Skip to content

feat: add customer-workload service account for pod isolation#4455

Merged
chronark merged 17 commits intomainfrom
feat/env-vars-rbac-isolation
Dec 9, 2025
Merged

feat: add customer-workload service account for pod isolation#4455
chronark merged 17 commits intomainfrom
feat/env-vars-rbac-isolation

Conversation

@Flo4604
Copy link
Member

@Flo4604 Flo4604 commented Dec 2, 2025

What does this PR do?

Fixes # (issue)

If there is not an issue for this, please create one first. This is used to tracking purposes and also helps us understand why this PR exists

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Chore (refactoring code, technical debt, workflow improvements)
  • Enhancement (small improvements)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How should this be tested?

  • Test A
  • Test B

Checklist

Required

  • Filled out the "How to test" section in this PR
  • Read Contributing Guide
  • Self-reviewed my own code
  • Commented on my code in hard-to-understand areas
  • Ran pnpm build
  • Ran pnpm fmt
  • Ran make fmt on /go directory
  • Checked for warnings, there are none
  • Removed all console.logs
  • Merged the latest changes from main onto my branch with git pull origin main
  • My changes don't cause any responsiveness issues

Appreciated

  • If a UI change was made: Added a screen recording or screenshots to this PR
  • Updated the Unkey Docs if changes were necessary

@changeset-bot
Copy link

changeset-bot bot commented Dec 2, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 74b5b50

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link

vercel bot commented Dec 2, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
dashboard Error Error Dec 9, 2025 4:18pm
1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
engineering Ignored Ignored Preview Dec 9, 2025 4:18pm

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 2, 2025
edited
Loading

Warning

Rate limit exceeded

@chronark has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 25 minutes and 44 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 569a89d and 74b5b50.

📒 Files selected for processing (1)
  • go/k8s/manifests/rbac.yaml (1 hunks)
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feat/env-vars-rbac-isolation

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

This was referenced Dec 2, 2025
Merged
Merged
Merged
Merged
@Flo4604 Graphite App
Copy link
Member Author

Flo4604 commented Dec 2, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@Flo4604 Flo4604 mentioned this pull request Dec 2, 2025
Merged
19 tasks
@vercel vercel bot temporarily deployed to Preview – engineering December 2, 2025 13:41 Inactive
@vercel vercel bot temporarily deployed to Preview – dashboard December 2, 2025 13:44 Inactive
@Flo4604 Flo4604 force-pushed the feat/env-vars-krane-injection branch from ad029dc to ca3d3e9 Compare December 2, 2025 13:57
@Flo4604 Flo4604 force-pushed the feat/env-vars-rbac-isolation branch from b9d3717 to 4ba393d Compare December 2, 2025 13:57
@vercel vercel bot temporarily deployed to Preview – engineering December 2, 2025 13:57 Inactive
@vercel vercel bot temporarily deployed to Preview – dashboard December 2, 2025 13:58 Inactive
@Flo4604 Flo4604 force-pushed the feat/env-vars-rbac-isolation branch from 4ba393d to def8844 Compare December 2, 2025 14:06
@Flo4604 Flo4604 force-pushed the feat/env-vars-krane-injection branch from ca3d3e9 to 5cebd23 Compare December 2, 2025 14:06
@vercel vercel bot temporarily deployed to Preview – engineering December 2, 2025 14:06 Inactive
@vercel vercel bot temporarily deployed to Preview – dashboard December 2, 2025 14:09 Inactive
@Flo4604 Flo4604 force-pushed the feat/env-vars-krane-injection branch from 5cebd23 to fb9553e Compare December 2, 2025 14:13
@Flo4604 Flo4604 force-pushed the feat/env-vars-rbac-isolation branch from def8844 to 20627a7 Compare December 2, 2025 14:13
@vercel vercel bot temporarily deployed to Preview – engineering December 2, 2025 14:14 Inactive
@vercel vercel bot temporarily deployed to Preview – dashboard December 2, 2025 14:17 Inactive
@Flo4604 Flo4604 force-pushed the feat/env-vars-krane-injection branch from fb9553e to d343085 Compare December 2, 2025 14:42
@Flo4604 Flo4604 force-pushed the feat/env-vars-rbac-isolation branch from 20627a7 to 5492211 Compare December 2, 2025 14:42
@vercel vercel bot temporarily deployed to Preview – engineering December 2, 2025 14:43 Inactive
@vercel vercel bot temporarily deployed to Preview – dashboard December 2, 2025 14:45 Inactive
@Flo4604 Flo4604 force-pushed the feat/env-vars-rbac-isolation branch from 5492211 to 2f0ff63 Compare December 2, 2025 15:47
@Flo4604 Flo4604 force-pushed the feat/env-vars-krane-injection branch from d343085 to fdee599 Compare December 2, 2025 15:47
@vercel vercel bot temporarily deployed to Preview – engineering December 2, 2025 15:48 Inactive
@Flo4604 Flo4604 force-pushed the feat/env-vars-krane-injection branch from ce78cee to b071965 Compare December 4, 2025 17:36
@Flo4604 Flo4604 force-pushed the feat/env-vars-rbac-isolation branch from 30e9604 to 8669905 Compare December 4, 2025 17:36
@vercel vercel bot temporarily deployed to Preview – engineering December 4, 2025 17:37 Inactive
@vercel vercel bot temporarily deployed to Preview – dashboard December 4, 2025 17:40 Inactive
@Flo4604 Flo4604 mentioned this pull request Dec 4, 2025
Merged
19 tasks
Base automatically changed from feat/env-vars-krane-injection to main December 9, 2025 16:15
@chronark chronark merged commit 2a0d2d0 into main Dec 9, 2025
8 of 10 checks passed
@chronark chronark deleted the feat/env-vars-rbac-isolation branch December 9, 2025 16:16
@vercel vercel bot temporarily deployed to Preview – dashboard December 9, 2025 16:18 Inactive
mcstepp pushed a commit that referenced this pull request Dec 9, 2025
@Flo4604 @autofix-ci
@chronark @mcstepp
feat: add customer-workload service account for pod isolation (#4455)
ab29a67 
* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>
Flo4604 added a commit that referenced this pull request Dec 10, 2025
@Flo4604 @autofix-ci @chronark
feat: add customer-workload service account for pod isolation (#4455)
18cd74f 
* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>
chronark added a commit that referenced this pull request Dec 19, 2025
@Flo4604 @autofix-ci
@theabhayprajapati @MichaelUnkey @perkinsjr @chronark
Feat/add short lived docker pull tokens (#4486)
39d4702 
* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

