0.2.0 — vendor cert-manager + traefik; parameterized substrate

bootstrap.sh-equivalent K8s manifests now ship as part of this chart instead of being installed inline by the customer's `curl … | sudo bash`. Result: customer terminal time drops from ~5 min to ~1 min once Tower's SubmitConnect (B2) creates the per-cluster Argo Application that points here. What's vendored: - cert-manager v1.16.1 (helm dep, charts/cert-manager-v1.16.1.tgz) - traefik 33.2.1 (helm dep, charts/traefik-33.2.1.tgz) What's parameterized via .Values.tenant.{domain,wildcardHost}: - letsencrypt-prod ClusterIssuer (DNS-01 + tenant's Cloudflare zone) - tenants Namespace - tenants-wildcard Certificate (commonName + dnsNames from helm.values) What stays out of Git (Tower kubectl-applies via kubeconfig at Connect time, sourced from the tenant's Vault paths): - cloudflare-api-token Secret (cert-manager ns) - s3-backup-creds Secret (tenants ns) The chart references both Secrets by name only. Argo health roll-up: a tenant server is "Ready" when this Application's Health is `Healthy` and the tenants-wildcard Certificate's Ready condition is True. Tower's Server card UI will surface this as "Provisioning…" → "Ready" in B4. Lint + template clean with a real tenant value set; clean with empty values too (templates skip themselves so a default-rendered chart doesn't fail without a tenant).
2026-04-29 15:09:33 +03:00
parent 0c17429d4c
commit eccb648276
7 changed files with 152 additions and 2 deletions
--- a/values.yaml
+++ b/values.yaml
@@ -5,6 +5,55 @@

 namespace: odoosky-system

+# tenant — per-tenant identity injected by Tower as helm.values on
+# the per-cluster Argo Application. Empty defaults are safe to lint
+# but a real deploy MUST set domain + wildcardHost (the Certificate
+# template fails with `required` on an empty value).
+tenant:
+  # Domain the Cloudflare zone covers, e.g. "acme-erp.com".
+  domain: ""
+  # Wildcard hostname the cluster-wide tenants-wildcard cert covers,
+  # e.g. "*.tenants.acme-erp.com". Every tenant instance Ingress
+  # references the resulting Secret (`tenants-wildcard-tls` in the
+  # `tenants` namespace) by name.
+  wildcardHost: ""
+
+# acme — Let's Encrypt registration. Operator email is per-platform,
+# not per-tenant.
+acme:
+  email: m@havari.me
+  server: https://acme-v02.api.letsencrypt.org/directory
+
+# certManager — the upstream jetstack chart, pinned at v1.16.1 by
+# Chart.yaml's dependency. We turn on CRDs + force the namespace so
+# the ClusterIssuer template below can reference solver Secrets in
+# `cert-manager` ns.
+certManager:
+  enabled: true
+  installCRDs: true
+
+# traefik — upstream chart. LoadBalancer Service so the customer's
+# k3s servicelb maps :80/:443 to the host. Tower currently doesn't
+# rely on Traefik's IngressRoute features here; instances are on
+# their own per-tenant Traefik later. This Traefik gives the cluster
+# a default ingress for the registry + future platform endpoints.
+traefik:
+  enabled: true
+  service:
+    type: LoadBalancer
+
+# secrets — Tower applies these out-of-band via the registered
+# kubeconfig at Connect time (B2). The chart references them by
+# name only; values never enter Git.
+secrets:
+  cloudflareTokenSecret:
+    namespace: cert-manager
+    name: cloudflare-api-token
+    key: api-token
+  s3CredentialsSecret:
+    namespace: tenants
+    name: s3-backup-creds
+
 registry:
  enabled: true
  image: