From eefe1b3ec3207e77e40ffd4d4e4862d48b997acb Mon Sep 17 00:00:00 2001
From: Ronni Baslund <rhb@vdoc.dk>
Date: Wed, 10 Jun 2026 21:35:59 +0200
Subject: [PATCH] fix(infra): platform tenant is dezky-aps; disable prod
 seeding
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The recreated company tenant got slug dezky-aps (wizard auto-derives from
the display name 'Dezky ApS'), so the dezky.eu apex guard 409'd it while
the config still said 'dezky'. Also SEED_ENABLED=false in prod — the
seeder resurrected a ghost 'dezky' tenant on every platform-api boot,
which is how the slug landscape kept shifting. config-rev 4 rolls the
pods.
---
 .../production/fleet/apps/platform-api-config.yaml           | 5 ++++-
 infrastructure/production/fleet/apps/platform-api.yaml       | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/infrastructure/production/fleet/apps/platform-api-config.yaml b/infrastructure/production/fleet/apps/platform-api-config.yaml
index c3c906f..3d4fd98 100644
--- a/infrastructure/production/fleet/apps/platform-api-config.yaml
+++ b/infrastructure/production/fleet/apps/platform-api-config.yaml
@@ -23,7 +23,10 @@ data:
   # (PLATFORM_TENANT_SLUG) may claim the apex; nothing under it can be added
   # as a customer domain.
   PLATFORM_TENANT_DOMAIN: "dezky.eu"
-  PLATFORM_TENANT_SLUG: "dezky"
+  PLATFORM_TENANT_SLUG: "dezky-aps"
+  # No auto-seeded tenants in production — the dezky company tenant is
+  # created and owned through the operator like any other.
+  SEED_ENABLED: "false"
   # JWT validation for portal/operator-issued access tokens. Public Authentik
   # URLs on purpose: the token `iss` claim is the public URL, and the pod can
   # hairpin to it through the node's public IP.
diff --git a/infrastructure/production/fleet/apps/platform-api.yaml b/infrastructure/production/fleet/apps/platform-api.yaml
index 016069d..55cf120 100644
--- a/infrastructure/production/fleet/apps/platform-api.yaml
+++ b/infrastructure/production/fleet/apps/platform-api.yaml
@@ -21,7 +21,7 @@ spec:
       annotations:
         # Bump to force a rolling restart when only the ConfigMap changed —
         # pods read it as env, which is only resolved at container start.
-        dezky.eu/config-rev: "3"
+        dezky.eu/config-rev: "4"
     spec:
       containers:
         - name: platform-api