* docs(wbs): Mermaid DAG shows actual Phase-8a dependency cascade

  Per founder corrective: existing diagram missed the real blockers surfaced during otech10..otech22 burns. The image-pull-through gap (#557) and the cross-namespace secret gap (#543, #544) gate every workload pull from a public registry — without them, Sovereign hits DockerHub anonymous rate-limit on first provision and 30+ HRs are ImagePullBackOff/CreateContainerConfigError.

  Adds:
  - Phase 0b · Image pull-through (#557 + #557B Sovereign-Harbor swap + #557C charts global.imageRegistry templating). Edges to NATS / Gitea / Harbor / Grafana / Loki / Mimir / PowerDNS / Crossplane / cert-manager-powerdns-webhook / Trivy / Kyverno / SPIRE / OpenBao
  - Phase 0c · Cross-namespace secrets (#543 ghcr-pull Reflector + #544 powerdns-api-credentials reflect). Edges to bp-catalyst-platform and bp-cert-manager-powerdns-webhook
  - Phase 1 additions: #542 kubeconfig CP-IP fix and #547 helmwatch 38-HR threshold both gate Phase 8a integration test
  - Phase 0b → Phase 8b edge: post-handover Sovereign-Harbor swap is what makes "zero contabo dependency" DoD-met possible

  WBS now reflects the cascade observed live, not the pre-Phase-8a model.

* feat(platform): add global.imageRegistry to bp-cilium/cert-manager/cert-manager-powerdns-webhook/sealed-secrets (PR 1/3, #560)

  - bp-cilium 1.1.1→1.1.2: global.imageRegistry stub added; upstream cilium subchart does not expose a single registry knob — per-Sovereign overlays wire specific image.repository fields alongside this value.
  - bp-cert-manager 1.1.1→1.1.2: global.imageRegistry stub added; upstream chart exposes per-component image.registry knobs documented in the comment.
  - bp-cert-manager-powerdns-webhook 1.0.2→1.0.3: global.imageRegistry stub added + deployment.yaml templated to prefix the webhook image repository when the value is non-empty. Verified: helm template with --set global.imageRegistry=harbor.openova.io produces harbor.openova.io/zachomedia/cert-manager-webhook-pdns:<appVersion>.
  - bp-sealed-secrets 1.1.1→1.1.2: global.imageRegistry stub added; upstream subchart exposes sealed-secrets.image.registry for overlay wiring.

  All four charts render clean with default values (empty imageRegistry).

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: hatiyildiz <hatiyildiz@openova.io>
  Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
28 lines
1.2 KiB
YAML
apiVersion: v2
name: bp-sealed-secrets
version: 1.1.2
description: |
  Catalyst-curated Blueprint umbrella chart for sealed-secrets. Depends on
  the upstream `sealed-secrets` chart (bitnami-labs) as a Helm subchart so
  `helm dependency build` pulls the upstream payload into this artifact;
  the Catalyst overlay templates in templates/ (NetworkPolicy,
  ExternalSecret, ServiceMonitor) sit alongside the upstream subchart and
  Helm renders both at install time. Catalyst-curated values flow into the
  upstream subchart under the `sealed-secrets:` key in values.yaml.
type: application
keywords: [catalyst, blueprint, sealed-secrets]
maintainers:
  - name: OpenOva Catalyst
    email: catalyst@openova.io

# Upstream chart pulled in as a Helm subchart so `helm dependency build`
# bundles it into the OCI artifact. Pinned to sealed-secrets 2.16.1
# (matches platform/sealed-secrets/blueprint.yaml + values.yaml
# `catalystBlueprint.upstream.version`). Per
# docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode) the version is
# operator-bumpable via PR + Blueprint release.
dependencies:
  - name: sealed-secrets
    version: "2.16.1"
    repository: "https://bitnami-labs.github.io/sealed-secrets"
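The comment in the Chart.yaml above says the subchart pin must match `catalystBlueprint.upstream.version`. The following is an added example, not code from this repository, of a pre-merge check that flags a floating version, a non-TLS repository, or drift from that recorded version. The function names are hypothetical, the caller supplies the expected version, and the line-based reader is an assumption that only covers the flat `dependencies:` layout shown here.

```python
import re

EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+$")  # rejects ranges such as ^2.16.0 or 2.x

# Dependency stanza as shown on the page.
PAGE_CHART = '''name: bp-sealed-secrets
version: 1.1.2
dependencies:
  - name: sealed-secrets
    version: "2.16.1"
    repository: "https://bitnami-labs.github.io/sealed-secrets"
'''
# Constructed bad variant: floating range and a plain-HTTP repository.
DRIFTED_CHART = PAGE_CHART.replace('"2.16.1"', '"^2.16.0"').replace(
    "https://bitnami-labs.github.io", "http://charts.example.invalid")

def parse_dependencies(chart_text):
    """Read the flat `dependencies:` list; not a general YAML parser."""
    deps, in_deps = [], False
    for raw in chart_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "-")):        # a new top-level key
            in_deps = line.strip() == "dependencies:"
            continue
        if not in_deps:
            continue
        item = line.strip()
        if item.startswith("- "):                  # start of a new list entry
            deps.append({})
            item = item[2:]
        key, _, value = item.partition(":")
        if deps:
            deps[-1][key.strip()] = value.strip().strip("\"'")
    return deps

def check_pins(deps, expected):
    """`expected` maps dependency name -> version recorded outside Chart.yaml."""
    findings = []
    for d in deps:
        name, ver, repo = d.get("name", "?"), d.get("version", ""), d.get("repository", "")
        if not EXACT_PIN.match(ver):
            findings.append(f"{name}: version {ver!r} is not an exact pin")
        elif expected.get(name) != ver:
            findings.append(f"{name}: Chart.yaml pins {ver}, expected {expected.get(name)}")
        if not repo.startswith(("https://", "oci://")):
            findings.append(f"{name}: repository {repo!r} is not https:// or oci://")
    return findings
```
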