feat: Audit ingress to a different webserver

.devcontainer/Dockerfile

@@ -54,7 +54,7 @@ RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/i
     | sh -s -- -b /usr/local/bin ${GOLANGCI_LINT_VERSION}
 
 # Set working directory
-WORKDIR /workspace
+WORKDIR /workspaces
 
 # Create godev group for shared Go development directory access
 # This allows both root (during build) and vscode user (during dev) to write to /go
@@ -128,8 +128,8 @@ RUN groupadd -f docker && usermod -aG docker vscode
 
 # Ensure vscode user can write to workspace (empty, so fast)
 # Note: /go permissions are already set in CI stage and preserved here
-RUN chown -R vscode:vscode /workspace && \
-    chmod -R 755 /workspace
+RUN chown -R vscode:vscode /workspaces && \
+    chmod -R 755 /workspaces
 
 # Switch back to vscode user for development
 USER vscode
@@ -138,4 +138,4 @@ USER vscode
 ENV DEBIAN_FRONTEND=dialog
 
 # Default command
-CMD ["/bin/bash"]
+CMD ["/bin/bash"]

.devcontainer/SETUP_CLUSTER_TROUBLESHOOTING.md

@@ -0,0 +1,72 @@
+# Troubleshooting `make setup-cluster` in DevContainer
+
+## Symptom
+
+`make setup-cluster` fails and Kind waits for the control-plane API server, with logs like:
+
+```
+Get "https://172.19.0.2:6443/livez?timeout=10s": dial tcp 172.19.0.2:6443: connect: connection refused
+```
+
+## Root cause (current setup)
+
+`test/e2e/kind/start-cluster.sh` generates `test/e2e/kind/cluster.ignore.yaml` from `HOST_PROJECT_PATH`.
+
+In the current devcontainer config, `HOST_PROJECT_PATH` is set from `${localWorkspaceFolder}`.  
+That produced:
+
+```
+hostPath: /home/simon/git/gitops-reverser2/test/e2e/kind/audit
+```
+
+But that mounted directory exists and is empty in the container, while the real audit files are under:
+
+```
+/workspaces/gitops-reverser2/test/e2e/kind/audit
+```
+
+Because the mount source is wrong/empty, kube-apiserver cannot read:
+
+- `/etc/kubernetes/audit/policy.yaml`
+- `/etc/kubernetes/audit/webhook-config.yaml`
+
+Then kube-apiserver fails startup, and Kind reports API server connection refused on `:6443`.
+
+## Why this happens
+
+The path strategy differs by Docker mode:
+
+- Host Docker socket mode: daemon needs host-visible paths.
+- Docker-in-Docker mode: daemon needs container-visible paths.
+
+Your current config mixes modes and path assumptions, so Kind mount path resolution is inconsistent.
+
+## Fix options
+
+1. Use Docker-in-Docker only (recommended)
+- Remove host socket mount from `.devcontainer/devcontainer.json`.
+- Set `HOST_PROJECT_PATH` to container workspace path (for example `/workspaces/${localWorkspaceFolderBasename}`).
+
+2. Use host Docker socket only
+- Remove `docker-in-docker` feature.
+- Keep `HOST_PROJECT_PATH` as host path.
+
+## Quick verification
+
+Before running `make setup-cluster`, verify generated config points to a path with files:
+
+```bash
+cat test/e2e/kind/cluster.ignore.yaml
+ls -la <hostPath-from-generated-file>
+```
+
+Expected: `policy.yaml` and `webhook-config.yaml` are present.
+
+## Immediate workaround
+
+Run setup with a container-visible path explicitly:
+
+```bash
+HOST_PROJECT_PATH=/workspaces/$(basename "$PWD") make setup-cluster
+```
+

.devcontainer/devcontainer.json

@@ -5,21 +5,20 @@
     "context": "..",
     "target": "dev"
   },
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspaces/${localWorkspaceFolderBasename},type=bind",
+  "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
   "features": {
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
     "ghcr.io/devcontainers/features/common-utils:2": {
       "userUid": "automatic",
       "userGid": "automatic",
       "username": "vscode"
     },
-    "ghcr.io/devcontainers/features/docker-in-docker:2": {
-      "moby": false,
-      "dockerDashComposeVersion": "v2"
-    },
     "ghcr.io/devcontainers/features/git:1": {}
   },
   "runArgs": [
-    "--network=host",
-    "--group-add=docker"
+    "--group-add=docker",
+    "--add-host=host.docker.internal:host-gateway"
   ],
   "forwardPorts": [
     13000,
@@ -58,17 +57,21 @@
         "golang.go",
         "ms-kubernetes-tools.vscode-kubernetes-tools",
         "ms-azuretools.vscode-docker",
-        "kilocode.kilo-code"
+        "openai.chatgpt"
       ]
     }
   },
-  "postCreateCommand": "sudo chmod 666 /var/run/docker.sock || true && docker network create -d=bridge --subnet=172.19.0.0/24 kind || true && sudo chown -R vscode:vscode /workspace || true",
+  "postCreateCommand": "bash .devcontainer/post-create.sh '${containerWorkspaceFolder}'",
   "remoteUser": "vscode",
   "mounts": [
-    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
+    "source=ghconfig,target=/home/vscode/.config/gh,type=volume",
+    "source=${localEnv:HOME}${localEnv:USERPROFILE}/.gitconfig,target=/home/vscode/.gitconfig-host,type=bind,readonly,consistency=cached",
+    "source=gomodcache,target=/go/pkg/mod,type=volume",
+    "source=gobuildcache,target=/home/vscode/.cache/go-build,type=volume",
+    "source=codexconfig,target=/home/vscode/.codex,type=volume"
   ],
   "containerEnv": {
     "HOST_PROJECT_PATH": "${localWorkspaceFolder}",
-    "DOCKER_API_VERSION": "1.44"
+    "PROJECT_PATH": "/workspaces/${localWorkspaceFolderBasename}"
   }
-}
+}

.devcontainer/post-create.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+log() {
+  echo "[post-create] $*"
+}
+
+# Resolve workspace path in a way that works both inside and outside
+# VS Code-specific shell variable injection.
+workspace_dir="${1:-${containerWorkspaceFolder:-${WORKSPACE_FOLDER:-$(pwd)}}}"
+log "Using workspace directory: ${workspace_dir}"
+
+# Keep ~/.gitconfig writable inside the container while still importing host settings.
+if [ -f /home/vscode/.gitconfig-host ]; then
+  log "Configuring git to include /home/vscode/.gitconfig-host"
+  touch /home/vscode/.gitconfig
+  if git config --global --get-all include.path | grep -Fxq "/home/vscode/.gitconfig-host"; then
+    log "Host gitconfig include already present"
+  else
+    git config --global --add include.path /home/vscode/.gitconfig-host
+    log "Added host gitconfig include"
+  fi
+fi
+
+# Ensure Go-related caches exist and are writable by vscode
+log "Ensuring Go cache directories exist"
+sudo mkdir -p \
+  /home/vscode/.cache/go-build \
+  /home/vscode/.cache/goimports \
+  /home/vscode/.cache/golangci-lint
+
+# Fix ownership for workspace and cache roots used by tooling
+if [ -d "${workspace_dir}" ]; then
+  log "Fixing ownership for workspace and cache directories"
+  sudo chown -R vscode:vscode "${workspace_dir}" /home/vscode || true
+else
+  log "Workspace directory not found; fixing ownership for cache only"
+  sudo chown -R vscode:vscode /home/vscode || true
+fi
+
+log "post-create completed"