620d8b6c13
* feat(unified-rbac): SME-tier extension + host-header tenant discovery (#802) Implements the SME-tier extension to the existing Sovereign Console SPA per [Q-mine-1] of #795: same React bundle serves both otech-admin and SME-admin views, tenant context discovered via window.location.host against a back-end registry — not from path/subdomain string parsing. Backend (catalyst-api / unified-rbac slice): - Tenant registry (store.TenantRegistry) — flat-file host → tenant lookup table backing the public discovery endpoint. Host normalised to lowercase; case-insensitive lookups. - GET /api/v1/tenant/discover (public, no auth gate) — returns {tenant_id, tenant_kind, keycloak_realm_url, keycloak_client_id} on 200, 404 on unknown host, 503 if registry unwired. Admin URLs are NEVER on this wire. - POST /api/v1/sme/users — fires ADR-0003 3-step hook (Keycloak → NewAPI → K8s Secret SSA with field manager `unified-rbac`). Each step idempotent; persisted state machine in store.UserProvisionStore per ADR-0003 §3.4. Returns 202 with steps[] progress array so the SPA can render the 3-step indicator even on partial failure. - GET /api/v1/sme/users / DELETE /api/v1/sme/users/{uuid} — list + inverse rollback per ADR-0003 §3.7. - internal/newapi.Client — minimal NewAPI admin REST client; 201 happy-path + 409 idempotent recovery via GET ?external_id=<uuid> per ADR-0003 §3.2 (NewAPI does NOT rotate api_key on conflict). Frontend (Sovereign Console SPA): - Branded TenantID + TenantKind types (shared/types/tenant.ts) — same pattern as DeploymentID (#749). - shared/lib/tenantDiscover.ts — fire-and-forget discovery in main.tsx; result cached in module state for sidebar nav + OIDC bootstrap. - pages/sme/UsersPage.tsx — user CRUD UI with 3-step KC/NewAPI/Secret progress indicator wired off the API response shape. - pages/sme/RolesPage.tsx — canonical Keycloak group → app role map (wordpress / openclaw / stalwart / rbac) per #795 [B]. - pages/sme/sme.api.ts — typed REST client; X-Tenant-Host header carries window.location.host on every call. - Routes mounted at /console/sme/users + /console/sme/roles under the existing SovereignConsoleLayout — same SPA bundle, different route tree per discovered tenant_kind. Tests: 22 new UI tests (4 files), 33 new Go tests (4 files). All green: branded type parsers reject empty/non-string inputs, tenant discovery handles 200/404/503/network-error paths, the 3-step hook runs end-to-end against fake KC/NewAPI/SSA stubs, partial-failure states surface verbatim through the steps[] response field, public discovery endpoint never leaks admin URLs. Per docs/INVIOLABLE-PRINCIPLES.md #4 every URL goes through apiUrl() in shared/config/urls; per #2 wire shapes parse through branded-type parsers at the boundary; per #3 K8s Secret apply uses client-go SSA (field manager `unified-rbac`) — no exec.Command kubectl shell-out. Closes #802. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(unified-rbac): add Playwright E2E for SME-tier UI (#802) Three specs covering: - SME UsersPage: empty state → create form → 3-step progress indicator (KC done / NewAPI done / Secret done) — proves the page is wired to the API response shape. - SME RolesPage: canonical group → app-role table renders the full 7-row mapping locked in #795 [B]. - OTECH tenant: same SPA bundle navigates /console/dashboard for the otech discovery payload — proves [Q-mine-1] of #795 (one bundle, two route trees, host-driven discovery). Backend mocks: route fulfillers stub /tenant/discover, /sme/users, and /whoami so the dev-server harness can drive the SPA without the catalyst-api backend or a live SME vcluster. The full live cross-cluster E2E gates on bp-newapi (#799) seeding the tenant registry at SME-onboarding time, which lands in #804. 1440 px screenshots captured at e2e/screenshots/802-*.png: - 802-sme-users-empty-1440.png - 802-sme-users-create-form-1440.png - 802-sme-users-after-create-1440.png - 802-sme-roles-1440.png - 802-otech-dashboard-same-bundle-1440.png Run: VITE_CATALYST_MODE=sovereign VITE_SOVEREIGN_FQDN=acme.otech.example npm run dev npx playwright test e2e/sme-tier-rbac.spec.ts Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(admin-console): add-domain flow + DNS propagation status panel (#829) Multi-domain Sovereign — operator-admin "Add another parent domain" surface in the Sovereign Console + live DNS propagation status panel. Closes the MD-4 sub-ticket of epic #825. Backend (catalyst-api/internal/handler/parent_domains.go): - GET /api/v1/sovereign/parent-domains — list pool - POST /api/v1/sovereign/parent-domains — add domain - DELETE /api/v1/sovereign/parent-domains/{name} — remove - GET /api/v1/sovereign/parent-domains/{name}/propagation — fan-out to 5+ public DNS resolvers The Add pipeline calls PDM /set-ns (sister #826), creates the PowerDNS zone (sister #827, env-gated stub until that PR lands), and issues a wildcard cert via cert-manager (also sister #827, env-gated stub). All three steps update the same store row so the UI can render per-step progress. DNS propagation panel uses Go's net.Resolver with a custom Dial that routes lookups through a SPECIFIC resolver IP (8.8.8.8, 1.1.1.1, 9.9.9.9, 208.67.222.222, 4.2.2.1) rather than the system resolver. Per inviolable principle #4, the resolver list, expected NS records, and per-query timeout are all env-overridable. Frontend (ui/src/pages/admin/parent-domains/): - ParentDomainsPage.tsx — list view + Add Domain modal + per-row inline drawer with PropagationPanel - PropagationPanel.tsx — polls /propagation every 60s, renders green/yellow/red pills per resolver + rolling % propagated number - parentDomains.api.ts — typed REST client wrappers, no inline /api/ Routing: - /console/parent-domains registered under SovereignConsoleLayout - Added to Settings sub-nav for operator-admin reachability Tests: - 6 vitest cases (empty state, populated rows, modal open, drawer toggle, primary lock, propagation panel mount) - 13 Go cases covering list/add/delete/validation/propagation wire shape against a stub PDM - 3 Playwright E2E + 1440x900 screenshots: e2e/screenshots/829-1-just-flipped.png (0% propagated) e2e/screenshots/829-2-partially-propagated.png (40%) e2e/screenshots/829-3-fully-propagated.png (100%) Per inviolable principle #10 (credential hygiene) the registrarToken field is forwarded byte-for-byte to PDM and never enters a logged struct; the modal input uses type="password". Refs: #825 (parent epic), #826 (sister MD-1), #827 (sister MD-2) --------- Co-authored-by: hatiyildiz <hatice.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .claude | ||
| .github | ||
| .playwright-mcp | ||
| clusters | ||
| core | ||
| docs | ||
| infra/hetzner | ||
| platform | ||
| products | ||
| scripts | ||
| tests | ||
| .gitignore | ||
| CLAUDE.md | ||
| README.md | ||
OpenOva Catalyst
A self-sufficient Kubernetes-native platform. Published as signed OCI Blueprints. Deployable as your own Sovereign.
Catalyst is the open-source platform built by OpenOva. It turns any Kubernetes cluster into a Sovereign: a self-contained control plane that hosts Organizations, Environments, and Applications via GitOps + Crossplane, with a unified UI/Git/API for users.
