openova/platform/bp-rtz-vcluster
e3mrah c60942bb4f
fix(blueprints): vcluster charts smoke-render annotation = "default-off" (#1527)
Blueprint Release CI's smoke-render gate fails on `render < 5 lines`
unless the chart Chart.yaml declares the LITERAL token
`catalyst.openova.io/smoke-render-mode: "default-off"`.

PR #1526 shipped the 3 vCluster blueprints with descriptive but
non-accepted tokens (`primary-only` / `every-region` / `secondary-only`)
so the gate failed for `bp-mgmt-vcluster` (renders 1 line with
`mgmtVcluster.enabled=false`). All 3 charts default-OFF
(`.enabled: false` in values.yaml) and the bootstrap-kit slots flip
them on via postBuild.substitute.

This PR aligns all 3 to the accepted `"default-off"` token.

The full-ON render path is exercised by each chart's
`chart/tests/render.sh` (asserts Namespace + NetworkPolicy + subchart
StatefulSet + Service produced when enabled=true) — CI doesn't run
this as a Release gate but the agent's brief did.

Refs PR #1526.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 16:15:51 +04:00
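The gate behaviour the commit message describes, as an added example written for this page (it is not the Blueprint Release CI's own code): a render of fewer than 5 lines fails unless Chart.yaml declares the literal `catalyst.openova.io/smoke-render-mode: "default-off"` annotation. The threshold and the annotation key come from the page; that the gate matches the token as a literal line (so descriptive tokens such as `primary-only` are rejected) is an assumption, and the three sample charts are constructed here to show the shipped, fixed and full-ON cases side by side.

```shell
#!/bin/sh
# Added example, not the Release CI's code: a minimal smoke-render gate with
# the two rules the commit message states.
#   1. a render shorter than MIN_RENDER_LINES fails,
#   2. unless Chart.yaml carries the LITERAL annotation
#      catalyst.openova.io/smoke-render-mode: "default-off"
# Assumed: the annotation is matched as a literal line (quotes included) and
# the rendered manifest is available as a plain text file.

MIN_RENDER_LINES=5
SMOKE_ANNOTATION='catalyst.openova.io/smoke-render-mode'

# smoke_render_gate CHART_DIR RENDER_FILE
# Prints the verdict and returns 0 (PASS) or 1 (FAIL).
smoke_render_gate() {
  chart_dir=$1
  render_file=$2
  lines=$(wc -l < "$render_file" | tr -d ' ')
  if [ "$lines" -ge "$MIN_RENDER_LINES" ]; then
    echo "PASS: $lines lines rendered"
    return 0
  fi
  # Exact token, quotes included; only leading whitespace is tolerated, so
  # "primary-only" / "every-region" / "secondary-only" do not match.
  if grep -qE "^[[:space:]]*${SMOKE_ANNOTATION}:[[:space:]]*\"default-off\"[[:space:]]*$" \
       "$chart_dir/Chart.yaml"; then
    echo "PASS: $lines lines rendered, chart opts out with \"default-off\""
    return 0
  fi
  echo "FAIL: $lines lines rendered (< $MIN_RENDER_LINES) and no \"default-off\" annotation"
  return 1
}

# make_chart DIR TOKEN NLINES
# Writes a constructed Chart.yaml (with the annotation if TOKEN is non-empty)
# and a fake render output of NLINES lines. Test fixture only.
make_chart() {
  dir=$1; token=$2; nlines=$3
  mkdir -p "$dir"
  {
    echo 'apiVersion: v2'
    echo "name: $(basename "$dir")"
    echo 'version: 0.1.0'
    if [ -n "$token" ]; then
      echo 'annotations:'
      echo "  ${SMOKE_ANNOTATION}: $token"
    fi
  } > "$dir/Chart.yaml"
  : > "$dir/render.txt"
  i=0
  while [ "$i" -lt "$nlines" ]; do
    echo "# rendered line $i" >> "$dir/render.txt"
    i=$((i + 1))
  done
}

# demo: the three situations the commit message contrasts.
demo() {
  tmp=$(mktemp -d)
  make_chart "$tmp/bp-mgmt-vcluster-1526"  '"primary-only"' 1  # as shipped by #1526
  make_chart "$tmp/bp-mgmt-vcluster-1527"  '"default-off"'  1  # after #1527
  make_chart "$tmp/bp-full-on"             ''               6  # enabled=true render
  for c in bp-mgmt-vcluster-1526 bp-mgmt-vcluster-1527 bp-full-on; do
    printf '%s: ' "$c"
    smoke_render_gate "$tmp/$c" "$tmp/$c/render.txt" || true
  done
  rm -rf "$tmp"
}

demo
```

Running the script prints FAIL for the chart carrying `"primary-only"`, PASS for the same 1-line render once the token is `"default-off"`, and PASS for the full-ON render regardless of annotation.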
Directory listing (file, last commit, date):
  • chart: fix(blueprints): vcluster charts smoke-render annotation = "default-off" (#1527), 2026-05-16 16:15:51 +04:00
  • blueprint.yaml: feat(bootstrap-kit): bp-mgmt-vcluster + bp-dmz-vcluster + bp-rtz-vcluster — implement DoD A4 vCluster topology (#1526), 2026-05-16 16:13:17 +04:00
  • README.md: feat(bootstrap-kit): bp-mgmt-vcluster + bp-dmz-vcluster + bp-rtz-vcluster — implement DoD A4 vCluster topology (#1526), 2026-05-16 16:13:17 +04:00

bp-rtz-vcluster

Bootstrap-kit Blueprint #59. Provisions the RTZ vCluster on every secondary region — the regional tenant-workload vCluster.

Why this exists — DoD A4

docs/SOVEREIGN-MULTI-REGION-DOD.md invariant A4:

primary region = MGMT + DMZ vCluster; each secondary region = DMZ + RTZ vCluster. Cross-vCluster intra-region traffic stays inside host k3s via Cilium.

This Blueprint implements the RTZ half of the secondary-region pair.

Region role   vClusters     This chart
Primary       MGMT + DMZ    not rendered (gated off via SOVEREIGN_REGION_ROLE)
Secondary     DMZ + RTZ     rendered

Resources rendered (full-ON)

  • Namespace rtz (catalyst.openova.io/vcluster-role=rtz label)
  • NetworkPolicy default-deny + allowFrom dmz (RTZ has NO direct MGMT access — primary's MGMT only reachable via DMZ WG cross-region)
  • Upstream loft-sh/vcluster 0.20.0 subchart under rtz namespace with:
    • nodeSelector: openova.io/region=<secondary-region-key> so the StatefulSet lands on the region's own CP node
    • local-path storage class, 5Gi PVC
    • 200m CPU / 384Mi memory request
    • MIRROR-EVERYTHING image: harbor.openova.io/proxy-ghcr/loft-sh/vcluster:0.20.0
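The NetworkPolicy pair the list above names, default-deny plus allowFrom dmz, written out as an added example (not the chart's own templates) so the "no direct MGMT access" property can be checked on the rendered text. Assumptions: the deny policy covers ingress only (the page does not say whether egress is also denied), the dmz namespace is selected by the standard `kubernetes.io/metadata.name` label, and the policy names are placeholders.

```shell
#!/bin/sh
# Added example, not the chart's templates: the two NetworkPolicy objects for
# the rtz namespace as the README describes them, emitted by a function so a
# second function can verify which namespaces are allowed in.
# Assumed: ingress-only default-deny, peer namespace selected by the standard
# kubernetes.io/metadata.name label, placeholder policy names.

# rtz_netpols NAMESPACE PEER_NS -> prints both manifests to stdout
rtz_netpols() {
  ns=${1:-rtz}
  peer=${2:-dmz}
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: $ns
spec:
  podSelector: {}            # empty selector: every pod in the namespace
  policyTypes: [Ingress]     # no ingress rules listed, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-$peer
  namespace: $ns
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: $peer
EOF
}

# netpol_peer_namespaces MANIFEST_FILE
# Lists every namespace named in a namespaceSelector, one per line.
netpol_peer_namespaces() {
  sed -n 's/^[[:space:]]*kubernetes\.io\/metadata\.name:[[:space:]]*//p' "$1"
}

# rtz_has_direct_peer MANIFEST_FILE NS -> 0 if NS is an allowed ingress peer
rtz_has_direct_peer() {
  netpol_peer_namespaces "$1" | grep -qx "$2"
}

# Stand-alone check: dmz is allowed, mgmt is not.
out=$(mktemp)
rtz_netpols rtz dmz > "$out"
if rtz_has_direct_peer "$out" mgmt; then
  echo "unexpected: mgmt is an allowed peer of rtz"
else
  echo "ok: allowed ingress peers of rtz = $(netpol_peer_namespaces "$out" | tr '\n' ' ')"
fi
rm -f "$out"
```

Two details worth checking in any rendered output: the deny policy's `podSelector: {}` selects every pod, and the allow policy selects the peer by namespace label rather than by name, so a future namespace with the same label would also be admitted.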

Topology dependency

Phase 0 (cloud-init Hetzner CP per region)
   ↓
bp-cilium             — CNI + Gateway API (slot 01)
   ↓
bp-cert-manager       — TLS for ClusterIssuers (slot 02)
   ↓
bp-mgmt-vcluster      — slot 58 (primary-only)
bp-dmz-vcluster       — slot 54 (every region)
bp-rtz-vcluster       — THIS chart (slot 59, secondary-only)

See also

  • docs/SOVEREIGN-MULTI-REGION-DOD.md — A4 contract
  • platform/bp-mgmt-vcluster/ — primary-region companion
  • platform/bp-dmz-vcluster/ — every-region companion
  • scripts/expected-bootstrap-deps.yaml slot 59