feat(chart): rip out pg dual-mode shim — ESO-only (0.1.8)

A-Chunk 3 finalisation. All live instances are migrated to ESO,
and Tower 0.77.2 makes the migrate + template-deploy paths also
emit ESO-shape overlays (wizard always has). The
`{{- if not .Values.postgres.passwordVaultPath }}` shim in
postgres-secret.yaml has zero remaining production callers.

Changes:
  - DELETE templates/postgres-secret.yaml (dual-mode legacy path)
  - DELETE _helpers.tpl `instance.pgPassword` (only consumed by
    postgres-secret.yaml; no other callers)
  - UNWRAP templates/postgres-password-externalsecret.yaml — the
    outer `{{- if .Values.postgres.passwordVaultPath }}` conditional
    is removed; the template now renders unconditionally and the
    chart's `required` directive on tenant.id is the new boundary
    (chart render fails loud if Tower forgot to populate it)
  - SIMPLIFY values.yaml — drop the legacy `postgres.password` field
    and the dual-mode documentation. `passwordVaultPath` stays as an
    operator-visible advisory string but the chart hardcodes the
    path shape from tenant.id + instance.code

Chart 0.1.7 → 0.1.8. helm template + helm lint verified locally;
helm template with tenant.id missing fails loud with a clear
error pointing the operator at the chart line + the source of the
missing value.

The live instances (erp/erp18v3/v19) carry tenant.id + passwordVaultPath
in their overlays already; this chart version produces the same
manifests for them on next ArgoCD reconcile — no observable change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
OdooSky v3
2026-05-12 13:56:40 +03:00
parent 96071aec8e
commit 4a8dc61a92
5 changed files with 24 additions and 75 deletions

@@ -17,10 +17,12 @@ instance:
# `instance.size: medium` (etc); they don't have to know the numbers.
size: small
# tenant — owning tenant identity. Currently only required when
# postgres.passwordVaultPath is set (the ESO path needs to know which
# tenant subtree to read from OpenBao). Tower writes `tenant.id` into
# every new overlay; legacy overlays without ESO leave this empty.
# tenant — owning tenant identity. Required: the chart's ExternalSecret
# constructs `tenants/<tenant.id>/instances/<instance.code>/pg` from
# this value. Tower writes it into every overlay (wizard create,
# bundle-migrate, template-deploy). The `required` directive in
# templates/postgres-password-externalsecret.yaml fails loud at chart
# render time if it's missing.
tenant:
id: ""
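Review bot: the rewritten `tenant` comment names only tenant.id as guarded by `required`, yet the same comment says the ExternalSecret path is built from both tenant.id and instance.code; if instance.code can also be empty, the chart renders a path like `tenants/<id>/instances//pg` and the failure surfaces only at ESO sync time rather than at render time. Consider applying the same `required` guard to instance.code, or stating in this comment that it is already guarded elsewhere. Separately, because `required` rejects an empty string, keeping the default `id: ""` means `helm lint` / `helm template` against the chart's bare values.yaml now fails by design; worth noting in the comment that a values override (or a CI values file) is needed for lint.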
@@ -164,30 +166,13 @@ postgres:
tag: "16-alpine"
user: odoo
database: postgres
# If empty, the chart auto-generates on first install and re-reads
# the existing Secret on subsequent upgrades (lookup pattern).
# Ignored when `passwordVaultPath` is set — ESO sources the password
# from OpenBao instead.
password: ""
# passwordVaultPath — when set, the chart renders an ExternalSecret
# pulling the password from OpenBao at
# `tenants/<tenant.id>/instances/<instance.code>/pg` (field
# `password`). The legacy postgres-secret.yaml template is gated
# off; the ExternalSecret produces the same `<release>-pg` Secret
# shape so postgres-statefulset.yaml is unchanged.
#
# When empty (default), the chart falls back to the legacy
# postgres-secret.yaml path using `.password` above. Tower sets
# this field on every new instance starting v0.77; pre-v0.77
# instances stay on the legacy path until migrated by the one-shot
# tool (Chunk 3 of A-OpenBao).
#
# The actual path resolution is hardcoded in the
# postgres-password-externalsecret.yaml template; this field is
# the on/off toggle. Setting it to any non-empty value is
# equivalent ("use ESO for this instance"); the path string itself
# is currently advisory (it's the OpenBao subtree the operator can
# `bao kv list` to find the password).
# passwordVaultPath — operator-visible advisory string carrying the
# OpenBao path Tower wrote the password to. Tower sets this on every
# overlay (it's how the operator runs `bao kv get` if they need to
# rotate the password manually). The chart's
# postgres-password-externalsecret.yaml template hardcodes the same
# path shape — this field is informational, not load-bearing for
# ExternalSecret resolution.
passwordVaultPath: ""
# externalSecretsStoreRef — ClusterSecretStore name the
# ExternalSecret references. Provisioned by cluster-platform-v3
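Review bot: removing `postgres.password` means an overlay that still sets it is silently ignored rather than rejected, since Helm does not complain about unknown values without a schema, so a stale plaintext password left behind in a legacy overlay would go unnoticed. Consider adding a `values.schema.json` that disallows `postgres.password`, or a `{{- if .Values.postgres.password }}{{ fail "postgres.password is no longer supported; use ESO" }}{{- end }}` guard, so leftover secrets in overlays are surfaced and cleaned up instead of dropped. The new `passwordVaultPath` comment also describes the field as "informational, not load-bearing" while the template hardcodes the same path shape; nothing in this hunk keeps the two in sync, so a drifted value would send an operator's `bao kv get` to the wrong subtree. Either derive the advisory string from tenant.id + instance.code in a helper (echoed from NOTES.txt, for example) or state in the comment that it must match the template's path shape.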