datum-cloud · scotwells · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -15,9 +15,9 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.24.0'
+          go-version-file: 'go.mod'
 
       - name: Run linter
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.1.5
+          version: v2.12.2
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.24.0'
+          go-version-file: 'go.mod'
 
       - name: Install the latest version of kind
         run: |

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.24.0'
+          go-version-file: 'go.mod'
 
       - name: Running Tests
         run: |

diff --git a/.golangci.yml b/.golangci.yml
@@ -35,6 +35,9 @@ linters:
           - dupl
           - lll
         path: internal/*
+      - linters:
+          - errcheck
+        path: internal/cmd/.*
     paths:
       - third_party$
       - builtin$

diff --git a/.goreleaser-plugin.yaml b/.goreleaser-plugin.yaml
@@ -0,0 +1,51 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+version: 2
+
+project_name: datumctl-compute
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - id: datumctl-compute
+    binary: datumctl-compute
+    main: ./cmd/datumctl-compute
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - "-X main.version=v{{.Version}}"
+
+archives:
+  - id: datumctl-compute
+    builds:
+      - datumctl-compute
+    format: tar.gz
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    format_overrides:
+      - goos: windows
+        format: zip
+
+checksum:
+  name_template: "checksums.txt"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+      - "^chore:"
diff --git a/cmd/datumctl-compute/main.go b/cmd/datumctl-compute/main.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+	"os"
+
+	"go.datum.net/datumctl/plugin"
+
+	"go.datum.net/compute/internal/cmd/compute"
+)
+
+// version is set at build time via ldflags.
+var version = "dev"
+
+func main() {
+	plugin.ServeManifest(plugin.Manifest{
+		Name:          "compute",
+		Version:       version,
+		Description:   "Deploy and manage containerized workloads on Datum Cloud",
+		APIVersion:    1,
+		MinAPIVersion: 1,
+	})
+
+	if err := compute.Command().Execute(); err != nil {
+		os.Exit(1)
+	}
+}
diff --git a/cmd/main.go b/cmd/main.go
@@ -32,12 +32,12 @@ import (
 	computev1alpha "go.datum.net/compute/api/v1alpha"
 	"go.datum.net/compute/internal/config"
 	"go.datum.net/compute/internal/controller"
+	milomulticluster "go.datum.net/compute/internal/provider/milo"
 	computewebhook "go.datum.net/compute/internal/webhook"
 	computev1alphawebhooks "go.datum.net/compute/internal/webhook/v1alpha"
 	networkingv1alpha "go.datum.net/network-services-operator/api/v1alpha"
 	quotav1alpha1 "go.miloapis.com/milo/pkg/apis/quota/v1alpha1"
 	multiclusterproviders "go.miloapis.com/milo/pkg/multicluster-runtime"
-	milomulticluster "go.miloapis.com/milo/pkg/multicluster-runtime/milo"
 	// +kubebuilder:scaffold:imports
 )
 

