openova/scripts/expected-bootstrap-deps.yaml
hatiyildiz 7c3ff940ff fix(ci): update solver_test.go fixtures + expected-bootstrap-deps.yaml for #550
- core/cmd/cert-manager-dynadot-webhook/solver_test.go: fix SetDns2Response →
  SetDnsResponse and ResponseCode:"0" → ResponseCode:0 in test fixtures so
  webhook command tests pass against the corrected dynadot-client JSON parsing
- scripts/expected-bootstrap-deps.yaml: declare bp-cert-manager-dynadot-webhook
  at slot 49b so the bootstrap-kit dependency-graph audit passes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 10:44:18 +02:00


# Expected dependency DAG for clusters/_template/bootstrap-kit/*.yaml
#
# Authoritative spec: docs/BOOTSTRAP-KIT-EXPANSION-PLAN.md §2.
# Consumed by: scripts/check-bootstrap-deps.sh
# Updated by: W2.K0 (slots 01-14 baseline + slots 15-48 forward declarations);
# #373 later appended slot 49 and #550 slot 49b after the W2.K4 batch.
# W2.K1, K2, K3, K4 PRs add the corresponding HR files; this
# file already declares the expected deps for those slots so
# each W2 PR can be mechanically verified at merge time.
#
# Schema:
# slots:
# - slot: <int|string> # numeric prefix on the HR file (01..49). Letter-suffixed
#                      # sub-slots (1a, 15a, 49b) are strings; quote them so every
#                      # YAML parser reads them the same way.
# name: <string> # value of metadata.name on the HelmRelease
# depends_on: [<string>] # ordered or unordered; comparison is set-based
# wave: <"present"|"W2.K1"|"W2.K2"|"W2.K3"|"W2.K4">
#
# Comparison semantics enforced by check-bootstrap-deps.sh:
# - Each HR file present on disk MUST declare exactly the depends_on set listed
# here (missing edges -> error, extra edges -> error).
# - HRs declared here but not yet present on disk are reported as "deferred"
# (info, not an error) so that this file can be the static authoritative list
# while W2.K1..K4 land their HR files in series.
# - The graph is checked for cycles after merging declared+actual edges.
#
# The slot-numbering convention is documented in BOOTSTRAP-KIT-EXPANSION-PLAN.md §3.
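slots:
  # ---- Tier 0-4: present today (post-PR-247 baseline) -----------------------
  - slot: 1
    name: bp-cilium
    depends_on: []
    wave: present
  # Letter-suffixed sub-slots are string identifiers; quoted so every YAML
  # parser (1.1 or 1.2) reads them identically — same form as "49b" below.
  - slot: "1a"
    name: bp-gateway-api
    # Upstream Kubernetes Gateway API CRDs (Standard channel — issue #503).
    # Cilium 1.16's `gatewayAPI.enabled=true` enables the controller but does
    # NOT install the gateway.networking.k8s.io CRDs themselves; without them
    # every chart that ships HTTPRoute templates (bp-keycloak / bp-gitea /
    # bp-powerdns / bp-openbao / bp-harbor / bp-grafana / bp-catalyst-platform)
    # fails install with `no matches for kind HTTPRoute`. Same split-CRD
    # pattern as bp-crossplane-claims and bp-external-secrets-stores.
    depends_on: [bp-cilium]
    wave: present
  - slot: 2
    name: bp-cert-manager
    depends_on: [bp-cilium]
    wave: present
  - slot: 3
    name: bp-flux
    depends_on: [bp-cert-manager]
    wave: present
  - slot: 4
    name: bp-crossplane
    depends_on: [bp-flux]
    wave: present
  - slot: 5
    name: bp-sealed-secrets
    depends_on: [bp-cert-manager]
    wave: present
  - slot: 6
    name: bp-spire
    depends_on: [bp-cert-manager]
    wave: present
  - slot: 7
    name: bp-nats-jetstream
    depends_on: [bp-spire]
    wave: present
  - slot: 8
    name: bp-openbao
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template;
    # gateway.networking.k8s.io/v1 CRDs must be registered before install.
    # bp-cnpg dep (issue #512): post-install init hook (`bao operator init`)
    # races cnpg readiness on a fresh Sovereign, hitting the 15m install
    # timeout. Explicit dep makes Flux wait for cnpg Ready=True first.
    # NOTE(review): bp-cnpg is declared at slot 16 with wave W2.K1 while this
    # HR is wave present. None of the comparison rules in the header treat a
    # present -> deferred edge as an error, yet a HelmRelease cannot reconcile
    # until every dependsOn target is Ready, so bp-openbao (and everything
    # behind it: bp-external-secrets, bp-external-secrets-stores) is held
    # until 16-cnpg.yaml is on disk. Confirm slot 16's wave label is current.
    depends_on: [bp-spire, bp-gateway-api, bp-cnpg]
    wave: present
  - slot: 9
    name: bp-keycloak
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template.
    depends_on: [bp-cert-manager, bp-gateway-api]
    wave: present
  - slot: 10
    name: bp-gitea
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template.
    depends_on: [bp-keycloak, bp-gateway-api]
    wave: present
  - slot: 11
    name: bp-powerdns
    # bp-gateway-api dep (issue #503): chart ships an api-httproute.yaml template.
    depends_on: [bp-cert-manager, bp-gateway-api]
    wave: present
  - slot: 12
    name: bp-external-dns
    depends_on: [bp-cert-manager, bp-powerdns]
    wave: present
  - slot: 13
    name: bp-catalyst-platform
    # bp-gateway-api dep (issue #503): umbrella chart ships catalyst-ui +
    # catalyst-api HTTPRoute templates.
    # bp-keycloak + bp-cnpg deps (issue #512): umbrella post-install Jobs
    # bootstrap OIDC clients + seed PG schemas; both deps take 5+ min to
    # reach Ready on a fresh Sovereign, racing the 15m install timeout.
    # Explicit deps make Flux wait for both Ready=True before umbrella starts.
    # NOTE(review): same present -> W2.K1 edge on bp-cnpg as bp-openbao (slot 8).
    depends_on: [bp-gitea, bp-gateway-api, bp-keycloak, bp-cnpg]
    wave: present
  - slot: 14
    name: bp-crossplane-claims
    depends_on: [bp-crossplane]
    wave: present
  # ---- Tier 5: storage + DB (W2.K1, slots 15-19) ----------------------------
  - slot: 15
    name: bp-external-secrets
    depends_on: [bp-openbao, bp-cert-manager]
    wave: W2.K1
  - slot: "15a"
    name: bp-external-secrets-stores
    # Default ClusterSecretStore CR(s). Split from bp-external-secrets@1.0.0
    # at PR #334 (issue #331) to resolve CRD-ordering deadlock —
    # ClusterSecretStore CR cannot live in the same Helm release as the ESO
    # subchart that registers its CRD. Mirrors bp-crossplane ↔
    # bp-crossplane-claims pattern.
    depends_on: [bp-external-secrets, bp-openbao]
    wave: W2.K1
  - slot: 16
    name: bp-cnpg
    # NOTE(review): two wave-present HRs (bp-openbao at slot 8 and
    # bp-catalyst-platform at slot 13) already depend on this slot. If
    # 16-cnpg.yaml is on disk, the wave here should read present; if it is
    # not, those two releases cannot become Ready.
    depends_on: [bp-flux]
    wave: W2.K1
  - slot: 17
    name: bp-valkey
    depends_on: [bp-flux]
    wave: W2.K1
  - slot: 18
    name: bp-seaweedfs
    depends_on: [bp-flux, bp-cert-manager]
    wave: W2.K1
  - slot: 19
    name: bp-harbor
    # bp-seaweedfs dependency REMOVED per ADR-0001 §13 (cloud-direct).
    # Harbor on Sovereigns writes blobs directly to cloud Object Storage
    # (Hetzner / R2 / S3 / Azure / GCS), not via SeaweedFS. See
    # clusters/_template/bootstrap-kit/19-harbor.yaml lines 35-37.
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template;
    # gateway.networking.k8s.io/v1 CRDs must be registered first.
    depends_on: [bp-cnpg, bp-cert-manager, bp-gateway-api]
    wave: W2.K1
  # ---- Tier 6: observability (W2.K2, slots 20-26) ---------------------------
  - slot: 20
    name: bp-opentelemetry
    depends_on: [bp-cert-manager]
    wave: W2.K2
  - slot: 21
    name: bp-alloy
    depends_on: [bp-opentelemetry]
    wave: W2.K2
  - slot: 22
    name: bp-loki
    depends_on: [bp-seaweedfs]
    wave: W2.K2
  - slot: 23
    name: bp-mimir
    depends_on: [bp-seaweedfs]
    wave: W2.K2
  - slot: 24
    name: bp-tempo
    depends_on: [bp-seaweedfs]
    wave: W2.K2
  - slot: 25
    name: bp-grafana
    # bp-gateway-api dep (issue #503): chart ships an HTTPRoute template.
    depends_on: [bp-cnpg, bp-loki, bp-mimir, bp-tempo, bp-keycloak, bp-gateway-api]
    wave: W2.K2
  - slot: 26
    name: bp-langfuse
    depends_on: [bp-cnpg, bp-keycloak, bp-cert-manager]
    wave: W2.K2
  # ---- Tier 7: security + policy (W2.K3, slots 27-34) -----------------------
  - slot: 27
    name: bp-kyverno
    # NOTE(review): the admission controller lands after Tiers 0-6, so every
    # earlier release is admitted with no policy in place. If any Kyverno
    # policy is meant to gate bootstrap workloads, confirm it also runs in
    # background/audit mode against resources that already exist.
    depends_on: [bp-cilium]
    wave: W2.K3
  - slot: 28
    name: bp-reloader
    depends_on: []
    wave: W2.K3
  - slot: 29
    name: bp-vpa
    depends_on: []
    wave: W2.K3
  - slot: 30
    name: bp-trivy
    depends_on: [bp-cert-manager]
    wave: W2.K3
  - slot: 31
    name: bp-falco
    depends_on: [bp-cilium]
    wave: W2.K3
  - slot: 32
    name: bp-sigstore
    depends_on: [bp-cert-manager]
    wave: W2.K3
  - slot: 33
    name: bp-syft-grype
    depends_on: [bp-cert-manager]
    wave: W2.K3
  - slot: 34
    name: bp-velero
    # No dependsOn — Velero on Hetzner Sovereigns writes DIRECTLY to
    # Hetzner Object Storage per ADR-0001 §13 + WBS §3 (S3-aware app
    # rule). The previous SeaweedFS dependency was retired in #384;
    # Velero's BackupStorageLocation now consumes flux-system/hetzner-
    # object-storage Secret (issue #371) via Flux valuesFrom, populated
    # at HelmRelease apply time — no in-cluster prerequisite Blueprint.
    # That Secret is cluster state rather than a Blueprint, so the audit
    # cannot express or verify it as an edge here.
    depends_on: []
    wave: W2.K3
  # ---- Tier 8 + 9: edge + apps + AI runtime (W2.K4, slots 35-48) ------------
  - slot: 35
    name: bp-coraza
    depends_on: [bp-cilium, bp-cert-manager]
    wave: W2.K4
  - slot: 36
    name: bp-stunner
    depends_on: [bp-cilium, bp-cert-manager]
    wave: W2.K4
  - slot: 37
    name: bp-knative
    depends_on: [bp-cert-manager]
    wave: W2.K4
  - slot: 38
    name: bp-kserve
    depends_on: [bp-knative]
    wave: W2.K4
  - slot: 39
    name: bp-vllm
    depends_on: [bp-kserve]
    wave: W2.K4
  - slot: 40
    name: bp-llm-gateway
    depends_on: [bp-cnpg, bp-keycloak]
    wave: W2.K4
  - slot: 41
    name: bp-anthropic-adapter
    depends_on: [bp-llm-gateway]
    wave: W2.K4
  - slot: 42
    name: bp-bge
    depends_on: [bp-cnpg]
    wave: W2.K4
  - slot: 43
    name: bp-nemo-guardrails
    depends_on: [bp-llm-gateway, bp-bge, bp-cnpg]
    wave: W2.K4
  - slot: 44
    name: bp-temporal
    depends_on: [bp-cnpg, bp-cert-manager]
    wave: W2.K4
  - slot: 45
    name: bp-openmeter
    depends_on: [bp-cnpg, bp-nats-jetstream]
    wave: W2.K4
  - slot: 46
    name: bp-livekit
    depends_on: [bp-stunner, bp-cert-manager]
    wave: W2.K4
  - slot: 47
    name: bp-matrix
    depends_on: [bp-cnpg, bp-keycloak, bp-cert-manager]
    wave: W2.K4
  - slot: 48
    name: bp-librechat
    depends_on: [bp-llm-gateway, bp-vllm, bp-bge, bp-keycloak]
    wave: W2.K4
  # ---- Phase-2 (handover) — DNS-01 webhook against Sovereign's own PowerDNS -
  # Authored under #373; lands at slot 49 because slots 36-48 were already
  # forward-declared by the W2.K4 batch. Wave is "present" because the HR
  # exists on disk now (chart-released; runtime exercise deferred to Phase 8).
  - slot: 49
    name: bp-cert-manager-powerdns-webhook
    depends_on: [bp-cert-manager, bp-powerdns]
    wave: present
  # PRE-handover DNS-01 solver. Slot 49b sits adjacent to 49 (powerdns).
  # Active from Day 0 while Dynadot is authoritative for omani.works.
  # Closes openova#550.
  # NOTE(review): the solver presumably needs a Dynadot API credential in a
  # Secret before it can answer a challenge, and this file does not say where
  # that Secret comes from. If it is delivered by an ExternalSecret or a
  # SealedSecret, bp-external-secrets-stores or bp-sealed-secrets belongs in
  # depends_on; otherwise the first Order waits on a missing Secret. Confirm
  # against core/cmd/cert-manager-dynadot-webhook.
  # NOTE(review): a DNS-01 credential can write records anywhere in the zone,
  # i.e. obtain a certificate for any name under it. Once PowerDNS is
  # authoritative (slot 49), plan to retire this HR and rotate the Dynadot key
  # rather than leaving two solvers with zone-write access active.
  - slot: "49b"
    name: bp-cert-manager-dynadot-webhook
    depends_on: [bp-cert-manager]
    wave: present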