openova/platform/netbird/chart/Chart.yaml
e3mrah 3e786e5b36 fix(infra): wire NetBird, DMZ vCluster, Hubble UI, BGP, Gitea client — qa-loop iter-12 Fix #53B+C
Phase-4 infra installs from iter-12 diagnostic audit (37 of 41 e-blocked TCs covered):

bp-catalyst-platform 1.4.120 → 1.4.122 — Gitea client wired (cluster B, 4 TCs):
- catalyst-api Deployment now reads CATALYST_GITEA_URL + CATALYST_GITEA_TOKEN from `catalyst-gitea-token` Secret (mirrors blueprint-controller pattern).
- Unblocks /api/v1/sovereigns/.../blueprints/{publish,curatable,curate,edit-pr} which previously returned 503 "Gitea client unconfigured".
- TC-081, TC-082, TC-083, TC-085.

bp-netbird 0.1.0 → 0.1.1 + slot 53 install (cluster C, 4 TCs):
- Pinned image tags (netbirdio/management:0.34.0, signal:0.34.0, coturn:4.6.2) so chart renders without CI mirror cycle.
- Bootstrap-kit slot 53 enables NetBird on omantel; OIDC issuer points at the new omantel realm (Fix #53A).
- TC-281, TC-282, TC-283, TC-284.

bp-dmz-vcluster 0.1.0 → 0.1.1 + slot 54 install (cluster C, 3 TCs):
- Pinned upstream loft-sh/vcluster:0.20.0 tag.
- Bootstrap-kit slot 54 enables DMZ vCluster `omantel-dmz` on omantel.
- TC-286, TC-287, TC-288.

bp-cilium chart pin 1.2.0 → 1.3.0 + Hubble UI ingress + BGP (cluster C, 3 TCs):
- Hubble relay + UI enabled in omantel cilium overlay.
- catalystOverlay.hubbleUI block enables HTTPRoute hubble.console.omantel.biz; external-dns auto-creates the DNS record.
- bgpControlPlane.enabled=true for multi-region peering (TC-349).
- TC-289, TC-290, TC-349.

Total: 14 of the 25 cluster-C TCs covered + 4 cluster-B TCs.
2026-05-10 08:47:40 +02:00


apiVersion: v2
name: bp-netbird
version: 0.1.1
appVersion: "0.34.0"
description: |
  Catalyst-authored Blueprint chart for NetBird — a WireGuard-based
  zero-trust mesh + remote-access overlay. NetBird's management +
  signal services + coturn (TURN/STUN) deploy in the Sovereign cluster
  and operators / engineers / customer admins enroll devices via
  Keycloak SSO.

  Per ADR-0001 §3.2.8: NetBird is an opt-in product-tier capability
  shipped as a Sovereign-installed Blueprint under platform/ (per the
  EPIC-5 leftovers brief — NetBird is operationally part of the
  Sovereign-mesh story, not a customer-facing product like Continuum).

  This is a scratch chart — no upstream NetBird Helm chart is bundled.
  The container images are upstream `netbirdio/management`,
  `netbirdio/signal`, and `coturn/coturn`, SHA-pinned per
  docs/INVIOLABLE-PRINCIPLES.md #4a. CI populates the SHA tags via
  `yq eval -i .image.tag = "<sha>"` when promoting a build into
  clusters/<sovereign>/.

  Includes:
  - NetBird management Deployment + Service (peer registration,
    ACL distribution, account/user CRUD via OIDC)
  - NetBird signal Deployment + Service (WebRTC signaling for
    WireGuard handshake brokering between peers)
  - coturn TURN/STUN Deployment + Service (NAT traversal fallback
    for peers behind symmetric NATs)
  - HTTPRoute (Cilium Gateway) for browser ingress + OIDC callback
  - SealedSecret placeholder for the management API setup-key seed
    and OIDC client secret
  - NetworkPolicy: default-deny + selective egress to keycloak
  - ConfigMap consumed by keycloak-config-cli post-deploy Job
    (mirrors the Guacamole pattern from slice K+P+X1+G #1164 —
    adds NetBird OIDC client + `netbird-user` realm role +
    `netbird-users` group)

type: application
keywords: [catalyst, blueprint, netbird, wireguard, mesh, vpn, oidc, remote-access]
maintainers:
  - name: OpenOva Catalyst
    email: catalyst@openova.io

# Scratch chart — the binary surface is fully owned by NetBird upstream.
# The `sigstore/common` library subchart below is included ONLY to
# satisfy the platform-wide blueprint-release.yaml hollow-chart gate
# (issue #181) — every umbrella MUST declare at least one dependency.
# `common` is a tiny library chart (helper templates only, zero runtime
# resources). Mirrors the same pattern used by bp-guacamole +
# bp-cert-manager-dynadot-webhook + bp-coraza for the same reason.
dependencies:
  - name: common
    version: "0.1.3"
    repository: "https://sigstore.github.io/helm-charts"
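The description above requires the three upstream images to be SHA-pinned before promotion, while this commit pins plain version tags. As an added check, not part of this chart or the OpenOva project, the function below walks a values tree for `image:` blocks (assumed layout `<component>.image.{repository,tag[,digest]}`) and reports any image whose tag is a mutable version string rather than a full hex SHA or a sha256 digest; the sample values are constructed, with the tags taken from the commit message.

```python
import re

# Accepted as immutable: a tag that is a full 40-char (git) or 64-char
# (sha256) hex SHA, or an explicit content digest. Semver tags, "latest"
# and branch names are mutable and fail the gate. The exact tag format CI
# writes with `yq eval -i .image.tag = "<sha>"` is an assumption here.
HEX_SHA_TAG = re.compile(r"^[0-9a-f]{40}$|^[0-9a-f]{64}$")
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample values (not the chart's real values.yaml): the
# repositories match the images named in Chart.yaml, the tags are made up.
SAMPLE_VALUES = {
    "management": {"image": {"repository": "netbirdio/management", "tag": "0.34.0"}},
    "signal": {"image": {"repository": "netbirdio/signal",
                         "tag": "0123456789abcdef" * 2 + "01234567"}},  # 40-hex, pinned
    "coturn": {"image": {"repository": "coturn/coturn", "tag": "4.6.2"}},
}


def is_pinned(image: dict) -> bool:
    """True if an image block resolves to an immutable reference."""
    digest = str(image.get("digest", ""))
    if digest:
        return bool(DIGEST.match(digest))
    return bool(HEX_SHA_TAG.match(str(image.get("tag", ""))))


def find_images(values, path=""):
    """Yield (dotted path, image dict) for every `image:` block at any depth."""
    if not isinstance(values, dict):
        return
    for key, val in values.items():
        here = f"{path}.{key}" if path else key
        if key == "image" and isinstance(val, dict) and "repository" in val:
            yield here, val
        else:
            yield from find_images(val, here)


def unpinned_images(values) -> list:
    """Return '<path>=<repository>:<tag>' for every image that fails the gate."""
    return [
        f"{here}={img['repository']}:{img.get('tag', '')}"
        for here, img in find_images(values)
        if not is_pinned(img)
    ]


if __name__ == "__main__":
    for ref in unpinned_images(SAMPLE_VALUES):
        print("NOT SHA-PINNED:", ref)
```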