viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[ci skip] Add tier labels to all namespace resources for Kyverno resource governance

Browse source 
Added `tier = var.tier` to kubernetes_namespace labels in ~73 service
modules. This enables Kyverno to generate LimitRange defaults,
ResourceQuotas, and PriorityClass injection for all namespaces.

Previously only 11 namespaces had tier labels; now all 80 active
namespaces are labeled. All pods restarted in rolling waves to pick
up the new policies.
This commit is contained in:
Viktor Barzin 2026-02-21 23:38:05 +00:00
parent 517f5d6a6c
commit d345841ef2
66 changed files with 135 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/kubernetes/actualbudget/main.tf
View file

@ -14,6 +14,7 @@ resource "kubernetes_namespace" "actualbudget" {
name = "actualbudget"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/affine/main.tf
View file

@ -6,6 +6,9 @@ variable "smtp_password" { type = string }
resource "kubernetes_namespace" "affine" {
metadata {
name = "affine"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/audiobookshelf/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "audiobookshelf" {
name = "audiobookshelf"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/blog/main.tf
View file

@ -7,6 +7,7 @@ resource "kubernetes_namespace" "website" {
name = "website"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/calibre/main.tf
View file

@ -10,6 +10,9 @@ variable "homepage_password" {
resource "kubernetes_namespace" "calibre" {
metadata {
name = "calibre"
labels = {
tier = var.tier
}
# labels = {
# "istio-injection" : "enabled"
# }

1
modules/kubernetes/changedetection/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "changedetection" {
name = "changedetection"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/cloudflared/main.tf
View file

@ -5,6 +5,9 @@ variable "cloudflare_tunnel_token" {}
resource "kubernetes_namespace" "cloudflared" {
metadata {
name = "cloudflared"
labels = {
tier = var.tier
}
}
}
variable "tier" { type = string }

4
modules/kubernetes/coturn/main.tf
View file

@ -1,6 +1,7 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "turn_secret" { type = string }
variable "public_ip" { type = string }
locals {
turn_realm = "viktorbarzin.me"
@ -44,6 +45,7 @@ resource "kubernetes_config_map" "coturn_config" {
# Network use 0.0.0.0, coturn auto-detects pod IP
listening-ip=0.0.0.0
external-ip=${var.public_ip}
# Media relay port range (narrow 100 ports)
min-port=${local.min_port}
@ -153,7 +155,7 @@ resource "kubernetes_service" "coturn" {
name = "coturn"
namespace = kubernetes_namespace.coturn.metadata[0].name
annotations = {
"metallb.universe.tf/loadBalancerIPs" = "10.0.20.200"
"metallb.universe.tf/loadBalancerIPs" = "10.0.20.200"
"metallb.universe.tf/allow-shared-ip" = "shared"
}
}

3
modules/kubernetes/cyberchef/main.tf
View file

@ -3,6 +3,9 @@ variable "tier" { type = string }
resource "kubernetes_namespace" "cyberchef" {
metadata {
name = "cyberchef"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/dashy/main.tf
View file

@ -13,6 +13,7 @@ resource "kubernetes_namespace" "dashy" {
name = "dashy"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/dawarich/main.tf
View file

@ -12,6 +12,7 @@ resource "kubernetes_namespace" "dawarich" {
name = "dawarich"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/diun/main.tf
View file

@ -8,6 +8,7 @@ resource "kubernetes_namespace" "diun" {
name = "diun"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

9
modules/kubernetes/drone/main.tf
View file

@ -19,6 +19,7 @@ resource "kubernetes_namespace" "drone" {
name = "drone"
labels = {
"resource-governance/custom-quota" = "true"
tier = var.tier
}
}
}
@ -30,10 +31,10 @@ resource "kubernetes_resource_quota" "drone" {
}
spec {
hard = {
"requests.cpu" = "8"
"requests.memory" = "8Gi"
"limits.cpu" = "16"
"limits.memory" = "32Gi"
"requests.cpu" = "16"
"requests.memory" = "16Gi"
"limits.cpu" = "48"
"limits.memory" = "96Gi"
pods = "30"
}
}

1
modules/kubernetes/ebook2audiobook/main.tf
View file

@ -13,6 +13,7 @@ resource "kubernetes_namespace" "ebook2audiobook" {
name = "ebook2audiobook"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/echo/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "echo" {
name = "echo"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/excalidraw/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "excalidraw" {
name = "excalidraw"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

2
modules/kubernetes/f1-stream/main.tf
View file

@ -37,7 +37,7 @@ resource "kubernetes_deployment" "f1-stream" {
}
spec {
container {
image = "viktorbarzin/f1-stream:v1.2.7"
image = "viktorbarzin/f1-stream:v1.2.8"
name = "f1-stream"
resources {
limits = {

1
modules/kubernetes/forgejo/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "forgejo" {
name = "forgejo"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/freedify/main.tf
View file

