PR #1875 added `- name: sovereign-tls` to bp-self-sovereign-cutover.dependsOn
to gate the URL rewrite behind Gateway TLS readiness. That fix was
unresolvable: Flux HelmRelease.dependsOn can ONLY reference other
HelmReleases, but sovereign-tls is a Flux Kustomization. helm-controller
verbatim on t27 fresh-prov (A84 empirical test, 2026-05-18):
helmreleases.helm.toolkit.fluxcd.io "sovereign-tls" not found
bp-self-sovereign-cutover sat forever in dependency-wait, cutover never
fired, handover never fired.
This commit moves the readiness check INTO the chart: chart 0.1.32 adds
a Phase -1 (gateway-wait) at the top of the Step-06
helmrepository-patches Job. The Job polls
`gateway.networking.k8s.io/v1.Gateway cilium-gateway` in `kube-system`
until status.conditions[Programmed]=True, with a 30 min default
deadline. If the Gateway never programs, the Job exits 1 (surfacing the
block to the operator) rather than rewriting URLs into a Gateway that
won't answer TLS.
RBAC: ClusterRole gains gateway.networking.k8s.io/gateways
{get,list,watch}.
Bootstrap-kit slot `06a-bp-self-sovereign-cutover.yaml`:
- reverts the bad PR #1875 `- name: sovereign-tls` dependsOn entry
- bumps chart pin 0.1.31 -> 0.1.32
Tests: cutover-contract Case 20 guards the Phase -1 block + RBAC.
helm-template confirms the Phase -1 wait + env
(GATEWAY_NAMESPACE=kube-system, GATEWAY_NAME=cilium-gateway,
GATEWAY_WAIT_TIMEOUT_SECONDS=1800) renders into the
cutover-step-06-helmrepository-patches ConfigMap.podSpec.
Closes #1871
Refs #1875 (supersedes)
Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
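
The gateway-wait described in the commit message above, sketched as an added example; this is not the chart's actual Job script. The env var names and defaults come from the message, `GATEWAY_POLL_SECONDS` is a hypothetical knob, and `kubectl` is assumed to be present in the Job image.

```shell
#!/bin/sh
# Added example: block until a Gateway reports Programmed=True, or fail at a
# deadline. Env var names and defaults are taken from the commit message;
# GATEWAY_POLL_SECONDS is a hypothetical setting introduced for this sketch.

wait_for_gateway() {
  gw_ns="${GATEWAY_NAMESPACE:-kube-system}"
  gw_name="${GATEWAY_NAME:-cilium-gateway}"
  gw_timeout="${GATEWAY_WAIT_TIMEOUT_SECONDS:-1800}"
  gw_poll="${GATEWAY_POLL_SECONDS:-10}"
  gw_deadline=$(( $(date +%s) + gw_timeout ))

  while :; do
    # A missing Gateway, an RBAC denial or an absent condition all yield "",
    # which is treated the same as "not ready yet".
    gw_status=$(kubectl get gateways.gateway.networking.k8s.io "$gw_name" \
      -n "$gw_ns" \
      -o jsonpath='{.status.conditions[?(@.type=="Programmed")].status}' \
      2>/dev/null) || gw_status=""

    if [ "$gw_status" = "True" ]; then
      echo "gateway $gw_ns/$gw_name is Programmed" >&2
      return 0
    fi
    if [ "$(date +%s)" -ge "$gw_deadline" ]; then
      echo "gateway $gw_ns/$gw_name not Programmed after ${gw_timeout}s" >&2
      return 1
    fi
    sleep "$gw_poll"
  done
}

# Job entrypoint usage (fail closed: the URL rewrite is never reached
# if the wait fails):
#   wait_for_gateway || exit 1
```

The get/list/watch grant on `gateway.networking.k8s.io/gateways` matters here: without it every poll returns an empty status and the wait runs to the deadline.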