diff --git a/go/apps/krane/backend/docker/deployment_create.go b/go/apps/krane/backend/docker/deployment_create.go
index 43f7acb344..da27eb9b9b 100644
--- a/go/apps/krane/backend/docker/deployment_create.go
+++ b/go/apps/krane/backend/docker/deployment_create.go
@@ -79,7 +79,7 @@ func (d *docker) CreateDeployment(ctx context.Context, req *connect.Request[kran
 "unkey.managed.by": "krane",
 },
 ExposedPorts: exposedPorts,
- Env: env,
+ // Env is set per-instance below with UNKEY_INSTANCE_ID
 }
 //nolint:exhaustruct // Docker SDK types have many optional fields
diff --git a/go/apps/krane/secrets/token/k8s_validator.go b/go/apps/krane/secrets/token/k8s_validator.go
index baba4fb94b..c4ea99734f 100644
--- a/go/apps/krane/secrets/token/k8s_validator.go
+++ b/go/apps/krane/secrets/token/k8s_validator.go
@@ -23,6 +23,7 @@ func NewK8sValidator(cfg K8sValidatorConfig) *K8sValidator {
 }
 func (v *K8sValidator) Validate(ctx context.Context, token string, deploymentID string) (*ValidationResult, error) {
+ //nolint:exhaustruct // k8s API types have many optional fields
 tokenReview := &authv1.TokenReview{
 Spec: authv1.TokenReviewSpec{Token: token},
 }
diff --git a/go/apps/secrets-webhook/internal/services/mutator/config.go b/go/apps/secrets-webhook/internal/services/mutator/config.go
index 4067ef8b2a..3af715aee9 100644
--- a/go/apps/secrets-webhook/internal/services/mutator/config.go
+++ b/go/apps/secrets-webhook/internal/services/mutator/config.go
@@ -3,9 +3,10 @@ package mutator
 import "fmt"
 const (
- unkeyEnvVolumeName = "unkey-env-bin"
- unkeyEnvMountPath = "/unkey"
- unkeyEnvBinary = "/unkey/unkey-env"
+ unkeyEnvVolumeName = "unkey-env-bin"
+ unkeyEnvMountPath = "/unkey"
+ unkeyEnvBinary = "/unkey/unkey-env"
+ //nolint:gosec // G101: This is a file path, not credentials
 ServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 )
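Review bot: In deployment_create.go, dropping `Env: env` from the shared container config in `CreateDeployment` is a behaviour change in a commit whose other hunks only add lint suppressions or zero-value fields, and the per-instance assignment the new comment points to lies outside this hunk. It is worth confirming that every container-create path below sets `Env`, because a container started from this config without it would come up with none of its configured environment. If the per-instance slice is built with `append` on `env`, it should be built from a copy so that instances cannot share a backing array; that part cannot be checked from here. A fuller comment would make the intent explicit: `// Env is deliberately omitted: each instance gets its own copy of env plus UNKEY_INSTANCE_ID when it is created below.`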
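Review bot: In k8s_validator.go, the new `//nolint:exhaustruct` on the `authv1.TokenReview` literal in `Validate` also hides the one omitted field that matters for security here: `TokenReviewSpec.Audiences` is left unset, so the API server checks the token against its own default audience rather than one specific to this service. If that is intended, say so next to the suppression, e.g. `// Audiences is left empty on purpose: tokens are checked against the API server's default audience`; otherwise set `Audiences` explicitly and check that `Status.Audiences` in the response contains the expected value. The rest of `Validate`, including how `deploymentID` is tied to the authenticated identity, is outside this hunk.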
@@ -31,7 +32,10 @@ type podConfig struct {
 }
 func (m *Mutator) loadPodConfig(annotations map[string]string) (*podConfig, error) {
- cfg := &podConfig{}
+ cfg := &podConfig{
+ DeploymentID: "",
+ ProviderEndpoint: "",
+ }
 cfg.DeploymentID = annotations[m.cfg.GetAnnotation(AnnotationDeploymentID)]
 if cfg.DeploymentID == "" {
diff --git a/go/apps/secrets-webhook/internal/services/mutator/mutator.go b/go/apps/secrets-webhook/internal/services/mutator/mutator.go
index c9db211b6d..2a3ecd96a8 100644
--- a/go/apps/secrets-webhook/internal/services/mutator/mutator.go
+++ b/go/apps/secrets-webhook/internal/services/mutator/mutator.go
@@ -41,7 +41,7 @@ func (m *Mutator) ShouldMutate(pod *corev1.Pod) bool {
 func (m *Mutator) Mutate(ctx context.Context, pod *corev1.Pod, namespace string) (*Result, error) {
 if !m.ShouldMutate(pod) {
- return &Result{Mutated: false, Message: "pod not annotated for injection"}, nil
+ return &Result{Mutated: false, Patch: nil, Message: "pod not annotated for injection"}, nil
 }
 annotations := pod.GetAnnotations()
diff --git a/go/apps/secrets-webhook/internal/services/registry/registry.go b/go/apps/secrets-webhook/internal/services/registry/registry.go
index 7c4c5a5854..cd5fa9fdcc 100644
--- a/go/apps/secrets-webhook/internal/services/registry/registry.go
+++ b/go/apps/secrets-webhook/internal/services/registry/registry.go
@@ -40,6 +40,7 @@ func (r *Registry) GetImageConfig(
 container *corev1.Container,
 podSpec *corev1.PodSpec,
 ) (*ImageConfig, error) {
+ //nolint:exhaustruct // k8schain has many optional fields
 chainOpts := k8schain.Options{
 Namespace: namespace,
 ServiceAccountName: podSpec.ServiceAccountName,
@@ -134,7 +135,7 @@ func (r *Registry) findPlatformManifest(manifests []v1.Descriptor) (v1.Hash, boo
 return m.Digest, true
 }
 }
- return v1.Hash{}, false
+ return v1.Hash{}, false //nolint:exhaustruct // zero value for not-found case
 }
 func targetOS() string {
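Review bot: In mutator/config.go, `loadPodConfig` now spells out `DeploymentID: ""` in the literal and overwrites the same field on the very next statement, so the zero value is written only to satisfy the linter. Initialising the field in place reads better and still keeps exhaustruct quiet: `cfg := &podConfig{DeploymentID: annotations[m.cfg.GetAnnotation(AnnotationDeploymentID)], ProviderEndpoint: ""}`. The function body continues past the end of the hunk, so whether `ProviderEndpoint` can be folded in the same way is not visible here.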
diff --git a/go/apps/secrets-webhook/routes/mutate/handler.go b/go/apps/secrets-webhook/routes/mutate/handler.go
index 884eeeaf46..d2ee7353e4 100644
--- a/go/apps/secrets-webhook/routes/mutate/handler.go
+++ b/go/apps/secrets-webhook/routes/mutate/handler.go
@@ -65,6 +65,7 @@ func (h *Handler) Handle(ctx context.Context, s *zen.Session) error {
 }
 func (h *Handler) sendResponse(s *zen.Session, uid types.UID, allowed bool, message string) error {
+ //nolint:exhaustruct // k8s admission API types have many optional fields
 response := admissionv1.AdmissionReview{
 TypeMeta: metav1.TypeMeta{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview"},
 Response: &admissionv1.AdmissionResponse{UID: uid, Allowed: allowed},
@@ -80,6 +81,7 @@ func (h *Handler) sendResponse(s *zen.Session, uid types.UID, allowed bool, mess
 func (h *Handler) sendResponseWithPatch(s *zen.Session, uid types.UID, patch []byte) error {
 patchType := admissionv1.PatchTypeJSONPatch
+ //nolint:exhaustruct // k8s admission API types have many optional fields
 response := admissionv1.AdmissionReview{
 TypeMeta: metav1.TypeMeta{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview"},
 Response: &admissionv1.AdmissionResponse{
diff --git a/go/apps/secrets-webhook/run.go b/go/apps/secrets-webhook/run.go
index d402a90002..248435e1e2 100644
--- a/go/apps/secrets-webhook/run.go
+++ b/go/apps/secrets-webhook/run.go
@@ -42,6 +42,7 @@ func Run(ctx context.Context, cfg Config) error {
 return fmt.Errorf("failed to load TLS certificates: %w", err)
 }
+ //nolint:exhaustruct // zen.Config has many optional fields with sensible defaults
 server, err := zen.New(zen.Config{
 Logger: logger,
 TLS: tlsConfig,
diff --git a/go/cmd/ctrl/main.go b/go/cmd/ctrl/main.go
index be9be1f347..8b47d7cb74 100644
--- a/go/cmd/ctrl/main.go
+++ b/go/cmd/ctrl/main.go
@@ -186,6 +186,7 @@ func action(ctx context.Context, cmd *cli.Command) error {
 Bucket: cmd.String("vault-s3-bucket"),
 AccessKeyID: cmd.String("vault-s3-access-key-id"),
 AccessKeySecret: cmd.String("vault-s3-access-key-secret"),
+ ExternalURL: "",
 },
 // ACME Vault configuration - Let's Encrypt certificates
 AcmeVaultMasterKeys: cmd.StringSlice("acme-vault-master-keys"),
@@ -194,6 +195,7 @@ func action(ctx context.Context, cmd *cli.Command) error {
 Bucket: cmd.String("acme-vault-s3-bucket"),
 AccessKeyID: cmd.String("acme-vault-s3-access-key-id"),
 AccessKeySecret: cmd.String("acme-vault-s3-access-key-secret"),
+ ExternalURL: "",
 },
 // Build configuration
diff --git a/go/cmd/dev/seed/ingress.go b/go/cmd/dev/seed/ingress.go
index fab6d4d42b..13eab7c202 100644
--- a/go/cmd/dev/seed/ingress.go
+++ b/go/cmd/dev/seed/ingress.go
@@ -112,6 +112,7 @@ func seedIngress(ctx context.Context, cmd *cli.Command) error {
 GitCommitAuthorAvatarUrl: sql.NullString{},
 GitCommitTimestamp: sql.NullInt64{Int64: now, Valid: true},
 OpenapiSpec: sql.NullString{},
+ SecretsConfig: nil,
 Status: db.DeploymentsStatusReady,
 CreatedAt: now,
 UpdatedAt: sql.NullInt64{},
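Review bot: In cmd/ctrl/main.go, `ExternalURL: ""` is hard-coded in the vault S3 config inside `action`, and again in the ACME vault S3 config in the following hunk, while every neighbouring field is read from a `cmd.String(...)` flag. Without a comment a later reader cannot tell a deliberate empty value from a flag that was never wired up. A short trailing comment on both lines would settle it, for example `ExternalURL: "", // intentionally empty: <reason>` with the real reason filled in. `action` starts and ends outside both hunks, so any use of `ExternalURL` elsewhere in it is not visible here.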