feat(tenants): prune-protect the ascoachingogvaner skeleton for the KRO handover #2488
devantler wants to merge 2 commits into
…RO handover Phase A of the #1932 ownership-transition design: annotate all 10 skeleton objects with kustomize.toolkit.fluxcd.io/prune: disabled so the later skeleton->Tenant-CR swap de-inventories them without Flux garbage-collecting them (kro adopts in place via forced SSA). The tenant Namespace holds the CNPG database and the tenant Kustomization's finalizer would GC the whole app — delete-then-recreate is data loss, so prune-protection must be live before the swap. No runtime behavior change today. Fixes #2486 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
No actionable comments were generated in the recent review.
| Cohort / File(s) | Summary |
|---|---|
| k8s/bases/apps/ascoachingogvaner/kustomization.yaml | Added commonAnnotations with kustomize.toolkit.fluxcd.io/prune: disabled and explanatory Phase A comment |
Sequence Diagram(s)
Not applicable — this change is a configuration/annotation update with no observable runtime interaction flow.
Related issues: #2486 — Prune-protect the ascoachingogvaner tenant skeleton ahead of the KRO ownership swap (Phase A of #1932).
Suggested labels: kubernetes, kustomize, flux, phase-a
Suggested reviewers: devantler
✅ Pre-merge checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the prune-protection change for the ascoachingogvaner tenant skeleton. |
| Description check | ✅ Passed | The description is directly related to the skeleton prune-protection update and its Phase B handover context. |
| Linked Issues check | ✅ Passed | The kustomization-level commonAnnotations should apply prune disabling to all rendered skeleton objects, matching #2486's requirement. |
| Out of Scope Changes check | ✅ Passed | The change stays within the requested tenant-skeleton prune-protection work and adds no clear unrelated modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
Actionable comments posted: 1
Inline comments:
In `@k8s/bases/apps/ascoachingogvaner/namespace.yaml`:
- Around lines 4-9: The transitional `kustomize.toolkit.fluxcd.io/prune: disabled` annotation and its comment are duplicated across the skeleton manifests; move this temporary setting to `commonAnnotations` in the base `kustomization.yaml` so `namespace.yaml` and the other skeleton resources don't each carry copy-pasted, drift-prone text. Keep the rollout scoped to the relevant kustomization base, and verify in the `kustomization.yaml` flow that applying `commonAnnotations` won't unintentionally affect workload pod templates before removing the per-manifest annotation.
📒 Files selected for processing (10)
- k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
- k8s/bases/apps/ascoachingogvaner/external-secret.yaml
- k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
- k8s/bases/apps/ascoachingogvaner/namespace.yaml
- k8s/bases/apps/ascoachingogvaner/network-policy.yaml
- k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
- k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
- k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
- k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
- k8s/bases/apps/ascoachingogvaner/service-account.yaml
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{yaml,yml} (CodeRabbit inference engine, AGENTS.md):
- Use Kustomize overlays rather than editing base resources directly; `k8s/bases/` is immutable from overlays and changes should be made with `patches:` in provider or cluster overlays.
- Keep manifest changes small and use YAML/schema validation before submitting a manifest PR; for files with cluster context, prefer `ksail workload validate`, `kubectl kustomize` or `kubectl apply --dry-run=client` as appropriate.
Files: the 10 ascoachingogvaner skeleton manifests listed above.
k8s/** (CodeRabbit inference engine, AGENTS.md):
- Respect Flux dependency order: bootstrap → infrastructure-controllers → infrastructure → apps, with the prod-only `infrastructure-overprovisioning` layer hanging off `infrastructure` without gating `apps`.
- Follow the hierarchical Kustomization flow: base configurations in `k8s/bases/` feed provider overlays in `k8s/providers/`, which feed cluster overlays in `k8s/clusters/`.
Files: the 10 ascoachingogvaner skeleton manifests listed above.
🧠 Learnings (2)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app's full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.
Applied to files: the 10 ascoachingogvaner skeleton manifests listed above.
📚 Learning: 2026-07-03T03:44:11.507Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2399
File: k8s/bases/apps/ascoachingogvaner/oci-repository.yaml:25-26
Learning: In Flux `OCIRepository` manifests under `k8s/bases/**/oci-repository.yaml`, keep the existing house convention for `spec.serviceAccountRef.verify.matchOIDCIdentity` subject regexes to use an `@.+` ref suffix (i.e., match any ref) rather than tightening it to a specific SHA/tag pattern. If a PR adds a transitional dual-subject entry for an ongoing migration (e.g., moving from `devantler-tech/reusable-workflows` to `devantler-tech/actions`), do not request tightening the ref matcher in that PR. Defer any ref-matcher tightening to a separate, focused follow-up PR that consistently tightens `matchOIDCIdentity` subject rules once each file returns to a single subject after migration cleanup.
Applied to files: k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
🔇 Additional comments (10)
- k8s/bases/apps/ascoachingogvaner/namespace.yaml, lines 4-9: LGTM!
- k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml, lines 9-13: LGTM!
- k8s/bases/apps/ascoachingogvaner/network-policy.yaml, lines 11-16: LGTM!
- k8s/bases/apps/ascoachingogvaner/external-secret.yaml, lines 16-21: LGTM!
- k8s/bases/apps/ascoachingogvaner/oci-repository.yaml, lines 5-10: LGTM!
- k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml, lines 6-11: LGTM!
- k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml, lines 4-9: LGTM!
- k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml, lines 7-12: LGTM!
- k8s/bases/apps/ascoachingogvaner/service-account.yaml, lines 4-9: LGTM!
- k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml, lines 8-18: 🎯 Functional Correctness: This is a single-document file; the lone RoleBinding already has `prune: disabled`.
  > Likely an incorrect or invalid review comment.
Per CodeRabbit review: one commonAnnotations block instead of 10 per-file annotations — same rendered output (verified identical annotated object set), auto-covers any file added before Phase B, and none of these resources carries a pod template so the propagation caveat is void. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Why
The upcoming skeleton→Tenant-CR swap (#1932 Phase B) removes the tenant's 10 control-plane objects from Flux's inventory, and Flux deletes de-inventoried objects — for the tenant namespace (live database) and the tenant's Flux Kustomization (finalizer GCs the whole app) that is data loss, not churn.
What
Annotates all 10 ascoachingogvaner skeleton objects with `kustomize.toolkit.fluxcd.io/prune: disabled` so the swap hands them to KRO in place with no deletes. Behavior-preserving today; both overlays validate clean. Full design + risk register on #1932. Must be merged and reconciled on prod before Phase B starts.
Fixes #2486
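As an added illustration (not the repository's own files) of the two shapes this PR moved between, here is the per-manifest form the review flagged as drift-prone, beside the single `commonAnnotations` form the PR ended up with. The resource file names are the 10 skeleton manifests listed in this PR; the namespace name and the comment wording are assumptions.

```yaml
# Added example, not the repo's own manifest. Before: the same annotation and
# comment copy-pasted into each of the 10 skeleton files (namespace.yaml shown;
# the namespace name is assumed).
apiVersion: v1
kind: Namespace
metadata:
  name: ascoachingogvaner
  annotations:
    # Phase A (#1932): keep this object when it leaves Flux's inventory
    kustomize.toolkit.fluxcd.io/prune: disabled
---
# Added example, not the repo's own kustomization.yaml. After: one
# commonAnnotations block that kustomize stamps onto every rendered object,
# so a file added before Phase B is covered automatically.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Phase A (#1932): Flux's kustomize-controller skips garbage collection of any
# object carrying this annotation, so when the skeleton -> Tenant-CR swap drops
# these objects from the inventory they stay in the cluster for kro to adopt
# in place instead of being deleted and recreated (data loss for the namespace
# that holds the CNPG database, and for the Flux Kustomization whose finalizer
# would GC the whole app). Remove once kro owns the objects.
#
# Caveat: commonAnnotations also lands on spec.template.metadata.annotations of
# workload kinds (Deployment, StatefulSet, Job, ...), which would roll their
# pods. That is safe here only because none of these 10 objects has a pod
# template; re-check before adding a workload to this list.
commonAnnotations:
  kustomize.toolkit.fluxcd.io/prune: disabled

resources:
  - namespace.yaml
  - service-account.yaml
  - cluster-role-binding.yaml
  - role-binding-ascoachingogvaner.yaml
  - role-binding-external-dns.yaml
  - role-binding-external-dns-kube-system.yaml
  - network-policy.yaml
  - external-secret.yaml
  - oci-repository.yaml
  - flux-kustomization.yaml
```

To confirm the two forms render identically, run `kubectl kustomize k8s/bases/apps/ascoachingogvaner` before and after the change and diff the output: every rendered object should carry exactly one `kustomize.toolkit.fluxcd.io/prune: disabled` line under `metadata.annotations`, and no `spec.template` should have gained one. Flux honours the annotation on the live object, which is why the PR requires the change to be merged and reconciled on prod before the Phase B swap removes the objects from the inventory.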