fix(charts): explicit harbor.openova.io/proxy-dockerhub prefix on all chart-hook images (#163) (#1367)

Per CLAUDE.md MIRROR-EVERYTHING inviolable rule: every chart-hook image reference (pre/post-install Jobs, helper Pods) must use the explicit Harbor proxy-cache form. Fix #158's bitnami → bitnamilegacy swap was a band-aid; the architecturally correct fix is to defeat upstream-deletion blast radius entirely by routing through Harbor. The node-level containerd mirror in infra/hetzner/cloudinit-control- plane.tftpl (line 706) already redirects docker.io/* → harbor.openova.io/proxy-dockerhub/* implicitly, but implicit routing: - Hides the routing from SBOM scans - Bypasses the Kyverno harbor-proxy-pull ClusterPolicy - Means a chart audit (`grep docker.io`) misses a real dependency - Was the proximate cause of prov #27 wedging when Bitnami deleted docker.io/bitnami/kubectl:1.30.4 (Fix #158 had to chase the deletion mid-flight instead of being insulated by Harbor cache) 19 chart-hook image: refs + 5 chart values.yaml repository: defaults now carry the explicit harbor.openova.io/proxy-dockerhub prefix. Application/subchart images (keycloak, postgresql, mongodb in keycloak+litmus subcharts) are intentionally out of scope for this PR — those go through the node-level containerd mirror still. Affected blueprints + chart version bumps: bp-cert-manager 1.2.1 -> 1.2.2 bp-external-secrets-stores 1.0.4 -> 1.0.5 bp-crossplane-claims 1.1.4 -> 1.1.5 bp-flux 1.2.1 -> 1.2.2 bp-guacamole 0.1.16 -> 0.1.17 bp-self-sovereign-cutover 0.1.28 -> 0.1.29 bp-k8s-ws-proxy 0.1.9 -> 0.1.10 bp-harbor 1.2.15 -> 1.2.16 bp-gitea 1.2.5 -> 1.2.6 bp-newapi 1.4.5 -> 1.4.6 bp-wordpress-tenant 0.2.0 -> 0.2.1 catalyst-platform 1.4.138 -> 1.4.139 Co-authored-by: e3mrah <1234567+e3mrah@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 11:32:21 +04:00 · 2026-05-11 11:32:21 +04:00 · 74d23ab3dc
commit 74d23ab3dc
parent a415bfed58
43 changed files with 184 additions and 64 deletions
--- a/clusters/_template/bootstrap-kit/02-cert-manager.yaml
+++ b/clusters/_template/bootstrap-kit/02-cert-manager.yaml
@ -41,7 +41,7 @@ spec:
      # 1.2.1 (Fix #158): crdGate hook image switched from
      # bitnami/kubectl:1.30.4 (deleted from Docker Hub 2025-08) to
      # bitnamilegacy/kubectl:1.30.7.
-      version: 1.2.1
+      version: 1.2.2
      sourceRef:
        kind: HelmRepository
        name: bp-cert-manager
--- a/clusters/_template/bootstrap-kit/03-flux.yaml
+++ b/clusters/_template/bootstrap-kit/03-flux.yaml
@ -62,7 +62,7 @@ spec:
      # 1.2.1 (Fix #158): stuckHelmReleaseRecovery image switched from
      # bitnami/kubectl:1.31 (deleted from Docker Hub 2025-08) to
      # bitnamilegacy/kubectl:1.31.4. (Catches up from 1.1.3 → 1.2.1.)
-      version: 1.2.1
+      version: 1.2.2
      sourceRef:
        kind: HelmRepository
        name: bp-flux
--- a/clusters/_template/bootstrap-kit/06a-bp-self-sovereign-cutover.yaml
+++ b/clusters/_template/bootstrap-kit/06a-bp-self-sovereign-cutover.yaml
@ -256,7 +256,7 @@ spec:
