forgejo_admin/pal-e-platform
1
0
Fork 1
Code Issues 33 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Platform hardening: Woodpecker TLS fix, Trivy, dashboard, MinIO #56

Merged
forgejo_admin merged 2 commits from 55-platform-hardening-woodpecker-tls-fix-tr into main 2026-03-14 19:22:48 +00:00
Conversation 8 Commits 2 Files changed 2 +395 -9
forgejo_admin commented 2026-03-14 19:02:31 +00:00
Owner
Copy link

Summary

Batch of 4 platform hardening changes to terraform/main.tf: fix Woodpecker CI clone TLS failures by switching to in-cluster Forgejo URL, enable Harbor Trivy vulnerability scanning, add pal-e-docs Golden Signals Grafana dashboard, and add force_destroy on all MinIO buckets.

Changes

  • terraform/main.tf -- WOODPECKER_FORGEJO_URL changed from external Tailscale funnel URL (https://forgejo.tail5b443a.ts.net) to internal service URL (http://forgejo-http.forgejo.svc.cluster.local:80); WOODPECKER_FORGEJO_SKIP_VERIFY removed (plain HTTP needs no TLS verification)
  • terraform/main.tf -- Harbor trivy.enabled flipped to true with resource limits (requests: 100m CPU / 256Mi, limits: 1Gi memory)
  • terraform/main.tf -- New kubernetes_config_map_v1.pal_e_docs_dashboard ConfigMap with grafana_dashboard = "1" label, following the existing dora_dashboard pattern
  • terraform/dashboards/pal-e-docs-golden-signals.json -- New Grafana dashboard JSON with 6 panels: request rate, p50/p95/p99 latency, 5xx error rate, CPU usage vs limits, memory usage vs limits. Uses ${DS_PROMETHEUS} datasource variable.
  • terraform/main.tf -- force_destroy = true added to all 3 MinIO buckets (assets, postgres-wal, tf-state-backups)
  • Credential key naming -- Left as-is. CNPG secret uses ACCESS_KEY_ID/ACCESS_SECRET_KEY (required by BarmanObjectStoreConfiguration CRD), tf-backup secret uses AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (standard env vars consumed by mc CLI). Renaming either would break its consumer.

Test Plan

  • tofu fmt -check -- no formatting drift
  • tofu validate -- all resources valid
  • tofu plan -- should show: Woodpecker Helm update, Harbor Helm update, new pal-e-docs-dashboard ConfigMap, 3 MinIO bucket updates (force_destroy)
  • After apply: verify Woodpecker pipelines clone without TLS EOF errors
  • After apply: verify Trivy scanner appears in Harbor UI
  • After apply: verify pal-e-docs Golden Signals dashboard appears in Grafana

Review Checklist

  • tofu fmt passes
  • tofu validate passes
  • No unrelated changes
  • tofu plan output reviewed before merge
  • Dashboard metrics assume prometheus-fastapi-instrumentator is deployed on pal-e-docs (separate prerequisite)

Related

  • Plan: plan-pal-e-platform
  • Forgejo issue: #55
  • Resolves: todo-woodpecker-tls-clone-fix

