openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 11 Packages Projects Releases Wiki Activity
f18dd8df19
openova/platform/livekit/blueprint.yaml
e3mrah 782d8015c5
feat(charts): bp-openmeter (CH-less) + bp-livekit + bp-matrix wrapper charts (closes #272 #273 #274) (#289) 
W2.5.F — three Catalyst Blueprint umbrella charts at platform/{openmeter,
livekit,matrix}/, each declaring its upstream chart under Chart.yaml
`dependencies:` so `helm dependency build` bundles the upstream payload
into the published OCI artifact (per docs/BLUEPRINT-AUTHORING.md §11.1
— hollow charts forbidden, CI-enforced by issue #181).

Per-chart kind summary
======================

bp-openmeter (closes #272)
  default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
  upstream chart: openmeter 1.0.0-beta.213 (oci://ghcr.io/openmeterio/helm-charts)

  ClickHouse-less profile per docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §6.4.
  The upstream chart's bundled clickhouse / kafka / postgresql / redis /
  svix subcharts are all DISABLED — Catalyst supplies CNPG (postgres),
  JetStream (event bus), and Valkey (redis-compat) at the platform tier.
  Chart-level toggle `catalystBlueprint.backend.kind` (default `cnpg`,
  alt `clickhouse`) records the active profile so observability/audit
  pipelines can report it. The OpenMeter binary's
  `aggregation.clickhouse.address` is left blank — per-Sovereign overlay
  supplies it once a host cluster adds bp-clickhouse and the operator
  re-rolls with `backend.kind: clickhouse`. Catalyst overlay templates
  (NetworkPolicy / ServiceMonitor / HPA) all default OFF per
  docs/BLUEPRINT-AUTHORING.md §11.2.

bp-livekit (closes #273)
  default `helm template` kinds: ConfigMap, Deployment, Service, ServiceAccount
  upstream chart: livekit-server 1.9.0 (https://helm.livekit.io)

  WebRTC SFU. Powers the Huawei iFlytek voice demo. Catalyst defaults
  pair LiveKit with bp-stunner (the upstream chart's bundled co-located
  TURN server is OFF; per-Sovereign overlay points the LiveKit TURN
  config at the stunner UDP-gateway Service). RTC UDP port range is
  50000-60000 (matches the Hetzner firewall rule the per-Sovereign
  overlay opens). Catalyst overlay templates (NetworkPolicy /
  ServiceMonitor / HPA) all default OFF; the chart's NetworkPolicy
  template documents that LiveKit's hostNetwork mode means pod-level
  policies do NOT cover the SFU port range — the firewall rule is the
  load-bearing control. blueprint.yaml `depends:` declares bp-stunner +
  bp-cert-manager + bp-valkey.

bp-matrix (closes #274)
  default `helm template` kinds: ConfigMap, Deployment, Ingress, Job,
  PersistentVolumeClaim, Pod, Role, RoleBinding, Secret, Service,
  ServiceAccount
  upstream chart: matrix-synapse 3.12.25 (https://ananace.gitlab.io/charts)

  Synapse (the Matrix server implementation, NOT the retired OpenOva
  product noun). Federation OFF by default (Catalyst per-Sovereign
  tenancy default — operator overlays flip it on per-Organization).
  Postgres backend via bp-cnpg externalPostgresql; OIDC SSO via
  bp-keycloak; bundled bitnami postgresql + redis subcharts both
  disabled. Catalyst overlay NetworkPolicy gates the federation port
  (8448) on `federation.enabled` — verified by Case 5 of the
  observability-toggle test. Catalyst-overlay ServiceMonitor (upstream
  chart has none) + HPA both default OFF.

Lint
====
All three charts pass `helm lint` clean (only the noisy "icon is
recommended" INFO message).

