28f15c92f3
3 bugs caught while smoke-testing the multi-tenant signup → first
deploy flow:
1. /api/me returned capabilities: null when scope.role was nil
(a tenant member viewing the platform tenant context). Frontend's
useAuth.can() does for-of on the array → TypeError. Fix: backend
returns []string{} not nil; frontend defends against null.
2. WelcomeView slug input pattern '[a-z][a-z0-9-]{2,39}' is rejected
by Firefox's HTML5 form validation under the v-flag (treats trailing
'-' as a class-range start). Move hyphen to start of the class.
3. Domain & DNS Save button is genuinely separate from the Cloudflare
token Save (by design — token rotates independently). Documenting
here so the next person doesn't think they saved when they didn't.
72 lines
2.0 KiB
YAML
72 lines
2.0 KiB
YAML
# admin-platform-v3 — Tower platform default values.
|
|
|
|
backend:
|
|
enabled: true
|
|
image:
|
|
# Tower images live alongside the Docker Hub mirror on
|
|
# gitlab.odoosky.cloud — separate path, same registry. Pulled with
|
|
# the docker-mirror-pull deploy token (read-only registry scope),
|
|
# so every cluster that runs Tower needs the same imagePullSecret
|
|
# provisioned out-of-band (until cluster-platform-v3 owns it).
|
|
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
|
|
tag: "0.61.2"
|
|
pullPolicy: IfNotPresent
|
|
imagePullSecrets:
|
|
- name: docker-mirror-pull
|
|
replicas: 1
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 64Mi
|
|
limits:
|
|
cpu: "1"
|
|
memory: 256Mi
|
|
persistence:
|
|
enabled: true
|
|
size: 1Gi
|
|
|
|
frontend:
|
|
enabled: true
|
|
image:
|
|
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower-ui
|
|
tag: "0.61.7"
|
|
pullPolicy: IfNotPresent
|
|
imagePullSecrets:
|
|
- name: docker-mirror-pull
|
|
replicas: 1
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 16Mi
|
|
limits:
|
|
cpu: 250m
|
|
memory: 64Mi
|
|
|
|
# Tower needs to talk to:
|
|
# - Gitea (create tenant repos, commit values.yaml)
|
|
# - ArgoCD (apply Application manifests)
|
|
#
|
|
# The credentials live in a K8s Secret in the same namespace, populated
|
|
# from the ExistingSecret pattern (so they aren't checked into Git).
|
|
# In Step 5+ we replace this with External Secrets sourcing from
|
|
# OpenBao at vault.odoosky.org.
|
|
config:
|
|
giteaURL: https://git.odoosky.org
|
|
giteaOrg: odoo-tower
|
|
chartRepo: instance-template-v3
|
|
argoCDURL: https://argocd.odoosky.org
|
|
argoCDUsername: admin
|
|
argoCDDestination: https://kubernetes.default.svc
|
|
argoCDProject: default
|
|
argoCDNamespace: argocd
|
|
tenantNamespace: tenants
|
|
# The Secret name (in the same namespace as Tower) that holds
|
|
# GITEA_TOKEN and ARGOCD_PASSWORD keys. Created out-of-band before
|
|
# this chart is applied.
|
|
existingSecret: tower-credentials
|
|
|
|
ingress:
|
|
domain: tower.odoosky.org
|
|
certIssuer: letsencrypt-prod
|
|
entryPoint: websecure
|