diff --git a/config/base/certmanager/certificate.yaml b/config/base/certmanager/certificate.yaml
diff --git a/config/base/certmanager/kustomization.yaml b/config/base/certmanager/kustomization.yaml
diff --git a/config/base/certmanager/kustomizeconfig.yaml b/config/base/certmanager/kustomizeconfig.yaml
diff --git a/config/base/manager/manager.yaml b/config/base/manager/manager.yaml
@@ -66,20 +66,9 @@ spec:
         volumeMounts:
         - name: config
           mountPath: /config
-        - name: webhook-cert
-          mountPath: /tmp/k8s-webhook-server/serving-certs
-          readOnly: true
       serviceAccountName: compute
       terminationGracePeriodSeconds: 10
       volumes:
       - name: config
         configMap:
           name: compute-config
-      # Optional so the manager can run without admission webhooks: when
-      # `webhookServer:` is omitted from the server config, the binary
-      # skips the webhook server entirely and the missing Secret is fine.
-      - name: webhook-cert
-        secret:
-          secretName: compute-webhook-cert
-          defaultMode: 420
-          optional: true
diff --git a/config/components/csi-webhook-cert/kustomization.yaml b/config/components/csi-webhook-cert/kustomization.yaml
@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  # Add the CSI webhook cert volume and volumeMount to the manager Deployment.
+  # The issuer (csi.cert-manager.io/issuer-kind and csi.cert-manager.io/issuer-name)
+  # must be patched in by the consuming overlay or infra repo.
+  - target:
+      kind: Deployment
+      name: compute-manager
+    patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: compute-manager
+      spec:
+        template:
+          spec:
+            containers:
+              - name: manager
+                volumeMounts:
+                  - name: webhook-server-tls
+                    mountPath: /tmp/k8s-webhook-server/serving-certs
+                    readOnly: true
+            volumes:
+              - name: webhook-server-tls
+                csi:
+                  driver: csi.cert-manager.io
+                  readOnly: true
+                  volumeAttributes:
+                    csi.cert-manager.io/fs-group: "65532"
+                    csi.cert-manager.io/dns-names: compute-webhook.compute-system.svc,compute-webhook.compute-system.svc.cluster.local
diff --git a/config/overlays/dev/config.yaml b/config/overlays/dev/config.yaml
@@ -2,9 +2,4 @@ apiVersion: apiserver.config.datumapis.com/v1alpha1
 kind: WorkloadOperator
 metricsServer:
   bindAddress: "0"
-
-webhookServer:
-  tls:
-    secretRef:
-      name: compute-webhook-cert
-      namespace: kube-system
+webhookServer: {}
diff --git a/config/overlays/dev/kustomization.yaml b/config/overlays/dev/kustomization.yaml
@@ -1,55 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: compute-system
+
 resources:
   - ../../base/crd
   - ../../base/webhook
-  - ../../base/certmanager
+  - webhook-cert.yaml
 
-replacements:
-  - source:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: compute-serving-cert
-      fieldPath: .metadata.namespace
-    targets:
-      - select:
-          kind: ValidatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 0
-          create: true
-      - select:
-          kind: MutatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 0
-          create: true
-  - source:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: compute-serving-cert
-      fieldPath: .metadata.name
-    targets:
-      - select:
-          kind: ValidatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 1
-          create: true
-      - select:
-          kind: MutatingWebhookConfiguration
-        fieldPaths:
-          - .metadata.annotations.[cert-manager.io/inject-ca-from]
-        options:
-          delimiter: '/'
-          index: 1
-          create: true
+patches:
+  # Wire cainjector to the dev cert so the API server can verify the webhook.
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: MutatingWebhookConfiguration
+      metadata:
+        name: compute-mutating
+        annotations:
+          cert-manager.io/inject-ca-from: compute-system/compute-serving-cert
+  - patch: |-
+      apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        name: compute-validating
+        annotations:
+          cert-manager.io/inject-ca-from: compute-system/compute-serving-cert
 
 transformers:
   - webhook_patch.yaml
diff --git a/config/overlays/dev/webhook-cert.yaml b/config/overlays/dev/webhook-cert.yaml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: compute-serving-cert
+spec:
+  dnsNames:
+    - host.docker.internal
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: compute-webhook-cert
diff --git a/config/overlays/dev/webhook_patch.yaml b/config/overlays/dev/webhook_patch.yaml
@@ -1,23 +1,6 @@
 ---
 apiVersion: builtin
 kind: PatchTransformer
-metadata:
-  name: webhook-cert-patch
-patch: |-
-  - op: replace
-    path: /spec/dnsNames
-    value: ["host.docker.internal"]
-  - op: replace
-    path: /spec/secretName
-    value: compute-webhook-cert
-target:
-  kind: Certificate
-  group: cert-manager.io
-  version: v1
-  name: compute-serving-cert
----
-apiVersion: builtin
-kind: PatchTransformer
 metadata:
   name: mutatingwebhook-url-patch
 patch: |-