openova/platform/livekit/chart/values.yaml
e3mrah 782d8015c5
feat(charts): bp-openmeter (CH-less) + bp-livekit + bp-matrix wrapper charts (closes #272 #273 #274) (#289)
W2.5.F — three Catalyst Blueprint umbrella charts at platform/{openmeter,
livekit,matrix}/, each declaring its upstream chart under Chart.yaml
`dependencies:` so `helm dependency build` bundles the upstream payload
into the published OCI artifact (per docs/BLUEPRINT-AUTHORING.md §11.1
— hollow charts forbidden, CI-enforced by issue #181).

Per-chart kind summary
======================

bp-openmeter (closes #272)
  default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
  upstream chart: openmeter 1.0.0-beta.213 (oci://ghcr.io/openmeterio/helm-charts)

  ClickHouse-less profile per docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §6.4.
  The upstream chart's bundled clickhouse / kafka / postgresql / redis /
  svix subcharts are all DISABLED — Catalyst supplies CNPG (postgres),
  JetStream (event bus), and Valkey (redis-compat) at the platform tier.
  Chart-level toggle `catalystBlueprint.backend.kind` (default `cnpg`,
  alt `clickhouse`) records the active profile so observability/audit
  pipelines can report it. The OpenMeter binary's
  `aggregation.clickhouse.address` is left blank — per-Sovereign overlay
  supplies it once a host cluster adds bp-clickhouse and the operator
  re-rolls with `backend.kind: clickhouse`. Catalyst overlay templates
  (NetworkPolicy / ServiceMonitor / HPA) all default OFF per
  docs/BLUEPRINT-AUTHORING.md §11.2.

bp-livekit (closes #273)
  default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
  upstream chart: livekit-server 1.9.0 (https://helm.livekit.io)

  WebRTC SFU. Powers the Huawei iFlytek voice demo. Catalyst defaults
  pair LiveKit with bp-stunner (the upstream chart's bundled co-located
  TURN server is OFF; per-Sovereign overlay points the LiveKit TURN
  config at the stunner UDP-gateway Service). RTC UDP port range is
  50000-60000 (matches the Hetzner firewall rule the per-Sovereign
  overlay opens). Catalyst overlay templates (NetworkPolicy /
  ServiceMonitor / HPA) all default OFF; the chart's NetworkPolicy
  template documents that LiveKit's hostNetwork mode means pod-level
  policies do NOT cover the SFU port range — the firewall rule is the
  load-bearing control. blueprint.yaml `depends:` declares bp-stunner +
  bp-cert-manager + bp-valkey.

bp-matrix (closes #274)
  default `helm template` kinds: ConfigMap, Deployment, Ingress, Job,
  PersistentVolumeClaim, Pod, Role, RoleBinding, Secret, Service,
  ServiceAccount
  upstream chart: matrix-synapse 3.12.25 (https://ananace.gitlab.io/charts)

  Synapse (the Matrix server implementation, NOT the retired OpenOva
  product noun). Federation OFF by default (Catalyst per-Sovereign
  tenancy default — operator overlays flip it on per-Organization).
  Postgres backend via bp-cnpg externalPostgresql; OIDC SSO via
  bp-keycloak; bundled bitnami postgresql + redis subcharts both
  disabled. Catalyst overlay NetworkPolicy gates the federation port
  (8448) on `federation.enabled` — verified by Case 5 of the
  observability-toggle test. Catalyst-overlay ServiceMonitor (upstream
  chart has none) + HPA both default OFF.

Lint
====
All three charts pass `helm lint` clean (only the noisy "icon is
recommended" INFO message).

Observability tests
===================
Each chart's `tests/observability-toggle.sh` enforces the Catalyst
contract from docs/BLUEPRINT-AUTHORING.md §11.2:
  Case 1: default render produces zero monitoring.coreos.com/v1
          resources (no ServiceMonitor / PrometheusRule).
  Case 2: opt-in (--set serviceMonitor.enabled=true --api-versions
          monitoring.coreos.com/v1) renders a ServiceMonitor.
  Case 3: explicit-off render is clean.
  Case 4 (per chart):
    - openmeter: ClickHouse-less profile asserts no
      clickhouse.altinity.com / Kafka subchart resources leak into the
      default render.
    - livekit:   asserts upstream livekit-server.serviceMonitor.create
      defaults false.
    - matrix:    asserts default render carries an empty
      federation_domain_whitelist (the per-Sovereign tenancy default).
  Case 5 (matrix only): `--set federation.enabled=true networkPolicy.enabled=true`
          opens port 8448 in the Catalyst NetworkPolicy.

All gates green for all three charts.

Closes #272 #273 #274

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-04-30 19:37:28 +04:00

# Catalyst Blueprint umbrella metadata — the upstream livekit-server
# chart is resolved as a Helm subchart via Chart.yaml `dependencies:`.
# This values.yaml carries:
#   1. The catalystBlueprint metadata block (provenance + version) so
#      observability/audit pipelines can inspect the artifact.
#   2. The upstream subchart values overlay under the `livekit-server:`
#      key (umbrella-chart convention — the dependency name from
#      Chart.yaml is the values namespace).
#   3. Catalyst-overlay knobs (networkPolicy, serviceMonitor, hpa) — all
#      DEFAULT OFF per docs/BLUEPRINT-AUTHORING.md §11.2.
#
# Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode), every operationally-
# meaningful value is configurable; cluster overlays in clusters/<sovereign>/
# may override any of these without rebuilding the Blueprint OCI artifact.
catalystBlueprint:
  upstream:
    chart: livekit-server
    version: "1.9.0"
    repo: "https://helm.livekit.io"

# ─── Upstream chart values (subchart key: livekit-server) ────────────────
# `helm dependency build` resolves the upstream as a subchart; values here
# under the `livekit-server:` key flow into that subchart unchanged.
livekit-server:
  # Solo-Sovereign baseline — single replica. LiveKit signaling state is
  # carried in Redis when replicaCount > 1, so multi-tenant overlays MUST
  # supply `livekit.redis.address` (Catalyst routes this to bp-valkey).
  replicaCount: 1
  image:
    repository: livekit/livekit-server
    pullPolicy: IfNotPresent

  # ─── LiveKit binary configuration ──────────────────────────────────────
  livekit:
    port: 7880
    log_level: info
    rtc:
      tcp_port: 7881
      # UDP port range for RTC traffic. Must match the Hetzner firewall
      # rule the per-Sovereign overlay opens. Per
      # docs/INVIOLABLE-PRINCIPLES.md #4 every port is operator-tunable.
      port_range_start: 50000
      port_range_end: 60000
      use_external_ip: true
    # Redis (signaling-state store). Empty by default — Catalyst's per-
    # Sovereign overlay points this at the bp-valkey Service when
    # replicaCount > 1. Solo-Sovereigns with replicaCount: 1 leave this
    # blank.
    redis: {}
    # API keys — empty by default. Operator MUST supply via
    # `storeKeysInSecret.existingSecret` referencing an ExternalSecret
    # (do NOT inline keys in cluster overlays). Per
    # docs/INVIOLABLE-PRINCIPLES.md #4 nothing is hardcoded.
    keys: {}
    # ─── TURN server — Catalyst routes to bp-stunner ─────────────────────
    # The upstream chart's bundled `livekit.turn` runs a co-located TURN
    # server. Catalyst's standard pattern is to route TURN/STUN through
    # bp-stunner (K8s-native) for NAT traversal — leave the bundled
    # `livekit.turn.enabled` OFF and the per-Sovereign overlay supplies
    # the stunner UDP-gateway endpoint via a Catalyst overlay annotation
    # (see `livekitOverlay.stunner` below).
    turn:
      enabled: false

  # Store API keys in a Secret instead of the ConfigMap. DEFAULT FALSE —
  # the upstream chart's secret template requires either an
  # `existingSecret` reference or an inline `keys:` map plus
  # `livekit.key_file`. Catalyst's standard pattern is to project an
  # ExternalSecret and have the operator's per-Sovereign overlay flip
  # `enabled: true` and supply `existingSecret`. Default-off keeps
  # `helm template` smoke renders clean without operator overlays.
  storeKeysInSecret:
    enabled: false
    existingSecret: "" # operator-supplied (e.g. "livekit-keys")
    keys: {}

  # ─── Service / loadBalancer ────────────────────────────────────────────
  # Single-instance LiveKit runs on hostNetwork so the SFU port range is
  # reachable. The upstream chart sets podHostNetwork: true by default;
  # Catalyst keeps it.
  loadBalancer:
    type: disable
    servicePort: 80
    annotations: {}
  # turnLoadbalancer — left enabled to match upstream defaults; the
  # service is harmless when bundled TURN is off.
  turnLoadbalancer:
    enable: true

  # Autoscaling (HPA) — DEFAULT FALSE per docs/BLUEPRINT-AUTHORING.md
  # §11.2 (Observability toggles must default false; HPA is gated on
  # metrics-server which is part of the kube-prometheus-stack tier).
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 60

  # Resource baseline — LiveKit recommends "plenty of resources" because
  # only one instance per physical node fits (port range exclusivity).
  # Solo-Sovereign baseline below; multi-tenant overlays bump.
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: 4
      memory: 2Gi

  serviceAccount:
    create: true
    annotations: {}
    name: ""

  # hostNetwork required so the SFU port range maps directly to the
  # node's external IP. Upstream default — restate explicitly.
  podHostNetwork: true
  podAnnotations:
    sidecar.istio.io/inject: "false"
    linkerd.io/inject: disabled

  # ─── Upstream ServiceMonitor — DEFAULT OFF ─────────────────────────────
  # Per docs/BLUEPRINT-AUTHORING.md §11.2.
  serviceMonitor:
    create: false
    annotations: {}
    name: ""
    interval: 30s

# ─── Catalyst-overlay knobs (consumed by templates/ in this chart) ───────
# All DEFAULT OFF per docs/BLUEPRINT-AUTHORING.md §11.2.

# bp-stunner integration — the Catalyst standard for WebRTC NAT
# traversal. The per-Sovereign overlay flips `enabled: true` and points
# `gatewayService` at the bp-stunner UDP-gateway. The bp-livekit chart
# emits this only as Service annotations + a Catalyst-overlay
# ConfigMap; the actual UDPRoute / Gateway resources live in
# bp-stunner's own chart.
livekitOverlay:
  stunner:
    enabled: false
    gatewayService: "udp-gateway.stunner.svc.cluster.local:3478"
    # Realm + shared-secret used by the upstream livekit binary's
    # `turn_server` config. Operator supplies via ExternalSecret.
    realm: "stunner.l7mp.io"
    sharedSecretName: "" # ExternalSecret name (e.g. "livekit-stunner-shared-secret")

# NetworkPolicy — locks the livekit pods down to the minimum egress /
# ingress required (kube-dns, valkey, stunner, ingress). Default off —
# operator opts in via per-Sovereign overlay once consumer namespaces
# are known. Per docs/INVIOLABLE-PRINCIPLES.md #4 every selector /
# namespace label / port is operator-tunable.
networkPolicy:
  enabled: false
  valkeyNamespace: "valkey"
  valkeyPort: 6379
  stunnerNamespace: "stunner"
  stunnerPort: 3478
  ingressNamespace: "traefik"
  # The signaling port the upstream chart exposes (`.livekit-server.livekit.port`).
  signalingPort: 7880

# ServiceMonitor — Catalyst-overlay variant. The upstream chart
# already publishes its own ServiceMonitor (gated by `serviceMonitor.create`
# above, which we keep defaulted false). This Catalyst-side knob is the
# forward-compatibility guard so a future aggregate ServiceMonitor lands
# behind the same operator switch. Per docs/BLUEPRINT-AUTHORING.md
# §11.2 — DEFAULT OFF.
serviceMonitor:
  enabled: false
  interval: "30s"
  scrapeTimeout: "10s"
  path: "/metrics"
  labels: {}

# HorizontalPodAutoscaler for the LiveKit Deployment. Default OFF.
# The upstream chart already exposes `livekit-server.autoscaling.enabled`
# (kept defaulted false above); this Catalyst-side knob is the
# forward-compatibility guard for a Catalyst-authored HPA shape (e.g.
# scaling on custom signaling-room metrics). Per
# docs/BLUEPRINT-AUTHORING.md §11.2 — DEFAULT OFF.
hpa:
  enabled: false
  minReplicas: 1
  maxReplicas: 4
  targetCPUUtilizationPercentage: 60
  targetMemoryUtilizationPercentage: 80
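The values file above states several operator contracts in comments only (no inline API keys, Redis required above one replica, bundled TURN off when stunner is routed, NetworkPolicy not covering the SFU range on hostNetwork). The following pre-deploy check is an added example, not part of the bp-livekit chart or its tests; it works on a constructed subset of the defaults as plain dicts and assumes overlays are merged Helm-style (nested maps recurse, scalars replace).

```python
from copy import deepcopy

# Constructed subset of the bp-livekit defaults shown in values.yaml above.
DEFAULTS = {
    "livekit-server": {
        "replicaCount": 1,
        "livekit": {"rtc": {"port_range_start": 50000, "port_range_end": 60000},
                    "redis": {}, "keys": {}, "turn": {"enabled": False}},
        "storeKeysInSecret": {"enabled": False, "existingSecret": "", "keys": {}},
        "podHostNetwork": True,
    },
    "livekitOverlay": {"stunner": {"enabled": False}},
    "networkPolicy": {"enabled": False},
}


def merge(base, overlay):
    """Helm-style deep merge: nested maps recurse, scalars in overlay win."""
    out = deepcopy(base)
    for key, val in overlay.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], val)
        else:
            out[key] = deepcopy(val)
    return out


def check_overlay(overlay):
    """Return (level, message) findings for DEFAULTS merged with an overlay."""
    v = merge(DEFAULTS, overlay)
    lk = v["livekit-server"]
    sks = lk["storeKeysInSecret"]
    findings = []
    # API keys must come from an ExternalSecret-backed Secret, never inline.
    if lk["livekit"]["keys"] or sks["keys"]:
        findings.append(("ERROR", "inline API keys; use storeKeysInSecret.existingSecret"))
    if sks["enabled"] and not sks["existingSecret"]:
        findings.append(("ERROR", "storeKeysInSecret.enabled needs existingSecret"))
    if lk["replicaCount"] > 1 and not lk["livekit"]["redis"].get("address"):
        findings.append(("ERROR", "replicaCount > 1 requires livekit.redis.address"))
    rtc = lk["livekit"]["rtc"]
    if not 1024 <= rtc["port_range_start"] < rtc["port_range_end"] <= 65535:
        findings.append(("ERROR", "rtc port range is not a valid UDP range"))
    # Bundled TURN and bp-stunner are alternative paths, not both at once.
    if lk["livekit"]["turn"]["enabled"] and v["livekitOverlay"]["stunner"]["enabled"]:
        findings.append(("ERROR", "bundled livekit.turn and stunner both enabled"))
    # On hostNetwork a pod-level NetworkPolicy never covers the SFU UDP range.
    if lk["podHostNetwork"] and v["networkPolicy"]["enabled"]:
        findings.append(("WARN", "hostNetwork: NetworkPolicy does not cover "
                                 "the SFU port range; node firewall rule is the control"))
    return findings
```

Run it over each per-Sovereign overlay before `helm template`; an empty result means the overlay respects the contracts the comments describe.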