Version: 0.3

Konstruct 0.3.7

Released: March 9, 2026

Highlights

IaC Catalog Deployment Fix — IaC catalog items now commit to the correct platform GitOps repository
Public Repo Catalog Support — Catalog templates in public repositories no longer require a PAT
App Deployment — Applications can now be deployed directly from the catalog
Helm Template Support — Helm charts supported as a catalog template type
Org-Wide GitHub App Connections — Connect a GitHub App to an entire organization in a single step
Organization Selection for Super Admins — Super admins can switch between organizations more easily
IAM Policy Update — Workload cluster ESO roles now grant access to the /konstruct/{clusterName}/* SSM path prefix

IaC Catalog Deployment Fix

IaC catalog deployments now commit Terraform modules and Crossplane resources to the correct platform GitOps repository.

What Changed

Before 0.3.7: The application-operator resolved the push destination by reading the ArgoCD registry application's spec.source.repoURL. This returned the control plane registry repository instead of the platform team's project GitOps repository. IaC deployments either failed with authorization errors or committed content to the wrong repository.

After 0.3.7: The operator resolves the platform organization from the GitHub App credentials (konstruct-git-config) and constructs the correct repository URL using the project namespace:

https://github.com/{platformOrg}/{projectName}-gitops

IaC Deployment Flow

CatalogDeployment CR (control plane)
        ↓
Application-operator clones IaC template from catalog source
        ↓
Commits terraform module + Crossplane resources to platform GitOps repo
        ↓
Mgmt cluster ArgoCD syncs → creates ProviderConfig + Workspace
        ↓
Crossplane runs Terraform → provisions infrastructure

What Gets Committed

When an IaC catalog item is deployed, the operator commits the following to the platform GitOps repository:

terraform/{catalogAppName}/           # Cloned IaC module
registry/iac/{instanceName}/          # Crossplane resources
  ├── provider-config/
  │   └── provider-config.yaml        # ProviderConfig with detokenized values
  └── infrastructure/
      └── workspace.yaml              # Crossplane Workspace
registry/clusters/{clusterName}/
  └── components/iac/                 # ArgoCD applications
      ├── {instanceName}.yaml
      ├── {instanceName}-provider.yaml
      └── {instanceName}-infra.yaml

Public Repository Catalog Support

Catalog templates hosted in public GitHub repositories no longer require a Personal Access Token (PAT).

Before 0.3.7: Both the API and application-operator attempted to decrypt the PAT field even when it was empty, causing a ciphertext too short error.

After 0.3.7: The PAT field is checked before decryption. When empty, the operator clones the catalog source repository without authentication.

App Deployment

Applications can now be deployed directly from the catalog to target clusters. The application-operator handles template cloning, detokenization, and GitOps commit for application workloads alongside existing IaC support.

Helm Template Support

Helm charts are now supported as a catalog template type. Catalog entries can reference Helm charts that get deployed as ArgoCD Applications with configurable values.

Org-Wide GitHub App Connections

A GitHub App can now be connected to an entire organization in a single step. Previously, each project required its own GitHub App installation. The new flow connects at the org level and all projects within that organization inherit the connection.

Organization Selection for Super Admins

Super admins can now switch between organizations using an improved organization selector. This streamlines multi-org management for platform operators who manage multiple tenants.

IAM Policy Update

Workload cluster ESO (External Secrets Operator) IAM roles now include an additional SSM path in their policy:

arn:aws:ssm:{region}:{account}:parameter/konstruct/{clusterName}/*

AWS SSM Parameter Store reserves parameter names that begin with aws. The /konstruct/ prefix provides a dedicated namespace for catalog secrets, avoiding conflicts with AWS-managed parameters and making permissions easier to scope per cluster.

New clusters: The updated Terraform templates include this policy automatically.
Existing clusters: Run a Terraform re-apply on the affected workload cluster module to update the IAM policy.

Upgrade

Update targetRevision to 0.3.7 in your Konstruct ArgoCD Application manifest:

spec:
  source:
    chart: konstruct
    repoURL: oci://europe-west2-docker.pkg.dev/civo-com/charts
    targetRevision: 0.3.7
    helm:
      values: |
        global:
          konstructVersion: "v0.3.7"

Commit and push — ArgoCD syncs the new version automatically.

application-operator MR#72, MR#73 — App deployment, Helm template support
konstruct-api MR#149, MR#150, MR#153, MR#156, MR#157 — App deployment API, Helm support, org-wide GitHub App, super admin org selection
konstruct-ui MR#204 — Org-wide GitHub App UI
application-operator issues closed: #10, #12, #13, #15, #18, #19

Highlights​

IaC Catalog Deployment Fix​

What Changed​

IaC Deployment Flow​

What Gets Committed​

Public Repository Catalog Support​

App Deployment​

Helm Template Support​

Org-Wide GitHub App Connections​

Organization Selection for Super Admins​

IAM Policy Update​

Upgrade​

Related Work​