openova/clusters/omantel.omani.works/bootstrap-kit/33-syft-grype.yaml
e3mrah fd5a9ecfad
feat(bootstrap-kit): security+policy batch — slots 27-34 (W2.K3) (#276)
Adds 8 Tier 7 (Security/Policy) HelmReleases per
docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §2.5 — three cluster copies
(_template, omantel.omani.works, otech.omani.works).

Slots:
  27 bp-kyverno     dependsOn: bp-cilium       (admission policy engine)
  28 bp-reloader    dependsOn: (none)          (configmap/secret-rotation glue)
  29 bp-vpa         dependsOn: (none)          (vertical autoscaler)
  30 bp-trivy       dependsOn: bp-cert-manager (static scanner / operator)
  31 bp-falco       dependsOn: bp-cilium       (runtime threat detection / eBPF)
  32 bp-sigstore    dependsOn: bp-cert-manager (cosign admission verifier)
  33 bp-syft-grype  dependsOn: bp-cert-manager (SBOM + vulnerability matcher)
  34 bp-velero      dependsOn: bp-seaweedfs    (backup; SeaweedFS-backed)

Conventions followed:
  - HR shape mirrors the post-PR-250 event-driven pattern:
    install.disableWait + upgrade.disableWait, no blanket spec.timeout.
  - SOVEREIGN_FQDN substitution: `_template` carries the literal
    `${SOVEREIGN_FQDN}` placeholder; cluster copies have it expanded
    to the per-Sovereign FQDN at provisioning time (matches slot 11/12
    convention introduced by PR #168).
  - bp-reloader and bp-vpa intentionally have no dependsOn — they are
    fully independent infrastructure helpers per the plan's §2.5.
  - kustomization.yaml entries appended in numeric order (slots 15–26
    intentionally empty — reserved for W2.K1 storage+DB and W2.K2
    observability; W2.K3 ships independently).

Validation:
  - `kubectl kustomize clusters/_template/bootstrap-kit/`           OK
  - `kubectl kustomize clusters/omantel.omani.works/bootstrap-kit/` OK
  - `kubectl kustomize clusters/otech.omani.works/bootstrap-kit/`   OK
    (each: 22 HelmReleases, 22 HelmRepositories, 19 Namespaces)
  - All 24 new HR YAML files parse as 3 docs (Namespace + HelmRepository
    + HelmRelease).

Charts and OCI artifacts: charts already present at platform/<name>/
(kyverno, reloader, trivy, falco, sigstore, syft-grype, velero — all
v1.0.0 umbrella charts). Note: platform/vpa/ currently has README.md
only — chart authoring is tracked separately and does not block this
HR-shape PR (Flux will retry until the OCI artifact lands).

Refs docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §2.5, §3.1 (W2.K3 row),
§4.2 (kustomization merge protocol).

Co-authored-by: hatiyildiz <269457768+hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 17:22:34 +04:00

# bp-syft-grype — Catalyst bootstrap-kit Blueprint #33 (W2.K3, Tier 7 — Security/Policy).
# Anchore Syft + Grype as a scheduled CronJob. SBOM generation (Syft)
# paired with vulnerability matching (Grype) — the offline / scheduled
# half of the supply-chain stack. Anchore does not publish a Helm chart
# for the open-source CLIs, so this Blueprint is a scratch chart that
# wires the official ghcr.io/anchore/syft and ghcr.io/anchore/grype
# containers into a CronJob that scans the Sovereign's image inventory.
#
# Wrapper chart: platform/syft-grype/chart/ (Catalyst-authored scratch
# chart — no upstream subchart).
# Reconciled by: Flux on the new Sovereign's k3s control plane.
#
# dependsOn:
#   - bp-cert-manager — the result-export sidecar publishes SBOMs over
#     mTLS to the central scan-result store; cert-manager issues the
#     workload's TLS material via the cluster's ClusterIssuer.
---
apiVersion: v1
kind: Namespace
metadata:
  name: syft-grype
  labels:
    catalyst.openova.io/sovereign: omantel.omani.works
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bp-syft-grype
  namespace: flux-system
spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-syft-grype
  namespace: flux-system
spec:
  interval: 15m
  releaseName: syft-grype
  targetNamespace: syft-grype
  dependsOn:
    - name: bp-cert-manager
  chart:
    spec:
      chart: bp-syft-grype
      version: 1.0.0
      sourceRef:
        kind: HelmRepository
        name: bp-syft-grype
        namespace: flux-system
  # Event-driven install: the Blueprint is mostly a CronJob + RBAC
  # surface. There is no long-running Deployment whose Ready=True is
  # meaningful — disableWait is the correct shape so Flux marks Ready
  # as soon as manifests apply.
  install:
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    remediation:
      retries: 3
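The header comment describes the chart's core as a CronJob that chains the official Syft and Grype containers: Syft produces an SBOM, Grype matches it against its vulnerability database. The manifest below is an added illustration of that shape; it is not the Catalyst platform/syft-grype chart and is not taken from this page. The schedule, the scanned image reference, the emptyDir handoff path, the run-as UID, and the `--fail-on high` threshold are assumptions; registry credentials and the mTLS result-export sidecar mentioned in the header are deliberately left out.

```yaml
# Added example (not the project's chart): Syft -> Grype in one CronJob.
# Assumptions are marked inline; nothing here is taken from the Blueprint.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: syft-grype-scan
  namespace: syft-grype
spec:
  schedule: "0 2 * * *"          # assumption: nightly scan window
  concurrencyPolicy: Forbid      # never run two scans of the inventory at once
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3      # keep failed Jobs so the Grype report is inspectable
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532     # assumption: any unprivileged UID works for both CLIs
            seccompProfile:
              type: RuntimeDefault
          volumes:
            - name: work         # SBOM + report handoff between the two steps
              emptyDir: {}
            - name: tmp          # scratch space so the root filesystem can stay read-only
              emptyDir: {}
          initContainers:
            # Step 1: Syft reads the image layers and writes a CycloneDX SBOM.
            - name: syft
              image: ghcr.io/anchore/syft:latest   # pin to a digest in production
              args:
                - "registry:registry.example.invalid/app:1.2.3"   # placeholder image ref
                - "-o"
                - "cyclonedx-json=/work/sbom.cdx.json"
              volumeMounts:
                - name: work
                  mountPath: /work
                - name: tmp
                  mountPath: /tmp
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
          containers:
            # Step 2: Grype matches the SBOM, never the live image, so the
            # scan is reproducible from the stored SBOM alone. --fail-on high
            # makes the Job fail (and therefore alert) on High/Critical findings.
            - name: grype
              image: ghcr.io/anchore/grype:latest  # pin to a digest in production
              env:
                - name: GRYPE_DB_CACHE_DIR         # keep the DB on the writable volume
                  value: /work/grype-db
              args:
                - "sbom:/work/sbom.cdx.json"
                - "--fail-on"
                - "high"
                - "-o"
                - "json"
                - "--file"
                - "/work/grype-report.json"
              volumeMounts:
                - name: work
                  mountPath: /work
                - name: tmp
                  mountPath: /tmp
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
```

Because the Job has no long-lived Pod, this is exactly the case the HelmRelease comment makes for `disableWait: true`: Flux has nothing to wait on beyond the manifests applying, and the security signal comes from the Job's exit status and the JSON report, not from a Ready condition.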