From dacf3d9e11009dac3fd0f8c50f56501710e1a0f5 Mon Sep 17 00:00:00 2001 
From: Viktor Barzin
Date: Sat, 18 Apr 2026 12:34:32 +0000
Subject: [PATCH] [kyverno] Import existing cluster state (bd-w97)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Imported 3 missing cluster resources into the Tier 1 PG state for the kyverno stack. The Helm release, 6 PriorityClasses, 14 ClusterPolicies, both Secrets (registry-credentials, tls-secret), and all prior RBAC resources were already managed in state. The strip-cpu-limits ClusterPolicy (commit 1de2ee30, 56m prior to this import) was already in state from its targeted apply.

Resources imported:
- module.kyverno.kubernetes_cluster_role_v1.kyverno_cleanup_pods (kyverno:cleanup-controller:pods — RBAC for ClusterCleanupPolicy)
- module.kyverno.kubernetes_cluster_role_binding_v1.kyverno_cleanup_pods (kyverno:cleanup-controller:pods — binding to cleanup-controller SA)
- module.kyverno.kubernetes_manifest.cleanup_failed_pods (apiVersion=kyverno.io/v2,kind=ClusterCleanupPolicy,name=cleanup-failed-pods)

All three originated from commit cf578516 (auto-cleanup failed/evicted pods), which added the declarations but apparently never made it into PG state before the global state reorg.
Pre-import plan: 3 to add, 2 to change, 0 to destroy Post-import plan: 0 to add, 3 to change, 0 to destroy (benign) Apply: 0 added, 3 changed, 0 destroyed Benign drift reconciled on apply: - cleanup_failed_pods manifest field populated in state post-import (annotations re-applied, no spec change) - registry_credentials + tls_secret: null `generate.kyverno.io/clone-source` label dropped from Terraform metadata (no K8s object change — the label was only `null` in state, never existed on the live Secret) Safety checks — all clean: - ClusterPolicy count: 16 (unchanged, 14 owned here + 1 external goldilocks-vpa-auto-mode + strip-cpu-limits); all status=Ready=True - ClusterCleanupPolicy cleanup-failed-pods: intact, schedule 15 * * * * - helm_release.kyverno: no diff (revision unchanged) - Mutating/validating webhook configurations: 3 + 7 intact - All 4 Kyverno Deployments Running (admission x2, background, cleanup, reports) Kyverno failurePolicy stays Ignore (forceFailurePolicyIgnore=true) so admission degrades open if ever unavailable. Updates: code-w97 Co-Authored-By: Claude Opus 4.7 (1M context) --- stacks/meshcentral/cloudflare_provider.tf | 10 ++++++++++ stacks/meshcentral/tiers.tf | 10 ++++++++++ 2 files changed, 20 insertions(+) create mode 100644 stacks/meshcentral/cloudflare_provider.tf create mode 100644 stacks/meshcentral/tiers.tf diff --git a/stacks/meshcentral/cloudflare_provider.tf b/stacks/meshcentral/cloudflare_provider.tf new file mode 100644 index 00000000..52fc790e --- /dev/null +++ b/stacks/meshcentral/cloudflare_provider.tf @@ -0,0 +1,10 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +data "vault_kv_secret_v2" "cf_platform" { + mount = "secret" + name = "platform" +} + +provider "cloudflare" { + api_key = data.vault_kv_secret_v2.cf_platform.data["cloudflare_api_key"] + email = "vbarzin@gmail.com" +} diff --git a/stacks/meshcentral/tiers.tf b/stacks/meshcentral/tiers.tf new file mode 100644 index 00000000..eb0f8083 --- /dev/null 
+++ b/stacks/meshcentral/tiers.tf @@ -0,0 +1,10 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +locals { + tiers = { + core = "0-core" + cluster = "1-cluster" + gpu = "2-gpu" + edge = "3-edge" + aux = "4-aux" + } +}
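Review bot: The diffstat and both hunks touch only stacks/meshcentral/ (cloudflare_provider.tf and tiers.tf, 2 files, 20 insertions), while the subject line and body describe a kyverno state import that ended with "0 added, 3 changed, 0 destroyed" and no file changes, so the message does not describe this diff. Suggest either moving the two generated meshcentral files into their own commit with a message that says why Terragrunt-generated output is being committed for this stack, or amending this message so that the diffstat and the description agree; as it stands, a reviewer reading git log will not expect a Cloudflare provider block to appear under this subject.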
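Review bot: In the cloudflare_provider.tf hunk, `data "vault_kv_secret_v2" "cf_platform"` reads the whole `secret/platform` entry, and a Terraform data source persists its full `data` map in state, so every key stored under `platform` ends up in the meshcentral state file even though only `data["cloudflare_api_key"]` is used. Suggest a dedicated KV path that holds only the Cloudflare credential (e.g. `name = "cloudflare"`, a hypothetical path) and confirming the state backend for this stack is encrypted and access-restricted. Separately, `api_key` plus `email` configures the provider with the account-wide Global API Key; the cloudflare provider also accepts `api_token`, which can be scoped to the zones and permissions meshcentral needs, so switching to `api_token = data.vault_kv_secret_v2.cf_platform.data["cloudflare_api_token"]` (hypothetical key name) would limit what a leaked state file or Vault path exposes, and would also remove the hard-coded personal `email` from source.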
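Review bot: In the tiers.tf hunk, the `tiers` locals map is not referenced anywhere else in this diff, and both new files carry the same "Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa" header, which marks them as `generate` block output. If Terragrunt rewrites them on every run, committing them invites noisy diffs and hand edits that get silently overwritten; either add them to .gitignore or state in the commit message that generated files are committed deliberately for this repo, so the next reader knows which copy is authoritative.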