odoo-tower/cluster-platform-v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
07c6a9e8640e28303aab01d350ad8edd67131abd
cluster-platform-v3/Chart.yaml
OdooSky v3 6aafa20d36 fix(platform): explicit keda.crds.install + keda-add-ons-http.crds.install — auto-bootstrap CRDs on every server 
Without this, KEDA crashloops on fresh servers because the parent-subchart values merge resolves crds.install=false despite the subcharts default of true. Manual remediation was kubectl apply --server-side -f keda-crds.yaml. Codified now so any client onboarding works first try.

Repro: havari-server03 onboarding 2026-05-10 stalled at OutOfSync until manual CRD apply.
2026-05-10 09:11:44 +02:00

96 lines
4.5 KiB
YAML
Raw Blame History

apiVersion: v2
name: cluster-platform-v3
description: |
Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed
on every connected customer K8s cluster. Provides:
- odoosky-system namespace (where Tower spawns build Jobs and
stores cluster-private credentials sourced from OpenBao)
- Local container registry (Distribution v2). In-cluster
BuildKit Jobs push addon images here; the chart consumes
them as image volumes. Sovereignty + GFW resistance: no
cross-cluster image transfer.
- cert-manager + Traefik (vendored via Helm dependencies)
so the substrate that used to be installed by bootstrap.sh
now lives in Git, deployed by Tower's per-cluster Argo
Application. Customer's "Connect Server" terminal stops
at "kubeconfig sent" — the slow ACME wait happens here in
the background.
- tenants Namespace + tenants-wildcard Certificate. Per-tenant
via .Values.tenant.{domain,wildcardHost}; cert-manager's
DNS-01 solver pulls the Cloudflare token from the
`cloudflare-api-token` Secret Tower kubectl-applies into the
cert-manager namespace at Connect time (secrets stay out of
Git).
type: application
version: 0.7.5
appVersion: "0.7.5"
# All 6 subcharts now resolve from registry.odoosky.cloud (mirrored
# 2026-05-08, KEDA stack added 2026-05-09). Mirror-first discipline
# + China-region readiness: a Jetstack / Traefik / Longhorn /
# external-secrets-io / KEDA outage no longer blocks new tenant
# cluster bootstrap.
#
# Original upstream sources (for re-sync if a chart bumps):
# cert-manager → https://charts.jetstack.io
# traefik → https://traefik.github.io/charts
# longhorn → https://charts.longhorn.io
# external-secrets → https://charts.external-secrets.io
# keda → https://kedacore.github.io/charts
# keda-add-ons-http→ https://kedacore.github.io/charts
#
# Re-sync recipe: `helm pull <chart> --repo <upstream> --version <v>`
# then `helm push <tgz> oci://registry.odoosky.cloud/odoosky/docker-mirror/charts`.
dependencies:
- name: cert-manager
version: "v1.16.1"
repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
condition: certManager.enabled
- name: traefik
version: "33.2.1"
repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
condition: traefik.enabled
# Longhorn — CSI block storage with snapshot + clone primitives.
# See ADR 0003 (in odooskyv3 monorepo). Phase 1 declares the
# dependency but the chart's default is `longhorn.enabled=false`,
# so `helm dep update` skips it on render unless a per-cluster
# Argo Application sets the flag.
- name: longhorn
version: "1.7.2"
repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
condition: longhorn.enabled
# External Secrets Operator — declarative Secret delivery from
# OpenBao. Replaces Tower's imperative kubectl-stamp pattern for
# the 5 substrate Secrets (Item #9, all phases shipped 2026-05-07).
- name: external-secrets
version: "0.10.7"
repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
condition: externalSecrets.enabled
# KEDA core — event-driven autoscaler. Owns the ScaledObject CRD
# and the metrics-server adapter that K8s' HPA reads from. Required
# by KEDA HTTP add-on below; declared here so the install order is
# correct (sync-wave 0 default; HTTP add-on at wave 1).
#
# Currently consumed by AI Studio (per-instance OpenCode pods that
# scale 0↔1 on URL hit, see studio-template-v3). Enabled by default
# because Studio is opt-in per-instance — clusters without any
# Studio pay only for the KEDA control plane (~50 MB RAM).
- name: keda
version: "2.15.1"
repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
condition: keda.enabled
# KEDA HTTP add-on — separate component that owns the
# HTTPScaledObject CRD + the interceptor-proxy. Traefik routes
# public traffic to the interceptor (in keda namespace), which
# holds the request while it scales the target Deployment 0→1,
# then forwards. After scaledownPeriod of no traffic, scales 1→0.
#
# AI Studio is the only current consumer; the add-on is harmless
# idle (interceptor is just a small Go service). Studio chart
# creates one HTTPScaledObject per (tenant, instance).
- name: keda-add-ons-http
version: "0.8.0"
repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
condition: kedaHttpAddon.enabled
Reference in New Issue View Git Blame Copy Permalink