[ci skip] fix MySQL cluster RBAC, Kyverno policy bugs, Nextcloud memory

- dbaas: add mysql-sidecar-extra ClusterRole for namespaces/CRD list/watch needed by kopf framework in sidecar containers - kyverno: restrict inject-priority-class-from-tier to CREATE operations only (was blocking pod patches with immutable spec error) - kyverno: add resource-governance/custom-limitrange label opt-out to LimitRange generation policy (mirrors existing custom-quota) - nextcloud: bump memory limit 4Gi -> 6Gi, add custom LimitRange with 8Gi max, opt out of Kyverno-managed LimitRange
2026-03-01 17:16:03 +00:00 · 2026-03-01 17:16:03 +00:00 · f2678d3494
commit f2678d3494
parent f491073cca
4 changed files with 131 additions and 4 deletions
--- a/stacks/nextcloud/chart_values.yaml
+++ b/stacks/nextcloud/chart_values.yaml
@ -64,7 +64,7 @@ collabora:
 resources:
  limits:
    cpu: "2"
-    memory: 4Gi
+    memory: 6Gi
  requests:
    cpu: 100m
    memory: 1Gi
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -16,7 +16,32 @@ resource "kubernetes_namespace" "nextcloud" {
    name = "nextcloud"
    labels = {
      "istio-injection" : "disabled"
-      tier = local.tiers.edge
+      tier                                     = local.tiers.edge
+      "resource-governance/custom-limitrange" = "true"
+    }
+  }
+}
+
+resource "kubernetes_limit_range" "nextcloud" {
+  metadata {
+    name      = "nextcloud-limits"
+    namespace = kubernetes_namespace.nextcloud.metadata[0].name
+  }
+  spec {
+    limit {
+      type = "Container"
+      default = {
+        cpu    = "250m"
+        memory = "256Mi"
+      }
+      default_request = {
+        cpu    = "25m"
+        memory = "64Mi"
+      }
+      max = {
+        cpu    = "4"
+        memory = "8Gi"
+      }
    }
  }
 }
--- a/stacks/platform/modules/dbaas/main.tf
+++ b/stacks/platform/modules/dbaas/main.tf
@ -64,6 +64,42 @@ resource "helm_release" "mysql_operator" {
  version    = "2.2.7"
 }

+# The mysql-sidecar ClusterRole created by the Helm chart is missing
+# namespace and CRD list/watch permissions needed by the kopf framework
+# in the sidecar container. Without these, the sidecar enters degraded
+# mode and never completes InnoDB cluster join operations.
+resource "kubernetes_cluster_role" "mysql_sidecar_extra" {
+  metadata {
+    name = "mysql-sidecar-extra"
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["namespaces"]
+    verbs      = ["list", "watch"]
+  }
+  rule {
+    api_groups = ["apiextensions.k8s.io"]
+    resources  = ["customresourcedefinitions"]
+    verbs      = ["list", "watch"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "mysql_sidecar_extra" {
+  metadata {
+    name = "mysql-sidecar-extra"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.mysql_sidecar_extra.metadata[0].name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "mysql-cluster-sa"
+    namespace = kubernetes_namespace.dbaas.metadata[0].name
+  }
+}
+
 resource "helm_release" "mysql_cluster" {
  namespace        = kubernetes_namespace.dbaas.metadata[0].name
  create_namespace = false
--- a/stacks/platform/modules/kyverno/resource-governance.tf
+++ b/stacks/platform/modules/kyverno/resource-governance.tf
@ -82,7 +82,7 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
      name = "generate-limitrange-by-tier"
      annotations = {
        "policies.kyverno.io/title"       = "Generate LimitRange by Tier"
-        "policies.kyverno.io/description" = "Creates tier-appropriate LimitRange defaults in namespaces based on their tier label. Only affects containers without explicit resource specifications."
+        "policies.kyverno.io/description" = "Creates tier-appropriate LimitRange defaults in namespaces based on their tier label. Only affects containers without explicit resource specifications. Excludes namespaces with resource-governance/custom-limitrange label."
      }
    }
    spec = {
@ -105,6 +105,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
              }
            ]
          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
          generate = {
            synchronize = true
            apiVersion  = "v1"
@ -151,6 +164,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
              }
            ]
          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
          generate = {
            synchronize = true
            apiVersion  = "v1"
@ -197,6 +223,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
              }
            ]
          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
          generate = {
            synchronize = true
            apiVersion  = "v1"
@ -243,6 +282,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
              }
            ]
          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
          generate = {
            synchronize = true
            apiVersion  = "v1"
@ -289,6 +341,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
              }
            ]
          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
          generate = {
            synchronize = true
            apiVersion  = "v1"
@ -686,7 +751,8 @@ resource "kubernetes_manifest" "mutate_priority_from_tier" {
          any = [
            {
              resources = {
-                kinds = ["Pod"]
+                kinds      = ["Pod"]
+                operations = ["CREATE"]
                namespaceSelector = {
                  matchLabels = {
                    tier = tier