deploy(bp-guacamole): bump bootstrap-kit pin 0.1.22 -> 0.1.23 (Refs TBD-G4 phase 2, C12-005) (#1700)

Pulls in PR #1699 — liveness + readiness probe paths flipped from
`/` to `/guacamole/`. The Apache Guacamole webapp deploys under
Tomcat's context path /guacamole/, not /, so probing `/` made
kubelet restart the Pod every ~60s and the kube-system Cilium
gateway returned 503 to `https://guacamole.<sov>/` because the
Endpoint was never Ready (observed on t22, 5 restarts in 8m).

Mirrors the #1693/#1694 split — chart fix + bootstrap-kit pin
bump always shipped as two PRs so the chart bumps reach the
Blueprint Release dispatch BEFORE the bootstrap-kit reconciles
against a non-existent chart version.

Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

clusters/_template/bootstrap-kit/52-bp-guacamole.yaml

@@ -121,7 +121,14 @@ spec:
       # exist on any Sovereign — the canonical gateway is
       # kube-system/cilium-gateway installed by 01-cilium.yaml and
       # used by every other Sovereign HTTPRoute.
-      version: 0.1.22
+      # 0.1.23 (Refs TBD-G4 phase 2 / C12-005, 2026-05-18): pulls in
+      # PR #1699 (liveness + readiness probe paths flipped from `/`
+      # to `/guacamole/`). The Apache Guacamole webapp deploys under
+      # Tomcat's context path /guacamole/, not /, so probing `/`
+      # made kubelet restart the Pod every ~60s and the kube-system
+      # Cilium gateway returned 503 to the public hostname because
+      # the Endpoint was never Ready (observed on t22, 5 restarts).
+      version: 0.1.23
       sourceRef:
         kind: HelmRepository
         name: bp-guacamole

platform/guacamole/chart/Chart.yaml

@@ -40,7 +40,15 @@ name: bp-guacamole
 # 0.1.17 (Fix #163, 2026-05-11, MIRROR-EVERYTHING): migrationImage AND
 # oidc-secret-bootstrap-job both gain explicit
 # harbor.openova.io/proxy-dockerhub prefix per CLAUDE.md inviolable rule.
-version: 0.1.22
+# 0.1.23 (Refs TBD-G4 phase 2, 2026-05-18): readiness + liveness probe
+# paths flipped from `/` to `/guacamole/`. The Apache Guacamole webapp
+# deploys at Tomcat's context path /guacamole/ (the WAR file is
+# `guacamole.war` so Tomcat exposes it at /<warname>/). The container
+# root path `/` returns 404 from Tomcat's empty ROOT context, so
+# probing `/` made kubelet restart the Pod every ~60s and the kube-
+# system Cilium gateway returned 503 to `https://guacamole.<sov>/`
+# because no endpoint was ever Ready (observed on t22, 5 restarts).
+version: 0.1.24
 appVersion: "1.5.5"
 description: |
   Catalyst-authored Blueprint chart for Apache Guacamole — a clientless

platform/guacamole/chart/templates/guacamole-deployment.yaml

@@ -100,15 +100,27 @@ spec:
             {{- toYaml .Values.guacamole.webapp.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.guacamole.containerSecurityContext | nindent 12 }}
+          # The Apache Guacamole webapp deploys under Tomcat's context
+          # path `/guacamole/` (the WAR is `guacamole.war` so Tomcat
+          # exposes it at `/<warname>/`). The container root path `/`
+          # is NOT served by the webapp — it returns 404 from Tomcat's
+          # ROOT context. Probing `/` previously caused liveness +
+          # readiness probes to fail with HTTP 404, the kubelet to
+          # restart the Pod every ~60s, and the kube-system Cilium
+          # gateway to return 503 to the public hostname because no
+          # endpoint was ever Ready (observed on t22, 5 restarts).
+          # Probing `/guacamole/` matches the actual webapp root.
+          # Operator-visible /guacamole.html → /guacamole/ redirect is
+          # handled by the HTTPRoute (separate PR / TBD-G6 follow-up).
           livenessProbe:
             httpGet:
-              path: /
+              path: /guacamole/
               port: http
             initialDelaySeconds: 30
             periodSeconds: 30
           readinessProbe:
             httpGet:
-              path: /
+              path: /guacamole/
               port: http
             initialDelaySeconds: 10
             periodSeconds: 10