chore(release): 0.10.28 / chart 0.3.38 — multi-tenant secret bootstrap fix

dforsber · dforsber · commit 90377e92a5a1 · 2026-04-30T14:55:44.000+03:00
Critical fix: 0.10.27 multi-tenant bootstrap was failing for any freshly-
registered user attempting to ATTACH a DuckLake catalog over PGWire.
ATTACH was killed during the eager-attach phase with "Secret with name
&lt;catalog&gt;_adm_postgres not found" because the bootstrap fetched the
single-tenant variants and the multi-tenant ATTACH path couldn't resolve
them. Verified end-to-end with matview_stress and tantivy_stress.

Also picks up the previously-uncommitted chart template files (NOTES.txt,
gatewayclass.yaml) that match what's already shipping in the internal chart.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,17 @@ All notable changes to BoilStream will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.10.28] - 2026-04-30
+
+### Fixes
+
+- **⚠️ Critical: multi-tenant secret bootstrap was broken in 0.10.27.** Every freshly-registered user that connected via PGWire and tried to `ATTACH 'ducklake:<catalog>'` got `FATAL: Database '<catalog>' is not available: Secret with name "<catalog>_adm_postgres" not found` and the connection was killed during the eager-attach phase. Bootstrap was reading a stale path for the per-connection tenant identifier, so the `/secrets` fetch ran in single-tenant mode and cached the wrong (unprefixed) variants of each catalog's postgres-creds reference; the subsequent multi-tenant ATTACH then couldn't resolve them. Bootstrap now reads the tenant identifier through the supported settings path and passes its just-established session state directly to the secret fetch, so the multi-tenant secrets are cached before ATTACH runs. Reproduces locally in seconds with `matview_stress --smoke` against a freshly-registered user; verified with the full e2e suite (3728 tests, 0 fail) plus DuckDB-isolated serial suite (15/15) plus matview/tantivy stress smokes.
+
+### Notes
+
+- Chart version **0.3.38** tracks appVersion `0.10.28`.
+- ARM64 (`aarch64-linux-0.10.28`) and x86_64 (`x64-linux-0.10.28`) Docker images built on AWS EC2 (Graviton 2 / Intel Xeon).
+
 ## [0.10.27] - 2026-04-29
 
 ### Fixes
diff --git a/charts/boilstream/Chart.yaml b/charts/boilstream/Chart.yaml
@@ -6,8 +6,8 @@ description: |
   support. Each pod participates in S3-based leader election and serves
   per-user catalogs; failed pods are recovered from S3 backups.
 type: application
-version: 0.3.37
-appVersion: "0.10.27"
+version: 0.3.38
+appVersion: "0.10.28"
 kubeVersion: ">=1.27.0"
 keywords:
   - streaming
diff --git a/charts/boilstream/templates/NOTES.txt b/charts/boilstream/templates/NOTES.txt
@@ -0,0 +1,29 @@
+{{- if .Values.gateway.enabled }}
+{{- $hasClass := lookup "gateway.networking.k8s.io/v1" "GatewayClass" "" .Values.gateway.className -}}
+{{- if and (not $hasClass) (not .Values.gateway.createClass) }}
+
+╭──────────────────────────────────────────────────────────────────────╮
+│  WARNING — GatewayClass {{ printf "%q" .Values.gateway.className }} not found in this cluster
+│
+│  The chart's Gateway + TLSRoutes will sit Pending forever until you
+│  create it. Pick one:
+│
+│    1) Re-run with the chart's built-in flag:
+│         helm upgrade {{ .Release.Name }} ./charts/boilstream \
+│           --set gateway.createClass=true \
+│           --reuse-values
+│
+│    2) Apply the GatewayClass directly (one-shot):
+│         kubectl apply -f - <<'YAML'
+│         apiVersion: gateway.networking.k8s.io/v1
+│         kind: GatewayClass
+│         metadata: {{ printf "{ name: %s }" .Values.gateway.className }}
+│         spec: { controllerName: gateway.envoyproxy.io/gatewayclass-controller }
+│         YAML
+│
+│    3) Install Envoy Gateway's own helm chart, which creates one too:
+│         helm install eg oci://docker.io/envoyproxy/gateway-helm \
+│           --version v1.2.1 -n envoy-gateway-system --create-namespace
+╰──────────────────────────────────────────────────────────────────────╯
+{{- end }}
+{{- end }}
diff --git a/charts/boilstream/templates/gatewayclass.yaml b/charts/boilstream/templates/gatewayclass.yaml
@@ -0,0 +1,23 @@
+{{- /*
+  GatewayClass — referenced by the chart's Gateway via spec.gatewayClassName.
+
+  Rendered only when both gateway.enabled AND gateway.createClass are true.
+  Cluster-scoped resource; safe to ignore (no-op) when the Envoy Gateway
+  helm install already created it. Set createClass: true on first install
+  to a fresh cluster — the alternative is the standalone `kubectl apply`
+  documented in the chart README's prerequisites section.
+
+  If the GatewayClass is missing the Envoy Gateway controller logs
+  "no accepted gatewayclass" forever and the chart's Gateway never gets
+  programmed (no LB, no listeners, public traffic 400s at the edge).
+*/}}
+{{- if and .Values.gateway.enabled .Values.gateway.createClass }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: {{ .Values.gateway.className }}
+  labels:
+    {{- include "boilstream.labels" . | nindent 4 }}
+spec:
+  controllerName: {{ .Values.gateway.classControllerName | default "gateway.envoyproxy.io/gatewayclass-controller" }}
+{{- end }}
