viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[ci skip] switch VPA to off mode globally, fix Ollama/MySQL resources

Browse source 
- Kyverno policy: VPA mode set to 'off' for all namespaces (was 'initial'
  for non-core). Terraform is now sole authority for container resources.
  Goldilocks provides recommendations only.
- Ollama: add explicit CPU/memory resources (500m/4Gi req, 4/12Gi limit)
  alongside GPU allocation. Fixes OOMKill from VPA scaling down resources.
- MySQL InnoDB Cluster: bump memory limit from 2Gi to 3Gi.
- Remove redundant per-namespace VPA opt-out labels from onlyoffice,
  openclaw, trading-bot (now handled globally by Kyverno policy).
This commit is contained in:
Viktor Barzin 2026-03-01 19:03:49 +00:00
parent 304b5e4b3d
commit 32762a0916
No known key found for this signature in database
GPG key ID: 0EB088298288D958
7 changed files with 21 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

4
stacks/platform/modules/dbaas/main.tf
View file

@ -150,7 +150,7 @@ resource "helm_release" "mysql_cluster" {
}
limits = {
cpu = "2"
memory = "2Gi"
memory = "3Gi"
}
}
@ -176,7 +176,7 @@ resource "helm_release" "mysql_cluster" {
cpu = "250m"
}
limits = {
memory = "2Gi"
memory = "3Gi"
cpu = "2"
}
}

54
stacks/platform/modules/vpa/main.tf
View file

@ -86,12 +86,12 @@ module "ingress" {
}
# -----------------------------------------------------------------------------
# Kyverno policy label namespaces for VPA mode by tier
# Kyverno policy label namespaces for VPA observe-only mode
# -----------------------------------------------------------------------------
# Goldilocks reads the goldilocks.fairwinds.com/vpa-update-mode label on
# namespaces to decide the updateMode for VPA objects it creates.
# Tier 0-core gets "off" (recommend only these are critical infra where
# evictions cause downtime). All other namespaces get "auto".
# All namespaces get "off" Terraform is the authoritative source of truth
# for container resources. Goldilocks provides recommendations only.
resource "kubernetes_manifest" "vpa_auto_mode_label" {
manifest = {
@ -100,25 +100,19 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
metadata = {
name = "goldilocks-vpa-auto-mode"
annotations = {
"policies.kyverno.io/title" = "Goldilocks VPA Mode by Tier"
"policies.kyverno.io/description" = "Sets VPA update mode per namespace: Off for tier-0 critical infra (no evictions), Auto for all others."
"policies.kyverno.io/title" = "Goldilocks VPA Observe-Only Mode"
"policies.kyverno.io/description" = "Sets VPA update mode to off for all namespaces. Terraform owns container resources; Goldilocks provides recommendations only."
}
}
spec = {
rules = [
# Tier 0-core: recommend only, never evict
{
name = "label-vpa-off-tier-0"
name = "label-vpa-off-all"
match = {
any = [
{
resources = {
kinds = ["Namespace"]
selector = {
matchLabels = {
tier = "0-core"
}
}
}
}
]
@ -133,42 +127,6 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
}
}
},
# All other namespaces: initial mode (compatible with Terraform
# VPA mutates pods at creation, not the deployment spec)
{
name = "label-vpa-initial-default"
match = {
any = [
{
resources = {
kinds = ["Namespace"]
}
}
]
}
exclude = {
any = [
{
resources = {
selector = {
matchLabels = {
tier = "0-core"
}
}
}
}
]
}
mutate = {
patchStrategicMerge = {
metadata = {
labels = {
"goldilocks.fairwinds.com/vpa-update-mode" = "initial"
}
}
}
}
},
]
}
}