odoo-tower/cluster-platform-v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eccb648276c08588148208dd6bd9786e942f47ed
cluster-platform-v3/Chart.yaml
pro-777 eccb648276 0.2.0 — vendor cert-manager + traefik; parameterized substrate 
bootstrap.sh-equivalent K8s manifests now ship as part of this
chart instead of being installed inline by the customer's
`curl … | sudo bash`. Result: customer terminal time drops from
~5 min to ~1 min once Tower's SubmitConnect (B2) creates the
per-cluster Argo Application that points here.

What's vendored:
  - cert-manager v1.16.1 (helm dep, charts/cert-manager-v1.16.1.tgz)
  - traefik 33.2.1       (helm dep, charts/traefik-33.2.1.tgz)

What's parameterized via .Values.tenant.{domain,wildcardHost}:
  - letsencrypt-prod ClusterIssuer (DNS-01 + tenant's Cloudflare zone)
  - tenants Namespace
  - tenants-wildcard Certificate (commonName + dnsNames from helm.values)

What stays out of Git (Tower kubectl-applies via kubeconfig at
Connect time, sourced from the tenant's Vault paths):
  - cloudflare-api-token Secret (cert-manager ns)
  - s3-backup-creds Secret      (tenants ns)

The chart references both Secrets by name only.

Argo health roll-up: a tenant server is "Ready" when this
Application's Health is `Healthy` and the tenants-wildcard
Certificate's Ready condition is True. Tower's Server card UI
will surface this as "Provisioning…" → "Ready" in B4.

Lint + template clean with a real tenant value set; clean with
empty values too (templates skip themselves so a default-rendered
chart doesn't fail without a tenant).
2026-04-29 15:09:33 +03:00

38 lines
1.5 KiB
YAML
Raw Blame History

apiVersion: v2
name: cluster-platform-v3
description: |
Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed
on every connected customer K8s cluster. Provides:
- odoosky-system namespace (where Tower spawns build Jobs and
stores cluster-private credentials sourced from OpenBao)
- Local container registry (Distribution v2). In-cluster
BuildKit Jobs push addon images here; the chart consumes
them as image volumes. Sovereignty + GFW resistance: no
cross-cluster image transfer.
- cert-manager + Traefik (vendored via Helm dependencies)
so the substrate that used to be installed by bootstrap.sh
now lives in Git, deployed by Tower's per-cluster Argo
Application. Customer's "Connect Server" terminal stops
at "kubeconfig sent" — the slow ACME wait happens here in
the background.
- tenants Namespace + tenants-wildcard Certificate. Per-tenant
via .Values.tenant.{domain,wildcardHost}; cert-manager's
DNS-01 solver pulls the Cloudflare token from the
`cloudflare-api-token` Secret Tower kubectl-applies into the
cert-manager namespace at Connect time (secrets stay out of
Git).
type: application
version: 0.2.0
appVersion: "0.2.0"
dependencies:
- name: cert-manager
version: "v1.16.1"
repository: "https://charts.jetstack.io"
condition: certManager.enabled
- name: traefik
version: "33.2.1"
repository: "https://traefik.github.io/charts"
condition: traefik.enabled
Reference in New Issue View Git Blame Copy Permalink