      # platform-wide migration off bitnami/kubectl (deleted from
      # Docker Hub 2025-08). This Blueprint already uses alpine/k8s
      # + alpine since 0.1.10; no functional image change here.
-      version: 0.1.28
+      version: 0.1.29
      sourceRef:
        kind: HelmRepository
        name: bp-self-sovereign-cutover
--- a/clusters/_template/bootstrap-kit/10-gitea.yaml
+++ b/clusters/_template/bootstrap-kit/10-gitea.yaml
@ -52,7 +52,7 @@ spec:
      # bp-self-sovereign-cutover Step 1 gitea-mirror Job mounts it. K8s
      # forbids cross-namespace secretKeyRef; reflector is the canonical
      # platform-level mirror. Caught live on otech103 2026-05-04.
-      version: 1.2.5
+      version: 1.2.6
      sourceRef:
        kind: HelmRepository
        name: bp-gitea
--- a/clusters/_template/bootstrap-kit/14-crossplane-claims.yaml
+++ b/clusters/_template/bootstrap-kit/14-crossplane-claims.yaml
@ -57,7 +57,7 @@ spec:
      # controller watches).
      # 1.1.4 (Fix #158): kubectlImage switched from bitnami/kubectl:1.31
      # (deleted from Docker Hub 2025-08) to bitnamilegacy/kubectl:1.31.4.
-      version: 1.1.4
+      version: 1.1.5
      sourceRef:
        kind: HelmRepository
        name: bp-crossplane-claims
--- a/clusters/_template/bootstrap-kit/15a-external-secrets-stores.yaml
+++ b/clusters/_template/bootstrap-kit/15a-external-secrets-stores.yaml
@ -70,7 +70,7 @@ spec:
      # 1.0.4 (Fix #158): webhookGate hook image switched from
      # bitnami/kubectl:1.30.4 (deleted from Docker Hub 2025-08) to
      # bitnamilegacy/kubectl:1.30.7.
-      version: 1.0.4
+      version: 1.0.5
      sourceRef:
        kind: HelmRepository
        name: bp-external-secrets-stores
--- a/clusters/_template/bootstrap-kit/19-harbor.yaml
+++ b/clusters/_template/bootstrap-kit/19-harbor.yaml
@ -99,7 +99,7 @@ spec:
      # live on otech113 2026-05-05 (issue #935 Bug 1) — Step 02 was
      # in CreateContainerConfigError for 11+ retries, blocking
      # cutover indefinitely.
-      version: 1.2.15
+      version: 1.2.16
      sourceRef:
        kind: HelmRepository
        name: bp-harbor
--- a/clusters/_template/bootstrap-kit/51-bp-k8s-ws-proxy.yaml
+++ b/clusters/_template/bootstrap-kit/51-bp-k8s-ws-proxy.yaml
@ -80,7 +80,7 @@ spec:
      # because the Job (weight -10, lower=earlier in Helm) was
      # applied before its SA (weight 0). Bumps Chart.yaml 0.1.7 ->
      # 0.1.8; CI promote auto-bumps to 0.1.9 with new image SHA.
-      version: 0.1.9
+      version: 0.1.10
      sourceRef:
        kind: HelmRepository
        name: bp-k8s-ws-proxy
--- a/clusters/_template/bootstrap-kit/52-bp-guacamole.yaml
+++ b/clusters/_template/bootstrap-kit/52-bp-guacamole.yaml
@ -92,7 +92,7 @@ spec:
      # 0.1.15 (Fix #158): migrationImage bumped to
      # bitnamilegacy/kubectl:1.30.7 (was 1.29.3); template fallback no
      # longer references bitnami/kubectl (deleted from Docker Hub 2025-08).
-      version: 0.1.15
+      version: 0.1.17
      sourceRef:
        kind: HelmRepository
        name: bp-guacamole
--- a/clusters/_template/bootstrap-kit/80-newapi.yaml
+++ b/clusters/_template/bootstrap-kit/80-newapi.yaml
@ -102,7 +102,7 @@ spec:
      # for service "external-secrets-webhook"` on every fresh provision,
      # blocking the chart from reaching Ready and the Catalyst signup
      # hook (ADR-0003 §3.2) from finding the admin-token Secret.
-      version: 1.4.4
+      version: 1.4.6
      sourceRef:
        kind: HelmRepository
        name: bp-newapi
--- a/platform/cert-manager/chart/Chart.yaml
+++ b/platform/cert-manager/chart/Chart.yaml
@ -7,7 +7,14 @@ name: bp-cert-manager
 # remain), causing ImagePullBackOff on fresh Sovereign provisions
 # (prov #27 wedge). bitnamilegacy is Bitnami's deprecation-fallback
 # path with bash/sh preserved.
-version: 1.2.1
+#
+# 1.2.2 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): crdGate hook image
+# switched from bitnamilegacy/kubectl:1.30.7 to
+# harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.30.7.
