refactor(operators): migrate k8s labels to agents.nanohype.dev/*

charts/bedrock-egress/templates/networkpolicy-template.yaml

@@ -16,7 +16,7 @@ data:
     metadata:
       name: tenant-egress
       labels:
-        eks-agent-platform/tenant: "true"
+        agents.nanohype.dev/tenant: "true"
     spec:
       podSelector: {}
       policyTypes:

charts/bedrock-egress/values.yaml

@@ -38,6 +38,6 @@ networkPolicy:
   #   - egress to agentgateway service
   #   - egress to OTel collector
   #   - egress DNS
-  tenantNamespaceLabel: "eks-agent-platform/tenant"
+  tenantNamespaceLabel: "agents.nanohype.dev/tenant"
   agentgatewayNamespace: agentgateway
   observabilityNamespace: observability

charts/tenant/templates/agentfleet.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: {{ .Values.controlPlaneNamespace | default .Release.Namespace }}
   labels:
     app.kubernetes.io/part-of: eks-agent-platform
-    eks-agent-platform/tenant: {{ .Values.platform.tenant }}
+    agents.nanohype.dev/tenant: {{ .Values.platform.tenant }}
 spec:
   platformRef:
     name: {{ .Values.platform.name }}

charts/tenant/templates/budgetpolicy.yaml

@@ -8,7 +8,7 @@ metadata:
   namespace: {{ .Values.controlPlaneNamespace | default .Release.Namespace }}
   labels:
     app.kubernetes.io/part-of: eks-agent-platform
-    eks-agent-platform/tenant: {{ .Values.platform.tenant }}
+    agents.nanohype.dev/tenant: {{ .Values.platform.tenant }}
 spec:
   platformRef:
     name: {{ .Values.platform.name }}

charts/tenant/templates/evalsuite.yaml

@@ -6,7 +6,7 @@ metadata:
   namespace: {{ .Values.controlPlaneNamespace | default .Release.Namespace }}
   labels:
     app.kubernetes.io/part-of: eks-agent-platform
-    eks-agent-platform/tenant: {{ .Values.platform.tenant }}
+    agents.nanohype.dev/tenant: {{ .Values.platform.tenant }}
 spec:
   platformRef:
     name: {{ .Values.platform.name }}

charts/tenant/templates/modelgateway.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: {{ .Values.controlPlaneNamespace | default .Release.Namespace }}
   labels:
     app.kubernetes.io/part-of: eks-agent-platform
-    eks-agent-platform/tenant: {{ .Values.platform.tenant }}
+    agents.nanohype.dev/tenant: {{ .Values.platform.tenant }}
 spec:
   platformRef:
     name: {{ .Values.platform.name }}

charts/tenant/templates/platform.yaml

@@ -8,8 +8,8 @@ metadata:
   namespace: {{ .Values.controlPlaneNamespace | default .Release.Namespace }}
   labels:
     app.kubernetes.io/part-of: eks-agent-platform
-    eks-agent-platform/persona: {{ .Values.platform.persona }}
-    eks-agent-platform/tenant: {{ .Values.platform.tenant }}
+    agents.nanohype.dev/persona: {{ .Values.platform.persona }}
+    agents.nanohype.dev/tenant: {{ .Values.platform.tenant }}
 spec:
   displayName: {{ .Values.platform.displayName | default .Values.platform.name | quote }}
   persona: {{ .Values.platform.persona }}

charts/tenant/templates/tenant.yaml

@@ -10,7 +10,7 @@ metadata:
   name: {{ .Values.platform.tenant }}
   labels:
     app.kubernetes.io/part-of: eks-agent-platform
-    eks-agent-platform/tenant: {{ .Values.platform.tenant }}
+    agents.nanohype.dev/tenant: {{ .Values.platform.tenant }}
 spec:
   displayName: {{ .Values.platform.displayName | default .Values.platform.tenant | quote }}
   primaryPersona: {{ .Values.platform.persona }}

docs/onboarding/local-kx.md

@@ -51,7 +51,7 @@ kubectl get platforms -A
 kubectl get -n tenants-blank ns,quota,limitrange,networkpolicy
 # tenant ns + ResourceQuota + LimitRange + default-deny NetworkPolicy
 
