openova/scripts
e3mrah c073db28a9
feat(bootstrap-kit): bp-mgmt-vcluster + bp-dmz-vcluster + bp-rtz-vcluster — implement DoD A4 vCluster topology (#1526)
Founder ruling 2026-05-16: docs/SOVEREIGN-MULTI-REGION-DOD.md A4 has
been promised on every multi-region prov for weeks but never built in
code — the bootstrap-kit had NO mgmt/dmz/rtz vCluster blueprints and
the Sovereign Console canvas reported `vCluster 0/0` on every prov.
This PR ships the 3 missing blueprints + wires them into the
bootstrap-kit so the topology contract finally lands.

DoD A4 ratified contract:
  primary    region → MGMT  + DMZ  vCluster
  secondary  region → DMZ   + RTZ  vCluster
Cross-vCluster intra-region traffic stays inside host k3s via Cilium.
Inter-region traffic goes over the DMZ WireGuard hop per A2.

Charts (all 3 mirror the canonical bp-cert-manager umbrella pattern —
loft-sh/vcluster 0.20.0 bundled as a Helm subchart via
`helm dependency build`, MIRROR-EVERYTHING image via
harbor.openova.io/proxy-ghcr by default, fail-fast image-tag guard
per INVIOLABLE-PRINCIPLES #4a, default-OFF via subchart `condition:`
key, NetworkPolicy isolation baseline):

  platform/bp-mgmt-vcluster/   primary-only,    slot 58
  platform/bp-dmz-vcluster/    every region,    slot 54 (default-ON)
  platform/bp-rtz-vcluster/    secondary-only,  slot 59

Each chart's tests/render.sh covers 3 contracts:
  1. default-OFF renders zero resources (subchart condition gate)
  2. enabled-with-empty-image-tag fails fast (SHA-pin guard)
  3. full-ON renders Namespace + NetworkPolicy + subchart
     StatefulSet + Service

Bootstrap-kit wiring:
  clusters/_template/bootstrap-kit/{54,58,59}-bp-*-vcluster.yaml
  clusters/_template/bootstrap-kit/kustomization.yaml (3 new resources)
  scripts/expected-bootstrap-deps.yaml (slots 54/58/59 + adjacent
    bp-openova-flow-server bp-cnpg dep drift fix)

scripts/check-bootstrap-deps.sh passes 0-drift after the change
(48 HRs present on disk, 14 deferred for W2.K4).

Region-key threading uses the existing `${SOVEREIGN_REGION_KEY}`
postBuild.substitute that the cloud-init tftpl already exports (per
the brief's "DON'T touch infra/hetzner/*" directive). The per-role
enable gates default safely (mgmt=false, dmz=true, rtz=false); a
follow-up tofu PR will add MGMT_VCLUSTER_ENABLED + RTZ_VCLUSTER_ENABLED
substitutes flipped on only on the appropriate CP, taking the canvas
count from `vCluster 3/3` to `vCluster 6/6` on a 3-region Sovereign.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 16:13:17 +04:00
check-bootstrap-deps.sh fix(bp-external-secrets-stores): split ClusterSecretStore into separate chart per #247 pattern (closes #331) (#426) 2026-05-01 17:33:47 +04:00
check-vendor-coupling.sh fix(ci): vendor-coupling guardrail path - products/catalyst/bootstrap/api/internal/objectstorage (closes #438) (#440) 2026-05-01 18:21:57 +04:00
expected-bootstrap-deps.yaml feat(bootstrap-kit): bp-mgmt-vcluster + bp-dmz-vcluster + bp-rtz-vcluster — implement DoD A4 vCluster topology (#1526) 2026-05-16 16:13:17 +04:00
generate-blueprint-deps.sh fix(wizard): blueprint deps sourced from Flux dependsOn (single source of truth) (#652) 2026-05-03 09:47:52 +04:00
operator-recover-sovereign.sh docs(ops): comprehensive operator runbook + remediation playbook + idempotent recovery script 2026-04-29 19:26:29 +02:00