W2.5.E batch — three Application-tier Blueprints completing the LLM
serving / workflow stack:
- bp-temporal/1.0.0 — wraps temporal/temporal 1.2.0 (the new chart
rewrite that removed cassandra:/mysql:/postgresql:/elasticsearch:/
prometheus:/grafana: top-level keys in favour of
server.config.persistence.datastores). Postgres-only via CNPG-backed
visibility store (skip Cassandra). Web UI ON. Keycloak OIDC
integration via --auth-claim-mapper renders auth.yaml ConfigMap
(operator wires via additionalVolumes once bp-keycloak is
reconciled, default OFF). dependsOn: bp-cnpg + bp-cert-manager.
Closes#271.
Kinds: Cluster (CNPG) + ConfigMap + Deployment + Job + Pod +
Service.
- bp-llm-gateway/1.0.0 — wraps berriai/litellm-helm 0.1.572 from OCI.
Subscription-aware proxy for Claude Code: routes to Anthropic (via
operator OAuth/Max subscription — NEVER an ANTHROPIC_API_KEY,
per memory/feedback_no_api_key.md), Bedrock, Vertex,
OpenAI-compatible (via bp-anthropic-adapter), and self-hosted
vLLM. CNPG-backed audit log (every prompt + response persisted
for compliance). Bundled bitnami postgresql + redis subcharts
DISABLED (db.useExisting=true points at the CNPG cluster).
Keycloak SSO via auth.yaml ConfigMap (default OFF).
ExternalSecret-backed environmentSecrets brings tokens / IAM
creds in without inlining plaintext. dependsOn: bp-cnpg +
bp-keycloak + bp-external-secrets. Closes#267.
Kinds: Cluster (CNPG audit) + ConfigMap + Deployment + Job +
Pod + Secret + Service + ServiceAccount.
- bp-anthropic-adapter/1.0.0 — Catalyst-authored scratch chart for
the OpenAI ↔ Anthropic translation Go service. SHA-pinned image
ghcr.io/openova-io/openova/anthropic-adapter:<sha> (Inviolable
Principle #4a — GitHub Actions is the only build path; empty
default tag fails the render with a clear error instead of
silently shipping :latest). OAuth/Max subscription token mounted
from K8s Secret materialized by ESO from bp-openbao —
ANTHROPIC_OAUTH_TOKEN env var, NEVER an ANTHROPIC_API_KEY.
Includes OpenAI → Anthropic model-mapping ConfigMap (gpt-4 →
claude-3-5-sonnet, gpt-4o-mini → claude-3-5-haiku, etc.).
sigstore/common library subchart included to satisfy the
hollow-chart gate (matches bp-vllm pattern from #283).
dependsOn: bp-external-secrets. Closes#268.
Kinds: ConfigMap + Deployment + Service + ServiceAccount.
CRITICAL — bp-llm-gateway and bp-anthropic-adapter both consume the
operator's Claude OAuth/Max subscription. Per memory/
feedback_no_api_key.md and the user's standing instruction, neither
chart accepts or generates an ANTHROPIC_API_KEY. Tokens flow
exclusively through ExternalSecret-managed K8s Secrets that ESO
materializes from bp-openbao at install time.
Per docs/BLUEPRINT-AUTHORING.md §11.2 (issue #182): every
observability toggle defaults `false` (ServiceMonitor / metrics
sidecar / PodMonitor) and is operator-tunable via per-cluster
overlay once bp-kube-prometheus-stack reconciles. Each chart ships
tests/observability-toggle.sh covering default-off, opt-in (with
--api-versions monitoring.coreos.com/v1 to simulate the CRDs), and
explicit-off cases. bp-anthropic-adapter additionally tests the
never-:latest gate via Case 4 (empty image tag must fail render).
Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode): every
upstream version, namespace, server URL, role, secret name, model
default, and toggle is exposed under values.yaml. Cluster overlays
in clusters/<sovereign>/ may override without rebuilding the
Blueprint OCI artifact.
