35b9c77923
1 Commits
SHA1: ba2ff05292
feat(charts): bp-seaweedfs + bp-harbor + bp-vpa wrapper charts (#284)

W2.5.B — first authoring of the three Catalyst Blueprint wrapper charts
that fill bootstrap-kit slots 18 (seaweedfs), 19 (harbor) and 29 (vpa).
Each wraps an upstream chart as a Helm subchart and ships Catalyst-
curated overlay templates (NetworkPolicy + ServiceMonitor) gated behind
opt-in toggles, per docs/BLUEPRINT-AUTHORING.md §11 and
docs/INVIOLABLE-PRINCIPLES.md.

bp-seaweedfs (slot 18 — storage foundation)
- Wraps seaweedfs/seaweedfs 4.22.0; Chart name `bp-seaweedfs`.
- Catalyst defaults: 1 master + 3 volume + 1 filer + 2 s3 replicas.
- S3 API on 8333 — single S3 surface every consumer talks to per
  docs/PLATFORM-TECH-STACK.md §3.5 (no per-app MinIO).
- Overlay templates: NetworkPolicy (cross-namespace S3 reachability,
  cold-tier egress allowlist), ServiceMonitor (Capabilities-gated,
  DEFAULT FALSE per §11.2).
- Default helm template kinds: ClusterRole, ClusterRoleBinding,
  ConfigMap, Deployment, Secret, Service, ServiceAccount, StatefulSet.

bp-harbor (slot 19 — per-Sovereign OCI registry)
- Wraps goharbor/harbor 1.18.3 (appVersion 2.14.3); Chart name
  `bp-harbor`.
- Catalyst defaults: blob backend = SeaweedFS S3 (regionendpoint
  seaweedfs-s3.seaweedfs.svc:8333), metadata DB = bp-cnpg external
  Postgres, ingress class `cilium`, expose.tls.enabled true (cert-
  manager-issued Secret).
- Overlay templates: NetworkPolicy (CNPG/SeaweedFS/Keycloak egress),
  ServiceMonitor (Capabilities-gated, DEFAULT FALSE).
- Trivy + SSO + pull-mirror are operator-flag opt-ins per per-
  Sovereign overlay (default false; trivy/keycloak/cnpg deps land on
  later slots).
- Default helm template kinds: ConfigMap, Deployment, Ingress,
  PersistentVolumeClaim, Secret, Service, StatefulSet.

bp-vpa (slot 29 — vertical autoscaling)
- Wraps cowboysysop/vertical-pod-autoscaler 11.1.1 (appVersion
  1.5.0); Chart name `bp-vpa`.
- Catalyst defaults: 1 replica each of recommender + updater +
  admission-controller. Default mode `Off` (recommend only).
- Admission webhook self-signs via init Job (cluster-internal); per-
  Sovereign overlay MAY swap to cert-manager.
- Overlay templates: NetworkPolicy (apiserver + metrics-server
  egress, admission webhook ingress).
- Upstream metrics.serviceMonitor / metrics.prometheusRule defaulted
  false per §11.2.
- Default helm template kinds: ClusterRole, ClusterRoleBinding,
  ConfigMap, Deployment, Job, Pod, Secret, Service, ServiceAccount.

Lint + observability-toggle results
helm lint: 1 chart(s) linted, 0 chart(s) failed (each)
tests/observability-toggle.sh: PASS on all three (default render has
zero monitoring.coreos.com/v1 references; opt-in render produces a
ServiceMonitor; explicit-off render is clean).

Path isolation: only platform/seaweedfs/, platform/harbor/, and
platform/vpa/ — no HR slot files or other charts touched.

Refs: bootstrap-kit slots 18, 19, 29 reconcile against
ghcr.io/openova-io/bp-seaweedfs:1.0.0, bp-harbor:1.0.0, bp-vpa:1.0.0
which this commit produces on next blueprint-release CI run.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
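The three-way observability toggle check reported in the commit message (default render has no monitoring.coreos.com/v1 objects, opt-in render produces a ServiceMonitor, explicit-off render is clean) can be expressed as a gate over rendered manifests. This is an added example, not the repository's tests/observability-toggle.sh; the function names, sample manifests and resource names are constructed, and in practice each input file would hold `helm template` output for one set of values.

```shell
#!/usr/bin/env bash
# Added example; not the repository's tests/observability-toggle.sh.
# Input: a multi-document YAML stream, e.g. the output of `helm template`.

# kinds: print "apiVersion kind" from each document's top-level keys.
kinds() {
  awk '
    function emit() { if (api != "" && kind != "") print api " " kind; api = ""; kind = "" }
    /^---/         { emit(); next }
    /^apiVersion:/ { gsub(/"/, "", $2); api = $2 }
    /^kind:/       { gsub(/"/, "", $2); kind = $2 }
    END            { emit() }
  '
}

# monitoring_count: number of documents in the monitoring.coreos.com/v1 API.
monitoring_count() { kinds | grep -c '^monitoring\.coreos\.com/v1 ' || true; }

# check_toggle DEFAULT OPTIN OFF: each argument is a file of rendered manifests.
check_toggle() {
  [ "$(monitoring_count < "$1")" -eq 0 ] || { echo "FAIL: default render uses monitoring.coreos.com/v1"; return 1; }
  kinds < "$2" | grep -q '^monitoring\.coreos\.com/v1 ServiceMonitor$' || { echo "FAIL: opt-in render has no ServiceMonitor"; return 1; }
  [ "$(monitoring_count < "$3")" -eq 0 ] || { echo "FAIL: explicit-off render uses monitoring.coreos.com/v1"; return 1; }
  echo PASS
}

# write_samples DIR: constructed renders; resource names are made up.
write_samples() {
  cat > "$1/default.yaml" <<'EOF'
---
apiVersion: v1
kind: Service
metadata:
  name: example-s3
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-s3
EOF
  cp "$1/default.yaml" "$1/off.yaml"
  { cat "$1/default.yaml"
    printf '%s\n' '---' 'apiVersion: monitoring.coreos.com/v1' 'kind: ServiceMonitor' 'metadata:' '  name: example-s3'
  } > "$1/optin.yaml"
}

demo() { d=$(mktemp -d); write_samples "$d"; check_toggle "$d/default.yaml" "$d/optin.yaml" "$d/off.yaml"; rm -rf "$d"; }
demo
```

A default render that leaks a ServiceMonitor fails the first check, which is the case that matters on clusters where the Prometheus Operator CRDs are not installed.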