-kubectl get -n agentgateway routes.agentgateway.dev -l 'eks-agent-platform/platform=blank'
+kubectl get -n agentgateway routes.agentgateway.dev -l 'agents.nanohype.dev/platform=blank'
 # blank-primary route present
 
 kubectl get -n tenants-blank agents.kagent.dev modelconfigs.kagent.dev scaledobjects.keda.sh

docs/runbooks/kill-switch-fired.md

@@ -7,7 +7,7 @@
 ```bash
 # Map tenant name → platform → phase
 kubectl get tenant <tenant-name> -o wide
-kubectl get platforms -l eks-agent-platform/tenant=<tenant-name>
+kubectl get platforms -l agents.nanohype.dev/tenant=<tenant-name>
 ```
 
 If any Platform shows `Suspended`, follow [platform-suspended.md](./platform-suspended.md). Skip the rest of this runbook.
@@ -35,10 +35,10 @@ Cause: Bedrock model quota hit, cross-region inference profile mis-configured, a
 
 ```bash
 # Are the agent pods alive and reading from the queue (if SQS-backed)?
-kubectl -n tenants-<platform> get pods -l eks-agent-platform/fleet=<fleet-name>
+kubectl -n tenants-<platform> get pods -l agents.nanohype.dev/fleet=<fleet-name>
 
 # KEDA-scaled fleet: is the ScaledObject reporting healthy?
-kubectl -n tenants-<platform> get scaledobject -l eks-agent-platform/fleet=<fleet-name> -o yaml | grep -A 5 "status:"
+kubectl -n tenants-<platform> get scaledobject -l agents.nanohype.dev/fleet=<fleet-name> -o yaml | grep -A 5 "status:"
 
 # Inflight queue depth
 aws sqs get-queue-attributes --queue-url <queue-url> --attribute-names ApproximateNumberOfMessages

examples/blank-tenant/platform.yaml

@@ -28,8 +28,8 @@ metadata:
   name: blank
   namespace: eks-agent-platform
   labels:
-    eks-agent-platform/persona: generic
-    eks-agent-platform/tenant: example
+    agents.nanohype.dev/persona: generic
+    agents.nanohype.dev/tenant: example
 spec:
   displayName: Blank tenant
   persona: generic

operators/internal/agentctl/scaffold.go

@@ -83,8 +83,8 @@ func ScaffoldTenant(opts ScaffoldOptions) (*ScaffoldedResources, error) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: platformName, Namespace: opts.Namespace,
 				Labels: map[string]string{
-					"eks-agent-platform/persona": pdefs.Name,
-					"eks-agent-platform/tenant":  opts.TenantName,
+					"agents.nanohype.dev/persona": pdefs.Name,
+					"agents.nanohype.dev/tenant":  opts.TenantName,
 				},
 			},
 			Spec: platformv1alpha1.PlatformSpec{

operators/internal/controller/agentfleet_reconcile.go

@@ -79,8 +79,8 @@ func ensureTenantServiceAccount(ctx context.Context, c client.Client, p *platfor
 		}
 		sa.Labels = map[string]string{
 			"app.kubernetes.io/managed-by": "eks-agent-platform",
-			"eks-agent-platform/platform":  p.Name,
-			"eks-agent-platform/tenant":    p.Spec.Tenant,
+			LabelPlatform:                  p.Name,
+			LabelTenant:                    p.Spec.Tenant,
 		}
 		return nil
 	})
@@ -89,7 +89,7 @@ func ensureTenantServiceAccount(ctx context.Context, c client.Client, p *platfor
 
 // ensureFleetNetworkPolicy installs an Egress NetworkPolicy in the
 // tenant namespace selecting fleet pods (label
-// eks-agent-platform/fleet=<name>). Egress narrows to: kube-dns,
+// agents.nanohype.dev/fleet=<name>). Egress narrows to: kube-dns,
 // agentgateway, observability OTel. Ingress is denied entirely — no one
 // reaches a fleet pod from outside the tenant namespace.
 //
@@ -113,12 +113,12 @@ func (r *AgentFleetReconciler) ensureFleetNetworkPolicy(ctx context.Context, fle
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, np, func() error {
 		np.Labels = map[string]string{
 			"app.kubernetes.io/managed-by": "eks-agent-platform",
-			"eks-agent-platform/platform":  p.Name,
-			"eks-agent-platform/fleet":     fleet.Name,
+			LabelPlatform:                  p.Name,
+			LabelFleet:                     fleet.Name,
 		}
 		np.Spec = networkingv1.NetworkPolicySpec{
 			PodSelector: metav1.LabelSelector{
-				MatchLabels: map[string]string{"eks-agent-platform/fleet": fleet.Name},
