
feat: fix slack notifications, gitops PR engine, rbac, and update documentation#38

Merged
mayurkr merged 16 commits into
zelyo-ai:mainfrom
Prathamesh07-stack:4-getting-started
Mar 24, 2026

Conversation


@Prathamesh07-stack Prathamesh07-stack commented Mar 17, 2026

Description

This PR addresses several critical issues that were hindering the core Observe -> Reason -> Act workflow in the Zelyo Operator. It specifically fixes Slack notification failures, enables Personal Access Token (PAT) support for GitOps PR generation, resolves RBAC permission errors, and provides a complete documentation overhaul for an improved onboarding experience.

Fixes and Enhancements

🛡️ Core & RBAC

  • Event Recording Fix: Added missing create, patch, and update permissions for events to the zelyo-operator ClusterRole. This resolves several forbidden errors in the logs when the operator attempts to record security scans and remediation actions.
  • Observability: Instrumented the SecurityPolicy controller with detailed logging to track the notification dispatch flow from detection to delivery.

📢 Slack Notifications

  • Webhook Resolution: Fixed a bug where the Slack webhook URL was not correctly retrieved from the NotificationChannel secrets. The controller now supports both url and webhook-url keys for better compatibility.
  • Severity Filtering: Verified and refined the minSeverity logic to ensure alerts are only dispatched when findings meet the user-defined threshold.

🤖 GitOps & Remediation Engine

  • PAT Authentication: Enhanced the GitHub client to support Personal Access Tokens (PAT). This allows users to quickly test the "Act" phase without requiring a complex GitHub App setup.
  • LLM Reliability: Updated default configurations and guides to use google/gemini-2.0-flash. This ensures much higher reliability and fewer 429 (Rate Limit) errors during AI reasoning compared to older models.

📚 Documentation & UX

  • Quickstart Guide: Renamed and restructured the quickstart-guide.md (formerly end-to-end-guide.md) to follow a more logical flow: Build -> Deploy -> Observe -> Act.
  • Local Dev Workflow: Added critical instructions for building local images and importing them into k3d, ensuring developers are always running their latest local fixes.
  • Troubleshooting: Expanded troubleshooting.md with diagnostic steps for Slack webhook verification and image version checks.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

How Has This Been Tested?

Verified on a local k3d cluster:

  1. Slack: Confirmed successful delivery of real-time alerts for security violations.
  2. GitOps: Confirmed successful automated creation of a Pull Request in a target repository using a GitHub PAT.
  3. RBAC: Confirmed that events are now correctly recorded without permission errors.

… for installation, replacing the previous kind and make-based local development instructions.
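The two notification fixes described in the PR body (resolving the Slack webhook from a NotificationChannel secret under either the `url` or `webhook-url` key, and gating alerts on `minSeverity`) as an added example written for this page; it is not the operator's own code. It assumes the secret's data as `map[string][]byte` (the shape of `corev1.Secret.Data`), a four-level severity scale, and a `Finding` type, none of which are shown on the PR page, and it adds the caveat a reviewer would raise about the new dispatch-flow logging: a Slack webhook URL carries its credential in the path, so logs should record the host only.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Severity is an ordered level so thresholds can be compared numerically.
// Type and constant names are assumptions for this example.
type Severity int

const (
	SeverityLow Severity = iota
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

var severityByName = map[string]Severity{
	"low":      SeverityLow,
	"medium":   SeverityMedium,
	"high":     SeverityHigh,
	"critical": SeverityCritical,
}

// ParseSeverity converts the string form a policy carries (e.g. minSeverity: high).
// Unknown values are rejected rather than silently treated as "low", so a typo
// in a policy cannot widen the set of alerts that get sent.
func ParseSeverity(s string) (Severity, error) {
	sev, ok := severityByName[strings.ToLower(strings.TrimSpace(s))]
	if !ok {
		return 0, fmt.Errorf("unknown severity %q", s)
	}
	return sev, nil
}

// Finding is a minimal stand-in for one scan result (assumed shape).
type Finding struct {
	Check    string
	Severity Severity
}

// FilterByMinSeverity keeps only findings at or above threshold, most severe
// first; this is the gate a dispatcher applies before sending anything.
func FilterByMinSeverity(findings []Finding, threshold Severity) []Finding {
	out := make([]Finding, 0, len(findings))
	for _, f := range findings {
		if f.Severity >= threshold {
			out = append(out, f)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Severity > out[j].Severity })
	return out
}

// ResolveWebhookURL reads the Slack webhook from Secret data (already
// base64-decoded by the API server). It accepts either key, preferring "url"
// when both exist, and rejects empty or non-https values so a misconfigured
// secret fails closed instead of posting findings to an unexpected endpoint.
func ResolveWebhookURL(data map[string][]byte) (string, error) {
	for _, key := range []string{"url", "webhook-url"} {
		raw, ok := data[key]
		if !ok {
			continue
		}
		v := strings.TrimSpace(string(raw))
		if v == "" {
			return "", fmt.Errorf("secret key %q is present but empty", key)
		}
		u, err := url.Parse(v)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("secret key %q does not hold an https URL", key)
		}
		return v, nil
	}
	return "", errors.New(`notification secret has neither "url" nor "webhook-url"`)
}

// WebhookLogLabel returns only the host of a webhook URL. Slack webhook URLs
// carry the credential in the path, so dispatch logs must never print the full URL.
func WebhookLogLabel(webhook string) string {
	u, err := url.Parse(webhook)
	if err != nil {
		return "<unparseable webhook>"
	}
	return u.Host
}

func main() {
	// Constructed sample secret data and findings, not taken from any real cluster.
	secret := map[string][]byte{"webhook-url": []byte("https://hooks.slack.com/services/EXAMPLE/TOKEN")}
	webhook, err := ResolveWebhookURL(secret)
	if err != nil {
		fmt.Println("notification skipped:", err)
		return
	}
	threshold, _ := ParseSeverity("high")
	findings := []Finding{
		{Check: "check-privilege-escalation", Severity: SeverityHigh},
		{Check: "check-missing-resource-limits", Severity: SeverityLow},
		{Check: "check-run-as-root", Severity: SeverityCritical},
	}
	for _, f := range FilterByMinSeverity(findings, threshold) {
		fmt.Printf("would notify %s about %s\n", WebhookLogLabel(webhook), f.Check)
	}
}
```

Running it prints two lines (the critical and high findings) labelled with `hooks.slack.com` only; the low finding is dropped by the threshold, and an `http://` webhook or a secret with neither key is reported as an error before any alert is attempted.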
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly updates the 'Getting Started' documentation, transforming the local development environment setup. The primary goal is to simplify the onboarding process for new users by aligning the local setup with common production practices, utilizing modern tools like k3d, cert-manager, and Helm. This change enhances the user experience by providing a more robust and consistent installation and testing workflow.

Highlights

  • Getting Started Guide Revamp: The entire 'Getting Started' guide has been overhauled to provide a more streamlined and production-aligned local development experience.
  • Technology Stack Update: The guide now leverages k3d for local Kubernetes clusters, cert-manager for webhook certificate management, and Helm for installing the Zelyo Operator, replacing the previous kind and make-based setup.
  • Simplified Installation Flow: The installation process is now consolidated, including steps for creating a k3d cluster, installing cert-manager, setting up the LLM API secret, and deploying the operator via its OCI Helm chart.
  • Integrated Testing Steps: Testing the operator's functionality is now integrated directly into the guide, demonstrating how to deploy an insecure workload and verify findings with a SecurityPolicy.
  • Documentation Cleanup: Obsolete sections like 'Deploying to a Real Cluster' and 'Verify Image Signature' have been removed, as the new local setup closely mirrors production deployment methods.
Changelog
  • docs/getting-started.md
    • Updated the introduction to reflect the new setup using k3d, cert-manager, and Helm.
    • Replaced the 'What You'll Need' section with 'Prerequisites' listing Docker, k3d, kubectl, and Helm.
    • Changed 'Step 1: Clone the Repository' to 'Step 1: Create a Local Cluster' using k3d cluster create.
    • Introduced 'Step 2: Install cert-manager' with Helm OCI commands.
    • Added 'Step 3: Wait for Readiness' for cert-manager components.
    • Combined LLM API secret creation and Zelyo Operator Helm installation into 'Step 4'.
    • Renamed 'Step 5: Create Your First SecurityPolicy' to 'Step 6: Test Observation (Observe → Reason)' and restructured its sub-steps.
    • Modified the example SecurityPolicy to include check-privilege-escalation and set its namespace to zelyo-system.
    • Removed the previous 'Step 6: Deploy a Test Workload', 'Step 7: Check What Zelyo Operator Found', and 'Step 8: Clean Up' sections, integrating their concepts into the new flow.
    • Deleted the 'Deploying to a Real Cluster' and 'Verify Image Signature' sections.
    • Updated the 'What's Next?' table with revised guide titles and descriptions.
Activity
  • No human activity has been recorded on this pull request yet.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request is a great initiative to modernize the getting started guide by adopting k3d, cert-manager, and Helm. The new guide is more streamlined and aligns better with current cloud-native practices. I've identified a few areas for improvement to enhance the user experience, including a critical fix for a command that would otherwise fail, removing some redundancy, re-introducing a cleanup section, and fixing a minor typo. Overall, these are excellent changes.

I am having trouble creating individual review comments. Click here to see my feedback.

docs/getting-started.md (32-36)

high

The helm install command for cert-manager is incorrect and will fail. The OCI repository path is outdated, the chart version v1.20.0 does not exist, and the crds.enabled=true flag is for older versions of the chart. I suggest updating to a recent version from the correct repository with the appropriate flag for CRD installation.

```bash
helm install cert-manager oci://quay.io/jetstack/cert-manager \
  --version v1.14.5 \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true
```

docs/getting-started.md (54-55)

medium

The namespace zelyo-system is created here with kubectl, but the subsequent helm install command also uses the --create-namespace flag. This is redundant. It's common practice to let Helm manage the namespace creation. I suggest removing this kubectl command and relying on the Helm flag for a more streamlined experience.

docs/getting-started.md (148-159)

medium

This "Clean Up" section was removed, but a getting-started guide should include instructions on how to remove the created resources to provide a complete user journey. Please consider adding an updated "Clean Up" section for the new k3d and helm based setup.

For example:

## Step 7: Clean Up

When you're finished, you can clean up the resources you created.

```bash
# Delete the test pod and policy
kubectl delete pod insecure-nginx -n default
kubectl delete -f test-security-policy.yaml

# Uninstall Zelyo Operator and cert-manager
helm uninstall zelyo-operator -n zelyo-system
helm uninstall cert-manager -n cert-manager

# Delete the k3d cluster
k3d cluster delete zelyo
```

docs/getting-started.md (150)

medium

There appears to be a typo or copy-paste artifact (xes |) at the end of the table. This line should be removed.

Copilot AI review requested due to automatic review settings March 20, 2026 06:57

Copilot AI left a comment


Pull request overview

This PR updates the documentation experience around installation/getting-started (moving to k3d + cert-manager + Helm, adding an end-to-end guide and troubleshooting), and also introduces several operator/runtime behavior changes (LLM/GitOps engine injection, PAT auth support, and SecurityPolicy-driven notifications).

Changes:

  • Revamps docs navigation and adds new docs pages (End-to-End Guide, Troubleshooting); removes Quickstart.
  • Adds runtime injection points for the remediation engine (LLM client, GitOps engine, config/strategy).
  • Adds GitHub PAT client support and wires GitOps engine initialization from a Secret; adds SecurityPolicy notification dispatch logic.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 17 comments.

| File | Description |
|---|---|
| mkdocs.yml | Updates site nav to include new docs and remove quickstart. |
| docs/getting-started.md | Rewrites getting started to k3d/cert-manager/Helm flow and references new docs. |
| docs/end-to-end-guide.md | Adds a comprehensive end-to-end setup and usage guide. |
| docs/troubleshooting.md | Adds troubleshooting steps for webhooks, Slack, LLM, and GitOps PRs. |
| internal/remediation/engine.go | Adds setters to mutate remediation engine dependencies/config at runtime. |
| internal/controller/zelyoconfig_controller.go | Injects LLM client into remediation engine and sets remediation strategy from ZelyoConfig. |
| internal/github/client.go | Adds a PAT-based GitHub client option and token logic. |
| internal/controller/remediationpolicy_controller.go | Initializes GitOps engine from a Secret (PAT) and injects into remediation engine. |
| internal/controller/securitypolicy_controller.go | Adds notification dispatch based on findings via NotificationChannels. |
| config/rbac/role.yaml | Expands manager ClusterRole permissions (including new write permissions). |
| config/samples/zelyo-operator_v1alpha1_zelyoconfig.yaml | Updates sample config defaults (mode/model/temperature type). |
| cmd/main.go | Wires remediation engine instance into the ZelyoConfig reconciler. |
Comments suppressed due to low confidence (1)

docs/getting-started.md:172

  • This page links to quickstart.md, but quickstart.md has been removed from the docs and is no longer in mkdocs nav. Update this link to the new End-to-End Guide (or another valid page) to avoid broken links in the published site.
| Guide | What You'll Learn |
|---|---|
| [Quick Start](quickstart.md) | Common recipes for security scanning |
| [CRD Reference](crd-reference.md) | Every field in every CRD explained |

@Prathamesh07-stack Prathamesh07-stack changed the title feat: Revamp getting started guide to use k3d, cert-manager, and Helm for installation, replacing the previous kind and make-based local development instructions. feat: fix slack notifications, gitops PR engine, rbac, and update documentation Mar 20, 2026
@mayurkr

mayurkr commented Mar 20, 2026

@Prathamesh07-stack could you also review the copilot and gemini code review suggestions ^

  • Also as discussed, let's merge getting-started.md with quickstart.md
  • just keep it as quickstart.md name like the original, no need to add -guide to it.

@mayurkr mayurkr merged commit e5e73fc into zelyo-ai:main Mar 24, 2026
5 checks passed