openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
d64bb8bcce
openova/clusters/_template/bootstrap-kit/10-gitea.yaml
e3mrah 66abe75b2e
fix(bp-gitea): mirror gitea-admin-secret to catalyst ns via reflector annotations (#844) 
Live failure on otech103 2026-05-04: cutover Step-1 gitea-mirror Job in catalyst ns CrashLoops with 'secret "gitea-admin-secret" not found' because K8s forbids cross-namespace secretKeyRef. The Secret created by bp-gitea 1.2.4 lives in the gitea ns; the cutover Job runs in the catalyst ns.

Fix: add reflector.v1.k8s.emberstack.com annotations on the Secret so bp-reflector (already installed at slot 05a) mirrors it into the catalyst namespace. The Job's secretKeyRef then resolves locally. Reflector keeps the mirror in lockstep on password rotation.

Bumps bp-gitea 1.2.4 → 1.2.5 + slot 10 pin lockstep.

Co-authored-by: Hatice Yildiz <hatice.yildiz@openova.io>
2026-05-05 00:37:04 +04:00

82 lines
2.7 KiB
YAML
Raw Blame History

# bp-gitea — Catalyst Blueprint #10 of 11. Per-Sovereign Git server with
# the public Blueprint catalog mirror seeded. Catalyst's catalog-svc reads
# Blueprint metadata from this Gitea (not from the public openova monorepo
# directly) so the Sovereign is air-gap-ready by construction.
#
# Wrapper chart: platform/gitea/chart/
---
apiVersion: v1
kind: Namespace
metadata:
name: gitea
labels:
catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: bp-gitea
namespace: flux-system
spec:
type: oci
interval: 15m
url: oci://ghcr.io/openova-io
secretRef:
name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: bp-gitea
namespace: flux-system
spec:
interval: 15m
releaseName: gitea
targetNamespace: gitea
dependsOn:
- name: bp-keycloak
# bp-gateway-api (issue #503): chart ships an HTTPRoute template;
# gateway.networking.k8s.io/v1 CRDs must be registered first.
- name: bp-gateway-api
# bp-cnpg (issue #584): chart ships a CNPG Cluster CR;
# postgresql.cnpg.io/v1 CRD must be registered before bp-gitea
# applies so the Capabilities gate in cnpg-cluster.yaml creates
# the Cluster rather than skipping it silently.
- name: bp-cnpg
chart:
spec:
chart: bp-gitea
# 1.2.5: gitea-admin-secret carries reflector.v1.k8s.emberstack.com
# annotations so bp-reflector mirrors it into the catalyst ns where
# bp-self-sovereign-cutover Step 1 gitea-mirror Job mounts it. K8s
# forbids cross-namespace secretKeyRef; reflector is the canonical
# platform-level mirror. Caught live on otech103 2026-05-04.
version: 1.2.5
sourceRef:
kind: HelmRepository
name: bp-gitea
namespace: flux-system
# Event-driven install: Gitea PostgreSQL DB init + admin user creation +
# public Blueprint catalog mirror seeding is legitimately multi-minute.
# Helm install completes when manifests apply; downstream dependsOn
# checks Ready=True independently. Replaces PR #221 spec.timeout: 15m.
install:
disableWait: true
remediation:
retries: 3
upgrade:
disableWait: true
remediation:
retries: 3
values:
global:
sovereignFQDN: ${SOVEREIGN_FQDN}
# Per-Sovereign overrides — issue #387:
# Cilium Gateway HTTPRoute exposes Gitea at gitea.${SOVEREIGN_FQDN}.
# Upstream chart's own Ingress is disabled (gitea.ingress.enabled=false
# in platform/gitea/chart/values.yaml) — Sovereigns ingress through
# cilium-gateway from clusters/_template/bootstrap-kit/01-cilium.yaml.
gateway:
host: gitea.${SOVEREIGN_FQDN}
Reference in New Issue View Git Blame Copy Permalink