openova/products/dmz-vcluster/chart
e3mrah 9a2f423ab7
fix: mark bp-dmz-vcluster + bp-netbird default-off for smoke-render gate (#1286)
* fix(bp-keycloak): truncate catalyst-api-server description <255 chars (Postgres limit)

Keycloak DB column CLIENT.DESCRIPTION = varchar(255). Previous value was
458 chars, causing realm-config-cli post-install hook to fail with
PSQLException value too long. Caught on omantel provision #6 iter-13
chart roll — keycloak-config-cli Job CrashLoop, bp-keycloak HR False,
upstream HRs blocked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(bp-keycloak): truncate catalyst-api-server desc <255 chars (Postgres limit)

Keycloak DB column CLIENT.DESCRIPTION = varchar(255). Previous value was
458 chars (since Fix #23 / commit febd5fef), causing realm-config-cli
post-install hook to fail with PSQLException 'value too long for type
character varying(255)' on every fresh Sovereign provision.

Caught on omantel provision #6 — keycloak-config-cli Job CrashLoop,
bp-keycloak HR False, all upstream HRs blocked from converging.

Backport to 1.4.x (1.5.0 had a separate breaking realm-rename change
reverted via PR #1282). Bootstrap-kit pin updated to 1.4.2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(bp-dmz-vcluster, bp-netbird): mark default-off so smoke-render gate accepts 1-line manifests

Both blueprints are scratch charts (no upstream subchart) gated default-off.
helm-template smoke renders <2 lines, hitting the platform-wide
'Empty render' gate added in #181. Adding the documented annotation
'catalyst.openova.io/smoke-render-mode: "default-off"' for both — same
mechanism bp-qa-app uses (catalyst.openova.io/no-upstream).

Caught on omantel provision #6 — bp-dmz-vcluster + bp-netbird HelmRelease
permanently failing chart pull because Blueprint Release CI never
published their charts (smoke gate failure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: alierenbaysal <alierenbaysal@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 15:57:18 +04:00
| File | Last commit | Date |
|---|---|---|
| templates | feat(epic-5): NetBird mesh + ClusterMesh activator + DMZ vCluster scaffolds (#1100) (#1171) | 2026-05-09 12:14:56 +04:00 |
| tests | feat(epic-5): NetBird mesh + ClusterMesh activator + DMZ vCluster scaffolds (#1100) (#1171) | 2026-05-09 12:14:56 +04:00 |
| blueprint.yaml | feat(epic-5): NetBird mesh + ClusterMesh activator + DMZ vCluster scaffolds (#1100) (#1171) | 2026-05-09 12:14:56 +04:00 |
| Chart.yaml | fix: mark bp-dmz-vcluster + bp-netbird default-off for smoke-render gate (#1286) | 2026-05-10 15:57:18 +04:00 |
| README.md | feat(epic-5): NetBird mesh + ClusterMesh activator + DMZ vCluster scaffolds (#1100) (#1171) | 2026-05-09 12:14:56 +04:00 |
| values.yaml | fix(infra): wire NetBird, DMZ vCluster, Hubble UI, BGP, Gitea client — qa-loop iter-12 Fix #53B+C (#1275) | 2026-05-10 10:50:36 +04:00 |

bp-dmz-vcluster

Catalyst-authored Blueprint chart for a DMZ vCluster — an isolated customer-internet-facing virtual Kubernetes cluster running inside the management cluster. Per docs/EPICS-1-6-unified-design.md §8.5 the DMZ vCluster gives customer workloads that need direct internet exposure (public APIs, webhooks, customer-facing dashboards) a hard isolation boundary from the management plane.

What ships

| Resource | Purpose |
|---|---|
| HelmRelease/<rel> | Wraps the upstream loft-sh/vcluster chart; SHA-pinned via image.tag; resource budget + sync config + storage class |
| Service/<rel>-apiserver | ClusterIP for operator vcluster connect access |
| HTTPRoute/<rel> (optional) | Cilium Gateway exposure for tenant Services synced into the host namespace |
| NetworkPolicy/<rel>-default-deny | Both policyTypes (Ingress + Egress) listed with no allow rules = deny-all baseline |
| NetworkPolicy/<rel>-allow-essentials | DNS + designated egress gateway + intra-namespace |

Default-OFF gate

dmz.enabled: false in values.yaml, so helm template renders zero resources by default. Because the default render is therefore an empty manifest, Chart.yaml carries the catalyst.openova.io/smoke-render-mode: "default-off" annotation so the Blueprint Release CI smoke-render gate accepts the empty render instead of failing it as 'Empty render' (#1286). Operators opt in via the per-Sovereign overlay at clusters/<sovereign>/products/dmz-vcluster/release.yaml once Cilium ClusterMesh and the egress gateway are ready.

Isolation model

  • Own openova-system namespace inside the host cluster (dmz by default; multi-DMZ overlays use per-tenant names like dmz-acme).
  • Own Cilium identity — Cilium derives security identities from Pod labels, which include the namespace, so every DMZ-vCluster Pod gets an identity distinct from workloads in any other namespace. The default cluster-wide CCNPs (H8 default-deny) therefore treat them as an isolated endpoint cohort.
  • NetworkPolicy default-deny on the host namespace: every flow into or out of the namespace is denied unless explicitly allowed. Allow rules cover DNS + the designated egress gateway + intra-namespace coordination only.
  • Egress to the public internet only via the designated egress gateway — the egress gateway SNATs to a reserved public IP so audit + threat-intel can attribute outbound flows to the tenant.
  • No privileged caps; no host-network access; read-only root FS where the upstream vcluster image permits.
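The default-deny baseline and the allow-essentials policy described above, written out as an added example rather than the chart's own templates. It assumes a release and host namespace both named dmz, DNS served by kube-dns in kube-system, and a SNAT-style egress gateway (so the allow rule names public destinations and carves out RFC1918 space); the page does not fix any of these names or ranges.

```yaml
# Added example, not the chart's templates: the NetworkPolicy pair behind
# the "Isolation model" above, rendered for release "dmz" in namespace "dmz".
# Names, labels and CIDRs are assumptions.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dmz-default-deny
  namespace: dmz
spec:
  podSelector: {}          # every Pod in the host namespace
  policyTypes:             # both types listed, no ingress/egress rules:
    - Ingress              # every flow in or out is denied unless another
    - Egress               # policy in the namespace allows it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dmz-allow-essentials
  namespace: dmz
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # intra-namespace coordination only (control-plane <-> syncer Pods)
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}
    # DNS: only the cluster resolver in kube-system, only port 53
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # public internet only; the path through the designated egress gateway
    # (SNAT to the tenant's reserved public IP) is enforced by the egress
    # gateway policy, not by this rule, which only bounds reachable targets
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
```

Two caveats when adapting this. The vcluster control-plane Pods in the host namespace must reach the host kube-apiserver to sync resources, and the except list above blocks private ranges, so add an explicit ipBlock rule for the control-plane endpoint (or a CiliumNetworkPolicy with the kube-apiserver entity) unless your CNI already exempts it. And the SNAT attribution the page relies on comes from the egress-gateway policy; this NetworkPolicy only decides which destinations are reachable at all.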

SHA-pinned vcluster image

Per docs/INVIOLABLE-PRINCIPLES.md #4a, dmz.vcluster.image.tag is empty in values.yaml and the helm-template render fails fast when an overlay leaves it empty (see _helpers.tpl::bp-dmz-vcluster.image). CI populates the SHA tag with yq eval -i '.image.tag = "<sha>"' on the overlay values when promoting a build into clusters/<sovereign>/.

Upstream HelmRelease wrapper, NOT a vendored subchart

The DMZ vCluster install happens via a HelmRelease pointing at the upstream loft-sh/vcluster chart. The Catalyst layer ships:

  1. The HelmRelease CR with the operator-pinned upstream chart version.
  2. A values: block exposing only the safe subset of upstream values (resources, storage, sync, security context).
  3. The isolation NetworkPolicy + Service + HTTPRoute that ride alongside the upstream install.

Per-Sovereign overlays flip individual values (resource limits, pod-security, auth) without forking the upstream chart. The HelmRepository for https://charts.loft.sh is part of the Sovereign's bootstrap-kit.
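The three gates described in the "Default-OFF gate", "SHA-pinned vcluster image" and wrapper sections above combined in one Flux HelmRelease template, as an added example that is not the chart's own templates/helmrelease.yaml. It assumes the value paths dmz.vcluster.chartVersion, dmz.vcluster.resources and dmz.vcluster.storageClass, a HelmRepository named loft-sh in flux-system, the vcluster 0.20+ upstream values layout, and an illustrative fail message; only dmz.enabled and dmz.vcluster.image.tag are named by the page.

```yaml
# Added example, not the chart's own template. Assumed: value paths other
# than dmz.enabled / dmz.vcluster.image.tag, the HelmRepository name, the
# upstream (vcluster 0.20+) values layout and the wording of the fail message.
{{- if .Values.dmz.enabled }}
{{- $tag := .Values.dmz.vcluster.image.tag | default "" }}
{{- if eq $tag "" }}
{{- fail (printf "bp-dmz-vcluster: dmz.vcluster.image.tag is empty for release %s; stamp the SHA tag in the per-Sovereign overlay" .Release.Name) }}
{{- end }}
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
spec:
  interval: 10m
  chart:
    spec:
      chart: vcluster
      version: {{ .Values.dmz.vcluster.chartVersion | quote }}  # operator-pinned upstream version
      sourceRef:
        kind: HelmRepository
        name: loft-sh            # https://charts.loft.sh, shipped by the bootstrap-kit
        namespace: flux-system
  values:
    # only the safe subset of upstream values is exposed to overlays
    controlPlane:
      statefulSet:
        image:
          tag: {{ $tag | quote }}     # SHA-pinned; never a floating tag
        resources:
          {{- toYaml .Values.dmz.vcluster.resources | nindent 10 }}
        security:
          podSecurityContext:
            runAsNonRoot: true
          containerSecurityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
        persistence:
          volumeClaim:
            storageClass: {{ .Values.dmz.vcluster.storageClass | quote }}
    sync:
      toHost:
        services:
          enabled: true             # tenant Services land in the host namespace
{{- end }}
```

With dmz.enabled left at false the whole file renders to nothing, which is what the default-OFF contract in tests/render.sh checks; with --set dmz.enabled=true and no tag, Helm's fail aborts the render before any resource is emitted, so a half-configured overlay can never produce a HelmRelease that pulls an unpinned image.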

Tests

bash tests/render.sh exercises three contracts:

  1. Default-OFF: zero K8s resources rendered (CC3 default-OFF gate).
  2. Fail-fast on empty image tag: the render aborts with the exact bp-dmz-vcluster: ... image.tag is empty message when dmz.enabled: true is set without a SHA stamp.
  3. Full-ON canonical bundle: HelmRelease + 2 NetworkPolicies + Service (+ HTTPRoute when hostname is set).

helm lint runs clean.

See also

  • DESIGN.md — design rationale, isolation boundary, ADR-0001 alignment.
  • blueprint.yaml — Blueprint manifest (catalyst.openova.io/v1alpha1).
  • platform/network-policies/chart/templates/default-deny.yaml — cluster-wide default-deny CCNP that complements the host-namespace NetworkPolicy here.