openova/platform/k8s-ws-proxy/chart/Chart.yaml
2026-05-10 18:28:18 +00:00

apiVersion: v2
name: bp-k8s-ws-proxy
# 0.1.1 (qa-loop iter-7 Fix #39): canonical workload name `k8s-ws-proxy`
# regardless of release name — DaemonSet + Service + ClusterRole +
# ClusterRoleBinding all named `k8s-ws-proxy` so the catalyst-api
# shells/issue handler + qa-loop test matrix (TC-236, TC-237) can
# address them without release-name knowledge.
# 0.1.4 (Fix #39 follow-up): default imagePullSecrets to [{name:
# ghcr-pull}] so the DaemonSet can pull from private GHCR without a
# per-Sovereign overlay. The `ghcr-pull` secret is the canonical
# pull-credential surface across every Sovereign (catalyst-api,
# catalyst-ui and k8s-ws-proxy all mount it).
# Note: build-k8s-ws-proxy.yaml's promote job will auto-bump this to
# 0.1.5 on merge (with the new image SHA in values.yaml). Slot pin
# at 0.1.5 so omantel reconciles against the chart that carries
# BOTH the imagePullSecrets default AND the new image SHA.
# 0.1.6 (qa-loop bounded-cycle Wave 5 Fix #78, Gap E): adds
# templates/hmac-bootstrap-job.yaml, a Helm pre-install/pre-upgrade
# hook (weight -10) that auto-generates the `k8s-ws-proxy-hmac` Secret
# from /dev/urandom when it is absent. Before this fix, on every fresh
# Sovereign the DaemonSet pods sat in ContainerCreating forever with
# "secret k8s-ws-proxy-hmac not found" because the chart referenced
# the Secret but never created it (audit prov #7 Gap E). Idempotent on
# upgrade: an existing key is preserved, because rotating it would
# invalidate every in-flight catalyst-api signature. build-k8s-ws-proxy.yaml's
# promote job will auto-bump this to 0.1.7 on merge with the new image
# SHA; slot pins should be lifted to 0.1.7 once that promote runs.
# 0.1.8 (qa-loop bounded-cycle Fix #95, regression of Fix #78):
# explicit hook-weight ordering for the hmac-bootstrap quartet so the
# ServiceAccount lands BEFORE the Job that references it. Fix #78 set
# SA/Role/RoleBinding=0 and Job=-10; per Helm semantics (lower weights
# run first within the same hook phase) this caused the Job to be
# applied BEFORE its SA, surfacing on prov #8 as
# `serviceaccount "k8s-ws-proxy-hmac-bootstrap" not found` →
# CrashLoopBackOff → bp-k8s-ws-proxy HR Stalled → bp-guacamole blocked.
# Fix #95 weights: SA=-20 (first), Role+RoleBinding=-15, Job=-10
# (last; preserves Fix #78 render-test gate 3a). Render gate 9 added
# in tests/render.sh asserts the four-tier ordering. build-k8s-ws-
# proxy.yaml's promote job will auto-bump to 0.1.9 with the new image
# SHA on merge; bootstrap-kit slot pins should be lifted to 0.1.9 once
# that promote runs.
version: 0.1.9
appVersion: "0.1.0"
description: |
  Catalyst-authored Blueprint chart for the k8s-ws-proxy DaemonSet,
  the per-node WebSocket exec proxy that bridges HMAC-signed upstream
  callers (catalyst-api, Guacamole) onto the local kube-apiserver
  /api/v1/.../pods/exec stream.
  Per docs/INVIOLABLE-PRINCIPLES.md the binary is shipped as a
  DaemonSet so connections stay node-local; the Service sets
  `internalTrafficPolicy: Local` so kube-proxy delivers traffic only
  to the proxy pod on the node the caller is on and never forwards it
  to another node's pod.
  Default-OFF gate: `k8sWsProxy.enabled: false`. The operator opts in
  via a per-Sovereign overlay AND populates the SHA-pinned image tag
  via CI.
  See `core/cmd/k8s-ws-proxy/DESIGN.md` for the wire contract and
  failure-mode matrix.
type: application
keywords: [catalyst, blueprint, k8s, exec, websocket, daemonset]
annotations:
  # Default values render zero resources (k8sWsProxy.enabled=false).
  # The blueprint-release smoke gate honors this annotation and
  # accepts a short default render; chart/tests/render.sh covers the
  # enabled-render path with full --set overrides.
  catalyst.openova.io/smoke-render-mode: default-off
maintainers:
  - name: OpenOva Catalyst
    email: catalyst@openova.io
dependencies:
  - name: common
    version: "0.1.3"
    repository: "https://sigstore.github.io/helm-charts"
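The hook quartet that the 0.1.6 and 0.1.8 changelog entries above describe, written out as an added illustration. This is not the chart's own `templates/hmac-bootstrap-job.yaml`; it is an example of the pattern those entries record: four hook resources with the Fix #95 weights (ServiceAccount -20, Role and RoleBinding -15, Job -10, lower weights applied first within the pre-install/pre-upgrade phase), and a Job script that creates the `k8s-ws-proxy-hmac` Secret from /dev/urandom only when it does not already exist. Everything not stated on the page is an assumption and is marked as such in the template: the Secret data key `hmac-key`, the `bitnami/kubectl` image, the Role's verb list, and `backoffLimit: 3`.

```yaml
{{- /*
Added illustration, not the chart's own templates/hmac-bootstrap-job.yaml.
Assumptions not stated on the page: the Secret data key `hmac-key`, the
`bitnami/kubectl` image (pin it by digest in a real overlay), the Role's
verb list, and backoffLimit. Weights follow Fix #95: SA -20, Role and
RoleBinding -15, Job -10. Helm applies hooks of one phase in ascending
weight order, so the ServiceAccount exists before the Job references it.
*/}}
{{- if .Values.k8sWsProxy.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-ws-proxy-hmac-bootstrap
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-20"   # Fix #78 had "0" here, so the Job (-10) was applied first
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: k8s-ws-proxy-hmac-bootstrap
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-15"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
  # Assumed least-privilege set: the Job may read and create secrets but never
  # update or delete, so a misbehaving bootstrap pod cannot rotate or remove a key.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k8s-ws-proxy-hmac-bootstrap
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-15"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
subjects:
  - kind: ServiceAccount
    name: k8s-ws-proxy-hmac-bootstrap
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: k8s-ws-proxy-hmac-bootstrap
---
apiVersion: batch/v1
kind: Job
metadata:
  name: k8s-ws-proxy-hmac-bootstrap
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-10"   # highest of the four, so it is applied last
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 3                  # assumption
  template:
    spec:
      serviceAccountName: k8s-ws-proxy-hmac-bootstrap
      restartPolicy: Never
      containers:
        - name: bootstrap
          image: bitnami/kubectl:latest   # assumption; pin by digest in practice
          command: ["/bin/sh", "-ec"]
          args:
            - |
              NS={{ .Release.Namespace }}; NAME=k8s-ws-proxy-hmac
              # Idempotent: an existing key is never touched, because rotating
              # it would invalidate every in-flight catalyst-api signature.
              if kubectl -n "$NS" get secret "$NAME" >/dev/null 2>&1; then
                echo "secret $NAME already present, leaving key unchanged"; exit 0
              fi
              # 32 bytes (256 bits) from the kernel CSPRNG, hex-encoded to 64 chars.
              KEY=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
              if kubectl -n "$NS" create secret generic "$NAME" --from-literal=hmac-key="$KEY"; then
                exit 0
              fi
              # create failed: tolerate losing a race to a concurrent run, fail on anything else.
              kubectl -n "$NS" get secret "$NAME" >/dev/null
{{- end }}
```

Two properties of this layout are worth checking in a render test rather than trusting: `helm template --set k8sWsProxy.enabled=true` followed by a grep for `helm.sh/hook-weight` must show the four values in the order -20, -15, -15, -10, and the Job must carry the highest weight. Note also that the Secret is created by kubectl inside the Job, not rendered by Helm, so it is not owned by the release: it survives `helm uninstall` and a reinstall, which is exactly what keeps the key stable across upgrades, and it means a deliberate key rotation has to be done by deleting the Secret before the next upgrade runs the hook.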