Documentation
| Document | What it covers |
|---|---|
docs/GLOSSARY.md |
Canonical terminology — read first |
docs/ARCHITECTURE.md |
Catalyst architecture overview |
docs/IMPLEMENTATION-STATUS.md |
What's built today vs what's design-only — read second |
docs/NAMING-CONVENTION.md |
Naming patterns for every resource type |
docs/PERSONAS-AND-JOURNEYS.md |
Personas × journeys matrix; surfaces |
docs/SECURITY.md |
Identity (SPIFFE + Keycloak), secrets (OpenBao + ESO), rotation, multi-region semantics |
docs/SOVEREIGN-PROVISIONING.md |
How to bring a Sovereign online |
docs/BLUEPRINT-AUTHORING.md |
Writing Blueprints (incl. Crossplane Compositions) |
docs/PLATFORM-TECH-STACK.md |
Every component's role in Catalyst |
docs/SRE.md |
Operating a Sovereign |
docs/BUSINESS-STRATEGY.md |
Product strategy and GTM |
docs/TECHNOLOGY-FORECAST-2027-2030.md |
Component forecast 2027–2030 |
docs/VALIDATION-LOG.md |
Trail of doc-integrity validation passes (audit log) |
Heads-up before reading further: the architecture docs in this repo describe Catalyst's target state. Significant portions are not yet implemented — see
docs/IMPLEMENTATION-STATUS.mdfor what exists today vs what is design.
The model in 60 seconds
OpenOva (the company) publishes Catalyst (the platform).
A deployed Catalyst is called a Sovereign.
A Sovereign has:
- Organizations (multi-tenancy unit)
- Environments (org-scoped, env-typed: prod/stg/uat/dev/poc)
- Applications (installed Blueprints)
- Blueprints (the App Store catalog — public + Org-private)
Users install Applications from Blueprints into Environments.
Blueprints can depend on Blueprints (arbitrary depth).
Each Environment is one Gitea repo + one or more vclusters.
Every state change is a Git commit.
Every UI surface reads from a single CQRS projection.
Same code runs in every Sovereign:
- openova (run by us; SaaS Organizations)
- omantel (run by Omantel; SME Organizations across Oman)
- bankdhofar (run by the bank; internal Organizations)
- your-company (run by you, on infrastructure you choose)
See docs/GLOSSARY.md for every term, docs/ARCHITECTURE.md for the full picture.
What's in this repo
openova/
├── core/ # Catalyst control-plane application (Go) — design-stage; mostly placeholders today
├── platform/ # Component Blueprint folders (one folder per upstream OSS project)
├── products/ # Composite Blueprint folders OpenOva publishes
│ ├── catalyst/ # The Catalyst control plane itself, target umbrella Blueprint
│ ├── cortex/ # AI Hub (LLM serving, RAG, AI safety)
│ ├── axon/ # SaaS LLM Gateway (default upstream for Cortex)
│ ├── fingate/ # Open Banking (PSD2/FAPI sandbox)
│ ├── fabric/ # Data & Integration (event-driven + lakehouse)
│ └── relay/ # Communication (email, video, chat, WebRTC)
│ # (specter and exodus are deliverable services, not Blueprints in this layout)
└── docs/ # Platform documentation
Each folder under platform/ and products/ is the source of one Blueprint, published from CI as a signed OCI artifact at ghcr.io/openova-io/bp-<name>:<semver> (the bp- prefix is added to the OCI artifact name; folder names stay short). Per-folder isolation is provided at the OCI artifact layer, not the Git repo layer — this is a monorepo with per-Blueprint fan-out, not a meta-repo of separate Git repositories. See docs/BLUEPRINT-AUTHORING.md §2 for the folder layout contract.
Today, the 12-component bootstrap kit (cilium, cert-manager, flux, crossplane, sealed-secrets, spire, nats-jetstream, openbao, keycloak, gitea, powerdns + the bp-catalyst-platform umbrella under
products/catalyst/) ships with fullchart/+blueprint.yamlperdocs/IMPLEMENTATION-STATUS.md§7, plusproducts/axon/and theexternal-dnsleaf chart. The remaining 45 platform components and thecortex / fabric / fingate / relayproduct folders are design-stage — README only — until each lands its Blueprint manifest, chart, Compositions, and CI fan-out.
