Each platform/<name>/chart/Chart.yaml now declares the canonical upstream
chart as a dependencies: entry. helm dependency build pulls the upstream
payload into the OCI artifact at publish time, so Flux helm install of
bp-<name>:1.1.0 actually installs the upstream Helm release alongside the
Catalyst-curated overlays (NetworkPolicy, ServiceMonitor, ClusterIssuer,
ExternalSecret) under templates/.
Pinned upstream chart versions per platform/<name>/blueprint.yaml:
- cilium 1.16.5 https://helm.cilium.io
- cert-manager v1.16.2 https://charts.jetstack.io
- flux 2.4.0 https://fluxcd-community.github.io/helm-charts
- crossplane 1.17.x https://charts.crossplane.io/stable
- sealed-secrets 2.16.x https://bitnami-labs.github.io/sealed-secrets
- spire ... https://spiffe.github.io/helm-charts-hardened
- nats-jetstream ... https://nats-io.github.io/k8s/helm/charts
- openbao ... https://openbao.github.io/openbao-helm
- keycloak ... https://charts.bitnami.com/bitnami
- gitea ... https://dl.gitea.com/charts
- catalyst-platform umbrella over the 10 leaf bp-* charts via
helm dependency
values.yaml in each chart adopts the umbrella convention: catalystBlueprint
metadata block (provenance + version) at top level, upstream subchart
values namespaced under the dependency name.
cert-manager specifically: clusterissuer-letsencrypt-dns01.yaml gets the
helm.sh/hook: post-install,post-upgrade annotation so it applies AFTER
cert-manager controllers are running and CRDs registered (the previous
hollow-chart shape ran the ClusterIssuer at install time when CRDs
didn't exist yet, which was the omantel cluster's exact failure mode).
Wrapper chart version bumped 1.0.0 → 1.1.0 across the board (umbrella
conversion is a meaningful structural revision). Cluster manifests in
clusters/_template/bootstrap-kit/ AND clusters/omantel.omani.works/
bootstrap-kit/ updated to reference 1.1.0.
The blueprint-release.yaml workflow's helm package step needs an
explicit helm dependency build before push so the upstream subchart
bytes ship inside the OCI artifact. That CI change is a follow-up
commit on this same branch (separate file scope).
43aff20254