e3mrah
2c32fde847
feat(epic-5): NetBird mesh + ClusterMesh activator + DMZ vCluster scaffolds (#1100) (#1171)
Closes the EPIC-5 leftovers (per .claude/architect-briefs/epic-5/00-master-brief-leftovers.md):
* NB — bp-netbird platform Blueprint chart (default-OFF, SHA-pinned, fail-fast).
Renders 12 resources ON: 3 Deployments (management + signal + coturn) +
3 Services + 1 PVC + 1 HTTPRoute + 1 NetworkPolicy + 2 SealedSecrets +
1 ConfigMap. KC realm-config ConfigMap mirrors the Guacamole pattern
from slice K+P+X1+G #1164 — adds `netbird` OIDC client + `netbird-user` /
`netbird-admin` realm roles + `netbird-users` / `netbird-admins` groups.
* CM — ClusterMesh activator slice on the existing Cilium chart.
ADDs platform/cilium/chart/values-clustermesh.yaml (operator-applied
values overlay) + templates/clustermesh-config.yaml (renders the
catalyst-clustermesh-config ConfigMap when cluster.name + cluster.id
are set per-Sovereign). Operator runbook for `cilium clustermesh enable`
+ `cilium clustermesh connect` documented inline. Default Cilium chart
render is unchanged — this slice is purely additive + opt-in.
* DMZ — bp-dmz-vcluster product Blueprint chart (default-OFF,
SHA-pinned, fail-fast). Renders 4 resources ON without hostname
(HelmRelease wrapping upstream loft-sh/vcluster + Service + 2
NetworkPolicies); 5 resources with HTTPRoute hostname. Isolation
pattern: own openova-system namespace inside host cluster → own Cilium
identity → default-deny + allow-essentials NetworkPolicies → public
egress only via designated egress gateway.
All 3 charts: helm lint clean. Tests at chart/tests/render.sh +
chart/tests/clustermesh-overlay.sh. Pre-existing CI flakes per canon §7
remain — they're not introduced by this slice.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
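The DMZ isolation pattern the message describes (default-deny, allow-essentials, public egress only via a designated egress gateway), as an added illustrative example; this is not the bp-dmz-vcluster chart's rendered output. It assumes the vCluster lives in a namespace called `dmz-vcluster`, that HTTPRoute traffic arrives from a Gateway API namespace called `gateway-system`, that CoreDNS runs in `kube-system` with the label `k8s-app: kube-dns`, that cluster and node ranges sit inside the RFC 1918 blocks, and that the egress nodes carry the label `egress-gateway: "true"`; the CiliumEgressGatewayPolicy object only takes effect when Cilium's egress gateway feature is enabled.

```yaml
# Added illustrative example, not the chart's templates. Namespace, label,
# gateway and interface names below are assumptions.
---
# 1. Default-deny: no ingress or egress for any pod in the DMZ namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: dmz-vcluster          # assumed vCluster namespace
spec:
  podSelector: {}                  # every pod in the namespace
  policyTypes: [Ingress, Egress]
---
# 2. Allow essentials: intra-namespace traffic (vCluster control plane and
#    its workloads), ingress from the Gateway namespace, DNS to CoreDNS, and
#    public egress. The RFC 1918 exceptions keep the public rule from
#    reaching other namespaces, nodes or the host cluster's services.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-essentials
  namespace: dmz-vcluster
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
  - from:
    - podSelector: {}              # same namespace only
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: gateway-system   # assumed Gateway API namespace
  egress:
  - to:
    - podSelector: {}              # same namespace only
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns        # assumed CoreDNS label; both selectors must match
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:                    # assumed private ranges of the host cluster
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
---
# 3. Route the public egress permitted above through the designated egress
#    nodes, so DMZ workloads leave the cluster with the gateway's address.
#    This policy steers traffic; it does not by itself block anything, which
#    is why the NetworkPolicy above still carries the deny.
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: dmz-public-egress
spec:
  selectors:
  - podSelector:
      matchLabels:
        io.kubernetes.pod.namespace: dmz-vcluster
  destinationCIDRs:
  - 0.0.0.0/0
  excludedCIDRs:                   # keep in-cluster traffic off the gateway path
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  egressGateway:
    nodeSelector:
      matchLabels:
        egress-gateway: "true"     # assumed label on the designated egress nodes
    interface: eth0                # assumed outbound interface on those nodes
```

Two checks worth running after applying these: from a pod in the namespace, confirm that DNS and a public address work while a service in another namespace times out, and on the egress node, confirm with `cilium bpf egress list` that the DMZ pod CIDRs appear with the expected gateway address. If the host cluster's pod or node CIDRs are not inside the RFC 1918 ranges, adjust both the `except` list and `excludedCIDRs` together; a mismatch between the two lets traffic reach in-cluster targets through the gateway path.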