From 9d9138231a24172769d198609c4e46c5c87b390d Mon Sep 17 00:00:00 2001
From: Tower Bot <tower@odoosky.org>
Date: Thu, 30 Apr 2026 10:37:24 +0300
Subject: [PATCH] =?UTF-8?q?tower=200.61.1=20=E2=80=94=20Phase=20F=20(B):?=
 =?UTF-8?q?=20tenant-scoped=20S3=20resolver?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Refactor s3Resolver from a single-global-creds reader into a
tenant-scoped factory. Each tenant brings their own S3 endpoint,
region, three named buckets (backups + templates + audit), and
access keys (in Vault at v3/tenants/<id>/s3-credentials).

Touches:
  s3.go         — s3Resolver becomes factory; tenantS3 wraps
                  one minio.Client + bucket per tenant
  audit.go      — events grouped by tenantID per flush, written
                  to the tenant's audit bucket
  backups.go    — fleet view fans out one S3 LIST per tenant;
                  per-instance handlers resolve via Argo App
  export/import/migrate — tenant resolved from Argo App label
                  or scope.TenantID
  templates_*   — per-template tenant lookup via templateTenantID
                  (platform tenant for OwnerPlatform manifests)
  vitals.go     — last-backup probe pulls tenantID before list

Adds AllTenants() to PlatformStore so the templates orphan sweep
can iterate every tenant configured with a templates bucket.

Build: tower:0.61.1 — pushed to registry.odoosky.cloud
---
 values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/values.yaml b/values.yaml
index 5d1f5dc..89eda2a 100644
--- a/values.yaml
+++ b/values.yaml
@@ -9,7 +9,7 @@ backend:
     # so every cluster that runs Tower needs the same imagePullSecret
     # provisioned out-of-band (until cluster-platform-v3 owns it).
     repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
-    tag: "0.61.0"
+    tag: "0.61.1"
     pullPolicy: IfNotPresent
   imagePullSecrets:
     - name: docker-mirror-pull