
+          },
+          "options": {
+            "reduceOptions": {
+              "values": false,
+              "calcs": [
+                "lastNotNull"
+              ],
+              "fields": ""
+            },
+            "orientation": "auto",
+            "textMode": "auto",
+            "colorMode": "background",
+            "graphMode": "none",
+            "justifyMode": "center"
+          },
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${DS_PROMETHEUS}"
+              },
+              "expr": "max(crdpublisher_leader)",
+              "legendFormat": "",
+              "refId": "A",
+              "instant": true
+            }
+          ]
+        },
+        {
+          "id": 3,
+          "title": "Cycle Duration",
+          "description": "Duration of the last publish cycle.",
+          "type": "stat",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "gridPos": {
+            "h": 4,
+            "w": 4,
+            "x": 8,
+            "y": 1
+          },
+          "fieldConfig": {
+            "defaults": {
+              "unit": "s",
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "yellow",
+                    "value": 30
+                  },
+                  {
+                    "color": "red",
+                    "value": 60
+                  }
+                ]
+              },
+              "color": {
+                "mode": "thresholds"
+              }
+            },
+            "overrides": []
+          },
+          "options": {
+            "reduceOptions": {
+              "values": false,
+              "calcs": [
+                "lastNotNull"
+              ],
+              "fields": ""
+            },
+            "orientation": "auto",
+            "textMode": "auto",
+            "colorMode": "value",
+            "graphMode": "none",
+            "justifyMode": "center"
+          },
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${DS_PROMETHEUS}"
+              },
+              "expr": "max(crdpublisher_publish_cycle_duration_seconds)",
+              "legendFormat": "",
+              "refId": "A",
+              "instant": true
+            }
+          ]
+        },
+        {
+          "id": 4,
+          "title": "CRDs",
+          "description": "Number of CRDs discovered in the last publish cycle.",
+          "type": "stat",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "gridPos": {
+            "h": 4,
+            "w": 3,
+            "x": 12,
+            "y": 1
+          },
+          "fieldConfig": {
+            "defaults": {
+              "unit": "short",
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "text",
+                    "value": null
+                  }
+                ]
+              },
+              "color": {
+                "mode": "fixed",
+                "fixedColor": "text"
+              }
+            },
+            "overrides": []
+          },
+          "options": {
+            "reduceOptions": {
+              "values": false,
+              "calcs": [
+                "lastNotNull"
+              ],
+              "fields": ""
+            },
+            "orientation": "auto",
+            "textMode": "auto",
+            "colorMode": "value",
+            "graphMode": "none",
+            "justifyMode": "center"
+          },
+          "targets": [
+            {
+              "datasource": {
[Diff truncated by flux-local]
--- HelmRelease: default/crd-schema-publisher PersistentVolumeClaim: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher PersistentVolumeClaim: default/crd-schema-publisher

@@ -0,0 +1,16 @@

+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
--- HelmRelease: default/crd-schema-publisher ClusterRole: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher ClusterRole: default/crd-schema-publisher

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: default/crd-schema-publisher ClusterRoleBinding: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher ClusterRoleBinding: default/crd-schema-publisher

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crd-schema-publisher
+subjects:
+- kind: ServiceAccount
+  name: crd-schema-publisher
+  namespace: default
+
--- HelmRelease: default/crd-schema-publisher Role: default/crd-schema-publisher-leader-election

+++ HelmRelease: default/crd-schema-publisher Role: default/crd-schema-publisher-leader-election

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: crd-schema-publisher-leader-election
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - create
+  - update
+
--- HelmRelease: default/crd-schema-publisher RoleBinding: default/crd-schema-publisher-leader-election

+++ HelmRelease: default/crd-schema-publisher RoleBinding: default/crd-schema-publisher-leader-election

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: crd-schema-publisher-leader-election
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: crd-schema-publisher-leader-election
+subjects:
+- kind: ServiceAccount
+  name: crd-schema-publisher
+  namespace: default
+
--- HelmRelease: default/crd-schema-publisher Service: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher Service: default/crd-schema-publisher

@@ -0,0 +1,24 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+  - name: health
+    port: 8080
+    targetPort: health
+    protocol: TCP
+  - name: site
+    port: 8081
+    targetPort: site
+    protocol: TCP
+  selector:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+
--- HelmRelease: default/crd-schema-publisher Deployment: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher Deployment: default/crd-schema-publisher

