apiVersion: v2
name: cluster-platform-v3
description: |
  Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed on
  every connected customer K8s cluster. Provides:
    - odoosky-system namespace (where Tower spawns build Jobs and stores
      cluster-private credentials sourced from OpenBao)
    - Local container registry (Distribution v2). In-cluster BuildKit Jobs
      push addon images here; the chart consumes them as image volumes.
      Sovereignty + GFW resistance: no cross-cluster image transfer.
    - cert-manager + Traefik (vendored via Helm dependencies) so the
      substrate that used to be installed by bootstrap.sh now lives in
      Git, deployed by Tower's per-cluster Argo Application. Customer's
      "Connect Server" terminal stops at "kubeconfig sent" — the slow
      ACME wait happens here in the background.
    - tenants Namespace + tenants-wildcard Certificate. Per-tenant via
      .Values.tenant.{domain,wildcardHost}; cert-manager's DNS-01 solver
      pulls the Cloudflare token from the `cloudflare-api-token` Secret
      Tower kubectl-applies into the cert-manager namespace at Connect
      time (secrets stay out of Git).
type: application
version: 0.4.0
appVersion: "0.4.0"
dependencies:
  - name: cert-manager
    version: "v1.16.1"
    repository: "https://charts.jetstack.io"
    condition: certManager.enabled
  - name: traefik
    version: "33.2.1"
    repository: "https://traefik.github.io/charts"
    condition: traefik.enabled
  # Longhorn — CSI block storage with snapshot + clone primitives.
  # See ADR 0003 (in odooskyv3 monorepo). Phase 1 declares the
  # dependency but the chart's default is `longhorn.enabled=false`,
  # so `helm dep update` skips it on render unless a per-cluster
  # Argo Application sets the flag.
  - name: longhorn
    version: "1.7.2"
    repository: "https://charts.longhorn.io"
    condition: longhorn.enabled