+# Per CLAUDE.md inviolable rule, ALL chart-hook references MUST be
+# explicit Harbor proxy-cache form — not just rely on the node-level
+# containerd mirror in registries.yaml.
+version: 1.2.2
 description: |
  Catalyst-curated Blueprint umbrella chart for cert-manager. Depends on the
  upstream `cert-manager` chart (Jetstack) as a Helm subchart so
--- a/platform/cert-manager/chart/values.yaml
+++ b/platform/cert-manager/chart/values.yaml
@ -137,9 +137,15 @@ crdGate:
  # versioned tags AND retains bash/sh in the image (rancher/kubectl
  # is distroless and would break the hook's bash-c shell script —
  # see platform/k8s-ws-proxy hmac-bootstrap-job.yaml comment).
-  # Same registry-path pattern as platform/guacamole recordings
-  # migrationImage. 1.30.7 is the newest 1.30.x in bitnamilegacy.
-  image: bitnamilegacy/kubectl:1.30.7
+  # 1.30.7 is the newest 1.30.x in bitnamilegacy.
+  #
+  # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit Harbor proxy-cache
+  # prefix per CLAUDE.md inviolable rule. Node-level containerd mirror in
+  # cloudinit-control-plane.tftpl line 706 already rewrites docker.io →
+  # harbor.openova.io/proxy-dockerhub, but explicit references defeat
+  # upstream-deletion blast radius AND satisfy the Kyverno
+  # `harbor-proxy-pull` ClusterPolicy.
+  image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.30.7
  imagePullPolicy: IfNotPresent

 certManager:
--- a/platform/crossplane-claims/chart/Chart.yaml
+++ b/platform/crossplane-claims/chart/Chart.yaml
@ -5,7 +5,13 @@ name: bp-crossplane-claims
 # 1.31.4. Bitnami's 2025-08 secure-images cutover deleted every versioned
 # tag from docker.io/bitnami/kubectl. bitnamilegacy is Bitnami's
 # deprecation-fallback path.
-version: 1.1.4
+#
+# 1.1.5 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): kubectlImage repository
+# switched from bitnamilegacy/kubectl to
+# harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl. Per CLAUDE.md
+# inviolable rule, ALL chart-hook references MUST be explicit Harbor
+# proxy-cache form.
+version: 1.1.5
 description: |
  Catalyst Crossplane XRDs + Compositions Blueprint. Carries ONLY the
  apiextensions.crossplane.io/v1 CompositeResourceDefinition and
--- a/platform/crossplane-claims/chart/values.yaml
+++ b/platform/crossplane-claims/chart/values.yaml
@ -24,8 +24,13 @@ global:
  # versioned tags from docker.io/bitnami/kubectl (only :latest +
  # sha256-named tags remain). bitnamilegacy is Bitnami's deprecation-
  # fallback registry path; retains bash/sh.
+  #
+  # 2026-05-11 (Fix #163, MIRROR-EVERYTHING): explicit
+  # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md inviolable
+  # rule. Operator override still works — entire `repository` is one
+  # configurable string.
  kubectlImage:
-    repository: bitnamilegacy/kubectl
+    repository: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl
    tag: "1.31.4"

 catalystBlueprint:
--- a/platform/external-secrets-stores/chart/Chart.yaml
+++ b/platform/external-secrets-stores/chart/Chart.yaml
@ -37,7 +37,17 @@ name: bp-external-secrets-stores
 # bitnamilegacy is Bitnami's deprecation-fallback path with bash/sh
 # preserved (rancher/kubectl is distroless and would break the inline
 # shell script).
-version: 1.0.4
+#
+# 1.0.5 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): webhookGate hook image
+# switched from bitnamilegacy/kubectl:1.30.7 to
+# harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.30.7.
+# Per CLAUDE.md inviolable rule, ALL chart-hook image references must
+# pull through the Harbor proxy-cache explicitly — not just rely on
+# the node-level containerd mirror in registries.yaml. This protects
+# the bootstrap-kit from upstream Docker Hub deletions (Bitnami 2025-08
+# is exactly such an incident) and satisfies the Kyverno
+# `harbor-proxy-pull` ClusterPolicy.
