From f9a4823ccc17d49838a7fda2e21efda5226e6dd5 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 28 Feb 2026 22:43:29 +0000 Subject: [PATCH] [ci skip] switch VPA from Auto to Initial mode for Terraform compatibility VPA Auto mode modifies Deployment specs at runtime, causing conflicts with Terraform on every apply (drift -> reset -> VPA evict loop). Initial mode only mutates Pod resource requests at creation time via the admission webhook, leaving the Deployment spec unchanged. This means terraform plan shows no drift while pods still get VPA-optimized resources on every restart. - 171 VPAs switched from Auto to Initial - 20 VPAs remain Off (tier-0 critical services) - Goldilocks dashboard continues to show recommendations
---
stacks/platform/modules/vpa/main.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/stacks/platform/modules/vpa/main.tf b/stacks/platform/modules/vpa/main.tf
index 10c1776c..dadb0c40 100644
--- a/stacks/platform/modules/vpa/main.tf
+++ b/stacks/platform/modules/vpa/main.tf
@@ -133,9 +133,10 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
 }
 }
 },
- # All other namespaces: auto mode
+ # All other namespaces: initial mode (compatible with Terraform —
+ # VPA mutates pods at creation, not the deployment spec)
 {
- name = "label-vpa-auto-default"
+ name = "label-vpa-initial-default"
 match = {
 any = [
 {
@@ -162,7 +163,7 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
 patchStrategicMerge = {
 metadata = {
 labels = {
- "goldilocks.fairwinds.com/vpa-update-mode" = "auto"
+ "goldilocks.fairwinds.com/vpa-update-mode" = "initial"
 }
 }
 }
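Review bot: The new `"initial"` value on the `goldilocks.fairwinds.com/vpa-update-mode` label in the second hunk takes effect only when this rule is evaluated against a namespace, and nothing visible here shows that namespaces already labelled `auto` are re-evaluated. If the policy mutates only at admission, those namespaces would keep the old mode, and the eviction loop described in the commit message, until they are next updated. A comment beside the label would record the assumption, for example `# applied on namespace admission; namespaces already labelled "auto" need a re-label or background mutation`. The enclosing resource is still addressed as `vpa_auto_mode_label` in the hunk header, so a follow-up rename with a `moved` block would keep the Terraform address in line with the new behaviour. The resource body starts and ends outside both hunks, so the match and exclude conditions could not be checked.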