openova/platform/reflector/chart/Chart.yaml
e3mrah b2307e290d
fix: bp-reflector + rename ghcr-pull-secret->ghcr-pull (Closes #543) (#554)
Part A — bp-reflector blueprint:
- Add clusters/_template/bootstrap-kit/05a-reflector.yaml (slot 05a,
  dependsOn bp-cert-manager) — installs emberstack/reflector v7.1.288
  via the bp-reflector OCI wrapper chart.
- Register in bootstrap-kit/kustomization.yaml.
- Add platform/reflector/chart/ wrapper (Chart.yaml + values.yaml):
  single replica, 32Mi memory, ServiceMonitor off by default.

Part B — annotate flux-system/ghcr-pull + rename in charts:
- infra/hetzner/cloudinit-control-plane.tftpl: add four Reflector
  annotations to the ghcr-pull Secret written at cloud-init time so
  Reflector auto-mirrors it to every namespace on first boot.
- Rename imagePullSecrets from ghcr-pull-secret to ghcr-pull in:
  api-deployment.yaml, ui-deployment.yaml,
  marketplace-api/deployment.yaml, and all 11 sme-services/*.yaml
  (14 total occurrences).
- Bump bp-catalyst-platform chart 1.1.12->1.1.13; update bootstrap-kit
  HelmRelease version reference to match.

Root cause: the canonical secret name is ghcr-pull (written by
cloud-init as /var/lib/catalyst/ghcr-pull-secret.yaml). Charts were
referencing ghcr-pull-secret (wrong name), causing ImagePullBackOff
on all Catalyst pods on every new Sovereign.

Runtime hotfix applied to otech22: both ghcr-pull and ghcr-pull-secret
propagated to 33 namespaces via kubectl; non-Running pods bounced.

Co-authored-by: hatiyildiz <hatiyildiz@openova.io>
2026-05-02 12:17:51 +04:00

apiVersion: v2
name: bp-reflector
version: 1.0.0
description: |
  Catalyst-curated Blueprint umbrella chart for emberstack/reflector.
  Reflector mirrors Kubernetes Secrets and ConfigMaps across namespaces
  by watching for reflector.v1.k8s.emberstack.com/* annotations on the
  source resource. On every Sovereign, flux-system/ghcr-pull carries
  these annotations so it auto-mirrors to every namespace, eliminating
  the ImagePullBackOff surface that was caused by cross-namespace secret
  propagation gaps (issue #543).
  dependsOn: bp-flux (03) — must be slot 05a to land after sealed-secrets
  and before spire.
type: application
keywords: [catalyst, blueprint, reflector, secret-mirror]
maintainers:
  - name: OpenOva Catalyst
    email: catalyst@openova.io
# Upstream chart pulled in as a Helm subchart so `helm dependency build`
# bundles it into the OCI artifact. Pinned to reflector 7.1.288 (latest
# stable as of 2026-05). Per INVIOLABLE-PRINCIPLES.md #4 (never hardcode)
# the version is operator-bumpable via PR + Blueprint release.
dependencies:
  - name: reflector
    version: "7.1.288"
    repository: "https://emberstack.github.io/helm-charts"
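
The root cause named in the commit message (charts referencing ghcr-pull-secret while the Secret is called ghcr-pull) is the kind of drift a pre-merge check can catch. The following is an added example, not code from this repository: a scanner that reports every literal imagePullSecrets name that differs from the canonical one. The function names and the sample manifests are assumptions constructed for illustration.

```python
import re

CANONICAL = "ghcr-pull"  # Secret name the commit message calls canonical
KEY = re.compile(r"^(\s*)imagePullSecrets:\s*(.*)$")
NAME = re.compile(r"name:\s*[\"']?([^\s\"'}\],]+)")

def pull_secret_refs(text):
    """Yield (line_no, name) per imagePullSecrets entry. Line-based on purpose:
    unrendered Helm templates contain {{ ... }} and do not parse as YAML."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = KEY.match(lines[i])
        i += 1
        if not m:
            continue
        indent, inline = len(m.group(1)), m.group(2).split("#")[0].strip()
        if inline:  # flow style: imagePullSecrets: [{name: x}]
            yield from ((i, n) for n in NAME.findall(inline))
            continue
        while i < len(lines):  # block style: read items until a sibling key
            line = lines[i]
            cur = len(line) - len(line.lstrip())
            is_item = line.lstrip().startswith("-")
            if line.strip() and (cur < indent or (cur == indent and not is_item)):
                break
            yield from ((i + 1, n) for n in NAME.findall(line))
            i += 1

def mismatches(manifests, canonical=CANONICAL):
    """Sorted (path, line_no, name) for literal refs that differ from canonical.
    Templated names ({{ ... }}) are skipped; check those after `helm template`."""
    return sorted((path, ln, name)
                  for path, text in manifests.items()
                  for ln, name in pull_secret_refs(text)
                  if name != canonical and not name.startswith("{"))

# Constructed sample manifests (not the repository's actual files).
SAMPLE = {
    "api-deployment.yaml": "spec:\n  template:\n    spec:\n      imagePullSecrets:\n"
                           "        - name: ghcr-pull-secret\n      containers:\n"
                           "        - name: api\n",
    "ui-deployment.yaml": "spec:\n  imagePullSecrets:\n  - name: ghcr-pull\n"
                          "  containers:\n  - name: ui\n",
}

if __name__ == "__main__":
    for path, ln, name in mismatches(SAMPLE):
        print(f"{path}:{ln}: imagePullSecrets name {name!r} != {CANONICAL!r}")
```

A non-empty result from mismatches() can be used to fail the check before the chart version is bumped.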