+version: 1.0.5
 description: |
  Catalyst-curated Blueprint chart for the default ESO ClusterSecretStore(s)
  that wire each Sovereign's bp-external-secrets controller to its bp-openbao
--- a/platform/external-secrets-stores/chart/values.yaml
+++ b/platform/external-secrets-stores/chart/values.yaml
@ -85,11 +85,14 @@ webhookGate:
  # recordings-pvc-migrate-hook.yaml). Versioned tag per
  # docs/INVIOLABLE-PRINCIPLES.md #4a.
  #
-  # 2026-05-11 (Fix #158): switched from docker.io/bitnami/kubectl:1.30.4
-  # because Bitnami's 2025-08 secure-images cutover deleted all
-  # versioned tags from docker.io/bitnami/kubectl (only :latest +
-  # sha256-named tags remain). bitnamilegacy is Bitnami's deprecation-
-  # fallback registry path; retains bash/sh (rancher/kubectl is
-  # distroless and would break the hook's bash-c shell script).
-  image: bitnamilegacy/kubectl:1.30.7
+  # 2026-05-11 (Fix #163, MIRROR-EVERYTHING): explicit Harbor proxy-cache
+  # prefix per CLAUDE.md inviolable rule. Node-level containerd mirror
+  # (registries.yaml in cloudinit-control-plane.tftpl line 706) already
+  # routes `docker.io/*` → `harbor.openova.io/proxy-dockerhub/*`, but
+  # explicit references defeat upstream-deletion blast radius (cf.
+  # bitnami/kubectl 2025-08 secure-images purge) AND make SBOM auditing
+  # plus the Kyverno `harbor-proxy-pull` ClusterPolicy work consistently.
+  # bitnamilegacy/* is Bitnami's deprecation-fallback path; kept because
+  # rancher/kubectl is distroless and would break the hook's bash shim.
+  image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.30.7
  imagePullPolicy: IfNotPresent
--- a/platform/flux/chart/Chart.yaml
+++ b/platform/flux/chart/Chart.yaml
@ -5,7 +5,13 @@ name: bp-flux
 # docker.io/bitnamilegacy/kubectl:1.31.4. Bitnami's 2025-08 secure-images
 # cutover deleted every versioned tag from docker.io/bitnami/kubectl.
 # bitnamilegacy is Bitnami's deprecation-fallback path.
-version: 1.2.1
+#
+# 1.2.2 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): stuckHelmReleaseRecovery
+# CronJob image switched from bitnamilegacy/kubectl:1.31.4 to
+# harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.31.4.
+# Per CLAUDE.md inviolable rule, ALL chart-hook references MUST be
+# explicit Harbor proxy-cache form.
+version: 1.2.2
 description: |
  Catalyst-curated Blueprint umbrella chart for Flux. Depends on the
  upstream `flux2` chart (fluxcd-community) as a Helm subchart so
--- a/platform/flux/chart/values.yaml
+++ b/platform/flux/chart/values.yaml
@ -62,7 +62,12 @@ catalyst:
    # 2026-05-11 (Fix #158): switched from docker.io/bitnami/kubectl:1.31
    # because Bitnami's 2025-08 secure-images cutover deleted all
    # versioned tags. bitnamilegacy is the deprecation-fallback path.
-    image: "bitnamilegacy/kubectl:1.31.4"
+    #
+    # 2026-05-11 (Fix #163, MIRROR-EVERYTHING): explicit
+    # harbor.openova.io/proxy-dockerhub/* prefix per CLAUDE.md inviolable
+    # rule. Defeats upstream-deletion blast radius and satisfies the
+    # Kyverno `harbor-proxy-pull` ClusterPolicy.
+    image: "harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.31.4"

 # ─── Upstream chart values (subchart key: flux2) ──────────────────────────
 # Generated by docs/PROVISIONING-PLAN.md tickets [F] chart Pass 105+.
--- a/platform/gitea/chart/Chart.yaml
+++ b/platform/gitea/chart/Chart.yaml
@ -1,6 +1,10 @@
 apiVersion: v2
 name: bp-gitea
-version: 1.2.5
+# 1.2.6 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): database-secret-sync-job
+# hook image switched from curlimages/curl:8.10.1 to
+# harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md
+# inviolable rule.
