refactor: standardize env token on production (was prod) + fix AGENTS catalog#9
Merged
…d`) + fix the AGENTS addon catalog
─── Why ───
`production` is the org-wide environment token — landing-zone AWS + GCP, eks-gitops, kx,
all four tenant charts, eks-agent-platform, and eks-fleet all use it. The Azure stack
(aks-gitops + landing-zone's Azure live tree) was the lone holdout on the short `prod`,
which contradicted the "mirrors eks-gitops" contract. This brings AKS in line.
ApplicationSets resolve `values-{label}.yaml` and `overlays/{label}` from the cluster
secret's `environment` label, which the Azure substrate stamps. This change pairs with
landing-zone renaming its Azure env token `prod`→`production`; together the AKS clusters
get labeled `environment: production` and these files resolve.
─── Env-token rename ───
- 24 `values-prod.yaml` → `values-production.yaml`
- 8 `overlays/prod` directories + `environments/prod` → `production`
- `environment` label/value, the `ENVIRONMENT=` / `resourceGroup:` vars, the CI matrices,
and script usage examples → `production`. The `workload-prod` subscription alias is kept,
exactly as AWS keeps a `workload-prod` account with a `production` env.
- cluster name `prod-aks` → `production-aks` (dev/staging already used full env names).
─── Azure deploy artifacts ───
The prod env's values hardcode Azure resource identifiers derived from the cluster name +
subscription. The deterministic ones (velero backup storage, argo-workflows artifacts
storage, the secrets Key Vault) were recomputed for the new name from landing-zone's
`substr(replace(name,"-","") + purpose + subscription, 0, 24)` rule against the same
subscription. The Azure Monitor / Managed Grafana endpoint hostnames carry Azure-generated
random suffixes that refresh on apply; their `production-aks-*` prefix is corrected and the
suffixes remain the last-known deploy values.
─── AGENTS.md addon catalog ───
Rewrote the catalog to the actual six-category tree. Dropped addons that don't exist
(Argo CD, azure-workload-identity, azure-disk-csi-driver, cluster-autoscaler,
kube-prometheus-stack, azure-monitor-opentelemetry-collector, gatekeeper, network-policies,
agic), recategorized reloader (bootstrap, not operations), and corrected the catalog/,
dashboards/, and policies/ descriptions plus the ingress/observability difference notes.
`task validate` passes (yamllint + all kustomize overlays build across dev / staging / production).
Closes #8
CI Results
All validations passed.
What

Two audit follow-ups from #8.

1. `prod` → `production` env-token standardization

`production` is the org-wide environment token (landing-zone AWS+GCP, eks-gitops, kx, all four tenant charts, eks-agent-platform, eks-fleet). The Azure stack was the lone holdout on the short `prod`, contradicting the "mirrors eks-gitops" claim.

- `values-prod.yaml` → `values-production.yaml`; 8 `overlays/prod` + `environments/prod` dirs → `production`
- `environment` label/value, `ENVIRONMENT=` / `resourceGroup:` vars, CI matrices, script usage, CLAUDE.md → `production`
- `prod-aks` → `production-aks` (dev/staging already used full names)
- `workload-prod` subscription alias is kept (same as AWS: `workload-prod` account + `production` env)

ApplicationSets resolve `values-{label}.yaml` / `overlays/{label}` from the cluster-secret `environment` label that the substrate stamps — so this pairs with landing-zone renaming its Azure env token `prod` → `production` (separate PR). Together, AKS clusters get labeled `environment: production` and these files resolve.

Azure deploy artifacts: the prod values hardcode Azure resource ids derived from cluster name + subscription. The deterministic ones (velero/argo storage, secrets Key Vault) were recomputed for the new name from landing-zone's `substr(...)` rule against the same subscription. Monitor/Grafana endpoint hostnames carry Azure-generated random suffixes that refresh on apply — prefix corrected, suffixes left as last-known.

2. AGENTS.md addon catalog

Rewrote to the actual six-category tree. Dropped nonexistent addons (Argo CD, azure-workload-identity, azure-disk-csi-driver, cluster-autoscaler, kube-prometheus-stack, azure-monitor-otel, gatekeeper, network-policies, agic), recategorized `reloader` (bootstrap), fixed the `catalog/` / `dashboards/` / `policies/` bullets + ingress/observability notes.

Verification

`task validate` passes (yamllint + all kustomize overlays build across dev/staging/production). `prod`-token sweep clean — only the intentional `workload-prod` subscription alias remains.

Closes #8
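The "Azure deploy artifacts" paragraphs above (commit message and PR description) recompute storage and Key Vault names from landing-zone's `substr(replace(name,"-","") + purpose + subscription, 0, 24)` rule. The following is an added example, not landing-zone's or this repo's code: it mirrors that rule in Python for the `prod-aks` → `production-aks` rename and adds the two checks a reviewer wants after the longer cluster name, that each recomputed name still fits Azure storage-account constraints and that the 24-character cut has not erased the component that keeps names distinct. The purpose strings and the `workloadprod` subscription component are constructed placeholders, not values from the repo.

```python
"""Recompute deterministic Azure resource names for a renamed AKS cluster.

Mirrors the HCL rule quoted in the PR:
    substr(replace(name, "-", "") + purpose + subscription, 0, 24)
Purpose strings and the subscription component used below are constructed.
"""
import re

# Azure storage-account names: 3-24 chars, lowercase letters and digits only
# (the strictest of the three resource types the PR recomputes).
STORAGE_ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
MAX_LEN = 24


def azure_resource_name(cluster_name: str, purpose: str, subscription: str) -> str:
    """Python equivalent of substr(replace(name,"-","") + purpose + subscription, 0, 24)."""
    return (cluster_name.replace("-", "") + purpose + subscription)[:MAX_LEN]


def rename_report(old_cluster: str, new_cluster: str, purposes: list[str], subscription: str) -> dict:
    """Map each purpose to (old_name, new_name) and list findings the rename should not ship with."""
    stem = new_cluster.replace("-", "")
    names = {p: (azure_resource_name(old_cluster, p, subscription),
                 azure_resource_name(new_cluster, p, subscription)) for p in purposes}
    findings, seen = [], {}
    for p, (_, new) in names.items():
        if not STORAGE_ACCOUNT_RE.match(new):
            findings.append(f"{p}: {new!r} breaks storage-account naming rules")
        # If stem + purpose already fills 24 chars, the subscription never reaches the name,
        # so two subscriptions deploying this cluster/purpose would compute the same id.
        if len(stem + p) >= MAX_LEN:
            findings.append(f"{p}: subscription component truncated away from {new!r}")
        # Distinct purposes must still yield distinct names after the cut.
        if new in seen:
            findings.append(f"{p} collides with {seen[new]} on {new!r}")
        seen.setdefault(new, p)
    return {"names": names, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs: purposes stand in for velero / argo-workflows / Key Vault,
    # "workloadprod" for the subscription component of the rule.
    report = rename_report("prod-aks", "production-aks", ["velero", "argowf", "kv"], "workloadprod")
    for purpose, (old, new) in report["names"].items():
        print(f"{purpose:8} {old} -> {new}")
    for finding in report["findings"]:
        print("WARN", finding)
```

The longer cluster name consumes six more characters of the 24-character budget, so every recomputed name shows less of the subscription component than before; the report flags the point where that component disappears entirely.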