docs(pass-32): registry-DNS sweep — harbor.<domain> across 9 component READMEs

Pass 25's deferred sweep, executed. Image refs of the form
harbor.<domain>/... (and one registry.<domain>/... in temporal) collapse
the location-code segment. Per NAMING §5.1, Catalyst per-host-cluster
Harbor DNS is harbor.{location-code}.{sovereign-domain} (e.g.
harbor.hfmp.openova.io).

Fixed (11 instances, 9 files):
- anthropic-adapter, bge (×2), debezium, harbor (×2 — ingress + Kyverno
  policy), knative (×2 — serving + traffic-split), llm-gateway, strimzi,
  trivy — all standardized to harbor.<location-code>.<sovereign-domain>.
- temporal had two drift items in one line: registry.<domain> (off-spec
  placeholder — Catalyst's only per-host-cluster registry is Harbor) AND
  legacy "fuse" namespace (renamed to bp-fabric per BUSINESS-STRATEGY
  §16.2 / Pass 26). Rewritten to fabric/order-worker.

Out of scope (deliberate): :latest tag hygiene, and whether Application
Blueprint READMEs should reference ghcr.io/openova-io/bp-<name>:<semver>
vs the Sovereign Harbor mirror. Stalwart customer-email-domain <domain>
placeholders preserved (correct semantics). external-dns illustrative
gslb/api/svc.<domain> preserved (upstream-doc generic).

With Pass 29 (canonical-doc DNS) + Pass 31 (carry-over fixes) + Pass 32
(image registry), the recurring DNS-placeholder collapse drift category
is addressed end-to-end.

Validation log Pass 32 entry added.
hatiyildiz 2026-04-27 22:36:39 +02:00
parent 3993f5fc31
commit 4043e1d51c
10 changed files with 33 additions and 12 deletions

@ -63,6 +63,27 @@ ARCHITECTURE §10 had 3 phases; SOVEREIGN-PROVISIONING §3-§6 has 4 phases. Ali
- ARCHITECTURE §3 topology diagram listed Crossplane, Flux, Harbor, grafana-stack INSIDE the Catalyst control-plane block. But §11 and PLATFORM-TECH-STACK §3 both classify these as per-host-cluster infrastructure (not Catalyst control plane). Topology diagram corrected; per-host-cluster infra now shown as a separate line referencing PLATFORM-TECH-STACK §3 for the full list. Also added the previously-missing `provisioning` row.
- JetStream Account scoping was contradictory: ARCHITECTURE §5 said "Per-Org account: ws.{org}-{env_type}.>" (ambiguous), NAMING-CONVENTION §11.2 said "One JetStream Account scoped to ws.{org}-{env_type}.>" (per-Env), GLOSSARY+SECURITY+PLATFORM-TECH-STACK said per-Org. Reconciled to: one Account per Organization, subjects within use prefix `ws.{org}-{env_type}.>` for per-Environment partitioning. Fixed in ARCHITECTURE §5 and NAMING-CONVENTION §11.2.
### Pass 32 — `harbor.<domain>` / `registry.<domain>` registry-DNS sweep (9 files, 11 instances)
Pass 25's deferred sweep, executed. The pattern: image references with `harbor.<domain>/...` (and one `registry.<domain>/...` in temporal) collapse the location-code segment in the same way Pass 24/25/29 fixes addressed for service URLs. NAMING §5.1 establishes Catalyst per-host-cluster Harbor as `harbor.{location-code}.{sovereign-domain}` (e.g. `harbor.hfmp.openova.io`).
Fixed:
- platform/anthropic-adapter/README.md L68 — Application image ref.
- platform/bge/README.md L68 + L95 — bge-m3 + bge-reranker image refs.
- platform/debezium/README.md L151 — Kafka Connect build output.
- platform/harbor/README.md L132 (ingress hosts) + L236 (Kyverno image-pattern policy).
- platform/knative/README.md L99 + L123 — sample knative-serving image refs.
- platform/llm-gateway/README.md L72 — gateway image ref.
- platform/strimzi/README.md L164 — Kafka Connect build output.
- platform/temporal/README.md L279 — `registry.<domain>/fuse/order-worker:latest` had two drift items in one line: the off-spec `registry.<domain>` placeholder (Catalyst's per-host-cluster registry is Harbor — there's no separate `registry` component) AND the legacy product name `fuse` (renamed to `bp-fabric` in BUSINESS-STRATEGY §16.2 / Pass 26). Rewritten to `harbor.<location-code>.<sovereign-domain>/fabric/order-worker:latest`.
- platform/trivy/README.md L178 — Kyverno verifyImages policy `imageReferences:` glob.
Out of scope (intentional): the `:latest` tag hygiene and the broader question of whether a Catalyst-published Application Blueprint should reference `ghcr.io/openova-io/bp-<name>:<semver>` directly vs the Sovereign's Harbor mirror. Both axes warrant their own pass; this pass strictly fixed the DNS placeholder shape.
Out of scope (correctly): platform/stalwart/README.md `<domain>` placeholders in MX/A/TXT/DKIM/DMARC examples — those refer to the customer's email-receiving domain, not Catalyst control-plane DNS, so the bare `<domain>` is correct. platform/external-dns/README.md `gslb.<domain>` / `api.<domain>` / `svc.<domain>` references — those describe upstream external-dns behavior generically; clarifying them as Catalyst-specific would change their semantic.
Final sweep grep confirms zero remaining `harbor.<domain>` / `registry.<domain>` instances. With Pass 29 (canonical doc DNS sweep), Pass 31 (openbao + librechat carry-over), and now Pass 32 (image registry sweep), the recurring DNS-placeholder collapse drift category is addressed end-to-end.
### Pass 31 — openbao DNS placeholder + librechat callback URL (Pass 22/29 carry-over); GLOSSARY clean
Two real DNS-placeholder fixes; GLOSSARY confirmed clean.
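
Review bot: The heading's count "(9 files, 11 instances)" does not match the Fixed list under it, which enumerates 12 changed lines across the nine READMEs once temporal is included, the same figure as the 12 deletions this commit reports. Either change the heading to 12 or state that it means 11 `harbor.<domain>` instances plus 1 `registry.<domain>`. The "Final sweep grep confirms zero remaining" sentence would also be easier to re-check if it recorded the exact pattern and path that were searched.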

@ -65,7 +65,7 @@ spec:
spec:
containers:
- name: adapter
image: harbor.<domain>/ai-hub/anthropic-adapter:latest
image: harbor.<location-code>.<sovereign-domain>/ai-hub/anthropic-adapter:latest
ports:
- containerPort: 8000
env:
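
Review bot: Placeholder syntax on the new `image:` line differs from the rule this pass cites: the line uses angle brackets (`<location-code>.<sovereign-domain>`), while NAMING §5.1 is quoted in the commit message and in the Pass 32 log entry with curly braces (`harbor.{location-code}.{sovereign-domain}`). Pick one form for README placeholders and record it in the log entry so a later sweep can match a single pattern. The same applies to the other README hunks in this commit.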

@ -65,7 +65,7 @@ spec:
spec:
containers:
- name: bge-m3
image: harbor.<domain>/ai-hub/bge-m3:latest
image: harbor.<location-code>.<sovereign-domain>/ai-hub/bge-m3:latest
ports:
- containerPort: 8080
env:
@ -92,7 +92,7 @@ spec:
spec:
containers:
- name: bge-reranker
image: harbor.<domain>/ai-hub/bge-reranker:latest
image: harbor.<location-code>.<sovereign-domain>/ai-hub/bge-reranker:latest
ports:
- containerPort: 8080
env:

@ -148,7 +148,7 @@ spec:
build:
output:
type: docker
image: harbor.<domain>/debezium/debezium-connect:latest
image: harbor.<location-code>.<sovereign-domain>/debezium/debezium-connect:latest
pushSecret: harbor-registry-credentials
plugins:
- name: debezium-postgres

@ -129,7 +129,7 @@ expose:
ingress:
className: cilium
hosts:
core: harbor.<domain>
core: harbor.<location-code>.<sovereign-domain>
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
@ -233,7 +233,7 @@ spec:
pattern:
spec:
containers:
- image: "harbor.<domain>/*"
- image: "harbor.<location-code>.<sovereign-domain>/*"
```
---
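
Review bot: In the Kyverno `pattern:` block, the registry restriction as shown covers only `spec.containers`; nothing in the visible lines constrains `initContainers` or `ephemeralContainers`, so an image pulled from another registry through those fields would not be checked by this pattern. If the README does not handle them outside this hunk, add equivalent entries next to `- image: "harbor.<location-code>.<sovereign-domain>/*"`. Keeping the `/` before the `*` is right, since it stops the glob from matching a longer hostname that merely starts with the Harbor name.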

@ -96,7 +96,7 @@ spec:
autoscaling.knative.dev/max-scale: "10"
spec:
containers:
- image: harbor.<domain>/my-app:latest
- image: harbor.<location-code>.<sovereign-domain>/my-app:latest
ports:
- containerPort: 8080
resources:
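
Review bot: The sample image path has no Harbor project segment: `harbor.<location-code>.<sovereign-domain>/my-app:latest` goes straight from host to repository, whereas Harbor repositories live under a project and the other READMEs touched in this commit use one (`ai-hub/...`, `debezium/...`, `fabric/...`). Suggest adding a project placeholder, for example `harbor.<location-code>.<sovereign-domain>/<project>/my-app:latest`, and the same for `my-app:v2` in the next hunk, so the sample is pullable once the placeholders are filled in.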
@ -120,7 +120,7 @@ spec:
name: my-service-v2
spec:
containers:
- image: harbor.<domain>/my-app:v2
- image: harbor.<location-code>.<sovereign-domain>/my-app:v2
traffic:
- revisionName: my-service-v1
percent: 90

@ -69,7 +69,7 @@ spec:
spec:
containers:
- name: gateway
image: harbor.<domain>/ai-hub/llm-gateway:latest
image: harbor.<location-code>.<sovereign-domain>/ai-hub/llm-gateway:latest
ports:
- containerPort: 8000
env:

@ -161,7 +161,7 @@ spec:
build:
output:
type: docker
image: harbor.<domain>/kafka-connect:latest
image: harbor.<location-code>.<sovereign-domain>/kafka-connect:latest
plugins:
- name: debezium-postgres
artifacts:
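
Review bot: `build.output` here has no `pushSecret`, while the equivalent block in the Debezium hunk earlier in this commit carries `pushSecret: harbor-registry-credentials`. Harbor requires authentication to push, so add the same field here or state why it is not needed. The path `harbor.<location-code>.<sovereign-domain>/kafka-connect:latest` also lacks a project segment, unlike `debezium/debezium-connect` in that hunk.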

@ -276,7 +276,7 @@ spec:
spec:
containers:
- name: worker
image: registry.<domain>/fuse/order-worker:latest
image: harbor.<location-code>.<sovereign-domain>/fabric/order-worker:latest
env:
- name: TEMPORAL_HOST
value: temporal-frontend.temporal.svc:7233
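
Review bot: The new path uses `fabric/` as the project (`.../fabric/order-worker:latest`), but the commit message and the Pass 32 log entry both say `fuse` was renamed to `bp-fabric`. Confirm whether the Harbor project is `fabric` or `bp-fabric` and make the README line and the log entry agree, otherwise the next drift sweep will flag this line again.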

@ -175,7 +175,7 @@ spec:
- Pod
verifyImages:
- imageReferences:
- "harbor.<domain>/*"
- "harbor.<location-code>.<sovereign-domain>/*"
attestations:
- type: https://cosign.sigstore.dev/attestation/vuln/v1
conditions:
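
Review bot: On the `imageReferences:` glob, a Kyverno `verifyImages` rule only verifies images whose reference matches one of these entries, so a glob filled in with the wrong location code or domain matches nothing and the attestation check is skipped without any error. Worth a sentence in the README saying this rule relies on the registry-restriction policy from the Harbor README to reject everything outside `harbor.<location-code>.<sovereign-domain>/*`, and that both globs must be substituted with the same host.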