openova/clusters/_template/bootstrap-kit/07-nats-jetstream.yaml

# bp-nats-jetstream — Catalyst bootstrap-kit Blueprint. Catalyst's control-plane event spine. Per-Org Account isolation. KV bucket per Environment.
#
# Wrapper chart: platform/nats-jetstream/chart/
# Catalyst-curated values: platform/nats-jetstream/chart/values.yaml
# Reconciled by: Flux on the new Sovereign's k3s control plane.

---
apiVersion: v1
kind: Namespace
metadata:
  name: nats-system
  labels:
    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bp-nats-jetstream
  namespace: flux-system
spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-nats-jetstream
  namespace: flux-system
spec:
  interval: 15m
  releaseName: nats-jetstream
  targetNamespace: nats-system
  # No dependsOn: bp-spire was dropped (PR #665, founder direction
  # 2026-05-03 — Cilium WireGuard mesh handles east-west mTLS).
  # NATS no longer needs SVID-based auth; the kernel-level WireGuard
  # encryption between every pod covers the in-flight traffic.
  chart:
    spec:
      chart: bp-nats-jetstream
      version: 1.1.1
      sourceRef:
        kind: HelmRepository
        name: bp-nats-jetstream
        namespace: flux-system
  # Event-driven install: NATS StatefulSet with JetStream raft initialisation
  # — quorum formation across N replicas is legitimately multi-minute on
  # cold start. Helm install completes when manifests apply; downstream
  # dependsOn checks Ready=True independently. Replaces PR #221 timeout.
  install:
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    remediation:
      retries: 3