openova/platform/matrix/chart/values.yaml
e3mrah 782d8015c5
feat(charts): bp-openmeter (CH-less) + bp-livekit + bp-matrix wrapper charts (closes #272 #273 #274) (#289)
W2.5.F — three Catalyst Blueprint umbrella charts at platform/{openmeter,
livekit,matrix}/, each declaring its upstream chart under Chart.yaml
`dependencies:` so `helm dependency build` bundles the upstream payload
into the published OCI artifact (per docs/BLUEPRINT-AUTHORING.md §11.1
— hollow charts forbidden, CI-enforced by issue #181).

Per-chart kind summary
======================

bp-openmeter (closes #272)
  default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
  upstream chart: openmeter 1.0.0-beta.213 (oci://ghcr.io/openmeterio/helm-charts)

  ClickHouse-less profile per docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §6.4.
  The upstream chart's bundled clickhouse / kafka / postgresql / redis /
  svix subcharts are all DISABLED — Catalyst supplies CNPG (postgres),
  JetStream (event bus), and Valkey (redis-compat) at the platform tier.
  Chart-level toggle `catalystBlueprint.backend.kind` (default `cnpg`,
  alt `clickhouse`) records the active profile so observability/audit
  pipelines can report it. The OpenMeter binary's
  `aggregation.clickhouse.address` is left blank — per-Sovereign overlay
  supplies it once a host cluster adds bp-clickhouse and the operator
  re-rolls with `backend.kind: clickhouse`. Catalyst overlay templates
  (NetworkPolicy / ServiceMonitor / HPA) all default OFF per
  docs/BLUEPRINT-AUTHORING.md §11.2.

bp-livekit (closes #273)
  default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
  upstream chart: livekit-server 1.9.0 (https://helm.livekit.io)

  WebRTC SFU. Powers the Huawei iFlytek voice demo. Catalyst defaults
  pair LiveKit with bp-stunner (the upstream chart's bundled co-located
  TURN server is OFF; per-Sovereign overlay points the LiveKit TURN
  config at the stunner UDP-gateway Service). RTC UDP port range is
  50000-60000 (matches the Hetzner firewall rule the per-Sovereign
  overlay opens). Catalyst overlay templates (NetworkPolicy /
  ServiceMonitor / HPA) all default OFF; the chart's NetworkPolicy
  template documents that LiveKit's hostNetwork mode means pod-level
  policies do NOT cover the SFU port range — the firewall rule is the
  load-bearing control. blueprint.yaml `depends:` declares bp-stunner +
  bp-cert-manager + bp-valkey.

bp-matrix (closes #274)
  default `helm template` kinds: ConfigMap, Deployment, Ingress, Job,
  PersistentVolumeClaim, Pod, Role, RoleBinding, Secret, Service,
  ServiceAccount
  upstream chart: matrix-synapse 3.12.25 (https://ananace.gitlab.io/charts)

  Synapse (the Matrix server implementation, NOT the retired OpenOva
  product noun). Federation OFF by default (Catalyst per-Sovereign
  tenancy default — operator overlays flip it on per-Organization).
  Postgres backend via bp-cnpg externalPostgresql; OIDC SSO via
  bp-keycloak; bundled bitnami postgresql + redis subcharts both
  disabled. Catalyst overlay NetworkPolicy gates the federation port
  (8448) on `federation.enabled` — verified by Case 5 of the
  observability-toggle test. Catalyst-overlay ServiceMonitor (upstream
  chart has none) + HPA both default OFF.

Lint
====
All three charts pass `helm lint` clean (only the noisy "icon is
recommended" INFO message).

Observability tests
===================
Each chart's `tests/observability-toggle.sh` enforces the Catalyst
contract from docs/BLUEPRINT-AUTHORING.md §11.2:
  Case 1: default render produces zero monitoring.coreos.com/v1
          resources (no ServiceMonitor / PrometheusRule).
  Case 2: opt-in (--set serviceMonitor.enabled=true --api-versions
          monitoring.coreos.com/v1) renders a ServiceMonitor.
  Case 3: explicit-off render is clean.
  Case 4 (per chart):
    - openmeter: ClickHouse-less profile asserts no
      clickhouse.altinity.com / Kafka subchart resources leak into the
      default render.
    - livekit:   asserts upstream livekit-server.serviceMonitor.create
      defaults false.
    - matrix:    asserts default render carries an empty
      federation_domain_whitelist (the per-Sovereign tenancy default).
  Case 5 (matrix only): `--set federation.enabled=true networkPolicy
          .enabled=true` opens port 8448 in the Catalyst NetworkPolicy.

All gates green for all three charts.

Closes #272 #273 #274

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-04-30 19:37:28 +04:00

# Catalyst Blueprint umbrella metadata — the upstream matrix-synapse
# chart is resolved as a Helm subchart via Chart.yaml `dependencies:`.
# This values.yaml carries:
#   1. The catalystBlueprint metadata block (provenance + version) so
#      observability/audit pipelines can inspect the artifact.
#   2. The upstream subchart values overlay under the `matrix-synapse:`
#      key (umbrella-chart convention — the dependency name from
#      Chart.yaml is the values namespace).
#   3. Catalyst-overlay knobs (networkPolicy, serviceMonitor, hpa) — all
#      DEFAULT OFF per docs/BLUEPRINT-AUTHORING.md §11.2.
#
# Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode), every operationally-
# meaningful value is configurable; cluster overlays in clusters/<sovereign>/
# may override any of these without rebuilding the Blueprint OCI artifact.
catalystBlueprint:
  upstream:
    chart: matrix-synapse
    version: "3.12.25"
    repo: "https://ananace.gitlab.io/charts"

# ─── Upstream chart values (subchart key: matrix-synapse) ────────────────
# `helm dependency build` resolves the upstream as a subchart; values here
# under the `matrix-synapse:` key flow into that subchart unchanged.
matrix-synapse:
  image:
    repository: ghcr.io/element-hq/synapse
    pullPolicy: IfNotPresent

  # ─── Server identity ───────────────────────────────────────────────────
  # Per-Sovereign overlay supplies the actual hostname (typically
  # chat.<sovereign-fqdn>). Default placeholder so `helm template` smoke
  # renders without `--set` — operator overrides via per-Sovereign
  # overlay. Per docs/INVIOLABLE-PRINCIPLES.md #4 nothing is hardcoded.
  serverName: "matrix.example.local"
  publicServerName: "matrix.example.local"

  # Signing-key job — generates Synapse's federation signing key on
  # first install. Catalyst's per-Sovereign tenancy default keeps
  # federation OFF, but Synapse still requires a signing key for
  # internal cryptographic operations. Operator overlays can supply an
  # `existingSecret` to preserve the key across re-rolls.
  signingkey:
    job:
      enabled: true
      existingSecret: ""

  # ─── Federation — OFF by default (per-Sovereign tenancy) ───────────────
  # The upstream chart does not expose a top-level `federation.enabled`
  # toggle; federation is gated by:
  #   - whether the chart-rendered ingress includes the federation port,
  #   - whether `extraConfig.federation_domain_whitelist` is set,
  #   - whether the homeserver.yaml `disable_federation: true` knob is
  #     supplied via `extraConfig`.
  # Catalyst's wrapper supplies the OFF posture via `extraConfig` below;
  # operator overlays delete the override (or supply a domain whitelist)
  # to enable federation per-Organization.
  extraConfig:
    # Catalyst per-Sovereign tenancy default — federation OFF.
    federation_domain_whitelist: []
    # Local-account registration OFF — Catalyst standard is OIDC-only
    # accounts (registration handled in Keycloak).
    enable_registration: false
    enable_registration_without_verification: false

  # ─── Postgres backend — bp-cnpg (external) ─────────────────────────────
  # Disable the bundled bitnami/postgresql; route Synapse at the bp-cnpg
  # Cluster CR via `externalPostgresql`. Per-Sovereign overlay supplies
  # the actual host + ExternalSecret holding the password.
  postgresql:
    enabled: false
  externalPostgresql:
    host: "matrix-postgres-rw.matrix.svc.cluster.local"
    port: 5432
    username: "synapse"
    database: "synapse"
    # Operator-supplied ExternalSecret holding the postgres password.
    # Default is a placeholder name so the upstream chart's `required`
    # password validation is satisfied at `helm template` smoke render
    # time. The per-Sovereign overlay supplies the real ExternalSecret
    # name (e.g. "matrix-postgres-credentials") at install time. Per
    # docs/INVIOLABLE-PRINCIPLES.md #4 nothing is hardcoded — the
    # placeholder is operator-replaceable.
    existingSecret: "matrix-postgres-credentials"
    existingSecretPasswordKey: "password"
    sslmode: "require"

  # ─── Redis (signaling-state for workers) ───────────────────────────────
  # Bundled redis OFF — Catalyst routes at bp-valkey when workers are
  # enabled. Default solo-Sovereign topology has no workers, so no
  # Redis is required.
  redis:
    enabled: false
  externalRedis:
    enabled: false
    host: "valkey-primary.valkey.svc.cluster.local"
    port: 6379
    existingSecret: ""  # e.g. "matrix-redis-credentials"

  # ─── Persistence ───────────────────────────────────────────────────────
  # Synapse media repository — local PVC. Multi-tenant overlays MAY
  # swap to bp-seaweedfs S3-backed media storage via the upstream
  # chart's `media` config block.
  persistence:
    enabled: true
    size: 10Gi

  # ─── Ingress — Catalyst standard ───────────────────────────────────────
  # The upstream chart renders an Ingress when `ingress.enabled: true`.
  # Per-Sovereign overlay supplies csHosts (chat.<sovereign-fqdn>) +
  # ClusterIssuer annotations. Default placeholder hosts so `helm
  # template` smoke renders without `--set`.
  ingress:
    enabled: true
    annotations: {}
    csHosts: []  # operator-supplied (e.g. ["chat.<sovereign-fqdn>"])
    hosts: []
    wkHosts: []
    tls: []

  # ─── Synapse main pod ──────────────────────────────────────────────────
  synapse:
    replicaCount: 1
    resources:
      requests:
        cpu: 200m
        memory: 512Mi
      limits:
        memory: 2Gi

  # ─── Workers (sharding) — DEFAULT OFF ──────────────────────────────────
  # Solo-Sovereign baseline runs Synapse monolithic. Multi-tenant
  # overlays enable workers (and consequently bp-valkey for inter-worker
  # signaling). Per docs/BLUEPRINT-AUTHORING.md §11.2 — DEFAULT OFF.
  workers:
    generic_worker:
      enabled: false
    federation_sender:
      enabled: false
    media_repository:
      enabled: false

  # ─── ServiceMonitor — upstream chart does NOT publish one ──────────────
  # The Catalyst-overlay ServiceMonitor lives in templates/servicemonitor
  # .yaml (gated by .Values.serviceMonitor.enabled, default false). The
  # upstream chart sets prometheus.io/scrape annotations on the metrics
  # port; the Catalyst overlay turns those into a proper ServiceMonitor.

# ─── Catalyst-overlay knobs (consumed by templates/ in this chart) ───────
# All DEFAULT OFF per docs/BLUEPRINT-AUTHORING.md §11.2.

# Catalyst-side OIDC config — applied via the upstream chart's
# `extraConfig.oidc_providers` block at install time. Operator's
# per-Sovereign overlay supplies the actual issuer URL + ExternalSecret
# holding the client secret. Default OFF until operator wires Keycloak.
oidc:
  enabled: true
  idpId: "keycloak"
  idpName: "Keycloak"
  issuer: ""  # operator-supplied (e.g. https://keycloak.<loc>.<sovereign-domain>/realms/<org>)
  clientId: "matrix-synapse"
  scopes: ["openid", "profile", "email"]
  # ExternalSecret name carrying client_secret. Required key:
  # OIDC_CLIENT_SECRET. Operator-supplied.
  existingSecret: ""  # e.g. "matrix-oidc-credentials"

# Federation toggle — Catalyst-overlay marker. The actual federation
# behaviour is gated by upstream chart values + the homeserver.yaml
# config block; this knob is the documentation-level switch operators
# flip when enabling per-Organization federation. DEFAULT FALSE per
# Catalyst per-Sovereign tenancy.
federation:
  enabled: false

# Element-Web client — separate Application Blueprint (bp-element-web,
# slot 47). This block is a documentation-level pointer the per-
# Sovereign overlay reads when wiring chat-web.<sovereign-fqdn>.
elementWeb:
  enabled: true
  hostHint: "chat-web.<sovereign-fqdn>"

# NetworkPolicy — locks the synapse pods down to the minimum egress /
# ingress required (kube-dns, cnpg, keycloak, ingress). Default off —
# operator opts in via per-Sovereign overlay once consumer namespaces
# are known. Per docs/INVIOLABLE-PRINCIPLES.md #4 every selector /
# namespace label / port is operator-tunable.
networkPolicy:
  enabled: false
  cnpgNamespace: "cnpg"
  cnpgPort: 5432
  keycloakNamespace: "keycloak"
  keycloakPort: 8443
  ingressNamespace: "traefik"
  # Federation port (only used when federation.enabled=true) — Synapse
  # listens on 8448 for inbound federation traffic.
  federationPort: 8448
  # Synapse client API port.
  clientPort: 8008

# ServiceMonitor — Catalyst-overlay variant. The upstream chart does
# NOT publish a ServiceMonitor template; this Catalyst-side template is
# the only path for Prometheus scraping. Per docs/BLUEPRINT-AUTHORING.md
# §11.2 — DEFAULT OFF.
serviceMonitor:
  enabled: false
  interval: "30s"
  scrapeTimeout: "10s"
  path: "/_synapse/metrics"
  labels: {}

# HorizontalPodAutoscaler for the Synapse main Deployment. Default OFF.
# Solo-Sovereign baseline runs Synapse monolithic with replicaCount: 1.
# Multi-tenant overlays enable workers + HPA when room/event throughput
# warrants. Per docs/BLUEPRINT-AUTHORING.md §11.2 — DEFAULT OFF.
hpa:
  enabled: false
  minReplicas: 1
  maxReplicas: 4
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80
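The commit message describes a per-chart `tests/observability-toggle.sh` that checks the rendered manifests (Cases 1 to 3 for the ServiceMonitor opt-in, Case 5 for the 8448 federation gate in the Catalyst NetworkPolicy), and the `serviceMonitor` / `networkPolicy` / `federation` knobs above are what those cases toggle. The following is an added example, not code from the openova repository or the shell test it describes: it expresses the same contract as Python checks over rendered Kubernetes manifests so the gate logic can be exercised offline. The `render_chart` helper, the release name `release`, and the sample manifests are assumptions constructed here; the port numbers 8008 and 8448 and the `monitoring.coreos.com/v1` group come from the page.

```python
"""Offline checks for the Catalyst observability / federation toggle contract.

Added example (not the project's own test): encodes Cases 1, 2, 3 and 5 of
the observability-toggle test as functions over parsed manifest documents.
"""
import subprocess

MONITORING_GROUP = "monitoring.coreos.com/"   # Case 1-3: must be absent by default
CLIENT_PORT = 8008                            # networkPolicy.clientPort on the page
FEDERATION_PORT = 8448                        # networkPolicy.federationPort on the page


def render_chart(chart_dir, set_values=(), api_versions=()):
    """Run `helm template` and parse its multi-document output (assumed
    helper; needs helm and PyYAML installed, so it is not used offline)."""
    import yaml  # third-party; imported lazily so the checks stay stdlib-only
    cmd = ["helm", "template", "release", chart_dir]
    for kv in set_values:
        cmd += ["--set", kv]
    for av in api_versions:
        cmd += ["--api-versions", av]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return [doc for doc in yaml.safe_load_all(out) if doc]


def monitoring_resources(docs):
    """All documents whose apiVersion belongs to the Prometheus-operator group."""
    return [d for d in docs if str(d.get("apiVersion", "")).startswith(MONITORING_GROUP)]


def check_monitoring_free(docs):
    """Case 1 (default render) and Case 3 (explicit off): zero monitoring CRs."""
    return monitoring_resources(docs) == []


def check_servicemonitor_rendered(docs):
    """Case 2: opting in with serviceMonitor.enabled=true yields a ServiceMonitor."""
    return any(d.get("kind") == "ServiceMonitor" for d in monitoring_resources(docs))


def ingress_ports(policy):
    """Numeric ingress ports opened by a NetworkPolicy (named ports are ignored)."""
    ports = set()
    for rule in policy.get("spec", {}).get("ingress") or []:
        for entry in rule.get("ports") or []:
            port = entry.get("port")
            if isinstance(port, int):
                ports.add(port)
    return ports


def check_federation_gate(docs, federation_enabled):
    """Case 5: port 8448 is open in the NetworkPolicy exactly when federation is
    enabled. A policy that leaks 8448 with federation off fails, and so does a
    render with no NetworkPolicy at all (nothing is enforcing the gate)."""
    policies = [d for d in docs if d.get("kind") == "NetworkPolicy"]
    if not policies:
        return False
    opened = any(FEDERATION_PORT in ingress_ports(p) for p in policies)
    return opened == federation_enabled


# --- constructed sample manifests (stand-ins for `helm template` output) ---
SYNAPSE_SERVICE = {"apiVersion": "v1", "kind": "Service",
                   "metadata": {"name": "release-matrix-synapse"}}
SERVICE_MONITOR = {"apiVersion": "monitoring.coreos.com/v1", "kind": "ServiceMonitor",
                   "metadata": {"name": "release-matrix-synapse"},
                   "spec": {"endpoints": [{"path": "/_synapse/metrics", "interval": "30s"}]}}


def sample_network_policy(open_federation_port):
    """Constructed Catalyst-style NetworkPolicy: client port always, 8448 optional."""
    ports = [{"protocol": "TCP", "port": CLIENT_PORT}]
    if open_federation_port:
        ports.append({"protocol": "TCP", "port": FEDERATION_PORT})
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "release-matrix-synapse"},
            "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "matrix-synapse"}},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"ports": ports}]}}


def run_all_cases():
    """Evaluate every case against the constructed renders; all should be True."""
    default_render = [SYNAPSE_SERVICE]
    opt_in_render = [SYNAPSE_SERVICE, SERVICE_MONITOR]
    return {
        "case1_default_clean": check_monitoring_free(default_render),
        "case2_opt_in_servicemonitor": check_servicemonitor_rendered(opt_in_render),
        "case3_explicit_off_clean": check_monitoring_free(default_render),
        "case5_federation_on_opens_8448":
            check_federation_gate([SYNAPSE_SERVICE, sample_network_policy(True)], True),
        "case5_federation_off_keeps_8448_closed":
            check_federation_gate([SYNAPSE_SERVICE, sample_network_policy(False)], False),
    }


if __name__ == "__main__":
    for name, ok in run_all_cases().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Against a real chart the same functions take `render_chart("platform/matrix/chart", ["serviceMonitor.enabled=true"], ["monitoring.coreos.com/v1"])` in place of the constructed lists; the gate check deliberately fails when no NetworkPolicy is present, so an overlay that forgets `networkPolicy.enabled=true` is caught rather than silently passing.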