openova/clusters/_template/bootstrap-kit/57-bp-openova-flow-emitter.yaml

# bp-openova-flow-emitter — Catalyst bootstrap-kit Blueprint slot 57
# (Observability / OpenovaFlow Flux adapter).
#
# Region-aware DaemonSet sidecar that watches HelmRelease + HelmChart
# CRs on the LOCAL cluster's Flux and POSTs FlowMessage envelopes to
# the configured openova-flow-server (slot 56, primary cluster only).
#
# Topology — runs on EVERY cluster (mother + primary Sovereign + every
# secondary region). The receiving server sits on the primary cluster;
# cross-cluster reachability is via the Cilium Gateway HTTPRoute over
# public HTTPS.
#
# Wrapper chart: platform/openova-flow-emitter/chart/
# Catalyst-curated values: platform/openova-flow-emitter/chart/values.yaml
# Reconciled by: Flux on the new Sovereign's k3s control plane.
#
# dependsOn:
#   - bp-flux         — informer needs Flux's helmrelease CRDs.
#
# Per docs/INVIOLABLE-PRINCIPLES.md #1 (target-state) the emitter runs
# from first cut on every cluster. Per #4 (never hardcode) the
# FLOW_SERVER_URL, FLOW_ID, and REGION_KEY all flow from the
# per-Sovereign overlay's substitute env.

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bp-openova-flow-emitter
  namespace: flux-system
spec:
  type: oci
  interval: 15m
  url: oci://registry.t22.omantel.biz/openova-io
  secretRef:
    name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-openova-flow-emitter
  namespace: flux-system
  labels:
    catalyst.openova.io/slot: "57"
spec:
  interval: 15m
  releaseName: openova-flow-emitter
  targetNamespace: catalyst-system
  dependsOn:
    - name: bp-flux
  chart:
    spec:
      chart: bp-openova-flow-emitter
      version: 0.1.1
      sourceRef:
        kind: HelmRepository
        name: bp-openova-flow-emitter
        namespace: flux-system
  install:
    timeout: 15m
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    timeout: 15m
    disableWait: true
    remediation:
      retries: 3
  # Per-Sovereign overlay surface. ${SOVEREIGN_FQDN},
  # ${SOVEREIGN_DEPLOYMENT_ID} and ${SOVEREIGN_REGION_KEY} are all
  # provided by the bootstrap-kit Kustomization's postBuild.substitute
  # env hook (see infra/hetzner/cloudinit-control-plane.tftpl, wired in
  # main.tf for primary CP + secondary CP for_each so multi-region
  # Sovereigns get distinct region tags on FlowNodes).
  #
  # FlowID — the catalyst-api per-deployment 16-char hex id. The catalyst-
  # api proxy /api/v1/flows/{deploymentId}/* queries the openova-flow-
  # server under the same id, so this is the canonical key linking the
  # canvas to the emitter.
  # RegionKey — Hetzner region code for this cluster ("fsn1" for primary,
  # "hel1"/etc for secondaries). Stamped onto every FlowNode.region so
  # the canvas groups bubbles into per-region super-bubbles via
  # `contains` relationships.
  values:
    flowEmitter:
      enabled: true
      # In-cluster Service URL — the emitter DaemonSet lives in the same
      # k3s as the openova-flow-server Deployment, so the POST stays
      # cluster-local with no TLS dependency. The public HTTPRoute at
      # https://openova-flow.<fqdn> exists for the MOTHERSHIP
      # catalyst-api proxy (Agent #8 PR #1405) and any external consumer,
      # NOT for the in-cluster emitter. Using the public URL was a live
      # regression on prov #34, 2026-05-11: emitter posted to
      # https://openova-flow.omantel.biz, TLS handshake EOF'd because
      # bp-catalyst-platform InstallFailed → no wildcard *.<fqdn> cert
      # → no Gateway listener → emitter retry-loop → server stays empty
      # → canvas showed "No nodes to render".
      flowServerUrl: http://openova-flow-server.catalyst-system.svc.cluster.local
      flowId: ${SOVEREIGN_DEPLOYMENT_ID}
      regionKey: ${SOVEREIGN_REGION_KEY}
      namespaceFilter: flux-system