openova/platform/crossplane-claims/chart/Chart.yaml
e3mrah 74d23ab3dc
fix(charts): explicit harbor.openova.io/proxy-dockerhub prefix on all chart-hook images (#163) (#1367)
Per CLAUDE.md MIRROR-EVERYTHING inviolable rule: every chart-hook
image reference (pre/post-install Jobs, helper Pods) must use the
explicit Harbor proxy-cache form. Fix #158's bitnami → bitnamilegacy
swap was a band-aid; the architecturally correct fix is to defeat
upstream-deletion blast radius entirely by routing through Harbor.

The node-level containerd mirror in infra/hetzner/cloudinit-control-
plane.tftpl (line 706) already redirects docker.io/* →
harbor.openova.io/proxy-dockerhub/* implicitly, but implicit routing:
  - Hides the routing from SBOM scans
  - Bypasses the Kyverno harbor-proxy-pull ClusterPolicy
  - Means a chart audit (`grep docker.io`) misses a real dependency
  - Was the proximate cause of prov #27 wedging when Bitnami deleted
    docker.io/bitnami/kubectl:1.30.4 (Fix #158 had to chase the
    deletion mid-flight instead of being insulated by Harbor cache)

19 chart-hook image: refs + 5 chart values.yaml repository: defaults
now carry the explicit harbor.openova.io/proxy-dockerhub prefix.
Application/subchart images (keycloak, postgresql, mongodb in
keycloak+litmus subcharts) are intentionally out of scope for this
PR — those go through the node-level containerd mirror still.

Affected blueprints + chart version bumps:
  bp-cert-manager            1.2.1  -> 1.2.2
  bp-external-secrets-stores 1.0.4  -> 1.0.5
  bp-crossplane-claims       1.1.4  -> 1.1.5
  bp-flux                    1.2.1  -> 1.2.2
  bp-guacamole               0.1.16 -> 0.1.17
  bp-self-sovereign-cutover  0.1.28 -> 0.1.29
  bp-k8s-ws-proxy            0.1.9  -> 0.1.10
  bp-harbor                  1.2.15 -> 1.2.16
  bp-gitea                   1.2.5  -> 1.2.6
  bp-newapi                  1.4.5  -> 1.4.6
  bp-wordpress-tenant        0.2.0  -> 0.2.1
  catalyst-platform          1.4.138 -> 1.4.139

Co-authored-by: e3mrah <1234567+e3mrah@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 11:32:21 +04:00


apiVersion: v2
name: bp-crossplane-claims
# 1.1.4 (Fix #158, 2026-05-11): kubectlImage switched from
# docker.io/bitnami/kubectl:1.31 to docker.io/bitnamilegacy/kubectl:
# 1.31.4. Bitnami's 2025-08 secure-images cutover deleted every versioned
# tag from docker.io/bitnami/kubectl. bitnamilegacy is Bitnami's
# deprecation-fallback path.
#
# 1.1.5 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): kubectlImage repository
# switched from bitnamilegacy/kubectl to
# harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl. Per CLAUDE.md
# inviolable rule, ALL chart-hook references MUST be explicit Harbor
# proxy-cache form.
version: 1.1.5
description: |
  Catalyst Crossplane XRDs + Compositions Blueprint. Carries ONLY the
  apiextensions.crossplane.io/v1 CompositeResourceDefinition and
  Composition CRs that define the compose.openova.io/v1alpha1 day-2 CRUD
  family (XClusterClaim, XRegionClaim, XNodePoolClaim, XLoadBalancerClaim,
  XPeeringClaim, XNodeActionClaim).
  This chart was split out of bp-crossplane to resolve the intra-chart
  CRD-ordering bind: a single Helm release cannot install a CRD AND a CR
  of that CRD's kind in the same apply pass — the apiserver rejects the
  CR because the CRD is not yet registered. The upstream crossplane
  subchart (in bp-crossplane) registers the apiextensions.crossplane.io
  CRDs; this chart depends on bp-crossplane being Ready (via Flux
  HelmRelease `dependsOn`) before its templates are applied.
  Pattern locked in by docs/INVIOLABLE-PRINCIPLES.md and reinforced by
  the founder for ALL similar future cases: intra-chart CRD-ordering
  breaks → split into two charts + Flux dependsOn.
type: application
keywords: [catalyst, blueprint, crossplane, claims, xrds, compositions]
maintainers:
  - name: OpenOva Catalyst
    email: catalyst@openova.io
# This chart legitimately ships NO upstream subchart — its entire payload
# is Catalyst-authored XRDs + Compositions. The blueprint-release CI
# guard (hollow-chart check, issue #181) reads this annotation and skips
# the "MUST declare dependencies" rule for charts marked here. The check
# remains in force for every other umbrella chart. See
# .github/workflows/blueprint-release.yaml GUARD 1.
annotations:
  catalyst.openova.io/no-upstream: "true"
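An audit of the kind the commit message describes, as an added example (not code from the openova repo): it resolves each `image:` / `repository:` value the way a container runtime would, so a registry-less ref such as `bitnamilegacy/kubectl` is flagged as an implicit Docker Hub pull that a plain `grep docker.io` misses, and it rewrites such refs into the explicit Harbor proxy-cache form this commit moves to. The prefix comes from the commit; the sample chart text is constructed.

```python
import re

HARBOR_PROXY = "harbor.openova.io/proxy-dockerhub"  # prefix named in the commit message
# image:/repository: values in values.yaml or rendered templates; skip Helm repo URLs
# and unrendered {{ }} template expressions (those resolve via values.yaml defaults).
IMAGE_KEYS = re.compile(
    r'^\s*(?:-\s*)?(?:image|repository):\s*["\']?(?!https?://|\{\{)([^"\'\s]+)', re.M)


def split_ref(ref):
    """Split an image ref into (name, suffix), suffix being the @digest or :tag."""
    name, sep, digest = ref.partition("@")
    if sep:
        return name, "@" + digest
    colon = name.rfind(":")
    if colon > name.rfind("/"):          # a colon after the last slash is a tag,
        return name[:colon], name[colon:]  # not a registry port (localhost:5000/x)
    return name, ""


def classify(ref):
    """'explicit-harbor' | 'implicit-dockerhub' | 'other-registry'."""
    name, _ = split_ref(ref)
    first, slash, _ = name.partition("/")
    # Runtimes treat the first segment as a registry only if it looks like a host.
    is_registry = bool(slash) and ("." in first or ":" in first or first == "localhost")
    if is_registry and name.startswith(HARBOR_PROXY + "/"):
        return "explicit-harbor"
    if not is_registry or first == "docker.io":
        return "implicit-dockerhub"       # would silently ride the containerd mirror
    return "other-registry"


def to_explicit(ref):
    """Rewrite a Docker Hub ref to the explicit Harbor proxy-cache form."""
    if classify(ref) != "implicit-dockerhub":
        return ref
    name, suffix = split_ref(ref)
    parts = name.split("/")
    if parts[0] == "docker.io":
        parts = parts[1:]
    if len(parts) == 1:                   # official image: the proxy path needs library/
        parts = ["library"] + parts
    return f"{HARBOR_PROXY}/{'/'.join(parts)}{suffix}"


def audit(chart_text):
    """Map every image:/repository: value in chart text to its classification."""
    return {ref: classify(ref) for ref in IMAGE_KEYS.findall(chart_text)}


SAMPLE = """\
# constructed sample mixing pre- and post-fix forms from the commit message
kubectlImage:
  repository: bitnamilegacy/kubectl
  tag: 1.31.4
hooks:
  - image: docker.io/bitnami/kubectl:1.30.4
  - image: harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.31.4
  - image: registry.k8s.io/kubectl:v1.31.0
"""

if __name__ == "__main__":
    for ref, kind in audit(SAMPLE).items():
        print(f"{kind:18} {ref} -> {to_explicit(ref)}")
```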