
feat(tenants): pilot the Tenant RGD local-first via an opt-in ascoachingogvaner Tenant CR #2389

Merged
devantler merged 2 commits into main from claude/tenant-rgd-migrate-asc on Jul 2, 2026

Conversation


@devantler devantler commented Jul 2, 2026

Contributor

🤖 Generated by the Daily AI Assistant

Fixes #2388. Part of #1932 (its last open acceptance criterion: one tenant migrated as a local-first pilot, behavior-preserving). The Tenant RGD (#2197) has never been instantiated; this makes the live local pilot a one-line opt-in while keeping both cluster renders bit-identical.

What

  • k8s/providers/docker/apps/tenant-ascoachingogvaner.yaml — the typed Tenant CR (externalDns: true). ascoachingogvaner's 10-file skeleton maps 1:1 onto the RGD output (namespace w/ restricted PSS, edit-impersonated SA + RoleBinding, ghcr-auth ExternalSecret, default-deny NetworkPolicy, cosign-verified OCIRepository, impersonating Kustomization, 3× tenant-external-dns bindings). Unreferenced by default per the local-apps opt-in convention — enabling it is one resources: line, documented in the kustomization header.
  • ksail.yaml + ksail.prod.yaml, with Tenant added to validation.skipKinds: the CRD is KRO-runtime-generated from the RGD, so no static catalog schema exists (Coroot/Flagger precedent). Required now, not speculatively: ksail workload validate schema-checks unreferenced files standalone, so the CR file is visited in both configs.
  • docs/TENANTS.md — §5 note that the manual multi-file copy is being replaced by the Tenant archetype, pilot status + pointer.

Decisions to steer (flagged)

  • Opt-in, not default-on, for local: a default-enabled tenant breaks the "local deploys no apps" convention and would leave the local apps layer permanently not-ready (ghcr-auth can't sync without locally-seeded OpenBao credentials → OCIRepository never pulls → wait: true fails).
  • Instance namespace = flux-system: KRO v1alpha1 generates namespace-scoped instance CRDs; children still land in the tenant namespace via the RGD's explicit namespace templating.
  • Prod migration deliberately NOT in scope: swapping the live skeleton for a Tenant CR removes those objects from the apps Kustomization inventory → Flux prune would delete the tenant namespace on prod (workloads + PVCs) before KRO recreates it. The prod ownership transition needs its own design (e.g. prune-protection during cutover), gated on this pilot proving out.

Validation

  • ksail workload validate --skip-helm-render — ✅ 490 files (local config), CR file visited
  • ksail --config ksail.prod.yaml workload validate --skip-helm-render — ✅ 490 files
  • kubectl kustomize k8s/clusters/local + k8s/clusters/prod — ✅ build, zero kind: Tenant rendered (both cluster renders unchanged vs baseline — the AC's behavior-preserving requirement)

Live pilot procedure (next step, needs a local cluster day)

  1. Add - tenant-ascoachingogvaner.yaml to k8s/providers/docker/apps/kustomization.yaml resources, ksail workload push && ksail workload reconcile.
  2. Verify KRO expands the Tenant: namespace/SA/RoleBinding/ExternalSecret/NetworkPolicy/OCIRepository/Kustomization + 3 external-dns bindings present and matching the skeleton (children ownership = KRO).
  3. Expected degraded state without seeded GHCR creds: ExternalSecret not synced, OCIRepository auth-failed, tenant Kustomization not-ready — the expansion itself is the pilot's proof.
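The prune-on-cutover risk flagged under "Decisions to steer" and the render-equality check under "Validation", as an added example that is not code from the PR or the repository: a small Python model of what Flux would prune when the skeleton leaves the apps Kustomization inventory, plus the prune-disabled annotation as the cutover protection the PR alludes to. Object names are constructed placeholders; `kustomize.toolkit.fluxcd.io/prune: disabled` is Flux's real annotation.

```python
"""Flux prune-risk check for a skeleton -> Tenant CR cutover (added example,
not the PR's or repository's code; all manifests below are constructed).
Models two checks from the PR: the render-equality acceptance criterion
(zero kind: Tenant, unchanged object set) and the prod risk that objects
leaving the apps Kustomization inventory are pruned by Flux before KRO
recreates them, unless they carry Flux's prune-disabled annotation."""
PRUNE_ANNOTATION = "kustomize.toolkit.fluxcd.io/prune"  # real Flux annotation

def obj(kind, namespace, name, annotations=None):
    """A rendered object reduced to the fields the checks need."""
    return {"kind": kind, "metadata": {"namespace": namespace, "name": name,
                                       "annotations": dict(annotations or {})}}

NS = "ascoachingogvaner"
# Constructed: today's skeleton render (names are placeholders, not the repo's).
SKELETON = [obj("Namespace", "", NS), obj("ServiceAccount", NS, NS),
            obj("RoleBinding", NS, NS + "-edit"), obj("ExternalSecret", NS, "ghcr-auth"),
            obj("NetworkPolicy", NS, "default-deny"), obj("OCIRepository", NS, NS),
            obj("Kustomization", NS, NS)]
# Constructed: render after swapping the skeleton for the Tenant instance.
CUTOVER = [obj("Tenant", "flux-system", NS)]

def key(o):
    """Inventory identity: kind, namespace, name (API group omitted for brevity)."""
    m = o["metadata"]
    return (o["kind"], m["namespace"], m["name"])

def render_unchanged(baseline, render):
    """PR acceptance criterion: same object set as baseline and no Tenant rendered."""
    same = {key(o) for o in baseline} == {key(o) for o in render}
    return same and not any(o["kind"] == "Tenant" for o in render)

def prune_risks(before, after):
    """Objects Flux would delete on cutover: they leave the inventory and are
    not marked prune-disabled. Sorted for stable output."""
    kept = {key(o) for o in after}
    return sorted(key(o) for o in before if key(o) not in kept
                  and o["metadata"]["annotations"].get(PRUNE_ANNOTATION) != "disabled")

def prune_protected(objects):
    """Mitigation sketch: annotate objects so Flux keeps them through the cutover."""
    return [obj(o["kind"], o["metadata"]["namespace"], o["metadata"]["name"],
                {**o["metadata"]["annotations"], PRUNE_ANNOTATION: "disabled"})
            for o in objects]

if __name__ == "__main__":
    print("PR as merged (CR unreferenced), render unchanged:", render_unchanged(SKELETON, SKELETON))
    print("naive prod cutover would prune:", prune_risks(SKELETON, CUTOVER))
    print("with prune protection:", prune_risks(prune_protected(SKELETON), CUTOVER))
```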

…ingogvaner Tenant CR

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

coderabbitai Bot commented Jul 2, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d346352d-cbf5-4f09-91b1-b2209ca113bd

📥 Commits

Reviewing files that changed from the base of the PR and between 13fd254 and a35a8b0.

📒 Files selected for processing (3)
  • docs/TENANTS.md
  • k8s/providers/docker/apps/kustomization.yaml
  • k8s/providers/docker/apps/tenant-ascoachingogvaner.yaml
💤 Files with no reviewable changes (1)
  • k8s/providers/docker/apps/tenant-ascoachingogvaner.yaml
✅ Files skipped from review due to trivial changes (2)
  • k8s/providers/docker/apps/kustomization.yaml
  • docs/TENANTS.md

📝 Walkthrough

Walkthrough

This PR pilots a typed KRO Tenant custom resource by adding an unreferenced tenant-ascoachingogvaner.yaml manifest to the docker provider apps, documenting opt-in usage, adding Tenant to validation.skipKinds in ksail.yaml and ksail.prod.yaml, and documenting the pilot in docs/TENANTS.md.

Changes

Tenant RGD pilot scaffolding

  • Tenant CR manifest and opt-in wiring (k8s/providers/docker/apps/tenant-ascoachingogvaner.yaml, k8s/providers/docker/apps/kustomization.yaml): adds a new unreferenced Tenant CR (kro.run/v1alpha1) for ascoachingogvaner in flux-system with externalDns: true, plus a documented opt-in comment block in the kustomization for local enablement.
  • Validation skipKinds updates (ksail.yaml, ksail.prod.yaml): adds Tenant to validation.skipKinds in both configs and extends comments explaining the runtime-generated CRD schema.
  • Tenant archetype documentation (docs/TENANTS.md): adds a Step 5 callout describing the Tenant archetype pilot, its RGD-based expansion, and its local-first scope.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Kustomization as docker apps kustomization
  participant TenantCR as Tenant CR (ascoachingogvaner)
  participant KRO as KRO controller
  participant RGD as Tenant ResourceGraphDefinition
  Kustomization->>TenantCR: reference (opt-in)
  TenantCR->>KRO: apply Tenant object
  KRO->>RGD: expand via typed spec
  RGD-->>KRO: control-plane and tenant-namespace resources

Related issues: #2388 (pilots the local-first Tenant migration for ascoachingogvaner as part of #1932 step 3)

Suggested labels: documentation, enhancement

Suggested reviewers: devantler

🐰 A tenant sprouts from typed decree,
KRO weaves namespaces silently,
Skipped in schemas, opt-in still,
Docker's pilot climbs the hill,
One CR to expand them all, quietly.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title clearly summarizes the pilot Tenant CR change and its opt-in local-first intent.
  • Description check: Passed. The description is directly about the Tenant RGD pilot, validation skips, and documentation updates.
  • Linked Issues check: Passed. The changes satisfy the linked issue by adding the opt-in Tenant CR, validation skips, and pilot documentation.
  • Out of Scope Changes check: Passed. The modified files and comments all align with the Tenant pilot scope and do not show unrelated changes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

…ing conventions

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/TENANTS.md`:
- Around line 139-149: The Tenant archetype note still points to the Docker
provider manifest path, which CI flags for a naming-convention violation. Update
the referenced path in the TENANTS docs to match the renamed manifest, and keep
the reference in sync with the actual tenant app manifest identifier so the docs
don’t point at a stale name.

In `@k8s/providers/docker/apps/ascoachingogvaner-tenant.yaml`:
- Around line 1-28: The filename for the Tenant manifest does not follow the
Kind-led naming convention expected by validate-naming.py. Rename the Tenant
resource file to a Kind-first form such as tenant-ascoachingogvaner.yaml, and
update any references to this manifest in kustomization.yaml and docs/TENANTS.md
so the opt-in documentation and include paths stay consistent.

In `@k8s/providers/docker/apps/kustomization.yaml`:
- Around line 32-38: The opt-in comment in the docker apps kustomization still
references the old tenant manifest name, so update it to match the renamed
tenant file once the Kind-led naming fix is applied. Adjust the comment near the
tenant RGD pilot entry so it points to the new manifest name instead of
ascoachingogvaner-tenant.yaml, keeping the guidance consistent with the
resources list and the referenced tenant manifest header.

In `@ksail.prod.yaml`:
- Around line 204-217: This change touches the protected production config in
ksail.prod.yaml by adding Tenant to skipKinds, so verify it is explicitly
approved by the prod config owner before keeping it. If the approval is not in
place, revert the ksail.prod.yaml edit and apply the Tenant skip only in the
non-protected/local validation config path used by ksail workload validate.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 863c880b-8bb8-4f86-9f25-a7f4981eeb4c

📥 Commits

Reviewing files that changed from the base of the PR and between 2ccb535 and 13fd254.

📒 Files selected for processing (5)
  • docs/TENANTS.md
  • k8s/providers/docker/apps/ascoachingogvaner-tenant.yaml
  • k8s/providers/docker/apps/kustomization.yaml
  • ksail.prod.yaml
  • ksail.yaml

@devantler devantler marked this pull request as ready for review July 2, 2026 15:48
@devantler devantler added this pull request to the merge queue Jul 2, 2026
Merged via the queue into main with commit a3982e7 Jul 2, 2026
15 checks passed
@devantler devantler deleted the claude/tenant-rgd-migrate-asc branch July 2, 2026 18:49
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 2, 2026

botantler-1 Bot commented Jul 2, 2026

Contributor

🎉 This PR is included in version 1.94.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Development

Successfully merging this pull request may close these issues.

Pilot the Tenant RGD local-first: opt-in ascoachingogvaner Tenant CR + validate wiring (#1932 step 3)