openova/platform/guacamole/chart/Chart.yaml
e3mrah 74d23ab3dc
fix(charts): explicit harbor.openova.io/proxy-dockerhub prefix on all chart-hook images (#163) (#1367)
Per CLAUDE.md MIRROR-EVERYTHING inviolable rule: every chart-hook
image reference (pre/post-install Jobs, helper Pods) must use the
explicit Harbor proxy-cache form. Fix #158's bitnami → bitnamilegacy
swap was a band-aid; the architecturally correct fix is to defeat
upstream-deletion blast radius entirely by routing through Harbor.

The node-level containerd mirror in infra/hetzner/cloudinit-control-
plane.tftpl (line 706) already redirects docker.io/* →
harbor.openova.io/proxy-dockerhub/* implicitly, but implicit routing:
  - Hides the routing from SBOM scans
  - Bypasses the Kyverno harbor-proxy-pull ClusterPolicy
  - Means a chart audit (`grep docker.io`) misses a real dependency
  - Was the proximate cause of prov #27 wedging when Bitnami deleted
    docker.io/bitnami/kubectl:1.30.4 (Fix #158 had to chase the
    deletion mid-flight instead of being insulated by Harbor cache)

19 chart-hook image: refs + 5 chart values.yaml repository: defaults
now carry the explicit harbor.openova.io/proxy-dockerhub prefix.
Application/subchart images (keycloak, postgresql, mongodb in
keycloak+litmus subcharts) are intentionally out of scope for this
PR — those go through the node-level containerd mirror still.

Affected blueprints + chart version bumps:
  bp-cert-manager            1.2.1  -> 1.2.2
  bp-external-secrets-stores 1.0.4  -> 1.0.5
  bp-crossplane-claims       1.1.4  -> 1.1.5
  bp-flux                    1.2.1  -> 1.2.2
  bp-guacamole               0.1.16 -> 0.1.17
  bp-self-sovereign-cutover  0.1.28 -> 0.1.29
  bp-k8s-ws-proxy            0.1.9  -> 0.1.10
  bp-harbor                  1.2.15 -> 1.2.16
  bp-gitea                   1.2.5  -> 1.2.6
  bp-newapi                  1.4.5  -> 1.4.6
  bp-wordpress-tenant        0.2.0  -> 0.2.1
  catalyst-platform          1.4.138 -> 1.4.139

Co-authored-by: e3mrah <1234567+e3mrah@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 11:32:21 +04:00

96 lines
5.0 KiB
YAML

apiVersion: v2
name: bp-guacamole
# 0.1.1 (qa-loop iter-7 Fix #39): canonical short resource names
# (`guacd`, `guacamole-server`, `guacamole-recordings`); GHCR-mirrored
# upstream images so every Sovereign pulls from a registry we own;
# realm-patch ConfigMap lands in `keycloak` namespace (was: realm-name,
# which would have failed on every Sovereign); `realmConfig.namespace`
# override surface for non-default bp-keycloak placements.
# 0.1.3 (Fix #39 follow-up): default imagePullSecrets to [{name:
# ghcr-pull}] so the Deployments can pull from private GHCR without
# per-Sovereign overlay. The `ghcr-pull` secret is the canonical
# pull-credential surface across every Sovereign.
# 0.1.5 (Fix #39 follow-up): add /home/guacamole/.guacamole emptyDir
# mount so the webapp's first-start mkdir succeeds with
# readOnlyRootFilesystem=true. Without it pods crash-looped with
# `mkdir: cannot create directory '/home/guacamole/.guacamole':
# Read-only file system`.
# 0.1.9 (qa-loop iter-11 Fix #45 Cluster-A): pre-install/pre-upgrade
# Helm hook (Job + per-release ServiceAccount/Role/RoleBinding +
# cluster-scoped ClusterRole/ClusterRoleBinding for PV cleanup) that
# detects when the existing `guacamole-recordings` PVC is bound to a
# storageClass different from `.Values.guacamole.recordings.storageClass`
# and deletes the PVC + bound PV so the chart-side PVC manifest can
# recreate cleanly. Closes the live bp-guacamole HelmRelease wedge on
# omantel iter-11 (`PersistentVolumeClaim ... is invalid: spec:
# Forbidden: spec is immutable after creation`). Operator escape hatch:
# `.Values.guacamole.recordings.allowMigration: false` suppresses the
# hook for Sovereigns with long-lived recording state.
# 0.1.11 (Fix #45 Cluster-A follow-up): default `migrationImage` is
# now `docker.io/bitnamilegacy/kubectl:1.29.3` (the canonical kubectl
# surface used across every other Catalyst Blueprint). The 0.1.9
# default `bitnami/kubectl:1.30.4` 401'd on omantel because the
# Sovereign's Harbor docker.io proxy doesn't have it cached, leaving
# the migration Job in ImagePullBackOff and the bp-guacamole HR
# Reconciling forever.
# 0.1.15 (Fix #158, 2026-05-11): migrationImage bumped from
# bitnamilegacy/kubectl:1.29.3 -> bitnamilegacy/kubectl:1.30.7 to align
# with k3s 1.30 server version on Hetzner Sovereigns + template
# fallback default no longer references the deleted bitnami path.
# 0.1.17 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): migrationImage AND
# oidc-secret-bootstrap-job both gain explicit
# harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md inviolable rule.
version: 0.1.17
appVersion: "1.5.5"
description: |
  Catalyst-authored Blueprint chart for Apache Guacamole — a clientless
  HTML5 remote-desktop gateway that brokers SSH / RDP / VNC sessions
  AND kubectl-exec sessions through one browser-accessible surface.
  Sessions land authenticated via Keycloak SSO, are recorded to
  SeaweedFS for compliance, and reach Pods inside the same Sovereign
  via the per-node k8s-ws-proxy DaemonSet (bp-k8s-ws-proxy).
  Per ADR-0001 §11: ONE Guacamole per Sovereign — Manara-style
  multi-cluster fan-out is intentionally NOT supported (Sovereigns
  stay self-sufficient).
  This is a scratch chart — no upstream Guacamole Helm chart is
  bundled. The container images are upstream `guacamole/guacd` and
  `guacamole/guacamole`, SHA-pinned per
  docs/INVIOLABLE-PRINCIPLES.md #4a. CI populates the SHA tags via
  `yq eval -i .image.tag = "<sha>"` when promoting a build into
  clusters/<sovereign>/.
  Includes:
  - guacd Deployment + Service (RDP/VNC/SSH protocol backend)
  - guacamole-web Deployment + Service (Tomcat front-end with OIDC)
  - HTTPRoute (Cilium Gateway) for browser ingress
  - SeaweedFS PVC for session recordings (50Gi default)
  - SealedSecret placeholder for the Keycloak OIDC client secret
  - NetworkPolicy: default-deny + selective egress to k8s-ws-proxy
    and Keycloak
  - ConfigMap consumed by keycloak-config-cli post-deploy Job
    (mirrors the existing pattern from platform/keycloak/chart/)
type: application
keywords: [catalyst, blueprint, guacamole, remote-desktop, oidc, recording]
maintainers:
  - name: OpenOva Catalyst
    email: catalyst@openova.io
annotations:
  # Default values render zero resources (guacamole.enabled=false).
  # The blueprint-release smoke gate honors this annotation and
  # accepts a short default render; chart/tests/render.sh covers the
  # enabled-render path with full --set overrides.
  catalyst.openova.io/smoke-render-mode: default-off
# Scratch chart — the binary surface is fully owned by Apache. The
# `sigstore/common` library subchart below is included ONLY to satisfy
# the platform-wide blueprint-release.yaml hollow-chart gate (issue
# #181) — every umbrella MUST declare at least one dependency.
# `common` is a tiny library chart (helper templates only, zero
# runtime resources). Mirrors the same pattern used by
# bp-cert-manager-dynadot-webhook + bp-coraza for the same reason.
dependencies:
  - name: common
    version: "0.1.3"
    repository: "https://sigstore.github.io/helm-charts"
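The commit message argues that an implicit node-level containerd mirror hides Docker Hub dependencies from SBOM scans, from the Kyverno pull policy, and from a `grep docker.io` chart audit, and that every chart-hook image should instead carry the explicit `harbor.openova.io/proxy-dockerhub/` prefix. The audit script below is an added example, written for this page and not code from the bp-guacamole chart or the OpenOva repository. It shows why a plain grep is insufficient: a bare reference such as `busybox:1.36` contains no `docker.io` substring, yet under the Docker CLI normalisation rules it is a Docker Hub pull of the official image `library/busybox`, so its explicit proxy-cache form must include the `library/` namespace. The Harbor host and the `proxy-dockerhub` project name are taken from the commit message; the sample values text is constructed for the demonstration, and the `ghcr.io/example/helper` reference in it is a placeholder for a non-Docker-Hub registry that the script deliberately refuses to rewrite.

```python
"""Audit chart image references for the explicit Harbor proxy-cache prefix.

Added example, not part of bp-guacamole or the OpenOva repo.  Assumed:
Harbor host harbor.openova.io and proxy-cache project proxy-dockerhub
(names from the commit message); SAMPLE_VALUES is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HARBOR = "harbor.openova.io"
PROXY_PROJECT = "proxy-dockerhub"  # Harbor proxy-cache project fronting docker.io

# Keys whose scalar value is an image reference in values.yaml / hook templates.
IMAGE_LINE = re.compile(r"^\s*(?:[A-Za-z0-9_]*[Ii]mage|repository):\s*['\"]?([^'\"\s#]+)")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI reference using the Docker CLI normalisation rules: the
    first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the registry is docker.io, and a single-component
    docker.io name is an official image under the 'library/' namespace."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    colon, last_slash = ref.rfind(":"), ref.rfind("/")
    if colon > last_slash:  # a ':' after the last '/' is a tag, not a registry port
        name, tag = ref[:colon], ref[colon + 1:]
    parts = name.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", name
    if registry == "index.docker.io":
        registry = "docker.io"
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def to_harbor_proxy(ref: str) -> str:
    """Rewrite a docker.io reference into the explicit proxy-cache form.
    Harbor refs pass through unchanged; other registries raise, since no
    proxy project for them is assumed in this example."""
    r = parse_image_ref(ref)
    if r.registry == HARBOR:
        return ref
    if r.registry != "docker.io":
        raise ValueError(f"no proxy-cache project assumed for {r.registry}: {ref}")
    out = f"{HARBOR}/{PROXY_PROJECT}/{r.repository}"
    if r.tag:
        out += f":{r.tag}"
    if r.digest:
        out += f"@{r.digest}"
    return out


def audit_values(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, suggested_ref) for every image value that does
    not already carry the Harbor prefix.  Go-templated values and URLs
    (a Chart.yaml dependency 'repository:' is a URL, not an image) are skipped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("{{") or "://" in ref:
            continue
        if parse_image_ref(ref).registry == HARBOR:
            continue
        try:
            suggested = to_harbor_proxy(ref)
        except ValueError:
            suggested = "<manual: non-docker.io registry>"
        findings.append((n, ref, suggested))
    return findings


def rewrite_values(text: str) -> str:
    """Apply the docker.io rewrites in place; manual cases are left as-is."""
    lines = text.splitlines()
    for n, ref, suggested in audit_values(text):
        if not suggested.startswith("<manual"):
            lines[n - 1] = lines[n - 1].replace(ref, suggested, 1)
    return "\n".join(lines) + "\n"


# Constructed sample, modelled on the kinds of chart-hook keys the commit touches.
SAMPLE_VALUES = """\
# constructed sample values
migrationImage: docker.io/bitnamilegacy/kubectl:1.30.7
oidcBootstrap:
  image: bitnamilegacy/kubectl:1.30.7
recordingsInit:
  image: busybox:1.36
guacd:
  image:
    repository: harbor.openova.io/proxy-dockerhub/guacamole/guacd
    tag: "1.5.5"
helper:
  image: ghcr.io/example/helper:1.0.0
"""
```

Running `audit_values(SAMPLE_VALUES)` flags lines 2, 4, 6 and 12: the first two resolve to the same `harbor.openova.io/proxy-dockerhub/bitnamilegacy/kubectl:1.30.7`, `busybox:1.36` becomes `harbor.openova.io/proxy-dockerhub/library/busybox:1.36`, and the `ghcr.io` reference is reported for manual handling because the mirror-everything rule needs a separate proxy project per upstream registry. After `rewrite_values`, a second audit reports only the manual case, which is the state in which a grep for the Harbor prefix, an SBOM scanner and a registry-allowlist admission policy all see the same dependency.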