Zastava CLI Commands

Module

Cli

Status

IMPLEMENTED

Description

Zastava CLI commands backed by a dedicated Zastava module with agent, observer, and webhook components for Kubernetes admission controller management. They provide install, configure, status, logs, and uninstall operations for the admission webhook.

Implementation Details

  • Command Group: src/Cli/StellaOps.Cli/Commands/ZastavaCommandGroup.cs -- ZastavaCommandGroup (static class)
    • Sprint: SPRINT_20260117_020_CLI_zastava_webhooks (ZAS-001 through ZAS-005)
  • Backend Module: src/Zastava/ -- Zastava Kubernetes admission controller
  • DTOs: ZastavaConfig (Namespace, Policy, AllowedRegistries, BlockUnsigned, BlockCritical), ZastavaStatus (Namespace, WebhookRegistered, WebhookMode, PodStatus, Replicas, CertificateExpires, Statistics), AdmissionStats (TotalRequests, Allowed, Denied, Errors, Since)
  • Commands:
    • stella zastava install [--namespace <ns>] [--mode validating|mutating|both] [--output <path>] [--apply] [--dry-run] -- install admission webhook with manifest generation. Generates: Namespace, ServiceAccount, RBAC, TLS Certificate Secret, Deployment, Service, WebhookConfiguration
    • stella zastava configure [--policy <id>] [--allow-registries <list>] [--block-unsigned] [--block-critical] [--namespace <ns>] [--format text|json] -- configure enforcement rules persisted to ConfigMap
    • stella zastava status [--namespace <ns>] [--format table|json] -- show webhook status including registration, pod status, replicas, certificate expiry, and admission statistics (total/allowed/denied/errors)
    • stella zastava logs [--follow] [--since <duration>] [--decision allowed|denied|error] [--image <pattern>] [--namespace <ns>] -- show webhook admission logs with streaming and filtering
    • stella zastava uninstall --confirm [--namespace <ns>] [--remove-secrets] -- remove webhook (requires confirmation); optionally removes TLS secrets

E2E Test Plan

  • Run stella zastava install --dry-run and verify manifest preview without cluster changes
  • Run stella zastava install --namespace test-ns --mode validating --apply and verify all resources created
  • Run stella zastava install --mode mutating --output ./manifests and verify manifest files written
  • Run stella zastava configure --policy prod-policy --block-unsigned --block-critical and verify configuration update
  • Run stella zastava configure --allow-registries ghcr.io,registry.example.com --format json and verify JSON config
  • Run stella zastava status and verify table with Webhook Registered, Mode, Pod Status, Replicas, Certificate Expires
  • Run stella zastava status --format json and verify JSON with admission statistics
  • Run stella zastava logs --decision denied and verify only denied admission logs shown
  • Run stella zastava logs --image "docker.io/*" --since 1h and verify image and time filtering
  • Run stella zastava logs --follow and verify streaming mode indicator
  • Run stella zastava uninstall without --confirm and verify error requiring confirmation
  • Run stella zastava uninstall --confirm --remove-secrets and verify all resources plus TLS secrets removed
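
A health check that could consume the output of stella zastava status --format json, as an added example that is not part of the StellaOps code base. It assumes the JSON property names match the ZastavaStatus and AdmissionStats DTO fields listed above and that CertificateExpires is an ISO-8601 timestamp; the function name, thresholds and finding labels are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample; key names mirror the DTO fields on this page (casing assumed).
SAMPLE_STATUS = {
    "Namespace": "test-ns",
    "WebhookRegistered": True,
    "WebhookMode": "validating",
    "CertificateExpires": "2026-02-01T00:00:00+00:00",
    "Statistics": {"TotalRequests": 1000, "Allowed": 900, "Denied": 60,
                   "Errors": 40, "Since": "2026-01-20T00:00:00+00:00"},
}


def evaluate_status(status, now, min_cert_days=14, max_error_ratio=0.01):
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []

    # An unregistered webhook is never consulted, so nothing is being enforced.
    if not status.get("WebhookRegistered", False):
        findings.append("webhook-not-registered")

    # After the serving certificate expires the API server cannot call the
    # webhook; whether admission then fails open or closed depends on the
    # WebhookConfiguration's failurePolicy.
    expires_raw = status.get("CertificateExpires")
    if not expires_raw:
        findings.append("certificate-expiry-unknown")
    else:
        expires = datetime.fromisoformat(expires_raw)
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)  # assume UTC
        if expires <= now:
            findings.append("certificate-expired")
        elif expires - now < timedelta(days=min_cert_days):
            findings.append("certificate-expiring-soon")

    # A high share of errored admission reviews means decisions are not being made.
    stats = status.get("Statistics") or {}
    total = stats.get("TotalRequests", 0)
    if total > 0 and stats.get("Errors", 0) / total > max_error_ratio:
        findings.append("high-error-ratio")

    return findings


if __name__ == "__main__":
    check_time = datetime(2026, 1, 25, tzinfo=timezone.utc)  # constructed clock
    print(evaluate_status(SAMPLE_STATUS, check_time))
```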