openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
d9a1a88063
openova/clusters/_template/bootstrap-kit/27-kyverno.yaml
e3mrah fd5a9ecfad
feat(bootstrap-kit): security+policy batch — slots 27-34 (W2.K3) (#276) 
Adds 8 Tier 7 (Security/Policy) HelmReleases per
docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §2.5 — three cluster copies
(_template, omantel.omani.works, otech.omani.works).

Slots:
  27 bp-kyverno     dependsOn: bp-cilium       (admission policy engine)
  28 bp-reloader    dependsOn: (none)          (configmap/secret-rotation glue)
  29 bp-vpa         dependsOn: (none)          (vertical autoscaler)
  30 bp-trivy       dependsOn: bp-cert-manager (static scanner / operator)
  31 bp-falco       dependsOn: bp-cilium       (runtime threat detection / eBPF)
  32 bp-sigstore    dependsOn: bp-cert-manager (cosign admission verifier)
  33 bp-syft-grype  dependsOn: bp-cert-manager (SBOM + vulnerability matcher)
  34 bp-velero      dependsOn: bp-seaweedfs    (backup; SeaweedFS-backed)

Conventions followed:
  - HR shape mirrors the post-PR-250 event-driven pattern:
    install.disableWait + upgrade.disableWait, no blanket spec.timeout.
  - SOVEREIGN_FQDN substitution: `_template` carries the literal
    `${SOVEREIGN_FQDN}` placeholder; cluster copies have it expanded
    to the per-Sovereign FQDN at provisioning time (matches slot 11/12
    convention introduced by PR #168).
  - bp-reloader and bp-vpa intentionally have no dependsOn — they are
    fully independent infrastructure helpers per the plan's §2.5.
  - kustomization.yaml entries appended in numeric order (slots 15–26
    intentionally empty — reserved for W2.K1 storage+DB and W2.K2
    observability; W2.K3 ships independently).

Validation:
  - `kubectl kustomize clusters/_template/bootstrap-kit/`           OK
  - `kubectl kustomize clusters/omantel.omani.works/bootstrap-kit/` OK
  - `kubectl kustomize clusters/otech.omani.works/bootstrap-kit/`   OK
    (each: 22 HelmReleases, 22 HelmRepositories, 19 Namespaces)
  - All 24 new HR YAML files parse as 3 docs (Namespace + HelmRepository
    + HelmRelease).

Charts and OCI artifacts: charts already present at platform/<name>/
(kyverno, reloader, trivy, falco, sigstore, syft-grype, velero — all
v1.0.0 umbrella charts). Note: platform/vpa/ currently has README.md
only — chart authoring is tracked separately and does not block this
HR-shape PR (Flux will retry until the OCI artifact lands).

Refs docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §2.5, §3.1 (W2.K3 row),
§4.2 (kustomization merge protocol).

Co-authored-by: hatiyildiz <269457768+hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 17:22:34 +04:00

74 lines
2.3 KiB
YAML
Raw Blame History

# bp-kyverno — Catalyst bootstrap-kit Blueprint #27 (W2.K3, Tier 7 — Security/Policy).
# Kubernetes-native admission policy engine. Validating/mutating/generating
# admission control via ClusterPolicy/Policy CRDs. HA mode with separate
# admission/background/cleanup/reports controllers. The first guardrail
# downstream Catalyst Apps land behind once the platform is bootstrapped.
#
# Wrapper chart: platform/kyverno/chart/ (umbrella over upstream
# kyverno/kyverno chart, Catalyst-curated values under the `kyverno:` key).
# Reconciled by: Flux on the new Sovereign's k3s control plane.
#
# dependsOn:
# - bp-cilium — Kyverno admission webhooks need a working CNI + Service
# mesh substrate to receive AdmissionReview requests from the apiserver.
# Cilium is the root of the Catalyst-Zero DAG; until it is Ready the
# apiserver→webhook path is not reachable and Kyverno install is racy.
#
# No further dependsOn: Kyverno installs its own CRDs and does not require
# cert-manager (it auto-generates admission webhook TLS via its built-in
# certificate controller).
---
apiVersion: v1
kind: Namespace
metadata:
name: kyverno
labels:
catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: bp-kyverno
namespace: flux-system
spec:
type: oci
interval: 15m
url: oci://ghcr.io/openova-io
secretRef:
name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: bp-kyverno
namespace: flux-system
spec:
interval: 15m
releaseName: kyverno
targetNamespace: kyverno
dependsOn:
- name: bp-cilium
chart:
spec:
chart: bp-kyverno
version: 1.0.0
sourceRef:
kind: HelmRepository
name: bp-kyverno
namespace: flux-system
# Event-driven install: Kyverno HA mode brings up four controller
# Deployments (admission, background, cleanup, reports) plus the
# admission webhook TLS bootstrap. Pod Ready is multi-minute on a
# cold cluster; Helm `--wait` would hold the HR's Ready=True signal
# past the point where downstream HRs could legitimately reconcile.
# disableWait lets Flux mark this Ready as soon as manifests apply.
install:
disableWait: true
remediation:
retries: 3
upgrade:
disableWait: true
remediation:
retries: 3
Reference in New Issue View Git Blame Copy Permalink