Observability tests
===================
Each chart's `tests/observability-toggle.sh` enforces the Catalyst
contract from docs/BLUEPRINT-AUTHORING.md §11.2:
  Case 1: default render produces zero monitoring.coreos.com/v1
          resources (no ServiceMonitor / PrometheusRule).
  Case 2: opt-in (--set serviceMonitor.enabled=true --api-versions
          monitoring.coreos.com/v1) renders a ServiceMonitor.
  Case 3: explicit-off render is clean.
  Case 4 (per chart):
    - openmeter: ClickHouse-less profile asserts no
      clickhouse.altinity.com / Kafka subchart resources leak into the
      default render.
    - livekit:   asserts upstream livekit-server.serviceMonitor.create
      defaults false.
    - matrix:    asserts default render carries an empty
      federation_domain_whitelist (the per-Sovereign tenancy default).
  Case 5 (matrix only): `--set federation.enabled=true networkPolicy
          .enabled=true` opens port 8448 in the Catalyst NetworkPolicy.

All gates green for all three charts.

Closes #272 #273 #274

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-04-30 19:37:28 +04:00

113 lines
3.8 KiB
YAML
Raw Blame History

apiVersion: catalyst.openova.io/v1alpha1
kind: Blueprint
metadata:
name: bp-livekit
labels:
catalyst.openova.io/category: application
catalyst.openova.io/section: pts-4-5-communication
spec:
version: 1.0.0
card:
title: LiveKit
summary: |
WebRTC SFU for real-time video, audio, and data. Powers the
Huawei iFlytek voice demo and any Application that needs
sub-second media routing. Pairs with bp-stunner for K8s-native
TURN/STUN — Catalyst routes LiveKit's TURN config at the stunner
Service so SFU traffic survives the host cluster's NAT
boundary. Hetzner firewall opens UDP 50000-60000 (LiveKit's RTC
port range) per the operator's per-Sovereign overlay.
icon: livekit.svg
category: application
tags: [webrtc, sfu, video, audio, communication, application]
documentation: https://docs.livekit.io
license: Apache-2.0
visibility: listed
owner:
team: platform
contact: platform@openova.io
configSchema:
type: object
properties:
keys:
type: object
description: |
LiveKit API keys (`<api_key>: <api_secret>` pairs). For
production overlays use `storeKeysInSecret.existingSecret`
to project an ExternalSecret instead of inlining values
here. Per docs/INVIOLABLE-PRINCIPLES.md #4 nothing is
hardcoded — the wrapper ships an empty map and operator
overlays inject the secret reference.
rtc:
type: object
properties:
portRangeStart:
type: integer
default: 50000
description: |
Start of the UDP port range LiveKit binds for RTC
traffic. Must match the Hetzner firewall rule the
per-Sovereign overlay opens.
portRangeEnd:
type: integer
default: 60000
description: |
End of the UDP port range LiveKit binds for RTC
traffic. Must match the Hetzner firewall rule the
per-Sovereign overlay opens.
stunner:
type: object
properties:
enabled:
type: boolean
default: true
description: |
Route TURN/STUN through bp-stunner instead of running a
co-located TURN server. Catalyst standard.
gatewayService:
type: string
default: "udp-gateway.stunner.svc.cluster.local:3478"
description: |
Cluster-internal endpoint of the stunner UDP-gateway
Service. Per docs/INVIOLABLE-PRINCIPLES.md #4 the
operator MAY override per-Sovereign.
tls:
type: object
properties:
issuerRef:
type: string
default: "letsencrypt-prod"
description: |
cert-manager ClusterIssuer name (per-Sovereign overlay
chooses staging vs prod).
serviceMonitor:
type: object
properties:
enabled:
type: boolean
default: false
description: |
monitoring.coreos.com/v1 ServiceMonitor — requires the
Prometheus Operator CRDs from kube-prometheus-stack.
Per docs/BLUEPRINT-AUTHORING.md §11.2 default false;
operator opts in via per-cluster overlay (issue #182).
placementSchema:
modes: [single-region]
default: single-region
minRegions: 1
maxRegions: 1
manifests:
chart: ./chart
depends:
- blueprint: bp-stunner # K8s-native TURN/STUN for NAT traversal
version: ^1
- blueprint: bp-cert-manager # ingress TLS via ClusterIssuer
version: ^1
- blueprint: bp-valkey # required when LiveKit runs >1 replica (signaling state)
version: ^1
upgrades:
from: ["0.x"]
observability:
metrics: prometheus
logs: stdout
Reference in New Issue View Git Blame Copy Permalink