Closes #55

## Summary Batch of 4 platform hardening changes to `terraform/main.tf`: fix Woodpecker CI clone TLS failures by switching to in-cluster Forgejo URL, enable Harbor Trivy vulnerability scanning, add pal-e-docs Golden Signals Grafana dashboard, and add `force_destroy` on all MinIO buckets. ## Changes - **`terraform/main.tf`** -- `WOODPECKER_FORGEJO_URL` changed from external Tailscale funnel URL (`https://forgejo.tail5b443a.ts.net`) to internal service URL (`http://forgejo-http.forgejo.svc.cluster.local:80`); `WOODPECKER_FORGEJO_SKIP_VERIFY` removed (plain HTTP needs no TLS verification) - **`terraform/main.tf`** -- Harbor `trivy.enabled` flipped to `true` with resource limits (`requests: 100m CPU / 256Mi`, `limits: 1Gi memory`) - **`terraform/main.tf`** -- New `kubernetes_config_map_v1.pal_e_docs_dashboard` ConfigMap with `grafana_dashboard = "1"` label, following the existing `dora_dashboard` pattern - **`terraform/dashboards/pal-e-docs-golden-signals.json`** -- New Grafana dashboard JSON with 6 panels: request rate, p50/p95/p99 latency, 5xx error rate, CPU usage vs limits, memory usage vs limits. Uses `${DS_PROMETHEUS}` datasource variable. - **`terraform/main.tf`** -- `force_destroy = true` added to all 3 MinIO buckets (`assets`, `postgres-wal`, `tf-state-backups`) - **Credential key naming** -- Left as-is. CNPG secret uses `ACCESS_KEY_ID`/`ACCESS_SECRET_KEY` (required by BarmanObjectStoreConfiguration CRD), tf-backup secret uses `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` (standard env vars consumed by mc CLI). Renaming either would break its consumer. ## Test Plan - [x] `tofu fmt -check` -- no formatting drift - [x] `tofu validate` -- all resources valid - [ ] `tofu plan` -- should show: Woodpecker Helm update, Harbor Helm update, new pal-e-docs-dashboard ConfigMap, 3 MinIO bucket updates (force_destroy) - [ ] After apply: verify Woodpecker pipelines clone without TLS EOF errors - [ ] After apply: verify Trivy scanner appears in Harbor UI - [ ] After apply: verify pal-e-docs Golden Signals dashboard appears in Grafana ## Review Checklist - [x] `tofu fmt` passes - [x] `tofu validate` passes - [x] No unrelated changes - [ ] `tofu plan` output reviewed before merge - [ ] Dashboard metrics assume `prometheus-fastapi-instrumentator` is deployed on pal-e-docs (separate prerequisite) ## Related - Plan: `plan-pal-e-platform` - Forgejo issue: #55 - Resolves: `todo-woodpecker-tls-clone-fix` Closes #55
Platform hardening: Woodpecker TLS fix, Trivy, dashboard, MinIO force_destroy
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
ci/woodpecker/pr/woodpecker Pipeline was successful
Details
3b2aea498b 
- Switch WOODPECKER_FORGEJO_URL to internal service URL
  (http://forgejo-http.forgejo.svc.cluster.local:80) and remove
  WOODPECKER_FORGEJO_SKIP_VERIFY to eliminate intermittent TLS EOF
  clone failures in CI pipelines.

- Enable Harbor Trivy vulnerability scanning with resource limits
  (256Mi request, 1Gi limit) for container image security scanning.

- Add pal-e-docs Golden Signals Grafana dashboard (request rate,
  p50/p95/p99 latency, 5xx error rate, CPU/memory vs limits) via
  ConfigMap with grafana_dashboard sidecar label.

- Add force_destroy = true on all 3 MinIO buckets (assets,
  postgres-wal, tf-state-backups) to prevent tofu destroy failures.

- Credential key naming left as-is: CNPG uses ACCESS_KEY_ID /
  ACCESS_SECRET_KEY (required by BarmanObjectStoreConfiguration),
  tf-backup uses AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (standard
  env vars for mc CLI). Changing either would break consumers.

Closes #55

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin commented 2026-03-14 19:02:56 +00:00
Author
Owner
Copy link

Self-review: all 4 changes verified.

  1. Woodpecker TLS fix -- internal URL matches existing DORA exporter pattern (line 977). SKIP_VERIFY correctly removed.
  2. Harbor Trivy -- resource limits match issue spec. Helm values structure correct.
  3. Golden Signals Dashboard -- follows dora_dashboard ConfigMap pattern exactly. All 6 panels present (request rate, p50/p95/p99 latency, 5xx error rate, CPU/memory vs limits). Uses ${DS_PROMETHEUS} datasource variable.
  4. MinIO force_destroy -- all 3 buckets updated. Formatting changes are from tofu fmt.
  5. Credential naming -- verified live CNPG Cluster CRD references ACCESS_SECRET_KEY key name. Changing would break WAL archival. Left as-is with rationale documented.

tofu validate and tofu fmt -check both pass. Ready for tofu plan review before merge.