* remove gw from k8s manifest, add agent fix ctrl vault for certs

* seperate master keys too

* add inital webhook stuff

* add generated stuff

* adjust comments

* use otel lgtm stack in k8s too

* fix some rabbit comments

* fix some rabbit comments

* get rid of some unncessary comments

* actually add unkey env cmd gitignores...

* fix golint issues

* Fix/update validation issues status label (#4478)

* fix: update API key status label from 'Potential issues' to 'High Error Rate'

Changed the validation-issues status label to more clearly communicate
that the key is receiving invalid requests, rather than implying the
API or key itself is broken.

Changes:
- Label: 'Potential issues' → 'High Error Rate'
- Tooltip: Updated to clarify that requests are invalid (rate limited,
  unauthorized, etc.) rather than suggesting system issues

Fixes #4474

* chore: apply biome formatting

* fix: update status label to 'Elevated Rejections' per review

---------

Co-authored-by: CodeReaper <148160799+MichaelUnkey@users.noreply.github.com>

* chore: Remove un-used UI components (#4472)

* removed un used components

* updated members refs

---------

Co-authored-by: James P <james@unkey.dev>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* perf: fix n+1 (#4484)

* fix: add 403 error when 0 key verification perms (#4483)

* fix: add 403 error when 0 key verification perms

* cleanup tests

* feat: add environment variables db schema and queries (#4450)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars (#4451)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: add GetPullToken

* feat: dashboard UI for environment variables management (#4452)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: decrypt env vars in CTRL workflow before passing to Krane (#4453)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: inject env vars into pod spec via Krane (#4454)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: add customer-workload service account for pod isolation (#4455)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* remove gw from k8s manifest, add agent fix ctrl vault for certs (#4463)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

* remove gw from k8s manifest, add agent fix ctrl vault for certs

* seperate master keys too

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* chore: Make Stripe Great Again (#4479)

* fix: Make stripe webhooks more robust

* chore: Move alert to UI (#4485)

* Moved alert to ui and swapped usages

* feat: better env var injection (#4468)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

* remove gw from k8s manifest, add agent fix ctrl vault for certs

* seperate master keys too

* add inital webhook stuff

* add generated stuff

* adjust comments

* use otel lgtm stack in k8s too

* fix some rabbit comments

* fix some rabbit comments

* get rid of some unncessary comments

* actually add unkey env cmd gitignores...

* fix golint issues (#4477)

* [autofix.ci] apply automated fixes

* fix fmt

* linter be happy

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* make token pod owned

* feat: add lets encrypt challenges (#4471)

* feat: add lets encrypt challenges

* always disable cname following

* cleanup some code

* cleanup some code

* cleanup some code

* cleanup some code

* cleanup some code

* fix golint issues

* fix golint issues

* fmt

* remove old webhook code

* remove old webhook code

* make build id not optiona

* cleanup

* cleanup

* fmt

* fmt

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: abhay <88815641+theabhayprajapati@users.noreply.github.com>
Co-authored-by: CodeReaper <148160799+MichaelUnkey@users.noreply.github.com>
Co-authored-by: James P <james@unkey.dev>
Co-authored-by: Andreas Thomas <dev@chronark.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chronark chronark chronark approved these changes

@perkinsjr perkinsjr Awaiting requested review from perkinsjr perkinsjr is a code owner

@imeyer imeyer Awaiting requested review from imeyer imeyer is a code owner

@mcstepp mcstepp Awaiting requested review from mcstepp mcstepp is a code owner

@ogzhanolguncu ogzhanolguncu Awaiting requested review from ogzhanolguncu ogzhanolguncu is a code owner

@MichaelUnkey MichaelUnkey Awaiting requested review from MichaelUnkey MichaelUnkey is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Flo4604 @chronark