+				MatchLabels: map[string]string{LabelFleet: fleet.Name},
 			},
 			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
 			Egress: []networkingv1.NetworkPolicyEgressRule{
@@ -166,9 +166,9 @@ func (r *AgentFleetReconciler) ensureKagentAgents(ctx context.Context, fleet *ag
 		configName := base + "-config"
 		labels := map[string]string{
 			"app.kubernetes.io/managed-by": "eks-agent-platform",
-			"eks-agent-platform/platform":  p.Name,
-			"eks-agent-platform/fleet":     fleet.Name,
-			"eks-agent-platform/agent":     agent.Name,
+			LabelPlatform:                  p.Name,
+			LabelFleet:                     fleet.Name,
+			LabelAgent:                     agent.Name,
 		}
 
 		// kagent ModelConfig — provider OpenAI pointed at the route's
@@ -322,8 +322,8 @@ func (r *AgentFleetReconciler) ensureKEDAScaledObject(ctx context.Context, fleet
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, so, func() error {
 		so.SetLabels(map[string]string{
 			"app.kubernetes.io/managed-by": "eks-agent-platform",
-			"eks-agent-platform/platform":  p.Name,
-			"eks-agent-platform/fleet":     fleet.Name,
+			LabelPlatform:                  p.Name,
+			LabelFleet:                     fleet.Name,
 		})
 		var triggers []any
 		if queueURL != "" {
@@ -394,8 +394,8 @@ func (r *AgentFleetReconciler) ensureKEDATriggerAuth(ctx context.Context, fleet
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, ta, func() error {
 		ta.SetLabels(map[string]string{
 			"app.kubernetes.io/managed-by": "eks-agent-platform",
-			"eks-agent-platform/platform":  p.Name,
-			"eks-agent-platform/fleet":     fleet.Name,
+			LabelPlatform:                  p.Name,
+			LabelFleet:                     fleet.Name,
 		})
 		spec := map[string]any{
 			"podIdentity": map[string]any{

operators/internal/controller/agentsandbox_reconcile.go

@@ -51,10 +51,10 @@ func agentSandboxResourceName(box *agentsv1alpha1.AgentSandbox) string {
 // NetworkPolicy podSelector. The `agentsandbox` label is the selector.
 func agentSandboxLabels(box *agentsv1alpha1.AgentSandbox, p *platformv1alpha1.Platform) map[string]string {
 	return map[string]string{
-		"app.kubernetes.io/managed-by":    "eks-agent-platform",
-		"app.kubernetes.io/component":     "agent-sandbox",
-		"eks-agent-platform/platform":     p.Name,
-		"eks-agent-platform/agentsandbox": box.Name,
+		"app.kubernetes.io/managed-by": "eks-agent-platform",
+		"app.kubernetes.io/component":  "agent-sandbox",
+		LabelPlatform:                  p.Name,
+		LabelAgentSandbox:              box.Name,
 	}
 }
 
@@ -117,7 +117,7 @@ func (r *AgentSandboxReconciler) ensureAgentSandboxNetworkPolicy(ctx context.Con
 		np.Labels = agentSandboxLabels(box, p)
 		np.Spec = networkingv1.NetworkPolicySpec{
 			PodSelector: metav1.LabelSelector{
-				MatchLabels: map[string]string{"eks-agent-platform/agentsandbox": box.Name},
+				MatchLabels: map[string]string{LabelAgentSandbox: box.Name},
 			},
 			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
 			Egress:      sandboxEgressRules(),

operators/internal/controller/eval_reconcile.go

@@ -99,12 +99,12 @@ func (r *EvalReconciler) ensureArgoWorkflow(ctx context.Context, suite *governan
 
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, obj, func() error {
 		obj.SetLabels(map[string]string{
-			"app.kubernetes.io/managed-by":      "eks-agent-platform",
-			"eks-agent-platform/platform":       platform.Name,
-			"eks-agent-platform/tenant":         platform.Spec.Tenant,
-			"eks-agent-platform/agent-fleet":    fleet.Name,
-			"eks-agent-platform/eval-suite":     suite.Name,
-			"eks-agent-platform/pass-threshold": suite.Spec.PassThreshold,
+			"app.kubernetes.io/managed-by": "eks-agent-platform",
+			LabelPlatform:                  platform.Name,
+			LabelTenant:                    platform.Spec.Tenant,
+			LabelAgentFleet:                fleet.Name,
+			LabelEvalSuite:                 suite.Name,