Self-review: all 4 changes verified. 1. **Woodpecker TLS fix** -- internal URL matches existing DORA exporter pattern (line 977). SKIP_VERIFY correctly removed. 2. **Harbor Trivy** -- resource limits match issue spec. Helm values structure correct. 3. **Golden Signals Dashboard** -- follows dora_dashboard ConfigMap pattern exactly. All 6 panels present (request rate, p50/p95/p99 latency, 5xx error rate, CPU/memory vs limits). Uses `${DS_PROMETHEUS}` datasource variable. 4. **MinIO force_destroy** -- all 3 buckets updated. Formatting changes are from `tofu fmt`. 5. **Credential naming** -- verified live CNPG Cluster CRD references `ACCESS_SECRET_KEY` key name. Changing would break WAL archival. Left as-is with rationale documented. `tofu validate` and `tofu fmt -check` both pass. Ready for `tofu plan` review before merge.
forgejo_admin commented 2026-03-14 19:03:07 +00:00
Author
Owner
Copy link

Tofu Plan Output

tailscale_acl.this: Refreshing state... [id=acl]
kubernetes_namespace_v1.woodpecker: Refreshing state... [id=woodpecker]
helm_release.nvidia_device_plugin: Refreshing state... [id=nvidia-device-plugin]
kubernetes_namespace_v1.ollama: Refreshing state... [id=ollama]
data.kubernetes_namespace_v1.pal_e_docs: Reading...
data.kubernetes_namespace_v1.tofu_state: Reading...
kubernetes_namespace_v1.cnpg_system: Refreshing state... [id=cnpg-system]
kubernetes_namespace_v1.minio: Refreshing state... [id=minio]
kubernetes_namespace_v1.monitoring: Refreshing state... [id=monitoring]
kubernetes_namespace_v1.postgres: Refreshing state... [id=postgres]
data.kubernetes_namespace_v1.tofu_state: Read complete after 0s [id=tofu-state]
kubernetes_namespace_v1.tailscale: Refreshing state... [id=tailscale]
data.kubernetes_namespace_v1.pal_e_docs: Read complete after 0s [id=pal-e-docs]
kubernetes_namespace_v1.forgejo: Refreshing state... [id=forgejo]
kubernetes_namespace_v1.harbor: Refreshing state... [id=harbor]
kubernetes_namespace_v1.keycloak: Refreshing state... [id=keycloak]
kubernetes_service_account_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_role_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_secret_v1.paledocs_db_url: Refreshing state... [id=pal-e-docs/paledocs-db-url]
helm_release.cnpg: Refreshing state... [id=cnpg]
helm_release.kube_prometheus_stack: Refreshing state... [id=kube-prometheus-stack]
kubernetes_service_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
kubernetes_secret_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
helm_release.loki_stack: Refreshing state... [id=loki-stack]
helm_release.tailscale_operator: Refreshing state... [id=tailscale-operator]
kubernetes_service_v1.keycloak: Refreshing state... [id=keycloak/keycloak]
helm_release.forgejo: Refreshing state... [id=forgejo]
kubernetes_secret_v1.keycloak_admin: Refreshing state... [id=keycloak/keycloak-admin]
kubernetes_persistent_volume_claim_v1.keycloak_data: Refreshing state... [id=keycloak/keycloak-data]
kubernetes_role_binding_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_deployment_v1.keycloak: Refreshing state... [id=keycloak/keycloak]
helm_release.ollama: Refreshing state... [id=ollama]
kubernetes_ingress_v1.keycloak_funnel: Refreshing state... [id=keycloak/keycloak-funnel]
kubernetes_ingress_v1.forgejo_funnel: Refreshing state... [id=forgejo/forgejo-funnel]
helm_release.woodpecker: Refreshing state... [id=woodpecker]
kubernetes_config_map_v1.grafana_loki_datasource: Refreshing state... [id=monitoring/grafana-loki-datasource]
kubernetes_config_map_v1.dora_dashboard: Refreshing state... [id=monitoring/dora-dashboard]
kubernetes_ingress_v1.grafana_funnel: Refreshing state... [id=monitoring/grafana-funnel]
helm_release.harbor: Refreshing state... [id=harbor]
kubernetes_ingress_v1.alertmanager_funnel: Refreshing state... [id=monitoring/alertmanager-funnel]
helm_release.minio: Refreshing state... [id=minio]
kubernetes_deployment_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
kubernetes_manifest.dora_exporter_service_monitor: Refreshing state...
kubernetes_ingress_v1.woodpecker_funnel: Refreshing state... [id=woodpecker/woodpecker-funnel]
kubernetes_ingress_v1.harbor_funnel: Refreshing state... [id=harbor/harbor-funnel]
minio_iam_policy.cnpg_wal: Refreshing state... [id=cnpg-wal]
minio_s3_bucket.assets: Refreshing state... [id=assets]
minio_iam_policy.tf_backup: Refreshing state... [id=tf-backup]
minio_iam_user.cnpg: Refreshing state... [id=cnpg]
minio_s3_bucket.tf_state_backups: Refreshing state... [id=tf-state-backups]
minio_s3_bucket.postgres_wal: Refreshing state... [id=postgres-wal]
minio_iam_user.tf_backup: Refreshing state... [id=tf-backup]
kubernetes_ingress_v1.minio_funnel: Refreshing state... [id=minio/minio-funnel]
kubernetes_ingress_v1.minio_api_funnel: Refreshing state... [id=minio/minio-api-funnel]
minio_iam_user_policy_attachment.tf_backup: Refreshing state... [id=tf-backup-20260314163610110100000001]
minio_iam_user_policy_attachment.cnpg: Refreshing state... [id=cnpg-20260302210642491000000001]
kubernetes_secret_v1.tf_backup_s3_creds: Refreshing state... [id=tofu-state/tf-backup-s3-creds]
kubernetes_secret_v1.cnpg_s3_creds: Refreshing state... [id=postgres/cnpg-s3-creds]
kubernetes_cron_job_v1.tf_state_backup: Refreshing state... [id=tofu-state/tf-state-backup]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

