extract monitoring, nvidia, mailserver, cloudflared, kyverno from platform [ci skip]

Phase 2 of platform stack split. 5 more modules extracted into independent stacks. All applied successfully with zero destroys. Cloudflared now reads k8s_users from Vault directly to compute user_domains. Woodpecker pipeline runs all 8 extracted stacks in parallel. Memory bumped to 6Gi for 9 concurrent TF processes. Platform reduced from 27 to 19 modules.
2026-03-17 21:34:11 +00:00 · 2026-03-17 21:34:11 +00:00 · ae36dc253b
commit ae36dc253b
parent 3c804aedf8
73 changed files with 166093 additions and 96 deletions
--- a/stacks/cloudflared/modules/cloudflared/main.tf
+++ b/stacks/cloudflared/modules/cloudflared/main.tf
@ -0,0 +1,130 @@
+# Contents for cloudflare tunnel
+
+variable "tls_secret_name" {}
+variable "cloudflare_tunnel_token" {}
+resource "kubernetes_namespace" "cloudflared" {
+  metadata {
+    name = "cloudflared"
+    labels = {
+      tier = var.tier
+    }
+  }
+}
+variable "tier" { type = string }
+
+module "tls_secret" {
+  source          = "../../../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.cloudflared.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "cloudflared" {
+  metadata {
+    name      = "cloudflared"
+    namespace = kubernetes_namespace.cloudflared.metadata[0].name
+    labels = {
+      app  = "cloudflared"
+      tier = var.tier
+    }
+    annotations = {
+      "reloader.stakater.com/search" = "true"
+    }
+  }
+  spec {
+    replicas = 3
+    strategy {
+      type = "RollingUpdate"
+    }
+    selector {
+      match_labels = {
+        app = "cloudflared"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "cloudflared"
+        }
+      }
+      spec {
+        topology_spread_constraint {
+          max_skew           = 1
+          topology_key       = "kubernetes.io/hostname"
+          when_unsatisfiable = "ScheduleAnyway"
+          label_selector {
+            match_labels = {
+              app = "cloudflared"
+            }
+          }
+        }
+        container {
+          # image = "wisdomsky/cloudflared-web:latest"
+          image   = "cloudflare/cloudflared"
+          name    = "cloudflared"
+          command = ["cloudflared", "tunnel", "run"]
+          env {
+            name  = "TUNNEL_TOKEN"
+            value = var.cloudflare_tunnel_token
+          }
+
+          port {
+            container_port = 14333
+          }
+          resources {
+            requests = {
+              cpu    = "15m"
+              memory = "128Mi"
+            }
+            limits = {
+              memory = "128Mi"
+            }
+          }
+        }
+        dns_config {
+          option {
+            name  = "ndots"
+            value = "2"
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_pod_disruption_budget_v1" "cloudflared" {
+  metadata {
+    name      = "cloudflared"
+    namespace = kubernetes_namespace.cloudflared.metadata[0].name
+  }
+  spec {
+    max_unavailable = "1"
+    selector {
+      match_labels = {
+        app = "cloudflared"
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "cloudflared" {
+  metadata {
+    name      = "cloudflared"
+    namespace = kubernetes_namespace.cloudflared.metadata[0].name
+    labels = {
+      "app" = "cloudflared"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "cloudflared"
+    }
+    port {
+      name        = "http"
+      target_port = 14333
+      port        = 80
+      protocol    = "TCP"
+    }
+  }
+}
+