+			LabelPassThreshold:             suite.Spec.PassThreshold,
 		})
 
 		// Parameters consumed by the platform-shared eval-runner template:

operators/internal/controller/labels.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2026 stxkxs.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+*/
+
+package controller
+
+// Canonical k8s label keys for the objects the operator creates, under the
+// reserved agents.nanohype.dev/* prefix — the resource-tagging standard's render
+// for agent/tenant identity (and the namespace tenant-chart-base already uses).
+//
+// Each key is defined once and referenced for BOTH an object's metadata label
+// AND any selector that matches it (NetworkPolicy podSelectors, the immutable
+// Deployment/Service selectors). Sharing the constant makes a label and its
+// selector physically unable to drift — the failure mode this file exists to
+// prevent.
+const labelPrefix = "agents.nanohype.dev"
+
+const (
+	LabelPlatform      = labelPrefix + "/platform"
+	LabelTenant        = labelPrefix + "/tenant"
+	LabelPersona       = labelPrefix + "/persona"
+	LabelFleet         = labelPrefix + "/fleet"
+	LabelAgent         = labelPrefix + "/agent"
+	LabelAgentFleet    = labelPrefix + "/agent-fleet"
+	LabelAgentSandbox  = labelPrefix + "/agentsandbox"
+	LabelSandboxPool   = labelPrefix + "/sandboxpool"
+	LabelMetricsBridge = labelPrefix + "/metrics-bridge"
+	LabelEvalSuite     = labelPrefix + "/eval-suite"
+	LabelPassThreshold = labelPrefix + "/pass-threshold"
+	LabelModelFamily   = labelPrefix + "/model-family"
+)

operators/internal/controller/modelgateway_reconcile.go

@@ -247,13 +247,13 @@ func (r *ModelGatewayReconciler) ensureRouteRateLimit(ctx context.Context, platf
 func gatewayLabels(platformName string) map[string]string {
 	return map[string]string{
 		"app.kubernetes.io/managed-by": "eks-agent-platform",
-		"eks-agent-platform/platform":  platformName,
+		LabelPlatform:                  platformName,
 	}
 }
 
 func routeLabels(platformName, modelFamily string) map[string]string {
 	l := gatewayLabels(platformName)
-	l["eks-agent-platform/model-family"] = modelFamily
+	l[LabelModelFamily] = modelFamily
 	return l
 }
 

operators/internal/controller/platform_reconcile.go

@@ -84,9 +84,9 @@ func labelsForPlatform(p *platformv1alpha1.Platform) map[string]string {
 	return map[string]string{
 		"app.kubernetes.io/managed-by": "eks-agent-platform",
 		"app.kubernetes.io/part-of":    "eks-agent-platform",
-		"eks-agent-platform/platform":  p.Name,
-		"eks-agent-platform/tenant":    p.Spec.Tenant,
-		"eks-agent-platform/persona":   p.Spec.Persona,
+		LabelPlatform:                  p.Name,
+		LabelTenant:                    p.Spec.Tenant,
+		LabelPersona:                   p.Spec.Persona,
 	}
 }
 

operators/internal/controller/sandboxpool_reconcile.go

@@ -79,10 +79,10 @@ func workerImage(pool *agentsv1alpha1.SandboxPool) string {
 // the NetworkPolicy podSelector. The `sandboxpool` label is the selector.
 func sandboxPodLabels(pool *agentsv1alpha1.SandboxPool, p *platformv1alpha1.Platform) map[string]string {
 	return map[string]string{
-		"app.kubernetes.io/managed-by":   "eks-agent-platform",
-		"app.kubernetes.io/component":    "sandbox-worker",
-		"eks-agent-platform/platform":    p.Name,
-		"eks-agent-platform/sandboxpool": pool.Name,
+		"app.kubernetes.io/managed-by": "eks-agent-platform",
+		"app.kubernetes.io/component":  "sandbox-worker",
+		LabelPlatform:                  p.Name,
+		LabelSandboxPool:               pool.Name,
 	}
 }
 
@@ -91,11 +91,11 @@ func sandboxPodLabels(pool *agentsv1alpha1.SandboxPool, p *platformv1alpha1.Plat
 // label is the selector for all three.
 func metricsBridgeLabels(pool *agentsv1alpha1.SandboxPool, p *platformv1alpha1.Platform) map[string]string {
 	return map[string]string{
-		"app.kubernetes.io/managed-by":      "eks-agent-platform",
-		"app.kubernetes.io/component":       "sandbox-metrics-bridge",
