feat(tenants): wire the aws tenant to its signed OCI artifact#2481
Fixes #2325 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
📝 Walkthrough
This change adds Flux GitOps resources for a new "aws" tenant under the Hetzner provider apps directory. It introduces an OCIRepository manifest that polls a public OCI registry for semver-tagged manifests with cosign signature verification, and a Kustomization manifest that reconciles those manifests into the aws namespace using a dedicated service account, with pruning, waiting, and a reconcile-exclude annotation. The local kustomization.yaml resources list is updated to include both new files.
Sequence Diagram(s)
sequenceDiagram
participant Kustomization as aws Kustomization
participant OCIRepository as aws OCIRepository
participant Registry as ghcr.io/devantler-tech/aws
Kustomization->>OCIRepository: sourceRef aws
OCIRepository->>Registry: poll semver tag >=1.0.0
Registry-->>OCIRepository: return manifests artifact
OCIRepository-->>Kustomization: provide verified artifact
Kustomization->>Kustomization: apply/prune resources in aws namespace
Suggested labels: kubernetes, flux, hetzner, aws
Suggested reviewers: devantler
Caution: Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error)
✅ Passed checks (4 passed)
@coderabbitai review
✅ Action performed: Review finished.
🎉 This PR is included in version 1.100.0 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
Why
The devantler-tech/aws repo merged its scaffold and published its first signed manifests artifact (v1.0.0) tonight, but nothing on the platform consumes it yet — the aws namespace plumbing from #2412 has been waiting for exactly this artifact.
What
Adds the aws tenant's OCIRepository (cosign-verified, anonymous pull of the public artifact) and its namespace-scoped Flux Kustomization running as the tenant ServiceAccount, mirroring the github-config/unifi tenant pattern. The artifact is an empty scaffold today, so this reconciles benignly; tenant RBAC is deliberately deferred to the first activated managed-resource kinds (child issue #2326).
Fixes #2325
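What the walkthrough and the "What" section describe, sketched as the two Flux resources a reviewer would expect to find in the tenant directory. This is an added example, not the PR's own files: the registry path, the semver floor, the namespace and the verification provider come from the page; the interval, the `matchOIDCIdentity` issuer and subject patterns, the `path`, and the identity of the "reconcile-exclude annotation" are assumptions and are marked as such in the comments.

```yaml
# Added example (not the PR's own manifests). Values marked "assumed" are
# not on the page and must be checked against the actual repo.
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: aws
  namespace: aws
spec:
  interval: 10m                          # assumed polling interval
  url: oci://ghcr.io/devantler-tech/aws  # public artifact from the PR description
  ref:
    semver: ">=1.0.0"                    # floor from the walkthrough; every newer
                                         # tag that passes verification is pulled automatically
  # Public registry, anonymous pull: no secretRef for the registry.
  verify:
    provider: cosign
    # Keyless cosign: without matchOIDCIdentity, any Fulcio-issued identity
    # satisfies the check. Pinning the OIDC issuer and the signing workflow's
    # subject is what binds the semver range to one publisher. Both patterns
    # below are assumptions about where the upstream repo signs.
    matchOIDCIdentity:
      - issuer: "^https://token.actions.githubusercontent.com$"
        subject: "^https://github.com/devantler-tech/aws/\\.github/workflows/.*$"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: aws
  namespace: aws
  annotations:
    # The walkthrough's "reconcile-exclude annotation"; assumed to be Flux's
    # own opt-out annotation, which the parent Kustomization that applies this
    # file honours by skipping the object. Verify against the repo's convention.
    kustomize.toolkit.fluxcd.io/reconcile: disabled
spec:
  interval: 10m                          # assumed
  path: ./                               # assumed: manifests at the artifact root
  prune: true                            # objects dropped from the artifact are deleted
  wait: true                             # Ready only once the applied objects are healthy
  targetNamespace: aws
  serviceAccountName: aws                # tenant SA: applies use its RBAC, not the
                                         # kustomize-controller's cluster-wide rights
  sourceRef:
    kind: OCIRepository
    name: aws
```

Two things to check after applying this. First, `flux reconcile source oci aws -n aws` followed by `kubectl get ocirepository aws -n aws` should show the source Ready with the resolved v1.0.0 revision; a signature that does not match the pinned identity leaves the source not Ready and the Kustomization never sees the artifact, which is the intended failure mode. Second, because the artifact is an empty scaffold and the tenant ServiceAccount has no RBAC yet (deferred to #2326), the Kustomization reconciles with nothing to apply; the first managed-resource kind added upstream will surface as an RBAC denial on this ServiceAccount rather than being applied with controller privileges, so the `serviceAccountName` line is the part worth double-checking in review.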