openova/platform
e3mrah f686e30823
fix(cutover): mint Gitea API token + populate provisioning-github-token at handover (#1704)
The catalyst-platform chart's templates/sme-services/provisioning-github-token.yaml
mirrors gitea-admin-secret.password verbatim into
sme/provisioning-github-token.GITHUB_TOKEN. The SME provisioning service
then sends `Authorization: token <PWD>` to Gitea — Gitea resolves the
Bearer/token credential as an API access token (sha1 lookup); the admin
password is not an access token, so Gitea returns 401 "user does not
exist [uid: 0, name: ]".

End result on t22: voucher checkout returns 200, /jobs redirect fires,
but no Organization CR is ever created (every Gitea API call from
provisioning 401s). Journey step 16 stalls indefinitely.

Verified on t22 (2026-05-18):
  - sme/provisioning-github-token.GITHUB_TOKEN.last8 == gitea-admin-secret.password.last8 == ChxCejmH
  - curl -H "Authorization: token <pwd>" /api/v1/user → 401 user does not exist
  - curl -u gitea_admin:<pwd> /api/v1/user → 200 OK (Basic works, token doesn't)
  - 0 organizations.orgs.openova.io cluster-wide

Fix: new cutover step 09 (gitea-token-mint) runs alongside the existing
01..08 chain at handover. The step:

  1. DELETEs any stale catalyst-platform-bootstrap token (idempotent —
     404 swallowed on first run).
  2. POSTs /api/v1/users/gitea_admin/tokens with scope "all".
  3. Captures the returned .sha1 (raw token bytes appear there exactly
     once — Gitea hashes server-side after creation).
  4. Validates by calling GET /api/v1/user with `Authorization: token <X>`
     and asserts 200 + non-empty login field.
  5. kubectl-patches Secret sme/provisioning-github-token.GITHUB_TOKEN
     to the new token via strategic-merge stringData (kubectl base64s).
  6. Rolls the provisioning Deployment so the new token takes effect
     immediately (best-effort — skipped if marketplace disabled).

Order=9 (last) is functionally fine — none of steps 02-08 read the
provisioning-github-token Secret, and the SME provisioning service first
consumes the token at voucher checkout time (always postdates cutover).
Slot 9 vs 1b avoids renumbering 01..08 which would invalidate operator
history in the cutover-status ConfigMap audit trail.

Token credentials never appear in process argv (passed via stdin / env
to kubectl), and validate-failure paths sed-redact the new token from
stderr before surfacing the response body.

Contract-test guard added (Case 19): step ConfigMap rendered with
order=9, the POST /api/v1/users/.../tokens call present, sha1 capture
present, Authorization: token validation present, kubectl patch present.
Existing step-count gates updated 8 → 9 and 7 job-mode → 8.

chart bp-self-sovereign-cutover: 0.1.29 → 0.1.30

Refs TBD-C18

Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 17:30:56 +04:00
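Steps 1 to 4 of the token-mint step above, as an added Go example that is not code from this commit or the platform's bootstrap kit: it deletes the stale `catalyst-platform-bootstrap` token, creates a new one with Basic auth, validates it with `Authorization: token <X>` (the exact check the mirrored admin password fails) and redacts the token from any error text before it can surface. The Gitea base URL, admin user and password are assumed to come from the caller; the kubectl patch and Deployment roll (steps 5 and 6) are left to the step itself.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

const tokenName = "catalyst-platform-bootstrap" // token the cutover step deletes and recreates
// do sends one request and returns status plus a capped body (kept only for error reporting).
func do(c *http.Client, req *http.Request) (int, []byte, error) {
	resp, err := c.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	return resp.StatusCode, b, nil
}
// ValidateToken is step 4: GET /api/v1/user with "Authorization: token <X>" must give 200 and a login; the admin password sent as a token fails here (Gitea 401, uid 0).
func ValidateToken(c *http.Client, base, token string) error {
	req, _ := http.NewRequest("GET", base+"/api/v1/user", nil)
	req.Header.Set("Authorization", "token "+token)
	code, body, err := do(c, req)
	var me struct{ Login string `json:"login"` }
	if json.Unmarshal(body, &me); err != nil || code != 200 || me.Login == "" {
		// redact the fresh token before the response body can reach stderr or logs
		return fmt.Errorf("token validation failed: HTTP %d err=%v body=%s", code, err, bytes.ReplaceAll(body, []byte(token), []byte("<redacted>")))
	}
	return nil
}
// MintGiteaToken is steps 1-4: DELETE the stale token, POST a new one with scope "all", capture .sha1 (the only time the raw token is visible), then validate it before returning.
func MintGiteaToken(c *http.Client, base, user, pass string) (string, error) {
	req, _ := http.NewRequest("DELETE", base+"/api/v1/users/"+user+"/tokens/"+tokenName, nil)
	req.SetBasicAuth(user, pass)
	do(c, req) // 404 on first run is expected; a bad password surfaces on the POST below anyway
	body, _ := json.Marshal(map[string]any{"name": tokenName, "scopes": []string{"all"}})
	req, _ = http.NewRequest("POST", base+"/api/v1/users/"+user+"/tokens", bytes.NewReader(body))
	req.SetBasicAuth(user, pass)
	req.Header.Set("Content-Type", "application/json")
	var created struct{ Sha1 string `json:"sha1"` }
	if code, resp, err := do(c, req); err != nil || code != 201 || json.Unmarshal(resp, &created) != nil || created.Sha1 == "" {
		return "", fmt.Errorf("create token: HTTP %d err=%v", code, err)
	}
	if err := ValidateToken(c, base, created.Sha1); err != nil {
		return "", err
	}
	return created.Sha1, nil
}
```

The returned token is meant to be handed to `kubectl patch` via stdin or the environment, never on the command line, matching how the step itself avoids argv exposure.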
alloy fix(bp-trivy): node-collector tolerates control-plane taint (closes #769) (#772) 2026-05-04 17:38:29 +02:00
anthropic-adapter feat(charts): bp-temporal + bp-llm-gateway + bp-anthropic-adapter wrapper charts (closes #267 #268 #271) (#288) 2026-04-30 19:37:19 +04:00
bge feat(charts): bp-vllm + bp-bge + bp-nemo-guardrails wrapper charts (#283) 2026-04-30 18:37:07 +04:00
bp-dmz-vcluster fix(blueprints): vcluster charts smoke-render annotation = "default-off" (#1527) 2026-05-16 16:15:51 +04:00
bp-mgmt-vcluster fix(bp-mgmt-vcluster): namespace PSS baseline (was restricted) — A4 (#1535) 2026-05-16 18:06:59 +04:00
bp-rtz-vcluster fix(blueprints): vcluster charts smoke-render annotation = "default-off" (#1527) 2026-05-16 16:15:51 +04:00
bp-vcluster-helmrepo fix(bootstrap-kit): install vcluster CRDs + controller on Sovereign (gates Org → vCluster spawn) (#1624) 2026-05-18 09:27:58 +04:00
cert-manager fix(charts): explicit harbor.openova.io/proxy-dockerhub prefix on all chart-hook images (#163) (#1367) 2026-05-11 11:32:21 +04:00
cert-manager-dynadot-webhook feat(catalyst-chart): land Blueprint CRD + fix 5 string-form depends (slice B4, #1095) (#1112) 2026-05-08 22:25:08 +04:00
cert-manager-powerdns-webhook fix(bp-cert-manager-powerdns-webhook,bp-catalyst-platform): staging ClusterIssuer for QA Sovereigns (Fix #123, LE rate-limit bypass) (#1339) 2026-05-11 01:08:07 +04:00
cilium fix(cilium): gatewayAPI hostNetwork.nodes.matchLabels (prov #76) (#1480) 2026-05-14 18:17:35 +04:00
clickhouse docs(seaweedfs+guacamole): replace MinIO with SeaweedFS as unified S3 encapsulation; add Guacamole to bp-relay 2026-04-28 10:23:46 +02:00
cluster-autoscaler-hcloud fix(autoscaler): attach scale-up VMs to private network so they k3s-join (#1427) 2026-05-12 06:11:30 +04:00
cnpg feat(platform): add global.imageRegistry to bp-openbao/external-secrets/cnpg/valkey/nats-jetstream/powerdns/gitea (PR 2/3, #560) (#565) 2026-05-02 12:52:43 +04:00
cnpg-pair fix(cnpg-pair tests): exclude helm-test hook resources from non-test count (#1225) 2026-05-09 23:51:08 +04:00
coraza fix(bp-coraza,bp-syft-grype): add common library subchart to satisfy hollow-chart gate (#220) 2026-04-30 06:15:28 +02:00
crossplane fix(blueprints): align blueprint.yaml spec.version with Chart.yaml version (#817) (#819) 2026-05-04 22:32:49 +04:00
crossplane-claims fix(charts): explicit harbor.openova.io/proxy-dockerhub prefix on all chart-hook images (#163) (#1367) 2026-05-11 11:32:21 +04:00
debezium docs(pass-32): registry-DNS sweep — harbor.<domain> across 9 component READMEs 2026-04-27 22:36:39 +02:00
external-dns fix(bp-external-dns): apiserver Endpoints sync timeout — Cilium kube-apiserver entity required (closes #770) (#771) 2026-05-04 19:27:17 +04:00
external-secrets feat(platform): add global.imageRegistry to bp-openbao/external-secrets/cnpg/valkey/nats-jetstream/powerdns/gitea (PR 2/3, #560) (#565) 2026-05-02 12:52:43 +04:00
external-secrets-stores fix(charts): explicit harbor.openova.io/proxy-dockerhub prefix on all chart-hook images (#163) (#1367) 2026-05-11 11:32:21 +04:00
failover-controller refactor(platform): remove k8gb — replaced by PowerDNS lua-records (#171) 2026-04-29 08:51:09 +02:00
falco fix(bp-falco): rename rules_file → rules_files (Falco 0.36+ canonical key, Closes #570) (#574) 2026-05-02 12:59:29 +04:00
ferretdb docs(pass-11b): retry banners on failover-controller/trivy/clickhouse/ferretdb (Edit needed Read first) 2026-04-27 21:45:56 +02:00
flink docs(seaweedfs+guacamole): replace MinIO with SeaweedFS as unified S3 encapsulation; add Guacamole to bp-relay 2026-04-28 10:23:46 +02:00
flux fix(charts): explicit harbor.openova.io/proxy-dockerhub prefix on all chart-hook images (#163) (#1367) 2026-05-11 11:32:21 +04:00
gateway-api fix: bp-gateway-api 5→10 CRDs + bp-gitea CNPG + bp-harbor CNPG race fix + DAG audit (#592) 2026-05-02 15:20:05 +04:00
gitea fix(httproute): collapse double-prefix when releaseName contains chart name (gitea/harbor/openbao 500/404) (#1483) 2026-05-14 19:00:07 +04:00
grafana feat(platform): add global.imageRegistry to remaining bp-* charts + bp-catalyst-platform (PR 3/3, #560) (#580) 2026-05-02 13:21:53 +04:00
guacamole deploy: bump bp-guacamole upstream 1.5.5 chart 0.1.24 2026-05-18 13:10:06 +00:00
harbor fix(httproute): collapse double-prefix when releaseName contains chart name (gitea/harbor/openbao 500/404) (#1483) 2026-05-14 19:00:07 +04:00
hcloud-ccm fix(infra): hcloud-CCM + cilium DNS hardening + chart-side gitea token — qa-loop iter-12 Fix #54 (#1281) 2026-05-10 11:56:50 +04:00
hcloud-csi fix(multi): Family G — 6 singletons (C8-001/C8-005/C9-006/C10-002/C10-003/C7-007) (#1601) 2026-05-17 22:20:29 +04:00
iceberg docs(seaweedfs+guacamole): replace MinIO with SeaweedFS as unified S3 encapsulation; add Guacamole to bp-relay 2026-04-28 10:23:46 +02:00
k8s-ws-proxy deploy: bump bp-k8s-ws-proxy to image 74d23ab chart 0.1.11 2026-05-11 07:33:51 +00:00
keda docs(pass-10): banners on 7 more components + opentofu active-active drift fix 2026-04-27 21:43:45 +02:00
keycloak feat(sandbox+auth+newapi): Wave 1b — newapi proxy + BYOS + org-scoped JWT (#1619) 2026-05-18 08:43:11 +04:00
knative feat(charts): bp-stunner + bp-knative + bp-kserve wrapper charts (closes #263 #264 #265) (#290) 2026-04-30 19:37:38 +04:00
kserve feat(charts): bp-stunner + bp-knative + bp-kserve wrapper charts (closes #263 #264 #265) (#290) 2026-04-30 19:37:38 +04:00
kyverno feat(bp-kyverno): land 19 compliance ClusterPolicy templates (slice K, #1096) (#1138) 2026-05-09 01:57:51 +04:00
langfuse fix(bp-langfuse): drop apostrophe from description to clear GHCR 500 (resolves #215) (#278) 2026-04-30 17:31:51 +04:00
librechat feat(charts): bp-librechat wrapper chart (closes #275) (#287) 2026-04-30 18:56:59 +04:00
litmus feat(platform): security umbrellas (falco/kyverno/trivy/sigstore/syft-grype/reloader/coraza/litmus) (#216) 2026-04-30 06:07:38 +02:00
livekit feat(charts): bp-openmeter (CH-less) + bp-livekit + bp-matrix wrapper charts (closes #272 #273 #274) (#289) 2026-04-30 19:37:28 +04:00
llm-gateway feat(charts): bp-temporal + bp-llm-gateway + bp-anthropic-adapter wrapper charts (closes #267 #268 #271) (#288) 2026-04-30 19:37:19 +04:00
loki feat(platform): observability stack umbrellas (grafana/loki/mimir/tempo/alloy/otel/langfuse/velero) (#214) 2026-04-29 22:11:04 +02:00
matrix feat(charts): bp-openmeter (CH-less) + bp-livekit + bp-matrix wrapper charts (closes #272 #273 #274) (#289) 2026-04-30 19:37:28 +04:00
milvus docs(seaweedfs+guacamole): replace MinIO with SeaweedFS as unified S3 encapsulation; add Guacamole to bp-relay 2026-04-28 10:23:46 +02:00
mimir feat(catalyst-api): compliance score aggregator + handler (slice S, #1096) (#1141) 2026-05-09 02:37:31 +04:00
nats-jetstream feat(bp-nats-jetstream): land Stream + KV CR templates (slice H4, #1095) (#1114) 2026-05-08 22:32:54 +04:00
nemo-guardrails feat(charts): bp-vllm + bp-bge + bp-nemo-guardrails wrapper charts (#283) 2026-04-30 18:37:07 +04:00
neo4j docs(pass-12): role-in-Catalyst banners on 11 AI/ML Application Blueprints 2026-04-27 21:47:45 +02:00
netbird fix: mark bp-dmz-vcluster + bp-netbird default-off for smoke-render gate (#1286) 2026-05-10 15:57:18 +04:00
network-policies feat(bp-network-policies): land default-deny CCNP + system-namespace + DNS allow templates (slice H8, #1095) (#1116) 2026-05-08 22:40:30 +04:00
newapi feat(sandbox): tier-bound MCP capabilities (Free/Pro/Ent plans gate tool access) (#1690) 2026-05-18 16:30:00 +04:00
openbao fix(openbao): make auth-bootstrap Job idempotent on post-upgrade (token already revoked) (#1484) 2026-05-14 19:13:34 +04:00
openclaw feat(bp-openclaw): per-tenant Keycloak SSO + NewAPI as OpenAI-compatible LLM gateway (#915) (#917) 2026-05-05 13:26:59 +04:00
openmeter feat(charts): bp-openmeter (CH-less) + bp-livekit + bp-matrix wrapper charts (closes #272 #273 #274) (#289) 2026-04-30 19:37:28 +04:00
openova-flow-emitter/chart chore(deploy): bump openova-flow-adapter-flux image to 00eeff2 [skip ci] 2026-05-18 12:17:03 +00:00
openova-flow-server/chart chore(deploy): bump openova-flow-server image to fab091f [skip ci] 2026-05-18 13:23:07 +00:00
opensearch docs(seaweedfs+guacamole): replace MinIO with SeaweedFS as unified S3 encapsulation; add Guacamole to bp-relay 2026-04-28 10:23:46 +02:00
opentelemetry feat(platform): observability stack umbrellas (grafana/loki/mimir/tempo/alloy/otel/langfuse/velero) (#214) 2026-04-29 22:11:04 +02:00
opentelemetry-operator feat(bp-opentelemetry-operator): scaffold operator + default Instrumentation CR (slice H5, #1095) (#1121) 2026-05-08 23:06:29 +04:00
opentofu refactor(platform): remove k8gb — replaced by PowerDNS lua-records (#171) 2026-04-29 08:51:09 +02:00
powerdns fix(bp-powerdns): root-cause Job DeadlineExceeded recurrence (post Fix #144) (#1425) 2026-05-12 02:13:34 +04:00
qa-app fix(bp-qa-app): annotate no-upstream to satisfy hollow-chart guard (#1261) 2026-05-10 04:51:13 +04:00
reflector/chart fix: bp-reflector + rename ghcr-pull-secret->ghcr-pull (Closes #543) (#554) 2026-05-02 12:17:51 +04:00
reloader fix(catalyst-api,bp-reloader): tofu state on PVC + Reloader annotations strategy (closes #715) (#716) 2026-05-04 02:04:26 +04:00
sandbox/chart deploy: bump sandbox-controller image to 8017700 2026-05-18 12:33:11 +00:00
sealed-secrets fix(blueprints): align blueprint.yaml spec.version with Chart.yaml version (#817) (#819) 2026-05-04 22:32:49 +04:00
seaweedfs fix(bp-seaweedfs, bp-cluster-autoscaler-hcloud): StorageClass + autoscaler config (qa-loop Wave 5 Fix #79, Gaps B+D) (#1314) 2026-05-10 21:18:39 +04:00
self-sovereign-cutover fix(cutover): mint Gitea API token + populate provisioning-github-token at handover (#1704) 2026-05-18 17:30:56 +04:00
sigstore feat(platform): security umbrellas (falco/kyverno/trivy/sigstore/syft-grype/reloader/coraza/litmus) (#216) 2026-04-30 06:07:38 +02:00
spire fix(blueprints): align blueprint.yaml spec.version with Chart.yaml version (#817) (#819) 2026-05-04 22:32:49 +04:00
stalwart docs(seaweedfs+guacamole): replace MinIO with SeaweedFS as unified S3 encapsulation; add Guacamole to bp-relay 2026-04-28 10:23:46 +02:00
stalwart-sovereign feat(bp-stalwart-sovereign): per-Sovereign Stalwart for Console mail (#924) (#931) 2026-05-05 14:20:16 +04:00
stalwart-tenant feat(bp-stalwart-tenant): wire Keycloak OIDC SSO end-to-end (#915) (#920) 2026-05-05 13:37:46 +04:00
strimzi docs(pass-35): completion sweep for surviving DNS placeholders (8 components) 2026-04-27 22:46:16 +02:00
stunner feat(charts): bp-stunner + bp-knative + bp-kserve wrapper charts (closes #263 #264 #265) (#290) 2026-04-30 19:37:38 +04:00
syft-grype fix(bp-coraza,bp-syft-grype): add common library subchart to satisfy hollow-chart gate (#220) 2026-04-30 06:15:28 +02:00
tempo feat(platform): observability stack umbrellas (grafana/loki/mimir/tempo/alloy/otel/langfuse/velero) (#214) 2026-04-29 22:11:04 +02:00
temporal feat(charts): bp-temporal + bp-llm-gateway + bp-anthropic-adapter wrapper charts (closes #267 #268 #271) (#288) 2026-04-30 19:37:19 +04:00
trivy fix(bp-trivy): node-collector tolerates control-plane taint (closes #769) (#772) 2026-05-04 17:38:29 +02:00
valkey feat(platform): add global.imageRegistry to bp-openbao/external-secrets/cnpg/valkey/nats-jetstream/powerdns/gitea (PR 2/3, #560) (#565) 2026-05-02 12:52:43 +04:00
velero feat(platform): add global.imageRegistry to remaining bp-* charts + bp-catalyst-platform (PR 3/3, #560) (#580) 2026-05-02 13:21:53 +04:00
vllm feat(charts): bp-vllm + bp-bge + bp-nemo-guardrails wrapper charts (#283) 2026-04-30 18:37:07 +04:00
vpa fix(bp-vpa): drop registry.k8s.io/ prefix in repository (upstream prepends it) (#641) 2026-05-02 23:32:35 +04:00
wordpress-tenant feat(wordpress-tenant): activeHotStandby option wires bp-cnpg-pair (D31) (#1562) 2026-05-16 23:39:29 +04:00