diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf index dda5816a..820f3117 100644 --- a/stacks/actualbudget/factory/main.tf +++ b/stacks/actualbudget/factory/main.tf @@ -116,6 +116,10 @@ resource "kubernetes_deployment" "actualbudget" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "actualbudget" { @@ -214,6 +218,10 @@ resource "kubernetes_deployment" "actualbudget-http-api" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "actualbudget-http-api" { @@ -304,4 +312,8 @@ resource "kubernetes_cron_job_v1" "bank-sync" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index d1d979ba..bb550bcb 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf @@ -323,6 +323,10 @@ resource "kubernetes_deployment" "affine" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "affine" { diff --git a/stacks/authentik/modules/authentik/pgbouncer.tf b/stacks/authentik/modules/authentik/pgbouncer.tf index 16126a16..427d643d 100644 --- a/stacks/authentik/modules/authentik/pgbouncer.tf +++ b/stacks/authentik/modules/authentik/pgbouncer.tf 
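Review bot: `ignore_changes = [spec[0].template[0].spec[0].dns_config]` in `kubernetes_deployment.actualbudget` ignores the whole dns_config block, not only the ndots option the comment names. A later change to nameservers or search domains on the live object will therefore no longer appear in `terraform plan`, and a dns_config block added to the Terraform configuration later will not be applied. The same block is repeated in the other deployment, cron job and daemon set hunks of this commit (with the `job_template` path for cron jobs). Because Terraform stops reporting drift on pod DNS settings, the comment should say who owns the field now, for example `# KYVERNO_LIFECYCLE_V1: dns_config is owned by the Kyverno ndots mutation; Terraform does not report drift on this block, review the Kyverno policy for DNS changes`. The resource body starts outside the hunk.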
@@ -115,6 +115,10 @@ resource "kubernetes_deployment" "pgbouncer" { } } depends_on = [kubernetes_secret.pgbouncer_auth] + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } # --- 4️⃣ Service --- diff --git a/stacks/blog/main.tf b/stacks/blog/main.tf index b9cf381d..bf5e2699 100644 --- a/stacks/blog/main.tf +++ b/stacks/blog/main.tf @@ -75,6 +75,10 @@ resource "kubernetes_deployment" "blog" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "blog" { diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf index cfc0f54e..fb5915f8 100644 --- a/stacks/broker-sync/main.tf +++ b/stacks/broker-sync/main.tf @@ -126,6 +126,10 @@ resource "kubernetes_cron_job_v1" "version_probe" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Trading212 steady-state daily sync. Phase 1 deliverable. @@ -222,6 +226,10 @@ resource "kubernetes_cron_job_v1" "trading212" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # IMAP ingest — InvestEngine + Schwab email parsers, one combined pod. @@ -347,6 +355,10 @@ resource "kubernetes_cron_job_v1" "imap" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # CSV drop-folder processor — Scottish Widows, Fidelity quarterly, Freetrade, etc. 
@@ -435,6 +447,10 @@ resource "kubernetes_cron_job_v1" "csv_drop" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Monthly HMRC FX reconciliation — rewrites last-month activities with official @@ -523,6 +539,10 @@ resource "kubernetes_cron_job_v1" "fx_reconcile" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Backup: snapshot sync.db / fx.db / csv-archive into NFS daily, keep 30 days. @@ -600,6 +620,10 @@ resource "kubernetes_cron_job_v1" "backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # ----------------------------------------------------------------------------- diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf index a682bfb2..63db05ba 100644 --- a/stacks/changedetection/main.tf +++ b/stacks/changedetection/main.tf @@ -186,6 +186,10 @@ resource "kubernetes_deployment" "changedetection" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "changedetection" { diff --git a/stacks/city-guesser/main.tf b/stacks/city-guesser/main.tf index 067f3c80..afcd9938 100644 --- a/stacks/city-guesser/main.tf +++ b/stacks/city-guesser/main.tf @@ -66,6 +66,10 @@ resource "kubernetes_deployment" "city-guesser" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "city-guesser" { 
diff --git a/stacks/claude-agent-service/main.tf b/stacks/claude-agent-service/main.tf index 319521e3..bbed0e07 100644 --- a/stacks/claude-agent-service/main.tf +++ b/stacks/claude-agent-service/main.tf @@ -590,4 +590,8 @@ resource "kubernetes_cron_job_v1" "claude_oauth_expiry_monitor" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/claude-memory/main.tf b/stacks/claude-memory/main.tf index 050da572..2394cd75 100644 --- a/stacks/claude-memory/main.tf +++ b/stacks/claude-memory/main.tf @@ -242,7 +242,8 @@ resource "kubernetes_deployment" "claude-memory" { lifecycle { # DRIFT_WORKAROUND: CI pipeline owns image tag (kubectl set image from Woodpecker/GHA). Reviewed 2026-04-18. ignore_changes = [ - spec[0].template[0].spec[0].container[0].image + spec[0].template[0].spec[0].container[0].image, + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 ] } } diff --git a/stacks/cloudflared/modules/cloudflared/main.tf b/stacks/cloudflared/modules/cloudflared/main.tf index 08f1ec24..5095f31b 100644 --- a/stacks/cloudflared/modules/cloudflared/main.tf +++ b/stacks/cloudflared/modules/cloudflared/main.tf @@ -93,6 +93,10 @@ resource "kubernetes_deployment" "cloudflared" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_pod_disruption_budget_v1" "cloudflared" { diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf index 9dd380c1..e127d979 100644 --- a/stacks/coturn/main.tf +++ b/stacks/coturn/main.tf 
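Review bot: In `kubernetes_deployment.claude-memory` the new `dns_config` entry sits under the existing `# DRIFT_WORKAROUND: ... Reviewed 2026-04-18.` header, which reads as if that review also covered the Kyverno exemption. Put the marker on its own line above the entry, `# KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2`, followed by `spec[0].template[0].spec[0].dns_config,`, so that each ignored attribute carries its own justification. The `novelapp` deployment hunk has the same layout.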
@@ -193,6 +193,10 @@ resource "kubernetes_deployment" "coturn" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } # LoadBalancer service with MetalLB — exposes STUN/TURN signaling + relay ports diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf index 382c187d..cf59ea47 100644 --- a/stacks/crowdsec/modules/crowdsec/main.tf +++ b/stacks/crowdsec/modules/crowdsec/main.tf @@ -237,6 +237,10 @@ resource "kubernetes_deployment" "crowdsec-web" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "crowdsec-web" { @@ -362,6 +366,10 @@ resource "kubernetes_cron_job_v1" "crowdsec_blocklist_import" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Service account for the blocklist import job (needs kubectl exec permissions) diff --git a/stacks/cyberchef/main.tf b/stacks/cyberchef/main.tf index 8e96b035..916b513b 100644 --- a/stacks/cyberchef/main.tf +++ b/stacks/cyberchef/main.tf @@ -76,6 +76,10 @@ resource "kubernetes_deployment" "cyberchef" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "cyberchef" { diff --git a/stacks/dashy/main.tf b/stacks/dashy/main.tf index 4712a08e..f773d64f 100644 --- a/stacks/dashy/main.tf +++ b/stacks/dashy/main.tf 
@@ -99,6 +99,10 @@ resource "kubernetes_deployment" "dashy" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "dashy" { diff --git a/stacks/dbaas/modules/dbaas/main.tf b/stacks/dbaas/modules/dbaas/main.tf index 4ee35d21..854e20b8 100644 --- a/stacks/dbaas/modules/dbaas/main.tf +++ b/stacks/dbaas/modules/dbaas/main.tf @@ -456,6 +456,10 @@ resource "kubernetes_cron_job_v1" "mysql-backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Per-database MySQL backups (enables single-database restore without affecting others) @@ -551,6 +555,10 @@ resource "kubernetes_cron_job_v1" "mysql-backup-per-db" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # resource "kubernetes_persistent_volume" "mysql" { @@ -756,6 +764,10 @@ resource "kubernetes_deployment" "phpmyadmin" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "phpmyadmin" { @@ -1283,6 +1295,10 @@ resource "kubernetes_deployment" "pgadmin" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "pgadmin" { metadata { 
@@ -1391,6 +1407,10 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Per-database PostgreSQL backups (enables single-database restore without affecting others) @@ -1498,4 +1518,8 @@ resource "kubernetes_cron_job_v1" "postgresql-backup-per-db" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/ebook2audiobook/main.tf b/stacks/ebook2audiobook/main.tf index 50df6240..f9871882 100644 --- a/stacks/ebook2audiobook/main.tf +++ b/stacks/ebook2audiobook/main.tf @@ -119,6 +119,10 @@ resource "kubernetes_deployment" "ebook2audiobook" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } @@ -317,6 +321,10 @@ resource "kubernetes_deployment" "audiblez" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } @@ -403,6 +411,10 @@ resource "kubernetes_deployment" "audiblez-web" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "audiblez-web" { diff --git a/stacks/echo/main.tf b/stacks/echo/main.tf index b305b6e8..7c31e2f1 100644 --- a/stacks/echo/main.tf +++ b/stacks/echo/main.tf 
@@ -73,6 +73,10 @@ resource "kubernetes_deployment" "echo" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "echo" { diff --git a/stacks/excalidraw/main.tf b/stacks/excalidraw/main.tf index ae317f36..c7b1f013 100644 --- a/stacks/excalidraw/main.tf +++ b/stacks/excalidraw/main.tf @@ -116,6 +116,10 @@ resource "kubernetes_deployment" "excalidraw" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "draw" { diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index f78e63ef..e7496778 100644 --- a/stacks/f1-stream/main.tf +++ b/stacks/f1-stream/main.tf @@ -141,6 +141,10 @@ resource "kubernetes_deployment" "f1-stream" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf index fa951c7b..bb774230 100644 --- a/stacks/forgejo/main.tf +++ b/stacks/forgejo/main.tf @@ -134,6 +134,10 @@ resource "kubernetes_deployment" "forgejo" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "forgejo" { diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf index da01c70d..dca27cd7 100644 --- a/stacks/freshrss/main.tf +++ b/stacks/freshrss/main.tf @@ -188,6 +188,10 @@ resource "kubernetes_deployment" "freshrss" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "freshrss" { 
diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf index 5526e61a..31079be9 100644 --- a/stacks/frigate/main.tf +++ b/stacks/frigate/main.tf @@ -223,6 +223,10 @@ for name, det in stats.get('detectors', {}).items(): } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "frigate" { diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf index 01e4fd51..bf0c5cbb 100644 --- a/stacks/grampsweb/main.tf +++ b/stacks/grampsweb/main.tf @@ -326,6 +326,10 @@ resource "kubernetes_deployment" "grampsweb" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "grampsweb" { diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf index 9c5aa93c..2eb31cdd 100644 --- a/stacks/hackmd/main.tf +++ b/stacks/hackmd/main.tf @@ -164,6 +164,10 @@ resource "kubernetes_deployment" "hackmd" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "hackmd" { diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf index 29ab43f9..a628085d 100644 --- a/stacks/headscale/modules/headscale/main.tf +++ b/stacks/headscale/modules/headscale/main.tf @@ -249,6 +249,10 @@ resource "kubernetes_deployment" "headscale" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "headscale" { metadata { 
@@ -486,6 +490,10 @@ resource "kubernetes_cron_job_v1" "headscale_backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Grafana dashboard diff --git a/stacks/health/main.tf b/stacks/health/main.tf index 294c2d35..494236f3 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -145,6 +145,10 @@ resource "kubernetes_deployment" "health" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "health" { diff --git a/stacks/homepage/main.tf b/stacks/homepage/main.tf index d989917f..007f7533 100644 --- a/stacks/homepage/main.tf +++ b/stacks/homepage/main.tf @@ -117,6 +117,10 @@ resource "kubernetes_deployment" "cache_proxy" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "cache_proxy" { diff --git a/stacks/immich/frame.tf b/stacks/immich/frame.tf index 5e3ea8ca..acd5fdbe 100644 --- a/stacks/immich/frame.tf +++ b/stacks/immich/frame.tf @@ -95,6 +95,10 @@ resource "kubernetes_deployment" "immich-frame" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf index d39c9e4b..b17e7d55 100644 --- a/stacks/immich/main.tf +++ b/stacks/immich/main.tf @@ -782,6 +782,10 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # POWER TOOLS 
diff --git a/stacks/infra-maintenance/modules/infra-maintenance/main.tf b/stacks/infra-maintenance/modules/infra-maintenance/main.tf index ca4605df..3f794a06 100644 --- a/stacks/infra-maintenance/modules/infra-maintenance/main.tf +++ b/stacks/infra-maintenance/modules/infra-maintenance/main.tf @@ -188,6 +188,10 @@ resource "kubernetes_cron_job_v1" "backup-etcd" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Weekly etcd defragmentation — prevents fragmentation buildup that causes slow requests @@ -242,6 +246,10 @@ resource "kubernetes_cron_job_v1" "defrag-etcd" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Clean up evicted/failed pods cluster-wide daily @@ -277,6 +285,10 @@ resource "kubernetes_cron_job_v1" "cleanup-failed-pods" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service_account" "cleanup_sa" { diff --git a/stacks/isponsorblocktv/main.tf b/stacks/isponsorblocktv/main.tf index ba1daad2..da440bc4 100644 --- a/stacks/isponsorblocktv/main.tf +++ b/stacks/isponsorblocktv/main.tf @@ -91,4 +91,8 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/jsoncrack/main.tf b/stacks/jsoncrack/main.tf index ede0aa5d..1e1a1de8 100644 --- a/stacks/jsoncrack/main.tf +++ b/stacks/jsoncrack/main.tf 
@@ -56,6 +56,10 @@ resource "kubernetes_deployment" "jsoncrack" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "jsoncrack" { diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index 563c2adf..1ad91cd2 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -96,6 +96,10 @@ resource "kubernetes_deployment" "kms-web-page" { } } depends_on = [kubernetes_config_map.kms-web-page] + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "kms-web-page" { @@ -176,6 +180,10 @@ resource "kubernetes_deployment" "windows_kms" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "windows_kms" { diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf index b77ae314..c4fe89e0 100644 --- a/stacks/linkwarden/main.tf +++ b/stacks/linkwarden/main.tf @@ -201,6 +201,10 @@ resource "kubernetes_deployment" "linkwarden" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "linkwarden" { metadata { diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf index a1b9e125..4880684c 100644 --- a/stacks/mailserver/modules/mailserver/main.tf +++ b/stacks/mailserver/modules/mailserver/main.tf @@ -704,5 +704,9 @@ sys.exit(0 if success else 1) } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } 
diff --git a/stacks/mailserver/modules/mailserver/roundcubemail.tf b/stacks/mailserver/modules/mailserver/roundcubemail.tf index 4ddf7892..83fc1ca8 100644 --- a/stacks/mailserver/modules/mailserver/roundcubemail.tf +++ b/stacks/mailserver/modules/mailserver/roundcubemail.tf @@ -231,6 +231,10 @@ resource "kubernetes_deployment" "roundcubemail" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "roundcubemail" { diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf index 9846ba78..79a23f4c 100644 --- a/stacks/matrix/main.tf +++ b/stacks/matrix/main.tf @@ -196,6 +196,10 @@ resource "kubernetes_deployment" "matrix" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "matrix" { diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf index bfa208f1..7103a64c 100644 --- a/stacks/meshcentral/main.tf +++ b/stacks/meshcentral/main.tf @@ -235,6 +235,10 @@ EOT } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } 
@@ -261,14 +265,14 @@ resource "kubernetes_service" "meshcentral" { } module "ingress" { - source = "../../modules/kubernetes/ingress_factory" - dns_type = "proxied" - namespace = kubernetes_namespace.meshcentral.metadata[0].name - name = "meshcentral" - tls_secret_name = var.tls_secret_name - port = 80 - protected = true - anti_ai_scraping = false + source = "../../modules/kubernetes/ingress_factory" + dns_type = "proxied" + namespace = kubernetes_namespace.meshcentral.metadata[0].name + name = "meshcentral" + tls_secret_name = var.tls_secret_name + port = 80 + protected = true + anti_ai_scraping = false extra_annotations = { "gethomepage.dev/enabled" = "true" "gethomepage.dev/name" = "MeshCentral" diff --git a/stacks/monitoring/modules/monitoring/goflow2.tf b/stacks/monitoring/modules/monitoring/goflow2.tf index 1eba5392..96b10e8d 100644 --- a/stacks/monitoring/modules/monitoring/goflow2.tf +++ b/stacks/monitoring/modules/monitoring/goflow2.tf @@ -50,6 +50,10 @@ resource "kubernetes_deployment" "goflow2" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "goflow2" { diff --git a/stacks/monitoring/modules/monitoring/idrac.tf b/stacks/monitoring/modules/monitoring/idrac.tf index a61b2f9a..5112457a 100644 --- a/stacks/monitoring/modules/monitoring/idrac.tf +++ b/stacks/monitoring/modules/monitoring/idrac.tf @@ -91,6 +91,10 @@ resource "kubernetes_deployment" "idrac-redfish" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "idrac-redfish-exporter" { diff --git a/stacks/monitoring/modules/monitoring/loki.tf b/stacks/monitoring/modules/monitoring/loki.tf index 41c9699a..5f6ceaa3 100644 --- a/stacks/monitoring/modules/monitoring/loki.tf 
+++ b/stacks/monitoring/modules/monitoring/loki.tf @@ -100,6 +100,10 @@ resource "kubernetes_daemon_set_v1" "sysctl-inotify" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } */ diff --git a/stacks/monitoring/modules/monitoring/main.tf b/stacks/monitoring/modules/monitoring/main.tf index 59bc34d2..501124b1 100644 --- a/stacks/monitoring/modules/monitoring/main.tf +++ b/stacks/monitoring/modules/monitoring/main.tf @@ -92,6 +92,10 @@ resource "kubernetes_cron_job_v1" "monitor_prom" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # ----------------------------------------------------------------------------- @@ -215,6 +219,10 @@ resource "kubernetes_cron_job_v1" "dns_anomaly_monitor" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Expose Pushgateway via NodePort so the PVE host can push LVM snapshot metrics diff --git a/stacks/monitoring/modules/monitoring/pve_exporter.tf b/stacks/monitoring/modules/monitoring/pve_exporter.tf index 4c103297..2c24dd42 100644 --- a/stacks/monitoring/modules/monitoring/pve_exporter.tf +++ b/stacks/monitoring/modules/monitoring/pve_exporter.tf @@ -86,6 +86,10 @@ resource "kubernetes_deployment" "pve_exporter" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "proxmox-exporter" { diff --git a/stacks/monitoring/modules/monitoring/snmp_exporter.tf b/stacks/monitoring/modules/monitoring/snmp_exporter.tf index 07eaf39a..232b1c28 100644 
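Review bot: The lifecycle block added to `kubernetes_daemon_set_v1.sysctl-inotify` in loki.tf appears to sit inside a block comment, because the context line right after the resource's closing brace is `*/`. If so, the addition has no effect, and it leaves a `KYVERNO_LIFECYCLE_V1` marker that a later search will count as an active exemption. The opening `/*` is outside the hunk, so this needs confirming against the full file. If the resource is indeed commented out, drop this hunk, or keep it only with a note that it is staged for when the daemon set is re-enabled.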
--- a/stacks/monitoring/modules/monitoring/snmp_exporter.tf +++ b/stacks/monitoring/modules/monitoring/snmp_exporter.tf @@ -90,6 +90,10 @@ resource "kubernetes_deployment" "snmp-exporter" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "snmp-exporter" { diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf index 620b58d3..62e9a528 100644 --- a/stacks/n8n/main.tf +++ b/stacks/n8n/main.tf @@ -281,6 +281,10 @@ resource "kubernetes_deployment" "n8n" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "n8n" { diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf index ed1f59f8..9e170e0c 100644 --- a/stacks/navidrome/main.tf +++ b/stacks/navidrome/main.tf @@ -202,6 +202,10 @@ resource "kubernetes_deployment" "navidrome" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "navidrome" { diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf index 4aa2e570..b95f9e49 100644 --- a/stacks/netbox/main.tf +++ b/stacks/netbox/main.tf @@ -200,6 +200,10 @@ resource "kubernetes_deployment" "netbox" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "netbox" { metadata { diff --git a/stacks/networking-toolbox/main.tf b/stacks/networking-toolbox/main.tf index f5c56116..720db4b4 100644 --- a/stacks/networking-toolbox/main.tf +++ b/stacks/networking-toolbox/main.tf 
@@ -70,6 +70,10 @@ resource "kubernetes_deployment" "networking-toolbox" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "networking-toolbox" { diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf index eb3c3e26..14a5122d 100644 --- a/stacks/nextcloud/main.tf +++ b/stacks/nextcloud/main.tf @@ -467,6 +467,10 @@ resource "kubernetes_cron_job_v1" "nextcloud_watchdog" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_cron_job_v1" "nextcloud-backup" { @@ -537,4 +541,8 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf index 34ecb598..6dab8e35 100644 --- a/stacks/novelapp/main.tf +++ b/stacks/novelapp/main.tf @@ -87,6 +87,7 @@ resource "kubernetes_deployment" "novelapp" { # DRIFT_WORKAROUND: CI pipeline owns image tag (kubectl set image from Woodpecker/GHA). Reviewed 2026-04-18. ignore_changes = [ spec[0].template[0].spec[0].container[0].image, + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 ] } spec { diff --git a/stacks/ntfy/main.tf b/stacks/ntfy/main.tf index 29e8c834..e69c3bd3 100644 --- a/stacks/ntfy/main.tf +++ b/stacks/ntfy/main.tf @@ -155,6 +155,10 @@ resource "kubernetes_deployment" "ntfy" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "ntfy" { 
diff --git a/stacks/nvidia/modules/nvidia/main.tf b/stacks/nvidia/modules/nvidia/main.tf index be2893b0..f11bd2c3 100644 --- a/stacks/nvidia/modules/nvidia/main.tf +++ b/stacks/nvidia/modules/nvidia/main.tf @@ -13,7 +13,7 @@ resource "kubernetes_namespace" "nvidia" { labels = { "istio-injection" : "disabled" tier = var.tier - "resource-governance/custom-quota" = "true" + "resource-governance/custom-quota" = "true" "resource-governance/custom-limitrange" = "true" } } @@ -181,6 +181,10 @@ resource "kubernetes_deployment" "nvidia-exporter" { } } depends_on = [helm_release.nvidia-gpu-operator] + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "nvidia-exporter" { diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf index 840fdafd..1785e453 100644 --- a/stacks/onlyoffice/main.tf +++ b/stacks/onlyoffice/main.tf @@ -224,6 +224,10 @@ resource "kubernetes_deployment" "onlyoffice-document-server" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "onlyoffice" { diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf index 79c1eef9..18572fb1 100644 --- a/stacks/openclaw/main.tf +++ b/stacks/openclaw/main.tf @@ -606,6 +606,10 @@ resource "kubernetes_deployment" "openclaw" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "openclaw" { @@ -807,6 +811,10 @@ resource "kubernetes_deployment" "task_webhook" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "task_webhook" { 
@@ -944,6 +952,10 @@ resource "kubernetes_cron_job_v1" "cluster_healthcheck" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # --- CronJob: Task processor — polls Forgejo issues and triggers OpenClaw --- @@ -1036,6 +1048,10 @@ resource "kubernetes_cron_job_v1" "task_processor" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # --- OpenLobster: Multi-user Telegram AI assistant (trial) --- diff --git a/stacks/osm_routing/main.tf b/stacks/osm_routing/main.tf index 0cf9f291..9e031980 100644 --- a/stacks/osm_routing/main.tf +++ b/stacks/osm_routing/main.tf @@ -112,6 +112,10 @@ resource "kubernetes_deployment" "osrm-foot" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "osrm-foot" { @@ -193,6 +197,10 @@ resource "kubernetes_deployment" "osrm-bicycle" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "osrm-bicycle" { @@ -278,6 +286,10 @@ resource "kubernetes_deployment" "otp" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "otp" { diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index 5a92f2d6..5af77559 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf 
@@ -181,6 +181,10 @@ resource "kubernetes_deployment" "owntracks" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf index dbbb9fdf..a8ff4548 100644 --- a/stacks/paperless-ngx/main.tf +++ b/stacks/paperless-ngx/main.tf @@ -202,6 +202,10 @@ resource "kubernetes_deployment" "paperless-ngx" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "paperless-ngx" { diff --git a/stacks/phpipam/main.tf b/stacks/phpipam/main.tf index 47343d88..c277ba21 100644 --- a/stacks/phpipam/main.tf +++ b/stacks/phpipam/main.tf @@ -372,6 +372,10 @@ resource "kubernetes_cron_job_v1" "phpipam_dns_sync" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # CronJob: Import devices from pfSense (Kea DHCP leases + ARP table) into phpIPAM @@ -568,6 +572,10 @@ PYEOF } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # CronJob: Import devices from remote sites (London + Valchedrym) via SSH @@ -728,4 +736,8 @@ PYEOF } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf index bf2ca4ae..07d116f2 100644 --- a/stacks/plotting-book/main.tf +++ b/stacks/plotting-book/main.tf 
@@ -87,6 +87,7 @@ resource "kubernetes_deployment" "plotting-book" { # DRIFT_WORKAROUND: CI pipeline owns image tag (kubectl set image from Woodpecker/GHA). Reviewed 2026-04-18. ignore_changes = [ spec[0].template[0].spec[0].container[0].image, + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 ] } spec { @@ -312,6 +313,10 @@ resource "kubernetes_cron_job_v1" "plotting_book_backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # Sealed Secrets — encrypted secrets safe to commit to git diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf index 97dbfebc..64e7ae21 100644 --- a/stacks/poison-fountain/main.tf +++ b/stacks/poison-fountain/main.tf @@ -178,6 +178,10 @@ resource "kubernetes_deployment" "poison_fountain" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } # Internal service (for ForwardAuth from Traefik) @@ -297,4 +301,8 @@ resource "kubernetes_cron_job_v1" "poison_fetcher" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/privatebin/main.tf b/stacks/privatebin/main.tf index 56759f87..dc3a94b6 100644 --- a/stacks/privatebin/main.tf +++ b/stacks/privatebin/main.tf @@ -105,6 +105,10 @@ resource "kubernetes_deployment" "privatebin" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "privatebin" { 
diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index 6efa4ed6..87e74634 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf @@ -158,7 +158,8 @@ resource "kubernetes_deployment" "realestate-crawler-ui" { } lifecycle { ignore_changes = [ - spec[0].template[0].spec[0].container[0].image + spec[0].template[0].spec[0].container[0].image, + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 ] } } @@ -304,7 +305,8 @@ resource "kubernetes_deployment" "realestate-crawler-api" { } lifecycle { ignore_changes = [ - spec[0].template[0].spec[0].container[0].image + spec[0].template[0].spec[0].container[0].image, + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 ] } } @@ -467,6 +469,10 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "realestate-crawler-celery-metrics" { @@ -574,4 +580,8 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/redis/modules/redis/main.tf b/stacks/redis/modules/redis/main.tf index f6e28793..418aebd3 100644 --- a/stacks/redis/modules/redis/main.tf +++ b/stacks/redis/modules/redis/main.tf @@ -240,6 +240,10 @@ resource "kubernetes_deployment" "haproxy" { } depends_on = [helm_release.redis] + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } # Dedicated service for HAProxy master-only routing. 
@@ -372,4 +376,8 @@ resource "kubernetes_cron_job_v1" "redis-backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf index cc5aceca..ddf82227 100644 --- a/stacks/resume/main.tf +++ b/stacks/resume/main.tf @@ -140,6 +140,10 @@ resource "kubernetes_deployment" "printer" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "printer" { @@ -326,6 +330,10 @@ resource "kubernetes_deployment" "resume" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "resume" { diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf index 4de6de83..f386a338 100644 --- a/stacks/rybbit/main.tf +++ b/stacks/rybbit/main.tf @@ -222,6 +222,10 @@ resource "kubernetes_deployment" "clickhouse" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "clickhouse" { @@ -285,6 +289,10 @@ resource "kubernetes_cron_job_v1" "clickhouse_truncate_logs" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_deployment" "rybbit" { @@ -424,6 +432,10 @@ resource "kubernetes_deployment" "rybbit" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "rybbit" { 
@@ -522,6 +534,10 @@ resource "kubernetes_deployment" "rybbit-client" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "rybbit-client" { diff --git a/stacks/send/main.tf b/stacks/send/main.tf index 4c9b9a23..fc333246 100644 --- a/stacks/send/main.tf +++ b/stacks/send/main.tf @@ -140,6 +140,10 @@ resource "kubernetes_deployment" "send" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "send" { metadata { diff --git a/stacks/servarr/aiostreams/main.tf b/stacks/servarr/aiostreams/main.tf index b9188b3b..4ef69adc 100644 --- a/stacks/servarr/aiostreams/main.tf +++ b/stacks/servarr/aiostreams/main.tf @@ -109,6 +109,10 @@ resource "kubernetes_deployment" "aiostreams" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "aiostreams" { diff --git a/stacks/servarr/flaresolverr/main.tf b/stacks/servarr/flaresolverr/main.tf index 9b8f3f63..2538fafe 100644 --- a/stacks/servarr/flaresolverr/main.tf +++ b/stacks/servarr/flaresolverr/main.tf @@ -47,6 +47,10 @@ resource "kubernetes_deployment" "flaresolverr" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "flaresolverr" { diff --git a/stacks/servarr/lidarr/main.tf b/stacks/servarr/lidarr/main.tf index 9cc1f219..c2dfa465 100644 --- a/stacks/servarr/lidarr/main.tf +++ b/stacks/servarr/lidarr/main.tf 
@@ -115,6 +115,10 @@ resource "kubernetes_deployment" "lidarr" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "lidarr" { diff --git a/stacks/servarr/listenarr/main.tf b/stacks/servarr/listenarr/main.tf index 28a5afb3..e30d42d0 100644 --- a/stacks/servarr/listenarr/main.tf +++ b/stacks/servarr/listenarr/main.tf @@ -98,6 +98,10 @@ resource "kubernetes_deployment" "listenarr" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "listenarr" { diff --git a/stacks/servarr/prowlarr/main.tf b/stacks/servarr/prowlarr/main.tf index e0eabba4..fd8a94bd 100644 --- a/stacks/servarr/prowlarr/main.tf +++ b/stacks/servarr/prowlarr/main.tf @@ -126,6 +126,10 @@ resource "kubernetes_deployment" "prowlarr" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "prowlarr" { diff --git a/stacks/servarr/qbittorrent/main.tf b/stacks/servarr/qbittorrent/main.tf index b32f28ca..980f1543 100644 --- a/stacks/servarr/qbittorrent/main.tf +++ b/stacks/servarr/qbittorrent/main.tf @@ -135,6 +135,10 @@ resource "kubernetes_deployment" "qbittorrent" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "qbittorrent" { 
@@ -247,6 +251,10 @@ resource "kubernetes_cron_job_v1" "qbittorrent_ratio_monitor" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_config_map" "ratio_monitor_script" { diff --git a/stacks/servarr/readarr/main.tf b/stacks/servarr/readarr/main.tf index a0688373..8af766b0 100644 --- a/stacks/servarr/readarr/main.tf +++ b/stacks/servarr/readarr/main.tf @@ -115,6 +115,10 @@ resource "kubernetes_deployment" "readarr" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "readarr" { diff --git a/stacks/servarr/soulseek/main.tf b/stacks/servarr/soulseek/main.tf index 80944191..e402a218 100644 --- a/stacks/servarr/soulseek/main.tf +++ b/stacks/servarr/soulseek/main.tf @@ -79,6 +79,10 @@ resource "kubernetes_deployment" "soulseek" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "soulseek" { diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf index 123aedcf..e98db03e 100644 --- a/stacks/shadowsocks/main.tf +++ b/stacks/shadowsocks/main.tf @@ -114,6 +114,10 @@ resource "kubernetes_deployment" "shadowsocks" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "mailserver" { # rename me diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf index e2d329dd..c94f1fab 100644 --- a/stacks/speedtest/main.tf +++ b/stacks/speedtest/main.tf 
@@ -200,6 +200,10 @@ resource "kubernetes_deployment" "speedtest" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "speedtest" { diff --git a/stacks/stirling-pdf/main.tf b/stacks/stirling-pdf/main.tf index 1175b8f3..fd8ff151 100644 --- a/stacks/stirling-pdf/main.tf +++ b/stacks/stirling-pdf/main.tf @@ -103,6 +103,10 @@ resource "kubernetes_deployment" "stirling-pdf" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "stirling-pdf" { diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf index c62fdfbd..cd9a6126 100644 --- a/stacks/tandoor/main.tf +++ b/stacks/tandoor/main.tf @@ -224,6 +224,10 @@ resource "kubernetes_deployment" "tandoor" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "tandoor" { diff --git a/stacks/technitium/modules/technitium/ha.tf b/stacks/technitium/modules/technitium/ha.tf index fb841a49..9c96db29 100644 --- a/stacks/technitium/modules/technitium/ha.tf +++ b/stacks/technitium/modules/technitium/ha.tf @@ -165,6 +165,10 @@ resource "kubernetes_deployment" "technitium_secondary" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } # Secondary web service — internal only, used by setup Job 
@@ -316,6 +320,10 @@ resource "kubernetes_deployment" "technitium_tertiary" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "technitium_tertiary_web" { @@ -447,4 +455,8 @@ resource "kubernetes_cron_job_v1" "technitium_zone_sync" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/tor-proxy/main.tf b/stacks/tor-proxy/main.tf index b987fc7c..21db5b94 100644 --- a/stacks/tor-proxy/main.tf +++ b/stacks/tor-proxy/main.tf @@ -105,6 +105,10 @@ resource "kubernetes_deployment" "tor-proxy" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "tor-proxy" { @@ -228,6 +232,10 @@ resource "kubernetes_deployment" "torrserver" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "torrserver" { diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf index fea7bb02..b695e9ed 100644 --- a/stacks/trading-bot/main.tf +++ b/stacks/trading-bot/main.tf @@ -318,6 +318,7 @@ resource "kubernetes_deployment" "trading-bot-frontend" { ignore_changes = [ spec[0].template[0].spec[0].container[0].image, spec[0].template[0].spec[0].container[1].image, + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 ] } depends_on = [kubernetes_job.migrations] 
@@ -584,6 +585,7 @@ resource "kubernetes_deployment" "trading-bot-workers" { spec[0].template[0].spec[0].container[3].image, spec[0].template[0].spec[0].container[4].image, spec[0].template[0].spec[0].container[5].image, + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 ] } depends_on = [kubernetes_job.migrations] diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf index 15a400de..788b1678 100644 --- a/stacks/traefik/modules/traefik/main.tf +++ b/stacks/traefik/modules/traefik/main.tf @@ -422,6 +422,10 @@ resource "kubernetes_deployment" "bot_block_proxy" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "bot_block_proxy" { @@ -646,6 +650,10 @@ resource "kubernetes_deployment" "auth_proxy" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "auth_proxy" { diff --git a/stacks/travel_blog/main.tf b/stacks/travel_blog/main.tf index 92528795..26c9ae67 100644 --- a/stacks/travel_blog/main.tf +++ b/stacks/travel_blog/main.tf @@ -75,6 +75,10 @@ resource "kubernetes_deployment" "blog" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "travel-blog" { diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf index f27a2d7a..4d87f8aa 100644 --- a/stacks/tuya-bridge/main.tf +++ b/stacks/tuya-bridge/main.tf 
@@ -131,6 +131,10 @@ resource "kubernetes_deployment" "tuya-bridge" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "tuya-bridge" { diff --git a/stacks/uptime-kuma/modules/uptime-kuma/main.tf b/stacks/uptime-kuma/modules/uptime-kuma/main.tf index 45bc88a1..90261184 100644 --- a/stacks/uptime-kuma/modules/uptime-kuma/main.tf +++ b/stacks/uptime-kuma/modules/uptime-kuma/main.tf @@ -156,6 +156,10 @@ resource "kubernetes_deployment" "uptime-kuma" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "uptime-kuma" { metadata { diff --git a/stacks/url/main.tf b/stacks/url/main.tf index 55fdb2fb..979b0aaa 100644 --- a/stacks/url/main.tf +++ b/stacks/url/main.tf @@ -259,6 +259,10 @@ resource "kubernetes_deployment" "shlink" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "shlink" { @@ -400,6 +404,10 @@ resource "kubernetes_deployment" "shlink-web" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "shlink-web" { diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf index 41e28624..7dff43ef 100644 --- a/stacks/vault/main.tf +++ b/stacks/vault/main.tf 
@@ -336,6 +336,10 @@ resource "kubernetes_cron_job_v1" "vault_backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # ============================================================================= @@ -391,8 +395,8 @@ resource "vault_kubernetes_auth_backend_role" "ci" { bound_service_account_names = ["default"] bound_service_account_namespaces = ["woodpecker"] token_policies = [vault_policy.ci.name] - token_ttl = 604800 # 7d - token_period = 604800 # periodic: auto-renews indefinitely + token_ttl = 604800 # 7d + token_period = 604800 # periodic: auto-renews indefinitely } # --- ESO Policy & Role --- @@ -420,8 +424,8 @@ resource "vault_kubernetes_auth_backend_role" "eso" { bound_service_account_names = ["external-secrets"] bound_service_account_namespaces = ["external-secrets"] token_policies = [vault_policy.eso_reader.name] - token_ttl = 864000 # 10d (staggered from ci/openclaw) - token_period = 864000 # periodic: auto-renews indefinitely + token_ttl = 864000 # 10d (staggered from ci/openclaw) + token_period = 864000 # periodic: auto-renews indefinitely } # --- Woodpecker Secret Sync Policy & Role --- @@ -441,8 +445,8 @@ resource "vault_kubernetes_auth_backend_role" "woodpecker_sync" { bound_service_account_names = ["default"] bound_service_account_namespaces = ["woodpecker"] token_policies = [vault_policy.woodpecker_sync.name] - token_ttl = 691200 # 8d (staggered from others) - token_period = 691200 # periodic: auto-renews indefinitely + token_ttl = 691200 # 8d (staggered from others) + token_period = 691200 # periodic: auto-renews indefinitely } # --- OpenClaw Policy & Role --- 
@@ -465,8 +469,8 @@ resource "vault_kubernetes_auth_backend_role" "openclaw" { bound_service_account_names = ["openclaw"] bound_service_account_namespaces = ["openclaw"] token_policies = [vault_policy.openclaw_k8s.name] - token_ttl = 777600 # 9d (staggered from others) - token_period = 777600 # periodic: auto-renews indefinitely + token_ttl = 777600 # 9d (staggered from others) + token_period = 777600 # periodic: auto-renews indefinitely } # --- Terraform State Policy & Role (Claude Agent) --- @@ -486,8 +490,8 @@ resource "vault_kubernetes_auth_backend_role" "terraform_state" { bound_service_account_names = ["default"] bound_service_account_namespaces = ["claude-agent"] token_policies = [vault_policy.terraform_state.name] - token_ttl = 518400 # 6d (staggered from others: ci=7d, eso=10d, woodpecker=8d, openclaw=9d) - token_period = 518400 # periodic: auto-renews indefinitely + token_ttl = 518400 # 6d (staggered from others: ci=7d, eso=10d, woodpecker=8d, openclaw=9d) + token_period = 518400 # periodic: auto-renews indefinitely } # ============================================================================= @@ -503,8 +507,8 @@ resource "vault_mount" "database" { # MySQL connection — app user rotation only resource "vault_database_secret_backend_connection" "mysql" { - backend = vault_mount.database.path - name = "mysql" + backend = vault_mount.database.path + name = "mysql" allowed_roles = [ "mysql-speedtest", "mysql-wrongmove", "mysql-codimd", "mysql-nextcloud", "mysql-shlink", "mysql-grafana", @@ -521,8 +525,8 @@ resource "vault_database_secret_backend_connection" "mysql" { # PostgreSQL connection — CNPG superuser resource "vault_database_secret_backend_connection" "postgresql" { - backend = vault_mount.database.path - name = "postgresql" + backend = vault_mount.database.path + name = "postgresql" allowed_roles = [ # "pg-trading", # Commented out 2026-04-06 - trading-bot disabled "pg-health", "pg-linkwarden", 
@@ -822,9 +826,9 @@ resource "kubernetes_namespace" "user_namespace" { metadata { name = each.value labels = { - tier = "4-aux" + tier = "4-aux" "resource-governance/custom-quota" = "true" - "managed-by" = "vault-user-onboarding" + "managed-by" = "vault-user-onboarding" } } lifecycle { @@ -839,7 +843,7 @@ resource "vault_policy" "namespace_owner" { if user.role == "namespace-owner" }) - name = "namespace-owner-${each.key}" + name = "namespace-owner-${each.key}" policy = <<-EOT # Read/write own secrets path "secret/data/${each.key}" { diff --git a/stacks/vaultwarden/modules/vaultwarden/main.tf b/stacks/vaultwarden/modules/vaultwarden/main.tf index 95ee5ced..b3d24983 100644 --- a/stacks/vaultwarden/modules/vaultwarden/main.tf +++ b/stacks/vaultwarden/modules/vaultwarden/main.tf @@ -168,6 +168,10 @@ resource "kubernetes_deployment" "vaultwarden" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "vaultwarden" { @@ -334,6 +338,10 @@ resource "kubernetes_cron_job_v1" "vaultwarden-backup" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } # ----------------------------------------------------------------------------- @@ -418,4 +426,8 @@ METRICS } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf index c3c50ba4..d223d024 100644 --- a/stacks/wealthfolio/main.tf +++ b/stacks/wealthfolio/main.tf 
@@ -315,4 +315,8 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } diff --git a/stacks/whisper/main.tf b/stacks/whisper/main.tf index c7019039..2858d680 100644 --- a/stacks/whisper/main.tf +++ b/stacks/whisper/main.tf @@ -116,6 +116,10 @@ resource "kubernetes_deployment" "whisper" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "whisper" { @@ -234,6 +238,10 @@ resource "kubernetes_deployment" "piper" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "piper" { diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf index cdd9de04..58b105af 100644 --- a/stacks/woodpecker/main.tf +++ b/stacks/woodpecker/main.tf @@ -317,6 +317,10 @@ resource "kubernetes_cron_job_v1" "vault_secret_sync" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].job_template[0].spec[0].template[0].spec[0].dns_config] + } } module "ingress" { diff --git a/stacks/xray/modules/xray/main.tf b/stacks/xray/modules/xray/main.tf index c91b7c5f..358f3c58 100644 --- a/stacks/xray/modules/xray/main.tf +++ b/stacks/xray/modules/xray/main.tf @@ -153,6 +153,10 @@ resource "kubernetes_deployment" "xray" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "xray" { diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf index 4efbfef7..a73f434a 100644 
--- a/stacks/ytdlp/main.tf +++ b/stacks/ytdlp/main.tf @@ -147,6 +147,10 @@ resource "kubernetes_deployment" "ytdlp" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "ytdlp" { @@ -317,6 +321,10 @@ resource "kubernetes_deployment" "yt_highlights" { } } } + lifecycle { + # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 + ignore_changes = [spec[0].template[0].spec[0].dns_config] + } } resource "kubernetes_service" "yt_highlights" {