feat: bootstrap cleanup + machineconfig-backup (session/24)#24
Merged
Governor directive (session/21): CODEBASE.md eliminated from all repos. The graphify knowledge graph at ~/ontai/graphify-out/graph.json is the sole authoritative source for codebase understanding. See root CONTEXT.md and CLAUDE.md for the Graphify Source of Truth Protocol.
PlatformTenant was a planned CRD for tenant coordination that was never implemented. Tenant coordination is handled by InfrastructureTalosCluster (mode=import or mode=bootstrap) plus the conductor role=tenant Deployment managed by the compiler enable bundle. Remove the forward-looking reference from Step 4b to prevent agents from attempting to implement a non-existent CRD category.
Replace /tmp/envtest-bins/1.35.0 (ephemeral, stale version) with the canonical ontai root Makefile target: make envtest-setup && export KUBEBUILDER_ASSETS=$(make -s envtest-path). Pinned to K8s 1.32.x.
- Remove ont-system talosconfig copy (PLATFORM-BL-TALOSCONFIG-ONTYSYSTEM-REMOVE):
ensureExecutorTalosconfig now copies only to seam-tenant-{cluster}; day-2
executor Jobs mount from Job namespace, never from ont-system.
- Canonical kubeconfig rename (PLATFORM-BL-KUBECONFIG-CANONICAL): removed
tenantKubeconfigSecretName constant and ensureTenantKubeconfigCopy; both import
and CAPI paths now read seam-mc-{cluster}-kubeconfig exclusively.
platform_security.go no longer writes target-cluster-kubeconfig.
PKI rotation e2e test updated to assert seam-mc-{cluster}-kubeconfig.
- CAPI tenant onboarding (PLATFORM-BL-CAPI-TENANT-ONBOARDING): step 8.5 added
to reconcileCAPIPath after CAPI Running: ensureCAPITalosconfig, ensureCAPIKubeconfig,
ensureTenantOnboarding called before ensureConductorReadyAndTransition.
- machineconfig-backup CRD and reconciler (PLATFORM-BL-MACHINECONFIG-BACKUP):
TalosMachineConfigBackup CRD, MachineConfigBackupReconciler, generic
ensureS3EnvSecretFor/resolveS3BackupSecretRef helpers. Registered in main.go.
Summary

- `ensureExecutorTalosconfig` now copies talosconfig only to `seam-tenant-{cluster}`; removed ont-system destination (day-2 executor Jobs mount from Job namespace).
- Removed `tenantKubeconfigSecretName` constant and `ensureTenantKubeconfigCopy`; both import and CAPI paths read `seam-mc-{cluster}-kubeconfig` exclusively. PKI rotation e2e test updated.
- `reconcileCAPIPath` -- calls `ensureCAPITalosconfig`, `ensureCAPIKubeconfig`, `ensureTenantOnboarding` after CAPI Running, before `ensureConductorReadyAndTransition`.
- `TalosMachineConfigBackup` CRD, `MachineConfigBackupReconciler` (mirrors EtcdMaintenanceReconciler pattern), generic S3 helpers `ensureS3EnvSecretFor`/`resolveS3BackupSecretRef` added to `s3_env_secret.go`. Reconciler registered in `main.go`.

Test plan

- `go test ./...` -- all tests green (unit + integration)
- `TalosMachineConfigBackup` CR creates Conductor Job in `seam-tenant-{cluster}` (live test when ccs-mgmt recovers)
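The two placement rules this PR settles on (talosconfig copies go to `seam-tenant-{cluster}` only, never to ont-system; the tenant kubeconfig is read exclusively from `seam-mc-{cluster}-kubeconfig`, and `target-cluster-kubeconfig` is no longer written) are the kind of convention that silently regresses when an older controller or a manual copy leaves a Secret behind. The following Go program is an added example, not code from this PR or the operator: it audits a list of Secret names and namespaces against those rules and reports stale material. `SecretRef`, `AuditSecretPlacement` and the sample inventory are constructed for the example; the cluster name `alpha` and the namespace `example-ns` are placeholders, and the rules encode only what the PR text states.

```go
package main

import (
	"fmt"
	"strings"
)

// SecretRef is a minimal stand-in for the metadata of a Kubernetes Secret.
// It is constructed for this example and is not a type from the operator.
type SecretRef struct {
	Namespace string
	Name      string
}

// Finding is one Secret that contradicts the placement conventions.
type Finding struct {
	Secret SecretRef
	Reason string
}

// TenantTalosconfigNamespace is the only destination an executor
// talosconfig copy may have after this change.
func TenantTalosconfigNamespace(cluster string) string {
	return "seam-tenant-" + cluster
}

// CanonicalKubeconfigSecret is the single kubeconfig Secret name that both
// the import and CAPI paths read.
func CanonicalKubeconfigSecret(cluster string) string {
	return "seam-mc-" + cluster + "-kubeconfig"
}

// legacyKubeconfigName was written by platform_security.go before this PR;
// a surviving copy is credential material the controller no longer refreshes.
const legacyKubeconfigName = "target-cluster-kubeconfig"

// AuditSecretPlacement reports Secrets that violate the two rules the PR
// establishes: no talosconfig copy may live in ont-system (executor Jobs
// mount from their own namespace), and the retired target-cluster-kubeconfig
// name must not be present anywhere.
func AuditSecretPlacement(secrets []SecretRef) []Finding {
	var findings []Finding
	for _, s := range secrets {
		switch {
		case s.Namespace == "ont-system" && strings.Contains(s.Name, "talosconfig"):
			findings = append(findings, Finding{s, "talosconfig copy in ont-system"})
		case s.Name == legacyKubeconfigName:
			findings = append(findings, Finding{s, "retired target-cluster-kubeconfig name still present"})
		}
	}
	return findings
}

func main() {
	// Constructed inventory for a placeholder cluster "alpha": a stale pre-PR
	// talosconfig copy in ont-system and a retired kubeconfig name sit next to
	// the two Secrets that are correct after the cleanup.
	inventory := []SecretRef{
		{Namespace: "ont-system", Name: "alpha-talosconfig"},
		{Namespace: TenantTalosconfigNamespace("alpha"), Name: "alpha-talosconfig"},
		{Namespace: "example-ns", Name: legacyKubeconfigName},
		{Namespace: "example-ns", Name: CanonicalKubeconfigSecret("alpha")},
	}
	for _, f := range AuditSecretPlacement(inventory) {
		fmt.Printf("%s/%s: %s\n", f.Secret.Namespace, f.Secret.Name, f.Reason)
	}
}
```

Run against a real listing (for instance the output of `kubectl get secrets -A`, mapped into `SecretRef` values), the audit flags exactly the two leftovers the cleanup is meant to retire; it deliberately does not judge other kubeconfig Secrets, since CAPI produces its own before `ensureCAPIKubeconfig` copies it to the canonical name.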