Eai 1452 seaweed s3 rebased 4 sync options

docs/manual_helm_install/components/s3.md

@@ -14,10 +14,11 @@ authenticate with are created via ExternalSecrets from OpenBao (in full
 cluster-forge deployments) or via `kubectl create secret generic` (in manual
 installations). No static `secrets-*.yaml` file is required.
 
-**Note on credential compatibility:** For backward compatibility with MinIO,
-the secret keys in OpenBao still reference `minio-*` paths (e.g.,
-`secrets/data/minio-api-access-key`). These same credentials are used by
-SeaweedFS via the `seaweedfs-s3-config` secret.
+**Note on OpenBao path names:** In-cluster object storage is **SeaweedFS**
+(filer S3). OpenBao KV entries still use the historical `secrets/minio-*` paths
+(e.g. `secrets/data/minio-api-access-key`) so existing ExternalSecrets and
+charts (AIRM, Keycloak, etc.) keep working unchanged. The SeaweedFS filer reads
+those values via the `seaweedfs-s3-config` Secret.
 
 These instructions assume you have the cluster-forge sources available
 locally and that `SOURCES_DIR` points at the `sources/` directory:

root/values.yaml

@@ -686,6 +686,20 @@ apps:
     namespace: kyverno
     path: kyverno-policies/base
     syncWave: -20
+  # Used only when enabledApps includes this name (small/medium). Kyverno may
+  # default fields on ClusterPolicy; ignore to avoid perpetual OutOfSync.
+  kyverno-policies-storage-local-path:
+    namespace: kyverno
+    path: kyverno-policies/storage-local-path
+    syncWave: -20
+    ignoreDifferences:
+      - group: kyverno.io
+        kind: ClusterPolicy
+        jqPathExpressions:
+          # jsonPointers do not support wildcards; Kyverno sets these on rules.
+          - .spec.rules[].skipBackgroundRequests
+          - .spec.rules[].validate.allowExistingViolations
+          - .status
   metallb:
     namespace: default
     path: metallb/v0.15.2
@@ -722,7 +736,8 @@ apps:
     path: seaweedfs-config
     namespace: seaweedfs-instance
     valuesFile: values.yaml
-    syncWave: 0
+    # After seaweedfs-operator (0): CRD/webhook ready before Seaweed + ExternalSecrets.
+    syncWave: 10
   openbao:
     ignoreDifferences:
       - group: "apps"

root/values_medium.yaml

@@ -52,17 +52,6 @@ enabledApps:
   - rabbitmq
 
 apps:
-  # Modular Kyverno policy applications (only the storage-local-path addition)
-  kyverno-policies-storage-local-path:
-    namespace: kyverno
-    path: kyverno-policies/storage-local-path
-    syncWave: -20
-    ignoreDifferences:
-      - group: kyverno.io
-        kind: ClusterPolicy
-        jsonPointers:
-          - /spec/rules/*/skipBackgroundRequests
-          - /spec/rules/*/validate/allowExistingViolations
   aiwb-infra-cnpg:
     valuesObject:
       instances: 1

root/values_small.yaml

@@ -114,18 +114,6 @@ apps:
         requests:
           cpu: "250m"
           memory: "512Mi"
-  kyverno-policies-storage-local-path:
-    ignoreDifferences: []
-    namespace: kyverno
-    path: kyverno-policies/storage-local-path
-    source: clusterForge
-    syncOptions:
-      - CreateNamespace=true
-    syncWave:
-      - group: kyverno.io
-        kind: ClusterPolicy
-    wave: 26  # Deploy after base policies
-
   seaweedfs-config:
     valuesObject:
       seaweed:

sources/keycloak-config/templates/keycloak-cluster.yaml

@@ -1,10 +1,17 @@
 ---
+# CNPG bootstrap reads keycloak-cnpg-user (and superuser) Secrets at initdb time.
+# Run these ExternalSecrets as PreSync hooks so OpenBao-backed Secrets exist and are
+# Healthy before the Cluster resource applies (avoids password mismatch vs Keycloak).
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: keycloak-cnpg-superuser-credentials
   namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/sync-wave: "-3"
 spec:
+  refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore
     name: openbao-secret-store
@@ -27,6 +34,9 @@ kind: ExternalSecret
 metadata:
   name: keycloak-cnpg-user-credentials
   namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/sync-wave: "-2"
 spec:
   data:
     - remoteRef:
@@ -50,6 +60,9 @@ kind: Cluster
 metadata:
   name: keycloak-cnpg
   namespace: keycloak
+  annotations:
+    # After PreSync CNPG ExternalSecrets; before HTTPRoute/other wave-0 extras if any.
+    argocd.argoproj.io/sync-wave: "1"
 spec:
   affinity:
     enablePodAntiAffinity: true

