openova/clusters/_template/bootstrap-kit
e3mrah bf577e9d7b
fix(bp-sme): allow egress from catalyst-system to gateway:8080 (TBD-A38, Closes #1917) (#1919)
The baseline-default-deny CiliumNetworkPolicy in catalyst-system listed
14 platform namespaces in its egress allow-list (keycloak, gitea,
powerdns, cnpg-system, openbao, harbor, nats-system, loki, mimir, tempo,
alloy, opentelemetry, external-secrets-system, cert-manager) but did NOT
include `sme`. The bp-sme-platform chart deploys the SME control-plane
into namespace `sme`, and console in catalyst-system reaches
`gateway.sme.svc.cluster.local:8080` for every voucher list / issue /
redeem call (plus admin reaches the same gateway for tenant onboarding).
Every such call was therefore dropped at the egress hook and timed out
at 5s, surfaced at the operator as 503 `context deadline exceeded` on
the voucher list / voucher issue panels.

Reproduction on t32 (2026-05-19, fresh prov, READ-ONLY):

  $ kubectl exec -n catalyst-system catalyst-api-59d5cf5644-wrg4x \
      -- curl -m 5 http://gateway.sme.svc.cluster.local:8080/healthz
  000 time=5.002937
  curl: (28) Connection timed out after 5002 milliseconds

Live CNP egress excerpt (kubectl get cnp -n catalyst-system
baseline-default-deny -o yaml | yq '.spec.egress[3]'):

  toEndpoints:
    - matchExpressions:
        - key: k8s:io.kubernetes.pod.namespace
          operator: In
          values:
            - keycloak  ... - cert-manager   # (no 'sme')

Fix: add `sme` to BOTH the values.yaml default
(`.Values.security.baselineCnp.allowedPlatformNamespaces`) AND the
template's `default (list ...)` fallback, so a Helm install with no
values overrides still renders the allow.

Originally masqueraded under #1748 (voucher list 503) and #1749 (voucher
issue 503) — those were thought to be services-build 502 regressions,
but this is a distinct CNP-misconfig bug class.

Validation:
- `helm template` confirms rendered CNP now lists `sme` in egress.
- `kubectl apply --dry-run=server` against t32 apiserver passes
  ("ciliumnetworkpolicy.cilium.io/baseline-default-deny configured").

Chart bumped 1.4.188 → 1.4.189; bootstrap-kit pin bumped to match.
No live patching on t32 — fix verified via server-side dry-run only,
per Principle #15.

Closes #1917
Refs #1748
Refs #1749

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-05-19 10:49:47 +04:00
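The failure mode in the commit above is a default-deny CiliumNetworkPolicy whose namespace allow-list silently omits one dependency, so the flow is dropped at the egress hook and the symptom surfaces as a client-side timeout far from the policy. The following is an added example, not code from the openova repository or the bp-catalyst-platform chart: a small evaluator for the `toEndpoints` / `toPorts` semantics of a CNP egress rule, plus a check that takes a table of required cross-namespace flows and reports which ones the rendered policy would drop. The 14-namespace list mirrors the commit text; the `toPorts` handling, the `keycloak:8080` entry in the required-flow table and the `fallback_drift` helper (which models the commit's point that the values.yaml default and the template's `default (list ...)` fallback must agree) are assumptions made for illustration. Run it against the namespace list extracted from `helm template` output before merging a chart bump.

```python
"""Check a CiliumNetworkPolicy egress allow-list against required cross-namespace flows.

Added example, not part of the openova repository. The policy structure is
constructed to mirror the commit's description of baseline-default-deny.
"""

NS_LABEL = "k8s:io.kubernetes.pod.namespace"

# Constructed from the commit text: the pre-fix list of 14 platform namespaces, no 'sme'.
PLATFORM_NAMESPACES_BEFORE = [
    "keycloak", "gitea", "powerdns", "cnpg-system", "openbao", "harbor",
    "nats-system", "loki", "mimir", "tempo", "alloy", "opentelemetry",
    "external-secrets-system", "cert-manager",
]
PLATFORM_NAMESPACES_AFTER = PLATFORM_NAMESPACES_BEFORE + ["sme"]


def namespace_egress_rule(namespaces, ports=None):
    """Build one egress rule selecting peers by namespace label; toPorts is optional (assumed)."""
    rule = {"toEndpoints": [{"matchExpressions": [
        {"key": NS_LABEL, "operator": "In", "values": list(namespaces)}]}]}
    if ports:
        rule["toPorts"] = [{"ports": [{"port": str(p), "protocol": "TCP"} for p in ports]}]
    return rule


def match_expression(expr, labels):
    """Evaluate one LabelSelector requirement against a peer's label map."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator {op!r}")


def selector_matches(selector, labels):
    """matchLabels and matchExpressions are ANDed, as in a Kubernetes LabelSelector."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    return all(match_expression(e, labels) for e in selector.get("matchExpressions", []))


def port_matches(rule, port, proto):
    """True when the rule has no toPorts block (L3-only rule) or lists this port/protocol."""
    to_ports = rule.get("toPorts")
    if not to_ports:
        return True
    for block in to_ports:
        for p in block.get("ports", []):
            if str(p.get("port")) == str(port) and p.get("protocol", "ANY") in ("ANY", proto):
                return True
    return False


def egress_allowed(egress_rules, peer_labels, port, proto="TCP"):
    """Default deny: the flow passes only if some rule selects the peer AND its port."""
    for rule in egress_rules:
        selectors = rule.get("toEndpoints", [])
        if any(selector_matches(s, peer_labels) for s in selectors) and port_matches(rule, port, proto):
            return True
    return False


def dropped_flows(egress_rules, required_flows):
    """Return the (namespace, port) destinations the policy would drop at the egress hook."""
    return [(ns, port) for ns, port in required_flows
            if not egress_allowed(egress_rules, {NS_LABEL: ns}, port)]


def fallback_drift(values_default, template_fallback):
    """Namespaces present in one Helm default (values.yaml vs template fallback) but not both."""
    return sorted(set(values_default) ^ set(template_fallback))


if __name__ == "__main__":
    # Constructed required-flow table: console -> gateway.sme:8080 from the commit text;
    # the keycloak entry is an assumed placeholder for an already-allowed dependency.
    required = [("sme", 8080), ("keycloak", 8080)]
    before = [namespace_egress_rule(PLATFORM_NAMESPACES_BEFORE)]
    after = [namespace_egress_rule(PLATFORM_NAMESPACES_AFTER)]
    print("dropped before fix:", dropped_flows(before, required))
    print("dropped after fix: ", dropped_flows(after, required))
    print("values/template drift:", fallback_drift(PLATFORM_NAMESPACES_AFTER, PLATFORM_NAMESPACES_BEFORE))
```

A non-empty `dropped_flows` result is the signal to block the merge; a non-empty `fallback_drift` means a fresh `helm install` with no values overrides would render a different allow-list than one that sets `.Values.security.baselineCnp.allowedPlatformNamespaces`, which is exactly the two-place edit the commit makes.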
01-cilium.yaml fix(clustermesh-lb): revert use-private-ip to false (D11) (#1550) 2026-05-16 21:01:20 +04:00
01a-gateway-api.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
02-cert-manager.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
03-flux.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
04-crossplane.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
05-sealed-secrets.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
05a-reflector.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
06a-bp-self-sovereign-cutover.yaml fix(bp-gitea+bp-harbor): shorten mirror interval to 5m for post-cutover freshness (TBD-A37, Closes #1899) (#1916) 2026-05-19 10:42:11 +04:00
07-nats-jetstream.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
08-openbao.yaml deploy(bp-openbao): bump bootstrap-kit pin -> 1.2.17 (auto, Refs TBD-A6, retry 2) 2026-05-19 03:57:57 +00:00
09-keycloak.yaml deploy(bp-keycloak): bump bootstrap-kit pin -> 1.4.6 (auto, Refs TBD-A6, retry 1) 2026-05-19 03:57:59 +00:00
10-gitea.yaml deploy(bp-gitea): bump bootstrap-kit pin -> 1.2.8 (auto, Refs TBD-A6, retry 2) 2026-05-19 03:57:55 +00:00
11-powerdns.yaml deploy(bp-powerdns): bump bootstrap-kit pin -> 1.2.4 (auto, Refs TBD-A6, retry 1) 2026-05-19 03:58:05 +00:00
12-external-dns.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
13-bp-catalyst-platform.yaml fix(bp-sme): allow egress from catalyst-system to gateway:8080 (TBD-A38, Closes #1917) (#1919) 2026-05-19 10:49:47 +04:00
14-crossplane-claims.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
15-external-secrets.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
15a-external-secrets-stores.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
16-cnpg.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
17-valkey.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
18-seaweedfs.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
19-harbor.yaml deploy(bp-harbor): bump bootstrap-kit pin -> 1.2.19 + blueprint.yaml lockstep (auto, Refs TBD-A6 + TBD-A20, retry 2) 2026-05-19 04:03:38 +00:00
19a-bp-sandbox.yaml fix(tenant+sandbox): wire K8s client SA + NEWAPI_DEFAULT_CHANNELS default (Closes #1775, #1777) (#1783) 2026-05-18 21:23:28 +04:00
20-opentelemetry.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
21-alloy.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
22-loki.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
23-mimir.yaml deploy(bp-mimir): bump bootstrap-kit pin 1.0.3 -> 1.0.4 (auto, Refs TBD-A6) 2026-05-18 15:57:28 +00:00
24-tempo.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
25-grafana.yaml deploy(bp-grafana): bump bootstrap-kit pin -> 1.0.2 (auto, Refs TBD-A6, retry 1) 2026-05-19 03:57:53 +00:00
27-kyverno.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
28-reloader.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
29-vpa.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
30-trivy.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
31-falco.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
32-sigstore.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
33-syft-grype.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
34-velero.yaml fix(bp-velero): bump 1.2.1 -> 1.2.2 to force a publish (Closes #1799) (#1846) 2026-05-19 00:43:13 +04:00
35-coraza.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
49-bp-cert-manager-powerdns-webhook.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
50-cluster-autoscaler.yaml fix(autoscaler): attach scale-up VMs to private network so they k3s-join (#1427) 2026-05-12 06:11:30 +04:00
51-bp-k8s-ws-proxy.yaml chore(bootstrap-kit): flush 13 pre-existing chart-pin drifts (Refs TBD-A6b) (#1716) 2026-05-18 19:03:58 +04:00
52-bp-guacamole.yaml deploy(bp-guacamole): bump bootstrap-kit pin 0.1.25 -> 0.1.26 (auto, Refs TBD-A6) 2026-05-18 22:20:35 +00:00
54-bp-dmz-vcluster.yaml fix(charts): resolve bp-dmz-vcluster duplicate-name pseudo-drift (Closes A6c) (#1771) 2026-05-18 20:31:41 +04:00
55-bp-hcloud-ccm.yaml feat(openova-flow-adapter-flux): synthetic phase/region nodes + contains edges (Agent #6) (#1400) 2026-05-11 17:00:26 +04:00
56-bp-openova-flow-server.yaml fix(httproutes): retarget guacamole-server + openova-flow-server to cilium-gateway in kube-system (Refs TBD-G6, C12-004) (#1692) 2026-05-18 16:38:17 +04:00
57-bp-openova-flow-emitter.yaml fix(bp-openova-flow-emitter slot 57): drop :8080 port (Service is :80) 2026-05-11 22:49:29 +02:00
58-bp-mgmt-vcluster.yaml fix(vcluster): canonical region label substitute + per-role enable flags (#1531) 2026-05-16 17:28:06 +04:00
59-bp-rtz-vcluster.yaml fix(vcluster): canonical region label substitute + per-role enable flags (#1531) 2026-05-16 17:28:06 +04:00
60-bp-vcluster-helmrepo.yaml fix(bootstrap-kit): install vcluster CRDs + controller on Sovereign (gates Org → vCluster spawn) (#1624) 2026-05-18 09:27:58 +04:00
80-newapi.yaml deploy(bp-newapi): bump bootstrap-kit pin -> 1.4.26 + blueprint.yaml lockstep (auto, Refs TBD-A6 + TBD-A20, retry 1) 2026-05-19 04:04:07 +00:00
kustomization.yaml fix(sandbox-controller): default-ON enabled gate so controller materialises on fresh prov (#1702) 2026-05-18 17:20:40 +04:00