deploy: bump bp-guacamole upstream 1.5.5 chart 0.1.2

github-actions[bot] 2026-05-09 21:49:24 +00:00
parent 5ca0a7d178
commit d280f6a7a5
2 changed files with 2 additions and 15 deletions


@ -6,7 +6,7 @@ name: bp-guacamole
# realm-patch ConfigMap lands in `keycloak` namespace (was: realm-name, # realm-patch ConfigMap lands in `keycloak` namespace (was: realm-name,
# which would have failed on every Sovereign); `realmConfig.namespace` # which would have failed on every Sovereign); `realmConfig.namespace`
# override surface for non-default bp-keycloak placements. # override surface for non-default bp-keycloak placements.
version: 0.1.1 version: 0.1.2
appVersion: "1.5.5" appVersion: "1.5.5"
description: | description: |
Catalyst-authored Blueprint chart for Apache Guacamole — a clientless Catalyst-authored Blueprint chart for Apache Guacamole — a clientless
@ -42,14 +42,12 @@ keywords: [catalyst, blueprint, guacamole, remote-desktop, oidc, recording]
maintainers: maintainers:
- name: OpenOva Catalyst - name: OpenOva Catalyst
email: catalyst@openova.io email: catalyst@openova.io
annotations: annotations:
# Default values render zero resources (guacamole.enabled=false). # Default values render zero resources (guacamole.enabled=false).
# The blueprint-release smoke gate honors this annotation and # The blueprint-release smoke gate honors this annotation and
# accepts a short default render; chart/tests/render.sh covers the # accepts a short default render; chart/tests/render.sh covers the
# enabled-render path with full --set overrides. # enabled-render path with full --set overrides.
catalyst.openova.io/smoke-render-mode: default-off catalyst.openova.io/smoke-render-mode: default-off
# Scratch chart — the binary surface is fully owned by Apache. The # Scratch chart — the binary surface is fully owned by Apache. The
# `sigstore/common` library subchart below is included ONLY to satisfy # `sigstore/common` library subchart below is included ONLY to satisfy
# the platform-wide blueprint-release.yaml hollow-chart gate (issue # the platform-wide blueprint-release.yaml hollow-chart gate (issue


@ -15,15 +15,13 @@
catalystBlueprint: catalystBlueprint:
upstream: upstream:
chart: "" # scratch chart — no upstream Helm chart chart: "" # scratch chart — no upstream Helm chart
version: "" version: ""
repo: "" repo: ""
# Top-level enable gate. When false, NO resources render. Verified by # Top-level enable gate. When false, NO resources render. Verified by
# `helm template` test in tests/. # `helm template` test in tests/.
guacamole: guacamole:
enabled: false enabled: false
# ── guacd: protocol backend ───────────────────────────────────── # ── guacd: protocol backend ─────────────────────────────────────
guacd: guacd:
# Resource name. Defaults to `guacd` so the catalyst-api shells/issue # Resource name. Defaults to `guacd` so the catalyst-api shells/issue
@ -52,7 +50,6 @@ guacamole:
limits: limits:
memory: 512Mi memory: 512Mi
port: 4822 port: 4822
# ── guacamole webapp: Tomcat front-end ───────────────────────── # ── guacamole webapp: Tomcat front-end ─────────────────────────
webapp: webapp:
# Resource name. Defaults to `guacamole-server` per the qa-loop test # Resource name. Defaults to `guacamole-server` per the qa-loop test
@ -72,7 +69,6 @@ guacamole:
limits: limits:
memory: 1Gi memory: 1Gi
port: 8080 port: 8080
# ── Recording (SeaweedFS PVC) ────────────────────────────────── # ── Recording (SeaweedFS PVC) ──────────────────────────────────
recordings: recordings:
# PVC name. Defaults to `guacamole-recordings`. Override only when # PVC name. Defaults to `guacamole-recordings`. Override only when
@ -84,7 +80,6 @@ guacamole:
# Sovereigns). Override per-Sovereign for non-Hetzner clouds. # Sovereigns). Override per-Sovereign for non-Hetzner clouds.
storageClass: hcloud-volumes storageClass: hcloud-volumes
mountPath: /recordings mountPath: /recordings
# ── Keycloak OIDC ────────────────────────────────────────────── # ── Keycloak OIDC ──────────────────────────────────────────────
oidc: oidc:
# Issuer URL — render in per-Sovereign overlay as # Issuer URL — render in per-Sovereign overlay as
@ -105,7 +100,6 @@ guacamole:
# Optional groups claim from the IdP — Guacamole reads roles # Optional groups claim from the IdP — Guacamole reads roles
# from this claim and maps them to per-connection ACLs. # from this claim and maps them to per-connection ACLs.
groupsClaim: groups groupsClaim: groups
# ── HTTPRoute (Cilium Gateway) ───────────────────────────────── # ── HTTPRoute (Cilium Gateway) ─────────────────────────────────
httproute: httproute:
enabled: true enabled: true
@ -118,7 +112,6 @@ guacamole:
# Hostname this Guacamole answers on. Empty value fails the # Hostname this Guacamole answers on. Empty value fails the
# helm template render (see _helpers.tpl `bp-guacamole.host`). # helm template render (see _helpers.tpl `bp-guacamole.host`).
hostname: "" hostname: ""
# ── NetworkPolicy ───────────────────────────────────────────── # ── NetworkPolicy ─────────────────────────────────────────────
# When enabled (default), a default-deny baseline is augmented with # When enabled (default), a default-deny baseline is augmented with
# selective egress to: keycloak (443), k8s-ws-proxy DaemonSet (8080), # selective egress to: keycloak (443), k8s-ws-proxy DaemonSet (8080),
@ -139,7 +132,6 @@ guacamole:
podSelector: podSelector:
app: seaweedfs app: seaweedfs
component: s3 component: s3
# ── NATS audit trail ────────────────────────────────────────── # ── NATS audit trail ──────────────────────────────────────────
audit: audit:
nats: nats:
@ -149,7 +141,6 @@ guacamole:
subject: catalyst.audit subject: catalyst.audit
auditType: guacamole-session auditType: guacamole-session
url: nats://nats-jetstream.nats-jetstream.svc.cluster.local:4222 url: nats://nats-jetstream.nats-jetstream.svc.cluster.local:4222
# ── Keycloak realm-config integration ───────────────────────── # ── Keycloak realm-config integration ─────────────────────────
# When enabled, the chart emits a ConfigMap that the bp-keycloak # When enabled, the chart emits a ConfigMap that the bp-keycloak
# post-deploy keycloak-config-cli Job picks up. The ConfigMap # post-deploy keycloak-config-cli Job picks up. The ConfigMap
@ -167,7 +158,6 @@ guacamole:
# canonical bp-keycloak namespace; override when bp-keycloak runs # canonical bp-keycloak namespace; override when bp-keycloak runs
# under a different namespace. # under a different namespace.
namespace: keycloak namespace: keycloak
# ── Pod-level security context ───────────────────────────────── # ── Pod-level security context ─────────────────────────────────
# Both pods run as non-root with read-only root FS — only /tmp # Both pods run as non-root with read-only root FS — only /tmp
# and /recordings are writable. # and /recordings are writable.
@ -183,6 +173,5 @@ guacamole:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
capabilities: capabilities:
drop: [ALL] drop: [ALL]
# ── Image pull secret ───────────────────────────────────────── # ── Image pull secret ─────────────────────────────────────────
imagePullSecrets: [] imagePullSecrets: []