
feat: multi-repo overlay architecture for addon values #628

Open
allamand wants to merge 2 commits into feature/agent-platform from feature/overlay-multi-repo

@allamand

Contributor

Summary

Implements #574 — Multi-Repo Values Overlay Architecture.

Adds support for an optional overlay Git repository (GitLab, CodeCommit, or any Git source) that provides value overrides for addons without modifying the source platform repo.

Changes

| File | Change |
|---|---|
| platform/infra/terraform/common/variables.tf | +3 variables: overlay_repo_url, overlay_repo_revision, overlay_repo_base_path |
| platform/infra/terraform/common/locals.tf | Propagate overlay annotations to cluster secret |
| gitops/bootstrap/addons.yaml | ref:values → ref:defaults + conditional ref:overlay source |
| platform-charts/appset-chart/values.yaml | Add overlay variables with empty defaults |
| platform-charts/appset-chart/templates/application-set.yaml | Add conditional overlay source per addon |
| platform-charts/appset-chart/templates/_application_set.tpl | $values/ → $defaults/ + $overlay/ paths in valueFiles helper |

How to use

# In terraform.tfvars:
overlay_repo_url       = "https://gitlab.cnoe.io/user1/my-overrides.git"
overlay_repo_revision  = "main"
overlay_repo_base_path = "gitops/addons/"

The overlay repo structure mirrors the platform repo:

gitops/addons/
├── configs/<addon>/values.yaml              # Override default addon values
├── overlays/environments/<env>/<addon>/values.yaml
└── overlays/clusters/<cluster>/<addon>/values.yaml

Backward compatibility

  • If overlay_repo_url is empty (default) → no overlay source rendered → identical behavior to today
  • ignoreMissingValueFiles: true already in place → missing overlay files are silently skipped

Closes #574

Add support for an optional overlay Git repository that provides
value overrides for addons without modifying the source platform repo.

Changes:
- Terraform: 3 new variables (overlay_repo_url, revision, base_path)
- Bootstrap addons.yaml: ref:values → ref:defaults + conditional ref:overlay
- appset-chart: $values/ → $defaults/ + conditional $overlay/ paths
- Fully backward-compatible: empty overlay_repo_url = no change in behavior
@allamand allamand force-pushed the feature/overlay-multi-repo branch from 8c41627 to 8390cec Compare May 11, 2026 12:44
@allamand allamand marked this pull request as ready for review May 11, 2026 12:48
The bootstrap Application loads gitops/bootstrap/ as a directory source,
which parses YAML before ArgoCD processes Go templates. The {{- if }}
conditionals broke YAML parsing.

Fix:
- Always include overlay source, using 'or' to fall back to the main
  repo when overlay_repo_url is empty
- Add empty overlay annotations to seed secret so missingkey=error
  doesn't fail on missing keys
- ignoreMissingValueFiles: true handles non-existent overlay files
@allamand allamand marked this pull request as draft May 11, 2026 18:31
@allamand allamand marked this pull request as ready for review May 18, 2026 15:21
@allamand allamand requested review from hmuthusamy and punkwalker and removed request for hmuthusamy May 18, 2026 15:42
@hmuthusamy

Collaborator

@allamand We have folks testing with the current structure. Once that is implemented, we will merge this, as this will require changes to the other appset paths we are validating on. @punkwalker Please review this as well.

allamand pushed a commit that referenced this pull request Jun 4, 2026
…rom PR #628)

Add support for an optional overlay Git repository (GitLab) that provides
value overrides for addons without modifying the source platform repo (GitHub).

Changes:
- bootstrap/addons.yaml: ref:values → ref:defaults + conditional ref:overlay
- appset-chart: $values/ → $defaults/ + conditional $overlay/ paths
- New valuesObject passes overlay repo coordinates to appset-chart
- Fully backward-compatible: empty overlay_repo_url = no change in behavior
@allamand

allamand commented Jun 4, 2026

Contributor Author

@hmuthusamy I will close this branch. I've cherry-picked the changes in #709 directly, and am currently validating that it works end to end.

allamand pushed a commit that referenced this pull request Jun 5, 2026
…patible) + open addon enablement via GitLab overlay

CRITICAL: the PR #628 cherry-pick added Go-template {{- if }} control
blocks to addons.yaml. gitops/bootstrap is applied in ArgoCD directory
mode (raw YAML), so {{- if }} broke YAML parsing — bootstrap app errored:
'Failed to unmarshal addons.yaml: line 28 could not find expected':''.

Fix: use sprig 'dig' (missingkey-safe) for optional overlay_repo_* annotations
instead of {{- if }} structural control flow. Overlay source is now always
present, defaulting to the addons/fleet repo when overlay_repo_url is absent
(idempotent no-op). Valid YAML, backward-compatible, missingkey-safe.

Also opens addon enablement to tenants: fleet-secret appsets (hub + spokes)
now merge $overlay enabled-addons.yaml/addon-overrides.yaml from GitLab
fleet-config on top of the GitHub defaults.
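
The missingkey behaviour behind the two bootstrap fixes above (seeding empty overlay annotations so `or` can fall back, then switching to `dig`), reproduced with Go's text/template as an added example; it is not code from this PR. The `dig` function here is a one-level stand-in for sprig's `dig`, and the `addons_repo_url` annotation name and the URLs are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed one-line templates; addons_repo_url is an assumed annotation name.
// Each expression sits inside a quoted scalar, so the unrendered line is valid YAML.
const (
	DirectTpl = `repoURL: '{{ .metadata.annotations.overlay_repo_url }}'`
	OrTpl     = `repoURL: '{{ or .metadata.annotations.overlay_repo_url .metadata.annotations.addons_repo_url }}'`
	DigTpl    = `repoURL: '{{ dig "overlay_repo_url" .metadata.annotations.addons_repo_url .metadata.annotations }}'`
)

// dig is a one-level stand-in for sprig's dig: the value when the key exists,
// otherwise the default. The template never dereferences the missing key itself.
func dig(key string, def any, m map[string]any) any {
	if v, ok := m[key]; ok {
		return v
	}
	return def
}

// Render executes tpl with missingkey=error against a cluster-secret-shaped object.
func Render(tpl string, annotations map[string]any) (string, error) {
	t, err := template.New("source").Option("missingkey=error").
		Funcs(template.FuncMap{"dig": dig}).Parse(tpl)
	if err != nil {
		return "", err
	}
	data := map[string]any{"metadata": map[string]any{"annotations": annotations}}
	var out bytes.Buffer
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	repo := "https://git.example.com/platform.git" // constructed URL
	absent := map[string]any{"addons_repo_url": repo}
	seeded := map[string]any{"addons_repo_url": repo, "overlay_repo_url": ""}
	fmt.Println(Render(DirectTpl, absent)) // error: map has no entry for key
	fmt.Println(Render(OrTpl, absent))     // still an error: or evaluates the missing key
	fmt.Println(Render(OrTpl, seeded))     // falls back to the main repo
	fmt.Println(Render(DigTpl, absent))    // falls back without a seeded key
}
```

With an overlay URL set, both `OrTpl` and `DigTpl` render that URL instead of the fallback.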
allamand added a commit that referenced this pull request Jun 5, 2026
…e failure) (#718)

* fix(crossplane): stop NATGateway late-initializing vpcId

The PlatformCluster Composition never sets spec.forProvider.vpcId on the
NATGateway, but the Upbound AWS EC2 provider late-initializes it from the
observed resource. availabilityMode defaults to "zonal", for which the EC2
API rejects VpcId on create:

  MissingParameter: VpcId is not supported for a NAT gateway with
  availability mode zonal

This stays dormant while the NAT exists (observe-only), but any (re)create
- e.g. after an out-of-band NAT deletion - fails, which breaks the private
subnet default route, blocks provider image pulls, and cascades into ArgoCD
cluster-cache sync errors.

Excluding LateInitialize from managementPolicies prevents the provider from
copying vpcId into the spec, so (re)create uses subnetId only and succeeds.

* fix(bootstrap): replace {{- if }} blocks with dig (directory-mode compatible) + open addon enablement via GitLab overlay

CRITICAL: the PR #628 cherry-pick added Go-template {{- if }} control
blocks to addons.yaml. gitops/bootstrap is applied in ArgoCD directory
mode (raw YAML), so {{- if }} broke YAML parsing — bootstrap app errored:
'Failed to unmarshal addons.yaml: line 28 could not find expected':''.

Fix: use sprig 'dig' (missingkey-safe) for optional overlay_repo_* annotations
instead of {{- if }} structural control flow. Overlay source is now always
present, defaulting to the addons/fleet repo when overlay_repo_url is absent
(idempotent no-op). Valid YAML, backward-compatible, missingkey-safe.

Also opens addon enablement to tenants: fleet-secret appsets (hub + spokes)
now merge $overlay enabled-addons.yaml/addon-overrides.yaml from GitLab
fleet-config on top of the GitHub defaults.

---------

Co-authored-by: Workshop User <workshopuser@example.com>
allamand added a commit that referenced this pull request Jun 12, 2026
…rom PR #628)

allamand added a commit that referenced this pull request Jun 12, 2026
…e failure) (#718)
