viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/proxmox-csi/modules/proxmox-csi/main.tf
Viktor Barzin bcf22640b2 keel: enroll 11 more namespaces (operators + critical infra) 
Per user decision, removed authentik, kyverno, metallb-system,
external-secrets, proxmox-csi, nfs-csi, vpa, sealed-secrets,
infra-maintenance from the policy-level exclude list, and added
keel.sh/enrolled=true to aiostreams (alive — 1/1 Running, despite
being earlier flagged as scaled-to-0) and woodpecker.

Net cluster coverage: 197/227 workloads on safe-force (86%), up from
170/227 (74%). All 197 are paired with match-tag=true (digest-only).

Remaining 7 namespaces in Kyverno exclude list (irreducible):
- keel (self-update)
- calico-system + tigera-operator (operator-managed Installation CR)
- cnpg-system + dbaas (state-coupled)
- nvidia (chart-pinned at 570.195.03 per code-8vr0 until NVIDIA ships
  ubuntu26.04 driver images)
- kube-system (k8s built-ins)

Files:
- stacks/kyverno/modules/kyverno/keel-annotations.tf — exclude list
  trimmed from 16 → 7
- stacks/authentik, kyverno, proxmox-csi, nfs-csi, vpa, sealed-secrets,
  servarr/aiostreams, metallb (creates ns "metallb-system"), woodpecker —
  added keel.sh/enrolled=true label on kubernetes_namespace resource
- infra-maintenance was in the policy exclude but the namespace doesn't
  actually exist in the cluster; the removal is a no-op there

Applied via kubectl patch on the live ClusterPolicy + kubectl label on
namespaces because the kubernetes provider v3.1.0 panics on Kyverno
ClusterPolicy refresh — TF source has the desired state for next clean
apply on a fixed provider.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 20:59:14 +00:00

