From f2678d3494b463dc2f5ffd8ef2d751f52cec7de6 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 1 Mar 2026 17:16:03 +0000
Subject: [PATCH] [ci skip] fix MySQL cluster RBAC, Kyverno policy bugs, Nextcloud memory

- dbaas: add mysql-sidecar-extra ClusterRole for namespaces/CRD list/watch needed by kopf framework in sidecar containers
- kyverno: restrict inject-priority-class-from-tier to CREATE operations only (was blocking pod patches with immutable spec error)
- kyverno: add resource-governance/custom-limitrange label opt-out to LimitRange generation policy (mirrors existing custom-quota)
- nextcloud: bump memory limit 4Gi -> 6Gi, add custom LimitRange with 8Gi max, opt out of Kyverno-managed LimitRange
---
 stacks/nextcloud/chart_values.yaml | 2 +-
 stacks/nextcloud/main.tf | 27 ++++++++-
 stacks/platform/modules/dbaas/main.tf | 36 ++++++++++
 .../modules/kyverno/resource-governance.tf | 70 ++++++++++++++++++-
 4 files changed, 131 insertions(+), 4 deletions(-)

diff --git a/stacks/nextcloud/chart_values.yaml b/stacks/nextcloud/chart_values.yaml
index 61b8245d..458a2b0b 100644
--- a/stacks/nextcloud/chart_values.yaml
+++ b/stacks/nextcloud/chart_values.yaml
@@ -64,7 +64,7 @@ collabora:
 resources:
 limits:
 cpu: "2"
- memory: 4Gi
+ memory: 6Gi
 requests:
 cpu: 100m
 memory: 1Gi
diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf
index b3c1a757..4aec6687 100644
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@@ -16,7 +16,32 @@ resource "kubernetes_namespace" "nextcloud" {
 name = "nextcloud"
 labels = {
 "istio-injection" : "disabled"
- tier = local.tiers.edge
+ tier = local.tiers.edge
+ "resource-governance/custom-limitrange" = "true"
+ }
+ }
+}
+
+resource "kubernetes_limit_range" "nextcloud" {
+ metadata {
+ name = "nextcloud-limits"
+ namespace = kubernetes_namespace.nextcloud.metadata[0].name
+ }
+ spec {
+ limit {
+ type = "Container"
+ default = {
+ cpu = "250m"
+ memory = "256Mi"
+ }
+ default_request = {
+ cpu = "25m"
+ memory = "64Mi"
+ }
+ max = {
+ cpu = "4"
+ memory = "8Gi"
+ }
 }
 }
 }
diff --git a/stacks/platform/modules/dbaas/main.tf b/stacks/platform/modules/dbaas/main.tf
index 540aeca4..dea3a43c 100644
--- a/stacks/platform/modules/dbaas/main.tf
+++ b/stacks/platform/modules/dbaas/main.tf
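Review bot: The new `kubernetes_limit_range` only replaces the tier LimitRange if the Kyverno-generated object is actually removed from the namespace; Kubernetes enforces every LimitRange present, so a lingering generated one with a lower `max` would still reject the 6Gi Collabora limit this commit also sets. Whether a `synchronize = true` generate rule deletes its downstream when the trigger namespace stops matching is not visible here, so verify after apply that `nextcloud` holds a single LimitRange and add `# replaces the Kyverno-generated tier LimitRange; confirm the generated object is gone` above the resource. The `limit` block sets `default`, `default_request` and `max` but no `min`, so nothing stops a container from requesting near-zero resources; if that is deliberate, a one-line comment saying so would save the next reader from adding one. The enclosing `kubernetes_namespace` resource begins before the hunk.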
@@ -64,6 +64,42 @@ resource "helm_release" "mysql_operator" {
 version = "2.2.7"
 }
 
+# The mysql-sidecar ClusterRole created by the Helm chart is missing
+# namespace and CRD list/watch permissions needed by the kopf framework
+# in the sidecar container. Without these, the sidecar enters degraded
+# mode and never completes InnoDB cluster join operations.
+resource "kubernetes_cluster_role" "mysql_sidecar_extra" {
+ metadata {
+ name = "mysql-sidecar-extra"
+ }
+ rule {
+ api_groups = [""]
+ resources = ["namespaces"]
+ verbs = ["list", "watch"]
+ }
+ rule {
+ api_groups = ["apiextensions.k8s.io"]
+ resources = ["customresourcedefinitions"]
+ verbs = ["list", "watch"]
+ }
+}
+
+resource "kubernetes_cluster_role_binding" "mysql_sidecar_extra" {
+ metadata {
+ name = "mysql-sidecar-extra"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role.mysql_sidecar_extra.metadata[0].name
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "mysql-cluster-sa"
+ namespace = kubernetes_namespace.dbaas.metadata[0].name
+ }
+}
+
 resource "helm_release" "mysql_cluster" {
 namespace = kubernetes_namespace.dbaas.metadata[0].name
 create_namespace = false
diff --git a/stacks/platform/modules/kyverno/resource-governance.tf b/stacks/platform/modules/kyverno/resource-governance.tf
index e6244d80..5183dbc0 100644
--- a/stacks/platform/modules/kyverno/resource-governance.tf
+++ b/stacks/platform/modules/kyverno/resource-governance.tf
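Review bot: The `subject` of the new ClusterRoleBinding is the hard-coded ServiceAccount name `mysql-cluster-sa`, which is not derived from the `helm_release.mysql_cluster` that follows; RBAC does not validate that a subject exists, so if the chart names or renames its SA differently the binding silently grants nothing and the sidecar is back in the degraded state the header comment describes. Either feed the name from the chart values or add `# must match the serviceAccountName used by helm_release.mysql_cluster` beside it so the coupling is visible. The grant is read-only and narrow, but it is necessarily cluster-wide—Namespaces and CRDs are cluster-scoped, so no RoleBinding can cover them—and `list`/`watch` on `namespaces` lets a database sidecar enumerate every namespace and its labels; that trade-off belongs in the header comment, and if the operator's kopf sidecar can be pinned to a single namespace (not visible here) the `namespaces` rule may be avoidable altogether.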
@@ -82,7 +82,7 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 name = "generate-limitrange-by-tier"
 annotations = {
 "policies.kyverno.io/title" = "Generate LimitRange by Tier"
- "policies.kyverno.io/description" = "Creates tier-appropriate LimitRange defaults in namespaces based on their tier label. Only affects containers without explicit resource specifications."
+ "policies.kyverno.io/description" = "Creates tier-appropriate LimitRange defaults in namespaces based on their tier label. Only affects containers without explicit resource specifications. Excludes namespaces with resource-governance/custom-limitrange label."
 }
 }
 spec = {
@@ -105,6 +105,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 }
 ]
 }
+ exclude = {
+ any = [
+ {
+ resources = {
+ selector = {
+ matchLabels = {
+ "resource-governance/custom-limitrange" = "true"
+ }
+ }
+ }
+ }
+ ]
+ }
 generate = {
 synchronize = true
 apiVersion = "v1"
@@ -151,6 +164,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 }
 ]
 }
+ exclude = {
+ any = [
+ {
+ resources = {
+ selector = {
+ matchLabels = {
+ "resource-governance/custom-limitrange" = "true"
+ }
+ }
+ }
+ }
+ ]
+ }
 generate = {
 synchronize = true
 apiVersion = "v1"
@@ -197,6 +223,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 }
 ]
 }
+ exclude = {
+ any = [
+ {
+ resources = {
+ selector = {
+ matchLabels = {
+ "resource-governance/custom-limitrange" = "true"
+ }
+ }
+ }
+ }
+ ]
+ }
 generate = {
 synchronize = true
 apiVersion = "v1"
@@ -243,6 +282,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 }
 ]
 }
+ exclude = {
+ any = [
+ {
+ resources = {
+ selector = {
+ matchLabels = {
+ "resource-governance/custom-limitrange" = "true"
+ }
+ }
+ }
+ }
+ ]
+ }
 generate = {
 synchronize = true
 apiVersion = "v1"
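Review bot: The new `exclude` keys the opt-out on a single Namespace label with no companion check, so any principal with `update`/`patch` on namespaces can set `resource-governance/custom-limitrange=true` and leave the namespace with no LimitRange at all—the generate rule stops, but nothing asserts that a replacement exists. If that mirrors how the existing `custom-quota` opt-out behaves it is at least consistent, but a `validate` rule (Audit mode is enough to start) that flags labelled namespaces without a LimitRange would close the gap, and the description annotation should say that the label transfers responsibility for limits to the namespace owner. On style, the identical thirteen-line `exclude` block is now pasted into four rules on this line alone; lifting it into `locals` as `custom_limitrange_exclude = { any = [ ... ] }` and writing `exclude = local.custom_limitrange_exclude` in each rule keeps the copies from drifting. The enclosing `generate_limitrange_by_tier` resource begins and ends outside these hunks.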
@@ -289,6 +341,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 }
 ]
 }
+ exclude = {
+ any = [
+ {
+ resources = {
+ selector = {
+ matchLabels = {
+ "resource-governance/custom-limitrange" = "true"
+ }
+ }
+ }
+ }
+ ]
+ }
 generate = {
 synchronize = true
 apiVersion = "v1"
@@ -686,7 +751,8 @@ resource "kubernetes_manifest" "mutate_priority_from_tier" {
 any = [
 {
 resources = {
- kinds = ["Pod"]
+ kinds = ["Pod"]
+ operations = ["CREATE"]
 namespaceSelector = {
 matchLabels = {
 tier = tier
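Review bot: Limiting the mutation to `operations = ["CREATE"]` is the right fix for an immutable field, but the reason is recorded only in the commit message, and the next person tuning this rule is likely to add `UPDATE` back when they notice existing pods are never re-classified; add `# priorityClassName is immutable after admission, so mutating on UPDATE rejects every pod patch` next to the new line. It is also worth stating in the policy's description annotation that pods admitted before this rule keep whatever priority class they have until they are recreated, since the rule can no longer touch them. The enclosing `mutate_priority_from_tier` resource begins and ends outside the hunk.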