openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 26 Packages Projects Releases Wiki Activity
59367b2fe5
openova/clusters/omantel.omani.works
History
e3mrah 7622cf626d
fix(bp-crossplane): align ProviderConfig secretRef with cloud-init seam (Refs #1947) (#1963) 
ProviderConfig in clusters/_template/infrastructure/ referenced
`crossplane-system/hcloud-credentials/token`, a Secret that nothing
in OpenTofu's cloud-init plants. Cloud-init writes the canonical
cloud-credentials Secret to `flux-system/cloud-credentials/hcloud-token`
(infra/hetzner/cloudinit-control-plane.tftpl line ~440), and the
cloud-init-applied ProviderConfig points at that.

Once bootstrap-kit reaches Ready, Flux's infrastructure-config
Kustomization reconciles `_template/infrastructure/` and over-writes
the cloud-init-applied ProviderConfig with the broken secretRef.
The Provider package itself still rolls out fine (the install path
doesn't consume ProviderConfig), but every managed-resource
reconcile (Server / LoadBalancer / Network / Volume) fails to
authenticate — silently de-credentialing the entire Crossplane Day-2
seam.

Refs #1947 — T3 walk on t34 (2026-05-19) flagged
`kubectl api-resources --api-group=hcloud.crossplane.io` empty. The
package availability is a separate concern (xpkg.upbound.io serves
404 for `crossplane-contrib/provider-hcloud` at all versions — the
upstream `crossplane-contrib/provider-hcloud` GitHub repo is also
404'd). That's a follow-up issue. THIS fix ensures the ProviderConfig
is correct so when the package is restored / mirrored, no second
chart-bump is needed.

Per docs/INVIOLABLE-PRINCIPLES.md #3: Crossplane is the only Day-2
cloud-resource mutation seam. The ProviderConfig MUST stay aligned
with the seam the OpenTofu module establishes — drift here silently
breaks every XRC-based mutation.

Also fixes the two legacy per-cluster overlays
(`omantel.omani.works/`, `otech.omani.works/`) so future operators
don't copy the broken reference forward — those overlays are
currently inert (cloud-init's Flux Kustomization points at
`_template/infrastructure`, not the per-cluster path), but
consistency matters per principle #11.

No chart bump needed: this is a pure Kustomize seam fix in
`clusters/_template/infrastructure/` — Flux reconciles directly
without going through bp-crossplane / bp-crossplane-claims.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 19:23:04 +04:00
..
bootstrap-kit fix(bp-cert-manager): add CRD-establishment gate to close ClusterIssuer race (#149) (#1355) 2026-05-11 08:28:06 +04:00
flux-system feat(day2-iac): Crossplane Compositions + per-Sovereign Flux cluster tree + catalyst-dns binary 2026-04-28 14:09:29 +02:00
infrastructure fix(bp-crossplane): align ProviderConfig secretRef with cloud-init seam (Refs #1947) (#1963) 2026-05-19 19:23:04 +04:00
kustomization.yaml feat(day2-iac): Crossplane Compositions + per-Sovereign Flux cluster tree + catalyst-dns binary 2026-04-28 14:09:29 +02:00