+version: 1.2.6
 description: |
  Catalyst-curated Blueprint umbrella chart for Gitea. Depends on the
  upstream `gitea` chart (dl.gitea.com) as a Helm subchart so
--- a/platform/gitea/chart/templates/database-secret-sync-job.yaml
+++ b/platform/gitea/chart/templates/database-secret-sync-job.yaml
@ -76,7 +76,10 @@ spec:
          #   - bitnami/kubectl:1.31.4 — bitnami moved to sha256-only tags
          #   - rancher/kubectl:v1.34.6 — distroless, no /bin/sh; container
          #     can't run our inline shell script.
-          image: curlimages/curl:8.10.1
+          # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+          # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+          # inviolable rule.
+          image: harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1
          imagePullPolicy: IfNotPresent
          env:
            - name: SOURCE_SECRET
--- a/platform/guacamole/chart/Chart.yaml
+++ b/platform/guacamole/chart/Chart.yaml
@ -37,7 +37,10 @@ name: bp-guacamole
 # bitnamilegacy/kubectl:1.29.3 -> bitnamilegacy/kubectl:1.30.7 to align
 # with k3s 1.30 server version on Hetzner Sovereigns + template
 # fallback default no longer references the deleted bitnami path.
-version: 0.1.16
+# 0.1.17 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): migrationImage AND
+# oidc-secret-bootstrap-job both gain explicit
+# harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md inviolable rule.
+version: 0.1.17
 appVersion: "1.5.5"
 description: |
  Catalyst-authored Blueprint chart for Apache Guacamole — a clientless
--- a/platform/guacamole/chart/templates/oidc-secret-bootstrap-job.yaml
+++ b/platform/guacamole/chart/templates/oidc-secret-bootstrap-job.yaml
@ -199,7 +199,10 @@ spec:
          # k8s-API operations from a Job — alpine-based, has /bin/sh,
          # has /dev/urandom, has base64. Identical to the image used
          # by Fix #78 (k8s-ws-proxy hmac-bootstrap).
-          image: curlimages/curl:8.10.1
+          # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+          # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+          # inviolable rule.
+          image: harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1
          imagePullPolicy: IfNotPresent
          env:
            - name: SECRET_NAME
--- a/platform/guacamole/chart/values.yaml
+++ b/platform/guacamole/chart/values.yaml
@ -110,7 +110,10 @@ guacamole:
    # image traceable to a known-good SHA).
    # Fix #158 (2026-05-11): bumped 1.29.3 -> 1.30.7 to align with
    # k3s 1.30 server version on Hetzner Sovereigns.
-    migrationImage: docker.io/bitnamilegacy/kubectl:1.30.7
+    # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+    # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md inviolable
+    # rule.
+    migrationImage: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.30.7
  # ── Keycloak OIDC ──────────────────────────────────────────────
  oidc:
    # Issuer URL — render in per-Sovereign overlay as
--- a/platform/harbor/chart/Chart.yaml
+++ b/platform/harbor/chart/Chart.yaml
@ -38,7 +38,11 @@ description: |
  this Blueprint hard-depends on bp-cnpg + bp-cert-manager. The
  earlier dependency on bp-seaweedfs is REMOVED (cloud-direct S3 path).
 type: application
-version: 1.2.15
+# 1.2.16 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): database-secret-sync-job
+# hook image switched from curlimages/curl:8.10.1 to
+# harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md
+# inviolable rule.
+version: 1.2.16
 appVersion: "2.14.3"
 keywords: [catalyst, blueprint, harbor, oci, registry, container]
 maintainers:
--- a/platform/harbor/chart/templates/database-secret-sync-job.yaml
+++ b/platform/harbor/chart/templates/database-secret-sync-job.yaml
@ -75,7 +75,10 @@ spec:
          #   - bitnami/kubectl:1.31.4 — bitnami moved to sha256-only tags
          #   - rancher/kubectl:v1.34.6 — distroless, no /bin/sh; container
          #     can't run our inline shell script.
-          image: curlimages/curl:8.10.1
+          # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+          # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+          # inviolable rule.
