Adds bp-gateway-api Blueprint (slot 01a) that vendors the upstream
Kubernetes Gateway API Standard-channel CRDs (v1.2.0) and registers them
ahead of every chart that ships HTTPRoute templates: bp-openbao,
bp-keycloak, bp-gitea, bp-powerdns, bp-catalyst-platform, bp-harbor,
bp-grafana.
Phase-8a-preflight live deployment otech10 (e1a0cd6662872fcb on
catalyst-api:c148ef3, 2026-05-01) reached 21/37 HRs Ready=True before
stalling on bp-harbor / bp-openbao / bp-powerdns reconciling to
InstallFailed with `no matches for kind "HTTPRoute" in version
"gateway.networking.k8s.io/v1"`. Cilium 1.16's chart `gatewayAPI.
enabled=true` flag wires up the cilium gateway controller and creates
the `cilium` GatewayClass, but does NOT install the
gateway.networking.k8s.io CRDs themselves; cilium 1.16 has no
`installCRDs`-equivalent knob for gateway-api so the upstream CRDs must
ship via a separate Blueprint.
Pattern locked in by docs/INVIOLABLE-PRINCIPLES.md and reinforced by
the founder for ALL similar future cases: intra-chart CRD-ordering
breaks → split into two charts + Flux dependsOn. Mirrors the
bp-crossplane/bp-crossplane-claims and bp-external-secrets/
bp-external-secrets-stores splits.
Files:
- platform/gateway-api/{blueprint.yaml,chart/} — new Blueprint with
per-CRD templates vendored from kubernetes-sigs/gateway-api v1.2.0
standard-install.yaml; helm.sh/resource-policy: keep on every CRD so
Helm uninstall does not orphan every HTTPRoute on the cluster
- platform/gateway-api/chart/scripts/regenerate.sh — developer tool
for re-vendoring on upstream version bump (annotation-driven)
- platform/gateway-api/chart/tests/crd-render.sh — chart integration
test (5 CRDs, keep annotation, bundle-version matches Chart.yaml pin)
- clusters/_template/bootstrap-kit/01a-gateway-api.yaml — HelmRelease
+ HelmRepository, dependsOn bp-cilium
- clusters/_template/bootstrap-kit/{08-openbao,09-keycloak,10-gitea,
11-powerdns,13-bp-catalyst-platform,19-harbor,25-grafana}.yaml —
add `dependsOn: bp-gateway-api`
- clusters/_template/bootstrap-kit/kustomization.yaml — register
01a-gateway-api.yaml between 01-cilium and 02-cert-manager
- scripts/expected-bootstrap-deps.yaml — declare slot 1a + add
bp-gateway-api to depends_on of every HTTPRoute-using slot
Closes #503
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
278 lines, 8.8 KiB, YAML
# Expected dependency DAG for clusters/_template/bootstrap-kit/*.yaml
#
# Authoritative spec: docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §2.
# Consumed by: scripts/check-bootstrap-deps.sh
# Updated by: W2.K0 (slots 01-14 baseline + slots 15-48 forward declarations)
#   W2.K1, K2, K3, K4 PRs add the corresponding HR files; this
#   file already declares the expected deps for those slots so
#   each W2 PR can be mechanically verified at merge time.
#
# Schema:
#   slots:
#     - slot: <int|int+letter>   # numeric prefix on the HR file (01..49); a letter
#                                # suffix such as 1a or 15a is a slot inserted later
#                                # between two existing ones
#       name: <string>           # value of metadata.name on the HelmRelease
#       depends_on: [<string>]   # ordered or unordered; comparison is set-based
#       wave: <"present"|"W2.K1"|"W2.K2"|"W2.K3"|"W2.K4">
#
# Comparison semantics enforced by check-bootstrap-deps.sh:
#   - Each HR file present on disk MUST declare exactly the depends_on set listed
#     here (missing edges -> error, extra edges -> error).
#   - HRs declared here but not yet present on disk are reported as "deferred"
#     (info, not an error) so that this file can be the static authoritative list
#     while W2.K1..K4 land their HR files in series.
#   - The graph is checked for cycles after merging declared+actual edges.
#
# The slot-numbering convention is documented in BOOTSTRAP-KIT-EXPANSION-PLAN.md §3.

slots:
  # ---- Tier 0-4: present today (post-PR-247 baseline) -----------------------
  - slot: 1
    name: bp-cilium
    depends_on: []
    wave: present
  - slot: 1a
    name: bp-gateway-api
    # Upstream Kubernetes Gateway API CRDs (Standard channel — issue #503).
    # Cilium 1.16's `gatewayAPI.enabled=true` enables the controller but does
    # NOT install the gateway.networking.k8s.io CRDs themselves; without them
    # every chart that ships HTTPRoute templates (bp-keycloak / bp-gitea /
    # bp-powerdns / bp-openbao / bp-harbor / bp-grafana / bp-catalyst-platform)
    # fails install with `no matches for kind HTTPRoute`. Same split-CRD
    # pattern as bp-crossplane-claims and bp-external-secrets-stores.
    depends_on: [bp-cilium]
    wave: present
  - slot: 2
    name: bp-cert-manager
    depends_on: [bp-cilium]
    wave: present
  - slot: 3
    name: bp-flux
    depends_on: [bp-cert-manager]
    wave: present
  - slot: 4
    name: bp-crossplane
    depends_on: [bp-flux]
    wave: present
  - slot: 5
    name: bp-sealed-secrets
    depends_on: [bp-cert-manager]
    wave: present
  - slot: 6
    name: bp-spire
    depends_on: [bp-cert-manager]
    wave: present
  - slot: 7
    name: bp-nats-jetstream
    depends_on: [bp-spire]
    wave: present
  - slot: 8
    name: bp-openbao
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template;
    # gateway.networking.k8s.io/v1 CRDs must be registered before install.
    depends_on: [bp-spire, bp-gateway-api]
    wave: present
  - slot: 9
    name: bp-keycloak
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template.
    depends_on: [bp-cert-manager, bp-gateway-api]
    wave: present
  - slot: 10
    name: bp-gitea
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template.
    depends_on: [bp-keycloak, bp-gateway-api]
    wave: present
  - slot: 11
    name: bp-powerdns
    # bp-gateway-api dep (issue #503): chart ships an api-httproute.yaml template.
    depends_on: [bp-cert-manager, bp-gateway-api]
    wave: present
  - slot: 12
    name: bp-external-dns
    depends_on: [bp-cert-manager, bp-powerdns]
    wave: present
  - slot: 13
    name: bp-catalyst-platform
    # bp-gateway-api dep (issue #503): umbrella chart ships catalyst-ui +
    # catalyst-api HTTPRoute templates.
    depends_on: [bp-gitea, bp-gateway-api]
    wave: present
  - slot: 14
    name: bp-crossplane-claims
    depends_on: [bp-crossplane]
    wave: present

  # ---- Tier 5: storage + DB (W2.K1, slots 15-19) ----------------------------
  - slot: 15
    name: bp-external-secrets
    depends_on: [bp-openbao, bp-cert-manager]
    wave: W2.K1
  - slot: 15a
    name: bp-external-secrets-stores
    # Default ClusterSecretStore CR(s). Split from bp-external-secrets@1.0.0
    # at PR #334 (issue #331) to resolve CRD-ordering deadlock —
    # ClusterSecretStore CR cannot live in the same Helm release as the ESO
    # subchart that registers its CRD. Mirrors bp-crossplane ↔
    # bp-crossplane-claims pattern.
    depends_on: [bp-external-secrets, bp-openbao]
    wave: W2.K1
  - slot: 16
    name: bp-cnpg
    depends_on: [bp-flux]
    wave: W2.K1
  - slot: 17
    name: bp-valkey
    depends_on: [bp-flux]
    wave: W2.K1
  - slot: 18
    name: bp-seaweedfs
    depends_on: [bp-flux, bp-cert-manager]
    wave: W2.K1
  - slot: 19
    name: bp-harbor
    # bp-seaweedfs dependency REMOVED per ADR-0001 §13 (cloud-direct).
    # Harbor on Sovereigns writes blobs directly to cloud Object Storage
    # (Hetzner / R2 / S3 / Azure / GCS), not via SeaweedFS. See
    # clusters/_template/bootstrap-kit/19-harbor.yaml lines 35-37.
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template;
    # gateway.networking.k8s.io/v1 CRDs must be registered first.
    depends_on: [bp-cnpg, bp-cert-manager, bp-gateway-api]
    wave: W2.K1

  # ---- Tier 6: observability (W2.K2, slots 20-26) ---------------------------
  - slot: 20
    name: bp-opentelemetry
    depends_on: [bp-cert-manager]
    wave: W2.K2
  - slot: 21
    name: bp-alloy
    depends_on: [bp-opentelemetry]
    wave: W2.K2
  - slot: 22
    name: bp-loki
    depends_on: [bp-seaweedfs]
    wave: W2.K2
  - slot: 23
    name: bp-mimir
    depends_on: [bp-seaweedfs]
    wave: W2.K2
  - slot: 24
    name: bp-tempo
    depends_on: [bp-seaweedfs]
    wave: W2.K2
  - slot: 25
    name: bp-grafana
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template.
    depends_on: [bp-cnpg, bp-loki, bp-mimir, bp-tempo, bp-keycloak, bp-gateway-api]
    wave: W2.K2
  - slot: 26
    name: bp-langfuse
    depends_on: [bp-cnpg, bp-keycloak, bp-cert-manager]
    wave: W2.K2

  # ---- Tier 7: security + policy (W2.K3, slots 27-34) -----------------------
  - slot: 27
    name: bp-kyverno
    depends_on: [bp-cilium]
    wave: W2.K3
  - slot: 28
    name: bp-reloader
    depends_on: []
    wave: W2.K3
  - slot: 29
    name: bp-vpa
    depends_on: []
    wave: W2.K3
  - slot: 30
    name: bp-trivy
    depends_on: [bp-cert-manager]
    wave: W2.K3
  - slot: 31
    name: bp-falco
    depends_on: [bp-cilium]
    wave: W2.K3
  - slot: 32
    name: bp-sigstore
    depends_on: [bp-cert-manager]
    wave: W2.K3
  - slot: 33
    name: bp-syft-grype
    depends_on: [bp-cert-manager]
    wave: W2.K3
  - slot: 34
    name: bp-velero
    # No dependsOn — Velero on Hetzner Sovereigns writes DIRECTLY to
    # Hetzner Object Storage per ADR-0001 §13 + WBS §3 (S3-aware app
    # rule). The previous SeaweedFS dependency was retired in #384;
    # Velero's BackupStorageLocation now consumes flux-system/hetzner-
    # object-storage Secret (issue #371) via Flux valuesFrom, populated
    # at HelmRelease apply time — no in-cluster prerequisite Blueprint.
    depends_on: []
    wave: W2.K3

  # ---- Tier 8 + 9: edge + apps + AI runtime (W2.K4, slots 35-48) ------------
  - slot: 35
    name: bp-coraza
    depends_on: [bp-cilium, bp-cert-manager]
    wave: W2.K4
  - slot: 36
    name: bp-stunner
    depends_on: [bp-cilium, bp-cert-manager]
    wave: W2.K4
  - slot: 37
    name: bp-knative
    depends_on: [bp-cert-manager]
    wave: W2.K4
  - slot: 38
    name: bp-kserve
    depends_on: [bp-knative]
    wave: W2.K4
  - slot: 39
    name: bp-vllm
    depends_on: [bp-kserve]
    wave: W2.K4
  - slot: 40
    name: bp-llm-gateway
    depends_on: [bp-cnpg, bp-keycloak]
    wave: W2.K4
  - slot: 41
    name: bp-anthropic-adapter
    depends_on: [bp-llm-gateway]
    wave: W2.K4
  - slot: 42
    name: bp-bge
    depends_on: [bp-cnpg]
    wave: W2.K4
  - slot: 43
    name: bp-nemo-guardrails
    depends_on: [bp-llm-gateway, bp-bge, bp-cnpg]
    wave: W2.K4
  - slot: 44
    name: bp-temporal
    depends_on: [bp-cnpg, bp-cert-manager]
    wave: W2.K4
  - slot: 45
    name: bp-openmeter
    depends_on: [bp-cnpg, bp-nats-jetstream]
    wave: W2.K4
  - slot: 46
    name: bp-livekit
    depends_on: [bp-stunner, bp-cert-manager]
    wave: W2.K4
  - slot: 47
    name: bp-matrix
    depends_on: [bp-cnpg, bp-keycloak, bp-cert-manager]
    wave: W2.K4
  - slot: 48
    name: bp-librechat
    depends_on: [bp-llm-gateway, bp-vllm, bp-bge, bp-keycloak]
    wave: W2.K4

  # ---- Phase-2 (handover) — DNS-01 webhook against Sovereign's own PowerDNS -
  # Authored under #373; lands at slot 49 because slots 36-48 were already
  # forward-declared by the W2.K4 batch. Wave is "present" because the HR
  # exists on disk now (chart-released; runtime exercise deferred to Phase 8).
  - slot: 49
    name: bp-cert-manager-powerdns-webhook
    depends_on: [bp-cert-manager, bp-powerdns]
    wave: present
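The comparison rules stated in the file header (exact depends_on set per HR on disk, "deferred" for declared-but-absent HRs, cycle check over merged edges) and the ordering rule behind the commit (every chart that ships an HTTPRoute must carry a bp-gateway-api edge), worked as an added Python example. This is not scripts/check-bootstrap-deps.sh and does not read the repository: it embeds a constructed excerpt of the expected-deps file and a constructed stand-in for the dependsOn lists that would be read from the HelmRelease files; the function names, the SHIPS_HTTPROUTE set (taken from the commit message's list) and the small YAML-subset parser are this example's own.

```python
import re

# Added example, not the project's checker. Constructed excerpt in the shape of
# expected-bootstrap-deps.yaml; the edges are copied from that file.
EXPECTED_YAML = """
slots:
  - slot: 1
    name: bp-cilium
    depends_on: []
    wave: present
  - slot: 1a
    name: bp-gateway-api
    depends_on: [bp-cilium]   # CRDs the cilium gateway controller needs
    wave: present
  - slot: 2
    name: bp-cert-manager
    depends_on: [bp-cilium]
    wave: present
  - slot: 9
    name: bp-keycloak
    depends_on: [bp-cert-manager, bp-gateway-api]
    wave: present
"""
# Charts the commit message lists as shipping HTTPRoute templates.
SHIPS_HTTPROUTE = {"bp-openbao", "bp-keycloak", "bp-gitea", "bp-powerdns",
                   "bp-catalyst-platform", "bp-harbor", "bp-grafana"}
# Constructed stand-in for the dependsOn lists read from HR files on disk: bp-keycloak
# still has its pre-#503 edge set and 02-cert-manager.yaml is absent (-> "deferred").
ACTUAL_ON_DISK = {"bp-cilium": set(), "bp-gateway-api": {"bp-cilium"},
                  "bp-keycloak": {"bp-cert-manager"}}


def parse_expected(text):
    """Return {metadata.name: depends_on set}; comments dropped, no value contains '#'."""
    records, cur = [], {}
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body or body == "slots:":
            continue
        if body.startswith("- "):                  # a new list item starts a record
            cur = {}
            records.append(cur)
            body = body[2:]
        key, _, value = body.partition(":")
        cur[key.strip()] = value.strip()
    out = {}
    for r in records:                              # flow list "[a, b]" -> set of names
        items = re.fullmatch(r"\[(.*)\]", r["depends_on"]).group(1)
        out[r["name"]] = {d.strip() for d in items.split(",") if d.strip()}
    return out


def find_cycle(graph):
    """DFS over {node: deps}; returns a closed path like [a, b, a], or [] for a DAG."""
    state, path = {}, []                           # state: 1 = on current path, 2 = done

    def visit(n):
        state[n] = 1
        path.append(n)
        for d in sorted(graph.get(n, ())):
            if state.get(d) == 1:
                return path[path.index(d):] + [d]
            if d not in state and (found := visit(d)):
                return found
        path.pop()
        state[n] = 2
        return []

    for n in sorted(graph):
        if n not in state and (found := visit(n)):
            return found
    return []


def check(expected, actual, ships_httproute):
    """Return (errors, deferred): exact set match per HR on disk, 'deferred' for declared
    HRs not on disk, cycle check over declared+actual edges, bp-gateway-api rule."""
    errors, deferred = [], []
    for name, want in expected.items():
        if name not in actual:
            deferred.append(name)                  # info only, never an error
        else:
            if missing := want - actual[name]:
                errors.append(f"{name}: missing dependsOn {sorted(missing)}")
            if extra := actual[name] - want:
                errors.append(f"{name}: extra dependsOn {sorted(extra)}")
        if unknown := want - set(expected):
            errors.append(f"{name}: depends on undeclared {sorted(unknown)}")
        if name in ships_httproute and "bp-gateway-api" not in want:
            errors.append(f"{name}: ships HTTPRoute but lacks bp-gateway-api dependsOn")
    errors += [f"{n}: HR on disk but not declared" for n in actual if n not in expected]
    merged = {n: set(d) for n, d in expected.items()}
    for n, d in actual.items():
        merged.setdefault(n, set()).update(d)
    if cycle := find_cycle(merged):
        errors.append("cycle: " + " -> ".join(cycle))
    return errors, deferred


def run_example():
    """Runs the check on the constructed data; bp-keycloak's missing edge is the #503 symptom."""
    return check(parse_expected(EXPECTED_YAML), ACTUAL_ON_DISK, SHIPS_HTTPROUTE)
```

In a real run the `actual` map would come from each HR file's `spec.dependsOn[].name`, read with a YAML library rather than the subset parser here, and the "ships HTTPRoute" set would be derived by grepping chart templates for `kind: HTTPRoute` instead of being hard-coded. The cycle detector runs on the union of declared and on-disk edges, as the header specifies, so a cycle introduced only on disk (an HR file pointing back at one of its declared dependents) is caught before Flux would wedge on it.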