openova/clusters/_template/bootstrap-kit/15-external-secrets.yaml

# bp-external-secrets — Catalyst bootstrap-kit Blueprint, W2.K1 slot 15.
# External Secrets Operator (ESO). Day-2 secret pipeline from OpenBao →
# Kubernetes Secret materialization. Takes over from bp-sealed-secrets
# (slot 05, transient) once OpenBao is Ready and ESO is reconciling.
#
# Per docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §1.2 (Tier 0/3 — host-layer
# secret distribution) and §2.3 (W2.K1 dependency graph): ESO is sequenced
# at slot 15 (first slot in the W2.K1 contiguous range) but its
# dependsOn is [bp-openbao(08), bp-cert-manager(02)] — Flux gates install
# on Ready=True for both, regardless of slot order. ESO's webhook
# requests a TLS cert from the cluster's letsencrypt-prod / cluster-ca
# ClusterIssuer; without bp-cert-manager Ready, the Certificate stays
# Pending and the operator never reaches Running.
#
# Wrapper chart: platform/external-secrets/chart/
# Catalyst-curated values: platform/external-secrets/chart/values.yaml
# Reconciled by: Flux on the new Sovereign's k3s control plane.

---
apiVersion: v1
kind: Namespace
metadata:
  name: external-secrets-system
  labels:
    catalyst.openova.io/sovereign: SOVEREIGN_FQDN_PLACEHOLDER
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bp-external-secrets
  namespace: flux-system
spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-external-secrets
  namespace: flux-system
spec:
  interval: 15m
  releaseName: external-secrets
  targetNamespace: external-secrets-system
  # ESO depends on:
  #   - bp-openbao(08): the secret backend ESO pulls from. ClusterSecretStore
  #     resources reference the in-cluster OpenBao service; without OpenBao
  #     Ready those CRs land but every ExternalSecret reconcile fails.
  #   - bp-cert-manager(02): ESO's admission webhook needs a TLS cert.
  #     bp-cert-manager provides the ClusterIssuer that signs it.
  dependsOn:
    - name: bp-openbao
    - name: bp-cert-manager
  chart:
    spec:
      chart: bp-external-secrets
      version: 1.1.0
      sourceRef:
        kind: HelmRepository
        name: bp-external-secrets
        namespace: flux-system
  # Event-driven install per docs/INVIOLABLE-PRINCIPLES.md #3 (Flux
  # dependsOn is the gate, not Helm timeout). Replaces blanket
  # spec.timeout: 15m band-aid pattern from PR #221, removed in PR #250.
  install:
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    remediation:
      retries: 3