The feat/global-imageRegistry (#580) PR converted the literal image refs
in api-deployment.yaml and ui-deployment.yaml to Helm template expressions
({{ .Values.global.imageRegistry }}...) without updating the CI deploy step
to also patch those files. Since the catalyst-platform Flux Kustomization
reads these files as raw manifests (not via helm-controller), the Helm
template syntax was never rendered, leaving a literal '{{ if ... }}'
string as the image reference → InvalidImageName on every Pod start.
Root cause: two consumers of the same file — Helm chart path (Sovereign
clusters) and Kustomize path (contabo-mkt) — but only the Helm path was
handled by the deploy job.
Fix:
- Restore literal `ghcr.io/openova-io/openova/catalyst-{api,ui}:b50a600`
image refs in the Kustomize-path deployment YAMLs (immediate unblock).
- Update CI deploy step to sed-patch those literal refs on every deploy
commit so future image rolls keep both paths in sync (durable fix).
Closes: the InvalidImageName regression introduced in #580.
Unblocks: issue #608 (Phase-8b Agent A magic-link auth) — catalyst-api
was stuck at InvalidImageName since commit 83ec889f, preventing the
CATALYST_KC_ADDR / session-cookie auth gate from loading.
Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Part A — bp-reflector blueprint:
- Add clusters/_template/bootstrap-kit/05a-reflector.yaml (slot 05a,
dependsOn bp-cert-manager) — installs emberstack/reflector v7.1.288
via the bp-reflector OCI wrapper chart.
- Register in bootstrap-kit/kustomization.yaml.
- Add platform/reflector/chart/ wrapper (Chart.yaml + values.yaml):
single replica, 32Mi memory, ServiceMonitor off by default.
Part B — annotate flux-system/ghcr-pull + rename in charts:
- infra/hetzner/cloudinit-control-plane.tftpl: add four Reflector
annotations to the ghcr-pull Secret written at cloud-init time so
Reflector auto-mirrors it to every namespace on first boot.
- Rename imagePullSecrets from ghcr-pull-secret to ghcr-pull in:
api-deployment.yaml, ui-deployment.yaml,
marketplace-api/deployment.yaml, and all 11 sme-services/*.yaml
(14 total occurrences).
- Bump bp-catalyst-platform chart 1.1.12->1.1.13; update bootstrap-kit
HelmRelease version reference to match.
Root cause: the canonical secret name is ghcr-pull (written by
cloud-init as /var/lib/catalyst/ghcr-pull-secret.yaml). Charts were
referencing ghcr-pull-secret (wrong name), causing ImagePullBackOff
on all Catalyst pods on every new Sovereign.
Runtime hotfix applied to otech22: both ghcr-pull and ghcr-pull-secret
propagated to 33 namespaces via kubectl; non-Running pods bounced.
Co-authored-by: hatiyildiz <hatiyildiz@openova.io>
