chart: Phase C of multi-env evolution — template literals, add sandbox overlay #11

Merged
arcodange merged 1 commits from claude/chart-multi-env-prep into main 2026-05-31 23:27:06 +02:00
Summary

Phase C of the multi-env extension to the new-web-app runbook conventions discussed in the design thread. Pure refactor — prod helm render is byte-identical (10857 bytes both before and after, diff exit 0).

This PR ONLY templates the chart and prepares the sandbox overlay. It does NOT activate sandbox (the factory tfvars schema change, the tools app_roles module evolution, the actual sandbox iac/main.tf for_each, the ArgoCD app, the DB and Vault paths — none of those are touched here).

What changes

5 chart template files had a hardcoded erp / creds/erp / erp/config / erp.arcodange.lab literal — now they read from .Values.*:

| File | Before | After |
|---|---|---|
| `chart/templates/vaultauth.yaml` | `role: erp` | `role: {{ .Values.vault.k8sRole }}` |
| `chart/templates/vaultdynamicsecret.yaml` | `path: creds/erp` | `path: {{ .Values.vault.dynamicPath }}` |
| `chart/templates/vaultsecret.yaml` | `path: erp/config` | `path: {{ .Values.vault.staticPath }}` |
| `chart/templates/config.yaml` | `DOLI_DB_NAME: erp` + `DOLI_URL_ROOT: https://erp.arcodange.lab` | `DOLI_DB_NAME: {{ .Values.db.name }}` + `DOLI_URL_ROOT: 'https://{{ .Values.host }}'` |

chart/values.yaml gains a documented multi-env coordinate block at the top with prod defaults:

```yaml
env:      prod
instance: erp
host:     erp.arcodange.lab
db:
  name: erp
vault:
  k8sRole:     erp
  dynamicPath: creds/erp
  staticPath:  erp/config
```

The elision rule (env=prod → no suffix, env=non-prod → <app>-<env> suffix) keeps the prod render character-for-character identical.

chart/values-sandbox.yaml is added as the ready-to-use overlay for Phase D. NOT wired into any helm install or ArgoCD app today — the platform side isn't evolved yet. The file documents the convention so the Phase D commit can simply helm install -f values.yaml -f values-sandbox.yaml.
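The elision rule and the `values.yaml` + `values-sandbox.yaml` layering, as an added Python model that is not code from the PR: it derives the coordinate block from app and env, deep-merges an overlay the way `helm -f a -f b` does, and lints the merged result so a sandbox overlay cannot silently keep a prod Vault role or DB name. The contents of `SANDBOX_OVERLAY` are assumed, since the PR does not show the file.

```python
def derive_coordinates(app: str, env: str, domain: str = "arcodange.lab") -> dict:
    """Elision rule from the PR: env=prod -> bare <app>, any other env -> <app>-<env>."""
    instance = app if env == "prod" else f"{app}-{env}"
    return {"env": env, "instance": instance, "host": f"{instance}.{domain}",
            "db": {"name": instance},
            "vault": {"k8sRole": instance, "dynamicPath": f"creds/{instance}",
                      "staticPath": f"{instance}/config"}}


def merge(base: dict, overlay: dict) -> dict:
    """Deep merge in 'helm -f values.yaml -f values-sandbox.yaml' order: overlay wins."""
    out = dict(base)
    for key, val in overlay.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], val)
        else:
            out[key] = val
    return out


def flatten(values: dict, prefix: str = "") -> dict:
    """Nested values -> dotted keys such as vault.k8sRole."""
    flat = {}
    for key, val in values.items():
        if isinstance(val, dict):
            flat.update(flatten(val, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = val
    return flat


def lint_values(app: str, merged: dict) -> list:
    """Every coordinate that breaks the elision rule. An overlay that forgets
    vault.k8sRole would let sandbox pods log in to Vault with the prod role."""
    expected = flatten(derive_coordinates(app, merged.get("env", "prod")))
    actual = flatten(merged)
    return [f"{k}: expected {expected[k]!r}, got {actual.get(k)!r}"
            for k in expected if actual.get(k) != expected[k]]


# Prod defaults copied from the PR's chart/values.yaml block.
PROD_VALUES = {"env": "prod", "instance": "erp", "host": "erp.arcodange.lab",
               "db": {"name": "erp"}, "vault": {"k8sRole": "erp",
               "dynamicPath": "creds/erp", "staticPath": "erp/config"}}
# Constructed overlay in the shape chart/values-sandbox.yaml is assumed to take.
SANDBOX_OVERLAY = {"env": "sandbox", "instance": "erp-sandbox",
                   "host": "erp-sandbox.arcodange.lab", "db": {"name": "erp-sandbox"},
                   "vault": {"k8sRole": "erp-sandbox", "dynamicPath": "creds/erp-sandbox",
                             "staticPath": "erp-sandbox/config"}}
```

An empty list from `lint_values` on the merged sandbox values is the precondition worth checking before Phase D wires the overlay into ArgoCD.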

Bonus fix

.gitea/workflows/vault.yaml had a real CI bug: the vault_step JWT role was gitea_cicd_webapp (copy-paste leftover from the template repo) instead of gitea_cicd_erp. The erp repo's CI would have failed JWT auth against Vault. Bundled here because it touches the same file family and is a 1-line fix.

Verification

```sh
# Before refactor (captured on origin/main)
helm template erp chart/ --namespace erp > /tmp/before.yaml   # 10857 bytes

# After refactor (this branch)
helm template erp chart/ --namespace erp > /tmp/after.yaml    # 10857 bytes

diff /tmp/before.yaml /tmp/after.yaml                          # exit 0, no output
```

Sandbox overlay smoke test:

```sh
helm template erp chart/ -f chart/values.yaml -f chart/values-sandbox.yaml --namespace erp-sandbox
# All substitutions produce erp-sandbox / creds/erp-sandbox / DOLI_URL_ROOT=https://erp-sandbox.arcodange.lab
```

What's NOT in this PR (Phases A, B, D, E)

  • Phase A — arcodange-org/tools/hashicorp-vault/iac/modules/app_roles: add optional env parameter (default "prod") + compute local.instance + propagate to derived names. Additive change, backwards-compatible for every app that doesn't set env.
  • Phase B — arcodange-org/factory: postgres/iac tfvars schema (set(string) → list(object({name, envs})) with envs defaulting to ["prod"]), argocd templates render one Application per env, conventions.md updated.
  • Phase D — when A+B+C are merged: this repo's iac/main.tf switches to for_each over local.envs = toset(["prod", "sandbox"]), factory tfvars adds envs = ["prod", "sandbox"] to erp.
  • Phase E — ArgoCD Application "erp-sandbox" registered, DNS for erp-sandbox.arcodange.lab provisioned.

Test plan

  • helm template erp chart/ --namespace erp byte-identical to origin/main (diff exit 0)
  • helm template erp chart/ -f chart/values.yaml -f chart/values-sandbox.yaml --namespace erp-sandbox produces erp-sandbox derived names everywhere
  • .gitea/workflows/vault.yaml CI still triggers cleanly (the typo fix is the actual unblock)
  • ArgoCD picks up the new manifest with no spec drift (Phase D will introduce real drift; this PR alone should be silent)
arcodange added 1 commit 2026-05-31 23:26:50 +02:00
Phase C of the multi-env evolution discussed in the runbook design thread
(see PR description). Pure refactor — the prod helm template render is
verified byte-identical (10857 bytes both before and after, diff exit 0).

What was hardcoded, now templated:
- chart/templates/vaultauth.yaml          role: erp                       → role: {{ .Values.vault.k8sRole }}
- chart/templates/vaultdynamicsecret.yaml path: creds/erp                 → path: {{ .Values.vault.dynamicPath }}
- chart/templates/vaultsecret.yaml        path: erp/config                → path: {{ .Values.vault.staticPath }}
- chart/templates/config.yaml             DOLI_DB_NAME: erp               → DOLI_DB_NAME: {{ .Values.db.name }}
                                          DOLI_URL_ROOT: https://erp..lab → DOLI_URL_ROOT: 'https://{{ .Values.host }}'

values.yaml gains a documented multi-env coordinate block with prod defaults
(env, instance, host, db.name, vault.k8sRole, vault.dynamicPath, vault.staticPath).
The elision rule (env=prod → no suffix, env=non-prod → "<app>-<env>" suffix)
guarantees the prod render is unchanged.

chart/values-sandbox.yaml is added as the ready-to-use overlay for Phase D.
It is NOT wired into any helm install / ArgoCD app today — the platform side
(factory/postgres/iac tfvars, tools/hashicorp-vault/iac module signature) is
not yet evolved. The file documents the convention so the Phase D commit can
just `helm install -f values.yaml -f values-sandbox.yaml`.

Also fixes .gitea/workflows/vault.yaml CI typo: the vault_step JWT role was
gitea_cicd_webapp (copy-paste from the template repo) instead of
gitea_cicd_erp. Real bug — the erp CI would have failed JWT auth against
Vault. Fix unrelated to multi-env but bundled here because it's small and
touches the same file family.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
arcodange merged commit b4bdbe75df into main 2026-05-31 23:27:06 +02:00
arcodange deleted branch claude/chart-multi-env-prep 2026-05-31 23:27:06 +02:00
Reference: arcodange-org/erp#11