
feat(tenants): wire the aws tenant to its signed OCI artifact #2481

Merged
devantler merged 1 commit into main from claude/aws-tenant-wiring on Jul 5, 2026


Conversation

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why

The devantler-tech/aws repo merged its scaffold and published its first signed manifests artifact (v1.0.0) tonight, but nothing on the platform consumes it yet — the aws namespace plumbing from #2412 has been waiting for exactly this artifact.

What

Adds the aws tenant's OCIRepository (cosign-verified, anonymous pull of the public artifact) and its namespace-scoped Flux Kustomization running as the tenant ServiceAccount, mirroring the github-config/unifi tenant pattern. The artifact is an empty scaffold today, so this reconciles benignly; tenant RBAC is deliberately deferred to the first activated managed-resource kinds (child issue #2326).

Fixes #2325

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 4, 2026


📝 Walkthrough

This change adds Flux GitOps resources for a new "aws" tenant under the Hetzner provider apps directory. It introduces an OCIRepository manifest that polls a public OCI registry for semver-tagged manifests with cosign signature verification, and a Kustomization manifest that reconciles those manifests into the aws namespace using a dedicated service account, with pruning, waiting, and a reconcile-exclude annotation. The local kustomization.yaml resources list is updated to include both new files.

Changes

Cohort / File | Change Summary
oci-repository.yaml | New OCIRepository resource for aws, polling ghcr.io registry, semver >=1.0.0, cosign keyless verification via GitHub Actions OIDC issuer/subject match
flux-kustomization.yaml | New Flux Kustomization for aws, configuring interval/timeout/retryInterval, pruning, waiting, service account, sourceRef to OCIRepository, reconcile-exclude annotation
kustomization.yaml | Adds oci-repository.yaml and flux-kustomization.yaml to resources list

Sequence Diagram(s)

sequenceDiagram
  participant Kustomization as aws Kustomization
  participant OCIRepository as aws OCIRepository
  participant Registry as ghcr.io/devantler-tech/aws
  Kustomization->>OCIRepository: sourceRef aws
  OCIRepository->>Registry: poll semver tag >=1.0.0
  Registry-->>OCIRepository: return manifests artifact
  OCIRepository-->>Kustomization: provide verified artifact
  Kustomization->>Kustomization: apply/prune resources in aws namespace

Related issues: #2325 (feat: AWS Crossplane provider + devantler-tech/aws tenant scaffold) — this PR addresses the "Wire aws as a platform tenant" portion of that scope.

Suggested labels: kubernetes, flux, hetzner, aws

Suggested reviewers: devantler

Poem:
A rabbit hops through YAML trees,
Finds an OCI repo with cosign keys,
A Kustomization waits with care,
Pruning namespaces, breathing air,
Aws tenant now joins the fleet with ease. 🐇☁️


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Linked Issues check: ❌ Error
  Explanation: This PR only adds tenant wiring; it does not implement the AWS provider, activation policy, or OpenBao-backed ProviderConfig required by #2325.
  Resolution: Either expand this PR to include the missing #2325 foundation work or narrow the issue linkage to the tenant-wiring subset only.

✅ Passed checks (4 passed)

Out of Scope Changes check: ✅ Passed. The changes stay focused on the aws tenant repo sync and do not introduce unrelated scope.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check: ✅ Passed. The title clearly states the main change: wiring the aws tenant to its signed OCI artifact.
Description check: ✅ Passed. The description matches the changeset and accurately explains the OCIRepository and Flux Kustomization additions.

Comment @coderabbitai help to get the list of available commands.
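The two resources that the PR description and the walkthrough above describe, written out as an added example. These are not the repository's own manifests (the page does not show them); they follow the Flux source-controller and kustomize-controller APIs. The registry path is taken from the walkthrough's sequence diagram; the intervals, the exact semver spelling, the workflow subject pattern and the ServiceAccount name are assumptions. The repository's reconcile-exclude annotation is left out because its key is not shown on this page.

```yaml
# Added example, not the PR's own files. Values marked "assumed" are not
# taken from this page. OCIRepository is served as v1 from Flux 2.6;
# older controllers use source.toolkit.fluxcd.io/v1beta2.
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: aws
  namespace: aws
spec:
  interval: 10m                          # assumed polling interval
  # Registry path from the sequence diagram. No secretRef: the artifact is
  # public, so the pull is anonymous and authentication plays no role.
  url: oci://ghcr.io/devantler-tech/aws
  ref:
    semver: ">=1.0.0"                    # every newer signed release is consumed automatically
  verify:
    provider: cosign
    # Keyless verification: there is no public key in a secretRef, so the
    # whole trust decision is the certificate identity below. Both regexes
    # are anchored so that a look-alike repo such as devantler-tech/aws-fork
    # cannot satisfy the match.
    matchOIDCIdentity:
      - issuer: "^https://token\\.actions\\.githubusercontent\\.com$"
        subject: "^https://github\\.com/devantler-tech/aws/\\.github/workflows/[^@]+@refs/.+$"  # assumed workflow location
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: aws
  namespace: aws
spec:
  interval: 10m                          # assumed
  timeout: 5m                            # assumed
  retryInterval: 2m                      # assumed
  prune: true                            # objects that vanish from the artifact are deleted
  wait: true                             # Ready only once every applied object is healthy
  targetNamespace: aws                   # namespaced objects are forced into the tenant namespace
  # Every apply is impersonated as this ServiceAccount (assumed name). Its
  # RBAC, not targetNamespace, is what stops the artifact from creating
  # cluster-scoped or cross-namespace objects; with no Role bound yet, an
  # empty scaffold reconciles and anything else is refused by the API server.
  serviceAccountName: aws
  sourceRef:
    kind: OCIRepository
    name: aws
  path: ./
```

Two things to verify on the cluster once this is applied: `flux get sources oci -n aws` should show the OCIRepository Ready with a SourceVerified condition, and the same identity rule can be checked out-of-band with `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/devantler-tech/aws/' ghcr.io/devantler-tech/aws:1.0.0` (tag assumed). The caveat worth keeping in mind is that `>=1.0.0` hands release control entirely to whoever can run the matched workflow: a compromised Actions token in devantler-tech/aws sits inside the trust boundary, so narrowing the `@refs/...` suffix of the subject to the release branch or tag pattern is the cheapest way to shrink that set.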

@devantler

Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@devantler devantler marked this pull request as ready for review July 5, 2026 06:54
@devantler devantler added this pull request to the merge queue Jul 5, 2026
Merged via the queue into main with commit 1db1676 Jul 5, 2026
15 checks passed
@devantler devantler deleted the claude/aws-tenant-wiring branch July 5, 2026 07:20
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 5, 2026
@botantler-1

botantler-1 Bot commented Jul 5, 2026

Contributor

🎉 This PR is included in version 1.100.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 5, 2026


Development

Successfully merging this pull request may close these issues.

feat: AWS Crossplane provider + devantler-tech/aws tenant scaffold

1 participant