9d9138231a
Refactor s3Resolver from a single-global-creds reader into a
tenant-scoped factory. Each tenant brings their own S3 endpoint,
region, three named buckets (backups + templates + audit), and
access keys (in Vault at v3/tenants/<id>/s3-credentials).
Touches:
s3.go — s3Resolver becomes factory; tenantS3 wraps
one minio.Client + bucket per tenant
audit.go — events grouped by tenantID per flush, written
to the tenant's audit bucket
backups.go — fleet view fans out one S3 LIST per tenant;
per-instance handlers resolve via Argo App
export/import/migrate — tenant resolved from Argo App label
or scope.TenantID
templates_* — per-template tenant lookup via templateTenantID
(platform tenant for OwnerPlatform manifests)
vitals.go — last-backup probe pulls tenantID before list
Adds AllTenants() to PlatformStore so the templates orphan sweep
can iterate every tenant configured with a templates bucket.
Build: tower:0.61.1 — pushed to registry.odoosky.cloud
72 lines
2.0 KiB
YAML
72 lines
2.0 KiB
YAML
# admin-platform-v3 — Tower platform default values.
|
|
|
|
backend:
|
|
enabled: true
|
|
image:
|
|
# Tower images live alongside the Docker Hub mirror on
|
|
# gitlab.odoosky.cloud — separate path, same registry. Pulled with
|
|
# the docker-mirror-pull deploy token (read-only registry scope),
|
|
# so every cluster that runs Tower needs the same imagePullSecret
|
|
# provisioned out-of-band (until cluster-platform-v3 owns it).
|
|
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
|
|
tag: "0.61.1"
|
|
pullPolicy: IfNotPresent
|
|
imagePullSecrets:
|
|
- name: docker-mirror-pull
|
|
replicas: 1
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 64Mi
|
|
limits:
|
|
cpu: "1"
|
|
memory: 256Mi
|
|
persistence:
|
|
enabled: true
|
|
size: 1Gi
|
|
|
|
frontend:
|
|
enabled: true
|
|
image:
|
|
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower-ui
|
|
tag: "0.61.6"
|
|
pullPolicy: IfNotPresent
|
|
imagePullSecrets:
|
|
- name: docker-mirror-pull
|
|
replicas: 1
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 16Mi
|
|
limits:
|
|
cpu: 250m
|
|
memory: 64Mi
|
|
|
|
# Tower needs to talk to:
|
|
# - Gitea (create tenant repos, commit values.yaml)
|
|
# - ArgoCD (apply Application manifests)
|
|
#
|
|
# The credentials live in a K8s Secret in the same namespace, populated
|
|
# from the ExistingSecret pattern (so they aren't checked into Git).
|
|
# In Step 5+ we replace this with External Secrets sourcing from
|
|
# OpenBao at vault.odoosky.org.
|
|
config:
|
|
giteaURL: https://git.odoosky.org
|
|
giteaOrg: odoo-tower
|
|
chartRepo: instance-template-v3
|
|
argoCDURL: https://argocd.odoosky.org
|
|
argoCDUsername: admin
|
|
argoCDDestination: https://kubernetes.default.svc
|
|
argoCDProject: default
|
|
argoCDNamespace: argocd
|
|
tenantNamespace: tenants
|
|
# The Secret name (in the same namespace as Tower) that holds
|
|
# GITEA_TOKEN and ARGOCD_PASSWORD keys. Created out-of-band before
|
|
# this chart is applied.
|
|
existingSecret: tower-credentials
|
|
|
|
ingress:
|
|
domain: tower.odoosky.org
|
|
certIssuer: letsencrypt-prod
|
|
entryPoint: websecure
|