openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
33dc98782b
openova/scripts
History
e3mrah 33dc98782b
feat(bp-self-sovereign-cutover): chart + bootstrap-kit slot 06a (#791) (#808) 
New platform Blueprint at `platform/self-sovereign-cutover/chart/`. Ships
DORMANT — eight step PodSpec ConfigMaps, the registry-pivot DaemonSet, the
mutable cutover-status ConfigMap, plus ServiceAccount/RBAC. The catalyst-api
cutover endpoint (#792, merged at 03828641) reads each step ConfigMap by
label selector and stamps real Jobs only on operator-driven trigger.

Step inventory:
  01 gitea-mirror             — git push --mirror upstream → local Gitea
  02 harbor-projects          — create 7 proxy-cache projects
  03 harbor-prewarm           — HEAD-pull bootstrap-kit images through cache
  04 registry-pivot           — DaemonSet rewrites registries.yaml on every node
  05 flux-gitrepository-patch — pivot GitRepository.url → local Gitea
  06 helmrepository-patches   — pivot 38 OCI URLs → local Harbor
  07 catalyst-api-env-patch   — kubectl set env CATALYST_GITOPS_REPO_URL
  08 egress-block-test        — CiliumNetworkPolicy + 10-min sovereignty proof

Plus self-sovereign-cutover-status ConfigMap with the consumer-contract keys
(cutoverComplete, currentStep, step.<name>.result, etc.) shipped at install
with helm.sh/resource-policy: keep so chart uninstall doesn't lose state.

Bootstrap-kit slot `06a-bp-self-sovereign-cutover.yaml` installs the chart
into the `catalyst` namespace (matches catalyst-api's default discovery
namespace), depends on bp-gitea + bp-harbor, uses disableWait: true.

RBAC splits `create` verbs into their own Rule WITHOUT resourceNames per
feedback_rbac_create_no_resourcenames.md — the bp-openbao loop anchor.

chart/tests/cutover-contract.sh enforces:
  - 8 step ConfigMaps render
  - required labels (part-of/component/cutover-order/cutover-mode)
  - required data keys (stepName + podSpec for job-mode)
  - step 04 mode=daemonset-wait
  - status ConfigMap retained on uninstall
  - RBAC create/resourceNames split

helm template smoke render: 1180 lines, 19 resources (1 Namespace + 1 SA +
11 ConfigMaps + 1 DaemonSet + 1 ClusterRole + 1 ClusterRoleBinding).
helm lint: clean.
scripts/check-bootstrap-deps.sh: PASSED (slot 6a registered, depends_on
[bp-gitea, bp-harbor]).

Co-authored-by: Hatice Yildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 21:55:19 +04:00
..
check-bootstrap-deps.sh fix(bp-external-secrets-stores): split ClusterSecretStore into separate chart per #247 pattern (closes #331) (#426) 2026-05-01 17:33:47 +04:00
check-vendor-coupling.sh fix(ci): vendor-coupling guardrail path - products/catalyst/bootstrap/api/internal/objectstorage (closes #438) (#440) 2026-05-01 18:21:57 +04:00
expected-bootstrap-deps.yaml feat(bp-self-sovereign-cutover): chart + bootstrap-kit slot 06a (#791) (#808) 2026-05-04 21:55:19 +04:00
generate-blueprint-deps.sh fix(wizard): blueprint deps sourced from Flux dependsOn (single source of truth) (#652) 2026-05-03 09:47:52 +04:00
operator-recover-sovereign.sh docs(ops): comprehensive operator runbook + remediation playbook + idempotent recovery script 2026-04-29 19:26:29 +02:00