@ -14,6 +14,7 @@ resource "kubernetes_namespace" "freedify" {
name = "freedify"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/freshrss/main.tf
View file

@ -10,6 +10,9 @@ module "tls_secret" {
resource "kubernetes_namespace" "immich" {
metadata {
name = "freshrss"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/frigate/main.tf
View file

@ -4,6 +4,9 @@ variable "tier" { type = string }
resource "kubernetes_namespace" "frigate" {
metadata {
name = "frigate"
labels = {
tier = var.tier
}
# labels = {
# "istio-injection" : "enabled"
# }

3
modules/kubernetes/grampsweb/main.tf
View file

@ -5,6 +5,9 @@ variable "smtp_password" { type = string }
resource "kubernetes_namespace" "grampsweb" {
metadata {
name = "grampsweb"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/hackmd/main.tf
View file

@ -7,6 +7,7 @@ resource "kubernetes_namespace" "hackmd" {
name = "hackmd"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/health/main.tf
View file

@ -6,6 +6,9 @@ variable "secret_key" { type = string }
resource "kubernetes_namespace" "health" {
metadata {
name = "health"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/immich/main.tf
View file

@ -18,6 +18,9 @@ module "tls_secret" {
resource "kubernetes_namespace" "immich" {
metadata {
name = "immich"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/isponsorblocktv/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "isponsorblocktv" {
name = "isponsorblocktv"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/jsoncrack/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "jsoncrack" {
name = "jsoncrack"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/kms/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "kms" {
name = "kms"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/linkwarden/main.tf
View file

@ -7,6 +7,9 @@ variable "authentik_client_secret" {}
resource "kubernetes_namespace" "linkwarden" {
metadata {
name = "linkwarden"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/mailserver/main.tf
View file

@ -8,6 +8,9 @@ variable "sasl_passwd" {} # For sendgrid i.e relayhost
resource "kubernetes_namespace" "mailserver" {
metadata {
name = "mailserver"
labels = {
tier = var.tier
}
# connecting via localhost does not seem to work?
# labels = {
# "istio-injection" : "enabled"

1
modules/kubernetes/matrix/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "matrix" {
name = "matrix"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/mcaptcha/main.tf
View file

@ -14,6 +14,7 @@ resource "kubernetes_namespace" "mcaptcha" {
name = "mcaptcha"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/meshcentral/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "meshcentral" {
name = "meshcentral"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/n8n/main.tf
View file

@ -11,6 +11,9 @@ module "tls_secret" {
resource "kubernetes_namespace" "n8n" {
metadata {
name = "n8n"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/navidrome/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "navidrome" {
name = "navidrome"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/netbox/main.tf
View file

@ -4,6 +4,9 @@ variable "tier" { type = string }
resource "kubernetes_namespace" "netbox" {
metadata {
name = "netbox"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/networking-toolbox/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "networking-toolbox" {
name = "networking-toolbox"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/ntfy/main.tf
View file

@ -3,6 +3,9 @@ variable "tier" { type = string }
resource "kubernetes_namespace" "ntfy" {
metadata {
name = "ntfy"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/ollama/main.tf
View file

@ -8,6 +8,9 @@ variable "ollama_api_credentials" {
resource "kubernetes_namespace" "ollama" {
metadata {
name = "ollama"
labels = {
tier = var.tier
}
}
}

11
modules/kubernetes/openclaw/main.tf
View file

@ -10,6 +10,9 @@ variable "skill_secrets" { type = map(string) }
resource "kubernetes_namespace" "openclaw" {
metadata {
name = "openclaw"
labels = {
tier = var.tier
}
}
}
@ -86,10 +89,10 @@ resource "kubernetes_config_map" "openclaw_config" {
fallbacks = ["gemini/gemini-2.5-flash", "llama-as-openai/Llama-3.3-70B-Instruct"]
}
models = {
"modal/zai-org/GLM-5-FP8" = { streaming = false }
"gemini/gemini-2.5-flash" = {}
"llama-as-openai/Llama-3.3-70B-Instruct" = {}
"llama-as-openai/Llama-4-Scout-17B-16E-Instruct-FP8" = {}
"modal/zai-org/GLM-5-FP8" = { streaming = false }
"gemini/gemini-2.5-flash" = {}
"llama-as-openai/Llama-3.3-70B-Instruct" = {}
"llama-as-openai/Llama-4-Scout-17B-16E-Instruct-FP8" = {}
}
}
}

1
modules/kubernetes/osm-routing/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "osm-routing" {
name = "osm-routing"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/owntracks/main.tf
View file

@ -12,6 +12,7 @@ resource "kubernetes_namespace" "owntracks" {
name = "owntracks"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/paperless-ngx/main.tf
View file

