Skip to content

docs: portal write→read loop validated; wire portal-tenants #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
stxkxs merged 1 commit into from
May 31, 2026
Merged

docs: portal write→read loop validated; wire portal-tenants #27

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 19 additions & 12 deletions docs/runbooks/deploy-end-to-end.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,20 +111,27 @@ boundary ARNs) from SSM via its IRSA role. Verify:
cd portal && docker compose up -d && task dev
```

Config the worker (env): `GITOPS_TENANTS_REPO_URL` (a tenants gitops repo),
Config the worker (env): `GITOPS_TENANTS_REPO_URL` (the tenants gitops repo),
`GITOPS_TENANTS_REPO_REF`, `GITOPS_SSH_KEY_PATH`, `GITOPS_AUTHOR_NAME/EMAIL`,
`EKS_AGENT_PLATFORM_CHARTS_REPO_URL` (the operator repo, for the `charts/tenant`
boundary chart). Register the EKS cluster (SlimConfig: API endpoint + CA + a
`view`-bound SA token; add the AWS provider so the connection-test assume-role
runs). Then drive create-tenant in the UI → it renders `charts/tenant`
(Platform + BudgetPolicy) → commits to the tenants repo → ArgoCD applies → the
operator provisions namespace + real per-Platform IRSA + KMS. The app workloads
land via the eks-gitops `apps-tenants` ApplicationSet, with per-env values from
`tofu output` (platform role ARN, tenant infra).

> Portal-driven deploy is the one path that was NOT live-exercised on EKS in the
> 2026-05-31 run — verify it on first use. Everything below it (operator real
> reconcile) is verified.
boundary chart). **`GITOPS_TENANTS_REPO_URL` must equal the `repoURL` in the
eks-gitops `portal-tenants` ApplicationSet** — that's what applies the commits.
Register the EKS cluster (SlimConfig: API endpoint + CA + a `view`-bound SA
token; add the AWS provider so the connection-test assume-role runs). Then drive
create-tenant in the UI → it renders `charts/tenant` (Tenant + Platform +
BudgetPolicy + agent-plane CRs) → commits to `tenants/<cluster>/<tenant>.yaml` →
the `portal-tenants` ApplicationSet applies it → the operator provisions the
namespace + real per-Platform IRSA + KMS → the watcher lists the Tenant back into
the portal inventory. The app workloads land separately via the `apps-tenants`
ApplicationSet, with per-env values from `tofu output`.

> The write→read loop (render → commit → apply → reconcile → watcher observes) was
> validated on kx on 2026-05-31: the rendered Tenant + Platform reconcile to Ready
> and the Tenant appears under the watcher's `tenants.platform.nanohype.dev` query,
> cloudgov-clean. NOT yet exercised on real EKS: the full portal stack
> (server/worker/DB) + the `portal-tenants` ApplicationSet's ArgoCD apply — verify
> those on first EKS use. (On kx, ArgoCD is idle by design, so the rehearsal applied
> the rendered manifest directly.)

### B4. Validate

Expand Down
Loading