diff --git a/Chart.yaml b/Chart.yaml
index d4c0dfe..c2521d9 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -23,8 +23,8 @@ description: |
 Git).
 type: application
-version: 0.7.0
-appVersion: "0.7.0"
+version: 0.7.1
+appVersion: "0.7.1"
 dependencies:
 - name: cert-manager
diff --git a/templates/cloudflare-api-token-externalsecret.yaml b/templates/cloudflare-api-token-externalsecret.yaml
index 607d15e..f87f0f4 100644
--- a/templates/cloudflare-api-token-externalsecret.yaml
+++ b/templates/cloudflare-api-token-externalsecret.yaml
@@ -27,6 +27,9 @@ spec:
 remoteRef:
 key: tenants/{{ .Values.tenant.id }}/cloudflare-token
 property: api_token
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/templates/docker-mirror-pull-externalsecret.yaml b/templates/docker-mirror-pull-externalsecret.yaml
index 29d3694..97a8f3b 100644
--- a/templates/docker-mirror-pull-externalsecret.yaml
+++ b/templates/docker-mirror-pull-externalsecret.yaml
@@ -33,14 +33,23 @@ spec:
 remoteRef:
 key: platform/docker-mirror-pull
 property: registry
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 - secretKey: username
 remoteRef:
 key: platform/docker-mirror-pull
 property: username
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 - secretKey: password
 remoteRef:
 key: platform/docker-mirror-pull
 property: password
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/templates/gitea-archive-pull-externalsecret.yaml b/templates/gitea-archive-pull-externalsecret.yaml
index 5b262c3..32af786 100644
--- a/templates/gitea-archive-pull-externalsecret.yaml
+++ b/templates/gitea-archive-pull-externalsecret.yaml
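Review bot: The three `remoteRef` fields added in the cloudflare-api-token hunk carry no explanation, while the identical addition in templates/gitea-archive-pull-externalsecret.yaml explains that they restate the CRD defaults so ArgoCD's diff matches the live spec; the same applies to the docker-mirror-pull, longhorn-s3-creds and s3-backup-creds hunks. The reason is not recoverable from the values themselves, so either carry the comment to each template, e.g. `# CRD defaults stamped explicitly so ArgoCD's diff matches the live spec`, or factor the three lines plus the comment into a named helper template included at every `remoteRef`, so a future change to the ESO defaults is handled in one place instead of ten. If the ArgoCD Application for this chart is also under your control, an `ignoreDifferences` entry for these paths would be the alternative that leaves the templates untouched, though stamping them does keep the rendered spec self-describing. The enclosing `spec.data` list and the template conditionals start outside each of these hunks.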
@@ -33,5 +33,11 @@ spec:
 remoteRef:
 key: platform/gitea-archive-pull
 property: token
+ # CRD defaults stamped explicitly so ArgoCD's diff matches the
+ # live spec (otherwise the app sits in OutOfSync forever even
+ # though ESO is happily reconciling).
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 {{- end }}
 {{- end }}
diff --git a/templates/longhorn-s3-creds-externalsecret.yaml b/templates/longhorn-s3-creds-externalsecret.yaml
index ae1a2aa..d80a887 100644
--- a/templates/longhorn-s3-creds-externalsecret.yaml
+++ b/templates/longhorn-s3-creds-externalsecret.yaml
@@ -38,10 +38,16 @@ spec:
 remoteRef:
 key: tenants/{{ .Values.tenant.id }}/s3-credentials
 property: access_key
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 - secretKey: secret_key
 remoteRef:
 key: tenants/{{ .Values.tenant.id }}/s3-credentials
 property: secret_key
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/templates/longhorn.yaml b/templates/longhorn.yaml
index 1545d64..cd4fb21 100644
--- a/templates/longhorn.yaml
+++ b/templates/longhorn.yaml
@@ -1,17 +1,19 @@
 {{- if .Values.longhorn.enabled }}
-# Tenant data StorageClass. Tower's instance overlays don't pin a
-# storageClassName today (they let the cluster default decide). Phase
-# 1 of ADR 0003 just defines this class so Phase 2/3 can flip new
-# instances to bind here without further chart changes.
+# Tenant data StorageClass. Tower's instance overlays bind here in
+# Phase 6 (Tower stamps storageClassName=longhorn-tenants on new
+# instance PVCs). Existing instances on local-path stay where they
+# are — Longhorn additive, doesn't replace.
 #
 # `replicaCount` comes from values; Standalone tier ships replicas=1
-# (durability is hourly S3, not local mirrors).
+# (durability is hourly S3 backup, not local mirrors).
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
 name: longhorn-tenants
 annotations:
- # Not the cluster default in Phase 1 — explicit opt-in only.
+ # Not the cluster default — explicit opt-in only via Tower's
+ # PVC-stamp logic. (Two default storage classes is a k8s
+ # misconfig; k3s already provides local-path as default.)
 storageclass.kubernetes.io/is-default-class: "false"
 provisioner: driver.longhorn.io
 allowVolumeExpansion: true
@@ -25,8 +27,8 @@ parameters:
 fsType: "ext4"
 {{- end }}
 # NOTE: The CSI VolumeSnapshotClass (snapshot.storage.k8s.io/v1) lives
-# in Phase 3 of ADR 0003, alongside the Tower code that consumes it.
-# It depends on the external-snapshotter CRDs which Longhorn does not
-# ship — they're a separate install. Adding it here would fail the
-# initial sync on a fresh cluster. Phase 3 will land both together
-# (snapshotter CRDs + VolumeSnapshotClass + Tower VolumeClone path).
+# in Phase 3 of ADR 0003, alongside the Tower code that consumes it
+# AND the external-snapshotter CRDs (which Longhorn does not ship —
+# they're a separate install). Adding VolumeSnapshotClass here would
+# fail the initial sync. Phase 3 lands all three together: snapshotter
+# CRDs + controller + VolumeSnapshotClass + Tower VolumeClone path.
diff --git a/templates/s3-backup-creds-externalsecret.yaml b/templates/s3-backup-creds-externalsecret.yaml
index 242220e..f3a7fa9 100644
--- a/templates/s3-backup-creds-externalsecret.yaml
+++ b/templates/s3-backup-creds-externalsecret.yaml
@@ -34,10 +34,16 @@ spec:
 remoteRef:
 key: tenants/{{ .Values.tenant.id }}/s3-credentials
 property: access_key
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 - secretKey: secret_key
 remoteRef:
 key: tenants/{{ .Values.tenant.id }}/s3-credentials
 property: secret_key
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
 {{- end }}
 {{- end }}
 {{- end }}