feat(tenants): pilot the Tenant RGD local-first via an opt-in ascoachingogvaner Tenant CR #2389
…ingogvaner Tenant CR
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
No actionable comments were generated in the recent review. 🎉
Walkthrough
This PR pilots a typed KRO
Changes
Tenant RGD pilot scaffolding
Estimated code review effort: 2 (Simple) | ~10 minutes
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Kustomization as docker apps kustomization
    participant TenantCR as Tenant CR (ascoachingogvaner)
    participant KRO as KRO controller
    participant RGD as Tenant ResourceGraphDefinition
    Kustomization->>TenantCR: reference (opt-in)
    TenantCR->>KRO: apply Tenant object
    KRO->>RGD: expand via typed spec
    RGD-->>KRO: control-plane and tenant-namespace resources
```
Suggested labels: documentation, enhancement
Suggested reviewers: devantler
Pre-merge checks: ✅ 5 passed
…ing conventions
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/TENANTS.md`:
- Around line 139-149: The Tenant archetype note still points to the Docker
provider manifest path, which CI flags for a naming-convention violation. Update
the referenced path in the TENANTS docs to match the renamed manifest, and keep
the reference in sync with the actual tenant app manifest identifier so the docs
don’t point at a stale name.
In `@k8s/providers/docker/apps/ascoachingogvaner-tenant.yaml`:
- Around line 1-28: The filename for the Tenant manifest does not follow the
Kind-led naming convention expected by validate-naming.py. Rename the Tenant
resource file to a Kind-first form such as tenant-ascoachingogvaner.yaml, and
update any references to this manifest in kustomization.yaml and docs/TENANTS.md
so the opt-in documentation and include paths stay consistent.
In `@k8s/providers/docker/apps/kustomization.yaml`:
- Around line 32-38: The opt-in comment in the docker apps kustomization still
references the old tenant manifest name, so update it to match the renamed
tenant file once the Kind-led naming fix is applied. Adjust the comment near the
tenant RGD pilot entry so it points to the new manifest name instead of
ascoachingogvaner-tenant.yaml, keeping the guidance consistent with the
resources list and the referenced tenant manifest header.
In `@ksail.prod.yaml`:
- Around line 204-217: This change touches the protected production config in
ksail.prod.yaml by adding Tenant to skipKinds, so verify it is explicitly
approved by the prod config owner before keeping it. If the approval is not in
place, revert the ksail.prod.yaml edit and apply the Tenant skip only in the
non-protected/local validation config path used by ksail workload validate.
Review info
Run ID: 863c880b-8bb8-4f86-9f25-a7f4981eeb4c
Files selected for processing (5):
- docs/TENANTS.md
- k8s/providers/docker/apps/ascoachingogvaner-tenant.yaml
- k8s/providers/docker/apps/kustomization.yaml
- ksail.prod.yaml
- ksail.yaml
🎉 This PR is included in version 1.94.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Fixes #2388. Part of #1932 (its last open acceptance criterion: one tenant migrated as a local-first pilot, behavior-preserving). The Tenant RGD (#2197) has never been instantiated; this makes the live local pilot a one-line opt-in while keeping both cluster renders bit-identical.
What
- `k8s/providers/docker/apps/tenant-ascoachingogvaner.yaml` — the typed `Tenant` CR (`externalDns: true`). ascoachingogvaner's 10-file skeleton maps 1:1 onto the RGD output (namespace w/ restricted PSS, `edit`-impersonated SA + RoleBinding, ghcr-auth ExternalSecret, default-deny NetworkPolicy, cosign-verified OCIRepository, impersonating Kustomization, 3× tenant-external-dns bindings). Unreferenced by default per the local-apps opt-in convention — enabling it is one `resources:` line, documented in the kustomization header.
- `ksail.yaml` + `ksail.prod.yaml` — `Tenant` added to `validation.skipKinds`: the CRD is KRO-runtime-generated from the RGD, so no static catalog schema exists (Coroot/Flagger precedent). Required now, not speculatively: `ksail workload validate` schema-checks unreferenced files standalone, so the CR file is visited in both configs.
- `docs/TENANTS.md` — §5 note that the manual multi-file copy is being replaced by the `Tenant` archetype, pilot status + pointer.
Decisions to steer (flagged)
- `apps` layer permanently not-ready (ghcr-auth can't sync without locally-seeded OpenBao credentials → OCIRepository never pulls → `wait: true` fails).
- `flux-system`: KRO v1alpha1 generates namespace-scoped instance CRDs; children still land in the tenant namespace via the RGD's explicit namespace templating.
- `apps` Kustomization inventory → Flux prune would delete the tenant namespace on prod (workloads + PVCs) before KRO recreates it. The prod ownership transition needs its own design (e.g. prune-protection during cutover), gated on this pilot proving out.
Validation
- `ksail workload validate --skip-helm-render` — ✅ 490 files (local config), CR file visited
- `ksail --config ksail.prod.yaml workload validate --skip-helm-render` — ✅ 490 files
- `kubectl kustomize k8s/clusters/local` + `k8s/clusters/prod` — ✅ build, zero `kind: Tenant` rendered (both cluster renders unchanged vs baseline — the AC's behavior-preserving requirement)
Live pilot procedure (next step, needs a local cluster day)
- `tenant-ascoachingogvaner.yaml` to `k8s/providers/docker/apps/kustomization.yaml` `resources`, `ksail workload push && ksail workload reconcile`.
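Added example, not part of the PR above and not the project's code: a stdlib-only Python check for the two properties the description leans on, that a rendered tenant still carries the guardrails the hand-written skeleton had (restricted PSS on the namespace, default-deny NetworkPolicy, SA bound to `edit` through a RoleBinding rather than a ClusterRoleBinding, cosign-verified OCIRepository, Flux Kustomization impersonating a tenant SA) and that no `kind: Tenant` object leaks into a cluster render. The input is the `{"kind": "List", "items": [...]}` shape that `kubectl get -o json` emits. The object names (`flux`, `flux-edit`, `default-deny`, `app`), the `kro.run/v1alpha1` group for the Tenant instance and the Flux API versions are assumptions; the sample render is constructed, not taken from the repository.

```python
# Added example, not the project's code: check that a rendered tenant keeps the
# guardrails the PR description lists for the ascoachingogvaner skeleton, and
# that no `kind: Tenant` object leaks into a cluster render. Input is the
# {"kind": "List", "items": [...]} shape `kubectl get -o json` produces.
# Object names, the kro.run group and the Flux API versions are assumptions.
import json

TENANT = "ascoachingogvaner"

# Constructed sample of what the RGD is expected to expand to (names assumed).
SAMPLE_RENDER = json.loads("""{"kind": "List", "items": [
 {"apiVersion": "v1", "kind": "Namespace",
  "metadata": {"name": "ascoachingogvaner",
   "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
 {"apiVersion": "v1", "kind": "ServiceAccount",
  "metadata": {"name": "flux", "namespace": "ascoachingogvaner"}},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "flux-edit", "namespace": "ascoachingogvaner"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "ServiceAccount", "name": "flux", "namespace": "ascoachingogvaner"}]},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "default-deny", "namespace": "ascoachingogvaner"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
 {"apiVersion": "source.toolkit.fluxcd.io/v1beta2", "kind": "OCIRepository",
  "metadata": {"name": "app", "namespace": "ascoachingogvaner"},
  "spec": {"url": "oci://ghcr.io/example/app", "interval": "10m",
   "ref": {"tag": "latest"}, "verify": {"provider": "cosign"}}},
 {"apiVersion": "kustomize.toolkit.fluxcd.io/v1", "kind": "Kustomization",
  "metadata": {"name": "app", "namespace": "ascoachingogvaner"},
  "spec": {"interval": "10m", "prune": true, "path": "./", "serviceAccountName": "flux",
   "sourceRef": {"kind": "OCIRepository", "name": "app"}}}
]}""")


def _kind(items, kind, ns=None):
    return [o for o in items if o.get("kind") == kind
            and (ns is None or o.get("metadata", {}).get("namespace") == ns)]


def check_tenant_render(render, tenant=TENANT):
    """Return the list of violated invariants; an empty list means the render is clean."""
    items = render.get("items", [])
    problems = []

    # KRO expands the Tenant CR at runtime; kustomize must never emit one.
    if _kind(items, "Tenant"):
        problems.append("kind: Tenant rendered")

    # The namespace exists and enforces the restricted Pod Security Standard.
    ns = [o for o in _kind(items, "Namespace") if o["metadata"]["name"] == tenant]
    enforce = ns[0]["metadata"].get("labels", {}).get(
        "pod-security.kubernetes.io/enforce") if ns else None
    if enforce != "restricted":
        problems.append(f"namespace: pod-security enforce is {enforce!r}, want 'restricted'")

    # Default deny in both directions: empty podSelector, Ingress+Egress, no allow rules.
    if not any(p.get("spec", {}).get("podSelector") == {}
               and set(p["spec"].get("policyTypes", [])) == {"Ingress", "Egress"}
               and not p["spec"].get("ingress") and not p["spec"].get("egress")
               for p in _kind(items, "NetworkPolicy", tenant)):
        problems.append("networkpolicy: no default-deny policy covering Ingress and Egress")

    # The tenant SA gets the namespaced `edit` ClusterRole through a RoleBinding only;
    # a ClusterRoleBinding naming a tenant SA would escape the namespace boundary.
    sas = {o["metadata"]["name"] for o in _kind(items, "ServiceAccount", tenant)}
    edit_bound = {s["name"] for rb in _kind(items, "RoleBinding", tenant)
                  if rb.get("roleRef", {}).get("name") == "edit"
                  for s in rb.get("subjects", []) if s.get("kind") == "ServiceAccount"}
    if not sas & edit_bound:
        problems.append("rbac: no tenant ServiceAccount bound to ClusterRole edit by a RoleBinding")
    for crb in _kind(items, "ClusterRoleBinding"):
        for s in crb.get("subjects", []):
            if s.get("kind") == "ServiceAccount" and s.get("namespace") == tenant:
                problems.append(f"rbac: ClusterRoleBinding {crb['metadata']['name']} "
                                f"grants cluster scope to tenant SA {s['name']}")

    # Sources must be cosign-verified, and the Flux Kustomization must impersonate a
    # tenant SA instead of applying with the kustomize-controller's own credentials.
    for repo in _kind(items, "OCIRepository", tenant):
        if repo.get("spec", {}).get("verify", {}).get("provider") != "cosign":
            problems.append(f"ocirepository {repo['metadata']['name']}: cosign verification not enabled")
    for ks in _kind(items, "Kustomization", tenant):
        if ks.get("spec", {}).get("serviceAccountName") not in sas:
            problems.append(f"kustomization {ks['metadata']['name']}: serviceAccountName is not a tenant SA")
    return problems


def weakened(render):
    """Constructed regression: PSS relaxed to baseline and egress no longer denied."""
    bad = json.loads(json.dumps(render))
    for o in bad["items"]:
        if o["kind"] == "Namespace":
            o["metadata"]["labels"]["pod-security.kubernetes.io/enforce"] = "baseline"
        if o["kind"] == "NetworkPolicy":
            o["spec"]["policyTypes"] = ["Ingress"]
    return bad


def leaked_tenant_cr(render):
    """Constructed regression: a Tenant instance (assumed kro.run group) left in the render."""
    bad = json.loads(json.dumps(render))
    bad["items"].append({"apiVersion": "kro.run/v1alpha1", "kind": "Tenant",
                         "metadata": {"name": TENANT, "namespace": "flux-system"}})
    return bad


if __name__ == "__main__":
    for label, render in (("sample", SAMPLE_RENDER), ("weakened", weakened(SAMPLE_RENDER))):
        print(label, check_tenant_render(render) or "OK")
```

The checks are deliberately structural rather than name-based: a default-deny policy is recognised by an empty `podSelector` with both policy types and no allow rules, and the impersonation check passes only if the Kustomization's `serviceAccountName` is a ServiceAccount actually rendered in the tenant namespace, so a policy that merely happens to be called `default-deny`, or a Kustomization pointing at an SA in another namespace, is reported. Once the live pilot is up, the same function can be fed a `kubectl get ... -o json` List of the tenant's objects plus its Namespace to compare the KRO-expanded result against the hand-written skeleton.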