From a1dbe14c205c755fb25c3af4383a5a889589f8c9 Mon Sep 17 00:00:00 2001
From: Tower Deploy
Date: Mon, 27 Apr 2026 00:47:07 +0300
Subject: [PATCH] Initial chart: odoosky-system namespace + local container registry (Distribution v2)
---
Chart.yaml | 14 ++++++
templates/namespace.yaml | 7 +++
templates/registry.yaml | 92 ++++++++++++++++++++++++++++++++++++++++
values.yaml | 36 ++++++++++++++++
4 files changed, 149 insertions(+)
create mode 100644 Chart.yaml
create mode 100644 templates/namespace.yaml
create mode 100644 templates/registry.yaml
create mode 100644 values.yaml
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 0000000..2f5ccef
--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: cluster-platform-v3
+description: |
+ Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed
+ on every connected customer K8s cluster. Provides:
+ - odoosky-system namespace (where Tower spawns build Jobs and
+ stores cluster-private credentials sourced from OpenBao)
+ - Local container registry (Distribution v2). In-cluster
+ BuildKit Jobs push addon images here; the chart consumes
+ them as image volumes. Sovereignty + GFW resistance: no
+ cross-cluster image transfer.
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
diff --git a/templates/namespace.yaml b/templates/namespace.yaml
new file mode 100644
index 0000000..cf200b1
--- /dev/null
+++ b/templates/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Values.namespace }}
+ labels:
+ odoosky.io/component: platform
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
diff --git a/templates/registry.yaml b/templates/registry.yaml
new file mode 100644
index 0000000..676b6f8
--- /dev/null
+++ b/templates/registry.yaml
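Review bot: The Namespace in templates/namespace.yaml carries no Pod Security Admission labels, although the chart description says this namespace runs build Jobs and stores cluster-private credentials. Adding `pod-security.kubernetes.io/enforce: baseline` under `labels:` (with `warn` and `audit` at `restricted`) would keep privileged or host-mounting pods out of it; whether the BuildKit Jobs fit `baseline` is not visible in this patch and needs checking. The name is also rendered unquoted, and `name: {{ .Values.namespace | quote }}` avoids a retyped scalar if an overlay supplies an unusual value.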
@@ -0,0 +1,92 @@
+{{- if .Values.registry.enabled -}}
+# Local container registry. Single replica — addon images are
+# rebuildable from Gitea source, so we trade HA for simplicity.
+# A node failure means a brief gap in image availability that
+# Tower's ensureAddonImage can recover from on the next pull.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: registry
+ namespace: {{ .Values.namespace }}
+ labels:
+ odoosky.io/component: registry
+spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: {{ .Values.registry.persistence.size | quote }}
+ {{- with .Values.registry.persistence.storageClass }}
+ storageClassName: {{ . | quote }}
+ {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry
+ namespace: {{ .Values.namespace }}
+ labels:
+ odoosky.io/component: registry
+spec:
+ replicas: 1
+ # Recreate (not RollingUpdate): the PVC is RWO, so two registry
+ # pods overlapping would block on the volume mount.
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ odoosky.io/component: registry
+ template:
+ metadata:
+ labels:
+ odoosky.io/component: registry
+ spec:
+ containers:
+ - name: registry
+ image: "{{ .Values.registry.image.repository }}:{{ .Values.registry.image.tag }}"
+ imagePullPolicy: {{ .Values.registry.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 5000
+ env:
+ # Allow image deletes via the API (Tower may garbage-collect
+ # unused addon-versions later).
+ - name: REGISTRY_STORAGE_DELETE_ENABLED
+ value: "true"
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/registry
+ resources:
+ {{- toYaml .Values.registry.resources | nindent 12 }}
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 5000
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 5000
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: registry
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry
+ namespace: {{ .Values.namespace }}
+ labels:
+ odoosky.io/component: registry
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: {{ .Values.registry.service.port }}
+ targetPort: 5000
+ selector:
+ odoosky.io/component: registry
+{{- end }}
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 0000000..8014079
--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,36 @@
+# cluster-platform-v3 — defaults.
+#
+# Most knobs you'd flip live here so customer-cluster overlays can
+# tune sizing without forking the chart.
+
+namespace: odoosky-system
+
+registry:
+ enabled: true
+ image:
+ repository: registry
+ tag: "2.8"
+ pullPolicy: IfNotPresent
+ # ClusterIP service hostname:
+ # registry.odoosky-system.svc.cluster.local:5000
+ # Used internally by build Jobs (push) and the Odoo Deployment's
+ # image volumes (pull). Plain HTTP — the registry never sees
+ # off-cluster traffic; node-side k3s registries.yaml whitelists
+ # the hostname for HTTP image pulls.
+ service:
+ port: 5000
+ # Storage. The registry survives node restarts but is recreatable —
+ # if the PVC is wiped, Tower's ensureAddonImage will rebuild any
+ # missing images from Gitea source on demand. So we don't need a
+ # large or replicated PV here.
+ persistence:
+ enabled: true
+ size: 10Gi
+ storageClass: "" # "" = use the cluster's default; on k3s that's local-path
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
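Review bot: In templates/registry.yaml the registry is exposed on the ClusterIP Service with no authentication while `REGISTRY_STORAGE_DELETE_ENABLED` is `"true"`, so any workload that can reach the Service can push, overwrite or delete the addon images that are later mounted as image volumes. Nothing in the template narrows who can connect: there is no NetworkPolicy and no `REGISTRY_AUTH` setting, and the values comment says the transport is plain HTTP. Consider enabling the registry's htpasswd auth from a Secret (`REGISTRY_AUTH: htpasswd` plus the realm and path variables), or at minimum an ingress NetworkPolicy scoped to the build Jobs and the node pull path, and have consumers reference images by digest so a replaced tag is noticed. The container also sets no `securityContext`; `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would be a reasonable baseline, assuming the image and the volume ownership permit a non-root UID.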
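Review bot: In values.yaml the registry image is given as `repository: registry` with the floating tag `"2.8"` and `pullPolicy: IfNotPresent`, so what runs depends on each node's default registry resolution and on whatever that tag points to when the node first pulls it. Because this pod serves every addon image in the cluster, a fully qualified repository and a digest pin are worth an extra values key; templates/registry.yaml currently renders only `repository:tag`, so it would need an optional digest form. Separately, `persistence.enabled: true` is never read by templates/registry.yaml, which renders the PVC whenever `registry.enabled` is set, so setting it to `false` silently does nothing; either gate the PVC on it with an `emptyDir` fallback or drop the key.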