openova/platform/wordpress-tenant
e3mrah 3e7284de45
fix(bp-wordpress-tenant): default-values smoke render must succeed (#800) (#814)
The Blueprint Release workflow runs `helm template <chart>` with NO
overrides as a smoke gate before publishing the OCI artifact. After
#800's initial merge (c141fcd1), that smoke step failed because
`smeDomain`, `keycloak.realmURL`, and `keycloak.clientSecretName`
used `required` calls or empty strings that produced render-time
errors:

  Error: execution error at (oidc-config-job.yaml:82:33):
    .Values.smeDomain or .Values.ingress.host MUST be set
    (no sensible default per INVIOLABLE-PRINCIPLES #4).

Fix: replace empty defaults with placeholder values
(`sme.local`, `https://auth.sme.local/realms/sme`,
`wordpress-oidc`) and remove the `required` template fences. Per-
Sovereign overlays MUST override these placeholders at install time;
the runtime `oidc-config` Job will surface a clear failure if they
remain on the placeholder (Keycloak realm URL won't resolve). This
matches the trade-off INVIOLABLE-PRINCIPLES #4 calls out — operator-
configurable values, no production-safe defaults, but smoke-render
still passes.

Verified:
  - `helm template smoke .` (no overrides) → 812 lines, 11 K8s
    resources rendered cleanly.
  - `helm template smoke . --set smeDomain=... --api-versions
    postgresql.cnpg.io/v1 ...` → 12 resources including the CNPG
    Cluster, with all wordpress images SHA-pinned to
    sha256:054e611...196.
  - chart/tests/observability-toggle.sh both cases PASS.
  - `helm lint` only the cosmetic icon-recommended INFO note.

Refs: #800

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-05-04 22:19:40 +04:00
chart fix(bp-wordpress-tenant): default-values smoke render must succeed (#800) (#814) 2026-05-04 22:19:40 +04:00
blueprint.yaml feat(bp-wordpress-tenant): turnkey SSO-wired WordPress per SME (#800) (#811) 2026-05-04 22:13:32 +04:00
README.md feat(bp-wordpress-tenant): turnkey SSO-wired WordPress per SME (#800) (#811) 2026-05-04 22:13:32 +04:00

platform/wordpress-tenant

Catalyst Blueprint that provisions a turnkey, SSO-pre-wired WordPress instance per SME tenant inside the SME's vcluster. Part of the #795 SME-tenant turnkey experience epic, ticket #800 (SME-5).

What's here

| Path | Contents |
| --- | --- |
| blueprint.yaml | Catalyst Blueprint metadata (configSchema, depends, placementSchema) |
| chart/ | Helm chart bp-wordpress-tenant v0.1.0 — see chart/README.md |
| chart/templates/ | Deployment, Service, Ingress, PVC, CNPG Cluster, NetworkPolicy, ServiceAccount + 3 post-install Jobs (db-secret-sync, oidc-config, admin-user) |
| chart/tests/ | observability-toggle.sh (per #182) |

Operator install

helm install acme-wordpress oci://ghcr.io/openova-io/bp-wordpress-tenant \
  --version 0.1.0 \
  --namespace sme-acme \
  --set smeDomain=acme.otech31.omani.works \
  --set keycloak.realmURL=https://auth.acme.otech31.omani.works/realms/sme \
  --set keycloak.clientSecretName=wordpress-oidc \
  --set adminUser.email=admin@acme.com

The Sovereign's tenant-provisioning pipeline (#804) wires this Helm release into a Flux HelmRelease per SME, registers the OIDC client in the SME realm, seals the client secret into wordpress-oidc, and renders the per-SME values overlay.
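
Because the chart now renders with placeholder defaults (`sme.local`, `https://auth.sme.local/realms/sme`) instead of failing on `required`, a pipeline can catch a missed override before install rather than waiting for the `oidc-config` Job to fail. The following is an added example, not part of this repository: `placeholder_findings` is a hypothetical helper that takes the merged values as a dict, and the https requirement is an assumption.

```python
import json
from urllib.parse import urlsplit

# Placeholder defaults named in the commit message on this page.
PLACEHOLDER_DOMAIN = "sme.local"
PLACEHOLDER_REALM_URL = "https://auth.sme.local/realms/sme"


def _under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def placeholder_findings(values):
    """Return problems found in a merged Helm values dict (empty list = OK)."""
    findings = []
    domain = str(values.get("smeDomain") or "")
    keycloak = values.get("keycloak") or {}
    realm_url = str(keycloak.get("realmURL") or "")
    parts = urlsplit(realm_url)
    host = parts.hostname or ""

    if not domain or _under(domain, PLACEHOLDER_DOMAIN):
        findings.append(f"smeDomain unset or placeholder: {domain!r}")
    if not host or realm_url == PLACEHOLDER_REALM_URL or _under(host, PLACEHOLDER_DOMAIN):
        findings.append(f"keycloak.realmURL unset or placeholder: {realm_url!r}")
    elif parts.scheme != "https":  # assumption: realm must be reached over TLS
        findings.append(f"keycloak.realmURL is not https: {realm_url!r}")
    if not keycloak.get("clientSecretName"):
        findings.append("keycloak.clientSecretName is empty")
    return findings


# Constructed samples: chart defaults as the commit message describes them,
# and an overlay matching the install command in this README.
SAMPLE_DEFAULTS = {
    "smeDomain": "sme.local",
    "keycloak": {"realmURL": "https://auth.sme.local/realms/sme",
                 "clientSecretName": "wordpress-oidc"},
}
SAMPLE_OVERLAY = {
    "smeDomain": "acme.otech31.omani.works",
    "keycloak": {"realmURL": "https://auth.acme.otech31.omani.works/realms/sme",
                 "clientSecretName": "wordpress-oidc"},
}

if __name__ == "__main__":
    for name, vals in (("defaults", SAMPLE_DEFAULTS), ("overlay", SAMPLE_OVERLAY)):
        print(name, json.dumps(placeholder_findings(vals), indent=2))
```

The placeholder `clientSecretName` (`wordpress-oidc`) is the same name the install command uses, so only emptiness is checked for that key. For an installed release the input can come from `helm get values <release> --all -o json`.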

See also

  • chart/README.md — full value reference + boot sequence
  • docs/BLUEPRINT-AUTHORING.md §11 (umbrella shape, hollow-chart guard, observability toggles)
  • docs/INVIOLABLE-PRINCIPLES.md (no hardcoding, SHA-pinned images, target-state shape)
  • Issue #795 (epic), #800 (this Blueprint)