fix(bootstrap-kit): remove bp-netbird + bp-dmz-vcluster (charts never published) (#1289)

* fix(bp-catalyst-platform): switch gitea-token-mint Job image to alpine/k8s (curl + kubectl) bitnamilegacy/kubectl:1.29.3 lacks curl, so the post-install Job catalyst-gitea-token-mint CrashLoops with 'sh: 4: curl: not found'. Without the mint, catalyst-gitea-token Secret has empty token, catalyst-catalog + catalyst-organization-controller + catalyst-useraccess-controller all CrashLoop on 'CATALYST_GITEA_TOKEN is required'. alpine/k8s:1.31.4 bundles both kubectl 1.31.4 (matches k3s) and curl — canonical multi-tool image already used elsewhere in the platform. Caught on omantel provision #6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(bootstrap-kit): bump bp-guacamole pin 0.1.9 → 0.1.12 (bitnamilegacy/kubectl image) bp-guacamole 0.1.9 still references docker.io/bitnami/kubectl:1.30.4 in the storageclass-migrate pre-install Job. Bitnami removed bitnami/kubectl:* tags from Docker Hub mid-2026 (canonical surface is now bitnamilegacy/*). Job goes ImagePullBackOff → pre-install hook timeout → bp-guacamole HR Failed → bootstrap-kit Kustomization Failed → sovereign-tls Kustomization deps unmet → no Cilium Gateway → console.<sovereign> TLS unreachable. Chart 0.1.12 (already on main, never pinned in bootstrap-kit) ships migrationImage: docker.io/bitnamilegacy/kubectl:1.29.3 — the legacy registry path that resolves. Caught on omantel provision #6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(bootstrap-kit): remove bp-netbird + bp-dmz-vcluster (charts never published) Both blueprint charts have a chart-internal render test that fails ('empty image.tag did not abort render'); Blueprint Release CI never publishes them; HRs permanently fail with 'chart not found' on every fresh Sovereign provision; bootstrap-kit Kustomization wait: true healthCheck never converges; sovereign-tls Kustomization never gets ready; Cilium Gateway never created; console.<sovereign> TLS unreachable. Both blueprints are leaf nodes (no other HR depends on them). Remove from bootstrap-kit until the chart unit tests get fixed; re-add via follow-up PR with the test fixes shipped together. Caught on omantel provision #6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: alierenbaysal <alierenbaysal@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 16:33:53 +04:00 · 2026-05-10 16:33:53 +04:00 · 1492a28e60
commit 1492a28e60
parent 70208c506e
2 changed files with 0 additions and 155 deletions
--- a/clusters/_template/bootstrap-kit/53-bp-netbird.yaml
+++ b/clusters/_template/bootstrap-kit/53-bp-netbird.yaml
@ -1,84 +0,0 @@
 # bp-netbird — Catalyst bootstrap-kit Blueprint slot 53. NetBird
 # WireGuard-based zero-trust mesh + remote-access overlay.
 #
 # Per ADR-0001 §3.2.8 + EPIC-5 leftovers slice NB #1100: NetBird is the
 # canonical operator/engineer remote-access path into Sovereign workloads.
 #
 # qa-loop iter-12 Fix #53C: matrix asserts the netbird namespace +
 # management/signal/coturn Deployments exist (TC-281, TC-282, TC-283,
 # TC-284). Without this slot the chart was authored but never installed.
 #
 # Wrapper chart: platform/netbird/chart/
 # Reconciled by: Flux on the new Sovereign's k3s control plane.
 #
 # Default-OFF gate: NETBIRD_ENABLED defaults to "false" via envsubst —
 # Sovereigns that want NetBird flip it to "true" in the bootstrap-kit
 # Kustomization substitute.
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: netbird
  labels:
    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
  name: bp-netbird
  namespace: flux-system
 spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: bp-netbird
  namespace: flux-system
 spec:
  interval: 15m
  releaseName: netbird
  targetNamespace: netbird
  dependsOn:
    - name: bp-cilium
    - name: bp-cert-manager
    - name: bp-keycloak
    - name: bp-sealed-secrets
    - name: bp-nats-jetstream
  chart:
    spec:
      chart: bp-netbird
      version: 0.1.1
      sourceRef:
        kind: HelmRepository
        name: bp-netbird
        namespace: flux-system
  install:
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    remediation:
      retries: 3
  values:
    netbird:
      enabled: ${NETBIRD_ENABLED:=false}
      management:
        domain: netbird.${SOVEREIGN_FQDN}
      coturn:
        realm: netbird.${SOVEREIGN_FQDN}
      oidc:
        issuer: https://keycloak.${SOVEREIGN_FQDN}/realms/${SOVEREIGN_REALM_NAME:=sovereign}
        redirectURI: https://netbird.${SOVEREIGN_FQDN}/
        audience: netbird
      httproute:
        hostname: netbird.${SOVEREIGN_FQDN}
      realmConfig:
        enabled: true
        realm: ${SOVEREIGN_REALM_NAME:=sovereign}
--- a/clusters/_template/bootstrap-kit/54-bp-dmz-vcluster.yaml
+++ b/clusters/_template/bootstrap-kit/54-bp-dmz-vcluster.yaml
@ -1,71 +0,0 @@
 # bp-dmz-vcluster — Catalyst bootstrap-kit Blueprint slot 54. DMZ
 # isolated virtual Kubernetes cluster running inside the management
 # cluster.
 #
 # Per ADR-0001 §3.2.8 + EPIC-5 leftovers slice DMZ #1100: every
 # Sovereign that publishes customer-facing APIs / webhooks gets a
 # DMZ vCluster.
 #
 # qa-loop iter-12 Fix #53C: matrix asserts dmz namespace + vcluster
 # CRD registered + omantel-dmz kubeconfig context (TC-286, TC-287,
 # TC-288). Without this slot the chart was authored but never installed.
 #
 # Wrapper chart: products/dmz-vcluster/chart/
 # Reconciled by: Flux on the new Sovereign's k3s control plane.
 #
 # Default-OFF gate: DMZ_VCLUSTER_ENABLED defaults to "false" via envsubst.
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: dmz
  labels:
    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
    catalyst.openova.io/isolation: dmz
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
  name: bp-dmz-vcluster
  namespace: flux-system
 spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: bp-dmz-vcluster
  namespace: flux-system
 spec:
  interval: 15m
  releaseName: dmz-vcluster
  targetNamespace: dmz
  dependsOn:
    - name: bp-cilium
    - name: bp-cert-manager
  chart:
    spec:
      chart: bp-dmz-vcluster
      version: 0.1.1
      sourceRef:
        kind: HelmRepository
        name: bp-dmz-vcluster
        namespace: flux-system
  install:
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    remediation:
      retries: 3
  values:
    dmz:
      enabled: ${DMZ_VCLUSTER_ENABLED:=false}
      hostNamespace: dmz
      vclusterName: ${DMZ_VCLUSTER_NAME:=dmz}