@ -9,6 +9,9 @@ variable "homepage_password" {}
resource "kubernetes_namespace" "paperless-ngx" {
metadata {
name = "paperless-ngx"
labels = {
tier = var.tier
}
# labels = {
# "istio-injection" : "enabled"
# }

1
modules/kubernetes/plotting-book/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "plotting-book" {
name = "plotting-book"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/privatebin/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "privatebin" {
name = "privatebin"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

6
modules/kubernetes/real-estate-crawler/main.tf
View file

@ -12,6 +12,7 @@ resource "kubernetes_namespace" "realestate-crawler" {
name = "realestate-crawler"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}
@ -57,7 +58,7 @@ resource "kubernetes_deployment" "realestate-crawler-ui" {
image = "viktorbarzin/immoweb:latest"
port {
name = "http"
container_port = 80
container_port = 8080
protocol = "TCP"
}
env {
@ -89,7 +90,8 @@ resource "kubernetes_service" "realestate-crawler-ui" {
app = "realestate-crawler-ui"
}
port {
port = 80
port = 80
target_port = 8080
}
}
}

3
modules/kubernetes/redis/main.tf
View file

@ -4,6 +4,9 @@ variable "tier" { type = string }
resource "kubernetes_namespace" "redis" {
metadata {
name = "redis"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/resume/main.tf
View file

@ -12,6 +12,9 @@ locals {
resource "kubernetes_namespace" "resume" {
metadata {
name = local.namespace
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/rybbit/main.tf
View file

@ -6,6 +6,9 @@ variable "postgres_password" { type = string }
resource "kubernetes_namespace" "rybbit" {
metadata {
name = "rybbit"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/send/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "send" {
name = "send"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/servarr/main.tf
View file

@ -5,6 +5,9 @@ variable "aiostreams_database_connection_string" { type = string }
resource "kubernetes_namespace" "servarr" {
metadata {
name = "servarr"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/shadowsocks/main.tf
View file

@ -7,6 +7,9 @@ variable "method" {
resource "kubernetes_namespace" "shadowsocks" {
metadata {
name = "shadowsocks"
labels = {
tier = var.tier
}
# TLS termination seems iffy - I get pfsense MiTM-ing
# labels = {
# "istio-injection" : "enabled"

3
modules/kubernetes/speedtest/main.tf
View file

@ -6,6 +6,9 @@ variable "db_password" { type = string }
resource "kubernetes_namespace" "speedtest" {
metadata {
name = "speedtest"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/stirling-pdf/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "stirling-pdf" {
name = "stirling-pdf"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/tandoor/main.tf
View file

@ -8,6 +8,7 @@ resource "kubernetes_namespace" "tandoor" {
name = "tandoor"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/technitium/main.tf
View file

@ -6,6 +6,9 @@ variable "technitium_db_password" {}
resource "kubernetes_namespace" "technitium" {
metadata {
name = "technitium"
labels = {
tier = var.tier
}
# stale cache error when trying to resolve
# labels = {
# "istio-injection" : "enabled"

1
modules/kubernetes/tor-proxy/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "tor-proxy" {
name = "tor-proxy"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/travel_blog/main.tf
View file

@ -6,6 +6,7 @@ resource "kubernetes_namespace" "travel-blog" {
name = "travel-blog"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/tuya-bridge/main.tf
View file

@ -10,6 +10,7 @@ resource "kubernetes_namespace" "tuya-bridge" {
name = "tuya-bridge"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/uptime-kuma/main.tf
View file

@ -4,6 +4,9 @@ variable "tier" { type = string }
resource "kubernetes_namespace" "uptime-kuma" {
metadata {
name = "uptime-kuma"
labels = {
tier = var.tier
}
# labels = {
# "istio-injection" : "enabled"
# }

1
modules/kubernetes/vaultwarden/main.tf
View file

@ -7,6 +7,7 @@ resource "kubernetes_namespace" "vaultwarden" {
name = "vaultwarden"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

1
modules/kubernetes/wealthfolio/main.tf
View file

@ -14,6 +14,7 @@ resource "kubernetes_namespace" "wealthfolio" {
name = "wealthfolio"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/webhook_handler/main.tf
View file

@ -12,6 +12,9 @@ variable "ssh_key" {}
resource "kubernetes_namespace" "webhook-handler" {
metadata {
name = "webhook-handler"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/whisper/main.tf
View file

@ -4,6 +4,9 @@ variable "tier" { type = string }
resource "kubernetes_namespace" "whisper" {
metadata {
name = "whisper"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/xray/main.tf
View file

@ -19,6 +19,9 @@ module "tls_secret" {
resource "kubernetes_namespace" "xray" {
metadata {
name = "xray"
labels = {
tier = var.tier
}
}
}

1
modules/kubernetes/youtube_dl/main.tf
View file

@ -9,6 +9,7 @@ resource "kubernetes_namespace" "ytdlp" {
name = "ytdlp"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}