From ad529a86b6737a559856e7647558f12259a47da1 Mon Sep 17 00:00:00 2001 From: stxkxs Date: Sun, 7 Jun 2026 00:38:07 -0700 Subject: [PATCH] Fix tenant-deploy contract (per-app namespace/project) + appset-count docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From the core-repos quality audit. P0 (tenant deploy contract): apps-tenants.yaml targeted a shared `tenants-protohype` namespace + `tenant-protohype` AppProject that the operator never creates — it provisions per-Platform resources (namespace tenants-, AppProject ). Retargeted each tenant Application to the per-app namespace + project (derived in the template from `.app`), matching what the operator reconciles. Paired with eks-agent-platform widening the AppProject sourceRepos to the nanohype org so the Application's source is allowed. Docs: ApplicationSet count 10 -> 16; corrected "all use matrix" — 3 appsets (addons-agent-operator, clusters-appset, portal-tenants) use other generators. Note: the audit's "region cluster-Secret label is unset" finding is a false positive — landing-zone cluster-bootstrap sets the `region` label on the in-cluster ArgoCD cluster Secret (bootstrap.tf), which is what the addons-agent-operator generator reads. No change needed there. --- CLAUDE.md | 4 ++-- README.md | 4 ++-- applicationsets/apps-tenants.yaml | 14 ++++---------- docs/architecture/overview.md | 2 +- 4 files changed, 9 insertions(+), 15 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index bff9a5b..ebd802c 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -7,7 +7,7 @@ EKS-specific GitOps configuration for ArgoCD addon lifecycle management. Part of ## Directory Structure ``` -applicationsets/ → ArgoCD ApplicationSets (App-of-Apps pattern, 10 total) +applicationsets/ → ArgoCD ApplicationSets (App-of-Apps pattern, 16 total) addons/ → Addon configurations // # Helm addons (majority): 
@@ -43,7 +43,7 @@ Environment-specific values files contain ONLY differences from base — not a f Three addons use pure Kustomize (no Helm): storage-classes, priority-classes, karpenter-resources. These use the `base/overlays` pattern with `kustomization.yaml` in each overlay directory. Kyverno policies also use pure Kustomize (resources + JSON patches for enforcement mode). ### ApplicationSet Generator -All 10 ApplicationSets use `matrix` generator combining `clusters` selector with a `list` of addons. Two template styles: Helm multi-source (for Helm addons with `$values` ref) and single-source with Kustomize path (for Kustomize addons and policies). Environment is read from cluster secret labels: `{{ index .metadata.labels "environment" }}`. +Most ApplicationSets use a `matrix` generator combining `clusters` selector with a `list` of addons. Two template styles: Helm multi-source (for Helm addons with `$values` ref) and single-source with Kustomize path (for Kustomize addons and policies). Environment is read from cluster secret labels: `{{ index .metadata.labels "environment" }}`. ## Making Changes diff --git a/README.md b/README.md index d743917..13655f7 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ This repository is the EKS variant of a multi-cloud GitOps strategy. Infrastruct │ ▼ ┌─────────────────────────────────────────────────────────────────────┐ -│ ApplicationSets (10) │ +│ ApplicationSets (16) │ ├─────────────────────────────────────────────────────────────────────┤ │ ├── addons-bootstrap (cert-manager, external-secrets, ...) │ │ ├── addons-bootstrap-kustomize (storage-classes, priority-classes) │ @@ -48,7 +48,7 @@ This repository is the EKS variant of a multi-cloud GitOps strategy. Infrastruct ``` eks-gitops/ -├── applicationsets/ # ArgoCD ApplicationSets (10) +├── applicationsets/ # ArgoCD ApplicationSets (16) │ ├── addons-bootstrap.yaml │ ├── addons-bootstrap-kustomize.yaml │ ├── addons-networking.yaml 
diff --git a/applicationsets/apps-tenants.yaml b/applicationsets/apps-tenants.yaml
index ded7274..57fd1e8 100644
--- a/applicationsets/apps-tenants.yaml
+++ b/applicationsets/apps-tenants.yaml
@@ -22,30 +22,22 @@ spec:
 - app: slack-knowledge-bot
 repoURL: https://github.com/nanohype/slack-knowledge-bot.git
 path: chart
- namespace: tenants-protohype
- project: tenant-protohype
 - app: digest-pipeline
 repoURL: https://github.com/nanohype/digest-pipeline.git
 path: chart
- namespace: tenants-protohype
- project: tenant-protohype
 - app: incident-response
 repoURL: https://github.com/nanohype/incident-response.git
 path: chart
- namespace: tenants-protohype
- project: tenant-protohype
 - app: competitive-intelligence
 repoURL: https://github.com/nanohype/competitive-intelligence.git
 path: chart
- namespace: tenants-protohype
- project: tenant-protohype
 template:
 metadata:
 name: '{{ .app }}-{{ index .metadata.labels "environment" }}'
 annotations:
 argocd.argoproj.io/sync-wave: "100"
 spec:
- project: '{{ .project }}'
+ project: '{{ .app }}'
 sources:
 - repoURL: '{{ .repoURL }}'
 targetRevision: main
@@ -59,7 +51,9 @@ spec:
 ref: values
 destination:
 server: https://kubernetes.default.svc
- namespace: '{{ .namespace }}'
+ # Per-app tenant namespace the operator creates from the Platform name
+ # (PlatformNamespace = tenants-); CreateNamespace=false below.
+ namespace: 'tenants-{{ .app }}'
 syncPolicy:
 automated:
 prune: true
diff --git a/docs/architecture/overview.md b/docs/architecture/overview.md
index 3c74b57..e9ddcf1 100644
--- a/docs/architecture/overview.md
+++ b/docs/architecture/overview.md
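Review bot: The new `project: '{{ .app }}'` line in the first hunk makes the Application depend on an AppProject named exactly after each list entry existing on the cluster, but unlike the `namespace:` line in the second hunk it carries no comment stating that contract; add a parallel one such as `# AppProject the operator creates per Platform (name = app); it must permit the nanohype source repo and the tenants-{{ .app }} destination` so the coupling to eks-agent-platform is visible next to the field. It is worth stating there that ArgoCD should refuse to sync an Application whose project does not exist rather than fall back to `default`, which is the fail-closed behaviour this design relies on while the operator has not yet reconciled a Platform. The added comment text `(PlatformNamespace = tenants-)` looks truncated, presumably a lost placeholder; confirm the committed file names the suffix, e.g. as `tenants-{{ .app }}`. The phrase `CreateNamespace=false below` refers to syncOptions outside the second hunk, so I cannot verify it here; the enclosing `spec:` continues past both hunks.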
@@ -21,7 +21,7 @@ graph TD ## ApplicationSet Pattern -All 10 ApplicationSets use the **matrix generator** combining: +Most ApplicationSets use the **matrix generator** (addons-agent-operator, clusters-appset, and portal-tenants use other generators) combining: 1. **Clusters generator** — selects clusters by label `argocd.argoproj.io/secret-type: cluster` 2. **List generator** — defines addons with name, namespace, path, and sync wave