+          image: harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1
          imagePullPolicy: IfNotPresent
          env:
            - name: SOURCE_SECRET
--- a/platform/k8s-ws-proxy/chart/Chart.yaml
+++ b/platform/k8s-ws-proxy/chart/Chart.yaml
@ -39,7 +39,11 @@ name: bp-k8s-ws-proxy
 # proxy.yaml's promote job will auto-bump to 0.1.9 with the new image
 # SHA on merge; bootstrap-kit slot pins should be lifted to 0.1.9 once
 # that promote runs.
-version: 0.1.9
+# 0.1.10 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): hmac-bootstrap-job
+# hook image switched from curlimages/curl:8.10.1 to
+# harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md
+# inviolable rule.
+version: 0.1.10
 appVersion: "0.1.0"
 description: |
  Catalyst-authored Blueprint chart for the k8s-ws-proxy DaemonSet —
--- a/platform/k8s-ws-proxy/chart/templates/hmac-bootstrap-job.yaml
+++ b/platform/k8s-ws-proxy/chart/templates/hmac-bootstrap-job.yaml
@ -200,7 +200,10 @@ spec:
          # curlimages/curl is the canonical Catalyst seam for in-chart
          # k8s-API operations from a Job — alpine-based, has /bin/sh,
          # has /dev/urandom, has base64. No kubectl dependency.
-          image: curlimages/curl:8.10.1
+          # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+          # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+          # inviolable rule.
+          image: harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1
          imagePullPolicy: IfNotPresent
          env:
            - name: SECRET_NAME
--- a/platform/newapi/chart/Chart.yaml
+++ b/platform/newapi/chart/Chart.yaml
@ -122,7 +122,11 @@ name: bp-newapi
 # Issue #915 (epic SME tenant integration DoD: alice → OpenClaw →
 # NewAPI → Qwen3.6@BankDhofar end-to-end).
 # 1.2.0: Traefik Middleware gated behind ingress.middleware.enabled.
-version: 1.4.5
+# 1.4.6 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): 000-external-secrets-
+# webhook-readiness-job hook image switched from curlimages/curl:8.10.1
+# to harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per
+# CLAUDE.md inviolable rule.
+version: 1.4.6
 appVersion: "0.13.2"
 description: |
  Catalyst Blueprint scratch chart for NewAPI — multi-tenant LLM
--- a/platform/newapi/chart/templates/000-external-secrets-webhook-readiness-job.yaml
+++ b/platform/newapi/chart/templates/000-external-secrets-webhook-readiness-job.yaml
@ -140,7 +140,10 @@ spec:
          type: RuntimeDefault
      containers:
        - name: probe
-          image: curlimages/curl:8.10.1
+          # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+          # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+          # inviolable rule.
+          image: harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1
          imagePullPolicy: IfNotPresent
          env:
            - name: WEBHOOK_URL
--- a/platform/self-sovereign-cutover/chart/Chart.yaml
+++ b/platform/self-sovereign-cutover/chart/Chart.yaml
@ -5,7 +5,16 @@ name: bp-self-sovereign-cutover
 # alpine for chroot-pivot). Comment text now reflects the platform-wide
 # Fix #158 migration to bitnamilegacy/kubectl across other Blueprints.
 # No functional change in this Blueprint.
-version: 0.1.28
+#
+# 0.1.29 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): every default image
+# reference (kubectl/git/curl/hostExec + the hardcoded alpine/k8s in
+# step 06) now uses the explicit harbor.openova.io/proxy-dockerhub
+# prefix per CLAUDE.md inviolable rule. The Sovereign cloudinit already
+# routes containerd through this proxy at node-boot time, so the
+# pre-cutover Jobs can reach the explicit URL just fine. Operator
+# override via .Values.global.imageRegistry remains intact for true
+# air-gap or alternate mirror deployments.
+version: 0.1.29
 description: |
  Catalyst Self-Sovereignty Cutover Blueprint. Installs DORMANT — this
  chart ships eight step ConfigMaps (PodSpec ConfigMaps, one per step),
--- a/platform/self-sovereign-cutover/chart/templates/06-helmrepository-patches-job.yaml
+++ b/platform/self-sovereign-cutover/chart/templates/06-helmrepository-patches-job.yaml
@ -46,9 +46,12 @@ data:
    activeDeadlineSeconds: {{ .Values.stepTimeouts.helmRepositoryPatchesSeconds }}
    containers:
      - name: helmrepository-patches
-        image: alpine/k8s:1.31.4   # ships kubectl + git so we can both
-                                   # patch the live K8s object AND push
-                                   # the YAML edit to local Gitea (#970).
