openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
1b85ab9227
openova/platform/stunner/chart/values.yaml
e3mrah c09109a61a
feat(charts): bp-stunner + bp-knative + bp-kserve wrapper charts (closes #263 #264 #265) (#290) 
Edge + serverless + model-serving batch (W2.5.C) — three upstream-
subchart umbrella Blueprints completing the bootstrap-kit slots for
WebRTC media relay (bp-relay → bp-stunner) and the AI/ML serving stack
(bp-cortex → bp-kserve → bp-knative).

Each chart follows the canonical umbrella pattern from
docs/BLUEPRINT-AUTHORING.md §11.1: Chart.yaml declares the upstream
chart under `dependencies:` so `helm dependency build` bundles the
upstream payload into the OCI artifact, and Catalyst-curated overlay
values + templates sit alongside in chart/values.yaml + chart/templates/.

Per-chart highlights:
- bp-stunner/1.0.0 — wraps stunner/stunner-gateway-operator 1.1.0.
  Ships a Cilium-native GatewayClass (Capabilities-gated on
  gateway.networking.k8s.io/v1) so bp-relay (LiveKit / SFU) can claim
  Gateway CRs without an operator-ordering dance. Default UDP TURN port
  range 30000-32767 matches the range opened at the Sovereign edge
  firewall (Crossplane bp-firewall composition).
- bp-knative/1.0.0 — wraps knative-operator v1.21.1. Ships a
  KnativeServing CR pre-configured for **istio-less mode**
  (ingress.istio.enabled=false, ingress.contour.enabled=false,
  ingress.kourier.enabled=false; config.network.ingress-class=cilium).
  Sovereign FQDN sourced from values, no hardcoded fallback per
  inviolable principle #4 — render fails loudly if cluster overlay
  doesn't set knativeOverlay.knativeServing.sovereignFqdn.
- bp-kserve/1.0.0 — wraps kserve/kserve v0.16.0 (latest version
  published on the official OCI registry as of 2026-04-30). Default
  deploymentMode=RawDeployment (no Knative hop on the hot path) but
  bp-knative is still installed (declared as a hard dep) so per-IS
  annotation `serving.kserve.io/deploymentMode: Serverless` opts in to
  scale-to-zero per tenant. Cilium native Gateway-API ingress
  (enableGatewayApi=true, className=cilium, disableIstioVirtualHost=
  true).

Observability discipline (issue #182): every observability toggle
(ServiceMonitor, HPA, GatewayClass) defaults false and is operator-
tunable via per-cluster overlay once bp-kube-prometheus-stack reconciles.
Each chart ships tests/observability-toggle.sh covering default-off,
opt-in (with `--api-versions monitoring.coreos.com/v1` to simulate
Prometheus Operator CRDs), and explicit-off cases.

Per-chart kind summary (helm template default render):

  bp-stunner: ClusterRole, ClusterRoleBinding, ConfigMap, Dataplane,
              Deployment, Role, RoleBinding, Service, ServiceAccount.
              (+ GatewayClass when --api-versions
              gateway.networking.k8s.io/v1 is passed.)

  bp-knative: ClusterRole, ClusterRoleBinding, ConfigMap,
              CustomResourceDefinition, Deployment, KnativeServing,
              Role, RoleBinding, Secret, Service, ServiceAccount.

  bp-kserve:  Certificate, ClusterRole, ClusterRoleBinding,
              ClusterServingRuntime, ClusterStorageContainer,
              ConfigMap, Deployment, Gateway, Issuer,
              MutatingWebhookConfiguration, Role, RoleBinding,
              Service, ServiceAccount, ValidatingWebhookConfiguration.

`helm lint` clean for all three (single INFO on missing icon — icons
land with marketplace card work).

`bash tests/observability-toggle.sh` green for all three (3 cases each:
default-off, opt-in, explicit-off).