-		"eks-agent-platform/platform":       p.Name,
-		"eks-agent-platform/sandboxpool":    pool.Name,
-		"eks-agent-platform/metrics-bridge": pool.Name,
+		"app.kubernetes.io/managed-by": "eks-agent-platform",
+		"app.kubernetes.io/component":  "sandbox-metrics-bridge",
+		LabelPlatform:                  p.Name,
+		LabelSandboxPool:               pool.Name,
+		LabelMetricsBridge:             pool.Name,
 	}
 }
 
@@ -123,7 +123,7 @@ func (r *SandboxPoolReconciler) ensureWorkerDeployment(ctx context.Context, pool
 		ObjectMeta: metav1.ObjectMeta{Name: sandboxResourceName(pool), Namespace: PlatformNamespace(p)},
 	}
 	labels := sandboxPodLabels(pool, p)
-	selector := map[string]string{"eks-agent-platform/sandboxpool": pool.Name}
+	selector := map[string]string{LabelSandboxPool: pool.Name}
 	envKeyRef := pool.Spec.EnvironmentKeySecret
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, dep, func() error {
 		dep.Labels = labels
@@ -184,7 +184,7 @@ func (r *SandboxPoolReconciler) ensureSandboxNetworkPolicy(ctx context.Context,
 		np.Labels = sandboxPodLabels(pool, p)
 		np.Spec = networkingv1.NetworkPolicySpec{
 			PodSelector: metav1.LabelSelector{
-				MatchLabels: map[string]string{"eks-agent-platform/sandboxpool": pool.Name},
+				MatchLabels: map[string]string{LabelSandboxPool: pool.Name},
 			},
 			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
 			Egress:      sandboxEgressRules(),
@@ -259,7 +259,7 @@ func (r *SandboxPoolReconciler) ensureMetricsBridgeDeployment(ctx context.Contex
 		ObjectMeta: metav1.ObjectMeta{Name: metricsBridgeName(pool), Namespace: PlatformNamespace(p)},
 	}
 	labels := metricsBridgeLabels(pool, p)
-	selector := map[string]string{"eks-agent-platform/metrics-bridge": pool.Name}
+	selector := map[string]string{LabelMetricsBridge: pool.Name}
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, dep, func() error {
 		dep.Labels = labels
 		dep.Spec.Replicas = ptrTo(int32(1))
@@ -327,7 +327,7 @@ func (r *SandboxPoolReconciler) ensureMetricsBridgeService(ctx context.Context,
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, svc, func() error {
 		svc.Labels = metricsBridgeLabels(pool, p)
 		svc.Spec.Type = corev1.ServiceTypeClusterIP
-		svc.Spec.Selector = map[string]string{"eks-agent-platform/metrics-bridge": pool.Name}
+		svc.Spec.Selector = map[string]string{LabelMetricsBridge: pool.Name}
 		svc.Spec.Ports = []corev1.ServicePort{{
 			Name:       "http",
 			Port:       80,
@@ -357,7 +357,7 @@ func (r *SandboxPoolReconciler) ensureMetricsBridgeNetworkPolicy(ctx context.Con
 		np.Labels = metricsBridgeLabels(pool, p)
 		np.Spec = networkingv1.NetworkPolicySpec{
 			PodSelector: metav1.LabelSelector{
-				MatchLabels: map[string]string{"eks-agent-platform/metrics-bridge": pool.Name},
+				MatchLabels: map[string]string{LabelMetricsBridge: pool.Name},
 			},
 			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
 			Ingress: []networkingv1.NetworkPolicyIngressRule{{

operators/test/conformance/platform_reconciler_test.go

@@ -86,11 +86,11 @@ func TestPlatformReconciler_CreatesTenantNamespaceWithPSS(t *testing.T) {
 	if ns.Labels["pod-security.kubernetes.io/enforce"] != "restricted" {
 		t.Errorf("PSS enforce label: got %q want restricted", ns.Labels["pod-security.kubernetes.io/enforce"])
 	}
-	if ns.Labels["eks-agent-platform/platform"] != p.Name {
-		t.Errorf("platform label: got %q want %q", ns.Labels["eks-agent-platform/platform"], p.Name)
+	if ns.Labels["agents.nanohype.dev/platform"] != p.Name {
+		t.Errorf("platform label: got %q want %q", ns.Labels["agents.nanohype.dev/platform"], p.Name)
 	}
-	if ns.Labels["eks-agent-platform/tenant"] != "acme" {
-		t.Errorf("tenant label: got %q want acme", ns.Labels["eks-agent-platform/tenant"])
+	if ns.Labels["agents.nanohype.dev/tenant"] != "acme" {
+		t.Errorf("tenant label: got %q want acme", ns.Labels["agents.nanohype.dev/tenant"])
 	}
 }