From d77de9b60d10c2a981fa2f59739d67ff921b4d4c Mon Sep 17 00:00:00 2001 From: Scot Wells Date: Wed, 17 Jun 2026 15:51:20 -0500 Subject: [PATCH] fix(milo-integration): stop shipping ActivityPolicies to infra clusters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The milo-integration component wires the inventory controller into a Milo control plane and is consumed by the infra-cluster Flux Kustomization (inventory-manager). It was also pulling in the 12 ActivityPolicy resources via `components: - ../../milo`. ActivityPolicies require the activity.miloapis.com CRDs, which are served only by the Milo control plane's activity-system aggregated apiserver — not the infra cluster. Every infra-cluster dry-run therefore failed with `no matches for kind "ActivityPolicy" in version "activity.miloapis.com/v1alpha1"`, leaving the Kustomization stuck in a failing retry loop. Drop the `components: - ../../milo` entry so milo-integration carries only the controller's Milo-wiring patches. The policies remain in config/milo and are applied directly to the Milo control plane by a dedicated Flux Kustomization. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../components/milo-integration/kustomization.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/config/components/milo-integration/kustomization.yaml b/config/components/milo-integration/kustomization.yaml index 1be61b9..811d166 100644 --- a/config/components/milo-integration/kustomization.yaml +++ b/config/components/milo-integration/kustomization.yaml @@ -17,13 +17,12 @@ kind: Component # `infra.datum.net/inject-datum-control-plane-trust-bundle: ""` so that # trust-manager populates the trust bundle ConfigMap. # -# This component also installs the inventory ActivityPolicy resources -# (config/milo) onto the Milo control plane. The policies only make sense -# where the Activity system runs, so they ship with the Milo integration -# rather than the self-contained dev overlay. - -components: - - ../../milo +# This component contains only the controller's Milo-wiring patches. The +# inventory ActivityPolicy resources are NOT installed here: they require the +# activity.miloapis.com CRDs served only by the Milo control plane's +# activity-system apiserver, and this component is consumed by the infra +# cluster (which has no such CRDs). The policies live in config/milo and are +# applied directly to the Milo control plane by a dedicated Flux Kustomization. patches: # Remove the base Secret-based webhook-cert volume and volumeMount so we