[ci skip] fix MySQL cluster RBAC, Kyverno policy bugs, Nextcloud memory

- dbaas: add mysql-sidecar-extra ClusterRole for namespaces/CRD list/watch needed by kopf framework in sidecar containers - kyverno: restrict inject-priority-class-from-tier to CREATE operations only (was blocking pod patches with immutable spec error) - kyverno: add resource-governance/custom-limitrange label opt-out to LimitRange generation policy (mirrors existing custom-quota) - nextcloud: bump memory limit 4Gi -> 6Gi, add custom LimitRange with 8Gi max, opt out of Kyverno-managed LimitRange
2026-03-01 17:16:03 +00:00 · 2026-03-01 17:16:03 +00:00 · f2678d3494
commit f2678d3494
parent f491073cca
4 changed files with 131 additions and 4 deletions
--- a/stacks/nextcloud/chart_values.yaml
+++ b/stacks/nextcloud/chart_values.yaml
@ -64,7 +64,7 @@ collabora:
 resources:
  limits:
    cpu: "2"
-    memory: 4Gi
+    memory: 6Gi
  requests:
    cpu: 100m
    memory: 1Gi
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -16,7 +16,32 @@ resource "kubernetes_namespace" "nextcloud" {
    name = "nextcloud"
    labels = {
      "istio-injection" : "disabled"
-      tier = local.tiers.edge
+      tier                                     = local.tiers.edge
+      "resource-governance/custom-limitrange" = "true"
+    }
+  }
+}
+
+resource "kubernetes_limit_range" "nextcloud" {
+  metadata {
+    name      = "nextcloud-limits"
+    namespace = kubernetes_namespace.nextcloud.metadata[0].name
+  }
+  spec {
+    limit {
+      type = "Container"
+      default = {
+        cpu    = "250m"
+        memory = "256Mi"
+      }
+      default_request = {
+        cpu    = "25m"
+        memory = "64Mi"
+      }
+      max = {
+        cpu    = "4"
+        memory = "8Gi"
+      }
    }
  }
 }