cluster-platform-v3/Chart.yaml
pro-777 7e3280aa26 feat(slice 2B.3): chart Restore half — injectedWildcards conditional (0.5.7)
Add the chart-side machinery that lets Tower bypass the cert-manager
Certificate path on Reconnect by injecting a Vault-stashed wildcard
cert directly as a kubernetes.io/tls Secret.

values.yaml:
  certManager.injectedWildcards: []
    Each entry: { root, primary, crt, key }. Empty list = legacy ACME-only.

templates/tenants-wildcard-cert.yaml:
  Build $injectedRoots index from injectedWildcards[]; per-domain
  Certificate is skipped when its root has an injected entry.

templates/tenants-wildcard-secret.yaml (NEW):
  Per injected entry, render kubernetes.io/tls Secret using the same
  name the cert path would have produced (tenants-wildcard-tls primary,
  tenants-wildcard-<root-as-dashes>-tls non-primary). Sync-wave 2 to
  match the cert path's timing. Label odoosky.io/wildcard-source=
  vault-injected so harvester can skip them.

Verified via helm template + self-signed dummy cert:
  - Pure injection: 0 Certificate, 1 Secret (correct name + base64)
  - Pure ACME: 1 Certificate, 0 Secret (status quo)
  - Mixed (2 domains, 1 injected): 1 Certificate + 1 Secret

Inert without Tower wiring — existing clusters render identically to
0.5.6 because injectedWildcards defaults to []. Pushed first as the
foundation layer for the upcoming Tower restore + harvester slices.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 14:27:30 +03:00


apiVersion: v2
name: cluster-platform-v3
description: |
  Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed
  on every connected customer K8s cluster. Provides:
  - odoosky-system namespace (where Tower spawns build Jobs and
    stores cluster-private credentials sourced from OpenBao)
  - Local container registry (Distribution v2). In-cluster
    BuildKit Jobs push addon images here; the chart consumes
    them as image volumes. Sovereignty + GFW resistance: no
    cross-cluster image transfer.
  - cert-manager + Traefik (vendored via Helm dependencies)
    so the substrate that used to be installed by bootstrap.sh
    now lives in Git, deployed by Tower's per-cluster Argo
    Application. Customer's "Connect Server" terminal stops
    at "kubeconfig sent" — the slow ACME wait happens here in
    the background.
  - tenants Namespace + tenants-wildcard Certificate. Per-tenant
    via .Values.tenant.{domain,wildcardHost}; cert-manager's
    DNS-01 solver pulls the Cloudflare token from the
    `cloudflare-api-token` Secret Tower kubectl-applies into the
    cert-manager namespace at Connect time (secrets stay out of
    Git).
type: application
version: 0.5.7
appVersion: "0.5.7"
dependencies:
  - name: cert-manager
    version: "v1.16.1"
    repository: "https://charts.jetstack.io"
    condition: certManager.enabled
  - name: traefik
    version: "33.2.1"
    repository: "https://traefik.github.io/charts"
    condition: traefik.enabled
  # Longhorn — CSI block storage with snapshot + clone primitives.
  # See ADR 0003 (in odooskyv3 monorepo). Phase 1 declares the
  # dependency but the chart's default is `longhorn.enabled=false`,
  # so `helm dep update` skips it on render unless a per-cluster
  # Argo Application sets the flag.
  - name: longhorn
    version: "1.7.2"
    repository: "https://charts.longhorn.io"
    condition: longhorn.enabled
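The two template halves the commit message describes, written here as an added example rather than the chart's own files: the injected-Secret renderer and the Certificate skip share one name helper, so the Vault-injected Secret lands under exactly the secretName the ACME path would have produced (a mismatch would leave Traefik referencing a Secret that never appears). The `tenants` namespace, the `letsencrypt-dns01` ClusterIssuer, PEM-encoded `crt`/`key` values, and a single `.Values.tenant.domain` root (the real template iterates several domains) are assumptions not taken from the page.

```yaml
{{- /* tenants-wildcard-secret.yaml: one kubernetes.io/tls Secret per injected entry */ -}}
{{- define "cluster-platform-v3.wildcardSecretName" -}}
{{- if .primary -}}
tenants-wildcard-tls
{{- else -}}
tenants-wildcard-{{ .root | replace "." "-" }}-tls
{{- end -}}
{{- end -}}
{{- range .Values.certManager.injectedWildcards }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "cluster-platform-v3.wildcardSecretName" . }}
  namespace: tenants  # assumption: the namespace the Certificate path writes its Secret into
  labels:
    odoosky.io/wildcard-source: vault-injected  # lets the harvester skip injected Secrets
  annotations:
    argocd.argoproj.io/sync-wave: "2"  # same wave as the cert path, so consumers see no timing change
type: kubernetes.io/tls
data:
  # required: a half-filled entry fails `helm template` instead of shipping an empty Secret.
  # Assumes .crt/.key hold PEM; drop b64enc if Tower already stashes them base64-encoded.
  tls.crt: {{ required "injectedWildcards[].crt is required" .crt | b64enc }}
  tls.key: {{ required "injectedWildcards[].key is required" .key | b64enc }}
{{- end }}
{{- /* tenants-wildcard-cert.yaml (excerpt): index injected roots, skip the Certificate for them */ -}}
{{- $injectedRoots := dict -}}
{{- range .Values.certManager.injectedWildcards -}}
{{- $_ := set $injectedRoots (required "injectedWildcards[].root is required" .root) true -}}
{{- end -}}
{{- $root := .Values.tenant.domain -}}
{{- if not (hasKey $injectedRoots $root) }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenants-wildcard
  namespace: tenants
  annotations:
    argocd.argoproj.io/sync-wave: "2"
spec:
  secretName: {{ include "cluster-platform-v3.wildcardSecretName" (dict "root" $root "primary" true) }}
  dnsNames:
    - {{ .Values.tenant.wildcardHost | quote }}
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dns01  # assumption: the chart's real issuer name is not on the page
{{- end }}
```

With `injectedWildcards: []` the first range renders nothing and `hasKey` is false, so the output is the pre-0.5.7 Certificate only, which is the "existing clusters render identically" property the commit relies on.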