@@ -0,0 +1,101 @@

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: crd-schema-publisher
+      app.kubernetes.io/instance: crd-schema-publisher
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: crd-schema-publisher
+        app.kubernetes.io/instance: crd-schema-publisher
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      serviceAccountName: crd-schema-publisher
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: crd-schema-publisher
+        image: ghcr.io/sholdee/crd-schema-publisher:v2026.429.153650
+        imagePullPolicy: IfNotPresent
+        args:
+        - watch
+        env:
+        - name: OUTPUT_DIR
+          value: /output
+        - name: DEBOUNCE_SECONDS
+          value: '15'
+        - name: HEALTH_PORT
+          value: '8080'
+        - name: SERVE_SITE
+          value: 'true'
+        - name: SITE_PORT
+          value: '8081'
+        - name: SERVE_ACCESS_LOG
+          value: 'false'
+        - name: LEASE_NAME
+          value: crd-schema-publisher
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        ports:
+        - name: health
+          containerPort: 8080
+          protocol: TCP
+        - name: site
+          containerPort: 8081
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: health
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: health
+          initialDelaySeconds: 3
+          periodSeconds: 5
+        resources:
+          limits:
+            cpu: 500m
+            memory: 500Mi
+          requests:
+            cpu: 50m
+            memory: 500Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - name: output
+          mountPath: /output
+      volumes:
+      - name: output
+        persistentVolumeClaim:
+          claimName: crd-schema-publisher
+
--- HelmRelease: default/crd-schema-publisher GrafanaDashboard: default/crd-schema-publisher-dashboard

+++ HelmRelease: default/crd-schema-publisher GrafanaDashboard: default/crd-schema-publisher-dashboard

@@ -0,0 +1,22 @@

+---
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: crd-schema-publisher-dashboard
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+spec:
+  instanceSelector:
+    matchLabels:
+      grafana.internal/instance: grafana
+  resyncPeriod: 10m
+  allowCrossNamespaceImport: true
+  datasources:
+  - datasourceName: prometheus
+    inputName: DS_PROMETHEUS
+  configMapRef:
+    name: crd-schema-publisher-dashboard
+    key: crd-schema-publisher.json
+
--- HelmRelease: default/crd-schema-publisher HTTPRoute: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher HTTPRoute: default/crd-schema-publisher

@@ -0,0 +1,24 @@

+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+spec:
+  parentRefs:
+  - name: envoy-internal
+    namespace: network
+  hostnames:
+  - csp.kantai.xyz
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: crd-schema-publisher
+      port: 8081
+
--- HelmRelease: default/crd-schema-publisher PodMonitor: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher PodMonitor: default/crd-schema-publisher

@@ -0,0 +1,19 @@

+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: crd-schema-publisher
+      app.kubernetes.io/instance: crd-schema-publisher
+  podMetricsEndpoints:
+  - port: health
+    interval: 30s
+    path: /metrics
+
--- HelmRelease: default/crd-schema-publisher PrometheusRule: default/crd-schema-publisher

+++ HelmRelease: default/crd-schema-publisher PrometheusRule: default/crd-schema-publisher

@@ -0,0 +1,31 @@

+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: crd-schema-publisher
+  labels:
+    app.kubernetes.io/name: crd-schema-publisher
+    app.kubernetes.io/instance: crd-schema-publisher
+    app.kubernetes.io/managed-by: Helm
+spec:
+  groups:
+  - name: crd-schema-publisher
+    rules:
+    - alert: CRDPublisherWatchdogStale
+      expr: time() - crdpublisher_watchdog_timestamp > 120
+      for: 5m
+      labels:
+        severity: warning
+      annotations:
+        summary: CRD schema publisher watchdog is stale
+        description: The crd-schema-publisher watcher loop has not sent a heartbeat
+          in over 120 seconds. This indicates the process may be stuck or crashed.
+    - alert: CRDPublisherErrorSpike
+      expr: increase(crdpublisher_publish_cycles_total{result="error"}[1h]) > 5
+      for: 15m
+      labels:
+        severity: warning
+      annotations:
+        summary: CRD schema publisher error spike
+        description: More than 5 publish cycle errors in the last hour.
+

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml (1)

35-79: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add required reloader annotation and restrictive container security context.

I don’t see explicit configuration in this HelmRelease values for pod reloader annotation or the required restrictive container securityContext defaults. Please add both to satisfy policy for all containers.

As per coding guidelines, kubernetes/apps/**/helmrelease.yaml: "All HelmRelease containers must have reloader.stakater.com/auto: \"true\" annotation" and "must use security context: runAsNonRoot true, allowPrivilegeEscalation false, drop ALL, readOnlyRootFilesystem true".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml` around
lines 35 - 79, Add the required pod reloader annotation and enforce a
restrictive container securityContext in the HelmRelease values: update the
values block (e.g., under values.serve or the chart-specific pod template
values) to include metadata.annotations with reloader.stakater.com/auto: "true",
and set a default container securityContext with runAsNonRoot: true,
allowPrivilegeEscalation: false, securityContext.capabilities.drop: ["ALL"], and
readOnlyRootFilesystem: true so all containers inherit these defaults; ensure
these keys are placed in the chart's values that map to the pod template (so
they apply to all containers) rather than only to a single container.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml`:
- Around line 23-25: Update the HelmRelease's spec.chartRef to use the shared
app-template OCIRepository: set spec.chartRef.kind to OCIRepository and
spec.chartRef.name to app-template and ensure spec.chartRef.namespace is
flux-system; then adjust any values in spec.values or spec.chart to conform to
the shared template's expectations (e.g., override chart-specific values under
spec.values instead of referencing a repo-specific chart name) so the
HelmRelease uses the centralized template provider (refer to spec.chartRef and
any overrides in the HelmRelease manifest).

