openova/platform/spire
hatiyildiz 43aff20254 feat(bp-*): convert all 11 bootstrap-kit charts to umbrella charts depending on upstream
Each platform/<name>/chart/Chart.yaml now declares the canonical upstream
chart as a dependencies: entry. helm dependency build pulls the upstream
payload into the OCI artifact at publish time, so Flux helm install of
bp-<name>:1.1.0 actually installs the upstream Helm release alongside the
Catalyst-curated overlays (NetworkPolicy, ServiceMonitor, ClusterIssuer,
ExternalSecret) under templates/.

Pinned upstream chart versions per platform/<name>/blueprint.yaml:
- cilium                 1.16.5  https://helm.cilium.io
- cert-manager           v1.16.2 https://charts.jetstack.io
- flux                   2.4.0   https://fluxcd-community.github.io/helm-charts
- crossplane             1.17.x  https://charts.crossplane.io/stable
- sealed-secrets         2.16.x  https://bitnami-labs.github.io/sealed-secrets
- spire                  ...     https://spiffe.github.io/helm-charts-hardened
- nats-jetstream         ...     https://nats-io.github.io/k8s/helm/charts
- openbao                ...     https://openbao.github.io/openbao-helm
- keycloak               ...     https://charts.bitnami.com/bitnami
- gitea                  ...     https://dl.gitea.com/charts
- catalyst-platform      umbrella over the 10 leaf bp-* charts via
                         helm dependency

values.yaml in each chart adopts the umbrella convention: catalystBlueprint
metadata block (provenance + version) at top level, upstream subchart
values namespaced under the dependency name.

cert-manager specifically: clusterissuer-letsencrypt-dns01.yaml gets the
helm.sh/hook: post-install,post-upgrade annotation so it applies AFTER
cert-manager controllers are running and CRDs registered (the previous
hollow-chart shape ran the ClusterIssuer at install time when CRDs
didn't exist yet, which was the omantel cluster's exact failure mode).

Wrapper chart version bumped 1.0.0 → 1.1.0 across the board (umbrella
conversion is a meaningful structural revision). Cluster manifests in
clusters/_template/bootstrap-kit/ AND clusters/omantel.omani.works/
bootstrap-kit/ updated to reference 1.1.0.

The blueprint-release.yaml workflow's helm package step needs an
explicit helm dependency build before push so the upstream subchart
bytes ship inside the OCI artifact. That CI change is a follow-up
commit on this same branch (separate file scope).
2026-04-29 17:21:36 +02:00
chart feat(bp-*): convert all 11 bootstrap-kit charts to umbrella charts depending on upstream 2026-04-29 17:21:36 +02:00
blueprint.yaml feat(charts): G2 wrapper Helm charts for 11 bootstrap-kit components + blueprint-release CI 2026-04-28 12:51:06 +02:00
README.md feat(charts): G2 wrapper Helm charts for 11 bootstrap-kit components + blueprint-release CI 2026-04-28 12:51:06 +02:00

SPIRE

SPIFFE/SPIRE workload identity. Catalyst control plane component (per docs/PLATFORM-TECH-STACK.md §2.3 — Per-Sovereign supporting services). Issues short-lived (5-min auto-rotated) X.509 SVIDs to every Pod across every host cluster a Sovereign owns.

Status: Accepted. Chart wrapper at chart/. Updated: 2026-04-28.


Why

Catalyst's identity model has two systems (per docs/SECURITY.md §1):

Subject                                  System        Lifetime
Workloads (every Pod, every controller)  SPIFFE/SPIRE  5-min SVID
Users (every human)                      Keycloak      15-min JWT

SPIRE issues SVIDs scoped by SPIFFE ID:

spiffe://<sovereign>/ns/<namespace>/sa/<service-account>

OpenBao authenticates clients by SVID. JetStream authenticates clients by SVID. Catalyst REST APIs authenticate workloads by SVID and users by JWT.
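What a relying party such as OpenBao, JetStream or a Catalyst API has to do with a presented X.509-SVID, as an added example (this is not SPIRE's, go-spiffe's or Catalyst's own code): chain the leaf to the sovereign's trust bundle, take the SPIFFE ID from the single URI SAN, enforce the spiffe://<sovereign>/ns/<namespace>/sa/<service-account> shape, reject foreign trust domains and SVIDs that live longer than the 5-minute rotation window, and only then consult a local allow-list. The trust domain acme.sovereign, the payments/ledger identity and the in-process CA that stands in for the SPIRE server are constructed for the example; a real relying party receives the bundle and SVIDs from the agent's Workload API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// WorkloadID is what a relying party (OpenBao, JetStream, a Catalyst API) derives from a client SVID.
type WorkloadID struct {
	TrustDomain    string // the <sovereign> part of the SPIFFE ID
	Namespace      string
	ServiceAccount string
}

// ParseSPIFFEID accepts only spiffe://<sovereign>/ns/<namespace>/sa/<service-account>: spiffe scheme,
// lowercase trust domain with no userinfo or port, no query or fragment, exactly those four segments.
func ParseSPIFFEID(raw string) (WorkloadID, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.Port() != "" ||
		u.Host != strings.ToLower(u.Host) || u.RawQuery != "" || u.Fragment != "" {
		return WorkloadID{}, fmt.Errorf("malformed SPIFFE ID %q", raw)
	}
	seg := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(seg) != 4 || seg[0] != "ns" || seg[2] != "sa" || seg[1] == "" || seg[3] == "" {
		return WorkloadID{}, fmt.Errorf("SPIFFE ID %q is not /ns/<namespace>/sa/<service-account>", raw)
	}
	return WorkloadID{TrustDomain: u.Host, Namespace: seg[1], ServiceAccount: seg[3]}, nil
}

// Authorizer is the relying-party side of the exchange.
type Authorizer struct {
	TrustDomain string          // the sovereign whose SVIDs are accepted
	Bundle      *x509.CertPool  // that sovereign's SPIRE trust bundle
	Allowed     map[string]bool // keyed "<namespace>/<service-account>"
	MaxLifetime time.Duration   // local policy; 5 min matches the rotation period above
}

// Authenticate verifies chain, URI SAN count, SPIFFE ID shape, trust domain and lifetime, in that
// order, before the allow-list is consulted, so an unverified identity never reaches authorization.
func (a Authorizer) Authenticate(leaf *x509.Certificate, now time.Time) (WorkloadID, error) {
	opts := x509.VerifyOptions{Roots: a.Bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return WorkloadID{}, fmt.Errorf("SVID does not chain to the %s bundle: %w", a.TrustDomain, err)
	}
	if len(leaf.URIs) != 1 { // the X.509-SVID profile requires exactly one URI SAN
		return WorkloadID{}, fmt.Errorf("expected one URI SAN, got %d", len(leaf.URIs))
	}
	id, err := ParseSPIFFEID(leaf.URIs[0].String())
	switch {
	case err != nil:
		return WorkloadID{}, err
	case id.TrustDomain != a.TrustDomain:
		return WorkloadID{}, fmt.Errorf("SVID from foreign trust domain %q", id.TrustDomain)
	case leaf.NotAfter.Sub(leaf.NotBefore) > a.MaxLifetime:
		return WorkloadID{}, fmt.Errorf("SVID lifetime %s exceeds policy %s", leaf.NotAfter.Sub(leaf.NotBefore), a.MaxLifetime)
	case !a.Allowed[id.Namespace+"/"+id.ServiceAccount]:
		return WorkloadID{}, fmt.Errorf("%s/%s authenticated but not authorized", id.Namespace, id.ServiceAccount)
	}
	return id, nil
}

// must, newCA and mintSVID are constructed fixtures standing in for the SPIRE server so the example
// runs offline; they are not SPIRE's own issuance code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newCA(trustDomain string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "spire-server " + trustDomain},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

func mintSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id string, ttl time.Duration) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now() // one timestamp for both bounds so the encoded lifetime is exactly ttl
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs: []*url.URL{must(url.Parse(id))}} // the SPIFFE ID rides in the URI SAN, not the subject
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

func main() {
	ca, caKey := newCA("acme.sovereign") // hypothetical sovereign trust domain
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	auth := Authorizer{TrustDomain: "acme.sovereign", Bundle: bundle, Allowed: map[string]bool{"payments/ledger": true}, MaxLifetime: 5 * time.Minute}
	for _, id := range []string{"spiffe://acme.sovereign/ns/payments/sa/ledger", "spiffe://acme.sovereign/ns/payments/sa/batch"} {
		_, err := auth.Authenticate(mintSVID(ca, caKey, id, 5*time.Minute), time.Now())
		fmt.Printf("%s -> %v\n", id, err)
	}
}
```

The ordering is the point: the allow-list keyed on namespace/service-account is only meaningful once the chain, trust domain and SPIFFE ID shape have been verified, otherwise any CA could mint a certificate naming payments/ledger. The lifetime ceiling is a local policy choice that matches the 5-minute rotation described above, not something SPIRE enforces on the relying party's behalf; in production the official go-spiffe library fetches the bundle and SVIDs from the Workload API and performs the chain and SPIFFE ID checks for you.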


Topology

Layer         Replicas    Notes
SPIRE server  1 (HA: 3)   On the Sovereign's mgt cluster. Upstream-bundle to a root SPIRE on the OpenOva publisher when present.
SPIRE agent   1 per node  DaemonSet. Exposes Workload API (Unix socket) to Pods on that node.

Chart

The chart/ directory wraps the upstream SPIFFE/SPIRE Helm chart with Catalyst-curated values. Installed by the Catalyst bootstrap kit during Phase 0 (per docs/SOVEREIGN-PROVISIONING.md §3) — after Cilium, cert-manager, Flux, and Crossplane have come up.

OCI artifact: ghcr.io/openova-io/bp-spire:1.0.0.


Part of OpenOva