docs: PVC templates need lifecycle.ignore_changes for autoresizer
The canonical proxmox-lvm and proxmox-lvm-encrypted PVC templates were
missing `lifecycle { ignore_changes = [spec[0].resources[0].requests] }`.
Without it, every PVC created from these templates becomes a drift bomb
the moment pvc-autoresizer expands it: the next `tg apply` on that stack
will try to shrink the PVC back to the TF-declared size, K8s rejects the
shrink, and apply fails.
This was latent because pvc-autoresizer was silently broken cluster-wide
(commit 9d5da4d8 fixed it by allow-listing kubelet_volume_stats_available_bytes
in Prometheus). Now that the autoresizer actually works, every existing
proxmox-lvm/encrypted PVC without ignore_changes is at risk.
Sweep needed (separate task): grep for kubernetes_persistent_volume_claim
across stacks/ and add ignore_changes to any with resize.topolvm.io
annotations.
This commit is contained in:
parent
ce9bf5b676
commit
b3ae2c5476
1 changed files with 14 additions and 1 deletions
@ -188,11 +188,20 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" {
requests = { storage = "1Gi" }
}
}
lifecycle {
# pvc-autoresizer expands this PVC up to storage_limit; ignore drift on
# requests.storage so the next TF apply doesn't try to shrink it back
# (K8s rejects shrinks → apply fails). To bump the floor manually:
# temporarily remove this block, apply the new size, re-add the block,
# apply again.
ignore_changes = [spec[0].resources[0].requests]
}
}
```
- `wait_until_bound = false` is **required** (WaitForFirstConsumer binding)
- Deployment strategy **must be Recreate** (RWO volumes)
- Autoresizer annotations are **required** on all proxmox-lvm PVCs
- `lifecycle.ignore_changes` on `requests` is **required** to coexist with the autoresizer
- Every proxmox-lvm app **MUST** add a backup CronJob writing to NFS `/mnt/main/<app>-backup/`
**proxmox-lvm-encrypted PVC template** (Terraform) — use for all sensitive data:
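Review bot: the manual floor-bump recipe in the new comment (remove the lifecycle block, apply, re-add, apply) can itself trigger the shrink this change is meant to prevent: if pvc-autoresizer has already grown the PVC past the new TF value, the first apply without `ignore_changes` will try to set `requests.storage` back down, K8s rejects it, and apply fails exactly as described in the commit message. Suggest the comment tell the reader to check the PVC's current size first (for example `kubectl get pvc <name> -o jsonpath='{.status.capacity.storage}'`) and set the new TF floor no lower than that before removing the block. It would also help to name the annotation that `storage_limit` refers to, since the snippet only mentions it by short name and the bullet list says the autoresizer annotations are required without listing them.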
@ -215,9 +224,13 @@ resource "kubernetes_persistent_volume_claim" "data_encrypted" {
requests = { storage = "1Gi" }
}
}
lifecycle {
# See data_proxmox above — required for autoresizer coexistence.
ignore_changes = [spec[0].resources[0].requests]
}
}
```
- Same rules as `proxmox-lvm` (wait_until_bound, Recreate strategy, autoresizer, backup CronJob)
- Same rules as `proxmox-lvm` (wait_until_bound, Recreate strategy, autoresizer, backup CronJob, `lifecycle.ignore_changes`)
- Uses LUKS2 encryption with Argon2id key derivation via Proxmox CSI plugin
- Encryption passphrase stored in Vault KV (`secret/viktor/proxmox_csi_encryption_passphrase`), synced to K8s Secret `proxmox-csi-encryption` in `kube-system` via ExternalSecret
- Backup key at `/root/.luks-backup-key` on PVE host (chmod 600)
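Review bot: the one-line comment `# See data_proxmox above — required for autoresizer coexistence.` leaves out the consequence a reader of the encrypted template most needs: once `requests` is in `ignore_changes`, `storage = "1Gi"` is only a creation-time floor and `terraform plan` will no longer surface any size drift for this PVC in either direction, so an accidental downward edit of the TF value is not caught either. Suggest stating that inline rather than only by cross-reference, and echoing it in the replaced bullet (the one that now ends with `lifecycle.ignore_changes`), so the encrypted section stays self-contained if the two templates are ever split into separate docs.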