fix(catalyst-chart): propagate SMTP_USER/SMTP_PASS into notification Pod (TBD-X1) (#1915)

* fix(catalyst-chart): propagate SMTP_USER/SMTP_PASS into notification Pod (TBD-X1, Refs #1793)

Wave 35 SMTP diagnostic root cause: notification.yaml only mounted
SMTP_HOST / SMTP_PORT / SMTP_FROM from sme-secrets, so the Go net/smtp
client dialed Stalwart without authentication. Stalwart's submission
listener rejected every message with 503 5.5.1 "You must authenticate
first" -> the (pre-companion-PR) fixed-60s retry storm slammed the
relay 3x per message x 5 tenants and tripped Stalwart's
[5 requests, 1000ms] rate-limiter for every tenant on the same relay.

Fix is a one-symmetry-line with auth.yaml, which has consumed SMTP_USER
and SMTP_PASS from sme-secrets since chart 1.4.20 (issue #934). This
template was an oversight from the same change-set.

The canonical SMTP-credentials propagation chain is already in place
and unchanged here:

  mothership catalyst-openova-kc-credentials (key: smtp-user/smtp-pass)
    -> sovereign_smtp_seed.go SeedSovereignSMTPCredentials
       creates catalyst-system/sovereign-smtp-credentials on the new
       Sovereign (Phase-1, idempotent)
    -> sme-secrets.yaml lookup with source-wins precedence reads
       smtp-user / smtp-pass and emits SMTP_USER / SMTP_PASS keys in
       the per-tenant sme-secrets Secret
    -> auth.yaml AND (now, this PR) notification.yaml mount those
       two keys via secretKeyRef -> services-notification main.go reads
       SMTP_USER + SMTP_PASS via getEnv() -> buildAuth wires
       smtp.PlainAuth on every Send (companion PR services-notification
       smtp.go).

Chart version bump 1.4.186 -> 1.4.187 per chart-release discipline.

helm template test-render products/catalyst/chart \
  --set ingress.marketplace.enabled=true | grep SMTP_USER -A2
... shows both auth.yaml AND notification.yaml mount SMTP_USER from
sme-secrets keyed SMTP_USER (verified).

Companion PR: services-notification smtp.go upgrade to exponential
backoff + 3-in-90s circuit breaker so a future credential gap surfaces
loudly via ErrCircuitOpen and never restarts a rate-limiter storm.

Refs #1793

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(bootstrap-kit): bump bp-catalyst-platform pin 1.4.186 -> 1.4.187 (TBD-X1, Refs #1793)

Chart bump in the previous commit changed Chart.yaml version:
1.4.186 -> 1.4.187 (TBD-X1 SMTP_USER/SMTP_PASS wiring). The
pin-sync-audit CI step caught the lockstep drift -- bootstrap-kit
HelmRelease.spec.chart.spec.version MUST match the chart's
Chart.yaml version exactly (see clusters/_template/bootstrap-kit/
13-bp-catalyst-platform.yaml header comment + feedback_21_principles).

Refs #1793

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: hatiyildiz <claude@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
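The verification step in the message above (`helm template ... | grep SMTP_USER -A2`) checks two templates by eye. The following is an added example, not code from this repository or its chart, that generalizes that check into an audit over rendered or live Deployments: any container that sets `SMTP_HOST` must also source `SMTP_USER` and `SMTP_PASS` from a Secret via `secretKeyRef`, which is exactly the invariant notification.yaml violated. It assumes the standard Kubernetes Deployment JSON shape as emitted by `kubectl get deploy -A -o json`; the namespace, Deployment and Secret names in the sample are constructed for illustration.

```python
"""Audit Deployments for the SMTP credential symmetry this commit restores.

Invariant: a container that defines SMTP_HOST must also define SMTP_USER and
SMTP_PASS, each taken from a Secret through valueFrom.secretKeyRef (and not
marked optional, so a missing key fails at container creation, not at send).
Input is a kubectl '-o json' List object. Stdlib only.
"""
import json

TRIGGER_ENV = "SMTP_HOST"
REQUIRED_SECRET_ENV = ("SMTP_USER", "SMTP_PASS")


def env_index(container):
    """Map env var name -> env entry for one container spec."""
    return {e["name"]: e for e in container.get("env", [])}


def audit_deployment(deploy):
    """Return a list of findings (strings) for one Deployment object."""
    findings = []
    meta = deploy["metadata"]
    ident = f"{meta.get('namespace', 'default')}/{meta['name']}"
    pod_spec = deploy["spec"]["template"]["spec"]
    for c in pod_spec.get("containers", []):
        env = env_index(c)
        if TRIGGER_ENV not in env:
            continue  # this container does not talk SMTP; nothing to enforce
        for name in REQUIRED_SECRET_ENV:
            entry = env.get(name)
            where = f"{ident}/{c['name']}"
            if entry is None:
                findings.append(f"{where}: {name} missing")
                continue
            ref = entry.get("valueFrom", {}).get("secretKeyRef")
            if ref is None:
                findings.append(f"{where}: {name} not sourced from a Secret")
            elif ref.get("optional"):
                findings.append(f"{where}: {name} secretKeyRef is optional")
    return findings


def audit_list(deploy_list):
    """Audit every item in a kubectl '-o json' List; returns all findings."""
    out = []
    for item in deploy_list.get("items", []):
        out.extend(audit_deployment(item))
    return out


def _secret_env(name, secret="sme-secrets"):
    """Build a valueFrom.secretKeyRef env entry (sample-construction helper)."""
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": secret, "key": name}}}


def _deploy(ns, name, env):
    """Build a minimal Deployment object with one container (constructed)."""
    return {
        "metadata": {"namespace": ns, "name": name},
        "spec": {"template": {"spec": {"containers": [{"name": name, "env": env}]}}},
    }


# Constructed sample: auth is wired correctly; notification mirrors the
# pre-fix template (HOST/PORT/FROM only); api has no SMTP and is skipped.
SAMPLE = {"items": [
    _deploy("tenant-a", "auth", [_secret_env("SMTP_HOST"), _secret_env("SMTP_PORT"),
                                 _secret_env("SMTP_FROM"), _secret_env("SMTP_USER"),
                                 _secret_env("SMTP_PASS")]),
    _deploy("tenant-a", "notification", [_secret_env("SMTP_HOST"), _secret_env("SMTP_PORT"),
                                         _secret_env("SMTP_FROM")]),
    _deploy("tenant-a", "api", [{"name": "CORS_ORIGIN", "value": "https://example.invalid"}]),
]}


def run_sample():
    """Run the audit over the constructed sample and return its findings."""
    return audit_list(SAMPLE)


if __name__ == "__main__":
    # Real use: kubectl get deploy -A -o json | python3 smtp_env_audit.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for line in audit_list(data):
        print(line)
```

Run against live output with `kubectl get deploy -A -o json | python3 smtp_env_audit.py`; a non-empty result is a template that mounts SMTP_HOST without credentials, which is the class of drift grep on one rendered file will not surface across tenants.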
e3mrah 2026-05-19 10:38:29 +04:00 committed by GitHub
parent cbfb3adfbe
commit 84ebcbeacf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 43 additions and 2 deletions


@ -608,7 +608,7 @@ spec:
# during the YAML scanner break introduced by PR #1858 and fixed
# by PR #1866. Auto-bump-pin step didn't fire during the outage,
# so this pin lagged by 2 versions. Refs #1864.
version: 1.4.186
version: 1.4.187
sourceRef:
kind: HelmRepository
name: bp-catalyst-platform
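Review bot: the header comment left directly above the `version:` line (the PR #1858 / #1866 scanner outage, "this pin lagged by 2 versions", Refs #1864) describes a past incident, yet it now sits over a fresh manual bump and reads as the rationale for 1.4.187. Since the commit message says the pin-sync-audit CI step caught this drift rather than the auto-bump step firing, either update that comment to cite TBD-X1 / #1793 for the current bump or move the historical note elsewhere so the pin line carries one current explanation.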


@ -1,5 +1,19 @@
apiVersion: v2
name: bp-catalyst-platform
# 1.4.187 — TBD-X1 (issue #1793) notification.yaml SMTP_USER / SMTP_PASS
# env wiring. Pre-fix the notification Pod read only SMTP_HOST / PORT /
# FROM from sme-secrets, so the Go net/smtp client dialed Stalwart
# without authentication. After every sme stack redeploy the missing
# auth path returned 503 5.5.1 "You must authenticate first"; the old
# fixed-60s retry loop (now upgraded to exponential backoff + circuit
# breaker in services-notification, Refs PR companion) slammed the
# relay 3x per message x 5 tenants and tripped Stalwart's
# [5 requests, 1000ms] rate-limiter for every tenant on the same relay.
# Fix is one-symmetry-line with auth.yaml which has consumed SMTP_USER
# + SMTP_PASS from sme-secrets since chart 1.4.20 (#934). The
# sme-secrets template's source-wins lookup against catalyst-system/
# sovereign-smtp-credentials already populates the values from the
# mothership-relay (Phase-1) or bp-stalwart-sovereign (Phase-2).
# 1.4.186 — TBD-A45 (issue #1908) catalyst-api egress to secondary CP
# :6443 unblocked. baseline-default-deny CNP world-egress block
# previously allowed only 443/587/465/25 — catalyst-api fan-out to
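Review bot: the 1.4.187 entry cites "Refs PR companion" with no identifier, so the cross-reference to the services-notification exponential-backoff and circuit-breaker change cannot be resolved from Chart.yaml; insert the actual PR number (or the tracking issue) or drop the parenthetical. Minor wording: "Fix is one-symmetry-line with auth.yaml" would read more clearly as "Fix mirrors the SMTP_USER / SMTP_PASS env lines auth.yaml has carried since 1.4.20".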
@ -1294,7 +1308,7 @@ name: bp-catalyst-platform
# 25/TCP (legacy SMTP fallback). All three are explicitly scoped to
# `toEntities: world`, matching the existing 443/TCP allow. No other
# rule semantics change. (Fixes PIN-issue 502 regression from #1785.)
version: 1.4.186
version: 1.4.187
appVersion: 1.4.184
# 1.4.183 — fix(httproute): omit default sectionName so multi-zone
# Sovereigns attach via Cilium Gateway hostname matcher (Closes #1884,
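Review bot: `appVersion` stays at 1.4.184 while `version` moves to 1.4.187, so this release ships the same services-notification image as before. The new env vars only take effect if that image already reads SMTP_USER / SMTP_PASS and wires `smtp.PlainAuth` in buildAuth; the commit message attributes part of that path to the companion services-notification PR. Confirm the 1.4.184 image consumes both variables, or bump `appVersion` alongside this change, otherwise the Pod at 1.4.187 still dials Stalwart unauthenticated and the fix only lands with the next image bump.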


@ -64,6 +64,33 @@ spec:
secretKeyRef:
name: sme-secrets
key: SMTP_FROM
# SMTP_USER / SMTP_PASS — added per TBD-X1 (Refs #1793).
# Pre-fix the notification Pod read only HOST/PORT/FROM
# which meant the Go net/smtp client dialed Stalwart
# without authentication; Stalwart's submission listener
# then rejected every message with 503 5.5.1 "You must
# authenticate first". The tight retry storm tripped
# Stalwart's [5 requests, 1000ms] rate-limiter for every
# tenant on the same relay.
#
# The auth.yaml template has consumed these two keys
# from sme-secrets since chart 1.4.20 (issue #934); this
# template was an oversight from the same change-set.
# The sme-secrets template's source-wins lookup against
# catalyst-system/sovereign-smtp-credentials already
# populates SMTP_USER + SMTP_PASS with the canonical
# mothership-relay credentials (Phase-1) or the
# bp-stalwart-sovereign-minted credentials (Phase-2).
- name: SMTP_USER
valueFrom:
secretKeyRef:
name: sme-secrets
key: SMTP_USER
- name: SMTP_PASS
valueFrom:
secretKeyRef:
name: sme-secrets
key: SMTP_PASS
- name: CORS_ORIGIN
value: "https://sme.openova.io"
resources:
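Review bot: the two new `secretKeyRef` entries carry no `optional` flag, so a tenant whose sme-secrets Secret lacks SMTP_USER or SMTP_PASS fails at container creation (CreateContainerConfigError) instead of at first send. That is the right failure mode for a credential gap, but the seventeen-line comment above the entries never says so; add one line stating the keys are deliberately required. The rest of that comment duplicates the Chart.yaml 1.4.187 changelog almost verbatim, so a two-line pointer ("required for authenticated submission to Stalwart; see Chart.yaml 1.4.187 / TBD-X1, #1793") would keep the template readable and avoid two copies of the narrative drifting apart.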