
feat(tenants): prune-protect the ascoachingogvaner skeleton for the KRO handover#2488

Merged: devantler merged 2 commits into main from claude/tenant-skeleton-prune-protect on Jul 5, 2026

Conversation

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why

The upcoming skeleton→Tenant-CR swap (#1932 Phase B) removes the tenant's 10 control-plane objects from Flux's inventory, and Flux deletes de-inventoried objects — for the tenant namespace (live database) and the tenant's Flux Kustomization (finalizer GCs the whole app) that is data loss, not churn.

What

Annotates all 10 ascoachingogvaner skeleton objects with kustomize.toolkit.fluxcd.io/prune: disabled so the swap hands them to KRO in place with no deletes. Behavior-preserving today; both overlays validate clean. Full design + risk register on #1932.

Must be merged and reconciled on prod before Phase B starts.

Fixes #2486

…RO handover

Phase A of the #1932 ownership-transition design: annotate all 10
skeleton objects with kustomize.toolkit.fluxcd.io/prune: disabled so the
later skeleton->Tenant-CR swap de-inventories them without Flux
garbage-collecting them (kro adopts in place via forced SSA). The tenant
Namespace holds the CNPG database and the tenant Kustomization's
finalizer would GC the whole app — delete-then-recreate is data loss,
so prune-protection must be live before the swap. No runtime behavior
change today.

Fixes #2486

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 5, 2026



📝 Walkthrough

The Kustomization manifest at k8s/bases/apps/ascoachingogvaner/kustomization.yaml is updated to add a commonAnnotations entry setting kustomize.toolkit.fluxcd.io/prune: disabled, applied once at the Kustomization level. A comment is added explaining this is part of a Phase A skeleton-to-Tenant-CR handover, ensuring Flux does not garbage-collect objects when the KRO swap occurs.

Changes

Cohort / File(s): k8s/bases/apps/ascoachingogvaner/kustomization.yaml
Summary: Added commonAnnotations with kustomize.toolkit.fluxcd.io/prune: disabled and explanatory Phase A comment

Sequence Diagram(s)

Not applicable — this change is a configuration/annotation update with no observable runtime interaction flow.

Related issues: #2486 — Prune-protect the ascoachingogvaner tenant skeleton ahead of the KRO ownership swap (Phase A of #1932).

Suggested labels: kubernetes, kustomize, flux, phase-a

Suggested reviewers: devantler

Poem:
A rabbit hops through YAML fields so neat,
Adding a shield so nothing's deleted,
"Prune: disabled" — a phase-one feat,
Namespace and Kustomization, both protected,
Hop, hop, hooray, the handover's complete! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Linked Issues check | ✅ Passed | The kustomization-level commonAnnotations should apply prune disabling to all rendered skeleton objects, matching #2486's requirement.
Out of Scope Changes check | ✅ Passed | The change stays within the requested tenant-skeleton prune-protection work and adds no clear unrelated modifications.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check | ✅ Passed | The title clearly describes the prune-protection change for the ascoachingogvaner skeleton during the KRO handover.
Description check | ✅ Passed | The description is directly about disabling Flux prune for the ascoachingogvaner skeleton to avoid deletes during the swap.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@k8s/bases/apps/ascoachingogvaner/namespace.yaml`:
- Around line 4-9: The transitional `kustomize.toolkit.fluxcd.io/prune:
disabled` annotation and its comment are duplicated across the skeleton
manifests; move this temporary setting to `commonAnnotations` in the base
`kustomization.yaml` so `namespace.yaml` and the other skeleton resources don’t
each carry copy-pasted drift-prone text. Keep the rollout scoped to the relevant
kustomization base, and verify in the `kustomization.yaml` flow that applying
`commonAnnotations` won’t unintentionally affect workload pod templates before
removing the per-manifest annotation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5f0f04ef-9409-4ee6-b9c1-9c7a5ceb5fc8

📥 Commits

Reviewing files that changed from the base of the PR and between dda1256 and 7f23124.

📒 Files selected for processing (10)
  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • devantler-tech/actions (auto-detected)
  • devantler-tech/aws (auto-detected)
  • devantler-tech/ksail (auto-detected)
  • devantler-tech/reusable-workflows (auto-detected)
  • devantler-tech/ascoachingogvaner (auto-detected)
  • devantler-tech/unifi (auto-detected)
  • devantler-tech/wedding-app (auto-detected)
  • devantler-tech/provider-upjet-unifi (auto-detected)
  • devantler-tech/agent-skills (auto-detected)
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Analyze (python)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{yaml,yml}: Use Kustomize overlays rather than editing base resources directly; k8s/bases/ is immutable from overlays and changes should be made with patches: in provider or cluster overlays.
Keep manifest changes small and use YAML/schema validation before submitting a manifest PR; for files with cluster context, prefer ksail workload validate / kubectl kustomize / kubectl apply --dry-run=client as appropriate.

Files:

  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
k8s/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/**: Respect Flux dependency order: bootstrap → infrastructure-controllers → infrastructure → apps, with the prod-only infrastructure-overprovisioning layer hanging off infrastructure without gating apps.
Follow the hierarchical Kustomization flow: base configurations in k8s/bases/ feed provider overlays in k8s/providers/, which feed cluster overlays in k8s/clusters/.

Files:

  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
🧠 Learnings (2)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Timestamp: 2026-07-01T21:13:36.950Z
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app’s full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.

Applied to files:

  • k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml
  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
  • k8s/bases/apps/ascoachingogvaner/network-policy.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml
  • k8s/bases/apps/ascoachingogvaner/external-secret.yaml
  • k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml
  • k8s/bases/apps/ascoachingogvaner/namespace.yaml
  • k8s/bases/apps/ascoachingogvaner/service-account.yaml
  • k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml
📚 Learning: 2026-07-03T03:44:11.507Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2399
File: k8s/bases/apps/ascoachingogvaner/oci-repository.yaml:25-26
Timestamp: 2026-07-03T03:44:11.507Z
Learning: In Flux `OCIRepository` manifests under `k8s/bases/**/oci-repository.yaml`, keep the existing house convention for `spec.serviceAccountRef.verify.matchOIDCIdentity` subject regexes to use an `@.+` ref suffix (i.e., match any ref) rather than tightening it to a specific SHA/tag pattern.

If a PR adds a transitional dual-subject entry for an ongoing migration (e.g., moving from `devantler-tech/reusable-workflows` to `devantler-tech/actions`), do not request tightening the ref matcher in that PR. Defer any ref-matcher tightening to a separate, focused follow-up PR that consistently tightens `matchOIDCIdentity` subject rules once each file returns to a single subject after migration cleanup.

Applied to files:

  • k8s/bases/apps/ascoachingogvaner/oci-repository.yaml
🔇 Additional comments (10)
k8s/bases/apps/ascoachingogvaner/namespace.yaml (1)

4-9: LGTM!

k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml (1)

9-13: LGTM!

k8s/bases/apps/ascoachingogvaner/network-policy.yaml (1)

11-16: LGTM!

k8s/bases/apps/ascoachingogvaner/external-secret.yaml (1)

16-21: LGTM!

k8s/bases/apps/ascoachingogvaner/oci-repository.yaml (1)

5-10: LGTM!

k8s/bases/apps/ascoachingogvaner/cluster-role-binding.yaml (1)

6-11: LGTM!

k8s/bases/apps/ascoachingogvaner/role-binding-ascoachingogvaner.yaml (1)

4-9: LGTM!

k8s/bases/apps/ascoachingogvaner/role-binding-external-dns-kube-system.yaml (1)

7-12: LGTM!

k8s/bases/apps/ascoachingogvaner/service-account.yaml (1)

4-9: LGTM!

k8s/bases/apps/ascoachingogvaner/role-binding-external-dns.yaml (1)

8-18: 🎯 Functional Correctness

This is a single-document file; the lone RoleBinding already has prune: disabled.

> Likely an incorrect or invalid review comment.

Comment thread k8s/bases/apps/ascoachingogvaner/namespace.yaml Outdated
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to 🏃🏻‍♂️ In Progress in 🌊 Project Board Jul 5, 2026
Per CodeRabbit review: one commonAnnotations block instead of 10
per-file annotations — same rendered output (verified identical
annotated object set), auto-covers any file added before Phase B, and
none of these resources carries a pod template so the propagation
caveat is void.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
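The two checks the PR relies on, the "verified identical annotated object set" from the second commit and the commonAnnotations pod-template propagation caveat raised in review, as an added example that is not part of the PR or the platform repo: a POSIX shell/awk filter run over `kubectl kustomize` output. The object names are the page's; the sample manifests are constructed, and the layout assumption (2-space kustomize output) is mine.

```shell
#!/bin/sh
# Added example (not part of the PR): assert that every object rendered by
# `kubectl kustomize <dir>` carries the Flux prune-disabled annotation in its
# own metadata, and warn if it propagated deeper (e.g. into a pod template).
# Line-based heuristic that assumes kustomize's 2-space-indented output.
check_prune_protected() {
  awk '
    function flush() {
      if (kind != "") {
        total++
        if (ok) { printf "ok      %s/%s\n", kind, name }
        else    { missing++; printf "MISSING %s/%s\n", kind, name }
      }
      kind = ""; name = ""; ok = 0; inmeta = 0
    }
    /^---/       { flush(); next }
    /^kind: /    { kind = $2 }
    /^metadata:/ { inmeta = 1; next }
    /^[^ ]/      { inmeta = 0 }
    inmeta && /^  name: / { name = $2 }
    inmeta && /^    kustomize\.toolkit\.fluxcd\.io\/prune: disabled$/ { ok = 1 }
    !inmeta && /^ +kustomize\.toolkit\.fluxcd\.io\/prune: disabled$/ {
      printf "WARN    %s/%s: annotation propagated below metadata (pod template?)\n", kind, name
    }
    END { flush(); printf "%d objects, %d missing\n", total, missing; exit (missing > 0) }
  '
}
# Constructed stand-in for `kubectl kustomize` output: the Namespace is
# protected, the Flux Kustomization was left unannotated.
sample_manifests() {
  cat <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    kustomize.toolkit.fluxcd.io/prune: disabled
  name: ascoachingogvaner
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ascoachingogvaner
  namespace: ascoachingogvaner
spec:
  prune: true
EOF
}
# Demo on the sample: exits 1 because one skeleton object is unprotected.
sample_manifests | check_prune_protected || echo "prune-protection incomplete; do not start Phase B"
```

Against the real base, run `kubectl kustomize k8s/bases/apps/ascoachingogvaner | check_prune_protected` and expect 10 objects, 0 missing and no WARN lines before Phase B starts.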
@devantler devantler marked this pull request as ready for review July 5, 2026 06:48
@devantler devantler added this pull request to the merge queue Jul 5, 2026
Merged via the queue into main with commit c6a65ed Jul 5, 2026
15 checks passed
@devantler devantler deleted the claude/tenant-skeleton-prune-protect branch July 5, 2026 07:23
@github-project-automation github-project-automation Bot moved this from 🏃🏻‍♂️ In Progress to ✅ Done in 🌊 Project Board Jul 5, 2026
@botantler-1

botantler-1 Bot commented Jul 5, 2026

Contributor

🎉 This PR is included in version 1.101.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 5, 2026