openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
d1d351b384
openova/platform/spire
History
e3mrah 1f5c76def1
fix(platform): sync blueprint.yaml versions with Chart.yaml (#199) 
* feat(ui): Playwright cosmetic + step-flow regression guards

15 regression guards in products/catalyst/bootstrap/ui/e2e/cosmetic-
guards.spec.ts that fail HARD when each user-flagged defect class
returns:

  1.  card height drift from canonical 108px
  2.  reserved right padding eating description width
  3.  logo tile drift from per-brand LOGO_SURFACE
  4.  invisible glyph (white-on-white) via luminance proxy
  5.  wizard step order Org/Topology/Provider/Credentials/Components/
      Domain/Review
  6.  legacy "Choose Your Stack" / "Always Included" tab labels
  7.  Domain step reachable before Components
  8.  CPX32 not the recommended Hetzner SKU
  9.  per-region SKU dropdown shows wrong provider catalog
  10. provision page is .html (static) not SPA route
  11. legacy bubble/edge DAG SVG markup on provision page
  12. admin sidebar drift from canonical core/console (w-56 + 7 labels)
  13. AppDetail uses tablist instead of sectioned layout
  14. job rows navigate to /job/<id> instead of expand-in-place
  15. Phase 0 banners (Hetzner infra / Cluster bootstrap) on AdminPage

Each test prints a failure message naming the canonical reference,
the source-of-truth file, and the data-testid PR needed (if any) so
the implementing agent has a precise target. No .skip() — per
INVIOLABLE-PRINCIPLES #2, missing components fail loud.

CI: .github/workflows/cosmetic-guards.yaml runs the suite on every
PR that touches products/catalyst/bootstrap/ui/** or core/console/**.

Docs: docs/UI-REGRESSION-GUARDS.md maps each test to the user's
original complaint, the canonical reference, and the green/red
semantics (5 tests intentionally RED on main today — they stay red
until the companion-agent's UI work lands).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(platform): sync blueprint.yaml versions with Chart.yaml so manifest-validation passes

---------

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:07:55 +04:00
..
chart fix(bp-*): observability toggles default false — break circular CRD dependency 2026-04-29 19:23:52 +02:00
blueprint.yaml fix(platform): sync blueprint.yaml versions with Chart.yaml (#199) 2026-04-29 22:07:55 +04:00
README.md feat(charts): G2 wrapper Helm charts for 11 bootstrap-kit components + blueprint-release CI 2026-04-28 12:51:06 +02:00

README.md

SPIRE

SPIFFE/SPIRE workload identity. Catalyst control plane component (per docs/PLATFORM-TECH-STACK.md §2.3 — Per-Sovereign supporting services). Issues short-lived (5-min auto-rotated) X.509 SVIDs to every Pod across every host cluster a Sovereign owns.

Status: Accepted. Chart wrapper at chart/. Updated: 2026-04-28.

Why

Catalyst's identity model has two systems (per docs/SECURITY.md §1):

Subject System Lifetime
Workloads (every Pod, every controller) SPIFFE/SPIRE 5-min SVID
Users (every human) Keycloak 15-min JWT

SPIRE issues SVIDs scoped by SPIFFE ID:

spiffe://<sovereign>/ns/<namespace>/sa/<service-account>

OpenBao authenticates clients by SVID. JetStream authenticates clients by SVID. Catalyst REST APIs authenticate workloads by SVID + users by JWT.

Topology

Layer Replicas Notes
SPIRE server 1 (HA: 3) On the Sovereign's mgt cluster. Upstream-bundle to a root SPIRE on the OpenOva publisher when present.
SPIRE agent 1 per node DaemonSet. Exposes Workload API (Unix socket) to Pods on that node.

Chart

The chart/ directory wraps the upstream SPIFFE/SPIRE Helm chart with Catalyst-curated values. Installed by the Catalyst bootstrap kit during Phase 0 (per docs/SOVEREIGN-PROVISIONING.md §3) — after Cilium, cert-manager, Flux, and Crossplane have come up.

OCI artifact: ghcr.io/openova-io/bp-spire:1.0.0.

Part of OpenOva