Closes #263 #264 #265

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 19:37:38 +04:00

173 lines
6.9 KiB
YAML
Raw Blame History

# Catalyst Blueprint umbrella metadata — the upstream chart is resolved as
# a Helm subchart via Chart.yaml `dependencies:`. Catalyst-curated values
# under the `stunner-gateway-operator:` key flow into the upstream subchart
# unchanged. Values consumed by templates/ live alongside under
# `stunnerOverlay:`.
#
# Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode), every operationally-
# meaningful value (UDP port range, dataplane mode, replicas, image tag,
# observability toggles) is configurable; cluster overlays in
# clusters/<sovereign>/ may override any of these without rebuilding the
# Blueprint OCI artifact.
catalystBlueprint:
upstream:
chart: stunner-gateway-operator
version: "1.1.0"
repo: "https://l7mp.io/stunner"
# ─── Upstream chart values (subchart key: stunner-gateway-operator) ──────
# `helm dependency build` resolves the upstream as a subchart; values here
# under the `stunner-gateway-operator:` key flow into that subchart
# unchanged.
stunner-gateway-operator:
stunnerGatewayOperator:
enabled: true
deployment:
name: stunner-gateway-operator
podLabels:
catalyst.openova.io/blueprint: bp-stunner
catalyst.openova.io/component: gateway-operator
tolerations: []
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
container:
manager:
image:
# Pinned upstream image — DO NOT use floating tags per
# docs/INVIOLABLE-PRINCIPLES.md #4.
name: docker.io/l7mp/stunner-gateway-operator
pullPolicy: IfNotPresent
tag: "1.1.0"
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
- --zap-log-level=info
securityContext:
allowPrivilegeEscalation: false
# Dataplane — `managed` mode lets the operator render dataplane
# Deployments per Gateway CR (recommended). `legacy` runs a single
# static dataplane.
dataplane:
mode: managed
spec:
replicas: 1
image:
name: docker.io/l7mp/stunnerd
pullPolicy: IfNotPresent
tag: "1.1.0"
command:
- stunnerd
args:
- -w
- --udp-thread-num=16
env: []
resources:
requests:
cpu: 200m
memory: 128Mi
limits:
cpu: 1
memory: 512Mi
terminationGracePeriodSeconds: 3600
# Upstream metrics endpoint — kept OFF here (Catalyst exposes
# observability via `stunnerOverlay.serviceMonitor.enabled`
# below; turning it on triggers the upstream chart's own scraping
# config which is redundant with the Catalyst overlay).
enableMetricsEndpoint: false
hostNetwork: false
labels:
catalyst.openova.io/blueprint: bp-stunner
catalyst.openova.io/component: dataplane
annotations: {}
affinity: {}
containerSecurityContext: {}
securityContext: {}
tolerations: []
# STUNner auth-service — vendored TURN credential issuer. Off by
# default; per-Sovereign overlay enables when the Org uses long-term
# TURN credentials (most do once they have multi-tenant LiveKit).
stunnerAuthService:
enabled: false
deployment:
podLabels:
catalyst.openova.io/blueprint: bp-stunner
catalyst.openova.io/component: auth-service
# ─── Catalyst overlay values (consumed by templates/ in this chart) ──────
# These are NOT passed to the upstream subchart. They drive the Catalyst-
# authored overlay templates that ship alongside the upstream subchart.
stunnerOverlay:
# ─── UDP port range for TURN media relay ────────────────────────────────
# The dataplane needs a contiguous UDP port range exposed on the
# Sovereign's edge firewall. Default 30000-32767 mirrors the Hetzner
# Cloud Firewall convention (cf. Crossplane bp-firewall composition
# at platform/crossplane/compositions/xrd-firewall.yaml). Per-Sovereign
# overlays MAY narrow or widen the range to fit the cloud provider's
# NodePort allocation policy.
udpPortRange:
start: 30000
end: 32767
# ─── Cilium-native Gateway integration ──────────────────────────────────
# Render a `stunner.l7mp.io/v1` GatewayClass that the upstream
# `stunner-gateway-operator` claims. Cluster overlays MAY set
# `gatewayClass.create: false` and author their own GatewayClass
# (e.g. multi-tenant Sovereigns where each Org owns a distinct
# GatewayClass).
gatewayClass:
create: true
name: "stunner-gatewayclass"
# Operator-controller-name claimed by the gateway-operator; matches
# the upstream chart's default. Cluster overlays MAY override if a
# second operator instance is run side-by-side.
controllerName: "stunner.l7mp.io/gateway-operator"
# ─── NetworkPolicy (DEFAULT FALSE) ──────────────────────────────────────
# Per Catalyst convention NetworkPolicy ships disabled — operator turns
# this on via per-Sovereign overlay once consumer namespaces (where
# bp-relay / LiveKit runs) are pinned. Per docs/INVIOLABLE-PRINCIPLES.md
# #4 every selector / port is operator-tunable.
networkPolicy:
enabled: false
# Namespace where bp-relay (LiveKit / SFU) runs. Per-Sovereign
# overlay overrides if relay lives elsewhere.
relayNamespace: "relay"
# ─── ServiceMonitor (DEFAULT FALSE per docs/BLUEPRINT-AUTHORING.md §11.2)
# The `monitoring.coreos.com/v1` CRD ships with kube-prometheus-stack —
# an Application Blueprint installed AFTER the bootstrap-kit. Defaulting
# `enabled: true` would render a ServiceMonitor that the apiserver
# rejects on a fresh Sovereign install ("no matches for kind
# ServiceMonitor in version monitoring.coreos.com/v1"). Operator opts in
# via per-cluster overlay once kube-prometheus-stack reconciles.
serviceMonitor:
enabled: false
interval: "30s"
scrapeTimeout: "10s"
path: "/metrics"
namespace: "" # default: release namespace
labels: {}
# ─── HorizontalPodAutoscaler (DEFAULT FALSE) ────────────────────────────
# STUNner dataplane scales with active TURN allocations. Per-Sovereign
# overlays enable HPA on sovereigns serving multi-tenant WebRTC traffic
# at scale. Default solo-Sovereign keeps a single dataplane replica.
hpa:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
Reference in New Issue View Git Blame Copy Permalink