Two SME-blocker bugs caught live on otech113 (alice signup gate 5 fails on
fresh Sovereign):
#952 — bp-newapi 1.4.0 Pod has no imagePullSecrets, so kubelet pulls
PRIVATE ghcr.io/openova-io/openova/{newapi-mirror,services-metering-sidecar}
anonymously and gets 403 Forbidden. Fix:
- Templatize spec.imagePullSecrets on Deployment + channel-seed Job.
- Default values.yaml `imagePullSecrets: [{name: ghcr-pull}]`.
- Add `newapi` to flux-system/ghcr-pull's reflector
reflection-{allowed,auto}-namespaces in cloudinit-control-plane.tftpl
so bp-reflector mirrors the source Secret into the namespace
automatically on every fresh Sovereign.
- Bump bp-newapi 1.4.0 -> 1.4.1, update _template overlay.
#953 — services-build.yaml's image-rewrite loop only matched the
hardcoded `image: ghcr.io/.../services-<svc>:<sha>` form. 7 of 8
sme-services templates use `image: "{{ ... }}/services-<svc>:{{
.Values.images.smeTag }}"`. Each services-build run bumped only
auth.yaml while reporting "update sme service images to ${SHA}",
leaving the live Pod on stale bytes (PR #951's #941 fix never reached
services-catalog despite the merge + chart bump chain). Fix:
- After the hardcoded loop, also bump `images.smeTag` in
products/catalyst/chart/values.yaml with a strict regex match
(`^ smeTag: "<sha>"$`); refuse to auto-bump if the line shape
changes (defends against silent drift if a contributor renames the
field).
- Mirror the change into the retry-path `rewrite()` function so a
reset-to-origin/main retry does not recreate the original bug.
Tests:
- platform/newapi/chart/tests/imagepullsecrets-render.sh — 4 cases
asserting the Deployment and channel-seed Job carry the default
ghcr-pull reference, that an empty override suppresses the block,
and that custom secret names propagate (Inviolable Principle #4).
- tests/integration/services-build-rewrite.sh — 3 cases reproducing
the workflow's rewrite logic on a sandboxed copy of the live
chart, asserting both auth.yaml's hardcoded line AND values.yaml's
smeTag get bumped, that helm-render of the catalyst chart with
the bumped values produces all 8 SME-service Deployments at the
new SHA, and that an idempotent re-bump to a second SHA also lands
cleanly.
Refs: #952, #953 (umbrella #915 — alice signup gate 5).
Co-authored-by: hatiyildiz <143030955+hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
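Added example (not the project's services-build.yaml, not code from this commit): a shell function that performs the strict-regex `images.smeTag` bump described under #953. It assumes, which the commit does not state, that values.yaml indents `smeTag` by two spaces under `images:` and that the tag is a 7-40 character lowercase hex SHA. It also goes one step beyond the text: it refuses when the line is missing or appears more than once, not only when its shape changes, so a contributor renaming the field can never make the workflow report a bump that did not happen. The sample values.yaml is constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code. Assumptions (not from the
# commit message): two-space indentation of smeTag under images:, and a
# 7-40 char lowercase hex SHA as the tag value.

# bump_sme_tag FILE NEW_SHA
# Rewrites the single `  smeTag: "<sha>"` line in FILE to NEW_SHA.
# Returns 0 on success; returns 1 (and touches nothing) when NEW_SHA is not
# hex, or when the strict line shape matches zero or more than one line.
bump_sme_tag() {
  file="$1"; new_sha="$2"
  pattern='^  smeTag: "[0-9a-f]{7,40}"$'

  # Validate the SHA first: it goes into a sed replacement, so restricting it
  # to lowercase hex also rules out sed metacharacters.
  case "$new_sha" in
    ""|*[!0-9a-f]*)
      echo "refusing to bump: NEW_SHA is not lowercase hex" >&2; return 1 ;;
  esac

  # Exactly one line must have the expected shape; anything else is drift.
  count=$(grep -E -c "$pattern" "$file" || true)
  if [ "$count" != "1" ]; then
    echo "refusing to bump: expected exactly one smeTag line, found $count" >&2
    return 1
  fi

  # -i.bak works on both GNU and BSD sed; the backup is dropped on success.
  sed -E -i.bak "s/$pattern/  smeTag: \"$new_sha\"/" "$file" && rm -f "$file.bak"

  # Post-condition: the new tag is really on disk in the strict shape.
  grep -q "^  smeTag: \"$new_sha\"\$" "$file"
}

# Stand-alone demo on a constructed values.yaml (sample data, not the repo's).
demo_dir=$(mktemp -d)
printf 'images:\n  smeTag: "abc1234"\n  api: "ghcr.io/example/api:1.0"\n' \
  > "$demo_dir/values.yaml"
if bump_sme_tag "$demo_dir/values.yaml" "def5678"; then
  echo "bumped:"; grep smeTag "$demo_dir/values.yaml"
fi
# Drift case: a renamed field must be refused, not silently skipped.
printf 'images:\n  smeVersion: "abc1234"\n' > "$demo_dir/drift.yaml"
if ! bump_sme_tag "$demo_dir/drift.yaml" "def5678" 2>/dev/null; then
  echo "drift refused as expected"
fi
rm -rf "$demo_dir"
```

Both the hardcoded `image:` loop and this bump should be called from the same place in the workflow and again in the reset-to-origin/main retry path, as the commit message notes; a non-zero return here should fail the job rather than be swallowed, so the "update sme service images" commit is never pushed when the tag did not move.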