Chart 1.3.2 shipped serviceaccount-cutover-driver.yaml +
clusterrole-cutover-driver.yaml + clusterrolebinding-cutover-driver.yaml
with `{{ .Release.Namespace }}` directives that rendered fine via Helm
on Sovereigns but BROKE the Kustomize-mode contabo-mkt deploy: the
directives made Kustomize parse the files as invalid YAML and silently
skip them. Worse, the new files were never added to
templates/kustomization.yaml's resources list.

Result on contabo: catalyst-api Pod's spec.serviceAccountName references
a non-existent SA — the Pod fails ContainerCreating with the same RBAC
forbidden error #830 was meant to fix.

Fix:

- Strip `{{ .Release.Namespace }}` directives from the SA + ClusterRole
  files. metadata.namespace auto-fills from Helm's --namespace flag
  and from Kustomize's `namespace:` directive.
- For ClusterRoleBinding: Helm does NOT auto-inject
  subjects[0].namespace the way it does metadata.namespace, so the
  apiserver rejects bindings without it. Split into two files:
  * clusterrolebinding-cutover-driver.yaml — Helm-only, uses
    {{ .Release.Namespace }} (correctly resolves to catalyst-system
    on Sovereigns).
  * clusterrolebinding-cutover-driver-kustomize.yaml — Kustomize-only,
    omits subjects[0].namespace and relies on Kustomize's
    native injection (resolves to `catalyst` on contabo).
  The .helmignore excludes the Kustomize-only file from Sovereign
  chart packaging; templates/kustomization.yaml's resources list
  references the Kustomize-only file, NOT the Helm-only one.
- Add the new RBAC files to templates/kustomization.yaml's resources
  list so contabo's Flux Kustomization actually renders them.

Verified live with `helm template` (subjects[0].namespace=catalyst-system)
and `kubectl kustomize` (subjects[0].namespace=catalyst).

Bumps bp-catalyst-platform 1.3.2 → 1.3.3.

Issue: openova-io/openova#830 (Bug 1 follow-up)
Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

28 lines
1.0 KiB
Plaintext
.DS_Store
.git/
.gitignore
*.swp
*.bak
*.tmp
*~

# Contabo-mkt only — applied by contabo's Flux Kustomization as raw YAML.
# Excluded from Sovereign chart packaging (Sovereigns use Cilium gateway, no Traefik).
templates/kustomization.yaml
templates/ingress.yaml
templates/ingress-console-tls.yaml
templates/sme-services/kustomization.yaml
templates/sme-services/ingress.yaml
templates/marketplace-api/kustomization.yaml
templates/marketplace-api/ingress.yaml
# Kustomize-only sibling of clusterrolebinding-cutover-driver.yaml.
# See clusterrolebinding-cutover-driver-kustomize.yaml header for rationale
# (issue #830 P0 Bug 1 follow-up).
templates/clusterrolebinding-cutover-driver-kustomize.yaml

# Other sme-services/* and marketplace-api/* templates are PACKAGED in
# bp-catalyst-platform 1.3.0+ but each file's content is wrapped in
# `{{- if and .Values.ingress.marketplace .Values.ingress.marketplace.enabled }}`
# (issue #710). Non-marketplace Sovereigns get an empty render; marketplace
# operators flip the toggle and the SME stack + HTTPRoutes deploy together.
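
The failure described in the commit message above can be caught before deploy with a static check over the chart. The following is an added example, not code from the openova repository: it flags Helm directives in files listed under Kustomize resources, Kustomize-only files missing from resources or .helmignore, and a serviceAccountName with no ServiceAccount among the resources. The file name api-deployment.yaml, the object name cutover-driver and the function names are assumptions.

```python
import re

HELM_DIRECTIVE = re.compile(r"\{\{.*?\}\}")
SA_KIND = re.compile(r"^kind:\s*ServiceAccount\s*$", re.M)
SA_NAME = re.compile(r"^  name:\s*(\S+)", re.M)  # metadata.name at two-space indent

def kustomize_resources(text):
    """Entries of the top-level `resources:` block list (assumes plain `- name` items)."""
    out, in_list = [], False
    for line in text.splitlines():
        if line.startswith("resources:"):
            in_list = True
        elif in_list and (m := re.match(r"\s*-\s+(\S+)", line)):
            out.append(m.group(1))
        elif in_list and line.strip() and not line.lstrip().startswith("#"):
            in_list = False  # the next top-level key ends the list
    return out

def check_chart(files, helmignore):
    """files maps 'templates/<name>' to content. .helmignore entries are compared as
    exact paths (no glob handling). Returns a sorted list of findings."""
    resources = kustomize_resources(files["templates/kustomization.yaml"])
    ignored = {l.strip() for l in helmignore.splitlines() if l.strip() and not l.startswith("#")}
    rendered = {n: files[f"templates/{n}"] for n in resources if f"templates/{n}" in files}
    findings = [f"{n}: Helm directive in a Kustomize resource"
                for n, t in rendered.items() if HELM_DIRECTIVE.search(t)]
    for path in files:
        name = path.removeprefix("templates/")
        if name.endswith("-kustomize.yaml"):
            for ok, where in ((name in resources, "resources"), (path in ignored, ".helmignore")):
                if not ok:
                    findings.append(f"{name}: Kustomize-only file missing from {where}")
    # Assumes one object per file, so a top-level `kind: ServiceAccount` names the account.
    sas = {n for t in rendered.values() if SA_KIND.search(t) for n in SA_NAME.findall(t)}
    for name, text in rendered.items():
        for sa in set(re.findall(r"serviceAccountName:\s*(\S+)", text)) - sas:
            findings.append(f"{name}: serviceAccountName {sa} has no ServiceAccount in resources")
    return sorted(findings)

# Constructed sample mirroring the 1.3.2 state; api-deployment.yaml and object names are hypothetical.
SAMPLE_132 = {
    "templates/kustomization.yaml": "resources:\n  - api-deployment.yaml\n",
    "templates/api-deployment.yaml": "kind: Deployment\nspec:\n  template:\n    spec:\n      serviceAccountName: cutover-driver\n",
    "templates/serviceaccount-cutover-driver.yaml":
        "kind: ServiceAccount\nmetadata:\n  name: cutover-driver\n  namespace: {{ .Release.Namespace }}\n",
}

if __name__ == "__main__":
    print("\n".join(check_chart(SAMPLE_132, "templates/kustomization.yaml\n")))
```

This is a text-level lint only; rendering both paths with `helm template` and `kubectl kustomize`, as the commit message describes, remains the authoritative check.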