Commit Graph

3 Commits

Columns (each entry lists them in this order): Author, SHA1, Message, Date
e3mrah
83ec889f06
feat(platform): add global.imageRegistry to remaining bp-* charts + bp-catalyst-platform (PR 3/3, #560) (#580)
Charts bumped:
- bp-keycloak 1.2.0 -> 1.2.1 (subchart stub; per-component image.registry knobs documented)
- bp-crossplane 1.1.3 -> 1.1.4 (subchart stub)
- bp-crossplane-claims 1.1.0 -> 1.1.1 (global.kubectlImage added; kubectl Job image templated; Hetzner ubuntu-24.04 server images intentionally untouched)
- bp-velero 1.2.0 -> 1.2.1 (subchart stub)
- bp-kyverno 1.0.0 -> 1.0.1 (subchart stub; per-controller image.registry knobs documented)
- bp-trivy 1.0.0 -> 1.0.1 (subchart stub; both operator + scanner image.registry knobs documented)
- bp-grafana 1.0.0 -> 1.0.1 (subchart stub)
- bp-flux 1.1.3 -> 1.1.4 (subchart stub; per-controller image.repository knobs documented)
- bp-catalyst-platform 1.1.13 -> 1.1.14 (global.imageRegistry + images.{catalystApi,catalystUi,marketplaceApi,console,smeTag} added; all 14 Catalyst-authored image refs templated: catalyst-api, catalyst-ui, marketplace-api, console + 10 SME services)

Post-handover per-Sovereign overlays set global.imageRegistry to harbor.<sovereign-fqdn> so every container image pull routes through the Sovereign's own Harbor proxy_cache.

Closes (partial): issue #560 — all 23 bp-* charts now carry global.imageRegistry

Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
2026-05-02 13:21:53 +04:00
e3mrah
b6810c1940
feat(bp-crossplane-claims): UserAccess CRD + Composition + RBAC ClusterRoles for Sovereign IAM (closes #322) (#446)
Adds the data plane for the Sovereign IAM access plane (epic #320):

- platform/crossplane-claims/chart/templates/xrds/useraccess.yaml
  XUserAccess XRD (access.openova.io/v1alpha1) — cluster-scoped Claim
  carrying user identity (Keycloak subject + groups), Sovereign ref, and
  one or more (application, role, namespaces) grants.

- platform/crossplane-claims/chart/templates/compositions/useraccess.yaml
  Default Composition useraccess.compose.openova.io — materialises one
  RoleBinding per Claim via provider-kubernetes Object against the
  per-Sovereign sovereign-<sovereignRef> ProviderConfig. Multi-grant
  shapes are expanded api-side into N single-grant Claims (avoids the
  Composition-iteration trap; no composition-functions introduced).

- platform/crossplane-claims/chart/templates/clusterroles.yaml
  Three canonical ClusterRoles — openova:application-{admin,editor,viewer}.
  Editor + viewer explicitly omit secrets; admin can manage namespace-
  scoped roles/rolebindings (NOT cluster-scoped).

- userAccess.enabled values toggle (default true), version bumps to 1.1.0
  on chart + blueprint, sample fixture, validation script extended to
  expect 7 XRDs / 7 Compositions / 3 ClusterRoles.

Canonical seam: extends the existing platform/crossplane-claims/chart/
XRD+Composition pattern (compose.openova.io/v1alpha1 family). New API
group access.openova.io is intentional — IAM is a separate concern from
the cloud-resource compose.* family. No catalyst-api or UI code touched
(those are #323's territory; this PR ships the data model #323 consumes).

Co-authored-by: hatiyildiz <hatiyildiz@noreply.github.com>
2026-05-01 19:03:10 +04:00
e3mrah
2d1799d738
fix(bp-crossplane): split XRDs+Compositions into bp-crossplane-claims (#247)
Resolves install ordering on fresh clusters where the apiserver rejects
CompositeResourceDefinition CRs because the apiextensions.crossplane.io
CRDs registered by the crossplane subchart aren't live yet at apply time.

- bp-crossplane bumped 1.1.2 -> 1.1.3 (controller-only payload)
- NEW bp-crossplane-claims@1.0.0 carries XRDs + Compositions
- Flux HelmRelease for crossplane-claims uses dependsOn: [bp-crossplane]
- composition-validate.sh + fixtures relocate to the new chart
- blueprint-release CI: opt-out annotation
  catalyst.openova.io/no-upstream=true permits zero-deps charts that
  legitimately ship only Catalyst-authored CRs (the original hollow-chart
  rule remains in force for every other umbrella chart)

Live error this fixes (from otech.omani.works):
  no matches for kind "CompositeResourceDefinition" in version
  "apiextensions.crossplane.io/v1" -- ensure CRDs are installed first

Pattern: intra-chart CRD-ordering breaks -> split charts + Flux dependsOn.
Apply universally to similar cases going forward.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 16:55:05 +04:00