openova/platform/wordpress-tenant/chart/Chart.yaml
e3mrah 6685bd7441
feat(catalog-seed): add bp-cnpg-pair Blueprint + wordpress-tenant active-hot-standby mode (Refs TBD-E8b, TBD-B31) (#1717)
Wave 28-B discovery: the bp-cnpg-pair Catalyst-curated Blueprint chart
(platform/cnpg-pair/ @ 0.1.1) was missing from the catalog-seed
template added by PR #1697. The chart is published at
oci://ghcr.io/openova-io/bp-cnpg-pair, but operators had no way to see
it in /api/v1/catalog on a fresh Sovereign — only the 13 entries from
PR #1697 rendered.

This PR seeds bp-cnpg-pair alongside its bp-cnpg companion in
templates/catalog-seed/blueprints.yaml. Render goes from 13 -> 14
Blueprint CRs on a freshly-handed-over Sovereign.

Also wires the canonical `database.mode` enum knob on bp-wordpress-
tenant (singleton | active-hot-standby), aligning the operator-facing
interface with the new bp-cnpg-pair Blueprint:

  - chart/values.yaml: new `database.mode` (empty default for back-compat).
  - chart/templates/_helpers.tpl: new `bp-wordpress-tenant.dbMode` helper
    with resolution precedence (enum wins; legacy
    `pg.activeHotStandby.enabled` boolean folds as alias for chart
    0.3.x overlays).
  - chart/templates/cnpg-cluster.yaml: reads the resolved enum via the
    helper instead of the raw boolean. Output is bit-for-bit identical
    when overlays don't set the new knob (back-compat smoke verified:
    legacy boolean still renders 2 Cluster CRs).
  - blueprint.yaml: configSchema exposes `database.mode` so the
    marketplace voucher -> org wizard (D29) can present a
    "Postgres topology" picker instead of a boolean.
  - Chart.yaml: version bump 0.3.0 -> 0.3.1.

Status:
  - chart render: helm lint clean on both charts; 4 invariants pass
    (singleton/mode=ahs/legacy-bool/mode-overrides-bool).
  - runtime D31: chart-rendered as of PR #1562; full prov-time
    runtime verification remains deferred (gated on next Sovereign
    fresh-prov per docs/SESSION-2026-05-17-CONVERGENCE.md).

Refs TBD-E8b, TBD-B31.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-05-18 19:08:05 +04:00

apiVersion: v2
name: bp-wordpress-tenant
# 0.2.0 (2026-05-05) — umbrella issue #915 (D1):
#   - Replaced direct PHP/SQL writes in templates/oidc-config-job.yaml
#     with wp-cli commands run from the canonical `wordpress:cli`
#     image. `wp plugin install openid-connect-generic --activate`
#     replaces the previous `INSERT INTO wp_options ('active_plugins',
#     ...)`; `wp option update openid_connect_generic_settings` replaces
#     the previous serialised-PHP UPSERT. Idempotency via `wp plugin
#     is-installed` + `wp core is-installed`.
#   - New `oidc.*` block in values.yaml (canonical input contract):
#     `oidc.{enabled,issuerURL,clientId,clientSecretName,defaultRole,
#     identityKey,roleMapping,cliImage}`. The legacy `keycloak.*` block
#     remains as a back-compat alias (chart 0.1.x clusters whose
#     orchestrator hasn't been re-rendered keep working) — folding
#     happens via _helpers.tpl `oidcIssuerURL/oidcClientId/
#     oidcClientSecretName` definitions.
#   - Default OIDC client secret name moved from `wordpress-oidc` to
#     `wordpress-oidc-client-secret` to align with the Secret name
#     emitted by PR #918 (bp-keycloak tenant-realm ConfigMap).
#   - `oidc.defaultRole=subscriber` — newly auto-created SSO users land
#     with subscriber capability (operator can override via overlay).
#   - Orchestrator emit (products/catalyst/bootstrap/api/internal/handler/
#     sme_tenant_gitops.go `smeTenantBPWordPress`) bumped to emit both
#     `oidc.*` and `keycloak.*` so chart 0.1.x and 0.2.0 reconciles work.
# 0.1.0 — initial release (#800).
# 0.2.1 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): database-secret-sync-job
#   hook image switched from curlimages/curl:8.10.1 to
#   harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md
#   inviolable rule.
# 0.3.0 (D31, 2026-05-16): Sovereign DoD D31 — active-hot-standby Postgres.
#   - New `pg.activeHotStandby.{enabled,primaryRegion,replicaRegion,
#     walStreaming,clusterMesh}` block in values.yaml.
#   - templates/cnpg-cluster.yaml now renders TWO Cluster.postgresql.cnpg.io
#     resources (primary + replica) when enabled=true, mirroring the
#     bp-cnpg-pair pattern (platform/cnpg-pair/chart/templates/
#     {primary,replica}-cluster.yaml). WAL streams over Cilium ClusterMesh
#     via the primary's spec.managed.services.additional entry annotated
#     `service.cilium.io/global: "true"`.
#   - When enabled=false (default) the existing single Cluster shape is
#     preserved bit-for-bit — no regression for non-HA tenants.
#   - New tests/active-hot-standby-render.sh render-gate asserts default
#     render emits 1 Cluster and enabled render emits 2 Cluster CRs with
#     the right nodeSelectors + replica.source + externalCluster.host.
# 0.3.1 (TBD-E8b, 2026-05-18): canonical `database.mode` enum.
#   - New `database.mode` knob (singleton | active-hot-standby). When
#     set, overrides the legacy `pg.activeHotStandby.enabled` boolean
#     (kept as back-compat alias for chart 0.3.0 overlays). Resolution
#     precedence centralised in _helpers.tpl `bp-wordpress-tenant.dbMode`.
#   - templates/cnpg-cluster.yaml now reads the resolved enum via the
#     helper; pre-existing renders bit-for-bit identical when overlays
#     don't set the new knob (back-compat smoke).
#   - blueprint.yaml configSchema exposes `database.mode` so the
#     marketplace voucher → org wizard (D29) can present a
#     "Postgres topology" picker instead of a boolean.
#   - Companion to catalog-seed bp-cnpg-pair Blueprint CR (Refs TBD-E8b).
version: 0.3.1
appVersion: "6"
description: |
  Catalyst Blueprint scratch chart for in-vcluster WordPress, one
  instance per SME tenant. Pre-wires:
    - SSO via the per-tenant Keycloak realm using the
      `openid-connect-generic` plugin (auto-create-on-first-login,
      configurable default role, Keycloak-group → WP-role mapping).
    - Postgres provisioned by bp-cnpg (Cluster CR) in the SME tenant
      namespace; password mirrored via reflector + post-install Job.
    - PVC-backed `/var/www/html/wp-content/` for theme/plugin/upload
      persistence.
    - Ingress at `wordpress.<sme-domain>` routed via the SME's ingress
      with cert-manager TLS.
    - Idempotent post-install Jobs run via `wp-cli` that (a) `wp core
      install` + `wp plugin install openid-connect-generic --activate`
      + `wp option update openid_connect_generic_settings` pointing
      at the operator-supplied Keycloak realm + client, (b) pre-seed
      the SME admin WP user with the SSO email mapping.
  This is a scratch chart — there is no first-party Helm chart for
  WordPress (the upstream WordPress project ships only a Docker image at
  `wordpress:6-php8.3-apache`). The `common` library subchart is
  declared as a Helm dependency so the BLUEPRINT-AUTHORING.md
  hollow-chart guard (issue #181) is satisfied; bp-newapi follows the
  same pattern.
  Pairs with bp-cnpg (Postgres), bp-keycloak (SME-vcluster IdP),
  bp-reflector (Secret mirror), bp-cert-manager (ACME TLS).
type: application
keywords:
- catalyst
- blueprint
- wordpress
- cms
- sme
- tenant
- sso
- keycloak
- oidc
maintainers:
  - name: OpenOva Catalyst
    email: catalyst@openova.io
# Scratch chart — see comments in bp-newapi/chart/Chart.yaml for the
# rationale on the `common` library subchart dependency (issue #181
# hollow-chart gate).
dependencies:
  - name: common
    version: "0.1.3"
    repository: "https://sigstore.github.io/helm-charts"
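The `database.mode` precedence that the commit message and the 0.3.1 changelog describe (enum wins; the legacy `pg.activeHotStandby.enabled` boolean folds in as an alias), carried through as an added example rather than the repository's own `_helpers.tpl`: a plain-Go model of the helper, rendered with `text/template` against the chart's defaults plus each of the four render invariants the commit lists, and with a fifth case showing that a mistyped enum value aborts the render instead of silently falling back to a single Cluster. The template body, the `chartDefaults`, `mergeValues`, `resolveDBMode` and `clusterCount` names and the locally registered `fail` function are assumptions of this example; Helm itself supplies `fail` through Sprig.

```go
package main

// Added example, not code from the openova repo: a plain-Go model of the
// `bp-wordpress-tenant.dbMode` resolution precedence. Helm templates are
// text/template plus Sprig; the only non-builtin used here is `fail`, which
// is registered in resolveDBMode so the block runs without Helm. The template
// body is an assumed shape of the helper, not a copy of the repo's file.

import (
	"bytes"
	"errors"
	"fmt"
	"text/template"
)

const helperTpl = `{{- define "bp-wordpress-tenant.dbMode" -}}
{{- $mode := .Values.database.mode -}}
{{- if $mode -}}
  {{- if or (eq $mode "singleton") (eq $mode "active-hot-standby") -}}
    {{- $mode -}}
  {{- else -}}
    {{- fail (printf "database.mode must be singleton or active-hot-standby, got %q" $mode) -}}
  {{- end -}}
{{- else if .Values.pg.activeHotStandby.enabled -}}
  {{- "active-hot-standby" -}}
{{- else -}}
  {{- "singleton" -}}
{{- end -}}
{{- end -}}
{{- template "bp-wordpress-tenant.dbMode" . -}}`

// chartDefaults stands in for the chart's values.yaml (assumed values): the
// enum is empty by default for back-compat and the legacy boolean is off.
func chartDefaults() map[string]interface{} {
	return map[string]interface{}{
		"database": map[string]interface{}{"mode": ""},
		"pg": map[string]interface{}{
			"activeHotStandby": map[string]interface{}{"enabled": false},
		},
	}
}

// mergeValues layers an operator overlay on top of the defaults the way Helm
// coalesces values: nested maps merge, scalars in the overlay win.
func mergeValues(base, overlay map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(base))
	for k, v := range base {
		out[k] = v
	}
	for k, v := range overlay {
		if ov, ok := v.(map[string]interface{}); ok {
			if bv, ok := out[k].(map[string]interface{}); ok {
				out[k] = mergeValues(bv, ov)
				continue
			}
		}
		out[k] = v
	}
	return out
}

// resolveDBMode renders the helper against defaults+overlay and returns the
// resolved enum, or an error when the overlay sets an unsupported mode.
func resolveDBMode(overlay map[string]interface{}) (string, error) {
	tpl, err := template.New("helpers").Funcs(template.FuncMap{
		// Stand-in for Sprig's `fail`: abort the render with a message.
		"fail": func(msg string) (string, error) { return "", errors.New(msg) },
	}).Parse(helperTpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	ctx := map[string]interface{}{"Values": mergeValues(chartDefaults(), overlay)}
	if err := tpl.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// clusterCount mirrors what cnpg-cluster.yaml emits per mode: one Cluster CR
// for singleton, primary + replica for active-hot-standby.
func clusterCount(mode string) int {
	if mode == "active-hot-standby" {
		return 2
	}
	return 1
}

func main() {
	ahs := map[string]interface{}{"activeHotStandby": map[string]interface{}{"enabled": true}}
	cases := []struct {
		name    string
		overlay map[string]interface{}
	}{
		{"singleton (no overlay)", map[string]interface{}{}},
		{"mode=active-hot-standby", map[string]interface{}{"database": map[string]interface{}{"mode": "active-hot-standby"}}},
		{"legacy boolean only", map[string]interface{}{"pg": ahs}},
		{"mode overrides boolean", map[string]interface{}{"database": map[string]interface{}{"mode": "singleton"}, "pg": ahs}},
		{"typo rejected", map[string]interface{}{"database": map[string]interface{}{"mode": "active-hot-stanby"}}},
	}
	for _, c := range cases {
		mode, err := resolveDBMode(c.overlay)
		if err != nil {
			fmt.Printf("%-24s -> render fails: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-24s -> %s (%d Cluster CR(s))\n", c.name, mode, clusterCount(mode))
	}
}
```

Rejecting an unknown value rather than defaulting it matters here because this one knob decides whether a second Cluster CR exists at all: a typo should fail at `helm template` time, where the render gate catches it, not quietly produce one Cluster when the overlay meant two. The `mode overrides boolean` case is the invariant the commit calls `mode-overrides-bool`: an explicit `singleton` wins over a stale `enabled: true` carried over from a 0.3.0 overlay.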