cluster-platform-v3/Chart.yaml
OdooSky v3 d602063448 chart 0.7.3 — slug-suffix per-tenant ClusterIssuer (qsoft2 SSL fix)
cluster-issuer.yaml: name → letsencrypt-prod-{{ tenant.slug }}, hard-pin
apiTokenSecretRef.name to cloudflare-api-token-{{ tenant.slug }} so it
matches the ESO-created Secret. ACME account key also slug-suffixed
for tenant isolation. Pre-0.7.3 the unsuffixed letsencrypt-prod
mismatched what instance.go:504 stamps into per-instance Certificates
(letsencrypt-prod-<slug>), so cert-manager logged 'Referenced
ClusterIssuer not found' and erp2 served Traefik default cert forever.

tenants-wildcard-cert.yaml: issuerRef.name → letsencrypt-prod-{{ $.Values.tenant.slug }}
to match the renamed ClusterIssuer.

values.yaml: secrets.cloudflareTokenSecret block deprecated (the chart
no longer reads it; kept for back-compat with external overrides).

Diagnosed in the qsoft2 migrate test 2026-05-09.
2026-05-09 21:30:36 +03:00
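The naming contract the commit describes, rendered for the tenant slug `qsoft2` (the cluster named in the message). This is an added example, not the chart's own `cluster-issuer.yaml` or `tenants-wildcard-cert.yaml`; the ClusterSecretStore name `openbao`, the OpenBao key path, the ACME account-key Secret name, the contact e-mail and the wildcard host are assumptions chosen for illustration. The point is that every link in the chain carries the slug: ExternalSecret target → `apiTokenSecretRef.name`, ClusterIssuer name → Certificate `issuerRef.name`.

```yaml
# Added example (not from the page's chart). Rendered for tenant slug "qsoft2".
# Assumed: ClusterSecretStore "openbao", key path kv/tenants/qsoft2/cloudflare,
# account-key Secret name, e-mail and wildcard host are illustrative.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-api-token-qsoft2
  namespace: cert-manager            # ClusterIssuer Secrets are looked up here
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao                    # assumed store name
  target:
    name: cloudflare-api-token-qsoft2   # the Secret the ClusterIssuer pins below
  data:
    - secretKey: api-token
      remoteRef:
        key: kv/tenants/qsoft2/cloudflare   # assumed OpenBao path
        property: api-token
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-qsoft2      # was "letsencrypt-prod" before 0.7.3
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.invalid       # assumed
    privateKeySecretRef:
      name: letsencrypt-prod-account-key-qsoft2   # ACME account key, per tenant
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token-qsoft2   # must equal the ESO target above
              key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenants-wildcard
  namespace: tenants
spec:
  secretName: tenants-wildcard-tls
  dnsNames:
    - "*.qsoft2.example.invalid"     # assumed wildcardHost
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod-qsoft2    # same string instance.go stamps per instance
```

Two caveats worth keeping in mind when checking a cluster: a ClusterIssuer resolves `apiTokenSecretRef` and `privateKeySecretRef` only in cert-manager's cluster-resource namespace (`cert-manager` by default), so the ExternalSecret must target that namespace; and a dangling `issuerRef` does not fail loudly at apply time, it shows up as the `Referenced ClusterIssuer not found` event on `kubectl -n tenants describe certificate tenants-wildcard` while Traefik keeps serving its default certificate, which is exactly the pre-0.7.3 symptom on erp2.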


apiVersion: v2
name: cluster-platform-v3
description: |
  Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed
  on every connected customer K8s cluster. Provides:
  - odoosky-system namespace (where Tower spawns build Jobs and
    stores cluster-private credentials sourced from OpenBao)
  - Local container registry (Distribution v2). In-cluster
    BuildKit Jobs push addon images here; the chart consumes
    them as image volumes. Sovereignty + GFW resistance: no
    cross-cluster image transfer.
  - cert-manager + Traefik (vendored via Helm dependencies)
    so the substrate that used to be installed by bootstrap.sh
    now lives in Git, deployed by Tower's per-cluster Argo
    Application. Customer's "Connect Server" terminal stops
    at "kubeconfig sent"; the slow ACME wait happens here in
    the background.
  - tenants Namespace + tenants-wildcard Certificate. Per-tenant
    via .Values.tenant.{slug,domain,wildcardHost}. The Certificate's
    issuerRef is letsencrypt-prod-<slug>, the per-tenant ClusterIssuer,
    whose DNS-01 solver reads the Cloudflare token from the
    `cloudflare-api-token-<slug>` Secret that External Secrets
    delivers from OpenBao into the cert-manager namespace (pre-0.7.3
    Tower kubectl-applied an unsuffixed `cloudflare-api-token` there
    at Connect time; either way, secrets stay out of Git).
type: application
version: 0.7.3
appVersion: "0.7.3"
# All 4 subcharts now resolve from registry.odoosky.cloud (mirrored
# 2026-05-08). Mirror-first discipline + China-region readiness: a
# Jetstack / Traefik / Longhorn / external-secrets-io outage no longer
# blocks new tenant cluster bootstrap.
#
# Original upstream sources (for re-sync if a chart bumps):
#   cert-manager     → https://charts.jetstack.io
#   traefik          → https://traefik.github.io/charts
#   longhorn         → https://charts.longhorn.io
#   external-secrets → https://charts.external-secrets.io
#
# Re-sync recipe: `helm pull <chart> --repo <upstream> --version <v>`
# then `helm push <tgz> oci://registry.odoosky.cloud/odoosky/docker-mirror/charts`.
dependencies:
  - name: cert-manager
    version: "v1.16.1"
    repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
    condition: certManager.enabled
  - name: traefik
    version: "33.2.1"
    repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
    condition: traefik.enabled
  # Longhorn: CSI block storage with snapshot + clone primitives.
  # See ADR 0003 (in odooskyv3 monorepo). Phase 1 declares the
  # dependency but the chart's default is `longhorn.enabled=false`,
  # so Helm skips rendering/installing it unless a per-cluster Argo
  # Application sets the flag. Note that `condition` only gates render:
  # `helm dep update` still pulls the archive from the mirror.
  - name: longhorn
    version: "1.7.2"
    repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
    condition: longhorn.enabled
  # External Secrets Operator: declarative Secret delivery from
  # OpenBao. Replaces Tower's imperative kubectl-stamp pattern for
  # the 5 substrate Secrets (Item #9, all phases shipped 2026-05-07).
  - name: external-secrets
    version: "0.10.7"
    repository: "oci://registry.odoosky.cloud/odoosky/docker-mirror/charts"
    condition: externalSecrets.enabled