e3mrah
|
33dc98782b
|
feat(bp-self-sovereign-cutover): chart + bootstrap-kit slot 06a (#791) (#808)

New platform Blueprint at `platform/self-sovereign-cutover/chart/`. Ships
DORMANT — eight step PodSpec ConfigMaps, the registry-pivot DaemonSet, the
mutable cutover-status ConfigMap, plus ServiceAccount/RBAC. The catalyst-api
cutover endpoint (#792, merged at 03828641) reads each step ConfigMap by
label selector and stamps real Jobs only on operator-driven trigger.

Step inventory:
01 gitea-mirror — git push --mirror upstream → local Gitea
02 harbor-projects — create 7 proxy-cache projects
03 harbor-prewarm — HEAD-pull bootstrap-kit images through cache
04 registry-pivot — DaemonSet rewrites registries.yaml on every node
05 flux-gitrepository-patch — pivot GitRepository.url → local Gitea
06 helmrepository-patches — pivot 38 OCI URLs → local Harbor
07 catalyst-api-env-patch — kubectl set env CATALYST_GITOPS_REPO_URL
08 egress-block-test — CiliumNetworkPolicy + 10-min sovereignty proof

Plus self-sovereign-cutover-status ConfigMap with the consumer-contract keys
(cutoverComplete, currentStep, step.<name>.result, etc.) shipped at install
with helm.sh/resource-policy: keep so chart uninstall doesn't lose state.

Bootstrap-kit slot `06a-bp-self-sovereign-cutover.yaml` installs the chart
into the `catalyst` namespace (matches catalyst-api's default discovery
namespace), depends on bp-gitea + bp-harbor, uses disableWait: true.

RBAC splits `create` verbs into their own Rule WITHOUT resourceNames per
feedback_rbac_create_no_resourcenames.md — the bp-openbao loop anchor.

chart/tests/cutover-contract.sh enforces:
- 8 step ConfigMaps render
- required labels (part-of/component/cutover-order/cutover-mode)
- required data keys (stepName + podSpec for job-mode)
- step 04 mode=daemonset-wait
- status ConfigMap retained on uninstall
- RBAC create/resourceNames split

helm template smoke render: 1180 lines, 19 resources (1 Namespace + 1 SA +
11 ConfigMaps + 1 DaemonSet + 1 ClusterRole + 1 ClusterRoleBinding).
helm lint: clean.
scripts/check-bootstrap-deps.sh: PASSED (slot 6a registered, depends_on
[bp-gitea, bp-harbor]).

Co-authored-by: Hatice Yildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
2026-05-04 21:55:19 +04:00 |
|
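The RBAC create/resourceNames split named in the commit message, shown as an added Python lint that is not code from this commit or its chart. Kubernetes RBAC cannot restrict `create` by `resourceNames`, so a `create` verb placed in a name-scoped rule never authorizes. The function name, the finding codes, the sample rules and the policy that a create rule carries only `create` are assumptions made for illustration.

```python
# Added example: lint RBAC rules for the create/resourceNames split.
# Each dict mirrors one entry of the `rules:` list in a Role/ClusterRole.

def lint_create_split(rules):
    """Return (rule_index, code) findings in rule order.

    CREATE_WITH_NAMES: create (or '*') sits in a rule that has resourceNames;
        RBAC cannot match create by object name, so the grant never applies.
    CREATE_NOT_ISOLATED: a name-unscoped rule mixes create with other verbs,
        so those verbs reach every object of the resource (assumed policy).
    """
    findings = []
    for idx, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames") or []
        if not verbs & {"create", "*"}:
            continue  # rule grants no create; name scoping is fine here
        if names:
            findings.append((idx, "CREATE_WITH_NAMES"))
        elif verbs != {"create"}:
            findings.append((idx, "CREATE_NOT_ISOLATED"))
    return findings


# Constructed sample rules (not taken from the chart).
STATUS_CM = ["self-sovereign-cutover-status"]
SAMPLE_RULES = [
    # 0: name-scoped read/write on the status ConfigMap, no create -> clean
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": STATUS_CM, "verbs": ["get", "update", "patch"]},
    # 1: create isolated in its own rule without resourceNames -> clean
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create"]},
    # 2: create folded into the name-scoped rule -> create never authorizes
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": STATUS_CM, "verbs": ["get", "create"]},
    # 3: create shares an unscoped rule with delete -> delete on all Jobs
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["create", "delete"]},
    # 4: wildcard verb includes create, still name-scoped -> same as rule 2
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": STATUS_CM, "verbs": ["*"]},
]

if __name__ == "__main__":
    for idx, code in lint_create_split(SAMPLE_RULES):
        print(f"rule[{idx}]: {code} verbs={SAMPLE_RULES[idx]['verbs']}")
```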