W2.5.F — three Catalyst Blueprint umbrella charts at platform/{openmeter,
livekit,matrix}/, each declaring its upstream chart under Chart.yaml
`dependencies:` so `helm dependency build` bundles the upstream payload
into the published OCI artifact (per docs/BLUEPRINT-AUTHORING.md §11.1
— hollow charts forbidden, CI-enforced by issue #181).
Per-chart kind summary
======================
bp-openmeter (closes #272)
default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
upstream chart: openmeter 1.0.0-beta.213 (oci://ghcr.io/openmeterio/helm-charts)
ClickHouse-less profile per docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §6.4.
The upstream chart's bundled clickhouse / kafka / postgresql / redis /
svix subcharts are all DISABLED — Catalyst supplies CNPG (postgres),
JetStream (event bus), and Valkey (redis-compat) at the platform tier.
Chart-level toggle `catalystBlueprint.backend.kind` (default `cnpg`,
alt `clickhouse`) records the active profile so observability/audit
pipelines can report it. The OpenMeter binary's
`aggregation.clickhouse.address` is left blank — per-Sovereign overlay
supplies it once a host cluster adds bp-clickhouse and the operator
re-rolls with `backend.kind: clickhouse`. Catalyst overlay templates
(NetworkPolicy / ServiceMonitor / HPA) all default OFF per
docs/BLUEPRINT-AUTHORING.md §11.2.
bp-livekit (closes #273)
default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
upstream chart: livekit-server 1.9.0 (https://helm.livekit.io)
WebRTC SFU. Powers the Huawei iFlytek voice demo. Catalyst defaults
pair LiveKit with bp-stunner (the upstream chart's bundled co-located
TURN server is OFF; per-Sovereign overlay points the LiveKit TURN
config at the stunner UDP-gateway Service). RTC UDP port range is
50000-60000 (matches the Hetzner firewall rule the per-Sovereign
overlay opens). Catalyst overlay templates (NetworkPolicy /
ServiceMonitor / HPA) all default OFF; the chart's NetworkPolicy
template documents that LiveKit's hostNetwork mode means pod-level
policies do NOT cover the SFU port range — the firewall rule is the
load-bearing control. blueprint.yaml `depends:` declares bp-stunner +
bp-cert-manager + bp-valkey.
bp-matrix (closes #274)
default `helm template` kinds: ConfigMap, Deployment, Ingress, Job,
PersistentVolumeClaim, Pod, Role, RoleBinding, Secret, Service,
ServiceAccount
upstream chart: matrix-synapse 3.12.25 (https://ananace.gitlab.io/charts)
Synapse (the Matrix server implementation, NOT the retired OpenOva
product noun). Federation OFF by default (Catalyst per-Sovereign
tenancy default — operator overlays flip it on per-Organization).
Postgres backend via bp-cnpg externalPostgresql; OIDC SSO via
bp-keycloak; bundled bitnami postgresql + redis subcharts both
disabled. Catalyst overlay NetworkPolicy gates the federation port
(8448) on `federation.enabled` — verified by Case 5 of the
observability-toggle test. Catalyst-overlay ServiceMonitor (upstream
chart has none) + HPA both default OFF.
Lint
====
All three charts pass `helm lint` clean (only the noisy "icon is
recommended" INFO message).
Observability tests
===================
Each chart's `tests/observability-toggle.sh` enforces the Catalyst
contract from docs/BLUEPRINT-AUTHORING.md §11.2:
Case 1: default render produces zero monitoring.coreos.com/v1
resources (no ServiceMonitor / PrometheusRule).
Case 2: opt-in (--set serviceMonitor.enabled=true --api-versions
monitoring.coreos.com/v1) renders a ServiceMonitor.
Case 3: explicit-off render is clean.
Case 4 (per chart):
- openmeter: ClickHouse-less profile asserts no
clickhouse.altinity.com / Kafka subchart resources leak into the
default render.
- livekit: asserts upstream livekit-server.serviceMonitor.create
defaults false.
- matrix: asserts default render carries an empty
federation_domain_whitelist (the per-Sovereign tenancy default).
Case 5 (matrix only): `--set federation.enabled=true networkPolicy
.enabled=true` opens port 8448 in the Catalyst NetworkPolicy.
All gates green for all three charts.
Closes #272 #273 #274
Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
bp-matrix
Self-hosted, federation-capable team chat. Catalyst Application
Blueprint wrapping the Synapse Matrix homeserver. See
docs/PLATFORM-TECH-STACK.md §4.5
(Communication).
"Synapse" here = the Matrix server implementation, NOT the retired OpenOva product noun (which has been replaced by bp-axon for the SaaS LLM gateway).
Status: Accepted | Updated: 2026-04-30
Overview
Synapse is the reference Matrix homeserver. Catalyst pairs it with:
| Component | Integration |
|---|---|
| bp-cnpg | PostgreSQL backend (via externalPostgresql) |
| bp-keycloak | OIDC SSO (via extraConfig.oidc_providers) |
| bp-cert-manager | Ingress TLS via cluster Issuer |
| bp-valkey | Workers signaling backend (only when workers are enabled) |
| bp-element-web | Web client at chat-web.<sovereign-fqdn> (separate Blueprint, slot 47) |
Per-Sovereign tenancy default — federation OFF
Catalyst's per-Sovereign tenancy default keeps each Sovereign's Matrix
instance private. Operator overlays flip federation.enabled: true
per-Organization for cross-Sovereign collaboration. The chart's
NetworkPolicy template only opens federation port 8448 when
federation.enabled is true (verified by Case 5 of
tests/observability-toggle.sh).
Local registration OFF
Catalyst standard is OIDC-only accounts (registration is handled in
Keycloak). The wrapper sets extraConfig.enable_registration: false by
default; operator overlays may flip it on for development Sovereigns.
Chart shape
```
platform/matrix/
├── blueprint.yaml                      # Catalyst Blueprint CRD
├── chart/
│   ├── Chart.yaml                      # umbrella; deps: matrix-synapse (Helm)
│   ├── values.yaml                     # Catalyst defaults (federation OFF, OIDC ON)
│   └── templates/
│       ├── _helpers.tpl
│       ├── networkpolicy.yaml          # default OFF; federation port gated by federation.enabled
│       ├── servicemonitor.yaml         # default OFF (CRD-gated)
│       └── hpa.yaml                    # default OFF
├── chart/tests/observability-toggle.sh
└── README.md
```
Observability toggles (all default OFF)
Per docs/BLUEPRINT-AUTHORING.md §11.2.

| Toggle | Default | Why |
|---|---|---|
| serviceMonitor.enabled | false | upstream chart has no ServiceMonitor; Catalyst overlay default off |
| networkPolicy.enabled | false | Operator supplies consumer-namespace selectors per-Sovereign |
| hpa.enabled | false | Solo-Sovereign baseline runs Synapse monolithic |
| federation.enabled | false | Catalyst per-Sovereign tenancy default (private rooms) |
| extraConfig.enable_registration | false | OIDC-only accounts (registration in Keycloak) |
Verification
```sh
helm dependency update platform/matrix/chart
helm template platform/matrix/chart | grep -E "^kind:" | sort -u
helm lint platform/matrix/chart
bash platform/matrix/chart/tests/observability-toggle.sh
```
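The shape of the Case 1 and Case 5 checks that the toggle test above applies to a rendered chart, as an added example that is not the chart's own `tests/observability-toggle.sh`: the assertions take rendered manifest text as input so they can be exercised on captured output, and `render_chart` is the only helper that needs the `helm` binary. The sample manifests at the bottom are constructed, not real chart output.

```shell
# Added example (not the chart's own tests/observability-toggle.sh): the gate's
# assertions run over rendered manifest text; only render_chart needs helm.
set -eu

# Real gate entry point: render the umbrella chart with the given --set args.
render_chart() {                      # render_chart <chart-dir> [helm args...]
  local chart="$1"; shift
  helm template "$chart" --api-versions monitoring.coreos.com/v1 "$@"
}
# count_kind <manifest> <apiVersion-regex> <kind>: number of YAML documents
# whose apiVersion matches the regex AND whose kind equals <kind>.
count_kind() {
  printf '%s\n' "$1" | awk -v api="$2" -v kind="$3" '
    /^---/              { if (a && k) n++; a = 0; k = 0; next }
    $1 == "apiVersion:" { if ($2 ~ api) a = 1 }
    $1 == "kind:"       { if ($2 == kind) k = 1 }
    END                 { if (a && k) n++; print n + 0 }'
}
# networkpolicy_opens_port <manifest> <port>: succeed iff a NetworkPolicy
# document lists "port: <port>" (Case 5: 8448 only when federation.enabled).
networkpolicy_opens_port() {
  printf '%s\n' "$1" | awk -v port="$2" '
    BEGIN                                  { re = "^[ -]*port: *" port " *$" }
    /^---/                                 { np = 0; next }
    $1 == "kind:" && $2 == "NetworkPolicy" { np = 1 }
    np && $0 ~ re                          { found = 1 }
    END                                    { exit found ? 0 : 1 }'
}
# Case 1 (default render): zero monitoring.coreos.com/v1 resources.
case1_no_monitoring() {
  [ "$(count_kind "$1" '^monitoring[.]coreos[.]com/' ServiceMonitor)" -eq 0 ] &&
  [ "$(count_kind "$1" '^monitoring[.]coreos[.]com/' PrometheusRule)" -eq 0 ]
}

# Constructed sample renders (NOT real chart output) for a stand-alone run.
DEFAULT_RENDER='---
apiVersion: v1
kind: Service
---
apiVersion: v1
kind: ConfigMap'
FEDERATION_RENDER="$DEFAULT_RENDER"'
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
spec:
  ingress:
    - ports:
        - port: 8008
        - port: 8448'
```

In the real gate, feed `"$(render_chart platform/matrix/chart --set federation.enabled=true --set networkPolicy.enabled=true)"` to `networkpolicy_opens_port` and the default render to `case1_no_monitoring`.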
Part of OpenOva. Closes #274.