Compare commits
base: openova:1f5c76def184ced8141299974c06ef435785f48e
compare: openova:df8c3ebb9d93cae14eafda81e73f96558109e39c
openova:fix-treemap-hel-region-missing
openova:fix-a6-hardening-indent-warn
openova:fix/e8b-cnpg-pair-seed
openova:fix-a6b-flush-13-bootstrap-kit-drifts
openova:fix-d6-helmwatch-stale-state
openova:fix-a6-deploy-bot-auto-bump-pin
openova:fix-c18c-gitea-plural-ref
openova:fix-e16-users-endpoint
openova:fix-c19-openova-catalog-pivot
openova:fix-c18b-provisioning-token-secret-ownership
openova:fix-newapi-admin-secret-tbd-d14
openova:deploy-cutover-pin-0.1.30
openova:fix-cloud-list-kind-nodes-fanout-tbd-e6
openova:fix-gitea-token-mint-cutover
openova:fix-rbac-matrix-endpoint-tbd-f4
openova:fix-openova-flow-404-root-path
openova:deploy-bp-guacamole-bootstrap-kit-0.1.23
openova:fix-guacamole-readiness-probe-path
openova:chore/bootstrap-kit-pin-1.4.166-tbd-e8
openova:fix/catalog-seed-published-blueprints-tbd-e8
openova:bump-bp-guacamole-022-pin
openova:archive/fix-tbd-g4-guacamole-chart-bump
openova:fix-orphan-httproutes-tbd-g6
openova:feat-sandbox-tier-bound-capabilities
openova:fix-prov-rolling-image-guard
openova:fix-t20-newapi-oidc-secret-materialization
openova:fix-t20-crossplane-provider-hcloud-pin
openova:fix-t20-guacamole-mount-path
openova:fix-t20-nats-stream-overlap
openova:fix-t20-listener-naming-collision
openova:fix-t20-harborpublicurl-hostname
openova:sandbox-wave15-integration-tests
openova:sandbox-wave15-metrics-emitters
openova:sandbox-wave15-provisioning-ui
openova:wave16-collector-chart-1.4.163
openova:sandbox-wave14-byos-placeholder-warning
openova:sandbox-wave14-grafana-dashboard
openova:sandbox-wave13-mcp-stripe
openova:sandbox-wave13-ui-websocket
openova:docs-wave12-14-session-addendum
openova:fix-sandbox-mcp-build-context-and-bump-wiring
openova:dependabot/go_modules/products/sandbox/mcp-server/golang.org/x/crypto-0.45.0
openova:archive/sandbox-wave12-mcp-storage-v2
openova:sandbox-wave12-mcp-storage
openova:sandbox-wave13-mcp-deploy
openova:sandbox-wave12-mcp-preview
openova:fix-convergence-tenant-cnpg-cross-region
openova:sandbox-wave12-mcp-marketplace-flux
openova:sandbox-wave12-mcp-rag-skills-v2
openova:sandbox-wave11-mcp-auth-secrets
openova:dependabot/go_modules/products/openova-flow/adapter-flux/golang.org/x/net-0.38.0
openova:dependabot/go_modules/products/openova-flow/server/golang.org/x/crypto-0.45.0
openova:dependabot/go_modules/products/sandbox/mcp-server/github.com/golang-jwt/jwt/v5-5.2.2
openova:dependabot/go_modules/products/sandbox/mcp-server/golang.org/x/net-0.38.0
openova:dependabot/go_modules/core/cmd/k8s-ws-proxy/golang.org/x/net-0.38.0
openova:dependabot/go_modules/core/cmd/k8s-ws-proxy/golang.org/x/oauth2-0.27.0
openova:dependabot/go_modules/core/controllers/golang.org/x/crypto-0.45.0
openova:dependabot/go_modules/products/openova-flow/adapter-flux/golang.org/x/oauth2-0.27.0
openova:dependabot/go_modules/core/cmd/projector/golang.org/x/crypto-0.45.0
openova:dependabot/go_modules/platform/newapi/internal/handler/github.com/golang-jwt/jwt/v5-5.2.2
openova:dependabot/go_modules/core/cmd/projector/golang.org/x/net-0.38.0
openova:dependabot/go_modules/core/cmd/cert-manager-dynadot-webhook/golang.org/x/net-0.38.0
openova:dependabot/go_modules/core/controllers/golang.org/x/net-0.38.0
openova:dependabot/go_modules/core/controllers/golang.org/x/oauth2-0.27.0
openova:dependabot/go_modules/core/cmd/cert-manager-dynadot-webhook/golang.org/x/crypto-0.45.0
openova:dependabot/go_modules/core/cmd/projector/golang.org/x/oauth2-0.27.0
openova:dependabot/go_modules/core/cmd/cert-manager-dynadot-webhook/golang.org/x/oauth2-0.27.0
openova:dependabot/go_modules/core/services/metering-sidecar/golang.org/x/crypto-0.45.0
openova:dependabot/go_modules/core/services/notification/golang.org/x/crypto-0.45.0
openova:dependabot/go_modules/core/services/shared/golang.org/x/crypto-0.45.0
openova:sandbox-wave11-mcp-pr-issue-logs-v2
openova:test-marketplace-customer-journey
openova:fix-convergence-wave11-newapi-attestation-optional
openova:sandbox-wave11-mcp-db-tools
openova:fix-convergence-wave11-bp-sandbox-harbor-cycle
openova:sandbox-wave10-idle-scaler
openova:sandbox-wave9-controller-newapi-token-wire
openova:fix-convergence-set-tenant-public
openova:sandbox-wave9-playwright-tests
openova:dependabot/go_modules/products/sandbox/mcp-server/golang.org/x/oauth2-0.27.0
openova:sandbox-wave8-mcp-real-tools
openova:fix-convergence-per-tenant-httproute
openova:sandbox-wave9-plans-seed
openova:sandbox-wave8-pod-spawn
openova:fix-convergence-gateway-pool-listeners
openova:sandbox-wave8-session-orchestrator
openova:sandbox-wave8-newapi-sandbox-token
openova:sandbox-wave7-sessions-api
openova:fix-convergence-nats-consumers
openova:docs-session-2026-05-17-convergence
openova:sandbox-wave6-bootstrap-kit-slot
openova:sandbox-wave4-marketplace-catalog-entry
openova:sandbox-wave5-ci-builds
openova:sandbox-wave4-newapi-sovereign-install-v2
openova:archive/fix-convergence-catalyst-sme-jwt-bridge
openova:fix-convergence-per-tenant-dns
openova:fix-convergence-broker-nats-bridge
openova:fix-convergence-bss-voucher-proxy
openova:fix-convergence-vcluster-crd-install
openova:fix-convergence-marketplace-tld-state
openova:sandbox-wave1-controller-chart
openova:sandbox-wave3-ui-scaffold
openova:sandbox-wave1b-newapi-byos-jwt
openova:sandbox-wave2-pty-mcp
openova:wave6-fix-bss-tenants
openova:archive/wave6-fix-bss-billing
openova:archive/wave6-fix-bss-revenue
openova:wave6-fix-bss-vouchers
openova:wave6-fix-bss-orders
openova:archive/wave2-fix-family-b-status-sync
openova:wave2-fix-family-e-compliance
openova:archive/wave2-fix-family-c-resource-detail
openova:archive/wave2-fix-family-d-treemap
openova:prp-store-marketplace-enabled
openova:pro-gateway-per-zone-cert
openova:prn-handover-cert-fallback
openova:prm-dashboard-default-cluster-bss-link
openova:prl-app-helmrelease-fallback
openova:prk-publish-toggle-app-detail
openova:prj-marketplace-get-toggle-state
openova:d30-pri-mark-imported-adopted-clean
openova:d30-pri-mark-imported-adopted
openova:d16-prh-resolve-multicluster
openova:bump-bootstrap-kit-1.4.148
openova:d17-prg-exclude-mother-only-on-sovereign
openova:d27-fix-fresh-seed-published-default
openova:d16-prf-export-route-and-fanout
openova:fix/1546-spa-routing-bp-prefix-pin-fleet
openova:fix/region-key-spec-off-by-one
openova:archive/fix_sovereign-ui-handover-redirect
openova:fix/secondary-region-sovereign-fqdn-slug
openova:feat/multiregion-per-region-network
openova:feat/multiregion-dod-and-dmz-wg-architecture
openova:fix/sovereign-dns-parent-zone-write
openova:fix/tls-restart-rbac-list-watch
openova:fix/cilium-cluster-name-from-first-install
openova:fix/auto-derive-cluster-mesh-id
openova:fix/dependson-canon-resolve-existing
openova:fix/job-dependson-canonical-prefix
openova:fix/event-carries-dependson
openova:fix/tls-restart-flux-substitute-escape
openova:fix/helmwatch-skip-tls-verify-sovereign-self-signed
openova:fix/helmwatch-bridge-tls-skipverify
openova:fix/sovereign-tls-per-name-certs
openova:fix/sovereign-tls-restart-also-cilium-operator
openova:dependabot/npm_and_yarn/core/marketplace/svelte-5.55.7
openova:dependabot/npm_and_yarn/products/continuum/cloudflare-worker/multi-b445804c36
openova:dependabot/npm_and_yarn/core/admin/svelte-5.55.7
openova:dependabot/npm_and_yarn/core/marketplace/devalue-5.8.1
openova:fix/cloud-init-private-nic-subnet-route
openova:fix/basepath-preserve-canonical-nav
openova:fix/workdir-key-by-deployment-id
openova:fix/verifypin-preserve-basepath-on-hard-nav
openova:fix/cloudinit-tftpl-escape-wildcard-cert-issuer
openova:fix/openbao-auth-bootstrap-idempotent-post-upgrade
openova:fix/httproute-backend-service-naming-collapse
openova:fix/cilium-gateway-world-ingress-ccnp
openova:dependabot/go_modules/products/openova-flow/server/github.com/jackc/pgx/v5-5.9.2
openova:fix-default-deny-allowlist-catalyst-ns-prov72
openova:fix-secondary-private-nic-race-prov71
openova:dependabot/npm_and_yarn/core/marketplace/multi-04ca55b44c
openova:dependabot/npm_and_yarn/core/admin/multi-04ca55b44c
openova:fix/flow-snapshot-region-scoped-deps
openova:fix/flow-snapshot-primary-region-group
openova:fix/k3s-tls-san-public-ip-and-qa-region-label
openova:fix/k3s-max-pods-220
openova:fix/k3s-node-ip-bind-private
openova:fix/catalyst-api-mem-4gi
openova:fix/flow-snapshot-dedupe-multiregion
openova:fix/flow-snapshot-derive-region-from-jobname
openova:fix/jobs-table-strip-deploymentid-prefix
openova:fix/bp-guacamole-test-resource-count
openova:fix/bp-cnpg-wait-for-webhook
openova:fix/cilium-kube-proxy-replacement-true
openova:fix/secondary-cp-private-ip-templatefile-var
openova:feat-flow-snapshot-deps-and-drilldown
openova:fix-catalyst-platform-hook-recurrence-1778546000
openova:fix-bp-powerdns-deadline-recurrence-1778534000
openova:dependabot/npm_and_yarn/products/catalyst/bootstrap/ui/tanstack/react-query-5.100.10
openova:dependabot/npm_and_yarn/products/catalyst/bootstrap/ui/tanstack/react-router-1.169.8
openova:dependabot/npm_and_yarn/products/axon/typescript-6.0.3
openova:dependabot/npm_and_yarn/products/catalyst/bootstrap/ui/eslint-10.3.0
openova:dependabot/npm_and_yarn/products/axon/types/node-25.7.0
openova:dependabot/npm_and_yarn/products/catalyst/bootstrap/ui/react-hook-form-7.75.0
openova:dependabot/npm_and_yarn/products/axon/anthropic-ai/claude-agent-sdk-0.2.139
openova:dependabot/npm_and_yarn/products/catalyst/bootstrap/ui/rjsf/core-6.5.2
openova:fix-jobdetail-openova-flow-fallback-1778520000
openova:fix-restore-natural-view-fold-badges-1778518100
openova:feat/openova-flow-canvas-ux-agent9
openova:fix-catalyst-api-openova-flow-env-1778517100
openova:fix/openova-flow-proxy-derive-url-agent8
openova:g3-flux-per-region-path
openova:fix/deployments-list-broken-import-line-181
openova:fix/deployments-list-test-unused-import-180
openova:fix/hetzner-hel1-network-zone-179
openova:fix/shells-issue-176
openova:fix/continuum-switchover-169
openova:fix/deployment-detail-content-170
openova:fix/rbac-audit-events-162
openova:fix/catalyst-api-reflector-reset-156
openova:fix/cutover-deadline-bump-152
openova:fix/es-stores-hr-timeout-143
openova:archive/fix_catalyst-platform-hook-136
openova:fix/aws-skip-region-validation-135
openova:fix/aws-s3-provider-hetzner-133
openova:fix/gitea-hr-timeout-131
openova:archive/fix_keycloak-post-upgrade-hook-timeout-129
openova:fix/cutover-helm-timeout-127
openova:archive/fix124-gitea-token-preinstall
openova:archive/fix_qa-loop-fix120-hetzner-purge-selector
openova:fix/compliance-handler-shape-fix97
openova:archive/fix_qa-loop-fix88-multi-region-overlay
openova:archive/fix_bp-crossplane-claims-composition-validate-89
openova:archive/fix_qa-loop-fix73-qa-fixtures-flag
openova:archive/qa-loop-iter16-fix68-networking
openova:archive/qa-loop-iter16-fix67
openova:archive/fix_qa-loop-iter16-fix65-openova-catalog-helmrepo
openova:archive/fix_bp-catalyst-platform-install-schema-prov7
openova:archive/fix_qa-loop-iter15-fix58-applications-handlers
openova:archive/fix_qa-loop-iter15-fix63-continuum-dr-handlers
openova:fix60-rbac-handlers
openova:revert/bp-keycloak-1.5.0-blocking-provision
openova:fix/qa-loop-iter12-fix54-hcloud-ccm-and-friends
openova:archive/fix_qa-loop-iter12-template-extras
openova:deploy/catalyst-images-0a11107
openova:archive/fix_qa-loop-iter12-services-bootstrap
openova:archive/fix_qa-loop-iter12-keycloak-realm-omantel
openova:fix/iter12-overviewpanel-helm-null-types
openova:archive/fix_qa-loop-iter12-clustermesh-loadbalancer
openova:fix/iter12-resources-pages-live
openova:archive/fix_qa-loop-iter11-networking-fix48
openova:archive/deploy_pin-bootstrap-kit-1.4.119
openova:fix/qa-loop-iter11-compliance-envelope
openova:archive/fix_qa-loop-iter10-application-controller-bump-chart-blueprint-release
openova:fix/qa-loop-iter10-application-controller-targetns
openova:archive/fix_qa-loop-iter8-fix42-app-repo-public
openova:archive/deploy_qa-loop-iter8-fix42-bumps-v2
openova:archive/fix_qa-loop-iter8-fix42-env-ensurebranch
openova:archive/fix_qa-loop-iter9-fix43-rbac-list-regressions
openova:archive/deploy_qa-loop-iter8-fix42-bootstrap-kit-pin
openova:archive/deploy_qa-loop-iter8-fix42-controller-bumps
openova:archive/fix_qa-loop-iter8-controllers-fix-42-followup-containerfiles
openova:archive/fix_qa-loop-iter8-controllers-fix-42
openova:fix/qa-loop-iter8-fix40-followup
openova:fix/qa-loop-iter7-fix38-useraccess-regex-pipe
openova:fix/qa-loop-iter8-cluster-a-b
openova:fix/qa-loop-iter7-fix38-sovereignref-fqdn
openova:fix/qa-loop-iter7-fix38-bootstrap-kit-region
openova:fix/qa-loop-iter7-fix38-region-pattern
openova:fix/qa-loop-iter7-fix38-test-jest-dom
openova:fix/qa-loop-iter7-fix38-three-regressions
openova:archive/fix_qa-loop-iter7-seeder-fqn-resource-names
openova:fix/qa-loop-iter6-clustermesh-template-substitute
openova:fix/qa-loop-iter6-cnpg-pair-render-test
openova:fix/qa-loop-iter6-clustermesh-and-cnpg-pair
openova:epic-6/iter-6-continuum-fixture-image-fix
openova:epic-6/iter-6-continuum-target-state
openova:archive/fix_qa-loop-iter6-qa-fixtures
openova:archive/fix_qa-loop-iter6-spa-target-state-routes
openova:archive/fix_qa-loop-iter6-api-contract-drift
openova:archive/fix_qa-loop-iter5-sse-ready-frame-guard
openova:archive/fix_qa-loop-iter4-users-null-map-redirect
openova:archive/fix_qa-loop-iter4-fix24-chart-bump
openova:fix/qa-loop-iter4-kc-realm-roles-bootstrap
openova:archive/fix_qa-loop-iter3-helmignore-crds-tests
openova:archive/fix_qa-loop-iter3-rbac-post-500
openova:archive/fix_qa-loop-iter3-bump-catalyst-pin-to-1.4.95
openova:dependabot/github_actions/opentofu/setup-opentofu-2
openova:archive/fix_qa-loop-iter3-clusterroles-gvr-sha
openova:archive/fix_qa-loop-iter3-catalog-404
openova:archive/fix_qa-loop-iter2-be-handler-errors
openova:archive/fix_qa-loop-iter1-app-controller-tag-bump
openova:archive/fix_qa-loop-iter1-catalyst-runtime-config-cm
openova:archive/fix_qa-loop-iter1-cloud-list-factory-alias
openova:archive/fix_qa-loop-iter1-sse-timeouts
openova:archive/fix_qa-loop-iter1-catalog-imagepullsecrets
openova:archive/fix_qa-loop-iter1-compliance-crash
openova:archive/fix_qa-loop-iter1-rbac-audit-403
openova:dependabot/npm_and_yarn/products/continuum/cloudflare-worker/multi-ca0691f2bd
openova:archive/fix_qa-loop-iter1-apps-handler-methods
openova:dependabot/npm_and_yarn/products/continuum/cloudflare-worker/multi-1cc4f64875
openova:dependabot/npm_and_yarn/products/continuum/cloudflare-worker/multi-ea700702bc
openova:epic-4/slice-x2-e-logs-exec-ui
openova:dependabot/go_modules/core/cmd/k8s-ws-proxy/github.com/moby/spdystream-0.5.1
openova:epic-4/slice-k-p-x1-g-backend-infra
openova:epic-6/slice-u-dr-1-continuum-ui
openova:epic-6/slice-f-dr-runbook-audit
openova:archive/epic-2_slice-t-o-p-application-pages
openova:epic-6/slice-k-cont-3-lease-witness-impls
openova:dependabot/go_modules/products/catalyst/bootstrap/api/github.com/golang-jwt/jwt/v5-5.2.2
openova:archive/epic-3_slice-f-azure-sso-federation
openova:epic-0/cc1-promote-shared-controllers-internal
openova:archive/epic-0_stretch-ci-failures-fix
openova:dependabot/npm_and_yarn/products/axon/fast-uri-3.1.2
openova:archive/epic-0_slice-c2-environment-controller
openova:fix/auth-gate-route-bypass-1090a2-v2
openova:archive/fix_auth-handlers-logout-pin-1090e
openova:archive/fix_mothership-anon-hang-deep-link-1090b
openova:archive/fix_dashboard-metrics-rbac
openova:fix/parent-kust-prefix-match
openova:fix/cutover-step-06-surface-git-push-error
openova:rollback/contabo-pin-pre-977
openova:archive/fix_no-mid-provision-wipe-914
openova:archive/fix_sme-smtp-defaults-934-followup
openova:archive/feat_auto-cutover-on-handover-933
openova:archive/fix_phase1-watcher-pod-restart-resume
openova:feat/wordpress-tenant-oidc-keycloak-915
openova:archive/feat_newapi-qwen-bankdhofar-channel-915
openova:feat/keycloak-tenant-oidc-clients-915
openova:archive/fix_pdm-client-basicauth
openova:archive/fix_bp-stalwart-tenant-898
openova:fix/sovereign-login-901
openova:archive/fix_bp-keycloak-tenant-899
openova:fix/sme-tenant-parent-index-889
openova:fix/marketplace-api-secrets-887
openova:archive/fix_cutover-driver-rbac-830-hotfix2
openova:archive/fix_cutover-driver-rbac-830-hotfix
openova:archive/feat_multi-domain-data-model-826
openova:archive/fix_durable-phase1-watcher-830-bug3
openova:archive/fix_gitea-admin-secret-830-bug2
openova:archive/fix_cutover-driver-rbac-830-bug1
openova:archive/feat_multi-domain-sovereign-826
openova:archive/feat_bp-newapi-maturation-799
openova:archive/feat_self-sovereignty-cutover-790-B
openova:archive/fix_sovereign-catalyst-api-uses-in-cluster-service-urls-781
openova:dependabot/npm_and_yarn/products/axon/ioredis-5.10.1
openova:archive/feat_handover-auto-fire-and-redirect-764-768
openova:archive/fix_decommission-verbose-log-view-766
openova:archive/fix_deployment-id-branded-type-754-749
openova:archive/fix_cpx21-investigation-and-kubectl-retry-752-753
openova:fix/cloud-init-apply-flux-before-crossplane-provider
openova:fix/sovereign-defaults-orderable-eu-skus
openova:fix/provisioner-regions-empty-not-null
openova:fix/provisioner-omit-empty-singular-sizes
openova:fix/sovereign-default-cost-optimized-sizes
openova:archive/fix_k3s-tls-san-cp-private-ip
openova:feat/marketplace-settings-page-710
openova:feat/sovereign-catalog-admin-page-710
openova:fix/jobdetail-physics-r5
openova:fix/magic-link-url-prefix
openova:fix/dns01-wildcard-tls-chain
openova:fix/553-powerdns-cnpg-namespace
openova:fix/547-min-bootstrap-hrs-cardinality
openova:fix/bp-openbao-bump-1.2.1-517
openova:fix/493-flow-physics-scale
openova:fix/382-omantel
openova:docs/wbs-progress-tick-8
openova:fix/381-omantel
openova:fix/371-omantel
openova:docs/316-wbs-update
openova:fix/375-omantel
openova:fix/316-omantel
openova:fix/378-omantel
openova:fix/370-omantel
openova:fix/post-v2-polish-366-test-followup
openova:fix/post-v2-polish-366
openova:feat/graph-polish-348
openova:docs/adr-0001-catalyst
openova:feat/p3-clean
openova:feat/p2-clean
openova:feat/cloud-section-rename
openova:feat/cloud-list-pages
openova:feat/cloud-architecture-graph
openova:fix/331-bp-external-secrets-stores-split
openova:fix-305-followup-execlogs-apibase
openova:fix/agent-D-bp-powerdns-post-install-hook
openova:fix-305-followup-jobid-colon
openova:fix-305-followup-logtailer-regex
openova:chore/310-bootstrap-trim-prep
openova:fix-305-followup-corefactory-default
openova:fix-305-job-logs-end-to-end
openova:docs/principles-ticket-watch-multiparallel-sessions
openova:fix/sme-services-kustomization-corrupted
openova:fix/flow-mockup-fidelity-final
openova:docs/principles-deploy-chain-and-lessons-27-30
openova:dependabot/go_modules/core/cmd/cert-manager-dynadot-webhook/go.opentelemetry.io/otel/sdk-1.43.0
openova:dependabot/go_modules/core/cmd/cert-manager-dynadot-webhook/google.golang.org/grpc-1.79.3
openova:feat/cert-manager-dynadot-webhook
openova:feat/flow-canvas-polish-and-routing
openova:fix/pipeline-layout-jobname-deps
openova:fix/jobs-dependson-from-helmrelease
openova:feat/jobs-flow-tab-two-level-sugiyama
openova:fix/jobs-backend-only-v2
openova:fix/jobs-table-backend-only
openova:feat/infrastructure-topology-default-and-crud-modals
openova:feat/infrastructure-crud-via-crossplane-xrc
openova:fix/composition-validate-abspath
openova:feat/crossplane-compositions-day2-crud
openova:fix/getjob-accept-bare-jobname
openova:fix/jobs-bridge-backfill-live-state
openova:fix/wizard-realtime-visibility
openova:fix/gitea-postgres-bitnamilegacy
openova:fix/spire-disable-all-spiffeid
openova:feat/infrastructure-page-topology-tabs
openova:fix/spire-disable-default-spiffeid
openova:feat/dashboard-treemap
openova:feat/theme-toggle-and-card-cosmetics
openova:fix/cilium-l7proxy-envoy-crds
openova:feat/jobs-redesign-batch-detail
openova:fix/bootstrap-kit-timeout-15m
openova:fix/scratch-charts-hollow-gate
openova:fix/remove-disabletakeownership-not-in-schema
openova:fix/clusters-otech-bootstrap-tree
openova:feat/security-charts-batch-3
openova:feat/observability-charts-batch-1
openova:feat/jobs-table-view-204
openova:fix/build-smoke-tempo-ntfy-svg
openova:feat/jobs-executions-api-205
openova:feat/jobs-deps-viz-206
openova:fix/issue-207-cloudinit-localpath-poll
openova:feat/job-detail-log-viewer-204
openova:fix/pixel-port-testids
openova:fix/logo-backgrounds-batch-2
openova:fix/bp-powerdns-bootstrap-kit-1.1.2
openova:fix/issue-191-bp-keycloak-bitnami-tag
openova:fix/issue-190-capabilities-gates
openova:fix/issue-192-bp-powerdns-bootstrap-kit
openova:fix/blueprint-yaml-version-sync
openova:feat/cosmetic-regression-guards
openova:fix/cloudinit-keep-local-path-storageclass
openova:fix/bp-flux-no-destroy-version-align
openova:fix/sovereign-pixel-port-console-nova-v3
openova:feat/cloudinit-postback-kubeconfig-bearer-token
openova:feat/bp-external-dns-umbrella-bootstrap-kit
openova:fix/helmwatch-first-seen-gate
openova:docs/operator-runbook-remediation
openova:fix/bp-charts-observability-toggles-default-false
openova:fix/bp-disable-observability-via-helmrelease-values
openova:fix/admin-ui-grounding-helmwatch-not-deployment-status
openova:fix/cloudinit-ghcr-pull-secret-durable
openova:docs/reconcile-pass-3
openova:fix/sovereign-admin-pixel-port-nova-catalog
openova:fix/catalyst-api-deployment-strategy-replace-patch
openova:feat/blueprint-release-subchart-verification
openova:fix/catalyst-api-containerfile-go-1-26
openova:feat/catalyst-api-helmrelease-watch-per-component-sse
openova:feat/bp-charts-as-umbrellas
openova:feat/sovereign-admin-app-cards-tabs
openova:fix/bootstrap-kit-ghcr-pull-secret
openova:fix/flux-bootstrap-split-kustomizations
openova:fix/bootstrap-kit-no-kubesystem-redecl
openova:feat/catalyst-api-persist-deployments-pvc
openova:fix/cloudinit-cilium-pre-flux
openova:fix/provision-events-buffer-replay
openova:fix/ui-containerfile-bundle-bootstrap-kit
openova:fix/logo-tile-per-brand-colour
openova:fix/tofu-remove-redundant-dns-write
openova:fix/tofu-cpx-validation
openova:fix/logo-contrast-mirror-marketplace
openova:fix/catalyst-api-bundle-tofu-binary
openova:fix/wizard-contrast-audit
openova:fix/wizard-review-pixel-match-marketplace
openova:fix/catalyst-api-bundle-tofu-module
openova:fix/provision-invariant-fix
openova:fix/provision-as-spa-route
openova:fix/wizard-review-density-component-cards
openova:fix/wizard-logo-contrast-tile
openova:fix/wizard-card-4line-grid-full-width
openova:fix/canonical-provider-skus
openova:docs/reconcile-pass-2
openova:fix/wizard-step-order-per-provider-sku
openova:fix/marketplace-pages-design-language-match
openova:fix/wizard-card-pixel-match-marketplace
openova:feat/wizard-card-chips-product-detail-family-portfolio
openova:fix/wizard-original-logos
openova:feat/provision-dynamic-dag-sse
openova:feat/wizard-step-reorder-review-revamp
openova:fix/wizard-dependency-mapping-audit
openova:feat/wizard-worker-size-selector
openova:fix/product-family-deps
openova:docs/reconcile-pass-1
openova:fix/component-card-logos
openova:fix/wizard-step-header
openova:feat/wizard-byo-domain
openova:feat/remove-k8gb
openova:feat/pdm-per-sovereign-zones
openova:feat/bp-powerdns
openova:feat/registrar-adapters
openova:dependabot/go_modules/core/pool-domain-manager/github.com/jackc/pgx/v5-5.9.2
openova:feat/pool-domain-manager
openova:feat/wizard-stepcomponents-polish
openova:feat/wizard-stepcomponents-corporate-grid
openova:feat/wizard-ssh-key-ux
openova:feat/group-l-playwright-smoke-tests-v2
openova:feat/sovereign-route-wiring-finish
openova:feat/group-g-dns-finish-v3
openova:feat/group-i-success-state-126-v2
openova:feat/bp-external-dns-leaf-chart
openova:feat/group-f-umbrella-chart-fix-v2
openova:feat/group-m-dod-clean
openova:docs/validation-log-pass-107
openova:feat/group-m-dod-scaffolding
openova:feat/group-g-dns-finish-v2
openova:group-i-wizard-ux-polish
openova:group-l-testing
openova:feat/group-h-franchise-vouchers
openova:group-k-docs
openova:group-j-hetzner-infra-docs
openova:dependabot/github_actions/actions/checkout-6
2 Commits
1f5c76def1
...
df8c3ebb9d
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
df8c3ebb9d | fix(bp-keycloak): bump blueprint.yaml version to match Chart.yaml 1.1.2 | ||
|
|
27a1ac5472 |
fix(bp-keycloak): pin to current Bitnami Keycloak tag (closes #191)
Bitnami consolidated their tag scheme around 2025-09 (see https://github.com/bitnami/charts/issues/30852). The chart was pinned to upstream bitnami/keycloak Helm chart 24.7.1, whose default image tag `bitnami/keycloak:26.2.4-debian-12-r0` now returns 404 in the Docker Hub registry — installs hit ImagePullBackOff (verified on omantel). Changes: - Upstream Bitnami chart: 24.7.1 -> 25.2.0 (latest, appVersion 26.3.3) - Override image.registry/image.repository for every Bitnami image used by the chart (keycloak app, keycloak-config-cli, postgresql, postgres-exporter, os-shell) to point at `bitnamilegacy/*`, where the historic debian-12 tags are preserved - Replace deprecated `proxy: edge` with `proxyHeaders: "xforwarded"` (chart 25.x renamed the field; Catalyst fronts Keycloak with Cilium Gateway which sets X-Forwarded-* headers) - bp-keycloak chart version: 1.1.1 -> 1.1.2 Verification (registry HEAD via Bearer token): bitnami/keycloak:26.2.4-debian-12-r0 -> 404 (broken pin) bitnami/keycloak:26.3.3-debian-12-r0 -> 404 (registry move) bitnamilegacy/keycloak:26.3.3-debian-12-r0 -> 200 bitnamilegacy/keycloak-config-cli:6.4.0-... -> 200 bitnamilegacy/postgresql:17.6.0-debian-12-r0 -> 200 bitnamilegacy/postgres-exporter:0.17.1-... -> 200 bitnamilegacy/os-shell:12-debian-12-r50 -> 200 `helm template platform/keycloak/chart` renders cleanly; rendered images all resolve to bitnamilegacy/* tags listed above. Long-term follow-up (not blocking): bitnamilegacy is explicitly marked "no longer updated, may be removed in the future" — Catalyst should either build its own Keycloak image or migrate to the Bitnami Secure Image (BSI/Photon) catalog when chart support catches up. Tracked in the bp-keycloak description block. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
3 changed files with 54 additions and 6 deletions
|
|
@ -5,7 +5,7 @@ metadata:
|
|||
labels:
|
||||
catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services
|
||||
spec:
|
||||
version: 1.1.1
|
||||
version: 1.1.2
|
||||
card:
|
||||
title: keycloak
|
||||
summary: Keycloak — user identity. Topology decided by Sovereign CRD spec.keycloakTopology (per-organization for SME, shared-sovereign for corporate).
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v2
|
||||
name: bp-keycloak
|
||||
version: 1.1.1
|
||||
version: 1.1.2
|
||||
description: |
|
||||
Catalyst-curated Blueprint umbrella chart for Keycloak. Depends on the
|
||||
upstream `keycloak` chart (bitnami) as a Helm subchart so
|
||||
|
|
@ -16,12 +16,21 @@ maintainers:
|
|||
email: catalyst@openova.io
|
||||
|
||||
# Upstream chart pulled in as a Helm subchart so `helm dependency build`
|
||||
# bundles it into the OCI artifact. Pinned to bitnami/keycloak 24.7.1
|
||||
# bundles it into the OCI artifact. Pinned to bitnami/keycloak 25.2.0
|
||||
# (matches platform/keycloak/blueprint.yaml + values.yaml
|
||||
# `catalystBlueprint.upstream.version`). Per
|
||||
# docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode) the version is
|
||||
# operator-bumpable via PR + Blueprint release.
|
||||
#
|
||||
# Bitnami consolidated their tag scheme around 2025-09 (see
|
||||
# https://github.com/bitnami/charts/issues/30852): the original
|
||||
# `bitnami/keycloak:<x>-debian-12-rN` tags now 404 in the registry. The
|
||||
# preserved historic tags live under `bitnamilegacy/keycloak` (read-only
|
||||
# archive). values.yaml overrides image.registry/image.repository to point
|
||||
# every Bitnami image used by this chart at `bitnamilegacy/*` so installs
|
||||
# succeed. Long-term we will migrate to a Catalyst-built or upstream
|
||||
# replacement Keycloak image (issue #191 follow-up).
|
||||
dependencies:
|
||||
- name: keycloak
|
||||
version: "24.7.1"
|
||||
version: "25.2.0"
|
||||
repository: "https://charts.bitnami.com/bitnami"
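Review bot: The comment added above `dependencies:` describes `bitnamilegacy/keycloak` only as a "read-only archive" and leaves out what the commit message states, that the repository is no longer updated and may be removed, so a reader of Chart.yaml alone will not see that the identity provider's images stop receiving updates at the pinned tags. I would add a line next to the issue #191 reference such as `# NOTE: bitnamilegacy/* is frozen (no further image updates, may be removed); treat this pin as temporary.` Separately, if this chart keeps a Chart.lock, it is not among the three changed files and would still record 24.7.1, so it should be regenerated together with the bump to 25.2.0; whether one exists cannot be seen from this page.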
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
# the values namespace).
|
||||
|
||||
catalystBlueprint:
|
||||
upstream: { chart: keycloak, version: "24.7.1", repo: "https://charts.bitnami.com/bitnami" }
|
||||
upstream: { chart: keycloak, version: "25.2.0", repo: "https://charts.bitnami.com/bitnami" }
|
||||
|
||||
# ─── Upstream chart values (subchart key: keycloak) ───────────────────────
|
||||
# Generated by docs/PROVISIONING-PLAN.md tickets [F] chart Pass 105+.
|
||||
|
|
@ -17,12 +17,51 @@ keycloak:
|
|||
auth:
|
||||
adminUser: admin
|
||||
production: true
|
||||
proxy: edge
|
||||
# Chart 25.x renamed `proxy: edge` to `proxyHeaders: "xforwarded"`. Catalyst
|
||||
# fronts Keycloak with Cilium Gateway (which sets `X-Forwarded-*`), and we
|
||||
# require `proxyHeaders` to be set so chart-level production-mode validation
|
||||
# passes without forcing in-pod TLS.
|
||||
proxyHeaders: "xforwarded"
|
||||
# ─── Bitnami image-registry consolidation (issue #191) ──────────────────
|
||||
# Bitnami consolidated their tag scheme around 2025-09 (see
|
||||
# https://github.com/bitnami/charts/issues/30852). The original
|
||||
# `bitnami/keycloak:<x>-debian-12-rN` tags now 404 in the registry; the
|
||||
# preserved historic tags moved to `bitnamilegacy/*` (read-only archive,
|
||||
# explicitly published as "no longer updated, may be removed in the
|
||||
# future"). Override repository for every Bitnami image referenced by
|
||||
# this chart (keycloak app, keycloak-config-cli sidecar, postgresql,
|
||||
# postgres-exporter, os-shell init) so `helm install` resolves real
|
||||
# manifests. Verified existence with registry HEAD calls before pinning.
|
||||
# Tag stays the chart 25.2.0 default (`26.3.3-debian-12-r0`) — re-pin
|
||||
# when the chart bumps and we re-verify the new tag.
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: bitnamilegacy/keycloak
|
||||
tag: 26.3.3-debian-12-r0
|
||||
keycloakConfigCli:
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: bitnamilegacy/keycloak-config-cli
|
||||
tag: 6.4.0-debian-12-r11
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
username: keycloak
|
||||
database: keycloak
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: bitnamilegacy/postgresql
|
||||
tag: 17.6.0-debian-12-r0
|
||||
metrics:
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: bitnamilegacy/postgres-exporter
|
||||
tag: 0.17.1-debian-12-r15
|
||||
volumePermissions:
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: bitnamilegacy/os-shell
|
||||
tag: 12-debian-12-r50
|
||||
ingress:
|
||||
enabled: false # Catalyst uses Cilium Gateway, not the chart ingress
|
||||
resources:
|
||||
|
|
|
|||
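Review bot: The five `image:` overrides added in the `@ -17,12 +17,51 @@` hunk (keycloak, keycloak-config-cli, postgresql, postgres-exporter, os-shell) pin by tag only and point at `bitnamilegacy/*`, which the comment above them describes as no longer updated. The identity provider and its database would therefore run images that receive no further security fixes, referenced by tags that are mutable. Since the tags were already checked against the registry, I would record the digest each one resolved to and set it beside the tag, e.g. `digest: "sha256:<digest-of-26.3.3-debian-12-r0>"` (placeholder; the Bitnami charts accept `image.digest`, which takes precedence over `tag`), so a replaced image fails the pull instead of deploying. Separately, `proxyHeaders: "xforwarded"` makes Keycloak accept `X-Forwarded-*` from whatever can reach the pod, and nothing visible in this hunk restricts pod ingress to the Cilium Gateway. A one-line comment such as `# requires a NetworkPolicy allowing only the gateway to reach Keycloak` would record that assumption.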