From b3ae2c5476ea5a6b82682ae56cc22dd22a9398ee Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 9 May 2026 12:02:18 +0000
Subject: [PATCH] docs: PVC templates need lifecycle.ignore_changes for autoresizer

The canonical proxmox-lvm and proxmox-lvm-encrypted PVC templates were missing `lifecycle { ignore_changes = [spec[0].resources[0].requests] }`. Without it, every PVC created from these templates becomes a drift bomb the moment pvc-autoresizer expands it: the next `tg apply` on that stack will try to shrink the PVC back to the TF-declared size, K8s rejects the shrink, and apply fails.

This was latent because pvc-autoresizer was silently broken cluster-wide (commit 9d5da4d8 fixed it by allow-listing kubelet_volume_stats_available_bytes in Prometheus). Now that the autoresizer actually works, every existing proxmox-lvm/encrypted PVC without ignore_changes is at risk.

Sweep needed (separate task): grep for kubernetes_persistent_volume_claim across stacks/ and add ignore_changes to any with resize.topolvm.io annotations.
---
 .claude/CLAUDE.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
index bb1ce653..68fcfd38 100755
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@@ -188,11 +188,20 @@ resource "kubernetes_persistent_volume_claim" "data_proxmox" { requests = { storage = "1Gi" } } } + lifecycle { + # pvc-autoresizer expands this PVC up to storage_limit; ignore drift on + # requests.storage so the next TF apply doesn't try to shrink it back + # (K8s rejects shrinks → apply fails). To bump the floor manually: + # temporarily remove this block, apply the new size, re-add the block, + # apply again. + ignore_changes = [spec[0].resources[0].requests] + } } ``` - `wait_until_bound = false` is **required** (WaitForFirstConsumer binding) - Deployment strategy **must be Recreate** (RWO volumes) - Autoresizer annotations are **required** on all proxmox-lvm PVCs +- `lifecycle.ignore_changes` on `requests` is **required** to coexist with the autoresizer - Every proxmox-lvm app **MUST** add a backup CronJob writing to NFS `/mnt/main/-backup/` **proxmox-lvm-encrypted PVC template** (Terraform) — use for all sensitive data: @@ -215,9 +224,13 @@ resource "kubernetes_persistent_volume_claim" "data_encrypted" { requests = { storage = "1Gi" } } } + lifecycle { + # See data_proxmox above — required for autoresizer coexistence. + ignore_changes = [spec[0].resources[0].requests] + } } ``` -- Same rules as `proxmox-lvm` (wait_until_bound, Recreate strategy, autoresizer, backup CronJob) +- Same rules as `proxmox-lvm` (wait_until_bound, Recreate strategy, autoresizer, backup CronJob, `lifecycle.ignore_changes`) - Uses LUKS2 encryption with Argon2id key derivation via Proxmox CSI plugin - Encryption passphrase stored in Vault KV (`secret/viktor/proxmox_csi_encryption_passphrase`), synced to K8s Secret `proxmox-csi-encryption` in `kube-system` via ExternalSecret - Backup key at `/root/.luks-backup-key` on PVE host (chmod 600)
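Review bot: in the first hunk (data_proxmox), the manual floor-bump procedure in the new comment ("temporarily remove this block, apply the new size, re-add the block, apply again") is missing its precondition: the newly declared `storage` must be at least the PVC's current live capacity, otherwise the apply with the block removed attempts exactly the shrink the commit message says Kubernetes rejects, and the stack is back in the failing state the patch is trying to document away. Suggest adding one line to the comment, e.g. `# before bumping, read the live size (kubectl get pvc <name> -o jsonpath='{.status.capacity.storage}') and only declare a value >= that`. Also consider noting in the bullet list that existing PVCs created before this change are not covered by the template fix, since the commit message defers that sweep to a separate task and a reader of CLAUDE.md would otherwise assume all proxmox-lvm PVCs already have the guard.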
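Review bot: in the second hunk (data_encrypted), the added comment only says "See data_proxmox above", so the rationale and the floor-bump procedure are lost for anyone who copies just this template, which the surrounding text designates as the one to use for all sensitive data. Suggest either repeating the two-line rationale or at least stating the trap directly, e.g. `# TF ignores in-place edits to requests.storage here; see data_proxmox for how to raise the floor safely.` The bullet update (`lifecycle.ignore_changes` appended to the "Same rules as proxmox-lvm" list) is consistent with the new bullet in the data_proxmox section.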
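One way to run the sweep the commit message asks for, as an added example that is not part of this patch or the repository: it walks a directory of `.tf` files, extracts each `kubernetes_persistent_volume_claim` resource block with a brace-depth scan, and reports those that carry `resize.topolvm.io` annotations but lack the `ignore_changes` guard on `spec[0].resources[0].requests`. The function names and the embedded sample HCL are constructed for this example.

```python
"""Audit .tf files for kubernetes_persistent_volume_claim resources that carry
resize.topolvm.io annotations but lack the lifecycle.ignore_changes guard on
spec[0].resources[0].requests. Added example, not part of the patch."""
import re
from pathlib import Path

RESOURCE_RE = re.compile(r'resource\s+"kubernetes_persistent_volume_claim"\s+"([^"]+)"\s*\{')
# The guard the patch documents; '.*?' tolerates other entries listed before it.
GUARD_RE = re.compile(r'ignore_changes\s*=\s*\[.*?spec\[0\]\.resources\[0\]\.requests', re.S)

def _block_body(text, start):
    """Return the brace-delimited block starting at text[start] == '{'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced braces in HCL input")

def find_unprotected_pvcs(hcl):
    """Names of PVC resources the autoresizer will grow but a later apply
    would try to shrink: autoresizer annotation present, guard absent."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)  # m.end()-1 is the opening '{'
        if "resize.topolvm.io" in body and not GUARD_RE.search(body):
            findings.append(m.group(1))
    return findings

def sweep(root):
    """Map each .tf file under root (e.g. 'stacks') to its unprotected PVC names."""
    found = {str(p): find_unprotected_pvcs(p.read_text()) for p in Path(root).rglob("*.tf")}
    return {path: names for path, names in found.items() if names}

# Constructed sample (hypothetical resources): guarded, unguarded, not autoresized.
SAMPLE_HCL = '''
resource "kubernetes_persistent_volume_claim" "guarded" {
  metadata { annotations = { "resize.topolvm.io/storage_limit" = "10Gi" } }
  spec { resources { requests = { storage = "1Gi" } } }
  lifecycle { ignore_changes = [spec[0].resources[0].requests] }
}
resource "kubernetes_persistent_volume_claim" "unguarded" {
  metadata { annotations = { "resize.topolvm.io/storage_limit" = "10Gi" } }
  spec { resources { requests = { storage = "1Gi" } } }
}
resource "kubernetes_persistent_volume_claim" "static" { spec { resources { requests = { storage = "1Gi" } } } }
'''
```

Running `sweep("stacks")` from the repository root prints only the files that still need the guard; on `SAMPLE_HCL`, `find_unprotected_pvcs` reports just `unguarded`.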