openova/platform/wordpress-tenant
e3mrah c04b2ec76d
feat(wordpress-tenant): activeHotStandby option wires bp-cnpg-pair (D31) (#1562)
Sovereign DoD D31 — tenants subscribing to an HA-capable marketplace app
may opt into a cross-region active-hot-standby Postgres pair for their
WordPress instance instead of the default single CNPG Cluster.

Mirrors the canonical bp-cnpg-pair pattern (primary + replica Cluster
CRs with WAL streaming over Cilium ClusterMesh via a managed Service
annotated service.cilium.io/global=true). When the new
pg.activeHotStandby.enabled flag is false (default), templates render
the existing single Cluster bit-for-bit — no regression for non-HA
tenants.

Catalog seed flags WordPress with ha + cnpg-pair tags so the marketplace
HA filter can surface it.

Chart bumped 0.2.1 -> 0.3.0. New render-gate test asserts both default
single-cluster shape AND the enabled 2-Cluster shape with the right
nodeSelectors, replica.source, externalCluster.host, Cilium global
annotation, and bootstrap.pg_basebackup; all 5 cases pass.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 23:39:29 +04:00
chart feat(wordpress-tenant): activeHotStandby option wires bp-cnpg-pair (D31) (#1562) 2026-05-16 23:39:29 +04:00
blueprint.yaml feat(bp-wordpress-tenant): wp-cli OIDC bootstrap + oidc.* canonical block (0.2.0, #915) (#927) 2026-05-05 14:10:41 +04:00
README.md feat(bp-wordpress-tenant): turnkey SSO-wired WordPress per SME (#800) (#811) 2026-05-04 22:13:32 +04:00

platform/wordpress-tenant

Catalyst Blueprint that provisions a turnkey, SSO-pre-wired WordPress instance per SME tenant inside the SME's vcluster. Part of the #795 SME-tenant turnkey experience epic, ticket #800 (SME-5).

What's here

| Path | Contents |
| --- | --- |
| blueprint.yaml | Catalyst Blueprint metadata (configSchema, depends, placementSchema) |
| chart/ | Helm chart bp-wordpress-tenant v0.1.0 — see chart/README.md |
| chart/templates/ | Deployment, Service, Ingress, PVC, CNPG Cluster, NetworkPolicy, ServiceAccount + 3 post-install Jobs (db-secret-sync, oidc-config, admin-user) |
| chart/tests/ | observability-toggle.sh (per #182) |

Operator install

helm install acme-wordpress oci://ghcr.io/openova-io/bp-wordpress-tenant \
  --version 0.1.0 \
  --namespace sme-acme \
  --set smeDomain=acme.otech31.omani.works \
  --set keycloak.realmURL=https://auth.acme.otech31.omani.works/realms/sme \
  --set keycloak.clientSecretName=wordpress-oidc \
  --set adminUser.email=admin@acme.com

The Sovereign's tenant-provisioning pipeline (#804) wires this Helm release into a Flux HelmRelease per SME, registers the OIDC client in the SME realm, seals the client secret into wordpress-oidc, and renders the per-SME values overlay.

See also

  • chart/README.md — full value reference + boot sequence
  • docs/BLUEPRINT-AUTHORING.md §11 (umbrella shape, hollow-chart guard, observability toggles)
  • docs/INVIOLABLE-PRINCIPLES.md (no hardcoding, SHA-pinned images, target-state shape)
  • Issue #795 (epic), #800 (this Blueprint)