Commit Graph

3 Commits

Author SHA1 Message Date
e3mrah
9a2f423ab7
fix: mark bp-dmz-vcluster + bp-netbird default-off for smoke-render gate (#1286)
* fix(bp-keycloak): truncate catalyst-api-server description <255 chars (Postgres limit)

Keycloak DB column CLIENT.DESCRIPTION = varchar(255). Previous value was
458 chars, causing realm-config-cli post-install hook to fail with
PSQLException value too long. Caught on omantel provision #6 iter-13
chart roll — keycloak-config-cli Job CrashLoop, bp-keycloak HR False,
upstream HRs blocked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(bp-keycloak): truncate catalyst-api-server desc <255 chars (Postgres limit)

Keycloak DB column CLIENT.DESCRIPTION = varchar(255). Previous value was
458 chars (since Fix #23 / commit febd5fef), causing realm-config-cli
post-install hook to fail with PSQLException 'value too long for type
character varying(255)' on every fresh Sovereign provision.

Caught on omantel provision #6 — keycloak-config-cli Job CrashLoop,
bp-keycloak HR False, all upstream HRs blocked from converging.

Backport to 1.4.x (1.5.0 had a separate breaking realm-rename change
reverted via PR #1282). Bootstrap-kit pin updated to 1.4.2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(bp-dmz-vcluster, bp-netbird): mark default-off so smoke-render gate accepts 1-line manifests

Both blueprints are scratch charts (no upstream subchart) gated default-off.
helm-template smoke renders <2 lines, hitting the platform-wide
'Empty render' gate added in #181. Adding the documented annotation
'catalyst.openova.io/smoke-render-mode: "default-off"' for both — same
mechanism bp-qa-app uses (catalyst.openova.io/no-upstream).

Caught on omantel provision #6 — bp-dmz-vcluster + bp-netbird HelmRelease
permanently failing chart pull because Blueprint Release CI never
published their charts (smoke gate failure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 15:57:18 +04:00
e3mrah
4a77a624bc
fix(infra): wire NetBird, DMZ vCluster, Hubble UI, BGP, Gitea client — qa-loop iter-12 Fix #53B+C (#1275)
* fix(infra): wire NetBird, DMZ vCluster, Hubble UI, BGP, Gitea client — qa-loop iter-12 Fix #53B+C

Phase-4 infra installs from iter-12 diagnostic audit (37 of 41 e-blocked TCs covered):

bp-catalyst-platform 1.4.120 → 1.4.122 — Gitea client wired (cluster B, 4 TCs):
- catalyst-api Deployment now reads CATALYST_GITEA_URL + CATALYST_GITEA_TOKEN from `catalyst-gitea-token` Secret (mirrors blueprint-controller pattern).
- Unblocks /api/v1/sovereigns/.../blueprints/{publish,curatable,curate,edit-pr} which previously returned 503 "Gitea client unconfigured".
- TC-081, TC-082, TC-083, TC-085.

bp-netbird 0.1.0 → 0.1.1 + slot 53 install (cluster C, 4 TCs):
- Pinned image tags (netbirdio/management:0.34.0, signal:0.34.0, coturn:4.6.2) so chart renders without CI mirror cycle.
- Bootstrap-kit slot 53 enables NetBird on omantel; OIDC issuer points at the new omantel realm (Fix #53A).
- TC-281, TC-282, TC-283, TC-284.

bp-dmz-vcluster 0.1.0 → 0.1.1 + slot 54 install (cluster C, 3 TCs):
- Pinned upstream loft-sh/vcluster:0.20.0 tag.
- Bootstrap-kit slot 54 enables DMZ vCluster `omantel-dmz` on omantel.
- TC-286, TC-287, TC-288.

bp-cilium chart pin 1.2.0 → 1.3.0 + Hubble UI ingress + BGP (cluster C, 3 TCs):
- Hubble relay + UI enabled in omantel cilium overlay.
- catalystOverlay.hubbleUI block enables HTTPRoute hubble.console.omantel.biz; external-dns auto-creates the DNS record.
- bgpControlPlane.enabled=true for multi-region peering (TC-349).
- TC-289, TC-290, TC-349.

Total: 14 of the 25 cluster-C TCs covered + 4 cluster-B TCs.

* fix(catalyst-api): use literal in-cluster Gitea URL (Helm-template breaks Kustomize parse) — qa-loop iter-12 Fix #53C follow-up
2026-05-10 10:50:36 +04:00
e3mrah
2c32fde847
feat(epic-5): NetBird mesh + ClusterMesh activator + DMZ vCluster scaffolds (#1100) (#1171)
Closes the EPIC-5 leftovers (per .claude/architect-briefs/epic-5/00-master-brief-leftovers.md):

* NB — bp-netbird platform Blueprint chart (default-OFF, SHA-pinned, fail-fast).
  Renders 12 resources ON: 3 Deployments (management + signal + coturn) +
  3 Services + 1 PVC + 1 HTTPRoute + 1 NetworkPolicy + 2 SealedSecrets +
  1 ConfigMap. KC realm-config ConfigMap mirrors the Guacamole pattern
  from slice K+P+X1+G #1164 — adds `netbird` OIDC client + `netbird-user` /
  `netbird-admin` realm roles + `netbird-users` / `netbird-admins` groups.

* CM — ClusterMesh activator slice on the existing Cilium chart.
  Adds platform/cilium/chart/values-clustermesh.yaml (operator-applied
  values overlay) + templates/clustermesh-config.yaml (renders the
  catalyst-clustermesh-config ConfigMap when cluster.name + cluster.id
  are set per-Sovereign). Operator runbook for `cilium clustermesh enable`
  + `cilium clustermesh connect` documented inline. Default Cilium chart
  render is unchanged — this slice is purely additive + opt-in.

* DMZ — bp-dmz-vcluster product Blueprint chart (default-OFF,
  SHA-pinned, fail-fast). Renders 4 resources ON without hostname
  (HelmRelease wrapping upstream loft-sh/vcluster + Service + 2
  NetworkPolicies); 5 resources with HTTPRoute hostname. Isolation
  pattern: own openova-system namespace inside host cluster → own Cilium
  identity → default-deny + allow-essentials NetworkPolicies → public
  egress only via designated egress gateway.

All 3 charts: helm lint clean. Tests at chart/tests/render.sh +
chart/tests/clustermesh-overlay.sh. Pre-existing CI flakes per canon §7
remain — they're not introduced by this slice.

Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 12:14:56 +04:00