+        # alpine/k8s ships kubectl + git so we can both patch the live
+        # K8s object AND push the YAML edit to local Gitea (#970).
+        # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+        # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+        # inviolable rule.
+        image: harbor.openova.io/proxy-dockerhub/alpine/k8s:1.31.4
        imagePullPolicy: IfNotPresent
        env:
          - name: HELMREPO_NAMESPACE
--- a/platform/self-sovereign-cutover/chart/values.yaml
+++ b/platform/self-sovereign-cutover/chart/values.yaml
@ -247,27 +247,33 @@ catalystAPI:
 # BEFORE registries.yaml v2 takes effect on the node containerd.
 # Post-pivot steps (≥ 05) MAY use the local Harbor copy via
 # global.imageRegistry — defaulted off so smoke render is clean.
+#
+# Fix #163 (2026-05-11, MIRROR-EVERYTHING): every default repository
+# is now the explicit Harbor proxy-cache path per CLAUDE.md inviolable
+# rule. The Sovereign's k3s cloudinit (infra/hetzner/cloudinit-control-
+# plane.tftpl line 706) ALWAYS configures containerd with
+# /etc/rancher/k3s/registries.yaml routing docker.io → harbor.openova.io
+# BEFORE k3s starts, so the pre-cutover Jobs can reach the explicit
+# Harbor URL just fine. Post-cutover overlay via global.imageRegistry
+# remains the operator override for true air-gap mode.
 images:
  kubectl:
-    # Switched from bitnami/kubectl (Bitnami deprecated public Docker Hub
-    # in 2025; both :1.31 and :1.31.4 returned 404). alpine/k8s is the
-    # canonical alternative — alpine-based image with kubectl + helm +
-    # the standard k8s CLI surface, actively maintained on Docker Hub.
-    # Caught live on otech103 2026-05-04.
-    repository: "alpine/k8s"
+    # alpine/k8s is the canonical alpine-based image carrying kubectl +
+    # helm + the standard k8s CLI surface (replaced bitnami/kubectl in
+    # 2025 after Bitnami's deprecation on Docker Hub).
+    repository: "harbor.openova.io/proxy-dockerhub/alpine/k8s"
    tag: "1.31.4"
  git:
-    repository: "alpine/git"
+    repository: "harbor.openova.io/proxy-dockerhub/alpine/git"
    tag: "v2.45.2"
  curl:
-    repository: "curlimages/curl"
+    repository: "harbor.openova.io/proxy-dockerhub/curlimages/curl"
    tag: "8.10.1"
  # registry-pivot writes to /etc/rancher/k3s/registries.yaml on every
  # node. Uses alpine + `chroot /host` invocation pattern (kubectl not
-  # required — direct file write via host mount; per Fix #158 platform
-  # fleet has migrated off bitnami/kubectl due to 2025-08 tag deletion).
+  # required — direct file write via host mount).
  hostExec:
-    repository: "alpine"
+    repository: "harbor.openova.io/proxy-dockerhub/library/alpine"
    tag: "3.20"

 # registry-pivot DaemonSet — runs from chart install to converge
--- a/platform/wordpress-tenant/chart/Chart.yaml
+++ b/platform/wordpress-tenant/chart/Chart.yaml
@ -24,7 +24,11 @@ name: bp-wordpress-tenant
 #     sme_tenant_gitops.go `smeTenantBPWordPress`) bumped to emit both
 #     `oidc.*` and `keycloak.*` so chart 0.1.x and 0.2.0 reconciles work.
 # 0.1.0 — initial release (#800).
-version: 0.2.0
+# 0.2.1 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): database-secret-sync-job
+# hook image switched from curlimages/curl:8.10.1 to
+# harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md
+# inviolable rule.
+version: 0.2.1
 appVersion: "6"
 description: |
  Catalyst Blueprint scratch chart for in-vcluster WordPress, one
--- a/platform/wordpress-tenant/chart/templates/database-secret-sync-job.yaml
+++ b/platform/wordpress-tenant/chart/templates/database-secret-sync-job.yaml
@ -46,7 +46,10 @@ spec:
          # curlimages/curl matches bp-gitea (no kubectl image
          # required — we talk to the apiserver via the in-pod
          # ServiceAccount token).
-          image: curlimages/curl:8.10.1
+          # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+          # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+          # inviolable rule.