sources/keycloak-old/templates/es-keycloak-cnpg-superuser-credentials.yaml

@@ -5,7 +5,11 @@ kind: ExternalSecret
 metadata:
   name: keycloak-cnpg-superuser-credentials
   namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/sync-wave: "-3"
 spec:
+  refreshInterval: 1h
   secretStoreRef:
     kind: ClusterSecretStore
     name: openbao-secret-store

sources/keycloak-old/templates/es-keycloak-cnpg-user-credentials.yaml

@@ -5,6 +5,9 @@ kind: ExternalSecret
 metadata:
   name: {{ .Values.postgresql.userSecretName }}-credentials
   namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/sync-wave: "-2"
 spec:
   data:
     - remoteRef:

sources/keycloak-old/templates/keycloak-cnpg.yaml

@@ -5,6 +5,9 @@ kind: Cluster
 metadata:
   name: keycloak-cnpg
   namespace: keycloak
+  annotations:
+    # After PreSync CNPG ExternalSecrets; before Keycloak Deployment (wave 5) so initdb uses final secrets.
+    argocd.argoproj.io/sync-wave: "1"
 spec:
   affinity:
     enablePodAntiAffinity: true

sources/keycloak-old/templates/keycloak-deployment.yaml

@@ -6,6 +6,9 @@ metadata:
     app: keycloak
   name: keycloak
   namespace: keycloak
+  annotations:
+    # After CNPG Cluster (wave 1) so JDBC connects once Postgres is up with bootstrap secrets.
+    argocd.argoproj.io/sync-wave: "5"
 spec:
   replicas: 1
   selector:

sources/openbao-config/0.1.0/templates/openbao-secret-definitions.yaml

@@ -83,21 +83,22 @@ data:
     secrets/keycloak-cnpg-superuser-password|random||16
 
     # =============================================================================
-    # MINIO SECRETS
+    # SEAWEEDFS S3 (filer). OpenBao paths still use legacy "minio-*" names for
+    # compatibility with ExternalSecrets, AIRM, and Keycloak references.
     # =============================================================================
 
-    # MinIO API access credentials
-    secrets/minio-api-access-key|static|api-default-user|0
+    # Filer S3 API access (SeaweedFS s3.json ApiUser); override via --set minio.apiAccessKey=...
+    secrets/minio-api-access-key|static|{{ .Values.minio.apiAccessKey }}|0
     secrets/minio-api-secret-key|random||16
 
-    # MinIO console access credentials
-    secrets/minio-console-access-key|static|default-user|0
+    # Filer S3 console identities (SeaweedFS s3.json Console); override via --set minio.consoleAccessKey=...
+    secrets/minio-console-access-key|static|{{ .Values.minio.consoleAccessKey }}|0
     secrets/minio-console-secret-key|random||16
 
-    # MinIO root admin password
+    # SeaweedFS admin UI password (ExternalSecret seaweed-admin-es-secret)
     secrets/minio-root-password|random||16
 
-    # MinIO additional secrets
+    # OIDC / Keycloak client material for object-store console flows (legacy names)
     secrets/minio-client-secret|random||16
     secrets/minio-openid-url|static|https://kc.{{ .Values.domain }}/realms/airm/.well-known/openid-configuration|0
 

sources/openbao-config/0.1.0/values.yaml

@@ -1,8 +1,8 @@
 domain: # to be filled by cluster-forge app
 
+# In-cluster object storage is SeaweedFS (filer S3). OpenBao KV paths remain
+# `secrets/minio-*` for backward compatibility. Static access key names below
+# are rendered into openbao-secret-definitions (override with --set minio.*).
 minio:
-  # Seed values for MinIO access keys stored in OpenBao. Override at install
-  # time (`--set minio.apiAccessKey=...`) when integrating with an
-  # externally-provisioned MinIO whose existing keys differ from these defaults.
   apiAccessKey: api-default-user
   consoleAccessKey: default-user

