Per CLAUDE.md MIRROR-EVERYTHING inviolable rule: every chart-hook
image reference (pre/post-install Jobs, helper Pods) must use the
explicit Harbor proxy-cache form. Fix#158's bitnami → bitnamilegacy
swap was a band-aid; the architecturally correct fix is to defeat
upstream-deletion blast radius entirely by routing through Harbor.

The node-level containerd mirror in infra/hetzner/cloudinit-control-plane.tftpl
(line 706) already redirects docker.io/* → harbor.openova.io/proxy-dockerhub/*
implicitly, but implicit routing:
- Hides the routing from SBOM scans
- Bypasses the Kyverno harbor-proxy-pull ClusterPolicy
- Means a chart audit (`grep docker.io`) misses a real dependency
- Was the proximate cause of prov #27 wedging when Bitnami deleted
docker.io/bitnami/kubectl:1.30.4 (Fix#158 had to chase the
deletion mid-flight instead of being insulated by Harbor cache)

19 chart-hook image: refs + 5 chart values.yaml repository: defaults
now carry the explicit harbor.openova.io/proxy-dockerhub prefix.
Application/subchart images (keycloak, postgresql, mongodb in
keycloak+litmus subcharts) are intentionally out of scope for this
PR — those go through the node-level containerd mirror still.

Affected blueprints + chart version bumps:
bp-cert-manager 1.2.1 -> 1.2.2
bp-external-secrets-stores 1.0.4 -> 1.0.5
bp-crossplane-claims 1.1.4 -> 1.1.5
bp-flux 1.2.1 -> 1.2.2
bp-guacamole 0.1.16 -> 0.1.17
bp-self-sovereign-cutover 0.1.28 -> 0.1.29
bp-k8s-ws-proxy 0.1.9 -> 0.1.10
bp-harbor 1.2.15 -> 1.2.16
bp-gitea 1.2.5 -> 1.2.6
bp-newapi 1.4.5 -> 1.4.6
bp-wordpress-tenant 0.2.0 -> 0.2.1
catalyst-platform 1.4.138 -> 1.4.139

Co-authored-by: e3mrah <1234567+e3mrah@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
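As an added example, not code from the commit or from the project's own tooling, the following POSIX shell script applies the rule the message describes to rendered hook manifests and values.yaml fragments: it flags every inline image:/repository: reference that lacks the explicit harbor.openova.io/proxy-dockerhub prefix (explicit docker.io/, namespaced shorthand such as bitnami/kubectl, and bare official-image names alike, which a plain `grep docker.io` misses), and it rewrites Docker Hub references into that form using Docker's own resolution rules. Only the Harbor host and project name are taken from the message; the function names, the sample Job/values YAML and the ghcr.io reference are constructed for illustration and assume nothing about the real charts.

```shell
#!/bin/sh
# Added example, not the project's own tooling: audit chart-hook image refs for
# the explicit Harbor proxy-cache form and rewrite Docker Hub refs into it.
# Harbor host/project come from the commit message; function names and sample
# manifests below are constructed assumptions.

HARBOR_PREFIX="harbor.openova.io/proxy-dockerhub/"

# Read YAML on stdin; print each inline image: or repository: value (quotes
# stripped), one per line. Map-form "image:" keys with no inline value are
# skipped because their repository:/tag: children are matched on their own.
extract_images() {
  awk '/^[ \t]*(- )?[ \t]*(image|repository):[ \t]*[^ \t]/ {
         sub(/.*(image|repository):[ \t]*/, "")
         print $1
       }' | tr -d "\"'"
}

# 0 if the ref already carries the explicit Harbor prefix, 1 otherwise. Any
# other form is only reachable through the implicit node-level containerd
# mirror, which is exactly what the message wants hooks to stop relying on.
image_is_mirrored() {
  case "$1" in
    "$HARBOR_PREFIX"*) return 0 ;;
    *)                 return 1 ;;
  esac
}

# Normalise a Docker Hub ref into the explicit Harbor form: no registry host
# means docker.io, a single path component means the library/ namespace.
# Refs to other registries are returned unchanged; they would need their own
# Harbor proxy project, which this example does not assume exists.
to_harbor_ref() {
  ref="$1"
  case "$ref" in
    "$HARBOR_PREFIX"*) printf '%s\n' "$ref"; return 0 ;;
    docker.io/*)       ref="${ref#docker.io/}" ;;
    index.docker.io/*) ref="${ref#index.docker.io/}" ;;
  esac
  case "$ref" in
    */*)
      first="${ref%%/*}"
      case "$first" in
        *.*|*:*|localhost) printf '%s\n' "$1"; return 0 ;;  # another registry
      esac ;;
    *) ref="library/$ref" ;;  # bare name such as busybox:1.36
  esac
  printf '%s\n' "$HARBOR_PREFIX$ref"
}

# Audit YAML on stdin: report every unmirrored ref on stderr with its explicit
# form, and return 1 if any was found so the check can gate CI.
audit_manifest() {
  rc=0
  for ref in $(extract_images); do
    if ! image_is_mirrored "$ref"; then
      echo "unmirrored image ref: $ref (explicit form: $(to_harbor_ref "$ref"))" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a rendered pre-install hook Job plus a values.yaml
# fragment as they would look before the fix (explicit docker.io, shorthand).
sample_before() {
  cat <<'EOF'
kind: Job
metadata:
  annotations:
    helm.sh/hook: pre-install
spec:
  template:
    spec:
      containers:
        - name: kubectl
          image: docker.io/bitnami/kubectl:1.30.4
        - name: helper
          image: "busybox:1.36"
---
hookImage:
  repository: bitnami/kubectl
  tag: 1.30.4
EOF
}

# The same constructed objects carrying the explicit Harbor proxy-cache prefix.
sample_after() {
  cat <<'EOF'
kind: Job
metadata:
  annotations:
    helm.sh/hook: pre-install
spec:
  template:
    spec:
      containers:
        - name: kubectl
          image: harbor.openova.io/proxy-dockerhub/bitnami/kubectl:1.30.4
        - name: helper
          image: "harbor.openova.io/proxy-dockerhub/library/busybox:1.36"
---
hookImage:
  repository: harbor.openova.io/proxy-dockerhub/bitnami/kubectl
  tag: 1.30.4
EOF
}

# Demo: the pre-fix sample fails the audit, the post-fix sample passes.
sample_before | audit_manifest || echo "before: violations found (expected)"
sample_after  | audit_manifest && echo "after: clean"
```

Run it against `helm template` output (for example `helm template . | sh -c '. ./audit.sh; audit_manifest'`) to catch hook images before a release; the audit deliberately flags non-Docker-Hub registries too, since under the rule quoted in the message those would need their own explicit Harbor proxy project rather than silent passage through the node mirror.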