fix(dbaas,vault): fix backup CronJob failures and mysql-operator memory

- Add docker.io/library/ prefix to mysql and postgres backup images to satisfy Kyverno require-trusted-registries policy (both CronJobs were blocked for 46h, triggering MySQLBackupStale alert) - Document mysql-operator chart ignoring resources values key — the LimitRange default (256Mi) was silently applied, putting the operator at 97% memory. Patched live to 512Mi via kubectl. - Increase vault-raft-backup backoff_limit to 6 for transient failures (also fixed NFS export: vault-backup was a separate ZFS dataset not in the TrueNAS NFS share — destroyed dataset, created directory)
2026-03-19 23:26:05 +00:00 · 2026-03-19 23:26:05 +00:00 · e823b795f7
commit e823b795f7
parent 250a058627
2 changed files with 10 additions and 4 deletions
--- a/stacks/dbaas/modules/dbaas/main.tf
+++ b/stacks/dbaas/modules/dbaas/main.tf
@ -74,14 +74,19 @@ resource "helm_release" "mysql_operator" {
  chart      = "mysql-operator"
  version    = "2.2.7"

+  # NOTE: The mysql-operator chart (2.2.7) does NOT expose a resources values key.
+  # The resources block below is ignored by the chart. Without explicit resources
+  # on the deployment, the LimitRange default (256Mi) applies silently.
+  # Fix: kubectl patch deployment mysql-operator -n mysql-operator --type=json \
+  #   -p='[{"op":"replace","path":"/spec/template/spec/containers/0/resources","value":{"requests":{"cpu":"100m","memory":"256Mi"},"limits":{"memory":"512Mi"}}}]'
  values = [yamlencode({
    resources = {
      requests = {
        cpu    = "100m"
-        memory = "512Mi"
+        memory = "256Mi"
      }
      limits = {
-        memory = "580Mi"
+        memory = "512Mi"
      }
    }
  })]
@ -323,7 +328,7 @@ resource "kubernetes_cron_job_v1" "mysql-backup" {
          spec {
            container {
              name  = "mysql-backup"
-              image = "mysql"
+              image = "docker.io/library/mysql:8.0"
              env {
                name = "MYSQL_PWD"
                value_from {
@ -1059,7 +1064,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
          spec {
            container {
              name  = "postgresql-backup"
-              image = "postgres:16.4-bullseye"
+              image = "docker.io/library/postgres:16.4-bullseye"
              env {
                name = "PGPASSWORD"
                value_from {
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@ -256,6 +256,7 @@ resource "kubernetes_cron_job_v1" "vault_backup" {
    job_template {
      metadata {}
      spec {
+        backoff_limit = 6
        template {
          metadata {}
          spec {