From b1a25c423556f0078ebfa0a875b0a8bc75d7827b Mon Sep 17 00:00:00 2001 From: e3mrah <81884938+emrahbaysal@users.noreply.github.com> Date: Sat, 2 May 2026 15:43:32 +0400 Subject: [PATCH] fix(bp-keycloak,bp-openbao): HTTPRoute backend wrong name + RBAC hook lifecycle bug (#598) (#600) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug A — bp-keycloak@1.2.2: HTTPRoute backendService default was `-keycloak` (gave `keycloak-keycloak` with releaseName=keycloak) but bitnami's fullname helper trims the chart-name suffix when Release.Name already contains it, so the Service is just `keycloak`. Changed default to `.Release.Name`. Sovereign realm was already imported (config-cli ran successfully) — only the Gateway routing was broken, returning HTTP 500. Bug B — bp-openbao@1.2.6: auto-unseal-rbac SA/Role/RoleBinding had `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded`. The `hook-succeeded` clause caused Helm to delete the SA immediately after the weight-0 RBAC hook completed, before the weight-5 init Job pod could mount its SA token and start. Removed all hook annotations from the RBAC resources so they are managed by regular Helm release lifecycle (created before hooks, never deleted mid-install). Bootstrap-kit refs bumped: bp-keycloak 1.2.0→1.2.2, bp-openbao 1.2.4→1.2.6. Verified on otech22 (manual remediation): Keycloak sovereign realm OIDC endpoint returns valid JSON, openbao-0 Initialized=true Sealed=false. Co-authored-by: alierenbaysal Co-authored-by: Claude Sonnet 4.6 --- .../_template/bootstrap-kit/08-openbao.yaml | 2 +- .../_template/bootstrap-kit/09-keycloak.yaml | 2 +- platform/keycloak/chart/Chart.yaml | 2 +- .../keycloak/chart/templates/httproute.yaml | 14 +++++---- platform/openbao/chart/Chart.yaml | 2 +- .../chart/templates/auto-unseal-rbac.yaml | 30 ++++++++++--------- 6 files changed, 28 insertions(+), 24 deletions(-) 
diff --git a/clusters/_template/bootstrap-kit/08-openbao.yaml b/clusters/_template/bootstrap-kit/08-openbao.yaml index 9e791857..7c0a336a 100644 --- a/clusters/_template/bootstrap-kit/08-openbao.yaml +++ b/clusters/_template/bootstrap-kit/08-openbao.yaml @@ -53,7 +53,7 @@ spec: chart: spec: chart: bp-openbao - version: 1.2.4 + version: 1.2.6 sourceRef: kind: HelmRepository name: bp-openbao diff --git a/clusters/_template/bootstrap-kit/09-keycloak.yaml b/clusters/_template/bootstrap-kit/09-keycloak.yaml index a9e04c5b..0775afce 100644 --- a/clusters/_template/bootstrap-kit/09-keycloak.yaml +++ b/clusters/_template/bootstrap-kit/09-keycloak.yaml @@ -41,7 +41,7 @@ spec: chart: spec: chart: bp-keycloak - version: 1.2.0 + version: 1.2.2 sourceRef: kind: HelmRepository name: bp-keycloak diff --git a/platform/keycloak/chart/Chart.yaml b/platform/keycloak/chart/Chart.yaml index 4210e5a5..6b9c55ba 100644 --- a/platform/keycloak/chart/Chart.yaml +++ b/platform/keycloak/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: bp-keycloak -version: 1.2.1 +version: 1.2.2 description: | Catalyst-curated Blueprint umbrella chart for Keycloak. Depends on the upstream `keycloak` chart (bitnami) as a Helm subchart so diff --git a/platform/keycloak/chart/templates/httproute.yaml b/platform/keycloak/chart/templates/httproute.yaml index f64a0cfb..f0bbf60f 100644 --- a/platform/keycloak/chart/templates/httproute.yaml +++ b/platform/keycloak/chart/templates/httproute.yaml 
@@ -10,11 +10,13 @@ Pattern from docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode): (the per-Sovereign Gateway from bootstrap-kit 01-cilium.yaml) -Backend reference: the upstream bitnami/keycloak chart's Service is -named `-keycloak`. With `releaseName: keycloak` set in the -bootstrap-kit slot the Service is `keycloak-keycloak`. Operators can -override via `gateway.backendService` if a non-default release name is -used. +Backend reference: the upstream bitnami/keycloak chart uses Helm's +`fullname` template which TRIMS the chart-name suffix when the Release.Name +already contains it. With releaseName=keycloak (bootstrap-kit default), the +bitnami fullname returns "keycloak" (not "keycloak-keycloak"). The default +backendService MUST use `.Release.Name` directly (issue #598). +Operators can override via `gateway.backendService` for non-default +release names. */}} {{- if and .Values.gateway .Values.gateway.enabled -}} {{- if .Values.gateway.host }} @@ -41,7 +43,7 @@ spec: type: PathPrefix value: {{ .Values.gateway.path | default "/" | quote }} backendRefs: - - name: {{ .Values.gateway.backendService | default (printf "%s-keycloak" .Release.Name) | quote }} + - name: {{ .Values.gateway.backendService | default .Release.Name | quote }} port: {{ .Values.gateway.backendPort | default 80 }} {{- end }} {{- end }} diff --git a/platform/openbao/chart/Chart.yaml b/platform/openbao/chart/Chart.yaml index 8d2ff22f..f1e5015c 100644 --- a/platform/openbao/chart/Chart.yaml +++ b/platform/openbao/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: bp-openbao -version: 1.2.5 +version: 1.2.6 description: | Catalyst-curated Blueprint umbrella chart for OpenBao. Depends on the upstream `openbao` chart as a Helm subchart so `helm dependency build` diff --git a/platform/openbao/chart/templates/auto-unseal-rbac.yaml b/platform/openbao/chart/templates/auto-unseal-rbac.yaml index 154298af..081532d5 100644 --- a/platform/openbao/chart/templates/auto-unseal-rbac.yaml 
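Review bot: The new `default .Release.Name` on the backendRefs line is only right for release names that already contain "keycloak"; for any other name (say `sso`) the bitnami subchart's Service is `sso-keycloak`, so the route would again point at a Service that does not exist and reproduce the HTTP 500 this commit fixes, just for the other half of the input space. Mirroring the subchart's rule keeps the default correct in both cases: `- name: {{ .Values.gateway.backendService | default (ternary .Release.Name (printf "%s-keycloak" .Release.Name) (contains "keycloak" .Release.Name)) | quote }}`. The rewritten header comment also describes the helper as trimming a suffix, whereas it uses the release name verbatim whenever that name contains the chart name — worth rewording so the next reader does not expect `keycloak-prod-keycloak` to become `keycloak-prod`. Neither form covers `fullnameOverride`/`nameOverride` on the subchart values (not visible in this diff), so the `gateway.backendService` escape hatch should stay documented for that case; the `{{- if ... }}` guards around this hunk open before it.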
+++ b/platform/openbao/chart/templates/auto-unseal-rbac.yaml @@ -1,5 +1,5 @@ {{- /* -Catalyst auto-unseal RBAC — bp-openbao (issue #316). +Catalyst auto-unseal RBAC — bp-openbao (issue #316, bug fix issue #598). ServiceAccount + RoleBindings used by the post-install Jobs that run `bao operator init` and bootstrap the Kubernetes auth method. @@ -16,6 +16,17 @@ Permissions required (least-privilege): runtime, not a one-shot init step) so it lives outside the Helm hook lifecycle. +RBAC resources are NOT Helm hooks (issue #598 root cause fix): + The SA/Role/RoleBinding must NOT have hook-delete-policy so they + persist for the Job container to use. Previously they had + `hook-delete-policy: before-hook-creation,hook-succeeded` — the + `hook-succeeded` clause caused Helm to delete the SA immediately + after the weight-0 hook "succeeded", before the weight-5 init Job + pod could start (Job pod needs the SA to exist for token mount). + Making them regular Helm-managed resources (no hook annotations) + ensures they exist for the full duration of the install/upgrade and + for idempotent re-runs. + Skip-render pattern (per #402 lesson, never use `{{ fail }}`): when `autoUnseal.enabled=false` this entire file emits nothing — `helm template` with default values stays clean. 
@@ -24,30 +35,24 @@ template` with default values stays clean. {{- if $au.enabled -}} --- # ServiceAccount used by the init + auth-bootstrap Jobs. Lives in the -# openbao namespace alongside the StatefulSet. +# openbao namespace alongside the StatefulSet. NOT a hook — must persist +# for the Job container's SA token mount (issue #598). apiVersion: v1 kind: ServiceAccount metadata: name: openbao-auto-unseal namespace: {{ .Release.Namespace | quote }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: catalyst.openova.io/blueprint: bp-openbao catalyst.openova.io/component: openbao-auto-unseal --- # Role: read+delete the seed Secret, get/list Pods to poll readiness. +# NOT a hook — persists for life of the Helm release (issue #598). apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: openbao-auto-unseal namespace: {{ .Release.Namespace | quote }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: catalyst.openova.io/blueprint: bp-openbao rules: @@ -75,15 +80,12 @@ rules: # later retry when the vault is initialised but still sealed. - openbao-unseal-keys --- +# RoleBinding — NOT a hook (issue #598). apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: openbao-auto-unseal namespace: {{ .Release.Namespace | quote }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: catalyst.openova.io/blueprint: bp-openbao roleRef:
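Review bot: Dropping the hook annotations makes `openbao-auto-unseal` a standing ServiceAccount bound, for the life of the release, to a Role that can read and delete the seed Secret `openbao-unseal-keys` (the `resourceNames` entry visible in this hunk's context); the previous design, whatever its ordering bug, at least removed that principal once the weight-0 hook passed, and the commit does not compensate for the new permanence. A cheap hardening is to add `automountServiceAccountToken: false` as a top-level field of the ServiceAccount next to `metadata`, and set `automountServiceAccountToken: true` only in the init/bootstrap Job pod templates (outside this diff), since the pod-level field overrides the SA-level one and any other pod that names this SA then gets no token. It is also worth confirming that the init Job deletes the seed Secret once the vault is unsealed, because the Role comment about retrying "when the vault is initialised but still sealed" implies the Secret can outlive its use. The SA and Role definitions each continue past the lines shown here.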
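Review bot: Turning formerly hook-managed objects into regular release resources will fail the next upgrade on any cluster where a `openbao-auto-unseal` ServiceAccount/Role/RoleBinding already exists without Helm ownership metadata, because Helm 3 refuses to adopt such objects ("invalid ownership metadata") and, as far as I recall, neither hook-created nor hand-created resources carry `meta.helm.sh/release-name` / `app.kubernetes.io/managed-by=Helm`. The commit message says otech22 was repaired by manual remediation, so that cluster is the obvious candidate; either delete the three objects before reconciling bp-openbao 1.2.6 or pre-annotate them for adoption (`meta.helm.sh/release-name=<release>`, `meta.helm.sh/release-namespace=<ns>`, label `app.kubernetes.io/managed-by=Helm`). I would record this in the chart's upgrade notes alongside the 1.2.6 bump. The RoleBinding's `subjects` list continues past the end of this hunk.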