+          image: harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1
          imagePullPolicy: IfNotPresent
          env:
            - name: SOURCE_SECRET
--- a/products/catalyst/chart/Chart.yaml
+++ b/products/catalyst/chart/Chart.yaml
@ -1015,7 +1015,14 @@ name: bp-catalyst-platform
 #   - values.yaml: new knobs `cnpgPairAliasName`,
 #     `cnpgPairPostSwitchoverPrimary`, `continuumPlatformNamespace` —
 #     all values-overridable per INVIOLABLE-PRINCIPLES #4.
-version: 1.4.138
+# 1.4.139 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): every chart-hook
+# image reference in this Blueprint (catalyst-gitea-token-secret +
+# qa-fixtures Jobs) now uses the explicit
+# harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md inviolable
+# rule. No functional change — node-level containerd mirror already
+# routed these pulls correctly; this makes the routing auditable in
+# SBOM scans and Kyverno harbor-proxy-pull ClusterPolicy.
+version: 1.4.139
 appVersion: 1.4.94
 # 1.4.129 (qa-loop iter-16 Fix #65): ship the missing
 # `openova-catalog` Flux v1 HelmRepository in flux-system. The
--- a/products/catalyst/chart/templates/catalyst-gitea-token-secret.yaml
+++ b/products/catalyst/chart/templates/catalyst-gitea-token-secret.yaml
@ -291,7 +291,10 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: mint
-          image: docker.io/alpine/k8s:1.31.4
+          # Fix #163 (2026-05-11, MIRROR-EVERYTHING): explicit
+          # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md
+          # inviolable rule.
+          image: harbor.openova.io/proxy-dockerhub/alpine/k8s:1.31.4
          command: ["sh","-c"]
          args:
            - |
--- a/products/catalyst/chart/templates/qa-fixtures/cnpg-clusters-qa.yaml
+++ b/products/catalyst/chart/templates/qa-fixtures/cnpg-clusters-qa.yaml
@ -133,7 +133,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          command: ["sh", "-c"]
          args:
            - |
@ -419,7 +419,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          env:
            - name: NS
              value: {{ .Values.qaFixtures.namespace | default "qa-omantel" | quote }}
--- a/products/catalyst/chart/templates/qa-fixtures/cnpgpair-qa.yaml
+++ b/products/catalyst/chart/templates/qa-fixtures/cnpgpair-qa.yaml
@ -103,7 +103,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          command: ["sh", "-c"]
          args:
            - |
--- a/products/catalyst/chart/templates/qa-fixtures/continuum-qa.yaml
+++ b/products/catalyst/chart/templates/qa-fixtures/continuum-qa.yaml
@ -126,7 +126,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          command: ["sh", "-c"]
          args:
            - |
--- a/products/catalyst/chart/templates/qa-fixtures/node-labels-seeder.yaml
+++ b/products/catalyst/chart/templates/qa-fixtures/node-labels-seeder.yaml
@ -95,7 +95,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          command: ["sh", "-c"]
          args:
            - |
--- a/products/catalyst/chart/templates/qa-fixtures/pdm-qa.yaml
+++ b/products/catalyst/chart/templates/qa-fixtures/pdm-qa.yaml
@ -94,7 +94,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          env:
            - name: PDNS_ZONE
              value: {{ .Values.qaFixtures.pdmZone | default "openova.io" | quote }}
--- a/products/catalyst/chart/templates/qa-fixtures/pre-install-finalizer-strip.yaml
+++ b/products/catalyst/chart/templates/qa-fixtures/pre-install-finalizer-strip.yaml
@ -153,7 +153,7 @@ spec:
          type: RuntimeDefault
      containers:
        - name: strip
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
--- a/products/catalyst/chart/templates/qa-fixtures/scheduledbackup-qa.yaml
+++ b/products/catalyst/chart/templates/qa-fixtures/scheduledbackup-qa.yaml
@ -95,7 +95,7 @@ spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
-          image: docker.io/bitnamilegacy/kubectl:1.29.3
+          image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.29.3
          command: ["sh", "-c"]
          args:
            - |