In
`@kubernetes/apps/observability-agents/scrutiny-collector/app/helmrelease.yaml`:
- Around line 49-55: The HelmRelease mounts a ConfigMap named
"scrutiny-collector-config" via the "collector-config" entry but lacks the
required reloader annotation; add the annotation key reloader.stakater.com/auto
with value "true" to the HelmRelease metadata annotations (the
controller/HelmRelease resource that deploys the scrutiny collector) so
ConfigMap updates trigger restarts—locate the HelmRelease resource for the
scrutiny collector and add reloader.stakater.com/auto: "true" under its
metadata.annotations.

---

Outside diff comments:
In `@kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml`:
- Around line 35-79: Add the required pod reloader annotation and enforce a
restrictive container securityContext in the HelmRelease values: update the
values block (e.g., under values.serve or the chart-specific pod template
values) to include metadata.annotations with reloader.stakater.com/auto: "true",
and set a default container securityContext with runAsNonRoot: true,
allowPrivilegeEscalation: false, securityContext.capabilities.drop: ["ALL"], and
readOnlyRootFilesystem: true so all containers inherit these defaults; ensure
these keys are placed in the chart's values that map to the pod template (so
they apply to all containers) rather than only to a single container.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ef13117d-7c1f-45de-90d2-29699c80ec25

📥 Commits

Reviewing files that changed from the base of the PR and between 5b0ec63 and 88d963e.

📒 Files selected for processing (8)

• kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml
• kubernetes/apps/default/crd-schema-publisher/app/kustomization.yaml
• kubernetes/apps/default/crd-schema-publisher/ks.yaml
• kubernetes/apps/default/kustomization.yaml
• kubernetes/apps/observability-agents/scrutiny-collector/app/configs/collector.yaml
• kubernetes/apps/observability-agents/scrutiny-collector/app/helmrelease.yaml
• kubernetes/apps/observability-agents/scrutiny-collector/app/kustomization.yaml
• kubernetes/apps/observability-agents/scrutiny-collector/zfs/helmrelease.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use the mandated shared app-template chartRef.

spec.chartRef is wired to crd-schema-publisher, but this repo policy requires OCIRepository/app-template from flux-system. Please switch the chartRef to the shared template and align values accordingly.

Suggested baseline change

  chartRef:
    kind: OCIRepository
-   name: crd-schema-publisher
+   name: app-template
+   namespace: flux-system

As per coding guidelines, kubernetes/apps/**/helmrelease.yaml: "HelmRelease resources must use chartRef.kind: OCIRepository with name app-template in flux-system namespace".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	chartRef:
	kind: OCIRepository
	name: crd-schema-publisher
	chartRef:
	kind: OCIRepository
	name: app-template
	namespace: flux-system

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml` around
lines 23 - 25, Update the HelmRelease's spec.chartRef to use the shared
app-template OCIRepository: set spec.chartRef.kind to OCIRepository and
spec.chartRef.name to app-template and ensure spec.chartRef.namespace is
flux-system; then adjust any values in spec.values or spec.chart to conform to
the shared template's expectations (e.g., override chart-specific values under
spec.values instead of referencing a repo-specific chart name) so the
HelmRelease uses the centralized template provider (refer to spec.chartRef and
any overrides in the HelmRelease manifest).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add the required reloader annotation now that ConfigMap-driven config is mounted.

Lines 49-55 introduce a mounted collector config, but this HelmRelease still lacks reloader.stakater.com/auto: "true" on the controller. Please add it so config updates can trigger a restart path consistently.

Proposed change

     controllers:
       scrutiny-collector:
+        annotations:
+          reloader.stakater.com/auto: "true"
         type: daemonset
         containers:
           collector:

As per coding guidelines, "All HelmRelease containers must have reloader.stakater.com/auto: "true" annotation to restart on secret changes".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kubernetes/apps/observability-agents/scrutiny-collector/app/helmrelease.yaml`
around lines 49 - 55, The HelmRelease mounts a ConfigMap named
"scrutiny-collector-config" via the "collector-config" entry but lacks the
required reloader annotation; add the annotation key reloader.stakater.com/auto
with value "true" to the HelmRelease metadata annotations (the
controller/HelmRelease resource that deploys the scrutiny collector) so
ConfigMap updates trigger restarts—locate the HelmRelease resource for the
scrutiny collector and add reloader.stakater.com/auto: "true" under its
metadata.annotations.