* fix(bp-gitea): switch to CNPG-managed postgres, drop bitnamilegacy subchart (Closes #584)
The bundled Bitnami postgresql subchart pulls docker.io/bitnamilegacy/postgresql
which is unavailable (DH deprecated namespace) — gitea-postgresql-0 stuck in
ImagePullBackOff on otech22, cascading to gitea Init:CrashLoopBackOff.
Mirrors the bp-harbor pattern (PR #578): provision a CNPG Cluster CR (gitea-pg,
namespace gitea, 5Gi, pg16) + a reflector-managed gitea-database-secret, wiring
GITEA__database__PASSWD from the CNPG-generated gitea-pg-app Secret. All Bitnami
subchart config removed; postgresql.enabled: false.
Bootstrap-kit (template + otech + omantel): bump bp-gitea 1.1.2 → 1.2.0, add
dependsOn: bp-cnpg so the postgresql.cnpg.io/v1 CRD is registered before the
Capabilities gate in cnpg-cluster.yaml fires. omantel overlay migrated from
legacy ingress: to gateway: (Cilium Gateway API, issue #387).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(dependency-audit): add bp-reflector (5a) to expected DAG + external-dns dep edge
bp-reflector was added to the bootstrap-kit (slot 05a) in issue #543 but was
never registered in scripts/expected-bootstrap-deps.yaml, causing the
dependency-graph-audit CI gate to error on every PR that includes this branch.
Also declare bp-reflector in bp-external-dns's depends_on to match the actual
HR file (12-external-dns.yaml dependsOn bp-reflector).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(bp-gateway-api): update CRD-count test 5→10 for experimental channel + DAG audit
Two fixes to unblock bp-gateway-api:1.1.0 OCI publish and the
dependency-graph-audit CI gate:
1. crd-render.sh: expect 10 CRDs (experimental channel) not 5.
Chart 1.1.0 vendors experimental-install.yaml (TLSRoute, TCPRoute,
UDPRoute, BackendLBPolicy, BackendTLSPolicy in addition to 5 standard
CRDs) because Cilium 1.16.x checks for TLSRoute at operator startup.
Without this fix the blueprint-release workflow for 1.1.0 fails the
chart-test step and never pushes to GHCR — leaving all 13 dependent
HRs stuck dependency-not-ready on every Sovereign.
2. expected-bootstrap-deps.yaml: add bp-reflector (slot 5a) and update
bp-external-dns depends_on to include bp-reflector. bp-reflector was
added to the bootstrap-kit in issue #543 but was missing from the
expected DAG, causing dependency-graph-audit ERRORs on every PR.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: hatiyildiz <hatice@openova.io>
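The dependency-graph-audit gate referred to in the fixes above, reduced to its core check as an added example (not the project's own audit script): it compares the dependsOn edges read from the bootstrap-kit HelmReleases against the expected DAG, reports the missing-slot and missing-edge cases the bp-reflector fix describes, and rejects cycles, which Flux would never reconcile. The two dictionaries are constructed stand-ins for the YAML files.

```python
# Constructed stand-in for scripts/expected-bootstrap-deps.yaml (the real file
# is YAML and would be loaded with a YAML library); slot -> declared depends_on.
EXPECTED = {
    "bp-cilium": [],
    "bp-gateway-api": ["bp-cilium"],
    "bp-reflector": ["bp-cilium"],
    "bp-external-dns": ["bp-cilium", "bp-reflector"],
}

# Constructed dependsOn lists as read from the bootstrap-kit HelmRelease files.
HELMRELEASES = {
    "bp-cilium": [],
    "bp-gateway-api": ["bp-cilium"],
    "bp-reflector": ["bp-cilium"],
    "bp-external-dns": ["bp-cilium", "bp-reflector"],
}


def has_cycle(graph):
    """True if some dependsOn chain loops back on itself (Flux would never reconcile it)."""
    state = {}  # node -> 1 while on the current DFS path, 2 once fully explored

    def visit(node):
        if node in state:
            return state[node] == 1  # still on the path means we closed a loop
        state[node] = 1
        if any(visit(d) for d in graph.get(node, [])):
            return True
        state[node] = 2
        return False

    return any(visit(n) for n in graph)


def audit(expected, helmreleases):
    """Return sorted ERROR lines; an empty list means the gate passes."""
    errors = []
    for name, deps in helmreleases.items():
        if name not in expected:  # the bp-reflector case from the commit above
            errors.append(f"{name}: HelmRelease not declared in expected DAG")
            continue
        for d in sorted(set(deps) - set(expected[name])):
            errors.append(f"{name}: HR dependsOn {d} missing from expected DAG")
        for d in sorted(set(expected[name]) - set(deps)):
            errors.append(f"{name}: expected DAG lists {d} but HR lacks it")
        for d in deps:
            if d not in helmreleases:
                errors.append(f"{name}: dependsOn {d} has no HelmRelease")
    if has_cycle(helmreleases):
        errors.append("dependsOn graph contains a cycle")
    return sorted(errors)
```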
Root cause (otech22 2026-05-02): Cilium operator checks for Gateway API
CRDs at startup and disables its gateway controller if they are absent —
a static, one-shot decision. Cloud-init installs k3s+Cilium first, then
Flux reconciles bp-gateway-api minutes later, so the operator always
starts without CRDs and never recovers. All 8 HTTPRoutes orphaned.
Three-part permanent fix:
1. cloud-init: apply Gateway API v1.1.0 experimental CRDs (incl.
TLSRoute) BEFORE the Cilium helm install. Cilium 1.16.x requires
TLSRoute CRD to be present; without it the operator's capability
check fails entirely and disables the gateway controller.
2. bp-cilium (1.1.2 → 1.1.3): add gatewayAPI.gatewayClass.create: "true"
to force GatewayClass creation regardless of CRD presence at Helm
render time. Upstream default "auto" skips GatewayClass when the
gateway API CRDs are absent at install time (Capabilities check).
3. bp-gateway-api (1.0.0 → 1.1.0): downgrade CRDs from v1.2.0 to v1.1.0
and ship experimental channel (TLSRoute, TCPRoute, UDPRoute,
BackendLBPolicy, BackendTLSPolicy). Gateway API v1.2.0 changed
status.supportedFeatures from string[] to object[]; Cilium 1.16.5
writes the old string format and the v1.2.0 CRD rejects the status
patch with "must be of type object: string", leaving GatewayClass
permanently Unknown/Pending. v1.1.0 retains string schema.
Upgrade path: bump bp-gateway-api + bp-cilium together when Cilium ≥ 1.17
adopts the v1.2.0 object schema for supportedFeatures.
Closes #503
Co-authored-by: hatiyildiz <hatiyildiz@openova.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds bp-gateway-api Blueprint (slot 01a) that vendors the upstream
Kubernetes Gateway API Standard-channel CRDs (v1.2.0) and registers them
ahead of every chart that ships HTTPRoute templates: bp-openbao,
bp-keycloak, bp-gitea, bp-powerdns, bp-catalyst-platform, bp-harbor,
bp-grafana.
Phase-8a-preflight live deployment otech10 (e1a0cd6662872fcb on
catalyst-api:c148ef3, 2026-05-01) reached 21/37 HRs Ready=True before
stalling on bp-harbor / bp-openbao / bp-powerdns reconciling to
InstallFailed with `no matches for kind "HTTPRoute" in version
"gateway.networking.k8s.io/v1"`. Cilium 1.16's chart `gatewayAPI.enabled=true`
flag wires up the cilium gateway controller and creates
the `cilium` GatewayClass, but does NOT install the
gateway.networking.k8s.io CRDs themselves; cilium 1.16 has no
`installCRDs`-equivalent knob for gateway-api so the upstream CRDs must
ship via a separate Blueprint.
Pattern locked in by docs/INVIOLABLE-PRINCIPLES.md and reinforced by
the founder for ALL similar future cases: intra-chart CRD-ordering
breaks → split into two charts + Flux dependsOn. Mirrors the
bp-crossplane/bp-crossplane-claims and bp-external-secrets/
bp-external-secrets-stores splits.
Files:
- platform/gateway-api/{blueprint.yaml,chart/} — new Blueprint with
per-CRD templates vendored from kubernetes-sigs/gateway-api v1.2.0
standard-install.yaml; helm.sh/resource-policy: keep on every CRD so
Helm uninstall does not orphan every HTTPRoute on the cluster
- platform/gateway-api/chart/scripts/regenerate.sh — developer tool
for re-vendoring on upstream version bump (annotation-driven)
- platform/gateway-api/chart/tests/crd-render.sh — chart integration
test (5 CRDs, keep annotation, bundle-version matches Chart.yaml pin)
- clusters/_template/bootstrap-kit/01a-gateway-api.yaml — HelmRelease
+ HelmRepository, dependsOn bp-cilium
- clusters/_template/bootstrap-kit/{08-openbao,09-keycloak,10-gitea,
11-powerdns,13-bp-catalyst-platform,19-harbor,25-grafana}.yaml —
add `dependsOn: bp-gateway-api`
- clusters/_template/bootstrap-kit/kustomization.yaml — register
01a-gateway-api.yaml between 01-cilium and 02-cert-manager
- scripts/expected-bootstrap-deps.yaml — declare slot 1a + add
bp-gateway-api to depends_on of every HTTPRoute-using slot
Closes #503
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>