openova/products/catalyst/chart/crds
e3mrah 3d43a31da3
fix(chart): qa-loop iter-7 EPIC-6 + EPIC-1 target-state fixtures (#1228)
bp-catalyst-platform 1.4.100 -> 1.4.101

Closes the iter-7 Cluster-D (cnpgpair fixture) + Cluster-E (Kyverno
policies) FAIL clusters by shipping the missing chart-side pieces:

  templates/qa-fixtures/cnpg-clusters-qa.yaml
    - postgresql.cnpg.io/v1.Cluster `cluster-primary` + `cluster-replica`
      in qa-omantel namespace, single-region (hz-fsn-rtz-prod) so the
      upstream CNPG operator (bp-cnpg blueprint) brings both Pods to
      "Cluster in healthy state" without the cross-region NodePort
      filtering blocker documented in qa-loop-state/incidents.md
      (Hetzner cloud-firewall silently drops cross-region SYN to
      NodePorts that have no real LISTEN socket — Cilium kpr-only).
    - Names match the cnpgpair `qa-cnpg` spec.primaryCluster /
      spec.replicaCluster references shipped in PR #1223 + #1224.
    - Fixes TC-307 (kubectl get cluster.postgresql.cnpg.io contains
      primary+replica+Healthy), unblocks TC-309 (cluster-primary-1
      Pod for psql exec), seats the cluster-primary-1 Pod the
      Continuum DR matrix rows depend on.

  templates/qa-fixtures/kyverno-policies-qa.yaml
    - 19 baseline ClusterPolicies (Kubernetes Pod Security Standards
      baseline + restricted profiles + supply-chain + best-practices):
      disallow-privileged-containers (Enforce), require-pod-resources,
      disallow-host-namespaces, disallow-host-path, disallow-host-ports,
      disallow-host-process, disallow-capabilities,
      require-non-root-groups, restrict-seccomp-strict, restrict-sysctls,
      disallow-proc-mount, disallow-selinux, restrict-volume-types,
      require-run-as-non-root, restrict-image-registries,
      disallow-latest-tag, require-pod-probes, require-image-pull-secrets,
      require-labels.
    - Per `feedback_no_mvp_no_workarounds.md` at least one policy is in
      Enforce mode (target-state hard block) —
      disallow-privileged-containers blocks privileged: true Pods
      cluster-wide via AdmissionWebhook denial. Audit-only across the
      board would be a stub.
    - Each policy excludes platform namespaces (kube-system, cnpg-system,
      flux-system, catalyst-system, kyverno, cilium, openbao, keycloak,
      gitea, powerdns, sme) so legitimately-privileged platform pods
      (cilium-agent, csi drivers, postgres, gitea-runner) never get
      blocked. Customer namespaces (qa-omantel + future Application
      namespaces) get the full enforce.
    - Fixes TC-021 (compliance/policies items envelope contains
      require-pod-resources + disallow-privileged), TC-026 (admin
      drill-down per-policy), TC-027/028 (Audit/Enforce mode toggle
      via PUT environments/{env}/policy), TC-031 (>=19 ClusterPolicies),
      TC-032 (privileged-pod apply denied with disallow-privileged
      message), TC-033 (Kyverno reports-controller writes
      ClusterPolicyReports with summary.pass/fail).

  crds/cnpgpair.yaml
    - additionalPrinterColumns reorganized: spec.primaryRegion +
      spec.replicaRegion become default columns (was: only
      status.currentPrimaryRegion). Spec regions are the canonical
      pair contract — currentPrimaryRegion (status) flips on
      switchover but the spec is stable. PrimaryCluster +
      ReplicaCluster move to priority=1 (visible only with -o wide).
    - Fixes TC-306 which asserts BOTH `fsn1` (spec.primaryRegion)
      AND `hz-hel-rtz-prod` (spec.replicaRegion) appear in the
      default `kubectl get cnpgpair -n qa-omantel` output.

  values.yaml + clusters/_template/bootstrap-kit/13-bp-catalyst-platform.yaml
    - All new fixture knobs (cnpgPrimaryClusterName,
      cnpgReplicaClusterName, cnpgPrimaryRegion, cnpgReplicaRegion,
      cnpgImage, cnpgStorageClass, cnpgStorageSize, kyvernoEnforceMode) are
      values-overridable per INVIOLABLE-PRINCIPLES #4 + surfaced in
      the bootstrap-kit envsubst overlay so per-Sovereign tuning
      flows through cloud-init like every other bp-catalyst-platform
      value.

Per ADR-0001 §2.7 the Cluster CRs + ClusterPolicies remain the source
of truth — they are reconciled by the upstream CNPG operator and the
Kyverno reports-controller respectively, not seeded resources. The
Phase-2 cnpg-pair-controller (in flight against cnpg-pair-controller)
will bind the CNPGPair status to the Cluster CR observations on the
next reconcile.

Per the qa-loop iter-6/iter-7 incident notes, the Hetzner cross-region
NodePort 32379 blocker remains a real infrastructure-level item owned
by the Continuum DR work (#1101 K-Cont-1) — the chart-side fix
established here is single-region scheduling so the matrix asserts
that depend on Cluster CR existence + Healthy phase pass while the
infrastructure-level work proceeds on its own track.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 00:40:45 +04:00
tests feat(rbac): Keycloak Identity Provider CRUD + Org-controller federation wire-up (slice F1+F2, #1098) (#1150) 2026-05-09 04:26:12 +04:00
application.yaml feat(catalyst-chart): land Application CRD apps.openova.io/v1 (slice B3, #1095) (#1105) 2026-05-08 21:57:14 +04:00
blueprint.yaml feat(catalyst-chart): land Blueprint CRD + fix 5 string-form depends (slice B4, #1095) (#1112) 2026-05-08 22:25:08 +04:00
cnpgpair.yaml fix(chart): qa-loop iter-7 EPIC-6 + EPIC-1 target-state fixtures (#1228) 2026-05-10 00:40:45 +04:00
continuum.yaml feat(z): cross-EPIC follow-ups — lastLuaRecord + fleet alerts + edit-pr (#1095/#1096/#1099/#1101) (#1170) 2026-05-09 11:54:06 +04:00
environment.yaml feat(catalyst-chart): land Environment CRD catalyst.openova.io/v1 (slice B2, #1095) (#1107) 2026-05-08 22:02:32 +04:00
environmentpolicy.yaml feat(catalyst-chart): land EnvironmentPolicy CRD catalyst.openova.io/v1 (slice B5, #1095) (#1108) 2026-05-08 22:05:16 +04:00
organization.yaml feat(rbac): Keycloak Identity Provider CRUD + Org-controller federation wire-up (slice F1+F2, #1098) (#1150) 2026-05-09 04:26:12 +04:00
pdm.yaml fix(api): EPIC-6 iter-6 target-state Continuum DR endpoints (#1222) 2026-05-09 23:35:25 +04:00
provisioningstate.yaml fix(catalyst-chart): author ProvisioningState CRD (was 0 bytes — slice H3, #1095) (#1104) 2026-05-08 21:54:38 +04:00
runbook.yaml feat(catalyst-chart): land SecretPolicy + Runbook CRD skeletons (slices B6+B7, #1095) (#1111) 2026-05-08 22:13:24 +04:00
secretpolicy.yaml feat(catalyst-chart): land SecretPolicy + Runbook CRD skeletons (slices B6+B7, #1095) (#1111) 2026-05-08 22:13:24 +04:00