openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 26 Packages Projects Releases Wiki Activity
6685bd7441
openova/platform/bp-rtz-vcluster/chart/values.yaml
e3mrah c073db28a9
feat(bootstrap-kit): bp-mgmt-vcluster + bp-dmz-vcluster + bp-rtz-vcluster — implement DoD A4 vCluster topology (#1526) 
Founder ruling 2026-05-16: docs/SOVEREIGN-MULTI-REGION-DOD.md A4 has
been promised on every multi-region prov for weeks but never built in
code — the bootstrap-kit had NO mgmt/dmz/rtz vCluster blueprints and
the Sovereign Console canvas reported `vCluster 0/0` on every prov.
This PR ships the 3 missing blueprints + wires them into the
bootstrap-kit so the topology contract finally lands.

DoD A4 ratified contract:
  primary    region → MGMT  + DMZ  vCluster
  secondary  region → DMZ   + RTZ  vCluster
Cross-vCluster intra-region traffic stays inside host k3s via Cilium.
Inter-region traffic goes over the DMZ WireGuard hop per A2.

Charts (all 3 mirror the canonical bp-cert-manager umbrella pattern —
loft-sh/vcluster 0.20.0 bundled as a Helm subchart via
`helm dependency build`, MIRROR-EVERYTHING image via
harbor.openova.io/proxy-ghcr by default, fail-fast image-tag guard
per INVIOLABLE-PRINCIPLES #4a, default-OFF via subchart `condition:`
key, NetworkPolicy isolation baseline):

  platform/bp-mgmt-vcluster/   primary-only,    slot 58
  platform/bp-dmz-vcluster/    every region,    slot 54 (default-ON)
  platform/bp-rtz-vcluster/    secondary-only,  slot 59

Each chart's tests/render.sh covers 3 contracts:
  1. default-OFF renders zero resources (subchart condition gate)
  2. enabled-with-empty-image-tag fails fast (SHA-pin guard)
  3. full-ON renders Namespace + NetworkPolicy + subchart
     StatefulSet + Service

Bootstrap-kit wiring:
  clusters/_template/bootstrap-kit/{54,58,59}-bp-*-vcluster.yaml
  clusters/_template/bootstrap-kit/kustomization.yaml (3 new resources)
  scripts/expected-bootstrap-deps.yaml (slots 54/58/59 + adjacent
    bp-openova-flow-server bp-cnpg dep drift fix)

scripts/check-bootstrap-deps.sh passes 0-drift after the change
(48 HRs present on disk, 14 deferred for W2.K4).

Region-key threading uses the existing `${SOVEREIGN_REGION_KEY}`
postBuild.substitute that the cloud-init tftpl already exports (per
the brief's "DON'T touch infra/hetzner/*" directive). The per-role
enable gates default safely (mgmt=false, dmz=true, rtz=false); a
follow-up tofu PR will add MGMT_VCLUSTER_ENABLED + RTZ_VCLUSTER_ENABLED
substitutes flipped on only on the appropriate CP, taking the canvas
count from `vCluster 3/3` to `vCluster 6/6` on a 3-region Sovereign.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 16:13:17 +04:00

106 lines
3.0 KiB
YAML
Raw Blame History

# Catalyst Blueprint values for bp-rtz-vcluster (DoD A4 — vCluster
# topology, 2026-05-16).
#
# Per docs/INVIOLABLE-PRINCIPLES.md #1/#4/#4a + MIRROR-EVERYTHING.
catalystBlueprint:
upstream:
chart: vcluster
version: "0.20.0"
repo: "https://charts.loft.sh"
global:
imageRegistry: ""
rtzVcluster:
# Top-level enable gate. False by default; bootstrap-kit slot 59
# postBuild.substitute flips it on ONLY for secondary regions.
enabled: false
# ── Topology identity ───────────────────────────────────────────────
hostNamespace: rtz
vclusterName: rtz
role: secondary
# ── NodeSelector pin to this region's CP ────────────────────────────
# The RTZ vCluster pod MUST run on the region's own CP node so
# tenant traffic never silently lands in a foreign region.
nodeSelector:
regionLabelKey: "openova.io/region"
regionLabelValue: ""
image:
repository: "harbor.openova.io/proxy-ghcr/loft-sh/vcluster"
tag: "0.20.0"
pullPolicy: "IfNotPresent"
# ── NetworkPolicy isolation baseline ──────────────────────────────
# RTZ default-deny: tenant workloads only reach DMZ for outbound
# routes. NO direct mgmt access (mgmt only lives on the primary —
# MGMT calls cross-region via DMZ WG).
networkPolicy:
enabled: true
allowedIngressNamespaces:
- dmz # always present on the same region
allowWorldIngress: false # tenant pods never face world directly
vcluster:
controlPlane:
distro:
k8s:
enabled: true
backingStore:
database:
embedded:
enabled: true
statefulSet:
scheduling:
nodeSelector: {}
image:
registry: harbor.openova.io
repository: proxy-ghcr/loft-sh/vcluster
tag: "0.20.0"
resources:
requests:
cpu: "200m"
memory: "384Mi"
limits:
cpu: "2"
memory: "1Gi"
persistence:
volumeClaim:
enabled: true
size: "5Gi"
storageClass: "local-path"
service:
enabled: true
spec:
type: ClusterIP
sync:
toHost:
services:
enabled: true
ingresses:
enabled: false
persistentVolumeClaims:
enabled: true
configMaps:
enabled: true
secrets:
enabled: true
fromHost:
ingressClasses:
enabled: true
# Writes a host-namespace Secret named `vc-rtz` containing a kubeconfig
# for the vCluster's apiserver. The Sovereign-side handler
# (core/services/provisioning/handlers/handlers.go
# mirrorVClusterKubeconfig) mirrors this Secret into flux-system as
# `rtz-vcluster-kubeconfig` so per-Sovereign Flux Kustomization CRs
# can reconcile RTZ-vCluster-targeted resources.
exportKubeConfig:
context: vcluster
secret:
name: vc-rtz
Reference in New Issue View Git Blame Copy Permalink