odoo-tower/cluster-platform-v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff7eb9fafcc78490af7ae484dac4e5a89c2ae1bf
cluster-platform-v3/Chart.yaml
OdooSky v3 ff7eb9fafc fix(eso): chart 0.7.1 — explicit CRD defaults to clear ArgoCD OutOfSync 
ArgoCD was reporting all 6 ExternalSecrets as OutOfSync because the
live CRs had conversionStrategy/decodingStrategy/metadataPolicy fields
filled in by the CRD defaults that werent in the chart manifests.
Stamping them explicitly so the diff is clean. Tower UI will now show
Provisioning state correctly transition to Ready.
2026-05-07 21:47:00 +03:00

56 lines
2.3 KiB
YAML
Raw Blame History

apiVersion: v2
name: cluster-platform-v3
description: |
Per-cluster platform infrastructure for OdooSky v3. ArgoCD-managed
on every connected customer K8s cluster. Provides:
- odoosky-system namespace (where Tower spawns build Jobs and
stores cluster-private credentials sourced from OpenBao)
- Local container registry (Distribution v2). In-cluster
BuildKit Jobs push addon images here; the chart consumes
them as image volumes. Sovereignty + GFW resistance: no
cross-cluster image transfer.
- cert-manager + Traefik (vendored via Helm dependencies)
so the substrate that used to be installed by bootstrap.sh
now lives in Git, deployed by Tower's per-cluster Argo
Application. Customer's "Connect Server" terminal stops
at "kubeconfig sent" — the slow ACME wait happens here in
the background.
- tenants Namespace + tenants-wildcard Certificate. Per-tenant
via .Values.tenant.{domain,wildcardHost}; cert-manager's
DNS-01 solver pulls the Cloudflare token from the
`cloudflare-api-token` Secret Tower kubectl-applies into the
cert-manager namespace at Connect time (secrets stay out of
Git).
type: application
version: 0.7.1
appVersion: "0.7.1"
dependencies:
- name: cert-manager
version: "v1.16.1"
repository: "https://charts.jetstack.io"
condition: certManager.enabled
- name: traefik
version: "33.2.1"
repository: "https://traefik.github.io/charts"
condition: traefik.enabled
# Longhorn — CSI block storage with snapshot + clone primitives.
# See ADR 0003 (in odooskyv3 monorepo). Phase 1 declares the
# dependency but the chart's default is `longhorn.enabled=false`,
# so `helm dep update` skips it on render unless a per-cluster
# Argo Application sets the flag.
- name: longhorn
version: "1.7.2"
repository: "https://charts.longhorn.io"
condition: longhorn.enabled
# External Secrets Operator — declarative Secret delivery from
# OpenBao. Replaces Tower's imperative kubectl-stamp pattern for
# gitea-archive-pull (Phase 1 pilot, 2026-05-07). The other 4
# Tower-stamped Secrets remain on the legacy path until a planned
# follow-up sprint (Item #9 in v3 open queue).
- name: external-secrets
version: "0.10.7"
repository: "https://charts.external-secrets.io"
condition: externalSecrets.enabled
Reference in New Issue View Git Blame Copy Permalink