fix(bootstrap-kit): remove bp-netbird + bp-dmz-vcluster (charts never published) (#1289)

* fix(bp-catalyst-platform): switch gitea-token-mint Job image to alpine/k8s (curl + kubectl) bitnamilegacy/kubectl:1.29.3 lacks curl, so the post-install Job catalyst-gitea-token-mint CrashLoops with 'sh: 4: curl: not found'. Without the mint, catalyst-gitea-token Secret has empty token, catalyst-catalog + catalyst-organization-controller + catalyst-useraccess-controller all CrashLoop on 'CATALYST_GITEA_TOKEN is required'. alpine/k8s:1.31.4 bundles both kubectl 1.31.4 (matches k3s) and curl — canonical multi-tool image already used elsewhere in the platform. Caught on omantel provision #6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(bootstrap-kit): bump bp-guacamole pin 0.1.9 → 0.1.12 (bitnamilegacy/kubectl image) bp-guacamole 0.1.9 still references docker.io/bitnami/kubectl:1.30.4 in the storageclass-migrate pre-install Job. Bitnami removed bitnami/kubectl:* tags from Docker Hub mid-2026 (canonical surface is now bitnamilegacy/*). Job goes ImagePullBackOff → pre-install hook timeout → bp-guacamole HR Failed → bootstrap-kit Kustomization Failed → sovereign-tls Kustomization deps unmet → no Cilium Gateway → console.<sovereign> TLS unreachable. Chart 0.1.12 (already on main, never pinned in bootstrap-kit) ships migrationImage: docker.io/bitnamilegacy/kubectl:1.29.3 — the legacy registry path that resolves. Caught on omantel provision #6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(bootstrap-kit): remove bp-netbird + bp-dmz-vcluster (charts never published) Both blueprint charts have a chart-internal render test that fails ('empty image.tag did not abort render'); Blueprint Release CI never publishes them; HRs permanently fail with 'chart not found' on every fresh Sovereign provision; bootstrap-kit Kustomization wait: true healthCheck never converges; sovereign-tls Kustomization never gets ready; Cilium Gateway never created; console.<sovereign> TLS unreachable. Both blueprints are leaf nodes (no other HR depends on them). Remove from bootstrap-kit until the chart unit tests get fixed; re-add via follow-up PR with the test fixes shipped together. Caught on omantel provision #6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: alierenbaysal <alierenbaysal@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 16:33:53 +04:00 · 2026-05-10 16:33:53 +04:00 · 1492a28e60
commit 1492a28e60
parent 70208c506e
2 changed files with 0 additions and 155 deletions
--- a/clusters/_template/bootstrap-kit/53-bp-netbird.yaml
+++ b/clusters/_template/bootstrap-kit/53-bp-netbird.yaml
@ -1,84 +0,0 @@
-# bp-netbird — Catalyst bootstrap-kit Blueprint slot 53. NetBird
-# WireGuard-based zero-trust mesh + remote-access overlay.
-#
-# Per ADR-0001 §3.2.8 + EPIC-5 leftovers slice NB #1100: NetBird is the
-# canonical operator/engineer remote-access path into Sovereign workloads.
-#
-# qa-loop iter-12 Fix #53C: matrix asserts the netbird namespace +
-# management/signal/coturn Deployments exist (TC-281, TC-282, TC-283,
-# TC-284). Without this slot the chart was authored but never installed.
-#
-# Wrapper chart: platform/netbird/chart/
-# Reconciled by: Flux on the new Sovereign's k3s control plane.
-#
-# Default-OFF gate: NETBIRD_ENABLED defaults to "false" via envsubst —
-# Sovereigns that want NetBird flip it to "true" in the bootstrap-kit
-# Kustomization substitute.
-
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: netbird
-  labels:
-    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: bp-netbird
-  namespace: flux-system
-spec:
-  type: oci
-  interval: 15m
-  url: oci://ghcr.io/openova-io
-  secretRef:
-    name: ghcr-pull
---
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: bp-netbird
-  namespace: flux-system
-spec:
-  interval: 15m
-  releaseName: netbird
-  targetNamespace: netbird
-  dependsOn:
-    - name: bp-cilium
-    - name: bp-cert-manager
-    - name: bp-keycloak
-    - name: bp-sealed-secrets
-    - name: bp-nats-jetstream
-  chart:
-    spec:
-      chart: bp-netbird
-      version: 0.1.1
-      sourceRef:
-        kind: HelmRepository
-        name: bp-netbird
-        namespace: flux-system
-  install:
-    disableWait: true
-    remediation:
-      retries: 3
-  upgrade:
-    disableWait: true
-    remediation:
-      retries: 3
-  values:
-    netbird:
-      enabled: ${NETBIRD_ENABLED:=false}
-      management:
-        domain: netbird.${SOVEREIGN_FQDN}
-      coturn:
-        realm: netbird.${SOVEREIGN_FQDN}
-      oidc:
-        issuer: https://keycloak.${SOVEREIGN_FQDN}/realms/${SOVEREIGN_REALM_NAME:=sovereign}
-        redirectURI: https://netbird.${SOVEREIGN_FQDN}/
-        audience: netbird
-      httproute:
-        hostname: netbird.${SOVEREIGN_FQDN}
-      realmConfig:
-        enabled: true
-        realm: ${SOVEREIGN_REALM_NAME:=sovereign}
--- a/clusters/_template/bootstrap-kit/54-bp-dmz-vcluster.yaml
+++ b/clusters/_template/bootstrap-kit/54-bp-dmz-vcluster.yaml
@ -1,71 +0,0 @@
-# bp-dmz-vcluster — Catalyst bootstrap-kit Blueprint slot 54. DMZ
-# isolated virtual Kubernetes cluster running inside the management
-# cluster.
-#
-# Per ADR-0001 §3.2.8 + EPIC-5 leftovers slice DMZ #1100: every
-# Sovereign that publishes customer-facing APIs / webhooks gets a
-# DMZ vCluster.
-#
-# qa-loop iter-12 Fix #53C: matrix asserts dmz namespace + vcluster
-# CRD registered + omantel-dmz kubeconfig context (TC-286, TC-287,
-# TC-288). Without this slot the chart was authored but never installed.
-#
-# Wrapper chart: products/dmz-vcluster/chart/
-# Reconciled by: Flux on the new Sovereign's k3s control plane.
-#
-# Default-OFF gate: DMZ_VCLUSTER_ENABLED defaults to "false" via envsubst.
-
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dmz
-  labels:
-    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
-    catalyst.openova.io/isolation: dmz
---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: bp-dmz-vcluster
-  namespace: flux-system
-spec:
-  type: oci
-  interval: 15m
-  url: oci://ghcr.io/openova-io
-  secretRef:
-    name: ghcr-pull
---
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: bp-dmz-vcluster
-  namespace: flux-system
-spec:
-  interval: 15m
-  releaseName: dmz-vcluster
-  targetNamespace: dmz
-  dependsOn:
-    - name: bp-cilium
-    - name: bp-cert-manager
-  chart:
-    spec:
-      chart: bp-dmz-vcluster
-      version: 0.1.1
-      sourceRef:
-        kind: HelmRepository
-        name: bp-dmz-vcluster
-        namespace: flux-system
-  install:
-    disableWait: true
-    remediation:
-      retries: 3
-  upgrade:
-    disableWait: true
-    remediation:
-      retries: 3
-  values:
-    dmz:
-      enabled: ${DMZ_VCLUSTER_ENABLED:=false}
-      hostNamespace: dmz
-      vclusterName: ${DMZ_VCLUSTER_NAME:=dmz}