225 lines
6.6 KiB
HCL
Raw Blame History

resource "kubernetes_namespace" "proxmox_csi" {
metadata {
name = "proxmox-csi"
labels = {
tier = var.tier
"resource-governance/custom-quota" = "true"
"keel.sh/enrolled" = "true"
}
}
lifecycle {
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
}
}
resource "helm_release" "proxmox_csi" {
namespace = kubernetes_namespace.proxmox_csi.metadata[0].name
create_namespace = false
name = "proxmox-csi-plugin"
atomic = true
timeout = 300
repository = "oci://ghcr.io/sergelogvinov/charts"
chart = "proxmox-csi-plugin"
version = "0.5.6"
values = [yamlencode({
config = {
clusters = [{
url = var.proxmox_url
insecure = true
token_id = var.proxmox_token_id
token_secret = var.proxmox_token_secret
region = var.proxmox_cluster_name
}]
}
# StorageClass for block volumes on existing HDD thin pool.
# `resize.topolvm.io/enabled=true` opts the SC into pvc-autoresizer:
# without it, the controller filters this SC out and never patches its
# PVCs no matter how full they get. Required alongside the per-PVC
# threshold/increase/storage_limit annotations.
storageClass = [
{
name = "proxmox-lvm"
storage = "local-lvm"
reclaimPolicy = "Retain"
fstype = "ext4"
ssd = false
cache = "none"
volumeBindingMode = "WaitForFirstConsumer"
allowVolumeExpansion = true
annotations = {
"resize.topolvm.io/enabled" = "true"
}
},
{
name = "proxmox-lvm-encrypted"
storage = "local-lvm"
reclaimPolicy = "Retain"
fstype = "ext4"
ssd = false
cache = "none"
volumeBindingMode = "WaitForFirstConsumer"
allowVolumeExpansion = true
annotations = {
"resize.topolvm.io/enabled" = "true"
}
extraParameters = {
"csi.storage.k8s.io/node-stage-secret-name" = "proxmox-csi-encryption"
"csi.storage.k8s.io/node-stage-secret-namespace" = "kube-system"
"csi.storage.k8s.io/node-expand-secret-name" = "proxmox-csi-encryption"
"csi.storage.k8s.io/node-expand-secret-namespace" = "kube-system"
}
},
]
controller = {
replicas = 2
resources = {
requests = { cpu = "10m", memory = "32Mi" }
limits = { memory = "64Mi" }
}
}
# LUKS2 Argon2id key derivation needs ~1GiB memory
node = {
plugin = {
resources = {
requests = { cpu = "10m", memory = "64Mi" }
limits = { memory = "1280Mi" }
}
}
}
})]
}
# Topology labels on K8s nodes — required for Proxmox CSI to map nodes to Proxmox VMs.
# region = Proxmox cluster name, zone = Proxmox node name (where the VM runs).
# All our VMs run on the single Proxmox node "pve".
locals {
k8s_nodes = {
"k8s-master" = { vmid = 200, proxmox_node = "pve" }
"k8s-node1" = { vmid = 201, proxmox_node = "pve" }
"k8s-node2" = { vmid = 202, proxmox_node = "pve" }
"k8s-node3" = { vmid = 203, proxmox_node = "pve" }
"k8s-node4" = { vmid = 204, proxmox_node = "pve" }
}
}
resource "null_resource" "node_labels" {
for_each = local.k8s_nodes
provisioner "local-exec" {
command = <<-EOT
kubectl --kubeconfig=${var.kube_config_path} label node ${each.key} \
topology.kubernetes.io/region=${var.proxmox_cluster_name} \
topology.kubernetes.io/zone=${each.value.proxmox_node} \
node.csi.proxmox.sinextra.dev/name=${each.key} \
--overwrite
EOT
}
triggers = {
region = var.proxmox_cluster_name
zone = each.value.proxmox_node
}
}
# --- RBAC for PVE host snapshot restore script ---
# Provides kubectl access from the Proxmox host for the lvm-pvc-snapshot restore subcommand.
# Minimal permissions: read PVs/PVCs/Pods, scale Deployments/StatefulSets.
resource "kubernetes_service_account" "pve_snapshot_admin" {
metadata {
name = "pve-snapshot-admin"
namespace = "kube-system"
}
}
resource "kubernetes_secret" "pve_snapshot_admin_token" {
metadata {
name = "pve-snapshot-admin-token"
namespace = "kube-system"
annotations = {
"kubernetes.io/service-account.name" = kubernetes_service_account.pve_snapshot_admin.metadata[0].name
}
}
type = "kubernetes.io/service-account-token"
}
resource "kubernetes_cluster_role" "pve_snapshot_admin" {
metadata {
name = "pve-snapshot-admin"
}
rule {
api_groups = [""]
resources = ["persistentvolumes", "persistentvolumeclaims", "pods"]
verbs = ["get", "list"]
}
rule {
api_groups = ["apps"]
resources = ["deployments", "statefulsets", "replicasets"]
verbs = ["get", "list", "update", "patch"]
}
rule {
api_groups = ["apps"]
resources = ["deployments/scale", "statefulsets/scale"]
verbs = ["get", "update", "patch"]
}
}
resource "kubernetes_cluster_role_binding" "pve_snapshot_admin" {
metadata {
name = "pve-snapshot-admin"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = kubernetes_cluster_role.pve_snapshot_admin.metadata[0].name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.pve_snapshot_admin.metadata[0].name
namespace = "kube-system"
}
}
# --- ExternalSecret for LUKS encryption passphrase ---
# Creates K8s Secret "proxmox-csi-encryption" in kube-system from Vault KV.
# Referenced by the proxmox-lvm-encrypted StorageClass for node-stage and node-expand.
resource "kubernetes_manifest" "external_secret_encryption" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "proxmox-csi-encryption"
namespace = "kube-system"
}
spec = {
refreshInterval = "1h"
secretStoreRef = {
kind = "ClusterSecretStore"
name = "vault-kv"
}
target = {
name = "proxmox-csi-encryption"
creationPolicy = "Owner"
deletionPolicy = "Retain"
}
data = [{
secretKey = "encryption-passphrase"
remoteRef = {
key = "viktor"
property = "proxmox_csi_encryption_passphrase"
}
}]
}
}
}
Reference in a new issue View git blame Copy permalink