sources/seaweedfs-config/templates/seaweedfs-es-admin.yaml

@@ -5,15 +5,17 @@ metadata:
   namespace: seaweedfs-instance
   annotations:
     argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/sync-wave: "-1"
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: openbao-secret-store
-  refreshInterval: 5m
+  refreshInterval: 1m
   target:
     name: seaweedfs-admin-secret
   data:
     - secretKey: admin-password 
       remoteRef:
+        # Legacy OpenBao path name; backs SeaweedFS admin UI, not MinIO.
         key: secrets/data/minio-root-password
         property: value

sources/seaweedfs-config/templates/seaweedfs-es-s3-config.yaml

@@ -4,12 +4,17 @@ metadata:
   name: seaweedfs-es-s3-config
   namespace: seaweedfs-instance
   annotations:
+    # PreSync + sync-wave: ensure OpenBao-backed Secret exists (and Argo marks this
+    # resource Healthy per ExternalSecret health rules) before the Seaweed CR syncs.
     argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/sync-wave: "-2"
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: openbao-secret-store
-  refreshInterval: 5m
+  # Shorter interval so the filer picks up OpenBao updates soon after the secret
+  # manager reconciles static keys (default openbao cron is every 5m).
+  refreshInterval: 1m
   target:
     name: seaweedfs-s3-config
     template:
@@ -43,6 +48,7 @@ spec:
               }
             ] 
           }
+  # OpenBao paths use legacy "minio-*" keys (shared with AIRM / Keycloak); values feed SeaweedFS only.
   data:
     - secretKey: API_ACCESS_KEY
       remoteRef:

sources/seaweedfs-config/templates/seaweedfs-seaweed.yaml

@@ -1,40 +1,40 @@
-{{- with .Values.seaweed }}
-apiVersion: seaweed.seaweedfs.com/v1
-kind: Seaweed
-metadata:
-  name: seaweed
-  namespace: seaweedfs-instance
-spec:
-  image: chrislusf/seaweedfs:latest
-  volumeServerDiskCount: 1
-  hostSuffix: plat-dev-1.silogen.ai
-  master:
-    replicas: {{ .master.replicas }}
-    volumeSizeLimitMB: 1024
-  volume:
-    replicas: {{ .volume.replicas }}
-    storageClassName: {{ .storageClassName }}
-    requests:
-      storage: {{ .volume.requests.storage }}
-    # Topology configuration for rack/datacenter-aware placement
-    rack: "rack1"
-    dataCenter: "dc1"
-  filer:
-    replicas: {{ .filer.replicas }}
-    volumes:
-      - name: s3-metadata
-        persistentVolumeClaim:
-          claimName: pvc-seaweed-s3-metadata
-    volumeMounts:
-      - mountPath: /data/
-        name: s3-metadata
-    s3:
-      enabled: true
-      configSecret:
-        name: seaweedfs-s3-config
-        key: s3.json
-    config: |
-      [leveldb2]
-      enabled = true
-      dir = "/data/filerldb2"
+{{- with .Values.seaweed }}
+apiVersion: seaweed.seaweedfs.com/v1
+kind: Seaweed
+metadata:
+  name: seaweed
+  namespace: seaweedfs-instance
+spec:
+  image: chrislusf/seaweedfs:latest
+  volumeServerDiskCount: 1
+  hostSuffix: plat-dev-1.silogen.ai
+  master:
+    replicas: {{ .master.replicas }}
+    volumeSizeLimitMB: 1024
+  volume:
+    replicas: {{ .volume.replicas }}
+    storageClassName: {{ .storageClassName }}
+    requests:
+      storage: {{ .volume.requests.storage }}
+    # Topology configuration for rack/datacenter-aware placement
+    rack: "rack1"
+    dataCenter: "dc1"
+  filer:
+    replicas: {{ .filer.replicas }}
+    volumes:
+      - name: s3-metadata
+        persistentVolumeClaim:
+          claimName: pvc-seaweed-s3-metadata
+    volumeMounts:
+      - mountPath: /data/
+        name: s3-metadata
+    s3:
+      enabled: true
+      configSecret:
+        name: seaweedfs-s3-config
+        key: s3.json
+    config: |
+      [leveldb2]
+      enabled = true
+      dir = "/data/filerldb2"
 {{- end}}