{"id":50790321,"url":"https://github.com/atensecurity/thoth-operator","last_synced_at":"2026-06-12T10:31:10.797Z","repository":{"id":355315242,"uuid":"1227617586","full_name":"atensecurity/thoth-operator","owner":"atensecurity","description":"Kubernetes operator for managing Thoth headless control-plane resources","archived":false,"fork":false,"pushed_at":"2026-06-08T02:23:33.000Z","size":119,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-08T04:15:03.831Z","etag":null,"topics":["gitops","governance","kubernetes","operator","security","thoth"],"latest_commit_sha":null,"homepage":"https://pkg.go.dev/github.com/atensecurity/thoth-operator","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/atensecurity.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-02T23:42:59.000Z","updated_at":"2026-06-08T02:23:36.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/atensecurity/thoth-operator","commit_stats":null,"previous_names":["atensecurity/thoth-operator"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/atensecurity/thoth-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atensecurity%2Fthoth-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atensecurity%2Fthoth-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atensecurity%2Fthoth-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atensecurity%2Fthoth-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/atensecurity","download_url":"https://codeload.github.com/atensecurity/thoth-operator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atensecurity%2Fthoth-operator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34240815,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gitops","governance","kubernetes","operator","security","thoth"],"created_at":"2026-06-12T10:31:10.673Z","updated_at":"2026-06-12T10:31:10.777Z","avatar_url":"https://github.com/atensecurity.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# thoth-operator\n\nKubernetes operator for managing Aten Security Thoth control-plane configuration from inside customer clusters.\n\n## Documentation\n\n- Aten Security docs: https://docs.atensecurity.com/docs/kubernetes-operator/\n- Public runbook: https://github.com/atensecurity/thoth-runbooks/blob/main/onboarding/kubernetes-operator.md\n\nThis operator reconciles a `ThothTenant` custom resource and applies desired state to the Thoth headless governance control plane:\n\n- Tenant settings (`/{tenant}/thoth/settings`)\n- Optional webhook test (`/{tenant}/thoth/settings/webhook/test`)\n- Optional MCP inventory report snapshot (`/{tenant}/thoth/mcp/inventory/report`)\n- Optional MCP catalog verification check (`/{tenant}/thoth/mcp/catalog/verify`)\n- MDM provider upsert (`/{tenant}/thoth/mdm/providers`)\n- Optional MDM sync run + polling (`/{tenant}/thoth/mdm/providers/{provider}/sync`)\n- Policy bundle provisioning (`/{tenant}/thoth/policy-bundles`)\n- Bulk compliance pack assignments (`/{tenant}/thoth/packs/apply`)\n- Optional policy sync trigger (`/{tenant}/thoth/policies/sync`)\n- Optional governance evidence backfill (`/{tenant}/governance/evidence/thoth/backfill`)\n- Optional decision-field backfill (`/{tenant}/thoth/governance/backfill-decision-fields`)\n- Optional redacted decision metadata export (`/{tenant}/thoth/governance/decision-metadata/export`)\n\n## Recommended Pattern\n\nUse a hybrid model:\n\n1. Terraform/Pulumi for platform lifecycle and global governance resources.\n2. `thoth-operator` for cluster-local day-2 operations (GitOps-driven settings, tenant bootstrap automation, secret rotation alignment).\n\n## Quick Start\n\n```bash\nhelm upgrade --install thoth-operator ./charts/thoth-operator \\\n  --namespace thoth-system \\\n  --create-namespace\n\nkubectl -n thoth-system create secret generic thoth-admin-token \\\n  --from-literal=token='\u003cTHOTH_ADMIN_BEARER_TOKEN\u003e'\n\nkubectl apply -f examples/thothtenant.yaml\n```\n\n## Repository Layout\n\n- `api/` — CRD API types\n- `controllers/` — reconcile logic\n- `internal/thoth/` — Thoth API client with retry/backoff\n- `config/` — raw Kubernetes manifests\n- `charts/thoth-operator/` — Helm chart distribution\n- `examples/` — sample resources\n\n## Configuration\n\n`ThothTenant.spec` key fields:\n\n- `tenantId` (required)\n- `apexDomain` (optional, default `atensecurity.com`)\n- `apiBaseURL` (optional override; otherwise derived as `https://grid.{tenantId}.{apexDomain}`)\n- `authMode` (optional: `auto`/`bearer`/`api_key`; default `auto`)\n- `authSecretRef` (required: Kubernetes secret name/key containing admin bearer token)\n- `settings` (optional arbitrary JSON map)\n- `mdmProvider` (optional provider block)\n- `mdmSync` (optional one-shot sync on spec generation change)\n- `webhookSettings` (optional typed webhook config + webhook test on apply)\n- `mcpInventoryReport` (optional periodic MCP endpoint inventory summary snapshot)\n- `mcpCatalogVerify` (optional policy-derived MCP catalog verification check)\n- `policyBundles` (optional list of Cedar/OPA deterministic policies to create/update)\n- `packAssignments` (optional list of bulk pack apply operations)\n- `policySync` (optional bool to trigger policy sync on generation changes)\n- `governanceEvidenceBackfill` (optional block to trigger evidence backfill on generation changes)\n- `governanceDecisionFieldBackfill` (optional block to backfill decision evidence fields)\n- `decisionMetadataExport` (optional periodic export; defaults to internal Moses collector)\n\n## Decision Metadata Export\n\n`decisionMetadataExport` is designed for model-training pipelines without leaking raw user/tool content:\n\n- Raw content and tool arguments are not exported.\n- Sensitive identities are HMAC-SHA256 hashed per tenant.\n- Export includes decision context (policy IDs, reason codes, action class, trace IDs, parameter keys).\n- By default, payload is delivered to the internal GovAPI collector:\n  `POST /:tenant-id/thoth/governance/moses/training/decision-metadata/collect`.\n- If `decisionMetadataExport.destinationUrl` is set, payload is delivered to that external endpoint instead.\n\nUse `decisionMetadataExport.authTokenSecretRef` when your external collector requires bearer auth.\n\n## Security Notes\n\n- Store Thoth admin and MDM tokens only in Kubernetes Secrets (never inline in CRs).\n- Restrict operator namespace + RBAC scope where possible.\n- Rotate secrets and rely on reconciliation for re-application.\n- Secret updates are watched; changing referenced secrets triggers immediate reconcile.\n\n## Production Checklist\n\n- Run at least two replicas with leader election enabled.\n- Scope `watchNamespace` if each tenant is isolated per namespace.\n- Use GitOps for `ThothTenant` resources and token secret rotation.\n- Pin the operator image tag and promote tags through staging before production.\n- Monitor `Ready` condition and operator logs for reconciliation failures.\n\n## Release Automation\n\n- Public release workflow: `.github/workflows/release.yml`\n- Trigger: signed tag push (`vX.Y.Z` or `vX.Y.Z-rcN`) in `atensecurity/thoth-operator`\n- GitHub release notes are sourced from the matching section in `CHANGELOG.md`\n  (for RC tags, falls back to base version or `Unreleased`).\n- Outputs:\n  - Multi-arch image: `ghcr.io/atensecurity/thoth-operator:\u003cversion\u003e`\n  - OCI Helm chart: `oci://ghcr.io/atensecurity/charts/thoth-operator:\u003cversion\u003e`\n  - Cosign signatures for both image and chart digest\n\n## License\n\nApache License 2.0.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatensecurity%2Fthoth-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fatensecurity%2Fthoth-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatensecurity%2Fthoth-operator/lists"}