* fix(bootstrap-kit/_template): wire NetBird/DMZ/Hubble/BGP/clustermesh-LB via envsubst — qa-loop iter-12 Fix #53C+D follow-up
The omantel chroot reconciles from clusters/_template/bootstrap-kit/ (not the per-Sovereign omantel.omani.works/ overlay). PR #1275 added slot 53 (NetBird) and slot 54 (DMZ vCluster) plus Hubble UI / BGP / clustermesh-LB to the omantel.omani.works overlay only. This PR mirrors the same changes into _template via envsubst so the chroot also picks them up.
01-cilium.yaml:
- Chart pin 1.2.0 → 1.3.0 (Hubble UI HTTPRoute overlay + clustermesh shape)
- hubble.relay/ui.enabled gated on ${HUBBLE_ENABLED:=false} (default off, backward-compat)
- bgpControlPlane.enabled gated on ${BGP_ENABLED:=false}
- clustermesh.apiserver.service.type gated on ${CLUSTERMESH_SERVICE_TYPE:=NodePort} (default NodePort, backward-compat)
- catalystOverlay.hubbleUI block (envsubst gated, off by default)
53-bp-netbird.yaml NEW: NetBird Sovereign install, default-OFF via NETBIRD_ENABLED. OIDC issuer / realm parameterized through SOVEREIGN_REALM_NAME so the per-Sovereign realm rename (Fix #53A) flows through.
54-bp-dmz-vcluster.yaml NEW: DMZ vCluster install, default-OFF via DMZ_VCLUSTER_ENABLED. Vcluster name parameterized via DMZ_VCLUSTER_NAME (default `dmz`).
kustomization.yaml: added slots 53/54.
Operator opts in per-Sovereign by setting the substitutes on the bootstrap-kit Kustomization. Live patches applied to omantel for immediate effect:
- HUBBLE_ENABLED=true HUBBLE_HOSTNAME=hubble.console.omantel.biz
- BGP_ENABLED=true
- NETBIRD_ENABLED=true
- DMZ_VCLUSTER_ENABLED=true DMZ_VCLUSTER_NAME=omantel-dmz
* fix(bootstrap-deps): add bp-netbird (slot 53) + bp-dmz-vcluster (slot 54) to expected DAG — qa-loop iter-12 Fix #53C dependency-graph-audit fix
a388a61ae2