e5f6d16b2e
For Deployments enrolled in Keel with policy=patch, the image tag is updated by Keel as new patches release upstream. Without ignore_changes on the image field, terragrunt apply would fight Keel in an endless loop (TF reverts → Keel re-rolls → repeat — same shape as the calico/tigera-operator fight from earlier). Adding KEEL_IGNORE_IMAGE marker to the lifecycle of these stacks. Image string in TF becomes the initial seed; Keel rolls it forward. Stacks: actualbudget, broker-sync, changedetection, city-guesser, coturn, dashy, dawarich, diun, ebook2audiobook, ebooks, echo, excalidraw, foolery, forgejo, freedify. CI-driven self-hosted stacks (fire-planner, job-hunter, payslip-ingest, recruiter-responder, claude-agent-service, claude-memory) keep TF ownership of image and policy=never — their image_tag is set by CI via terragrunt.hcl inputs, not by Keel. Adding image to ignore_changes on those would break the CI deploy flow. Caveat: only container[0].image is added. Multi-container Deployments (immich, beads, etc.) will need additional container[N].image lines for any container Keel rolls. Those stacks are not currently enrolled. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
119 lines
2.8 KiB
HCL
119 lines
2.8 KiB
HCL
variable "tls_secret_name" {
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
|
|
resource "kubernetes_namespace" "echo" {
|
|
metadata {
|
|
name = "echo"
|
|
labels = {
|
|
"istio-injection" : "disabled"
|
|
tier = local.tiers.edge
|
|
"keel.sh/enrolled" = "true"
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
|
|
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
|
|
}
|
|
}
|
|
|
|
module "tls_secret" {
|
|
source = "../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.echo.metadata[0].name
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
resource "kubernetes_deployment" "echo" {
|
|
metadata {
|
|
name = "echo"
|
|
namespace = kubernetes_namespace.echo.metadata[0].name
|
|
labels = {
|
|
app = "echo"
|
|
tier = local.tiers.edge
|
|
}
|
|
}
|
|
spec {
|
|
replicas = 1
|
|
selector {
|
|
match_labels = {
|
|
app = "echo"
|
|
}
|
|
}
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "echo"
|
|
}
|
|
annotations = {
|
|
"diun.enable" = "true"
|
|
"diun.include_tags" = "^\\d+$"
|
|
}
|
|
}
|
|
spec {
|
|
container {
|
|
image = "mendhak/http-https-echo:36"
|
|
name = "echo"
|
|
port {
|
|
container_port = 8080
|
|
}
|
|
port {
|
|
container_port = 8443
|
|
}
|
|
resources {
|
|
requests = {
|
|
cpu = "10m"
|
|
memory = "128Mi"
|
|
}
|
|
limits = {
|
|
memory = "128Mi"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
lifecycle {
|
|
ignore_changes = [
|
|
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
|
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
|
|
metadata[0].annotations["keel.sh/policy"],
|
|
metadata[0].annotations["keel.sh/trigger"],
|
|
metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_service" "echo" {
|
|
metadata {
|
|
name = "echo"
|
|
namespace = kubernetes_namespace.echo.metadata[0].name
|
|
labels = {
|
|
"app" = "echo"
|
|
}
|
|
}
|
|
|
|
spec {
|
|
selector = {
|
|
app = "echo"
|
|
}
|
|
port {
|
|
name = "http"
|
|
port = "80"
|
|
target_port = "8080"
|
|
}
|
|
}
|
|
}
|
|
|
|
module "ingress" {
|
|
source = "../../modules/kubernetes/ingress_factory"
|
|
# echo is a header-reflecting diagnostic — public so it's reachable for
|
|
# forward-auth smoke-testing. Anyone visiting echo.viktorbarzin.me sees
|
|
# exactly which X-authentik-* headers Traefik forwarded to backends.
|
|
auth = "public"
|
|
dns_type = "proxied"
|
|
namespace = kubernetes_namespace.echo.metadata[0].name
|
|
name = "echo"
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|