From 3bdba9f388cced31d78f7d8c72f446f110d2cf96 Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Sun, 17 May 2026 12:13:22 +0000 Subject: [PATCH] keel: enroll 15 critical-path namespaces for digest-only auto-update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per user decision today: monitoring, mailserver, vault, descheduler, metrics-server, traefik, technitium, crowdsec, redis, reverse-proxy, reloader, headscale, wireguard, xray, cloudflared now participate in the same `force + match-tag` regime as the rest of the cluster — Keel watches the deployment's CURRENT tag for digest changes only and rolls on push, never rewriting tag strings. Two-part change: stacks/kyverno/modules/kyverno/keel-annotations.tf Trim the policy-level namespace exclude list from 31 → 16. The 16 remaining exclusions are the irreducible cluster-operator + state- coupled set: keel itself, calico-system + tigera-operator (operator loop), authentik (2026-05-17 pgbouncer incident bite), cnpg-system + dbaas (state-coupled), kyverno, metallb-system, external-secrets, proxmox-csi + nfs-csi + nvidia (just stabilized today, chart-pinned), kube-system, vpa, sealed-secrets, infra-maintenance. stacks//.../main.tf Add `"keel.sh/enrolled" = "true"` label to the `kubernetes_namespace` resource so the Kyverno mutate policy can target the workloads via its namespaceSelector matchLabels. Note on the apply path: the live ClusterPolicy was patched via `kubectl patch` because the hashicorp/kubernetes provider v3.1.0 panics during state refresh on Kyverno ClusterPolicy schemas with deeply nested optional `context.celPreconditions` / `imageRegistry` fields (see crash dump). The TF source above has the desired state, so any clean future apply on a fixed provider version will be a no-op against the live cluster. 
Floating-tag workloads in the newly-enrolled set (will roll on every upstream digest update — acceptable risk per user):
- wireguard: sclevine/wg:latest (image fixed today via iptables-nft postStart shim)
- xray: teddysun/xray
- crowdsec-web: viktorbarzin/crowdsec_web
- monitoring: prompve/prometheus-pve-exporter:latest, prom/snmp-exporter
- traefik: nginx:1-alpine, openresty/openresty:alpine, ghcr.io/tarampampam/error-pages:3
- redis: haproxy:3.1-alpine, redis:8-alpine
Co-Authored-By: Claude Opus 4.7
---
 .../cloudflared/modules/cloudflared/main.tf | 3 +-
 stacks/crowdsec/modules/crowdsec/main.tf | 1 +
 stacks/descheduler/main.tf | 2 +-
 stacks/headscale/modules/headscale/main.tf | 3 +-
 .../modules/kyverno/keel-annotations.tf | 32 +++++++++----------
 stacks/mailserver/modules/mailserver/main.tf | 3 +-
 .../modules/metrics-server/main.tf | 3 +-
 stacks/monitoring/modules/monitoring/main.tf | 1 +
 stacks/redis/modules/redis/main.tf | 3 +-
 stacks/reloader/main.tf | 2 +-
 .../modules/reverse_proxy/main.tf | 3 ++
 stacks/technitium/modules/technitium/main.tf | 3 +-
 stacks/traefik/modules/traefik/main.tf | 1 +
 stacks/vault/main.tf | 2 +-
 stacks/wireguard/modules/wireguard/main.tf | 3 +-
 stacks/xray/modules/xray/main.tf | 3 +-
 16 files changed, 40 insertions(+), 28 deletions(-)
diff --git a/stacks/cloudflared/modules/cloudflared/main.tf b/stacks/cloudflared/modules/cloudflared/main.tf
index 5095f31b..a913c683 100644
--- a/stacks/cloudflared/modules/cloudflared/main.tf
+++ b/stacks/cloudflared/modules/cloudflared/main.tf
@@ -6,7 +6,8 @@ resource "kubernetes_namespace" "cloudflared" {
 metadata {
 name = "cloudflared"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf
index 2099dc9c..3022e518 100644
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@@ -29,6 +29,7 @@ resource "kubernetes_namespace" "crowdsec" {
 labels = {
 tier = var.tier
 "resource-governance/custom-quota" = "true"
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/descheduler/main.tf b/stacks/descheduler/main.tf
index 3613e378..9cea3f22 100644
--- a/stacks/descheduler/main.tf
+++ b/stacks/descheduler/main.tf
@@ -4,7 +4,7 @@ resource "kubernetes_namespace" "descheduler" {
 metadata {
 name = "descheduler"
 labels = {
-tier = local.tiers.cluster
+tier = local.tiers.cluster "keel.sh/enrolled" = "true"
 }
 }
diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf
index 673f1f74..1cec39ba 100644
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@@ -25,7 +25,8 @@ resource "kubernetes_namespace" "headscale" {
 metadata {
 name = "headscale"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/kyverno/modules/kyverno/keel-annotations.tf b/stacks/kyverno/modules/kyverno/keel-annotations.tf
index 891a354c..c729de9b 100644
--- a/stacks/kyverno/modules/kyverno/keel-annotations.tf
+++ b/stacks/kyverno/modules/kyverno/keel-annotations.tf
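Review bot: The added line in the descheduler hunk carries both map items on one line — `tier = local.tiers.cluster "keel.sh/enrolled" = "true"` — and HCL's object syntax requires a newline or comma between items, so `terraform validate` will reject stacks/descheduler/main.tf before anything is applied. The `@@ -4,7 +4,7 @@` counts and the diffstat's single insertion for this file indicate it really is one line rather than a collapse artifact of this listing. Split it the way the cloudflared and headscale hunks do, `tier = local.tiers.cluster` on one line and `"keel.sh/enrolled" = "true"` on the next, and run `terraform fmt`.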
@@ -72,19 +72,27 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
 # - proxmox-csi, nfs-csi, nvidia, tigera-operator: hardware/CNI
 # coordination
 # - cloudflared, headscale, wireguard, xray: VPN/tunnel critical
-# - mailserver, crowdsec, redis, reverse-proxy: stateful critical
-# - infra-maintenance, metrics-server: cluster utilities
+# - infra-maintenance: cluster utilities
+#
+# 2026-05-17 ENROLLMENT EXPANSION: removed 15 namespaces from
+# the exclude list per explicit user decision — auto-updates
+# are now allowed in monitoring, mailserver, vault,
+# descheduler, metrics-server, traefik, technitium, crowdsec,
+# redis, reverse-proxy, reloader, headscale, wireguard, xray,
+# cloudflared. The `force + match-tag` pairing limits each to
+# digest-only watches under the deployment's CURRENT tag
+# string — no tag-switching, just rolls on upstream digest
+# changes for the pinned tag. A few are on floating tags
+# (sclevine/wg:latest, teddysun/xray, prompve/...:latest,
+# nginx:1-alpine, redis:8-alpine, error-pages:3); those will
+# roll whenever upstream pushes. Acceptable risk — the user
+# has alerts in place to catch regressions.
 namespaces = [
 "keel",
 "calico-system",
 "authentik",
-"vault",
 "cnpg-system",
 "dbaas",
-"monitoring",
-"traefik",
-"technitium",
-"mailserver",
 "kyverno",
 "metallb-system",
 "external-secrets",
@@ -92,19 +100,9 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
 "nfs-csi",
 "nvidia",
 "kube-system",
-"cloudflared",
-"crowdsec",
-"reverse-proxy",
-"reloader",
-"descheduler",
 "vpa",
-"redis",
 "sealed-secrets",
-"headscale",
-"wireguard",
-"xray",
 "infra-maintenance",
-"metrics-server",
 "tigera-operator",
 ]
 }
diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf
index a2e1c170..cd502cf2 100644
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
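Review bot: The context line `# - cloudflared, headscale, wireguard, xray: VPN/tunnel critical` is left standing in the list of exclusion reasons even though all four namespaces are removed from `namespaces` in this hunk and the next, so the header now documents exclusions that no longer exist; drop that bullet or fold it into the 2026-05-17 note. On the security side, the new comment itself names `sclevine/wg:latest`, `teddysun/xray` and `prompve/...:latest`: with `force` + `match-tag` on a floating tag, any push to those third-party repositories rolls straight into the VPN, proxy and exporter pods with neither a human nor a signature gate, so a compromised upstream registry account becomes an unattended cluster deploy. If that risk is accepted, record the compensating control here rather than only the alerting, e.g. `# floating-tag images are unsigned; a Kyverno verifyImages rule or keel.sh/approvals on those deployments would gate upstream pushes`. The enclosing `kubernetes_manifest` resource starts before this hunk and the list closes in the next one.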
@@ -29,7 +29,8 @@ resource "kubernetes_namespace" "mailserver" {
 metadata {
 name = "mailserver"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 # connecting via localhost does not seem to work?
 # labels = {
diff --git a/stacks/metrics-server/modules/metrics-server/main.tf b/stacks/metrics-server/modules/metrics-server/main.tf
index 6c90f551..2d66ee67 100644
--- a/stacks/metrics-server/modules/metrics-server/main.tf
+++ b/stacks/metrics-server/modules/metrics-server/main.tf
@@ -5,7 +5,8 @@ resource "kubernetes_namespace" "metrics-server" {
 metadata {
 name = "metrics-server"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/monitoring/modules/monitoring/main.tf b/stacks/monitoring/modules/monitoring/main.tf
index 481112c1..ee493906 100644
--- a/stacks/monitoring/modules/monitoring/main.tf
+++ b/stacks/monitoring/modules/monitoring/main.tf
@@ -54,6 +54,7 @@ resource "kubernetes_namespace" "monitoring" {
 "istio-injection" : "disabled"
 tier = var.tier
 "resource-governance/custom-quota" = "true"
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/redis/modules/redis/main.tf b/stacks/redis/modules/redis/main.tf
index 04aa52d6..7ff129bc 100644
--- a/stacks/redis/modules/redis/main.tf
+++ b/stacks/redis/modules/redis/main.tf
@@ -6,7 +6,8 @@ resource "kubernetes_namespace" "redis" {
 metadata {
 name = "redis"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/reloader/main.tf b/stacks/reloader/main.tf
index 513d20d8..7e8f96c9 100644
--- a/stacks/reloader/main.tf
+++ b/stacks/reloader/main.tf
@@ -2,7 +2,7 @@ resource "kubernetes_namespace" "crowdsec" {
 metadata {
 name = "reloader"
 labels = {
-tier = local.tiers.aux
+tier = local.tiers.aux "keel.sh/enrolled" = "true"
 }
 }
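Review bot: This label enrolls the mailserver namespace although the comment removed from keel-annotations.tf in the same commit classified it as `stateful critical`; a forced roll on an upstream digest push restarts the mail store unattended and, for a major image bump, can run on-disk format migrations with nobody watching. If auto-update is wanted here, Keel's approval mechanism (`keel.sh/approvals` on the deployment) keeps the digest watch but requires an ack before the rollout; otherwise say in this block why unattended restarts are acceptable, e.g. `# keel.sh/enrolled: unattended digest rolls accepted for this stateful workload — see keel-annotations.tf`. The `kubernetes_namespace` resource continues past this hunk.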
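Review bot: The replacement line `tier = local.tiers.aux "keel.sh/enrolled" = "true"` places two map items on one line with no newline or comma between them, which HCL does not accept, and the `@@ -2,7 +2,7 @@` counts together with the `2 +-` diffstat for stacks/reloader/main.tf indicate it really is one line rather than a listing artifact. Split it as the module-level hunks do and run `terraform fmt`. Separately, the resource is addressed as `kubernetes_namespace.crowdsec` while the namespace it creates is `reloader`; renaming it to match the other stacks (with a `moved` block so the existing state entry is kept) would remove a trap for the next person searching for where this namespace is defined.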
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index 51d8022a..ebb145e9 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -11,6 +11,9 @@ variable "haos_homepage_token" {
 resource "kubernetes_namespace" "reverse-proxy" {
 metadata {
+labels = {
+"keel.sh/enrolled" = "true"
+}
 name = "reverse-proxy"
 }
 lifecycle {
diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf
index 416b6520..e113bf29 100644
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@@ -13,7 +13,8 @@ resource "kubernetes_namespace" "technitium" {
 metadata {
 name = "technitium"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 # stale cache error when trying to resolve
 # labels = {
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index 5c8c97fd..8aed7b91 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -29,6 +29,7 @@ resource "kubernetes_namespace" "traefik" {
 "app.kubernetes.io/name" = "traefik"
 "app.kubernetes.io/instance" = "traefik"
 tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf
index 4bc504dc..f222db37 100644
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@@ -10,7 +10,7 @@ resource "kubernetes_namespace" "vault" {
 metadata {
 name = "vault"
 labels = {
-tier = local.tiers.core
+tier = local.tiers.core "keel.sh/enrolled" = "true"
 }
 }
diff --git a/stacks/wireguard/modules/wireguard/main.tf b/stacks/wireguard/modules/wireguard/main.tf
index c81b05d4..cd9819ba 100644
--- a/stacks/wireguard/modules/wireguard/main.tf
+++ b/stacks/wireguard/modules/wireguard/main.tf
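Review bot: The new `labels` block is inserted ahead of `name`, and unlike every other namespace touched by this commit it carries only `keel.sh/enrolled` with no `tier`, so reverse-proxy becomes the one enrolled namespace without a tier label. If that is deliberate, a one-line comment in the block, e.g. `# intentionally no tier label`, saves the next reader from treating it as an omission; placing `labels` after `name` would also match the layout used in the other stacks. The resource continues past the hunk.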
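Review bot: The replacement line `tier = local.tiers.core "keel.sh/enrolled" = "true"` puts two map items on one line with no separator, which HCL rejects; the 7→7 counts in `@@ -10,7 +10,7 @@` and the single insertion the diffstat shows for stacks/vault/main.tf indicate it really is one line, so `terraform validate` fails on this stack. Beyond the syntax, enrolling vault means an upstream digest push restarts the Vault pods unattended; unless auto-unseal is configured (nothing here shows it), every such roll leaves Vault sealed and every consumer of its secrets broken until someone unseals it. Either document that auto-unseal covers this, e.g. `# keel.sh/enrolled: safe only with auto-unseal — Vault restarts unattended on digest pushes`, or keep vault in the exclude list until that is confirmed.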
@@ -14,7 +14,8 @@ resource "kubernetes_namespace" "wireguard" {
 metadata {
 name = "wireguard"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
diff --git a/stacks/xray/modules/xray/main.tf b/stacks/xray/modules/xray/main.tf
index 420e886d..903eaabd 100644
--- a/stacks/xray/modules/xray/main.tf
+++ b/stacks/xray/modules/xray/main.tf
@@ -23,7 +23,8 @@ resource "kubernetes_namespace" "xray" {
 metadata {
 name = "xray"
 labels = {
-tier = var.tier
+tier = var.tier
+"keel.sh/enrolled" = "true"
 }
 }
 lifecycle {
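Review bot: This label enrolls a workload that the commit message says runs `sclevine/wg:latest` and was only made to work today by an `iptables-nft` postStart shim; with `force` + `match-tag` on `latest`, the next upstream push swaps the image underneath that shim with no gate, and the VPN endpoint is down if the new image's userland differs. Pinning the deployment to a versioned tag (or a digest) and letting Keel follow only that tag keeps the enrolment while removing the surprise. At minimum a comment on the label, e.g. `# keel.sh/enrolled: image is :latest — every upstream push rolls this VPN pod`, would make the exposure visible in this file. The resource continues past the hunk.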
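Review bot: The commit message lists the xray image as `teddysun/xray` with no tag, which the runtime resolves as `:latest`, so under the `force` + `match-tag` policy every upstream push, major releases included, rolls this tunnel endpoint unattended. Set an explicit version tag on the deployment before enrolling the namespace so the digest watch follows a known release line. Note the precondition here, e.g. `# keel.sh/enrolled: deployment must carry a pinned version tag — see keel-annotations.tf`. The resource continues past the hunk.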