From eb99ee5635ec051a9672baedf604a205b1d38dcd Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Sat, 16 May 2026 23:10:38 +0000 Subject: [PATCH] Bucket A retrigger + Bucket D enrollment (5 module-nested stacks) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After fixing the postgresql-lb MetalLB flap (deleted stuck ServiceL2Status CR l2-rgt9d), Tier 1 CI can apply again. Combined commit: * Bucket A (16 stacks): re-append CI retrigger marker so the previously-pending applies pick up: blog calico cyberchef descheduler f1-stream homepage jsoncrack k8s-dashboard k8s-version-upgrade kms local-path osm_routing real-estate-crawler travel_blog vault webhook_handler * Bucket D (5 module-nested stacks): keel.sh/enrolled label on namespace + KYVERNO_LIFECYCLE_V2 on Deployments inside the module: postiz instagram-poster k8s-portal uptime-kuma vaultwarden Bucket C (raw-deploy apps without V1 marker on their Deployment lifecycles) deferred — needs per-Deployment lifecycle block additions that the bulk script can't safely automate: beads-server immich llama-cpp novelapp plotting-book trading-bot Co-Authored-By: Claude Opus 4.7 --- stacks/blog/main.tf | 2 ++ stacks/calico/main.tf | 2 ++ stacks/cyberchef/main.tf | 2 ++ stacks/descheduler/main.tf | 2 ++ stacks/f1-stream/main.tf | 2 ++ stacks/homepage/main.tf | 2 ++ .../modules/instagram-poster/main.tf | 8 +++++++- stacks/jsoncrack/main.tf | 2 ++ stacks/k8s-dashboard/main.tf | 2 ++ stacks/k8s-portal/modules/k8s-portal/main.tf | 1 + stacks/k8s-version-upgrade/main.tf | 2 ++ stacks/kms/main.tf | 2 ++ stacks/local-path/main.tf | 2 ++ stacks/osm_routing/main.tf | 2 ++ stacks/postiz/modules/postiz/main.tf | 15 +++++++++++++-- stacks/real-estate-crawler/main.tf | 2 ++ stacks/travel_blog/main.tf | 2 ++ stacks/uptime-kuma/modules/uptime-kuma/main.tf | 9 +++++++-- stacks/vault/main.tf | 2 ++ stacks/vaultwarden/modules/vaultwarden/main.tf | 9 +++++++-- stacks/webhook_handler/main.tf | 2 ++ 21 files changed, 67 insertions(+), 7 deletions(-) 
diff --git a/stacks/blog/main.tf b/stacks/blog/main.tf index 4701f953..de39bd16 100644 --- a/stacks/blog/main.tf +++ b/stacks/blog/main.tf @@ -169,3 +169,5 @@ module "ingress-www" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/calico/main.tf b/stacks/calico/main.tf index 38a3d1cd..09b14621 100644 --- a/stacks/calico/main.tf +++ b/stacks/calico/main.tf @@ -75,3 +75,5 @@ resource "kubernetes_namespace" "tigera_operator" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/cyberchef/main.tf b/stacks/cyberchef/main.tf index 52e0181f..58909a18 100644 --- a/stacks/cyberchef/main.tf +++ b/stacks/cyberchef/main.tf @@ -144,3 +144,5 @@ module "ingress" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/descheduler/main.tf b/stacks/descheduler/main.tf index 9ae48b0b..5bcd5ff5 100644 --- a/stacks/descheduler/main.tf +++ b/stacks/descheduler/main.tf @@ -102,3 +102,5 @@ resource "helm_release" "descheduler" { # rename me # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index 02f1c1c6..d29f5aa6 100644 --- a/stacks/f1-stream/main.tf +++ b/stacks/f1-stream/main.tf @@ -314,3 +314,5 @@ module "ingress" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/homepage/main.tf b/stacks/homepage/main.tf index 6887e7a6..58a3cc0c 100644 --- a/stacks/homepage/main.tf +++ b/stacks/homepage/main.tf @@ -177,3 +177,5 @@ module "ingress" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z 
diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf index 2308f7b1..c5c133fe 100644 --- a/stacks/instagram-poster/modules/instagram-poster/main.tf +++ b/stacks/instagram-poster/modules/instagram-poster/main.tf @@ -15,6 +15,7 @@ resource "kubernetes_namespace" "instagram_poster" { labels = { tier = var.tier "istio-injection" = "disabled" + "keel.sh/enrolled" = "true" } } lifecycle { @@ -361,7 +362,12 @@ resource "kubernetes_deployment" "instagram_poster" { } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } depends_on = [ diff --git a/stacks/jsoncrack/main.tf b/stacks/jsoncrack/main.tf index 0ed01454..55a4b503 100644 --- a/stacks/jsoncrack/main.tf +++ b/stacks/jsoncrack/main.tf @@ -124,3 +124,5 @@ module "ingress" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/k8s-dashboard/main.tf b/stacks/k8s-dashboard/main.tf index 676db18a..39f4c4a0 100644 --- a/stacks/k8s-dashboard/main.tf +++ b/stacks/k8s-dashboard/main.tf @@ -254,3 +254,5 @@ resource "kubernetes_secret" "kubernetes-dashboard-viewonly-token" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/k8s-portal/modules/k8s-portal/main.tf b/stacks/k8s-portal/modules/k8s-portal/main.tf index 96825174..60057635 100644 --- a/stacks/k8s-portal/modules/k8s-portal/main.tf +++ b/stacks/k8s-portal/modules/k8s-portal/main.tf 
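Review bot: In the `kubernetes_deployment.instagram_poster` lifecycle hunk, the three `keel.sh/*` entries are ignored without saying who writes them. The `# KYVERNO_LIFECYCLE_V2` tag also sits only on the `pollSchedule` line, so the `policy` and `trigger` lines read as untagged. Once these keys are in `ignore_changes`, `terraform plan` stops reporting any edit to the image-update policy on this Deployment, so the owner should be named in place with a comment above the list, e.g. `# KYVERNO_LIFECYCLE_V2: keel.sh/policy, trigger and pollSchedule are set by <policy name> for namespaces labelled keel.sh/enrolled; review them there, plan output will not show changes`. The policy is not visible in this patch, so that wording needs confirming. The same applies to the lifecycle hunks in postiz, uptime-kuma and vaultwarden, and the Deployment body starts outside the hunk.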
@@ -10,6 +10,7 @@ resource "kubernetes_namespace" "k8s_portal" { name = "k8s-portal" labels = { tier = var.tier + "keel.sh/enrolled" = "true" } } lifecycle { diff --git a/stacks/k8s-version-upgrade/main.tf b/stacks/k8s-version-upgrade/main.tf index 3467669f..4bb4ddcb 100644 --- a/stacks/k8s-version-upgrade/main.tf +++ b/stacks/k8s-version-upgrade/main.tf @@ -466,3 +466,5 @@ resource "kubernetes_cron_job_v1" "k8s_version_check" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index fba094f0..fe824914 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -350,3 +350,5 @@ resource "kubernetes_service" "windows_kms" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/local-path/main.tf b/stacks/local-path/main.tf index fcbf4a4e..db39c78d 100644 --- a/stacks/local-path/main.tf +++ b/stacks/local-path/main.tf @@ -201,3 +201,5 @@ resource "kubernetes_deployment" "local_path_provisioner" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/osm_routing/main.tf b/stacks/osm_routing/main.tf index 2711ba3a..f81fa5cc 100644 --- a/stacks/osm_routing/main.tf +++ b/stacks/osm_routing/main.tf @@ -330,3 +330,5 @@ resource "kubernetes_service" "otp" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf index 4740703c..485729b6 100644 --- a/stacks/postiz/modules/postiz/main.tf +++ b/stacks/postiz/modules/postiz/main.tf @@ -22,6 +22,7 @@ resource "kubernetes_namespace" "postiz" { name = var.namespace labels = { tier = var.tier + "keel.sh/enrolled" = "true" } } lifecycle { 
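Review bot: The k8s-portal module gets the `"keel.sh/enrolled" = "true"` namespace label but, unlike the other four Bucket D modules, no matching `ignore_changes` addition; this is the only hunk for the file and the diffstat shows one added line. If the Deployment in this module does not already ignore the Keel annotations, each apply will presumably show them as drift and strip them, undoing the enrollment. The Deployment is outside this hunk, so this needs checking against the file. If it is missing, add the same entries used elsewhere in the commit: `metadata[0].annotations["keel.sh/policy"],`, `metadata[0].annotations["keel.sh/trigger"],` and `metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2`.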
@@ -409,7 +410,12 @@ resource "kubernetes_deployment" "temporal" { } } lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } depends_on = [helm_release.postiz] } @@ -580,7 +586,12 @@ resource "kubernetes_job" "temporal_search_attr_cleanup" { } wait_for_completion = false lifecycle { - ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1 + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } depends_on = [kubernetes_deployment.temporal] } diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index a9ad967c..90b1255b 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf @@ -653,3 +653,5 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/travel_blog/main.tf b/stacks/travel_blog/main.tf index f086f9b0..aa07ede4 100644 --- a/stacks/travel_blog/main.tf +++ b/stacks/travel_blog/main.tf @@ -141,3 +141,5 @@ module "ingress" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/uptime-kuma/modules/uptime-kuma/main.tf b/stacks/uptime-kuma/modules/uptime-kuma/main.tf index b3e71e18..f62ea402 100644 --- a/stacks/uptime-kuma/modules/uptime-kuma/main.tf +++ b/stacks/uptime-kuma/modules/uptime-kuma/main.tf 
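Review bot: The third postiz hunk adds the Keel annotation ignores to `kubernetes_job.temporal_search_attr_cleanup`, a Job, while the commit message scopes `KYVERNO_LIFECYCLE_V2` to Deployments. As far as I know Keel does not manage bare Jobs, so these entries are likely dead configuration from the bulk script. The V2 marker will also make a later grep-based audit count this Job as enrolled. Unless the Kyverno policy really does annotate Jobs, keep the original single line here: `ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1`. The Job body starts outside the hunk.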
@@ -27,6 +27,7 @@ resource "kubernetes_namespace" "uptime-kuma" { name = "uptime-kuma" labels = { tier = var.tier + "keel.sh/enrolled" = "true" } # labels = { # "istio-injection" : "enabled" @@ -164,8 +165,12 @@ resource "kubernetes_deployment" "uptime-kuma" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } resource "kubernetes_service" "uptime-kuma" { diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf index 978685a5..0abfe8e5 100644 --- a/stacks/vault/main.tf +++ b/stacks/vault/main.tf @@ -1085,3 +1085,5 @@ resource "vault_kubernetes_secret_backend_role" "user_deployer" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z diff --git a/stacks/vaultwarden/modules/vaultwarden/main.tf b/stacks/vaultwarden/modules/vaultwarden/main.tf index 2ad070f6..f3a90523 100644 --- a/stacks/vaultwarden/modules/vaultwarden/main.tf +++ b/stacks/vaultwarden/modules/vaultwarden/main.tf @@ -10,6 +10,7 @@ resource "kubernetes_namespace" "vaultwarden" { labels = { "istio-injection" : "disabled" tier = var.tier + "keel.sh/enrolled" = "true" } } lifecycle { @@ -176,8 +177,12 @@ resource "kubernetes_deployment" "vaultwarden" { } } lifecycle { - # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2 - ignore_changes = [spec[0].template[0].spec[0].dns_config] + ignore_changes = [ + spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1 + metadata[0].annotations["keel.sh/policy"], + metadata[0].annotations["keel.sh/trigger"], + metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 + ] } } 
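Review bot: The `kubernetes_deployment.uptime-kuma` lifecycle hunk deletes the only explanation of why `dns_config` is ignored and replaces it with a bare marker. Keep the sentence next to the entry it describes, e.g. `# KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2` on the line above `spec[0].template[0].spec[0].dns_config,`. The second vaultwarden hunk removes the same comment and should restore it the same way. A one-line explanation of what sets the three `keel.sh/*` annotations belongs beside the V2 marker for the same reason.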
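Review bot: Adding `"keel.sh/enrolled" = "true"` to the vaultwarden namespace presumably opts the password manager into automated image updates, and nothing in this patch shows which update policy it will get. Because the second vaultwarden hunk also hides the `keel.sh/policy` annotation from Terraform, the effective policy will not appear in plan output. For a service holding credentials, confirm that the injected policy is narrow (Keel's `patch` rather than `all` or `force`) and that the image source is one you trust to move tags. Record that decision in a comment on the label line, e.g. `# enrolled in Keel auto-update; policy injected by <policy name>, restricted to <level>`.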
diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf index 8178a9f7..130f2469 100644 --- a/stacks/webhook_handler/main.tf +++ b/stacks/webhook_handler/main.tf @@ -318,3 +318,5 @@ resource "kubernetes_manifest" "external_secret" { # CI retrigger v3 2026-05-16T14:06:39Z # CI retrigger v4 2026-05-16T14:13:59Z + +# CI retrigger v5 2026-05-16T23:10:38Z