openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
39f4eb6c51
openova/platform/sealed-secrets
History
e3mrah 1f5c76def1
fix(platform): sync blueprint.yaml versions with Chart.yaml (#199) 
* feat(ui): Playwright cosmetic + step-flow regression guards

15 regression guards in products/catalyst/bootstrap/ui/e2e/cosmetic-
guards.spec.ts that fail HARD when each user-flagged defect class
returns:

  1.  card height drift from canonical 108px
  2.  reserved right padding eating description width
  3.  logo tile drift from per-brand LOGO_SURFACE
  4.  invisible glyph (white-on-white) via luminance proxy
  5.  wizard step order Org/Topology/Provider/Credentials/Components/
      Domain/Review
  6.  legacy "Choose Your Stack" / "Always Included" tab labels
  7.  Domain step reachable before Components
  8.  CPX32 not the recommended Hetzner SKU
  9.  per-region SKU dropdown shows wrong provider catalog
  10. provision page is .html (static) not SPA route
  11. legacy bubble/edge DAG SVG markup on provision page
  12. admin sidebar drift from canonical core/console (w-56 + 7 labels)
  13. AppDetail uses tablist instead of sectioned layout
  14. job rows navigate to /job/<id> instead of expand-in-place
  15. Phase 0 banners (Hetzner infra / Cluster bootstrap) on AdminPage

Each test prints a failure message naming the canonical reference,
the source-of-truth file, and the data-testid PR needed (if any) so
the implementing agent has a precise target. No .skip() — per
INVIOLABLE-PRINCIPLES #2, missing components fail loud.

CI: .github/workflows/cosmetic-guards.yaml runs the suite on every
PR that touches products/catalyst/bootstrap/ui/** or core/console/**.

Docs: docs/UI-REGRESSION-GUARDS.md maps each test to the user's
original complaint, the canonical reference, and the green/red
semantics (5 tests intentionally RED on main today — they stay red
until the companion-agent's UI work lands).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(platform): sync blueprint.yaml versions with Chart.yaml so manifest-validation passes

---------

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:07:55 +04:00
..
chart fix(bp-*): observability toggles default false — break circular CRD dependency 2026-04-29 19:23:52 +02:00
blueprint.yaml fix(platform): sync blueprint.yaml versions with Chart.yaml (#199) 2026-04-29 22:07:55 +04:00
README.md feat(charts): G2 wrapper Helm charts for 11 bootstrap-kit components + blueprint-release CI 2026-04-28 12:51:06 +02:00

README.md

Sealed Secrets

Transient bootstrap-only secret transport. Catalyst control plane (per docs/PLATFORM-TECH-STACK.md §3.3 — Security and policy). Used during Phase 0 of Sovereign provisioning to ship initial bootstrap secrets through GitOps; archived/disabled after OpenBao + ESO replace it.

Status: Accepted. Chart wrapper at chart/. Updated: 2026-04-28.

Why transient

Per docs/SOVEREIGN-PROVISIONING.md §3 (Phase 0 Bootstrap kit):

e. Sealed Secrets (transient, only for bootstrap secrets)

Sealed Secrets is the standard pattern for "secrets in Git for the first 60 seconds of a cluster's life". After Phase 1 hand-off (per §4), the canonical Catalyst secret backend is OpenBao + ExternalSecrets Operator (ESO). Sealed Secrets stays installed but unused — the controller scales to 0 and the kubeseal CLI is no longer used.

Long-term cluster secrets follow the OpenBao path of org/<org>/env/<env_type>/... and are materialized into K8s Secrets via ESO ExternalSecret CRs.

Chart

The chart/ directory wraps the upstream Sealed Secrets Helm chart with Catalyst-curated values: minimal resources (controller is bootstrap-only), no UI.

OCI artifact: ghcr.io/openova-io/bp-sealed-secrets:1.0.0.

Part of OpenOva