Per docs/BLUEPRINT-AUTHORING.md §11.1 (umbrella shape — hard
contract): bp-temporal and bp-llm-gateway declare their upstream
charts under Chart.yaml dependencies: so helm dependency build
bundles the upstream payload into the OCI artifact. bp-anthropic-
adapter is a scratch chart (no upstream Helm chart exists) and
includes sigstore/common as the obligatory hollow-chart-gate
dependency, matching the bp-vllm precedent from W2.5.D (#283).
Closes#267Closes#268Closes#271
helm lint: 1 chart(s) linted, 0 chart(s) failed (each, INFO icon-recommended only)
Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Acceptance greps with Pass 37's new literal-domain check and case-insensitive
banned-term sweep found one surviving instance: platform/temporal/README.md
L272 Worker Deployment had `namespace: fuse`. Pass 26 renamed fuse → fabric;
Pass 32+35 fixed temporal's image ref and DNS but the namespace YAML key
was missed (eye tracks surrounding structure, skims past `namespace:` value).
Renamed to `fabric`.
docs/SECURITY.md: clean (deep re-scan §6-§10 per Pass 23 lesson). All
sections consistent with canonical model and Pass 7's independent-Raft fix.
§9 OpenSearch SIEM wording acceptable as "default destination when SIEM
is enabled" rather than "default-installed component" — deferred for
optional tightening pass.
platform/grafana/README.md: clean. Banner, tiered storage, and OTel
instrumentation example all consistent with canonical conventions.
Lesson: case-insensitive banned-term grep is non-negotiable. Future
passes should always run \bfuse\b and similar legacy-product-name greps
regardless of surfaced category.
Pass 25's deferred sweep, executed. Image refs of the form
harbor.<domain>/... (and one registry.<domain>/... in temporal) collapse
the location-code segment. Per NAMING §5.1, Catalyst per-host-cluster
Harbor DNS is harbor.{location-code}.{sovereign-domain} (e.g.
harbor.hfmp.openova.io).
Fixed (11 instances, 9 files):
- anthropic-adapter, bge (×2), debezium, harbor (×2 — ingress + Kyverno
policy), knative (×2 — serving + traffic-split), llm-gateway, strimzi,
trivy — all standardized to harbor.<location-code>.<sovereign-domain>.
- temporal had two drift items in one line: registry.<domain> (off-spec
placeholder — Catalyst's only per-host-cluster registry is Harbor) AND
legacy "fuse" namespace (renamed to bp-fabric per BUSINESS-STRATEGY
§16.2 / Pass 26). Rewritten to fabric/order-worker.
Out of scope (deliberate): :latest tag hygiene, and whether Application
Blueprint READMEs should reference ghcr.io/openova-io/bp-<name>:<semver>
vs the Sovereign Harbor mirror. Stalwart customer-email-domain <domain>
placeholders preserved (correct semantics). external-dns illustrative
gslb/api/svc.<domain> preserved (upstream-doc generic).
With Pass 29 (canonical-doc DNS) + Pass 31 (carry-over fixes) + Pass 32
(image registry), the recurring DNS-placeholder collapse drift category
is addressed end-to-end.
Validation log Pass 32 entry added.
Seven more Application Blueprint banners landed:
- temporal (§4.3): durable workflow orchestration; bp-fabric.
- flink (§4.3): stream + batch processing; bp-fabric.
- debezium (§4.2): CDC into Strimzi/Kafka; bp-fabric pipeline source.
- iceberg (§4.4): open table format on MinIO + archival S3.
- openmeter (§4.8): API metering for bp-fingate.
- litmus (§4.9): chaos engineering required by DORA / NIS2.
- valkey (§4.1): banner explicitly states NOT a Catalyst control-
plane component — control plane uses NATS JetStream KV per
ARCHITECTURE §5 / GLOSSARY event-spine. Valkey is Application-tier
caching only. This is the disambiguation that PLATFORM-TECH-STACK
§1 establishes ("same upstream technology can serve in multiple
categories") — pinned in the per-component README so it can't be
misread.
VALIDATION-LOG: Pass 14 entry added.
Refs #37
