infra/modules/kubernetes/setup_tls_secret/main.tf

Terraform, 26 lines, 786 B

```hcl
variable "namespace" { type = string }
variable "tls_secret_name" {}

# PEM-encoded certificate chain and private key. When left empty, the
# resource below falls back to files under <root module>/secrets/.
variable "tls_crt" {
  default = ""
}
variable "tls_key" {
  default = ""
}

resource "kubernetes_secret" "tls_secret" {
  metadata {
    name      = var.tls_secret_name
    namespace = var.namespace
  }

  # The provider base64-encodes `data` for the API, so plain PEM goes in here.
  # Whatever ends up in `data` is also written to Terraform state in plaintext
  # (a `sensitive` flag only redacts plan/apply output), so the state backend
  # needs the same protection as the private key itself.
  data = {
    # Terraform does not allow function calls in a variable default, so the
    # fallback to the files under path.root/secrets/ is applied here instead.
    "tls.crt" = var.tls_crt == "" ? file("${path.root}/secrets/fullchain.pem") : var.tls_crt
    "tls.key" = var.tls_key == "" ? file("${path.root}/secrets/privkey.pem") : var.tls_key
  }

  type = "kubernetes.io/tls"

  lifecycle {
    # KYVERNO_LIFECYCLE_V1: the sync-tls-secret policy stamps generate.kyverno.io/* + app.kubernetes.io/managed-by labels on this generated Secret
    # Note: this ignores every label change after creation, including labels
    # this module might declare later, not only the Kyverno-stamped ones.
    ignore_changes = [metadata[0].labels]
  }
}
```

Commit message attached to the lifecycle block (2026-04-18 19:23:02 +00:00):

[infra] Suppress Kyverno label drift on module.tls_secret Secrets [ci skip]

## Context

Wave 3B of the state-drift consolidation audit (plan section "Shared Kyverno drift-suppression") identified a second Kyverno admission-induced drift class, complementary to the `# KYVERNO_LIFECYCLE_V1` ndots dns_config suppression landed in c9d221d5.

The ClusterPolicy `sync-tls-secret` runs on every `kubernetes_secret` created via `modules/kubernetes/setup_tls_secret` and stamps the following labels on the generated Secret:

```
app.kubernetes.io/managed-by = kyverno
generate.kyverno.io/policy-name = sync-tls-secret
generate.kyverno.io/policy-namespace = ""
generate.kyverno.io/rule-name = sync-tls-secret
generate.kyverno.io/source-kind = Secret
generate.kyverno.io/source-namespace = kyverno
generate.kyverno.io/source-uid = <uid>
generate.kyverno.io/source-version = v1
generate.kyverno.io/source-group = ""
generate.kyverno.io/clone-source = ""
```

Terraform does not manage any labels on this Secret, so every `terragrunt plan` showed all 10 labels as `-> null`. This was observed on the dawarich stack (one of the 93 callers of setup_tls_secret) and reproduces identically on any stack that consumes this module.

Root cause ticket: beads `code-seq`.

## This change

Adds a single `lifecycle { ignore_changes = [metadata[0].labels] }` block to `modules/kubernetes/setup_tls_secret/main.tf`. One module edit, 93 callers' `module.tls_secret.kubernetes_secret.tls_secret` drift cleared.

The marker comment `# KYVERNO_LIFECYCLE_V1` stays consistent with the Wave 3A convention (c9d221d5) — the rule now stands for "any Kyverno-induced drift", not only ndots dns_config. AGENTS.md's "Kyverno Drift Suppression" section will grow to catalog the fields ignored; this commit keeps the scope tight to the code change.

## What is NOT in this change

- Namespace-level Goldilocks label drift (`goldilocks.fairwinds.com/vpa-update-mode = off`) — a different admission controller, different resource, different fix. Filed as beads `code-dwx` for a follow-up sweep across all 105 Tier 1 stacks.
- AGENTS.md documentation expansion — will land alongside the Goldilocks sweep so both patterns are catalogued together.
- Retroactive marker on other Kyverno-generated Secrets — the sync-tls-secret policy is the only generate policy that produces Secrets in this repo (verified: `kubectl get cpol -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'` + cross-reference).

## Verification

Dawarich stack:

```
Before: Plan: 0 to add, 2 to change, 0 to destroy.
  (kubernetes_namespace.dawarich — Goldilocks drift, untouched)
  (module.tls_secret.kubernetes_secret.tls_secret — Kyverno label drift)
After:  Plan: 0 to add, 1 to change, 0 to destroy.
  (kubernetes_namespace.dawarich — Goldilocks drift, untouched)
```

Closes: code-seq (partial — tls_secret branch)
Refs: code-dwx (Goldilocks follow-up)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
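An added audit check, not part of this repository, for the situation the commit message describes: before suppressing label drift wholesale with `ignore_changes = [metadata[0].labels]`, confirm that every drifted label is one the sync-tls-secret policy is known to stamp, so the suppression does not also hide unrelated label changes. The kubectl output below is a constructed sample; the Secret name, namespace and the extra `team` label are assumptions.

```python
import json

# Label keys/values the sync-tls-secret ClusterPolicy stamps, per the commit message.
KYVERNO_GENERATE_PREFIX = "generate.kyverno.io/"
KYVERNO_MANAGED_BY = ("app.kubernetes.io/managed-by", "kyverno")

# Constructed sample of `kubectl get secret <name> -n <ns> -o json` for a Secret
# created by this module after Kyverno admission ran. The "team" label is
# included deliberately so the audit has an unexplained label to flag.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {
        "name": "dawarich-tls", "namespace": "dawarich",
        "labels": {
            "app.kubernetes.io/managed-by": "kyverno",
            "generate.kyverno.io/policy-name": "sync-tls-secret",
            "generate.kyverno.io/rule-name": "sync-tls-secret",
            "generate.kyverno.io/source-kind": "Secret",
            "team": "platform",
        },
    },
})


def classify_label_drift(secret_json, terraform_labels):
    """Compare live labels with the labels Terraform declares (none for this module)
    and split the rest into Kyverno-attributable keys and anything else.
    Returns {"terraform_managed": [...], "kyverno": [...], "unexplained": [...]}."""
    live = json.loads(secret_json)["metadata"].get("labels") or {}
    result = {"terraform_managed": [], "kyverno": [], "unexplained": []}
    for key, value in sorted(live.items()):
        if key in terraform_labels:
            result["terraform_managed"].append(key)
        elif key.startswith(KYVERNO_GENERATE_PREFIX) or (key, value) == KYVERNO_MANAGED_BY:
            result["kyverno"].append(key)
        else:
            result["unexplained"].append(key)
    return result


def safe_to_ignore_all_labels(secret_json, terraform_labels):
    """True only when every drifted label is attributable to Kyverno, i.e. a blanket
    ignore_changes on metadata[0].labels would not mask anything unrelated."""
    return not classify_label_drift(secret_json, terraform_labels)["unexplained"]


if __name__ == "__main__":
    print(json.dumps(classify_label_drift(SAMPLE_SECRET_JSON, {}), indent=2))
```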