cluster-platform-v3/Chart.yaml
OdooSky v3 52a157f187 fix(eso): chart 0.6.2 - revert fullnameOverride; use templated SA in ClusterSecretStore
Chart 0.6.1's fullnameOverride attempted to give ESO resources stable
names (just 'external-secrets' instead of '<release>-external-secrets')
but ArgoCD couldn't fully drain the prefixed resources from 0.6.0,
leaving sync stuck. Reverting: keep the subchart's default release-
prefixed naming, template the SA reference in ClusterSecretStore via
{{ .Release.Name }}-external-secrets so it resolves correctly per
cluster.
2026-05-07 21:01:38 +03:00


apiVersion: v2
name: cluster-platform-v3
description: |
  Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed
  on every connected customer K8s cluster. Provides:
  - odoosky-system namespace (where Tower spawns build Jobs and
    stores cluster-private credentials sourced from OpenBao)
  - Local container registry (Distribution v2). In-cluster
    BuildKit Jobs push addon images here; the chart consumes
    them as image volumes. Sovereignty + GFW resistance: no
    cross-cluster image transfer.
  - cert-manager + Traefik (vendored via Helm dependencies)
    so the substrate that used to be installed by bootstrap.sh
    now lives in Git, deployed by Tower's per-cluster Argo
    Application. Customer's "Connect Server" terminal stops
    at "kubeconfig sent" — the slow ACME wait happens here in
    the background.
  - tenants Namespace + tenants-wildcard Certificate. Per-tenant
    via .Values.tenant.{domain,wildcardHost}; cert-manager's
    DNS-01 solver pulls the Cloudflare token from the
    `cloudflare-api-token` Secret Tower kubectl-applies into the
    cert-manager namespace at Connect time (secrets stay out of
    Git).
type: application
version: 0.6.2
appVersion: "0.6.2"
dependencies:
  - name: cert-manager
    version: "v1.16.1"
    repository: "https://charts.jetstack.io"
    condition: certManager.enabled
  - name: traefik
    version: "33.2.1"
    repository: "https://traefik.github.io/charts"
    condition: traefik.enabled
  # Longhorn — CSI block storage with snapshot + clone primitives.
  # See ADR 0003 (in odooskyv3 monorepo). Phase 1 declares the
  # dependency but the chart's default is `longhorn.enabled=false`,
  # so `helm dep update` skips it on render unless a per-cluster
  # Argo Application sets the flag.
  - name: longhorn
    version: "1.7.2"
    repository: "https://charts.longhorn.io"
    condition: longhorn.enabled
  # External Secrets Operator — declarative Secret delivery from
  # OpenBao. Replaces Tower's imperative kubectl-stamp pattern for
  # gitea-archive-pull (Phase 1 pilot, 2026-05-07). The other 4
  # Tower-stamped Secrets remain on the legacy path until a planned
  # follow-up sprint (Item #9 in v3 open queue).
  - name: external-secrets
    version: "0.10.7"
    repository: "https://charts.external-secrets.io"
    condition: externalSecrets.enabled
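The commit message above fixes the ClusterSecretStore by pointing its ServiceAccount reference at `{{ .Release.Name }}-external-secrets`, i.e. the name the subchart gives its controller SA under default (release-prefixed) naming. The script below is an added example, not code from the cluster-platform-v3 chart or from External Secrets Operator: it models the standard Helm scaffold `fullname` helper (`fullnameOverride`, else `nameOverride`/`Chart.Name` joined to the release name, truncated to 63 characters with one trailing dash trimmed) and assumes the external-secrets subchart names its ServiceAccount that way. It then checks whether the templated reference lands on the SA that would actually be created, including two cases where it does not: a `fullnameOverride` left in place (the 0.6.1 shape) and a release whose name already contains the chart name, which the helper collapses to the bare release name. The rendered ClusterSecretStore uses the Vault provider's Kubernetes auth layout, which OpenBao is API-compatible with; the server URL, namespace, role and store name are constructed sample values, and the chart's real store manifest is not shown on this page.

```python
"""Does `{{ .Release.Name }}-external-secrets` resolve to the subchart's SA?

Added example (not the chart's or ESO's code). Assumes the external-secrets
subchart names its controller ServiceAccount with the standard Helm
scaffold `fullname` helper. Release names and store values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

CHART_NAME = "external-secrets"


def _trunc63(s: str) -> str:
    # Helm: `trunc 63 | trimSuffix "-"` (trimSuffix removes one trailing dash).
    s = s[:63]
    return s[:-1] if s.endswith("-") else s


def helm_fullname(release: str, values: Optional[dict] = None,
                  chart: str = CHART_NAME) -> str:
    """Standard `<chart>.fullname` helper as emitted by `helm create`."""
    values = values or {}
    if values.get("fullnameOverride"):
        return _trunc63(values["fullnameOverride"])
    name = values.get("nameOverride") or chart
    if name in release:  # `contains $name .Release.Name` -> bare release name
        return _trunc63(release)
    return _trunc63(f"{release}-{name}")


def templated_sa_ref(release: str) -> str:
    """What `{{ .Release.Name }}-external-secrets` renders to (no truncation)."""
    return f"{release}-{CHART_NAME}"


@dataclass
class RefCheck:
    release: str
    sa_name: str  # ServiceAccount the subchart would create
    sa_ref: str   # name the ClusterSecretStore points at

    @property
    def resolves(self) -> bool:
        return self.sa_name == self.sa_ref


def check_store_ref(release: str, subchart_values: Optional[dict] = None) -> RefCheck:
    """Compare the subchart's SA name against the templated store reference."""
    return RefCheck(release, helm_fullname(release, subchart_values),
                    templated_sa_ref(release))


def render_cluster_secret_store(release: str, namespace: str = "external-secrets",
                                server: str = "https://openbao.example.internal") -> str:
    """Rendered store with Vault-style Kubernetes auth (assumed layout,
    constructed values) referencing the release-prefixed ServiceAccount."""
    return f"""apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: openbao
spec:
  provider:
    vault:
      server: {server}
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets
          serviceAccountRef:
            name: {templated_sa_ref(release)}
            namespace: {namespace}
"""


if __name__ == "__main__":
    cases = [
        ("platform", None),                                # 0.6.2: default naming
        ("platform", {"fullnameOverride": CHART_NAME}),    # 0.6.1-style override
        ("external-secrets", None),                        # release name contains chart name
        ("r" * 50, None),                                  # 63-char truncation bites
    ]
    for rel, vals in cases:
        c = check_store_ref(rel, vals)
        print(f"release={rel[:20]!r:24} sa={c.sa_name[:30]:32} "
              f"ref={c.sa_ref[:30]:32} resolves={c.resolves}")
    print(render_cluster_secret_store("platform"))
```

The two failing cases are the ones to keep in mind when templating a cross-namespace reference this way: a leftover `fullnameOverride` on the subchart silently breaks the store's auth, and so does any release name that contains `external-secrets` or is long enough that the helper truncates the SA name while the template string does not. A quick `helm template` of the chart, grepping the `ServiceAccount` name against the `serviceAccountRef`, catches both before Argo syncs.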