# Name of the Kubernetes TLS secret used by the Goldilocks ingress and created
# by the tls_secret module below. Flagged sensitive so the value is redacted
# from plan and apply output.
variable "tls_secret_name" {
  sensitive = true
  type      = string
}
# Value of the "tier" label stamped onto the vpa namespace.
variable "tier" {
  type = string
}
# Namespace that hosts the VPA components and the Goldilocks dashboard.
resource "kubernetes_namespace" "vpa" {
  metadata {
    name = "vpa"

    labels = {
      tier = var.tier
    }
  }

  # NOTE(review): the Kyverno ClusterPolicy further down in this file labels
  # every Namespace (this one included) with
  # goldilocks.fairwinds.com/vpa-update-mode. If the provider reconciles labels
  # strictly, that externally-added label may surface as perpetual drift on
  # this resource — confirm with a plan, or declare the label in this map too.
}
# Provisions the TLS secret (var.tls_secret_name) inside the vpa namespace so
# the ingress module below can reference it by name.
module "tls_secret" {
  source = "../../../../modules/kubernetes/setup_tls_secret"

  tls_secret_name = var.tls_secret_name
  namespace       = kubernetes_namespace.vpa.metadata[0].name
}
# -----------------------------------------------------------------------------
# VPA — Vertical Pod Autoscaler (Fairwinds Helm chart)
# -----------------------------------------------------------------------------
# Fairwinds VPA chart: recommender, updater and admission controller all on.
resource "helm_release" "vpa" {
  name       = "vpa"
  chart      = "vpa"
  repository = "https://charts.fairwinds.com/stable"
  # NOTE(review): no `version` is pinned, so each apply resolves whatever the
  # repository currently publishes as latest for this chart. Pinning it
  # (version = "<CHART_VERSION>") keeps upgrades explicit and reviewable.

  namespace        = kubernetes_namespace.vpa.metadata[0].name
  create_namespace = false
  # Roll the release back automatically if install/upgrade fails.
  atomic = true

  # The updater is enabled, but the Kyverno policy at the bottom of this file
  # makes every Goldilocks-created VPA observe-only (updateMode "off"), so the
  # updater is not expected to evict anything on their behalf.
  values = [
    yamlencode({
      recommender         = { enabled = true }
      updater             = { enabled = true }
      admissionController = { enabled = true }
    })
  ]
}
# -----------------------------------------------------------------------------
# Goldilocks — VPA dashboard (Fairwinds Helm chart)
# -----------------------------------------------------------------------------
# Fairwinds Goldilocks chart: controller that creates VPA objects plus the
# read-only dashboard that renders their recommendations.
resource "helm_release" "goldilocks" {
  name       = "goldilocks"
  chart      = "goldilocks"
  repository = "https://charts.fairwinds.com/stable"
  # NOTE(review): chart version is unpinned here as well; see the vpa release
  # above for the rationale to pin (version = "<CHART_VERSION>").

  namespace        = kubernetes_namespace.vpa.metadata[0].name
  create_namespace = false
  atomic           = true

  # on-by-default makes Goldilocks manage VPAs for every namespace without an
  # opt-in label. Their update mode is driven by the namespace label that the
  # Kyverno policy below sets to "off", so this remains recommendations-only.
  values = [
    yamlencode({
      controller = {
        flags = {
          "on-by-default" = "true"
        }
      }
      dashboard = {
        replicaCount = 1
        flags = {
          "on-by-default" = "true"
        }
      }
    })
  ]

  # The VPA CRDs must exist before Goldilocks starts creating VPA objects.
  depends_on = [helm_release.vpa]
}
# -----------------------------------------------------------------------------
# Ingress — Goldilocks dashboard at goldilocks.viktorbarzin.me
# -----------------------------------------------------------------------------
# Exposes the Goldilocks dashboard service through the shared ingress factory.
module "ingress" {
  source = "../../../../modules/kubernetes/ingress_factory"

  namespace    = kubernetes_namespace.vpa.metadata[0].name
  name         = "goldilocks"
  service_name = "goldilocks-dashboard"
  port         = 80

  tls_secret_name = var.tls_secret_name
  # Keep this on: the dashboard shows resource data for every namespace and
  # is not assumed to carry its own authentication — the ingress module's
  # protection is what gates access.
  protected = true

  # gethomepage.dev discovery annotations for the homepage tile.
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Goldilocks"
    "gethomepage.dev/description"  = "Resource recommendations"
    "gethomepage.dev/icon"         = "goldilocks.png"
    "gethomepage.dev/group"        = "Core Platform"
    "gethomepage.dev/pod-selector" = ""
  }

  depends_on = [helm_release.goldilocks]
}
# -----------------------------------------------------------------------------
# Kyverno policy — label namespaces for VPA observe-only mode
# -----------------------------------------------------------------------------
# Goldilocks reads the goldilocks.fairwinds.com/vpa-update-mode label on
# namespaces to decide the updateMode for VPA objects it creates.
# All namespaces get "off" — Terraform is the authoritative source of truth
# for container resources. Goldilocks provides recommendations only.
# Kyverno ClusterPolicy that labels every Namespace so Goldilocks creates its
# VPAs with updateMode "off" (recommendations only, no evictions).
#
# NOTE(review): the resource and policy names still say "auto-mode" although
# the rule now sets "off"; they appear to predate that switch. Renaming the
# policy would recreate it, so the names are left untouched here.
#
# NOTE(review): kubernetes_manifest needs the kyverno.io/v1 CRD to be present
# at plan time, and that dependency is not expressed in this file — presumably
# Kyverno is installed by another stack. Confirm ordering on a fresh cluster.
resource "kubernetes_manifest" "vpa_auto_mode_label" {
  manifest = {
    apiVersion = "kyverno.io/v1"
    kind       = "ClusterPolicy"

    metadata = {
      name = "goldilocks-vpa-auto-mode"
      annotations = {
        "policies.kyverno.io/title"       = "Goldilocks VPA Observe-Only Mode"
        "policies.kyverno.io/description" = "Sets VPA update mode to off for all namespaces. Terraform owns container resources; Goldilocks provides recommendations only."
      }
    }

    spec = {
      rules = [
        {
          name = "label-vpa-off-all"

          # Matches every Namespace with no exclusions; only a label is added,
          # so applying it to system namespaces has no effect beyond VPA mode.
          match = {
            any = [
              {
                resources = {
                  kinds = ["Namespace"]
                }
              },
            ]
          }

          # Strategic merge keeps any other labels on the Namespace intact.
          mutate = {
            patchStrategicMerge = {
              metadata = {
                labels = {
                  "goldilocks.fairwinds.com/vpa-update-mode" = "off"
                }
              }
            }
          }
        },
      ]
    }
  }

  depends_on = [helm_release.goldilocks]
}