feat(tenants): prune-protect the ascoachingogvaner skeleton for the KRO handover#2488

Draft
devantler wants to merge 2 commits into main from claude/tenant-skeleton-prune-protect

Conversation

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why

The upcoming skeleton→Tenant-CR swap (#1932 Phase B) removes the tenant's 10 control-plane objects from Flux's inventory, and Flux deletes de-inventoried objects — for the tenant namespace (live database) and the tenant's Flux Kustomization (finalizer GCs the whole app) that is data loss, not churn.

What

Annotates all 10 ascoachingogvaner skeleton objects with kustomize.toolkit.fluxcd.io/prune: disabled so the swap hands them to KRO in place with no deletes. Behavior-preserving today; both overlays validate clean. Full design + risk register on #1932.

Must be merged and reconciled on prod before Phase B starts.

Fixes #2486
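A rendered-output check for this change, added here as an example and not code from the platform repository: it scans the multi-document YAML that `kubectl kustomize` prints and reports which objects carry `kustomize.toolkit.fluxcd.io/prune: disabled` under top-level metadata, which are missing it, and which also carry it inside a pod template (the propagation side effect of `commonAnnotations`). The sample stream is constructed; the Deployment is not part of the skeleton and only exercises the template case.

```python
import re

PRUNE_KEY = "kustomize.toolkit.fluxcd.io/prune"
_LINE = re.compile(r"\s*(-\s+)?([^\s:]+):\s*(.*)$")  # "[- ]key: value"

# Constructed sample; the Deployment only exercises the pod-template case.
SAMPLE = """\
kind: Namespace
metadata:
  name: ascoachingogvaner
  annotations:
    kustomize.toolkit.fluxcd.io/prune: disabled
---
kind: RoleBinding
metadata:
  name: external-dns
---
kind: Deployment
metadata:
  name: web
  annotations:
    kustomize.toolkit.fluxcd.io/prune: disabled
spec:
  template:
    metadata:
      annotations:
        kustomize.toolkit.fluxcd.io/prune: disabled
"""

def audit(stream: str) -> dict:
    """Classify each document by where the prune annotation sits (line scan, no YAML lib)."""
    result = {"protected": [], "unprotected": [], "propagated": []}
    for doc in re.split(r"(?m)^---[ \t]*$", stream):
        if not doc.strip(): continue
        kind = name = None
        top_level = nested = False
        path = []  # stack of (indent, key): the mapping path to the current line
        for raw in doc.splitlines():
            m = _LINE.match(raw)
            if not m or raw.lstrip().startswith("#"): continue
            indent = len(raw) - len(raw.lstrip(" ")) + len(m.group(1) or "")
            key, value = m.group(2).strip("\"'"), m.group(3).strip("\"' ")
            while path and path[-1][0] >= indent: path.pop()
            keys = [k for _, k in path]
            if key == "kind" and not keys: kind = value
            elif key == "name" and keys == ["metadata"]: name = value
            elif key == PRUNE_KEY and value == "disabled":
                if keys == ["metadata", "annotations"]: top_level = True
                else: nested = True  # e.g. spec.template.metadata.annotations
            path.append((indent, key))
        ident = f"{kind}/{name}"
        result["protected" if top_level else "unprotected"].append(ident)
        if nested: result["propagated"].append(ident)
    return result
```

Feed it the real stream with `audit(subprocess.check_output(["kubectl", "kustomize", path], text=True))`; an empty `unprotected` list is the condition the description calls "validate clean".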

…RO handover

Phase A of the #1932 ownership-transition design: annotate all 10
skeleton objects with kustomize.toolkit.fluxcd.io/prune: disabled so the
later skeleton->Tenant-CR swap de-inventories them without Flux
garbage-collecting them (kro adopts in place via forced SSA). The tenant
Namespace holds the CNPG database and the tenant Kustomization's
finalizer would GC the whole app — delete-then-recreate is data loss,
so prune-protection must be live before the swap. No runtime behavior
change today.

Fixes #2486

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

coderabbitai Bot commented Jul 5, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 485163ea-f1ee-41af-a6ea-f54e5fa7a5df

📥 Commits

Reviewing files that changed from the base of the PR and between 7f23124 and 2b66aa1.

📒 Files selected for processing (1)
  • k8s/bases/apps/ascoachingogvaner/kustomization.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • devantler-tech/actions (auto-detected)
  • devantler-tech/aws (auto-detected)
  • devantler-tech/ksail (auto-detected)
  • devantler-tech/reusable-workflows (auto-detected)
  • devantler-tech/ascoachingogvaner (auto-detected)
  • devantler-tech/unifi (auto-detected)
  • devantler-tech/wedding-app (auto-detected)
  • devantler-tech/provider-upjet-unifi (auto-detected)
  • devantler-tech/agent-skills (auto-detected)
📜 Recent review details
⏰ Context from checks skipped due to timeout. (2)
  • GitHub Check: Analyze (actions)
  • GitHub Check: Analyze (python)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{yaml,yml}: Use Kustomize overlays rather than editing base resources directly; k8s/bases/ is immutable from overlays and changes should be made with patches: in provider or cluster overlays.
Keep manifest changes small and use YAML/schema validation before submitting a manifest PR; for files with cluster context, prefer ksail workload validate / kubectl kustomize / kubectl apply --dry-run=client as appropriate.

Files:

  • k8s/bases/apps/ascoachingogvaner/kustomization.yaml
k8s/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/**: Respect Flux dependency order: bootstrap → infrastructure-controllers → infrastructure → apps, with the prod-only infrastructure-overprovisioning layer hanging off infrastructure without gating apps.
Follow the hierarchical Kustomization flow: base configurations in k8s/bases/ feed provider overlays in k8s/providers/, which feed cluster overlays in k8s/clusters/.

Files:

  • k8s/bases/apps/ascoachingogvaner/kustomization.yaml
🧠 Learnings (1)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Timestamp: 2026-07-01T21:13:36.950Z
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app’s full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.

Applied to files:

  • k8s/bases/apps/ascoachingogvaner/kustomization.yaml
🔀 Multi-repo context devantler-tech/unifi, devantler-tech/ksail, devantler-tech/ascoachingogvaner

Linked repositories findings

devantler-tech/unifi

  • kustomization.yaml:18-22 — documents that commonAnnotations applies to every resource in the Kustomization, and uses it to pause all resources with crossplane.io/paused: "true". This is a close precedent for the PR’s commonAnnotations-based prune protection. [::devantler-tech/unifi::]

devantler-tech/ksail

  • No ascoachingogvaner references found in the repository search output. [::devantler-tech/ksail::]

devantler-tech/ascoachingogvaner

  • The repo root contains deploy/kustomization.yaml; the search output shows many tenant resources under deploy/ referencing ascoachingogvaner, but no other repository-level prune annotation usage was found in the sampled output. [::devantler-tech/ascoachingogvaner::]
🔇 Additional comments (1)
k8s/bases/apps/ascoachingogvaner/kustomization.yaml (1)

4-13: 🗄️ Data Integrity & Integration

No action needed. commonAnnotations covers all 10 direct resources in this kustomization, and there are no generators or nested overlays here.


📝 Walkthrough

Walkthrough

The Kustomization manifest at k8s/bases/apps/ascoachingogvaner/kustomization.yaml is updated to add a commonAnnotations entry setting kustomize.toolkit.fluxcd.io/prune: disabled, applied once at the Kustomization level. A comment is added explaining this is part of a Phase A skeleton-to-Tenant-CR handover, ensuring Flux does not garbage-collect objects when the KRO swap occurs.

Changes

Cohort / File(s): k8s/bases/apps/ascoachingogvaner/kustomization.yaml
Summary: Added commonAnnotations with kustomize.toolkit.fluxcd.io/prune: disabled and explanatory Phase A comment

Sequence Diagram(s)

Not applicable — this change is a configuration/annotation update with no observable runtime interaction flow.

Related issues: #2486 — Prune-protect the ascoachingogvaner tenant skeleton ahead of the KRO ownership swap (Phase A of #1932).

Suggested labels: kubernetes, kustomize, flux, phase-a

Suggested reviewers: devantler

Poem:
A rabbit hops through YAML fields so neat,
Adding a shield so nothing's deleted,
"Prune: disabled" — a phase-one feat,
Namespace and Kustomization, both protected,
Hop, hop, hooray, the handover's complete! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title clearly summarizes the prune-protection change for the ascoachingogvaner tenant skeleton.
  • Description check: Passed. The description is directly related to the skeleton prune-protection update and its Phase B handover context.
  • Linked Issues check: Passed. The kustomization-level commonAnnotations should apply prune disabling to all rendered skeleton objects, matching #2486's requirement.
  • Out of Scope Changes check: Passed. The change stays within the requested tenant-skeleton prune-protection work and adds no clear unrelated modifications.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@k8s/bases/apps/ascoachingogvaner/namespace.yaml`:
- Around line 4-9: The transitional `kustomize.toolkit.fluxcd.io/prune:
disabled` annotation and its comment are duplicated across the skeleton
manifests; move this temporary setting to `commonAnnotations` in the base
`kustomization.yaml` so `namespace.yaml` and the other skeleton resources don’t
each carry copy-pasted drift-prone text. Keep the rollout scoped to the relevant
kustomization base, and verify in the `kustomization.yaml` flow that applying
`commonAnnotations` won’t unintentionally affect workload pod templates before
removing the per-manifest annotation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5f0f04ef-9409-4ee6-b9c1-9c7a5ceb5fc8

📥 Commits

Reviewing files that changed from the base of the PR and between dda1256 and 7f23124.

📒 Files selected for processing (10)
  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Analyze (python)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{yaml,yml}: Use Kustomize overlays rather than editing base resources directly; k8s/bases/ is immutable from overlays and changes should be made with patches: in provider or cluster overlays.
Keep manifest changes small and use YAML/schema validation before submitting a manifest PR; for files with cluster context, prefer ksail workload validate / kubectl kustomize / kubectl apply --dry-run=client as appropriate.

Files:

  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
k8s/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/**: Respect Flux dependency order: bootstrap → infrastructure-controllers → infrastructure → apps, with the prod-only infrastructure-overprovisioning layer hanging off infrastructure without gating apps.
Follow the hierarchical Kustomization flow: base configurations in k8s/bases/ feed provider overlays in k8s/providers/, which feed cluster overlays in k8s/clusters/.

Files:

  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
🧠 Learnings (2)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Timestamp: 2026-07-01T21:13:36.950Z
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app’s full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.

Applied to files:

  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
📚 Learning: 2026-07-03T03:44:11.507Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2399
File: k8s/bases/apps/ascoachingogvaner/oci-repository.yaml:25-26
Timestamp: 2026-07-03T03:44:11.507Z
Learning: In Flux `OCIRepository` manifests under `k8s/bases/**/oci-repository.yaml`, keep the existing house convention for `spec.serviceAccountRef.verify.matchOIDCIdentity` subject regexes to use an `@.+` ref suffix (i.e., match any ref) rather than tightening it to a specific SHA/tag pattern.

If a PR adds a transitional dual-subject entry for an ongoing migration (e.g., moving from `devantler-tech/reusable-workflows` to `devantler-tech/actions`), do not request tightening the ref matcher in that PR. Defer any ref-matcher tightening to a separate, focused follow-up PR that consistently tightens `matchOIDCIdentity` subject rules once each file returns to a single subject after migration cleanup.

Applied to files:

  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
🔇 Additional comments (10)
k8s/bases/apps/ascoachingogvaner/namespace.yaml (1)

4-9: LGTM!

k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml (1)

9-13: LGTM!

k8s/bases/apps/ascoachingogvaner/network-policy.yaml (1)

11-16: LGTM!

k8s/bases/apps/ascoachingogvaner/external-secret.yaml (1)

16-21: LGTM!

k8s/bases/apps/ascoachingogvaner/oci-repository.yaml (1)

5-10: LGTM!

k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml (1)

6-11: LGTM!

k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml (1)

4-9: LGTM!

k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml (1)

7-12: LGTM!

k8s/bases/apps/ascoachingogvaner/service-account.yaml (1)

4-9: LGTM!

k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml (1)

8-18: 🎯 Functional Correctness

This is a single-document file; the lone RoleBinding already has prune: disabled.

> Likely an incorrect or invalid review comment.

Comment thread k8s/bases/apps/ascoachingogvaner/namespace.yaml Outdated
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to 🏃🏻‍♂️ In Progress in 🌊 Project Board Jul 5, 2026
Per CodeRabbit review: one commonAnnotations block instead of 10
per-file annotations — same rendered output (verified identical
annotated object set), auto-covers any file added before Phase B, and
none of these resources carries a pod template so the propagation
caveat is void.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>