From 3027ab85a87dc00579753b7f8a480ebffceee56e Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Sat, 16 May 2026 12:41:05 +0000 Subject: [PATCH] recruiter-responder: bump image_tag to 189ef901 OpenClaw can now answer 'what do we know about ?' from cache via the new recruiter_company_research tool, and recruiter_get embeds the cached research payload inline. Co-Authored-By: Claude Opus 4.7 --- stacks/actualbudget/main.tf | 1 + stacks/affine/main.tf | 9 +++++-- stacks/blog/main.tf | 9 +++++-- stacks/broker-sync/main.tf | 1 + stacks/calico/main.tf | 1 + stacks/changedetection/main.tf | 9 +++++-- stacks/chrome-service/main.tf | 15 ++++++++++-- stacks/city-guesser/main.tf | 9 +++++-- stacks/claude-memory/main.tf | 4 ++++ stacks/coturn/main.tf | 9 +++++-- stacks/cyberchef/main.tf | 9 +++++-- stacks/dashy/main.tf | 9 +++++-- stacks/dawarich/main.tf | 8 ++++++- stacks/descheduler/main.tf | 1 + stacks/diun/main.tf | 8 ++++++- stacks/ebook2audiobook/main.tf | 25 ++++++++++++++----- stacks/ebooks/main.tf | 29 +++++++++++++++++++---- stacks/echo/main.tf | 9 +++++-- stacks/excalidraw/main.tf | 9 +++++-- stacks/external-secrets/main.tf | 1 + stacks/f1-stream/main.tf | 9 +++++-- stacks/foolery/main.tf | 1 + stacks/forgejo/main.tf | 9 +++++-- stacks/freedify/main.tf | 1 + stacks/freshrss/main.tf | 9 +++++-- stacks/frigate/main.tf | 9 +++++-- stacks/grampsweb/main.tf | 9 +++++-- stacks/hackmd/main.tf | 9 +++++-- stacks/health/main.tf | 9 +++++-- stacks/hermes-agent/main.tf | 8 ++++++- stacks/homepage/main.tf | 9 +++++-- stacks/insta2spotify/main.tf | 8 ++++++- stacks/isponsorblocktv/main.tf | 9 +++++-- stacks/jsoncrack/main.tf | 9 +++++-- stacks/k8s-dashboard/main.tf | 1 + stacks/k8s-version-upgrade/main.tf | 1 + stacks/kms/main.tf | 9 +++++-- stacks/kured/main.tf | 9 +++++-- stacks/linkwarden/main.tf | 9 +++++-- stacks/local-path/main.tf | 9 +++++-- stacks/matrix/main.tf | 9 +++++-- stacks/meshcentral/main.tf | 9 +++++-- stacks/n8n/main.tf | 9 +++++-- stacks/navidrome/main.tf | 9 +++++-- stacks/netbox/main.tf | 9 +++++-- 
stacks/networking-toolbox/main.tf | 9 +++++-- stacks/nextcloud/main.tf | 1 + stacks/ntfy/main.tf | 9 +++++-- stacks/onlyoffice/main.tf | 9 +++++-- stacks/openclaw/main.tf | 8 ++++++- stacks/osm_routing/main.tf | 25 ++++++++++++++----- stacks/owntracks/main.tf | 9 +++++-- stacks/paperless-ngx/main.tf | 9 +++++-- stacks/phpipam/main.tf | 8 ++++++- stacks/poison-fountain/main.tf | 9 +++++-- stacks/priority-pass/main.tf | 8 ++++++- stacks/privatebin/main.tf | 9 +++++-- stacks/real-estate-crawler/main.tf | 17 +++++++++---- stacks/recruiter-responder/terragrunt.hcl | 2 +- stacks/reloader/main.tf | 1 + stacks/resume/main.tf | 17 +++++++++---- stacks/rybbit/main.tf | 25 ++++++++++++++----- stacks/send/main.tf | 9 +++++-- stacks/servarr/main.tf | 1 + stacks/shadowsocks/main.tf | 9 +++++-- stacks/speedtest/main.tf | 9 +++++-- stacks/stirling-pdf/main.tf | 9 +++++-- stacks/tandoor/main.tf | 9 +++++-- stacks/terminal/main.tf | 1 + stacks/tor-proxy/main.tf | 17 +++++++++---- stacks/travel_blog/main.tf | 9 +++++-- stacks/tuya-bridge/main.tf | 9 +++++-- stacks/url/main.tf | 17 +++++++++---- stacks/vault/main.tf | 1 + stacks/wealthfolio/main.tf | 8 ++++++- stacks/webhook_handler/main.tf | 8 ++++++- stacks/whisper/main.tf | 17 +++++++++---- stacks/woodpecker/main.tf | 1 + stacks/ytdlp/main.tf | 17 +++++++++---- 79 files changed, 550 insertions(+), 142 deletions(-) diff --git a/stacks/actualbudget/main.tf b/stacks/actualbudget/main.tf index 38eaac4e..7e93ef3a 100644 --- a/stacks/actualbudget/main.tf +++ b/stacks/actualbudget/main.tf @@ -57,6 +57,7 @@ resource "kubernetes_namespace" "actualbudget" { labels = { "istio-injection" : "disabled" tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index 22cc0fa1..4639b9db 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf 
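Review bot: The `"keel.sh/enrolled" = "true"` label added to the `actualbudget` namespace carries no comment saying what it switches on, and the commit subject describes only a recruiter-responder image_tag bump while the diffstat lists 79 changed files. Going by the comment added in stacks/chrome-service/main.tf, the label appears to bring the namespace into scope of the inject-keel-annotations ClusterPolicy, i.e. automatic image updates; that policy is not part of this diff, so this is inferred. A short comment on the label would make the effect visible where it is set, for example `# enrols workloads in this namespace in Keel auto-update (inject-keel-annotations ClusterPolicy)`. The same applies to the other namespace hunks in this patch, and the namespace resource itself starts above the hunk.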
@@ -88,6 +88,7 @@ resource "kubernetes_namespace" "affine" { name = "affine" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -331,8 +332,12 @@ resource "kubernetes_deployment" "affine" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/blog/main.tf b/stacks/blog/main.tf index 30519e9d..b02a805c 100644 --- a/stacks/blog/main.tf +++ b/stacks/blog/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "website" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -76,8 +77,12 @@ resource "kubernetes_deployment" "blog" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf index bd614f76..f36579d0 100644 --- a/stacks/broker-sync/main.tf +++ b/stacks/broker-sync/main.tf @@ -12,6 +12,7 @@ resource "kubernetes_namespace" "broker_sync" { labels = { "istio-injection" = "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/calico/main.tf b/stacks/calico/main.tf index 79bc756b..afe21f43 100644 --- a/stacks/calico/main.tf +++ b/stacks/calico/main.tf 
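Review bot: The new `ignore_changes` list in `kubernetes_deployment.affine` drops the sentence that explained why `dns_config` is ignored and tags only the `pollSchedule` entry with `KYVERNO_LIFECYCLE_V2`, so the reason for ignoring the three `keel.sh/*` annotations is not stated anywhere in the block. Ignoring them also means `terraform plan` no longer reports an in-cluster change to `keel.sh/policy`, which leaves whatever writes that annotation as the only authority on this workload's update policy. I would put one comment above the three entries, e.g. `# KYVERNO_LIFECYCLE_V2: annotations injected by the inject-keel-annotations ClusterPolicy`, and keep the `ndots=2` explanation on the `dns_config` line. Unlike stacks/claude-memory/main.tf, this list does not include `spec[0].template[0].spec[0].container[0].image`; if Keel rewrites the image, the next apply would presumably revert it, which is worth confirming. The same pattern repeats in the other `lifecycle` hunks of this patch, and the deployment body starts above the hunk.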
@@ -22,6 +22,7 @@ resource "kubernetes_namespace" "calico_system" { name = "calico-system" labels = { name = "calico-system" + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf index cd211745..6d46c25e 100644 --- a/stacks/changedetection/main.tf +++ b/stacks/changedetection/main.tf @@ -9,6 +9,7 @@ resource "kubernetes_namespace" "changedetection" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -194,8 +195,12 @@ resource "kubernetes_deployment" "changedetection" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/chrome-service/main.tf b/stacks/chrome-service/main.tf index d4aac64d..1c6f0068 100644 --- a/stacks/chrome-service/main.tf +++ b/stacks/chrome-service/main.tf @@ -24,6 +24,7 @@ resource "kubernetes_namespace" "chrome_service" { "istio-injection" = "disabled" tier = local.tiers.aux "chrome-service.viktorbarzin.me/server" = "true" + "keel.sh/enrolled" = "true" } } lifecycle { 
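Review bot: Enrolling `calico-system` puts the cluster's CNI on the same automatic image-update path as the application namespaces, and the patch does the same for `descheduler`, `external-secrets`, `k8s-dashboard`, `k8s-version-upgrade` and `kured`, all of which are labelled `tier = local.tiers.cluster`. For these components an unreviewed image roll is both an availability risk and a supply-chain one, because a changed upstream tag would be deployed into a privileged namespace without any change in this repository. The effective behaviour depends on the ClusterPolicy, which is not shown here, so this may already be constrained. If it is not, consider leaving cluster-tier namespaces un-enrolled, or gating them with Keel's `keel.sh/approvals` setting together with digest-pinned images.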
@@ -114,6 +115,12 @@ resource "kubernetes_deployment" "chrome_service" { namespace = kubernetes_namespace.chrome_service.metadata[0].name labels = merge(local.labels, { tier = local.tiers.aux + # Deliberate pin: chrome-service's playwright image MUST match + # the playwright Python version in f1-stream (see local.image + # comment above). Opt out of Keel auto-update via this label — + # the inject-keel-annotations ClusterPolicy excludes workloads + # selector-matching keel.sh/policy=never. + "keel.sh/policy" = "never" }) annotations = { "reloader.stakater.com/auto" = "true" @@ -311,8 +318,12 @@ resource "kubernetes_deployment" "chrome_service" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/city-guesser/main.tf b/stacks/city-guesser/main.tf index d717c97e..c53fb4d8 100644 --- a/stacks/city-guesser/main.tf +++ b/stacks/city-guesser/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "city-guesser" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -67,8 +68,12 @@ resource "kubernetes_deployment" "city-guesser" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } 
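Review bot: In `kubernetes_deployment.chrome_service` the deliberate pin is expressed as the label `"keel.sh/policy" = "never"`, while the `lifecycle` hunk further down tells Terraform to ignore the annotation of the same name. For a workload whose image must stay matched to f1-stream, this is the one place where drift should be reported: if the ClusterPolicy exclusion ever stops matching and a `keel.sh/policy` annotation is injected, `terraform plan` would likely stay silent. I would keep this deployment's list at `ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1` and, if Keel reads the annotation as well as the label, also set `"keel.sh/policy" = "never"` under `annotations` so the pin does not rest on the policy's selector alone. Both hunks cut into the resource body, which continues outside them.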
diff --git a/stacks/claude-memory/main.tf b/stacks/claude-memory/main.tf index 605e13ea..0d43e5b0 100644 --- a/stacks/claude-memory/main.tf +++ b/stacks/claude-memory/main.tf @@ -19,6 +19,7 @@ resource "kubernetes_namespace" "claude-memory" { name = "claude-memory" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -249,6 +250,9 @@ resource "kubernetes_deployment" "claude-memory" { ignore_changes = [ spec[0].template[0].spec[0].container[0].image, spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 ] } } diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf index e127d979..f8d5de39 100644 --- a/stacks/coturn/main.tf +++ b/stacks/coturn/main.tf @@ -52,6 +52,7 @@ resource "kubernetes_namespace" "coturn" { name = "coturn" labels = { tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { @@ -194,8 +195,12 @@ resource "kubernetes_deployment" "coturn" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/cyberchef/main.tf b/stacks/cyberchef/main.tf index 926d9928..3d98f140 100644 --- a/stacks/cyberchef/main.tf +++ b/stacks/cyberchef/main.tf @@ -9,6 +9,7 @@ resource "kubernetes_namespace" "cyberchef" { name = "cyberchef" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -77,8 +78,12 @@ resource "kubernetes_deployment" "cyberchef" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/dashy/main.tf b/stacks/dashy/main.tf index 77ce1f5a..e69ad453 100644 --- a/stacks/dashy/main.tf +++ b/stacks/dashy/main.tf @@ -16,6 +16,7 @@ resource "kubernetes_namespace" "dashy" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -100,8 +101,12 @@ resource "kubernetes_deployment" "dashy" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf index b4ed7198..1e581e10 100644 --- a/stacks/dawarich/main.tf +++ b/stacks/dawarich/main.tf @@ -17,6 +17,7 @@ resource "kubernetes_namespace" "dawarich" { labels = { "istio-injection" : "disabled" tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } } 
@@ -325,7 +326,12 @@ resource "kubernetes_deployment" "dawarich" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/descheduler/main.tf b/stacks/descheduler/main.tf index c334e072..47b1dfee 100644 --- a/stacks/descheduler/main.tf +++ b/stacks/descheduler/main.tf @@ -5,6 +5,7 @@ resource "kubernetes_namespace" "descheduler" { name = "descheduler" labels = { tier = local.tiers.cluster + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/diun/main.tf b/stacks/diun/main.tf index e05983a3..9893526b 100644 --- a/stacks/diun/main.tf +++ b/stacks/diun/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "diun" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -237,6 +238,11 @@ resource "kubernetes_deployment" "diun" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/ebook2audiobook/main.tf b/stacks/ebook2audiobook/main.tf index 7b4f27e8..87552f18 100644 --- a/stacks/ebook2audiobook/main.tf +++ b/stacks/ebook2audiobook/main.tf @@ -17,6 +17,7 @@ resource "kubernetes_namespace" "ebook2audiobook" { labels = { "istio-injection" : "disabled" tier = local.tiers.gpu + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -120,8 +121,12 @@ resource "kubernetes_deployment" "ebook2audiobook" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -322,8 +327,12 @@ resource "kubernetes_deployment" "audiblez" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -412,8 +421,12 @@ resource "kubernetes_deployment" "audiblez-web" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/ebooks/main.tf b/stacks/ebooks/main.tf index 403a7916..f0705dac 100644 --- a/stacks/ebooks/main.tf +++ b/stacks/ebooks/main.tf @@ -9,6 +9,7 @@ resource "kubernetes_namespace" "ebooks" { name = "ebooks" labels = { tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -364,7 +365,12 @@ resource "kubernetes_deployment" "calibre-web-automated" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -485,7 +491,12 @@ resource "kubernetes_deployment" "annas-archive-stacks" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -634,7 +645,12 @@ resource "kubernetes_deployment" "audiobookshelf" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -909,7 +925,12 @@ resource "kubernetes_deployment" "book_search" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/echo/main.tf b/stacks/echo/main.tf index 3b814db5..1a86bbc4 100644 --- a/stacks/echo/main.tf +++ b/stacks/echo/main.tf 
@@ -10,6 +10,7 @@ resource "kubernetes_namespace" "echo" { labels = { "istio-injection" : "disabled" tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { @@ -74,8 +75,12 @@ resource "kubernetes_deployment" "echo" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/excalidraw/main.tf b/stacks/excalidraw/main.tf index be5b85c3..7563b877 100644 --- a/stacks/excalidraw/main.tf +++ b/stacks/excalidraw/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "excalidraw" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -124,8 +125,12 @@ resource "kubernetes_deployment" "excalidraw" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/external-secrets/main.tf b/stacks/external-secrets/main.tf index 308ea98a..291c67b9 100644 --- a/stacks/external-secrets/main.tf +++ b/stacks/external-secrets/main.tf @@ -3,6 +3,7 @@ resource "kubernetes_namespace" "external_secrets" { name = "external-secrets" labels = { tier = local.tiers.cluster + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index ca17daed..0a7aeb8f 100644 --- a/stacks/f1-stream/main.tf 
+++ b/stacks/f1-stream/main.tf @@ -13,6 +13,7 @@ resource "kubernetes_namespace" "f1-stream" { "istio-injection" : "disabled" tier = local.tiers.aux "chrome-service.viktorbarzin.me/client" = "true" + "keel.sh/enrolled" = "true" } } lifecycle { @@ -202,8 +203,12 @@ resource "kubernetes_deployment" "f1-stream" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/foolery/main.tf b/stacks/foolery/main.tf index 5ce47294..ebe1ae7a 100644 --- a/stacks/foolery/main.tf +++ b/stacks/foolery/main.tf @@ -9,6 +9,7 @@ resource "kubernetes_namespace" "foolery" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf index 121d7a94..7d01d220 100644 --- a/stacks/forgejo/main.tf +++ b/stacks/forgejo/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "forgejo" { labels = { "istio-injection" : "disabled" tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { @@ -169,8 +170,12 @@ resource "kubernetes_deployment" "forgejo" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf index 81e19489..4113948e 100644 --- a/stacks/freedify/main.tf 
+++ b/stacks/freedify/main.tf @@ -55,6 +55,7 @@ resource "kubernetes_namespace" "freedify" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf index 35a22953..da10301d 100644 --- a/stacks/freshrss/main.tf +++ b/stacks/freshrss/main.tf @@ -8,6 +8,7 @@ resource "kubernetes_namespace" "immich" { name = "freshrss" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -203,8 +204,12 @@ resource "kubernetes_deployment" "freshrss" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf index 47d6bda4..e71e8ea6 100644 --- a/stacks/frigate/main.tf +++ b/stacks/frigate/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "frigate" { name = "frigate" labels = { tier = local.tiers.gpu + "keel.sh/enrolled" = "true" } # labels = { # "istio-injection" : "enabled" @@ -231,8 +232,12 @@ for name, det in stats.get('detectors', {}).items(): } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf index 430c136e..4c526228 100644 --- a/stacks/grampsweb/main.tf +++ b/stacks/grampsweb/main.tf 
@@ -51,6 +51,7 @@ resource "kubernetes_namespace" "grampsweb" { name = "grampsweb" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -334,8 +335,12 @@ resource "kubernetes_deployment" "grampsweb" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf index ca9c991e..61e82f96 100644 --- a/stacks/hackmd/main.tf +++ b/stacks/hackmd/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "hackmd" { labels = { "istio-injection" : "disabled" tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { @@ -172,8 +173,12 @@ resource "kubernetes_deployment" "hackmd" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/health/main.tf b/stacks/health/main.tf index 517fec04..12b7e079 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "health" { name = "health" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -153,8 +154,12 @@ resource "kubernetes_deployment" "health" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/hermes-agent/main.tf b/stacks/hermes-agent/main.tf index 7da2df5b..4e931954 100644 --- a/stacks/hermes-agent/main.tf +++ b/stacks/hermes-agent/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "hermes_agent" { name = "hermes-agent" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -386,7 +387,12 @@ resource "kubernetes_deployment" "hermes_agent" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/homepage/main.tf b/stacks/homepage/main.tf index 94236382..62abcaa7 100644 --- a/stacks/homepage/main.tf +++ b/stacks/homepage/main.tf @@ -16,6 +16,7 @@ resource "kubernetes_namespace" "homepage" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -118,8 +119,12 @@ resource "kubernetes_deployment" "cache_proxy" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/insta2spotify/main.tf b/stacks/insta2spotify/main.tf index 76fc7c3f..af60d417 100644 --- a/stacks/insta2spotify/main.tf +++ b/stacks/insta2spotify/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "insta2spotify" { labels = { "istio-injection" = "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -209,7 +210,12 @@ resource "kubernetes_deployment" "insta2spotify" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/isponsorblocktv/main.tf b/stacks/isponsorblocktv/main.tf index ee5bfed4..c60f8f5f 100644 --- a/stacks/isponsorblocktv/main.tf +++ b/stacks/isponsorblocktv/main.tf @@ -6,6 +6,7 @@ resource "kubernetes_namespace" "isponsorblocktv" { labels = { "istio-injection" : "disabled" tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -99,7 +100,11 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/jsoncrack/main.tf b/stacks/jsoncrack/main.tf index 7828e7aa..243f544c 100644 --- a/stacks/jsoncrack/main.tf +++ b/stacks/jsoncrack/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "jsoncrack" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -57,8 +58,12 @@ resource "kubernetes_deployment" "jsoncrack" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/k8s-dashboard/main.tf b/stacks/k8s-dashboard/main.tf index f6759f6a..40bd3466 100644 --- a/stacks/k8s-dashboard/main.tf +++ b/stacks/k8s-dashboard/main.tf @@ -32,6 +32,7 @@ resource "kubernetes_namespace" "k8s-dashboard" { labels = { "istio-injection" : "disabled" tier = local.tiers.cluster + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/k8s-version-upgrade/main.tf b/stacks/k8s-version-upgrade/main.tf index af4cc6de..ebc49545 100644 --- a/stacks/k8s-version-upgrade/main.tf +++ b/stacks/k8s-version-upgrade/main.tf 
@@ -63,6 +63,7 @@ resource "kubernetes_namespace" "k8s_upgrade" { name = local.namespace labels = { tier = local.tiers.cluster + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index 5cc6e3fd..5354753a 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "kms" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -305,8 +306,12 @@ resource "kubernetes_deployment" "windows_kms" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } depends_on = [kubernetes_manifest.kms_slack_external_secret] } diff --git a/stacks/kured/main.tf b/stacks/kured/main.tf index 42625c4c..aa2a5c22 100644 --- a/stacks/kured/main.tf +++ b/stacks/kured/main.tf @@ -31,6 +31,7 @@ resource "kubernetes_namespace" "kured" { labels = { "istio-injection" = "disabled" tier = local.tiers.cluster + "keel.sh/enrolled" = "true" } } lifecycle { @@ -307,7 +308,11 @@ resource "kubernetes_daemon_set_v1" "kured_sentinel_gate" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf index bcebbd61..ddbb259c 100644 --- a/stacks/linkwarden/main.tf 
+++ b/stacks/linkwarden/main.tf @@ -19,6 +19,7 @@ resource "kubernetes_namespace" "linkwarden" { name = "linkwarden" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -202,8 +203,12 @@ resource "kubernetes_deployment" "linkwarden" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } resource "kubernetes_service" "linkwarden" { diff --git a/stacks/local-path/main.tf b/stacks/local-path/main.tf index fd24de35..24acfff0 100644 --- a/stacks/local-path/main.tf +++ b/stacks/local-path/main.tf @@ -128,6 +128,7 @@ resource "kubernetes_deployment" "local_path_provisioner" { namespace = kubernetes_namespace.local_path_storage.metadata[0].name labels = { tier = "default" + "keel.sh/enrolled" = "true" } } spec { @@ -185,8 +186,12 @@ resource "kubernetes_deployment" "local_path_provisioner" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf index 1330f79b..83d9ff36 100644 --- a/stacks/matrix/main.tf +++ b/stacks/matrix/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "matrix" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { 
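Review bot: In the `local-path` stack the `"keel.sh/enrolled" = "true"` label is added to the `labels` map of `kubernetes_deployment.local_path_provisioner` (hunk `@@ -128,6 +129,7 @@`), whereas every other stack in this patch puts it on the `kubernetes_namespace` resource. If enrollment is evaluated on namespace labels, which the rest of the patch suggests but does not show, this workload is either not enrolled at all or enrolled by a different rule than its siblings, and nothing in the file says which is intended. Move the label to the `local_path_storage` namespace resource, or keep it here with a comment such as `# label is on the Deployment on purpose: <reason>`. The deployment's metadata block starts outside the hunk.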
@@ -204,8 +205,12 @@ resource "kubernetes_deployment" "matrix" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf index 74f10096..c9a00bca 100644 --- a/stacks/meshcentral/main.tf +++ b/stacks/meshcentral/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "meshcentral" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -250,8 +251,12 @@ EOT } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf index 5cd26955..ee520c43 100644 --- a/stacks/n8n/main.tf +++ b/stacks/n8n/main.tf @@ -16,6 +16,7 @@ resource "kubernetes_namespace" "n8n" { name = "n8n" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -368,8 +369,12 @@ resource "kubernetes_deployment" "n8n" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf index 46a858a3..19813989 100644 --- a/stacks/navidrome/main.tf +++ b/stacks/navidrome/main.tf @@ -9,6 +9,7 @@ resource "kubernetes_namespace" "navidrome" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -210,8 +211,12 @@ resource "kubernetes_deployment" "navidrome" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf index f03181c2..4aaf108a 100644 --- a/stacks/netbox/main.tf +++ b/stacks/netbox/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "netbox" { name = "netbox" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -201,8 +202,12 @@ resource "kubernetes_deployment" "netbox" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } resource "kubernetes_service" "netbox" { diff --git a/stacks/networking-toolbox/main.tf b/stacks/networking-toolbox/main.tf index 2b64484b..e5c5d9af 100644 --- a/stacks/networking-toolbox/main.tf +++ b/stacks/networking-toolbox/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "networking-toolbox" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -71,8 +72,12 @@ resource "kubernetes_deployment" "networking-toolbox" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf index 2af85070..f1dcf1b6 100644 --- a/stacks/nextcloud/main.tf +++ b/stacks/nextcloud/main.tf @@ -30,6 +30,7 @@ resource "kubernetes_namespace" "nextcloud" { tier = local.tiers.edge "resource-governance/custom-limitrange" = "true" "resource-governance/custom-quota" = "true" + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/ntfy/main.tf b/stacks/ntfy/main.tf index d3558ea0..f33e5741 100644 --- a/stacks/ntfy/main.tf +++ b/stacks/ntfy/main.tf 
@@ -10,6 +10,7 @@ resource "kubernetes_namespace" "ntfy" { name = "ntfy" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -163,8 +164,12 @@ resource "kubernetes_deployment" "ntfy" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf index eed6af66..e65abf8a 100644 --- a/stacks/onlyoffice/main.tf +++ b/stacks/onlyoffice/main.tf @@ -14,6 +14,7 @@ resource "kubernetes_namespace" "onlyoffice" { tier = local.tiers.edge "resource-governance/custom-limitrange" = "true" "resource-governance/custom-quota" = "true" + "keel.sh/enrolled" = "true" } } lifecycle { @@ -232,8 +233,12 @@ resource "kubernetes_deployment" "onlyoffice-document-server" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf index b6476e91..028f0cc7 100644 --- a/stacks/openclaw/main.tf +++ b/stacks/openclaw/main.tf @@ -21,6 +21,7 @@ resource "kubernetes_namespace" "openclaw" { tier = local.tiers.aux "resource-governance/custom-limitrange" = "true" "resource-governance/custom-quota" = "true" + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -1315,7 +1316,12 @@ resource "kubernetes_deployment" "openlobster" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/osm_routing/main.tf b/stacks/osm_routing/main.tf index 9e031980..92d76eb2 100644 --- a/stacks/osm_routing/main.tf +++ b/stacks/osm_routing/main.tf @@ -12,6 +12,7 @@ resource "kubernetes_namespace" "osm-routing" { "istio-injection" : "disabled" tier = local.tiers.aux "resource-governance/custom-quota" = "true" + "keel.sh/enrolled" = "true" } } lifecycle { @@ -113,8 +114,12 @@ resource "kubernetes_deployment" "osrm-foot" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -198,8 +203,12 @@ resource "kubernetes_deployment" "osrm-bicycle" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } 
@@ -287,8 +296,12 @@ resource "kubernetes_deployment" "otp" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index 82cd41bc..394047c3 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf @@ -50,6 +50,7 @@ resource "kubernetes_namespace" "owntracks" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -194,8 +195,12 @@ resource "kubernetes_deployment" "owntracks" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf index b3a71b3f..39db3277 100644 --- a/stacks/paperless-ngx/main.tf +++ b/stacks/paperless-ngx/main.tf @@ -21,6 +21,7 @@ resource "kubernetes_namespace" "paperless-ngx" { name = "paperless-ngx" labels = { tier = local.tiers.edge + "keel.sh/enrolled" = "true" } # labels = { # "istio-injection" : "enabled" 
@@ -211,8 +212,12 @@ resource "kubernetes_deployment" "paperless-ngx" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/phpipam/main.tf b/stacks/phpipam/main.tf index b1453c7b..f2522902 100644 --- a/stacks/phpipam/main.tf +++ b/stacks/phpipam/main.tf @@ -18,6 +18,7 @@ resource "kubernetes_namespace" "phpipam" { name = "phpipam" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -201,7 +202,12 @@ resource "kubernetes_deployment" "phpipam_web" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf index 677d2663..c8c7c30a 100644 --- a/stacks/poison-fountain/main.tf +++ b/stacks/poison-fountain/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "poison_fountain" { labels = { "istio-injection" = "disabled" tier = local.tiers.cluster + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -179,8 +180,12 @@ resource "kubernetes_deployment" "poison_fountain" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/priority-pass/main.tf b/stacks/priority-pass/main.tf index 618c77c2..7d70983c 100644 --- a/stacks/priority-pass/main.tf +++ b/stacks/priority-pass/main.tf @@ -20,6 +20,7 @@ resource "kubernetes_namespace" "priority-pass" { labels = { "istio-injection" = "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -148,7 +149,12 @@ resource "kubernetes_deployment" "priority-pass" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/privatebin/main.tf b/stacks/privatebin/main.tf index 5a1e449a..eefe23d5 100644 --- a/stacks/privatebin/main.tf +++ b/stacks/privatebin/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "privatebin" { labels = { "istio-injection" : "disabled" tier = local.tiers.edge + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -113,8 +114,12 @@ resource "kubernetes_deployment" "privatebin" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index a6fcf28a..c02c5fa1 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf @@ -119,6 +119,7 @@ resource "kubernetes_namespace" "realestate-crawler" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -522,8 +523,12 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -633,7 +638,11 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } 
diff --git a/stacks/recruiter-responder/terragrunt.hcl b/stacks/recruiter-responder/terragrunt.hcl index 23e5c428..d9ee68bf 100644 --- a/stacks/recruiter-responder/terragrunt.hcl +++ b/stacks/recruiter-responder/terragrunt.hcl @@ -19,5 +19,5 @@ dependency "external-secrets" { inputs = { # Override per-deploy in CI / commit. - image_tag = "f3cb91ff" + image_tag = "189ef901" } diff --git a/stacks/reloader/main.tf b/stacks/reloader/main.tf index 5e520ad5..513d20d8 100644 --- a/stacks/reloader/main.tf +++ b/stacks/reloader/main.tf @@ -3,6 +3,7 @@ resource "kubernetes_namespace" "crowdsec" { name = "reloader" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf index 5779d483..a4d090cc 100644 --- a/stacks/resume/main.tf +++ b/stacks/resume/main.tf @@ -25,6 +25,7 @@ resource "kubernetes_namespace" "resume" { name = local.namespace labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -144,8 +145,12 @@ resource "kubernetes_deployment" "printer" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -341,8 +346,12 @@ resource "kubernetes_deployment" "resume" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } 
diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf index 1404d2a5..3110fa72 100644 --- a/stacks/rybbit/main.tf +++ b/stacks/rybbit/main.tf @@ -15,6 +15,7 @@ resource "kubernetes_namespace" "rybbit" { name = "rybbit" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -230,8 +231,12 @@ resource "kubernetes_deployment" "clickhouse" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -440,8 +445,12 @@ resource "kubernetes_deployment" "rybbit" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -542,8 +551,12 @@ resource "kubernetes_deployment" "rybbit-client" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/send/main.tf b/stacks/send/main.tf index 7eeda8c7..7d33173d 100644 --- a/stacks/send/main.tf +++ b/stacks/send/main.tf 
@@ -12,6 +12,7 @@ resource "kubernetes_namespace" "send" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -148,8 +149,12 @@ resource "kubernetes_deployment" "send" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } resource "kubernetes_service" "send" { diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf index bf2de065..9bfad82d 100644 --- a/stacks/servarr/main.tf +++ b/stacks/servarr/main.tf @@ -49,6 +49,7 @@ resource "kubernetes_namespace" "servarr" { name = "servarr" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf index e98db03e..6850c036 100644 --- a/stacks/shadowsocks/main.tf +++ b/stacks/shadowsocks/main.tf @@ -7,6 +7,7 @@ resource "kubernetes_namespace" "shadowsocks" { name = "shadowsocks" labels = { tier = local.tiers.edge + "keel.sh/enrolled" = "true" } # TLS termination seems iffy - I get pfsense MiTM-ing # labels = { @@ -115,8 +116,12 @@ resource "kubernetes_deployment" "shadowsocks" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf index 90e4772f..b773d82c 100644 
--- a/stacks/speedtest/main.tf +++ b/stacks/speedtest/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "speedtest" { name = "speedtest" labels = { tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -208,8 +209,12 @@ resource "kubernetes_deployment" "speedtest" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/stirling-pdf/main.tf b/stacks/stirling-pdf/main.tf index b7c4976e..7ac4d061 100644 --- a/stacks/stirling-pdf/main.tf +++ b/stacks/stirling-pdf/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "stirling-pdf" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -111,8 +112,12 @@ resource "kubernetes_deployment" "stirling-pdf" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf index 94242a8f..50ff39ee 100644 --- a/stacks/tandoor/main.tf +++ b/stacks/tandoor/main.tf @@ -12,6 +12,7 @@ resource "kubernetes_namespace" "tandoor" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -232,8 +233,12 @@ resource "kubernetes_deployment" "tandoor" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/terminal/main.tf b/stacks/terminal/main.tf index b6ae160c..f72fd41a 100644 --- a/stacks/terminal/main.tf +++ b/stacks/terminal/main.tf @@ -9,6 +9,7 @@ resource "kubernetes_namespace" "terminal" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/tor-proxy/main.tf b/stacks/tor-proxy/main.tf index d86d80d8..85ab65b9 100644 --- a/stacks/tor-proxy/main.tf +++ b/stacks/tor-proxy/main.tf @@ -11,6 +11,7 @@ resource "kubernetes_namespace" "tor-proxy" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -106,8 +107,12 @@ resource "kubernetes_deployment" "tor-proxy" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } 
@@ -240,8 +245,12 @@ resource "kubernetes_deployment" "torrserver" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/travel_blog/main.tf b/stacks/travel_blog/main.tf index 75fc00d0..3eeb23b0 100644 --- a/stacks/travel_blog/main.tf +++ b/stacks/travel_blog/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "travel-blog" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -76,8 +77,12 @@ resource "kubernetes_deployment" "blog" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf index b6228c35..502cdc8e 100644 --- a/stacks/tuya-bridge/main.tf +++ b/stacks/tuya-bridge/main.tf @@ -9,6 +9,7 @@ resource "kubernetes_namespace" "tuya-bridge" { labels = { "istio-injection" : "disabled" tier = local.tiers.cluster + "keel.sh/enrolled" = "true" } } lifecycle { 
@@ -152,8 +153,12 @@ resource "kubernetes_deployment" "tuya-bridge" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/url/main.tf b/stacks/url/main.tf index 58a127ba..64fa1f45 100644 --- a/stacks/url/main.tf +++ b/stacks/url/main.tf @@ -25,6 +25,7 @@ resource "kubernetes_namespace" "shlink" { labels = { "istio-injection" : "disabled" tier = local.tiers.aux + "keel.sh/enrolled" = "true" } } lifecycle { @@ -260,8 +261,12 @@ resource "kubernetes_deployment" "shlink" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } @@ -406,8 +411,12 @@ resource "kubernetes_deployment" "shlink-web" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf index f6a4f5d6..5640c0d4 100644 --- a/stacks/vault/main.tf +++ b/stacks/vault/main.tf 
@@ -11,6 +11,7 @@ resource "kubernetes_namespace" "vault" {
 name = "vault"
 labels = {
 tier = local.tiers.core
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf
index 60ab9186..4ff56ee5 100644
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@@ -11,6 +11,7 @@ resource "kubernetes_namespace" "wealthfolio" {
 labels = {
 "istio-injection" : "disabled"
 tier = local.tiers.aux
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -105,7 +106,12 @@ resource "random_string" "random" {
 resource "kubernetes_deployment" "wealthfolio" {
 lifecycle {
- ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 metadata {
 name = "wealthfolio"
diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf
index b3b8ab3d..9a1f45c4 100644
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@@ -13,6 +13,7 @@ resource "kubernetes_namespace" "webhook-handler" {
 name = "webhook-handler"
 labels = {
 tier = local.tiers.aux
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -234,7 +235,12 @@ resource "kubernetes_deployment" "webhook_handler" {
 }
 }
 lifecycle {
- ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 }
diff --git a/stacks/whisper/main.tf b/stacks/whisper/main.tf
index b7377924..9bf954d9 100644
--- a/stacks/whisper/main.tf
+++ b/stacks/whisper/main.tf
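Review bot: Adding `"keel.sh/enrolled" = "true"` to the `vault` namespace (tier `core`) puts the secrets store under the same image-update enrolment as the auxiliary apps, and nothing in this hunk limits which updates would be accepted there. What the label triggers is not visible in the diff; if it causes `keel.sh/policy` and `keel.sh/trigger` annotations to be injected into workloads in the namespace, Vault image rollouts would follow registry state instead of a reviewed Terraform change. I would leave `vault` out of the enrolment, or add a comment on the label that names the policy applied to core-tier namespaces, e.g. `# keel enrolment: <policy applied to tier core>`. The `woodpecker` (CI) namespace hunk later in this patch gets the same label and deserves the same check; both namespace resources start and end outside their hunks.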
@@ -10,6 +10,7 @@ resource "kubernetes_namespace" "whisper" {
 name = "whisper"
 labels = {
 tier = local.tiers.gpu
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -124,8 +125,12 @@ resource "kubernetes_deployment" "whisper" {
 }
 }
 lifecycle {
- # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
- ignore_changes = [spec[0].template[0].spec[0].dns_config]
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 }
@@ -246,8 +251,12 @@ resource "kubernetes_deployment" "piper" {
 }
 }
 lifecycle {
- # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
- ignore_changes = [spec[0].template[0].spec[0].dns_config]
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 }
diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index 30dbf406..9965e485 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -32,6 +32,7 @@ resource "kubernetes_namespace" "woodpecker" {
 labels = {
 "resource-governance/custom-quota" = "true"
 tier = local.tiers.edge
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf
index a74508da..5dc8a48e 100644
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
@@ -41,6 +41,7 @@ resource "kubernetes_namespace" "ytdlp" {
 labels = {
 "istio-injection" : "disabled"
 tier = local.tiers.aux
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
@@ -148,8 +149,12 @@ resource "kubernetes_deployment" "ytdlp" {
 }
 }
 lifecycle {
- # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
- ignore_changes = [spec[0].template[0].spec[0].dns_config]
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 }
@@ -323,8 +328,12 @@ resource "kubernetes_deployment" "yt_highlights" {
 }
 }
 lifecycle {
- # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
- ignore_changes = [spec[0].template[0].spec[0].dns_config]
+ ignore_changes = [
+ spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+ metadata[0].annotations["keel.sh/policy"],
+ metadata[0].annotations["keel.sh/trigger"],
+ metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+ ]
 }
 }