# Zastava CLI Commands

## Module
Cli

## Status
IMPLEMENTED

## Description
Zastava CLI commands, backed by a dedicated Zastava module with agent, observer, and webhook components, for managing the Kubernetes admission controller. The commands provide install, configure, status, logs, and uninstall operations for the admission webhook.

## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/ZastavaCommandGroup.cs` -- `ZastavaCommandGroup` (static class)
  - Sprint: SPRINT_20260117_020_CLI_zastava_webhooks (ZAS-001 through ZAS-005)
- **Backend Module**: `src/Zastava/` -- Zastava Kubernetes admission controller
- **DTOs**: `ZastavaConfig` (Namespace, Policy, AllowedRegistries, BlockUnsigned, BlockCritical), `ZastavaStatus` (Namespace, WebhookRegistered, WebhookMode, PodStatus, Replicas, CertificateExpires, Statistics), `AdmissionStats` (TotalRequests, Allowed, Denied, Errors, Since)
- **Commands**:
  - `stella zastava install [--namespace <ns>] [--mode validating|mutating|both] [--output <path>] [--apply] [--dry-run]` -- install admission webhook with manifest generation. Generates: Namespace, ServiceAccount, RBAC, TLS Certificate Secret, Deployment, Service, WebhookConfiguration
  - `stella zastava configure [--policy <id>] [--allow-registries <list>] [--block-unsigned] [--block-critical] [--namespace <ns>] [--format text|json]` -- configure enforcement rules persisted to ConfigMap
  - `stella zastava status [--namespace <ns>] [--format table|json]` -- show webhook status including registration, pod status, replicas, certificate expiry, and admission statistics (total/allowed/denied/errors)
  - `stella zastava logs [--follow] [--since <duration>] [--decision allowed|denied|error] [--image <pattern>] [--namespace <ns>]` -- show webhook admission logs with streaming and filtering
  - `stella zastava uninstall --confirm [--namespace <ns>] [--remove-secrets]` -- remove webhook (requires confirmation); optionally removes TLS secrets

## E2E Test Plan
- [ ] Run `stella zastava install --dry-run` and verify manifest preview without cluster changes
- [ ] Run `stella zastava install --namespace test-ns --mode validating --apply` and verify all resources created
- [ ] Run `stella zastava install --mode mutating --output ./manifests` and verify manifest files written
- [ ] Run `stella zastava configure --policy prod-policy --block-unsigned --block-critical` and verify configuration update
- [ ] Run `stella zastava configure --allow-registries ghcr.io,registry.example.com --format json` and verify JSON config
- [ ] Run `stella zastava status` and verify table with Webhook Registered, Mode, Pod Status, Replicas, Certificate Expires
- [ ] Run `stella zastava status --format json` and verify JSON with admission statistics
- [ ] Run `stella zastava logs --decision denied` and verify only denied admission logs shown
- [ ] Run `stella zastava logs --image "docker.io/*" --since 1h` and verify image and time filtering
- [ ] Run `stella zastava logs --follow` and verify streaming mode indicator
- [ ] Run `stella zastava uninstall` without `--confirm` and verify error requiring confirmation
- [ ] Run `stella zastava uninstall --confirm --remove-secrets` and verify all resources plus TLS secrets removed
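
The `stella zastava status --format json` output listed above can feed an automated health check for the admission webhook. The script below is an added example, not part of the Stella Ops code base: the JSON key names (the `ZastavaStatus` and `AdmissionStats` DTO properties in camelCase), the value formats, the sample document, and both thresholds are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `stella zastava status --format json` output.
# Keys mirror the ZastavaStatus / AdmissionStats DTO properties in camelCase;
# the real serialization casing and value formats are assumptions.
SAMPLE_STATUS = """{
  "namespace": "example-ns",
  "webhookRegistered": true,
  "webhookMode": "validating",
  "podStatus": "Running",
  "replicas": 2,
  "certificateExpires": "2026-02-01T00:00:00Z",
  "statistics": {"totalRequests": 1000, "allowed": 940, "denied": 35,
                 "errors": 25, "since": "2026-01-18T00:00:00Z"}
}"""


def check_status(raw, now, min_cert_days=14, max_error_rate=0.01):
    """Return a list of findings for one status document; empty means healthy."""
    s = json.loads(raw)
    findings = []
    # An unregistered webhook means the API server never calls the controller.
    if not s.get("webhookRegistered"):
        findings.append("webhook not registered: admission is not enforced")
    if s.get("podStatus") != "Running" or s.get("replicas", 0) < 1:
        findings.append("no running webhook pods")
    # An expired serving certificate makes every webhook call fail TLS.
    expires = datetime.fromisoformat(s["certificateExpires"].replace("Z", "+00:00"))
    remaining = expires - now
    if remaining < timedelta(days=min_cert_days):
        findings.append(f"TLS certificate expires in {remaining.days} days")
    # Errors are requests the webhook could not decide on at all.
    stats = s.get("statistics", {})
    total = stats.get("totalRequests", 0)
    errors = stats.get("errors", 0)
    if total and errors / total > max_error_rate:
        findings.append(f"error rate {errors / total:.1%} exceeds threshold")
    return findings


if __name__ == "__main__":
    fixed_now = datetime(2026, 1, 25, tzinfo=timezone.utc)  # fixed for a repeatable run
    for finding in check_status(SAMPLE_STATUS, fixed_now):
        print("FINDING:", finding)
```

In a scheduled job, replace `SAMPLE_STATUS` with the captured CLI output and `fixed_now` with `datetime.now(timezone.utc)`.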