diff --git a/stacks/cloudflared/modules/cloudflared/main.tf b/stacks/cloudflared/modules/cloudflared/main.tf
index 5095f31b..a913c683 100644
--- a/stacks/cloudflared/modules/cloudflared/main.tf
+++ b/stacks/cloudflared/modules/cloudflared/main.tf
@@ -6,7 +6,8 @@ resource "kubernetes_namespace" "cloudflared" {
 metadata {
 name = "cloudflared"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf
index 2099dc9c..3022e518 100644
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@@ -29,6 +29,7 @@ resource "kubernetes_namespace" "crowdsec" {
 labels = {
 tier = var.tier
 "resource-governance/custom-quota" = "true"
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/descheduler/main.tf b/stacks/descheduler/main.tf
index 3613e378..9cea3f22 100644
--- a/stacks/descheduler/main.tf
+++ b/stacks/descheduler/main.tf
@@ -4,7 +4,7 @@ resource "kubernetes_namespace" "descheduler" {
 metadata {
 name = "descheduler"
 labels = {
- tier = local.tiers.cluster
+ tier = local.tiers.cluster
 "keel.sh/enrolled" = "true"
 }
 }
diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf
index 673f1f74..1cec39ba 100644
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@@ -25,7 +25,8 @@ resource "kubernetes_namespace" "headscale" {
 metadata {
 name = "headscale"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/kyverno/modules/kyverno/keel-annotations.tf b/stacks/kyverno/modules/kyverno/keel-annotations.tf
index 891a354c..c729de9b 100644
--- a/stacks/kyverno/modules/kyverno/keel-annotations.tf
+++ b/stacks/kyverno/modules/kyverno/keel-annotations.tf
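Review bot: The `"keel.sh/enrolled" = "true"` label added to the cloudflared, crowdsec and headscale namespaces here (and in the mailserver, metrics-server, monitoring, redis, reverse-proxy, technitium, traefik, wireguard and xray hunks) has no visible consumer in this diff, while the Kyverno policy in `stacks/kyverno/modules/kyverno/keel-annotations.tf` decides enrollment by an explicit namespace-name exclude list, so enrollment now has two sources of truth that can drift apart without anything failing. Each label line would benefit from a pointer such as `# keel auto-update opt-in; keep in sync with the exclude list in stacks/kyverno/modules/kyverno/keel-annotations.tf`, or the policy should select on this label so the name list can be retired. In the reverse-proxy hunk the new `labels` block is placed before `name`, unlike every other namespace in this change; reordering it keeps the files uniform. The descheduler, reloader and vault hunks appear to change only whitespace on the `tier` line, since those namespaces already carry the label as context.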
@@ -72,19 +72,27 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
 # - proxmox-csi, nfs-csi, nvidia, tigera-operator: hardware/CNI
 # coordination
 # - cloudflared, headscale, wireguard, xray: VPN/tunnel critical
- # - mailserver, crowdsec, redis, reverse-proxy: stateful critical
- # - infra-maintenance, metrics-server: cluster utilities
+ # - infra-maintenance: cluster utilities
+ #
+ # 2026-05-17 ENROLLMENT EXPANSION: removed 15 namespaces from
+ # the exclude list per explicit user decision — auto-updates
+ # are now allowed in monitoring, mailserver, vault,
+ # descheduler, metrics-server, traefik, technitium, crowdsec,
+ # redis, reverse-proxy, reloader, headscale, wireguard, xray,
+ # cloudflared. The `force + match-tag` pairing limits each to
+ # digest-only watches under the deployment's CURRENT tag
+ # string — no tag-switching, just rolls on upstream digest
+ # changes for the pinned tag. A few are on floating tags
+ # (sclevine/wg:latest, teddysun/xray, prompve/...:latest,
+ # nginx:1-alpine, redis:8-alpine, error-pages:3); those will
+ # roll whenever upstream pushes. Acceptable risk — the user
+ # has alerts in place to catch regressions.
 namespaces = [
 "keel",
 "calico-system",
 "authentik",
- "vault",
 "cnpg-system",
 "dbaas",
- "monitoring",
- "traefik",
- "technitium",
- "mailserver",
 "kyverno",
 "metallb-system",
 "external-secrets",
@@ -92,19 +100,9 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
 "nfs-csi",
 "nvidia",
 "kube-system",
- "cloudflared",
- "crowdsec",
- "reverse-proxy",
- "reloader",
- "descheduler",
 "vpa",
- "redis",
 "sealed-secrets",
- "headscale",
- "wireguard",
- "xray",
 "infra-maintenance",
- "metrics-server",
 "tigera-operator",
 ]
 }
diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf
index a2e1c170..cd502cf2 100644
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
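Review bot: The rationale bullet kept at the top of this hunk still reads `# - cloudflared, headscale, wireguard, xray: VPN/tunnel critical` as grounds for exclusion, while the paragraph added directly below removes those same namespaces from the exclude list, so the comment now contradicts itself; reword it to `# - (excluded until 2026-05-17) cloudflared, headscale, wireguard, xray: VPN/tunnel critical` or drop it together with the two bullets already removed. The new paragraph accepts floating tags (`sclevine/wg:latest`, `teddysun/xray`, `prompve/...:latest`) because alerts will catch regressions, but alerts surface functional breakage rather than a quietly replaced upstream image, and these workloads are the cluster's tunnel and VPN boundary; unless another policy in this module already verifies image signatures or digests (not visible here), the comment should say so, or note that those deployments should be pinned to an immutable tag or covered by a Kyverno `verifyImages` rule before enrollment. Vault sits in the same position and a short line on why an auto-rolled secrets backend is acceptable would make the decision reviewable later. The enclosing `policy_inject_keel_annotations` resource starts before and ends after these hunks.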
@@ -29,7 +29,8 @@ resource "kubernetes_namespace" "mailserver" {
 metadata {
 name = "mailserver"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 # connecting via localhost does not seem to work?
 # labels = {
diff --git a/stacks/metrics-server/modules/metrics-server/main.tf b/stacks/metrics-server/modules/metrics-server/main.tf
index 6c90f551..2d66ee67 100644
--- a/stacks/metrics-server/modules/metrics-server/main.tf
+++ b/stacks/metrics-server/modules/metrics-server/main.tf
@@ -5,7 +5,8 @@ resource "kubernetes_namespace" "metrics-server" {
 metadata {
 name = "metrics-server"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/monitoring/modules/monitoring/main.tf b/stacks/monitoring/modules/monitoring/main.tf
index 481112c1..ee493906 100644
--- a/stacks/monitoring/modules/monitoring/main.tf
+++ b/stacks/monitoring/modules/monitoring/main.tf
@@ -54,6 +54,7 @@ resource "kubernetes_namespace" "monitoring" {
 "istio-injection" : "disabled"
 tier = var.tier
 "resource-governance/custom-quota" = "true"
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/redis/modules/redis/main.tf b/stacks/redis/modules/redis/main.tf
index 04aa52d6..7ff129bc 100644
--- a/stacks/redis/modules/redis/main.tf
+++ b/stacks/redis/modules/redis/main.tf
@@ -6,7 +6,8 @@ resource "kubernetes_namespace" "redis" {
 metadata {
 name = "redis"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/reloader/main.tf b/stacks/reloader/main.tf
index 513d20d8..7e8f96c9 100644
--- a/stacks/reloader/main.tf
+++ b/stacks/reloader/main.tf
@@ -2,7 +2,7 @@ resource "kubernetes_namespace" "crowdsec" {
 metadata {
 name = "reloader"
 labels = {
- tier = local.tiers.aux
+ tier = local.tiers.aux
 "keel.sh/enrolled" = "true"
 }
 }
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index 51d8022a..ebb145e9 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -11,6 +11,9 @@ variable "haos_homepage_token" {
 resource "kubernetes_namespace" "reverse-proxy" {
 metadata {
+ labels = {
+ "keel.sh/enrolled" = "true"
+ }
 name = "reverse-proxy"
 }
 lifecycle {
diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf
index 416b6520..e113bf29 100644
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@@ -13,7 +13,8 @@ resource "kubernetes_namespace" "technitium" {
 metadata {
 name = "technitium"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 # stale cache error when trying to resolve
 # labels = {
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index 5c8c97fd..8aed7b91 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -29,6 +29,7 @@ resource "kubernetes_namespace" "traefik" {
 "app.kubernetes.io/name" = "traefik"
 "app.kubernetes.io/instance" = "traefik"
 tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf
index 4bc504dc..f222db37 100644
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@@ -10,7 +10,7 @@ resource "kubernetes_namespace" "vault" {
 metadata {
 name = "vault"
 labels = {
- tier = local.tiers.core
+ tier = local.tiers.core
 "keel.sh/enrolled" = "true"
 }
 }
diff --git a/stacks/wireguard/modules/wireguard/main.tf b/stacks/wireguard/modules/wireguard/main.tf
index c81b05d4..cd9819ba 100644
--- a/stacks/wireguard/modules/wireguard/main.tf
+++ b/stacks/wireguard/modules/wireguard/main.tf
@@ -14,7 +14,8 @@ resource "kubernetes_namespace" "wireguard" {
 metadata {
 name = "wireguard"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/xray/modules/xray/main.tf b/stacks/xray/modules/xray/main.tf
index 420e886d..903eaabd 100644
--- a/stacks/xray/modules/xray/main.tf
+++ b/stacks/xray/modules/xray/main.tf
@@ -23,7 +23,8 @@ resource "kubernetes_namespace" "xray" {
 metadata {
 name = "xray"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "keel.sh/enrolled" = "true"
 }
 }
 lifecycle {