Stack at a glance
| Layer | Technology |
|---|---|
| Container runtime | k3s (k8s-conformant), containerd |
| CNI / Service Mesh | Cilium (eBPF mTLS, L7 policies, Gateway API) |
| GitOps | Flux (per-vcluster, lightweight) |
| Git | Gitea (per-Sovereign, hosts Blueprint mirror + per-Environment repos) |
| IaC for non-K8s | Crossplane (the only IaC; not user-facing) |
| Bootstrap IaC | OpenTofu (one-shot, archived after Phase 0) |
| Multi-tenancy | vcluster (one per Organization per host cluster) |
| Identity (workloads) | SPIFFE/SPIRE (5-min rotating SVIDs, mTLS everywhere) |
| Identity (users) | Keycloak (per-Org for SME, per-Sovereign for corporate) |
| Secrets | OpenBao (Apache 2.0; independent Raft per region, no stretched cluster) + External Secrets Operator |
| Event spine | NATS JetStream (Apache 2.0; pub/sub + KV; per-Org accounts) |
| TLS | cert-manager + Let's Encrypt or corporate CA |
| Policy | Kyverno |
| Supply chain | cosign (Sigstore), Syft + Grype SBOM, Trivy scans |
| Runtime security | Falco (eBPF) |
| Observability | OpenTelemetry → Grafana stack (Alloy + Loki + Mimir + Tempo) |
| WAF | Coraza (OWASP CRS) |
| DNS | PowerDNS authoritative per Sovereign zone + DNSSEC + lua-records (ifurlup, pickclosest); pool-domain-manager allocates pool subdomains and flips parent-zone NS via registrar adapters (Cloudflare / Namecheap / GoDaddy / OVH / Dynadot) — see docs/MULTI-REGION-DNS.md, docs/PLATFORM-POWERDNS.md |
| Backup | Velero (to SeaweedFS, which routes the cold tier to cloud archival S3) |
| Container registry | Harbor |
For the full component list and trends see docs/PLATFORM-TECH-STACK.md and docs/TECHNOLOGY-FORECAST-2027-2030.md.
Cloud providers
| Provider | Status |
|---|---|
| Hetzner Cloud | Available (most-tested path) |
| AWS / GCP / Azure | Crossplane providers available; full path coming |
| Oracle Cloud (OCI) | Crossplane provider available; full path coming |
| Huawei Cloud | Crossplane provider available; full path coming |
All providers reach Catalyst via the same Crossplane abstraction; Sovereign provisioning details per provider are in docs/SOVEREIGN-PROVISIONING.md.
Getting started
Try it (managed)
Visit marketplace.openova.io to install Applications on the openova Sovereign without any infrastructure setup. SaaS journey for SMEs and evaluations.
Run your own Sovereign
1. Provision via catalyst-provisioner.openova.io (managed bootstrap), OR
2. Self-host bp-catalyst-provisioner in your own infrastructure (air-gap path).
Then follow the procedure in docs/SOVEREIGN-PROVISIONING.md.
Build a Blueprint
See docs/BLUEPRINT-AUTHORING.md. A Blueprint is a folder under platform/<name>/ (or products/<name>/) in this monorepo containing blueprint.yaml + manifests (Helm chart or Kustomize base) + (optional) Crossplane Compositions. CI signs each folder's contents and publishes to OCI as ghcr.io/openova-io/bp-<name>:<semver>. Catalyst's blueprint-controller picks it up automatically. Org-private Blueprints follow the same shape inside per-Sovereign Gitea repos.
License
All Blueprints and the Catalyst control plane are open source. Each component carries its own upstream license (typically Apache 2.0, MPL 2.0, or BSD-3); see each component's LICENSE file.
OpenOva charges for support, managed operations, and expert services — never for access to code. See docs/BUSINESS-STRATEGY.md §10.
Contributing
PRs welcome. The contribution path for Blueprints (including Crossplane Compositions) is documented in docs/BLUEPRINT-AUTHORING.md §13. Issues and discussions on GitHub.
Cloud-native is the foundation. Catalyst is how you operate it.