Commit Graph

10 Commits

Author SHA1 Message Date
OdooSky v3
7132d527a3 fix(odoo): add --proxy-mode to args (Mixed-Content fix; chart 0.1.9) 2026-05-13 05:52:31 +02:00
OdooSky v3
4a8dc61a92 feat(chart): rip out pg dual-mode shim — ESO-only (0.1.8)
A-Chunk 3 finalisation. All live instances are migrated to ESO,
and Tower 0.77.2 makes the migrate + template-deploy paths also
emit ESO-shape overlays (wizard always has). The
`{{- if not .Values.postgres.passwordVaultPath }}` shim in
postgres-secret.yaml has zero remaining production callers.

Changes:
  - DELETE templates/postgres-secret.yaml (dual-mode legacy path)
  - DELETE _helpers.tpl `instance.pgPassword` (only consumed by
    postgres-secret.yaml; no other callers)
  - UNWRAP templates/postgres-password-externalsecret.yaml — the
    outer `{{- if .Values.postgres.passwordVaultPath }}` conditional
    is removed; the template now renders unconditionally and the
    chart's `required` directive on tenant.id is the new boundary
    (chart render fails loud if Tower forgot to populate it)
  - SIMPLIFY values.yaml — drop the legacy `postgres.password` field
    and the dual-mode documentation. `passwordVaultPath` stays as an
    operator-visible advisory string but the chart hardcodes the
    path shape from tenant.id + instance.code

Chart 0.1.7 → 0.1.8. helm template + helm lint verified locally;
helm template with tenant.id missing fails loud with a clear
error pointing the operator at the chart line + the source of the
missing value.

The live instances (erp/erp18v3/v19) carry tenant.id + passwordVaultPath
in their overlays already; this chart version produces the same
manifests for them on next ArgoCD reconcile — no observable change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 13:56:40 +03:00
OdooSky v3
96071aec8e feat(chart): pg password via ExternalSecret/OpenBao (A-Chunk 1)
Per-instance Postgres password sourced from OpenBao via External
Secrets Operator. Dual-mode for the migration window:

  - postgres.passwordVaultPath unset → legacy postgres-secret.yaml
    renders with .Values.postgres.password (helm lookup + random
    fallback, bit-exact existing behaviour for live instances).
  - postgres.passwordVaultPath set → postgres-password-externalsecret.yaml
    renders an ExternalSecret that produces the same <release>-pg
    Secret (POSTGRES_USER/PASSWORD/DB) from OpenBao path
    `tenants/<tenant.id>/instances/<instance.code>/pg`.

Exactly one of the two templates ships per instance (mutually
exclusive `if`s on .Values.postgres.passwordVaultPath). The Postgres
StatefulSet envFroms <release>-pg unchanged.

OpenBao policy already grants the per-cluster ESO read on
`v3/data/tenants/<tenantID>/*` (buildEsoPolicy in tower's
openbao_auth_setup.go) — the new instances/<code>/pg subpath is
covered. No policy change required.

A `required` directive on the ExternalSecret asserts tenant.id is
present when passwordVaultPath is set — fails loud at helm template
time if Tower forgot to populate it.

deletionPolicy: Retain on the ExternalSecret. Postgres PGDATA on
disk hashes to the password in the Secret; an accidental ESO
removal must not cascade into the Secret disappearing.

Chart 0.1.6 → 0.1.7. Verified locally: helm template both modes,
helm lint clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 12:56:54 +03:00
OdooSky v3
d7c1b2f895 fix(shim-version-parse): anchor awk regex on literal version key (H2) 2026-05-09 15:34:39 +02:00
OdooSky v3
961f31998e fix(hoot-dom): derive shim version from odoo tag for Odoo 19 compat 2026-05-09 01:19:45 +02:00
OdooSky v3
55d069cd4d fix(hoot-dom): static/src alias file approach 2026-05-08 23:44:15 +02:00
OdooSky v3
9999899c3d fix(hoot-dom): include hoot module loader + version-aware shim upgrade 2026-05-08 23:35:26 +02:00
OdooSky v3
44a6972b44 fix(hoot-dom): platform shim addon to inject hoot-dom into web.assets_backend 2026-05-08 23:26:52 +02:00
OdooSky v3
96785158e7 fix(readiness): bump Odoo readinessProbe failureThreshold 2 -> 15
Heavy addon installs (e.g. ks_dashboard_ninja) blocked /web/login
probes for >10s, causing K8s to pull the Pod from Endpoints; Traefik
then 503'd the operator addon-apply RPC. failureThreshold: 15 (~75s
of headroom) covers the install window without affecting true
pod-restart detection (initialDelay gates boot).

Chart 0.1.0 -> 0.1.1.
2026-05-08 22:04:07 +02:00
git_admin
a915b31588 Initial chart import from local infrastructure/ 2026-04-26 17:46:59 +03:00