126 lines
5.4 KiB
YAML
126 lines
5.4 KiB
YAML
global:
|
|
# When set, ALL Catalyst-authored container image pulls route through this
|
|
# registry. Post-handover: per-Sovereign overlays set this to
|
|
# harbor.<sovereign-fqdn> so every image pull hits the Sovereign's own Harbor
|
|
# proxy_cache rather than ghcr.io directly. Empty = no rewrite (image refs
|
|
# use `images.registry` / `images.organization` defaults below). Tracked
|
|
# under #560.
|
|
imageRegistry: ""
|
|
|
|
# ─── Catalyst image coordinates ───────────────────────────────────────────────
|
|
# Default registry + org point at ghcr.io/openova-io/openova. Per-Sovereign
|
|
# overlays leave these untouched and set global.imageRegistry to the local
|
|
# Harbor mirror instead.
|
|
images:
|
|
registry: "ghcr.io"
|
|
organization: "openova-io/openova"
|
|
# SHA tags — bump these via CI when building new images.
|
|
catalystApi:
|
|
tag: "e85035c"
|
|
catalystUi:
|
|
tag: "e85035c"
|
|
marketplaceApi:
|
|
tag: "3c2f7e4"
|
|
console:
|
|
tag: "3c2f7e4"
|
|
# All 10 SME microservices share one SHA tag (built from the same mono-repo commit).
|
|
smeTag: "046e5eb"
|
|
|
|
# bp-catalyst-platform umbrella values
|
|
#
|
|
# As of 1.1.9 this umbrella ships ONLY the Catalyst-Zero control-plane
|
|
# workloads (catalyst-ui, catalyst-api, ProvisioningState CRD, Sovereign
|
|
# HTTPRoute). The 10 foundation Blueprints (cilium, cert-manager, flux,
|
|
# crossplane, sealed-secrets, spire, nats-jetstream, openbao, keycloak,
|
|
# gitea) are installed independently by clusters/_template/bootstrap-kit/
|
|
# at slots 01..10. There are no subchart values to thread here.
|
|
#
|
|
# Historic note: 1.1.4 set `bp-keycloak.keycloak.postgresql.fullnameOverride`
|
|
# and `bp-gitea.gitea.postgresql.fullnameOverride` to deconflict bitnami
|
|
# postgresql `<release>-postgresql` collisions when both Blueprints were
|
|
# subcharts of this umbrella (issue #252). Now that they're top-level
|
|
# Flux HelmReleases under separate namespaces (bp-keycloak →
|
|
# `keycloak`, bp-gitea → `gitea`), the collision is gone and the
|
|
# overrides are unnecessary.
|
|
|
|
# ProvisioningState CRD — the canonical persistence shape for Sovereign
|
|
# provisioning runs (issue #88). Keeps observability of in-flight wizard
|
|
# runs on the K8s plane (`kubectl get provisioningstates -A`) in addition
|
|
# to the catalyst-api Pod's local flat-file store at
|
|
# /var/lib/catalyst/deployments. The two stores compose: the flat file is
|
|
# authoritative (full event log, fsync-rename atomic), the CRD is the
|
|
# coarse-grained projection (state machine pending → ... → ready | failed)
|
|
# that operators and sibling controllers consume.
|
|
provisioningState:
|
|
crd:
|
|
# Default true: the CRD is part of the bp-catalyst-platform contract.
|
|
# Disable only if the cluster has the CRD installed by an out-of-band
|
|
# mechanism (test envtest harness, sibling Catalyst instance) and a
|
|
# second install would conflict.
|
|
enabled: true
|
|
|
|
# ─── Sovereign HTTPRoute (Cilium Gateway API, issue #387) ─────────────────
|
|
# Renders templates/httproute.yaml when `ingress.gateway.enabled=true`
|
|
# (default) AND per-Sovereign overlay supplies `ingress.hosts.console.host`
|
|
# and `ingress.hosts.api.host`. The legacy contabo Ingress templates
|
|
# (templates/ingress.yaml, templates/ingress-console-tls.yaml) are
|
|
# excluded from Sovereign installs via .helmignore — Sovereigns ingress
|
|
# exclusively through Cilium Gateway API per ADR-0001 §9.4.
|
|
ingress:
|
|
gateway:
|
|
enabled: true
|
|
parentRef:
|
|
name: cilium-gateway
|
|
namespace: kube-system
|
|
sectionName: https
|
|
# Hosts populated by the bootstrap-kit slot
|
|
# (clusters/_template/bootstrap-kit/13-bp-catalyst-platform.yaml).
|
|
# Empty here so `helm template` without a per-Sovereign overlay fails
|
|
# closed (Inviolable Principle #4).
|
|
hosts:
|
|
console:
|
|
host: ""
|
|
api:
|
|
host: ""
|
|
admin:
|
|
host: ""
|
|
marketplace:
|
|
host: ""
|
|
# Marketplace mode toggle (issue #710). When enabled, the chart renders
|
|
# templates/sme-services/marketplace-routes.yaml exposing
|
|
# marketplace.<sov>/{,api/,back-office/} and *.<sov> (tenant wildcard)
|
|
# via Cilium Gateway. Default OFF — non-marketplace Sovereigns get the
|
|
# SME workloads but no public ingress.
|
|
marketplace:
|
|
enabled: false
|
|
|
|
# Marketplace operator branding + payment + signup config (issue #710).
|
|
# Operator-supplied at provision time; rendered into ConfigMaps consumed
|
|
# by templates/sme-services/marketplace.yaml + admin.yaml. Defaults are
|
|
# safe placeholders so non-marketplace Sovereigns render without input.
|
|
marketplace:
|
|
brand:
|
|
name: "" # Display name in storefront header (e.g. "Otech Cloud")
|
|
tagline: "" # Sub-headline (e.g. "Cloud + SaaS for Oman")
|
|
logo: "" # Logo URL (data: or remote)
|
|
primaryColor: "" # Hex (#RRGGBB) — falls back to chart default if empty
|
|
currency: "USD" # ISO-4217 (OMR / USD / EUR / SAR / AED / ...)
|
|
paymentProvider:
|
|
stripe:
|
|
enabled: false
|
|
publishableKey: "" # safe to render in storefront JS
|
|
secretKeyRef: # Secret + key holding STRIPE_SECRET_KEY
|
|
name: "" # default: "" — disabled
|
|
key: "secret-key"
|
|
webhookSecretRef:
|
|
name: ""
|
|
key: "webhook-secret"
|
|
signupPolicy:
|
|
requireVoucher: false # if true, /redeem must succeed before signup
|
|
googleOAuth:
|
|
enabled: false
|
|
clientId: ""
|
|
clientSecretRef:
|
|
name: ""
|
|
key: "client-secret"
|