openova/platform/flux/chart/values.yaml
e3mrah 83ec889f06
feat(platform): add global.imageRegistry to remaining bp-* charts + bp-catalyst-platform (PR 3/3, #560) (#580)
Charts bumped:
- bp-keycloak 1.2.0 -> 1.2.1 (subchart stub; per-component image.registry knobs documented)
- bp-crossplane 1.1.3 -> 1.1.4 (subchart stub)
- bp-crossplane-claims 1.1.0 -> 1.1.1 (global.kubectlImage added; kubectl Job image templated; Hetzner ubuntu-24.04 server images intentionally untouched)
- bp-velero 1.2.0 -> 1.2.1 (subchart stub)
- bp-kyverno 1.0.0 -> 1.0.1 (subchart stub; per-controller image.registry knobs documented)
- bp-trivy 1.0.0 -> 1.0.1 (subchart stub; both operator + scanner image.registry knobs documented)
- bp-grafana 1.0.0 -> 1.0.1 (subchart stub)
- bp-flux 1.1.3 -> 1.1.4 (subchart stub; per-controller image.repository knobs documented)
- bp-catalyst-platform 1.1.13 -> 1.1.14 (global.imageRegistry + images.{catalystApi,catalystUi,marketplaceApi,console,smeTag} added; all 14 Catalyst-authored image refs templated: catalyst-api, catalyst-ui, marketplace-api, console + 10 SME services)

Post-handover per-Sovereign overlays set global.imageRegistry to harbor.<sovereign-fqdn> so every container image pull routes through the Sovereign's own Harbor proxy_cache.

Closes (partial): issue #560 — all 23 bp-* charts now carry global.imageRegistry

Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
2026-05-02 13:21:53 +04:00


# Catalyst Blueprint umbrella metadata — the upstream chart is now resolved
# as a Helm subchart via Chart.yaml `dependencies:`. This values.yaml carries:
#   1. The `global:` block (global.imageRegistry, issue #560).
#   2. The catalystBlueprint metadata block (provenance + version) so
#      observability/audit pipelines can inspect the artifact and report
#      which upstream chart + version is bundled.
#   3. The `catalyst:` overlay values consumed by this chart's own templates.
#   4. The upstream subchart values overlay under the `flux2:` key
#      (umbrella-chart convention — the dependency name from Chart.yaml is
#      the values namespace).
global:
  # When set, ALL image pulls in this chart route through this registry.
  # Used post-handover when the Sovereign's own Harbor takes over the
  # proxy_cache role from contabo's central Harbor. Empty = no rewrite
  # (image references use upstream defaults).
  #
  # CAVEAT: this chart is a subchart stub, so setting this value alone does
  # NOT rewrite the Flux controller images. The upstream flux2 chart exposes
  # per-controller `flux2.<controller>.image.repository` knobs; per-Sovereign
  # overlays must set those alongside this value, otherwise the controllers
  # keep pulling from upstream. Tracked under #560.
  imageRegistry: ""

catalystBlueprint:
  # Pinned to flux2 2.14.1 (= upstream Flux appVersion 2.4.0). MUST match
  # `infra/hetzner/cloudinit-control-plane.tftpl`'s install.yaml URL
  # (currently v2.4.0). See Chart.yaml comment block "CRITICAL VERSION-PIN
  # INVARIANT" for the full incident replay (omantel.omani.works,
  # 2026-04-29 — Flux controllers deleted by Helm rollback after a
  # double-install version-mismatch).
  upstream: { chart: flux2, version: "2.14.1", repo: "https://fluxcd-community.github.io/helm-charts" }

# ─── Catalyst overlay values ──────────────────────────────────────────────
catalyst:
  # Namespace where the Flux controllers run. Used by
  # templates/catalyst-cluster-reconciler-rbac.yaml to subject the
  # canonical helm-controller + kustomize-controller ServiceAccounts in a
  # ClusterRoleBinding to `cluster-admin`. See that file's header for the
  # full issue #338 context.
  #
  # Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode), this is
  # operator-overridable. The default is `flux-system` because that's the
  # canonical Catalyst install namespace (see
  # `clusters/_template/bootstrap-kit/03-flux.yaml` + cloud-init's flux2
  # install.yaml). Changing it requires a parallel change to cloud-init,
  # otherwise the RBAC binding targets ServiceAccounts that do not exist.
  fluxNamespace: flux-system

# ─── Upstream chart values (subchart key: flux2) ──────────────────────────
# Generated by docs/PROVISIONING-PLAN.md tickets [F] chart Pass 105+.
flux2:
  installCRDs: true
  sourceController:
    resources:
      requests: { cpu: 50m, memory: 64Mi }
      limits: { memory: 256Mi }
  kustomizeController:
    resources:
      requests: { cpu: 50m, memory: 64Mi }
      limits: { memory: 256Mi }
  helmController:
    resources:
      requests: { cpu: 50m, memory: 64Mi }
      limits: { memory: 256Mi }
  # Prometheus PodMonitor — DEFAULT OFF.
  #
  # Per docs/INVIOLABLE-PRINCIPLES.md #4 and docs/BLUEPRINT-AUTHORING.md
  # §11.2 (Observability toggles must default false). The upstream flux2
  # chart's `prometheus.podMonitor.create` renders a
  # monitoring.coreos.com/v1 PodMonitor which the apiserver rejects on a
  # fresh Sovereign before bp-kube-prometheus-stack ships the CRD.
  # Operator opts in via per-cluster overlay (issue #182).
  prometheus:
    podMonitor:
      create: false
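The `global.imageRegistry` contract above (empty = no rewrite; set = every pull routed through the Sovereign's Harbor proxy_cache) is easy to state and easy to break: an image reference that is not templated, or a bare Docker Hub name such as `bitnami/kubectl:1.31`, silently keeps pulling from upstream. The following is an added example, not code from the openova repo. It normalises image references the way a container runtime does (implicit `docker.io`, implicit `library/`, tags versus digests, registries with ports), rewrites them through a registry idempotently, and audits `helm template` output for pulls that bypass the registry. The proxy_cache project layout (one Harbor project per upstream registry, `ghcr.io` becomes `ghcr-io`), the hostname `harbor.sovereign.example` and the sample manifests are assumptions of the example, not the project's conventions.

```python
"""Image-reference rewrite and post-render audit for a global.imageRegistry overlay.

Added example; not code from the openova repo. Assumptions (labelled):
  * proxy_project(): one Harbor proxy_cache project per upstream registry,
    named after it with '.' and ':' replaced by '-' (ghcr.io -> ghcr-io).
    Harbor does not impose this layout; adjust it to yours.
  * audit() scans rendered manifests line by line for `image:` keys;
    it is not a full YAML parser.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ImageRef:
    registry: str          # "ghcr.io", "docker.io", "localhost:5000"
    path: str              # "fluxcd/source-controller", "library/nginx"
    tag: Optional[str]
    digest: Optional[str]  # "sha256:..." when pinned by digest

    def __str__(self) -> str:
        out = f"{self.registry}/{self.path}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image(ref: str) -> ImageRef:
    """Normalise a reference the way a runtime does.

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the registry is docker.io and a bare name
    such as 'nginx' lives under 'library/'. That implicit docker.io is the
    case that escapes a registry override when it is not normalised.
    """
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
        if len(parts) == 1:
            parts = ["library"] + parts
    tag: Optional[str] = None
    if ":" in parts[-1]:  # only the last segment may carry a tag
        parts[-1], tag = parts[-1].rsplit(":", 1)
    return ImageRef(registry, "/".join(parts), tag, digest)


def proxy_project(upstream_registry: str) -> str:
    """ASSUMPTION: proxy_cache project name derived from the upstream registry."""
    return upstream_registry.replace(":", "-").replace(".", "-")


def rewrite_image(ref: str, image_registry: str) -> str:
    """Route `ref` through `image_registry`; '' means no rewrite (chart default).

    Idempotent: a reference already served by image_registry is returned
    unchanged, so re-rendering with the overlay applied does not double-prefix.
    """
    if not image_registry:
        return ref
    img = parse_image(ref)
    if img.registry == image_registry:
        return str(img)
    return str(ImageRef(image_registry, f"{proxy_project(img.registry)}/{img.path}",
                        img.tag, img.digest))


IMAGE_LINE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^"\'\s]+)')


def find_images(rendered: str) -> List[str]:
    """Collect `image:` values from rendered manifests, in document order."""
    return [m.group(1) for m in map(IMAGE_LINE.match, rendered.splitlines()) if m]


def audit(rendered: str, image_registry: str) -> List[str]:
    """Every image in `rendered` that would NOT pull from image_registry.

    Run over `helm template` output of a per-Sovereign overlay before handover;
    an empty list means every pull goes through the Sovereign Harbor.
    """
    if not image_registry:
        return []
    return [ref for ref in find_images(rendered)
            if parse_image(ref).registry != image_registry]


# Constructed sample of rendered output (not from the repo): one controller
# already routed through Harbor, one kubectl Job still on implicit docker.io.
SAMPLE_RENDERED = """\
apiVersion: apps/v1
kind: Deployment
metadata: {name: source-controller, namespace: flux-system}
spec:
  template:
    spec:
      containers:
      - name: manager
        image: harbor.sovereign.example/ghcr-io/fluxcd/source-controller:v1.4.1
        imagePullPolicy: IfNotPresent
---
apiVersion: batch/v1
kind: Job
spec:
  template:
    spec:
      containers:
      - name: kubectl
        image: "bitnami/kubectl:1.31"
"""

if __name__ == "__main__":
    registry = "harbor.sovereign.example"
    for leak in audit(SAMPLE_RENDERED, registry):
        print(f"not routed via {registry}: {leak} -> {rewrite_image(leak, registry)}")
```

Wire `audit()` into CI against `helm template` output of each per-Sovereign overlay: a non-empty result lists exactly the image references (untemplated subchart defaults, kubectl Job images, bare Docker Hub names) that would still reach upstream after handover. Because the audit runs on rendered manifests rather than on values files, it also catches images the chart hardcodes in templates that no `image.registry` knob reaches.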