openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
fix/cutover-helm-timeout-127
openova/.gitignore
e3mrah 8988cd9e4f
feat(infra-hetzner): wire all var.regions[] entries end-to-end (slice G1, #1095) (#1131) 
Slice G1 of EPIC-0 (#1095, Group G "Multi-cluster substrate"). Today
infra/hetzner/main.tf only realises regions[0] end-to-end — every wizard
payload's regions[1..N] entries silently no-op. EPIC-6 (#1101) Continuum
DR demo needs 3 regions (mgmt + fsn + hel per docs/EPICS-1-6-unified-design.md
§3.8 + §11), so this slice closes the gap.

Architecture: hybrid singular-path + secondary-region overlay.
- The legacy singular path (var.region + count = local.control_plane_count)
  STAYS untouched — every existing Sovereign state (omantel, otech*) keeps
  its resource addresses (hcloud_server.control_plane[0],
  hcloud_load_balancer.main, etc) and produces a no-op plan diff.
- New regions (regions[1+]) are realised via a parallel for_each set keyed
  by "{cloudRegion}-{index}" (e.g. fsn1-1, hel1-2). Each secondary region
  gets its own /24 subnet inside the shared /16 hcloud_network, its own
  CP server, its own workers, and its own lb11 load balancer. The shared
  hcloud_firewall + hcloud_ssh_key (one tenant boundary per Sovereign).

Why hybrid not full for_each: a wholesale refactor would change every
existing resource address (hcloud_server.control_plane[0] →
hcloud_server.control_plane["mgmt"]), forcing every running Sovereign
to run `tofu state mv` for ~12 resources or face destructive recreates.
The brief explicitly bans that. Hybrid is purely additive — secondary
resources are NEW addresses no existing state carries.

No `tofu state mv` runbook required. Existing Sovereigns provisioned
with var.regions = [] or len(var.regions) == 1 produce identical plans
before and after this PR.

Slice G3 (out of scope here) wires Cilium ClusterMesh between secondary
regions and adds per-cluster GitOps path differentiation; today every
secondary CP renders an identical Flux Kustomization pointed at
clusters/<sovereign_fqdn>/.

Tests: tests/multi_region.tftest.hcl exercises 5 scenarios offline via
mock_provider + override_resource (no real Hetzner):
  - legacy_no_regions_payload (var.regions=[])
  - single_region_entry_does_not_double_provision (len==1)
  - three_region_mgmt_fsn_hel (EPIC-6 shape)
  - same_region_duplicates_produce_distinct_keys
  - non_hetzner_regions_are_filtered_out (oci entries skipped)
All 5 pass. CI workflow infra-hetzner-tofu.yaml runs validate + fmt -check
+ test on every PR touching infra/hetzner/**.

Per CLAUDE.md "every workflow MUST be event-driven, NEVER scheduled":
push-on-merge + pull-request-on-touch + workflow_dispatch only. No cron.

Validation:
  $ tofu validate
  Success! The configuration is valid.
  $ tofu fmt -check -recursive
  exit=0
  $ tofu test
  tests/multi_region.tftest.hcl... pass
    run "legacy_no_regions_payload"... pass
    run "single_region_entry_does_not_double_provision"... pass
    run "three_region_mgmt_fsn_hel"... pass
    run "same_region_duplicates_produce_distinct_keys"... pass
    run "non_hetzner_regions_are_filtered_out"... pass
  Success! 5 passed, 0 failed.

Co-authored-by: hatiyildiz <hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 00:29:44 +04:00

35 lines
1.4 KiB
Plaintext
Raw Permalink Blame History

# Helm dependency-build artifacts. Generated by `helm dependency build` in CI
# and locally for validation. Subcharts are downloaded into chart/charts/ and
# locked via chart/Chart.lock; both are reproducible from chart/Chart.yaml's
# `dependencies:` block, so we don't track them.
**/charts/*.tgz
platform/*/chart/charts/
platform/*/chart/Chart.lock
products/*/chart/charts/
products/*/chart/Chart.lock
# Vendored upstream subcharts — exception to the above (issue #340).
# bp-seaweedfs vendors seaweedfs/seaweedfs 4.22.0 with templates/shared/
# security-configmap.yaml DELETED because it uses fromToml (Helm 3.13+)
# which Flux helm-controller's bundled SDK doesn't have. The chart has
# annotations.catalyst.openova.io/no-upstream=true to signal this to the
# blueprint-release workflow's hollow-chart guard.
!platform/seaweedfs/chart/charts/
!platform/seaweedfs/chart/charts/**
# Node + dev artifacts (untracked already, listed here for clarity).
**/node_modules/
**/dist/
**/.astro/
# OpenTofu / Terraform local working dir — generated by `tofu init` and
# never committed. The provider lock file (.terraform.lock.hcl) IS
# committed alongside versions.tf so collaborators install identical
# provider binaries; only the .terraform/ working dir + state files are
# ignored.
**/.terraform/
**/terraform.tfstate
**/terraform.tfstate.backup
**/*.tfstate
**/*.tfstate.backup
Reference in New Issue View Git Blame Copy Permalink