a8931db541
Two disjoint regressions stack-failed test-bootstrap-kit.yaml on every push to main: 1. manifest-validation — TestBootstrapKit_BlueprintCardsHaveRequiredFields asserts platform/<bp>/blueprint.yaml spec.version == chart/Chart.yaml version. Six blueprints had drifted: cilium (1.3.0->1.3.5), cert-manager (1.2.0->1.2.2), flux (1.2.0->1.2.2), openbao (1.2.14->1.2.16), keycloak (1.5.0->1.4.5 — blueprint led chart, sync to authoritative Chart.yaml), gitea (1.2.5->1.2.7). Chart.yaml is canonical (drives bootstrap-kit pin -> Sovereign install); blueprint.yaml gets resynced down/up to match. 2. pin-sync-audit on push — full-sweep audit races the blueprint-release auto-bump hook. Chart-bump merge commit has chart=N pin=N-1 drift until the auto-bump bot commits the pin update ~60s later; the bot push (GITHUB_TOKEN convention) does not retrigger this workflow, so the failure remains in run history. Fix: set continue-on-error: true on push/workflow_dispatch events (PR remains blocking via --changed-only). The full-sweep output still surfaces drift on the run summary; it just doesn't fail the overall run while the heal-in- ~60s window is open. Documented inline in the job header. Net effect: every push to main re-runs cleanly green. The 13 pre-existing drifts called out in the existing job comment will continue to heal as each lagging chart gets its next bump (auto-bump hook + this PR's manifest-validation alignment). Refs PRs #1666 #1687 #1695 #1698 #1706 #1707 (the manual collector PRs TBD-A6 eliminated for bootstrap-kit pins; this PR extends the convergence to blueprint.yaml versions which the test asserts but the auto-bump hook does not yet update). Co-authored-by: hatiyildiz <hatiyildiz@users.noreply.github.com>
42 lines
2.1 KiB
YAML
42 lines
2.1 KiB
YAML
apiVersion: catalyst.openova.io/v1alpha1
|
|
kind: Blueprint
|
|
metadata:
|
|
name: bp-cert-manager
|
|
labels:
|
|
catalyst.openova.io/section: pts-3-3-security-and-policy
|
|
spec:
|
|
version: 1.2.2
|
|
card:
|
|
title: cert-manager
|
|
summary: TLS certificate automation. Lets Encrypt issuer with Dynadot DNS-01 for omani.works pool, HTTP-01 for BYO domains.
|
|
visibility: unlisted # mandatory infra, auto-installed by bootstrap kit
|
|
manifests:
|
|
chart: ./chart
|
|
depends: []
|
|
|
|
# ── Outputs advertised to dependent Blueprints (#113) ────────────────────
|
|
# Blueprints that issue Certificates (cilium-gateway, harbor, gitea, etc.)
|
|
# consume `issuerName` rather than hardcoding "letsencrypt-prod" so that
|
|
# operators can swap the active issuer (DNS-01 vs HTTP-01) via the
|
|
# bp-catalyst-platform umbrella values without editing every dependent
|
|
# chart. The chart's templates/clusterissuer-letsencrypt-dns01.yaml ships
|
|
# both issuers; this output names the one a dependent Blueprint should
|
|
# default to in production.
|
|
outputs:
|
|
# Default issuer name. As of openova#159 (bp-cert-manager-dynadot-webhook
|
|
# ships) the wildcard-capable DNS-01 issuer is enabled by default in
|
|
# the chart's values.yaml — dependents that issue wildcard certs (the
|
|
# Cilium Gateway's *.<sub>.<pool> TLS listener) reference this name
|
|
# directly. Cluster overlays MAY revert to letsencrypt-http01-prod by
|
|
# flipping certManager.issuers.dns01.enabled=false in the umbrella
|
|
# chart values; the http01 issuer remains templated for that path.
|
|
issuerName: letsencrypt-dns01-prod
|
|
# Kind is always ClusterIssuer for Catalyst — the wildcard cert lives
|
|
# in cilium-gateway and is consumed cluster-wide.
|
|
issuerKind: ClusterIssuer
|
|
# The TARGET-STATE wildcard issuer name. Equal to issuerName above now
|
|
# that DNS-01 is the default; kept as a separate field so a dependent
|
|
# Blueprint that explicitly needs the wildcard variant can pin to it
|
|
# independent of which issuer is currently the default.
|
|
wildcardIssuerName: letsencrypt-dns01-prod
|