[ci skip] switch VPA from Auto to Initial mode for Terraform compatibility

VPA Auto mode modifies Deployment specs at runtime, causing conflicts with Terraform on every apply (drift -> reset -> VPA evict loop). Initial mode only mutates Pod resource requests at creation time via the admission webhook, leaving the Deployment spec unchanged. This means terraform plan shows no drift while pods still get VPA-optimized resources on every restart. - 171 VPAs switched from Auto to Initial - 20 VPAs remain Off (tier-0 critical services) - Goldilocks dashboard continues to show recommendations
2026-02-28 22:43:29 +00:00 · 2026-02-28 22:43:29 +00:00 · f9a4823ccc
commit f9a4823ccc
parent f64c979ba5
1 changed files with 4 additions and 3 deletions
--- a/stacks/platform/modules/vpa/main.tf
+++ b/stacks/platform/modules/vpa/main.tf
@ -133,9 +133,10 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
            }
          }
        },
-        # All other namespaces: auto mode
+        # All other namespaces: initial mode (compatible with Terraform —
+        # VPA mutates pods at creation, not the deployment spec)
        {
-          name = "label-vpa-auto-default"
+          name = "label-vpa-initial-default"
          match = {
            any = [
              {
@ -162,7 +163,7 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
            patchStrategicMerge = {
              metadata = {
                labels = {
-                  "goldilocks.fairwinds.com/vpa-update-mode" = "auto"
+                  "goldilocks.fairwinds.com/vpa-update-mode" = "initial"
                }
              }
            }