TestBootstrapKit_BlueprintCardsHaveRequiredFields was failing on main for
9 blueprints because their platform/<name>/chart/Chart.yaml version had
been bumped without a matching update to platform/<name>/blueprint.yaml
spec.version. The pre-existing failure forced 7 recent PRs to self-merge
with --admin, masking real CI failures.
Aligned spec.version to match Chart.yaml version on:
cert-manager 1.1.1 -> 1.1.2
flux 1.1.3 -> 1.1.4
crossplane 1.1.3 -> 1.1.4
sealed-secrets 1.1.1 -> 1.1.2
spire 1.1.4 -> 1.1.7
nats-jetstream 1.1.1 -> 1.1.2
openbao 1.2.0 -> 1.2.14
keycloak 1.3.1 -> 1.3.2
gitea 1.2.1 -> 1.2.3
Verified locally:
$ go test ./... -run TestBootstrapKit_BlueprintCardsHaveRequiredFields -count=1
--- PASS: TestBootstrapKit_BlueprintCardsHaveRequiredFields (0.01s)
... all 10 sub-tests pass (cilium + the 9 above)
The existing test (tests/e2e/bootstrap-kit/main_test.go:145) is itself
the drift guardrail: it fails CI whenever Chart.yaml is bumped without a
matching blueprint.yaml bump. No additional script needed.
Closes #817 once verified on main.
Co-authored-by: Hatice Yildiz <hatice.yildiz@openova.io>
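The invariant the commit describes (platform/&lt;name&gt;/chart/Chart.yaml `version` must equal platform/&lt;name&gt;/blueprint.yaml `spec.version`) as an added, stand-alone illustration in Go, not the project's own test in tests/e2e/bootstrap-kit/main_test.go. It assumes 2-space YAML indentation and deliberately uses line-based parsing instead of a YAML library; the names Blueprint, ChartVersion, SpecVersion and CheckDrift and the sample file contents are constructed here.

```go
package main

import (
	"fmt"
	"strings"
)

// field returns the value of the first `key:` line for which want(line) holds.
// Line-based and minimal (enough for these two small files, not a YAML parser).
func field(doc, key string, want func(string) bool) string {
	for _, l := range strings.Split(doc, "\n") {
		if t := strings.TrimSpace(l); want(l) && strings.HasPrefix(t, key+":") {
			return strings.Trim(strings.TrimSpace(t[len(key)+1:]), `"'`)
		}
	}
	return ""
}

// ChartVersion is the top-level (unindented) `version:` of Chart.yaml.
func ChartVersion(doc string) string {
	return field(doc, "version", func(l string) bool { return !strings.HasPrefix(l, " ") })
}

// SpecVersion is the `version:` nested exactly one level (2-space indent assumed)
// under the top-level `spec:` mapping of blueprint.yaml; deeper keys are ignored.
func SpecVersion(doc string) string {
	inSpec := false
	return field(doc, "version", func(l string) bool {
		if strings.TrimSpace(l) != "" && !strings.HasPrefix(l, " ") {
			inSpec = strings.HasPrefix(l, "spec:") // entering or leaving the spec block
		}
		return inSpec && strings.HasPrefix(l, "  ") && !strings.HasPrefix(l, "   ")
	})
}

// Blueprint holds the contents of one platform/<name>/ pair of files (constructed input).
type Blueprint struct{ Name, ChartYAML, BlueprintYAML string }

// CheckDrift reports every blueprint whose two version fields differ or are missing;
// an empty result means Chart.yaml and blueprint.yaml are aligned.
func CheckDrift(bps []Blueprint) []string {
	var out []string
	for _, bp := range bps {
		if c, s := ChartVersion(bp.ChartYAML), SpecVersion(bp.BlueprintYAML); c == "" || c != s {
			out = append(out, fmt.Sprintf("%s: Chart.yaml version %q != blueprint.yaml spec.version %q", bp.Name, c, s))
		}
	}
	return out
}
func main() { // constructed sample: spire has drifted (1.1.7 vs 1.1.4), flux is aligned
	fmt.Println(CheckDrift([]Blueprint{
		{"spire", "apiVersion: v2\nname: spire\nversion: 1.1.7\n", "spec:\n  version: 1.1.4\n"},
		{"flux", "apiVersion: v2\nname: flux\nversion: 1.1.4\n", "spec:\n  version: 1.1.4\n"},
	}))
}
```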
Sealed Secrets
Transient, bootstrap-only secret transport for the Catalyst control plane (per docs/PLATFORM-TECH-STACK.md §3.3 — Security and policy). Used during Phase 0 of Sovereign provisioning to ship the initial bootstrap secrets through GitOps; archived/disabled once OpenBao + ESO replace it.
Status: Accepted. Chart wrapper at chart/. Updated: 2026-04-28.
Why transient
Per docs/SOVEREIGN-PROVISIONING.md §3 (Phase 0 Bootstrap kit):
e. Sealed Secrets (transient, only for bootstrap secrets)
Sealed Secrets is the standard pattern for "secrets in Git for the first 60 seconds of a cluster's life". After Phase 1 hand-off (per §4), the canonical Catalyst secret backend is OpenBao + ExternalSecrets Operator (ESO). Sealed Secrets stays installed but unused — the controller scales to 0 and the kubeseal CLI is no longer used.
Long-term cluster secrets follow the OpenBao path of org/<org>/env/<env_type>/... and are materialized into K8s Secrets via ESO ExternalSecret CRs.
Chart
The chart/ directory wraps the upstream Sealed Secrets Helm chart with Catalyst-curated values: minimal resources (controller is bootstrap-only), no UI.
OCI artifact: ghcr.io/openova-io/bp-sealed-secrets:1.0.0.
Part of OpenOva