feat: shared-infra values for namespace coexistence#67
Open
tgarciai wants to merge 9 commits into
values.shared-infra.yaml: use existing NATS/Valkey in namespace (disables managed subcharts, points connections to external services).
values.underpass-runtime.yaml: document that runtime uses these service names with values.shared-infra.yaml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add pre-install/pre-upgrade Job that automatically generates all TLS
certificates from a shared CA, making mTLS deployment fully declarative.
Creates 7 secrets (idempotent — skip if exists):
- {fullname}-internal-ca: ECDSA P-256 CA (10-year validity)
- {fullname}-grpc-tls: kernel gRPC server cert
- {fullname}-nats-tls: NATS server cert
- {fullname}-valkey-tls: Valkey server cert
- {fullname}-nats-ca, {fullname}-valkey-ca: CA mirrors for server configs
- {fullname}-client-tls: kernel client cert for NATS/Valkey mTLS
RBAC: ServiceAccount + Role (get/create secrets) + RoleBinding.
Values: certGen.enabled, certGen.image, certGen.keyCurve, certGen.validityDays.
Contract: runtime chart reads the same CA via certGen.caSecret.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Same fix as runtime: dedicated cert-gen image, imagePullSecrets, readOnlyRootFilesystem preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…mples
Covers: quick start with cert-gen (creates CA + 7 secrets), values profiles, deploy commands, verification, cert rotation, service table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…llSecrets
- cert-gen now generates {fullname}-otel-tls (was missing — mTLS example
referenced it but cert-gen didn't create it)
- Add fail-fast validation: nats.tls.caSecret and valkey.tls.caSecret
required when their respective TLS is enabled
- imagePullSecrets: use values.imagePullSecrets consistently (remove
hardcoded ghcr-pull fallback)
- HELM_INSTALL.md: add OTel cert to secret table (8 secrets total)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- values.shared-infra.yaml: disables managed NATS/Valkey, points connections to existing services
- values.underpass-runtime.yaml: documents service names for runtime coexistence
Paired with underpass-ai/underpass-runtime#79.
🤖 Generated with Claude Code