Cold Sovereign on prov #22 (e2fc1004362ce765) hit terminal HR FAILED
on bp-powerdns: post-install hook Job DeadlineExceeded after 5m, Helm
hook reported `post-install: timed out waiting for the condition`,
HelmRelease retried 4x then went terminal.

Root cause: zoneBootstrap.activeDeadlineSeconds default of 300s was
shorter than the time bp-cnpg needed to synthesise the `pdns-pg-app`
Secret on a cold k3s control plane. The powerdns Pod was not Ready,
curl against http://powerdns:8081 inside the Job kept failing under
backoffLimit=6, and the 5-minute Job-level deadline killed it.

Canonical seam: chart values.yaml (the Job spec consumes
{{ .Values.zoneBootstrap.activeDeadlineSeconds }} via the existing
templated knob — no new template plumbing required, principle 18 met).

Fix: raise default 300s -> 840s (14m). Sits below the HR install.timeout
of 15m in clusters/_template/bootstrap-kit/11-powerdns.yaml, so a true
chart failure still surfaces via Flux's own remediation path rather
than wedging on a Helm wait that outlives its outer wrapper.

Chart bump: 1.2.1 -> 1.2.2. _template HR pinned to 1.2.2 with a comment
explaining the prov-#22 incident.

Per-Sovereign HR files (clusters/omantel.omani.works/, otech.omani.works/)
remain pinned to 1.1.5 — pre-existing drift, not in scope here. New
Sovereign provisioning reads from the _template path.

Same fix family as #127, #131, #143 (HR/Job timeout-ladder alignment
where a downstream Job's deadline must fit inside its HR wrapper cap).

## Claimed TCs
- prov-22-bp-powerdns-hr-ready
- prov-22-zone-bootstrap-job-completes-cold-cnpg

Co-authored-by: e3mrah <1234567+e3mrah@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>