openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
2ff50f0591
openova/platform/cnpg/blueprint.yaml
e3mrah 9dc8506dd9
feat(charts): bp-external-secrets + bp-cnpg + bp-valkey wrapper charts (#285) 
Storage-substrate batch (W2.5.A) — closes #254 by shipping the three
upstream-subchart umbrella Blueprints that the Flux HRs at
clusters/_template/bootstrap-kit/{15-external-secrets,16-cnpg,17-valkey}
.yaml (merged via PR #262) target.

Each chart follows the canonical umbrella pattern documented in
docs/BLUEPRINT-AUTHORING.md §11.1: Chart.yaml declares the upstream
chart under `dependencies:` so `helm dependency build` bundles the
upstream payload into the OCI artifact, and Catalyst-curated overlay
values + templates sit alongside in chart/values.yaml + chart/templates/.

Per-chart highlights:
- bp-external-secrets/1.0.0 — wraps external-secrets/external-secrets
  0.10.7. Ships a default `vault-region1` ClusterSecretStore (via Helm
  post-install/post-upgrade hook to defer the CR application until the
  upstream chart's CRDs are registered) wired to the in-cluster
  bp-openbao service. clusterSecretStore.enabled toggle lets cluster
  overlays opt out and author their own multi-region CRs.
- bp-cnpg/1.0.0 — wraps cnpg/cloudnative-pg 0.28.0. Operator-only
  surface (Cluster CRs are per-Application). CRDs ship in-chart so
  bp-powerdns / bp-keycloak / bp-gitea / bp-langfuse / bp-grafana /
  bp-temporal / bp-matrix / bp-llm-gateway / bp-bge / bp-nemo-guardrails
  / bp-openmeter / pool-domain-manager can `dependsOn: bp-cnpg` via
  Flux — closing #254 (bp-powerdns CreateContainerConfigError on
  pdns-pg-app secret).
- bp-valkey/1.0.0 — wraps bitnami/valkey 5.5.1. BSD-3 Redis-compatible
  cache, replication architecture, password auth ON, NetworkPolicy ON,
  replicas 0 by default for solo Sovereigns (cluster overlays bump for
  HA). Application-tier cache only — Catalyst control plane uses NATS
  JetStream KV (per ARCHITECTURE.md §5).

Per docs/BLUEPRINT-AUTHORING.md §11.2 (issue #182): every observability
toggle defaults `false` (ServiceMonitor / PodMonitor / PrometheusRule /
metrics sidecar) and is operator-tunable via per-cluster overlay once
bp-kube-prometheus-stack reconciles. Each chart ships
tests/observability-toggle.sh covering default-off, opt-in (--api-versions
monitoring.coreos.com/v1 to simulate the CRDs), and explicit-off cases.

Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode): every upstream
version, namespace, server URL, role, and password toggle is exposed
under values.yaml. Cluster overlays in clusters/<sovereign>/ may
override without rebuilding the Blueprint OCI artifact.

helm lint: 1 chart(s) linted, 0 chart(s) failed (each, INFO icon-recommended only)
helm template default render kinds:
  bp-external-secrets: ClusterRole, ClusterRoleBinding, ClusterSecretStore, CustomResourceDefinition, Deployment, Role, RoleBinding, Secret, Service, ServiceAccount, ValidatingWebhookConfiguration
  bp-cnpg:             ClusterRole, ClusterRoleBinding, ConfigMap, CustomResourceDefinition, Deployment, MutatingWebhookConfiguration, Service, ServiceAccount, ValidatingWebhookConfiguration
  bp-valkey:           ConfigMap, NetworkPolicy, PodDisruptionBudget, Secret, Service, ServiceAccount, StatefulSet

Closes #254

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-04-30 18:39:29 +04:00

60 lines
2.2 KiB
YAML
Raw Blame History

apiVersion: catalyst.openova.io/v1alpha1
kind: Blueprint
metadata:
name: bp-cnpg
labels:
catalyst.openova.io/section: pts-4-1-data-services
spec:
version: 1.0.0
card:
title: CloudNativePG
summary: |
Production-grade PostgreSQL operator. Per-Sovereign Postgres-as-a-
service via postgresql.cnpg.io/v1.Cluster CRs. Bootstrap-kit slot 16
— required by every PG-backed bootstrap component (bp-powerdns,
bp-keycloak HA, bp-gitea metadata, bp-langfuse, bp-grafana config DB,
bp-temporal, bp-matrix synapse, bp-llm-gateway, bp-bge,
bp-nemo-guardrails, bp-openmeter, pool-domain-manager).
icon: cnpg.svg
category: data
visibility: unlisted # mandatory infra, auto-installed by bootstrap kit
configSchema:
type: object
properties:
monitoring:
type: object
properties:
podMonitorEnabled:
type: boolean
default: false
description: |
Render PodMonitor for the operator. Requires Prometheus
Operator CRDs (kube-prometheus-stack); cluster overlays flip
true once that Application Blueprint reconciles.
crds:
type: object
properties:
create:
type: boolean
default: true
description: |
Install postgresql.cnpg.io CRDs as part of this chart. CNPG's
CRDs ship with the upstream chart so consumers of
`postgresql.cnpg.io/v1.Cluster` (bp-powerdns, bp-keycloak,
bp-gitea, …) gate themselves on bp-cnpg via Flux dependsOn.
placementSchema:
modes: [single-region, active-active]
default: single-region # operator runs once per host cluster; Cluster CRs handle replication
manifests:
chart: ./chart
# CNPG only needs Flux Ready (its own CRDs ship in the same chart;
# consumers of postgresql.cnpg.io/v1.Cluster gate themselves on bp-cnpg).
# The Flux HR at clusters/_template/bootstrap-kit/16-cnpg.yaml encodes
# this dependsOn. Declared here for documentation parity; the
# blueprint-controller does not yet reconcile this field.
depends:
- blueprint: bp-flux
version: ^1.0
upgrades:
from: ["0.x"]
Reference in New Issue View Git Blame Copy Permalink