[kyverno] Import existing cluster state (bd-w97)

Imported 3 missing cluster resources into the Tier 1 PG state for the
kyverno stack. The Helm release, 6 PriorityClasses, 14 ClusterPolicies,
both Secrets (registry-credentials, tls-secret), and all prior RBAC
resources were already managed in state. The strip-cpu-limits
ClusterPolicy (commit 1de2ee30, 56m prior to this import) was already
in state from its targeted apply.

Resources imported:
- module.kyverno.kubernetes_cluster_role_v1.kyverno_cleanup_pods
  (kyverno:cleanup-controller:pods — RBAC for ClusterCleanupPolicy)
- module.kyverno.kubernetes_cluster_role_binding_v1.kyverno_cleanup_pods
  (kyverno:cleanup-controller:pods — binding to cleanup-controller SA)
- module.kyverno.kubernetes_manifest.cleanup_failed_pods
  (apiVersion=kyverno.io/v2,kind=ClusterCleanupPolicy,name=cleanup-failed-pods)

All three originated from commit cf578516 (auto-cleanup failed/evicted
pods), which added the declarations but apparently never made it into
PG state before the global state reorg.

Pre-import plan:  3 to add,  2 to change, 0 to destroy
Post-import plan: 0 to add,  3 to change, 0 to destroy (benign)
Apply:            0 added,   3 changed,   0 destroyed

Benign drift reconciled on apply:
- cleanup_failed_pods manifest field populated in state post-import
  (annotations re-applied, no spec change)
- registry_credentials + tls_secret: null `generate.kyverno.io/clone-source`
  label dropped from Terraform metadata (no K8s object change — the label
  was only `null` in state, never existed on the live Secret)

Safety checks — all clean:
- ClusterPolicy count: 16 (unchanged, 14 owned here + 1 external
  goldilocks-vpa-auto-mode + strip-cpu-limits); all status=Ready=True
- ClusterCleanupPolicy cleanup-failed-pods: intact, schedule 15 * * * *
- helm_release.kyverno: no diff (revision unchanged)
- Mutating/validating webhook configurations: 3 + 7 intact
- All 4 Kyverno Deployments Running (admission x2, background, cleanup, reports)

Kyverno failurePolicy stays Ignore (forceFailurePolicyIgnore=true) so
admission degrades open if ever unavailable.

Updates: code-w97

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-04-18 12:34:32 +00:00
parent 9ea4ccf17e
commit dacf3d9e11
2 changed files with 20 additions and 0 deletions
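The import and the plan gate described in the commit message, as an added shell example that is not part of this commit or the repository. It assumes the stack is driven with `terragrunt` from the kyverno stack directory, that the import IDs follow the providers' documented formats (the object name for the RBAC resources, the `apiVersion=…,kind=…,name=…` triple for `kubernetes_manifest`), and it uses constructed plan-summary lines that mirror the figures in the message; `plan_is_benign` also accepts the `N to import` prefix newer Terraform releases print, which goes beyond what the message shows.

```shell
#!/bin/sh
# Added example, not the project's code. Assumes `terragrunt` on PATH and the
# module addresses / import IDs listed in the commit message.

# Emit the three import commands, one per line, so they can be reviewed
# before being piped to `sh`.
import_commands() {
  cat <<'EOF'
terragrunt import module.kyverno.kubernetes_cluster_role_v1.kyverno_cleanup_pods kyverno:cleanup-controller:pods
terragrunt import module.kyverno.kubernetes_cluster_role_binding_v1.kyverno_cleanup_pods kyverno:cleanup-controller:pods
terragrunt import module.kyverno.kubernetes_manifest.cleanup_failed_pods 'apiVersion=kyverno.io/v2,kind=ClusterCleanupPolicy,name=cleanup-failed-pods'
EOF
}

# Pull the summary line out of full `terraform plan -no-color` output
# (either "Plan: A to add, C to change, D to destroy." or "No changes. ...").
plan_summary() {
  grep -E '^(Plan: |No changes\.)' | tail -n 1
}

# Return 0 only when the summary line describes a benign change set:
# nothing to add and nothing to destroy (in-place updates are allowed).
# Anything unparseable is treated as NOT benign, so a malformed or missing
# summary can never wave an apply through.
plan_is_benign() {
  line="$1"
  case "$line" in
    *"No changes."*) return 0 ;;
    Plan:*) ;;
    *) return 1 ;;
  esac
  # `.*[^0-9]` anchors the group to the whole number immediately before the
  # keyword, so "10 to add" yields 10 and an "N to import," prefix is skipped.
  add=$(printf '%s\n' "$line" | sed -n 's/.*[^0-9]\([0-9][0-9]*\) to add.*/\1/p')
  destroy=$(printf '%s\n' "$line" | sed -n 's/.*[^0-9]\([0-9][0-9]*\) to destroy.*/\1/p')
  [ -n "$add" ] && [ -n "$destroy" ] || return 1
  [ "$add" -eq 0 ] && [ "$destroy" -eq 0 ]
}

# Constructed sample summaries matching the figures in the commit message.
PRE_IMPORT='Plan: 3 to add, 2 to change, 0 to destroy.'
POST_IMPORT='Plan: 0 to add, 3 to change, 0 to destroy.'

# Manual usage (not executed here):
#   import_commands | sh
#   summary=$(terragrunt plan -no-color | plan_summary)
#   plan_is_benign "$summary" || { echo "refusing to apply: $summary" >&2; exit 1; }
#   terragrunt apply
```

The gate deliberately allows `to change` but not `to add` or `to destroy`: after an import of resources that already exist, a plan that still wants to create or delete something means the declaration and the live object do not match, and applying would either duplicate or remove a running cluster resource.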


@ -0,0 +1,10 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
data "vault_kv_secret_v2" "cf_platform" {
mount = "secret"
name = "platform"
}
provider "cloudflare" {
api_key = data.vault_kv_secret_v2.cf_platform.data["cloudflare_api_key"]
email = "vbarzin@gmail.com"
}
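Review bot: the generated `provider "cloudflare"` block authenticates with the legacy global `api_key` plus account `email`, which carries full-account scope and commits a personal address to the repository; prefer the provider's `api_token` argument with a token scoped to the zones and permissions this stack needs, read from the same Vault path, e.g. `api_token = data.vault_kv_secret_v2.cf_platform.data["cloudflare_api_token"]`. Separately, the file is marked `# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa`, and the commit message (a kyverno state import) never mentions Cloudflare provider files: if Terragrunt regenerates this on every run, tracking it will churn, so either exclude generated files from the repo or say in the message why these two are being committed.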


@ -0,0 +1,10 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
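Review bot: this `locals.tiers` map carries the same Terragrunt signature as the provider file, so it is emitted from a `generate` block rather than hand-written; the tier names it pins ("1-cluster" is the "Tier 1" the commit message refers to) should be documented at that source of truth, and a brief comment in the generate block saying which stacks consume `local.tiers` would make the mapping reviewable without grepping the generated copies.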