fix: pin all 32 CNPG-injected parameters to stop drift #15

Closed
forgejo_admin wants to merge 1 commit from 13-fix-cnpg-all-parameters into main

Summary

  • CNPG admission webhook injects 32 parameters into the Cluster spec, but only 12 were declared in Terraform
  • Every missing parameter caused kubernetes_manifest to detect drift on every tofu plan
  • This pins all 32 to their running cluster values, eliminating the drift entirely

Changes

  • terraform/main.tf: replaced 12-parameter block with all 32 CNPG-injected defaults (alphabetically sorted), added explanatory comment above the block

Test Plan

  • [x] tofu fmt passes
  • [ ] tofu plan should show no diff on the CNPG Cluster resource after apply
  • [ ] Verify all 32 parameters match kubectl get cluster pal-e-postgres -o jsonpath='{.spec.postgresql.parameters}'

Review Checklist

  • [x] Passed automated review-fix loop
  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive

Related Notes

  • plan-2026-02-26-tf-modularize-postgres -- Phase 2: Deploy CloudNativePG to k3s
  • Forgejo issue: #13
PR #14 added wal_receiver_timeout and wal_sender_timeout but CNPG
injects 32 total parameters via its admission webhook. Any parameter
not declared in the manifest causes kubernetes_manifest provider to
detect drift on every tofu plan/apply. This commit pins all 32 to
their running values.

Fixes #13

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
Owner

Closing — wrong approach.

Pinning all 32 CNPG-injected defaults makes us own the operator's internal config. If CNPG updates defaults on upgrade, our manifest overrides them silently. This is brittle.

Root cause: kubernetes_manifest does strict drift detection and CNPG's admission webhook mutates the spec by injecting operational defaults (WAL, logging, TLS, etc.). This is a known provider limitation, not a parameters problem.

Better path: Switch from kubernetes_manifest to kubectl_manifest (gavinbunney/kubectl provider) for CRD resources. It tolerates webhook mutations and we only declare the ~12 tuning params we actually care about.

Also exposed a process gap: no tofu plan was run by the dev agent or validated by QA for any of PRs #12, #14, or #15. Addressing that separately.

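Added illustration of the distinction the review comment draws (this is not code from the PR or the pal-e-platform repo): it splits the diff that a strict provider sees into webhook-injected keys versus real value drift, and shows what pinning the injected defaults costs on an operator upgrade. The parameter maps are constructed samples, not a dump of the real cluster or CNPG's actual default list.

```python
"""Classify drift on a CNPG Cluster's spec.postgresql.parameters.

`live_json` stands in for the output of
  kubectl get cluster pal-e-postgres -o jsonpath='{.spec.postgresql.parameters}'
All sample values below are constructed for illustration.
"""
import json

# Constructed: the tuning parameters the Terraform block declares.
DECLARED = {
    "max_connections": "200",
    "shared_buffers": "256MB",
    "wal_receiver_timeout": "5s",
    "wal_sender_timeout": "5s",
}

# Constructed: the live spec after the CNPG admission webhook mutated it.
LIVE_JSON = json.dumps({
    "max_connections": "200",
    "shared_buffers": "256MB",
    "wal_receiver_timeout": "5s",
    "wal_sender_timeout": "5s",
    "archive_mode": "on",
    "logging_collector": "on",
    "ssl": "on",
})


def classify_drift(declared: dict, live_json: str) -> dict:
    """Split what a strict provider reports into three buckets:
    injected (live-only keys the operator owns), missing (declared keys
    absent from the live spec) and mismatched (same key, different value)."""
    live = json.loads(live_json)
    return {
        "injected": sorted(k for k in live if k not in declared),
        "missing": sorted(k for k in declared if k not in live),
        "mismatched": {k: (declared[k], live[k])
                       for k in declared if k in live and declared[k] != live[k]},
    }


def is_real_drift(report: dict) -> bool:
    """Only values we declared count; injected keys alone are operator state."""
    return bool(report["missing"] or report["mismatched"])


def silently_overridden(pinned: dict, new_operator_defaults: dict) -> dict:
    """Keys where a pinned copy of an old default would override a newer
    operator default after an upgrade: (pinned value, new default)."""
    return {k: (pinned[k], v) for k, v in new_operator_defaults.items()
            if k in pinned and pinned[k] != v}


if __name__ == "__main__":
    print(json.dumps(classify_drift(DECLARED, LIVE_JSON), indent=2))
```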
Author
Owner

Closing. Superseded by architecture revision — Cluster CRD, secrets, and backup resources are moving out of pal-e-platform entirely. Platform will only own the CNPG operator install. App repos will define their own Cluster CRDs, deployed via ArgoCD. See updated plan: plan-2026-02-26-tf-modularize-postgres.

forgejo_admin closed this pull request 2026-03-02 21:41:15 +00:00

Pull request closed