OpenTofu will perform the following actions:

  # helm_release.harbor will be updated in-place
  ~ resource "helm_release" "harbor" {
        id                         = "harbor"
      ~ metadata                   = [
          - {
              - app_version    = "2.14.2"
              - chart          = "harbor"
              - first_deployed = 1771622483
              - last_deployed  = 1772077299
              - name           = "harbor"
              - namespace      = "harbor"
              - notes          = <<-EOT
                    Please wait for several minutes for Harbor deployment to complete.
                    Then you should be able to visit the Harbor portal at https://harbor.tail5b443a.ts.net
                    For more details, please visit https://github.com/goharbor/harbor
                EOT
              - revision       = 2
              - values         = jsonencode(
                    {
                      - core                = {
                          - resources = {
                              - limits   = {
                                  - memory = "512Mi"
                                }
                              - requests = {
                                  - cpu    = "100m"
                                  - memory = "256Mi"
                                }
                            }
                        }
                      - database            = {
                          - internal = {
                              - resources = {
                                  - limits   = {
                                      - memory = "512Mi"
                                    }
                                  - requests = {
                                      - cpu    = "50m"
                                      - memory = "128Mi"
                                    }
                                }
                            }
                          - type     = "internal"
                        }
                      - expose              = {
                          - clusterIP = {
                              - name  = "harbor"
                              - ports = {
                                  - httpPort = 80
                                }
                            }
                          - tls       = {
                              - enabled = false
                            }
                          - type      = "clusterIP"
                        }
                      - externalURL         = "https://harbor.tail5b443a.ts.net"
                      - harborAdminPassword = "(sensitive value)"
                      - jobservice          = {
                          - resources = {
                              - limits   = {
                                  - memory = "256Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "64Mi"
                                }
                            }
                        }
                      - metrics             = {
                          - enabled        = true
                          - serviceMonitor = {
                              - enabled = true
                            }
                        }
                      - nginx               = {
                          - resources = {
                              - limits   = {
                                  - memory = "128Mi"
                                }
                              - requests = {
                                  - cpu    = "20m"
                                  - memory = "32Mi"
                                }
                            }
                        }
                      - persistence         = {
                          - enabled               = true
                          - persistentVolumeClaim = {
                              - database   = {
                                  - size         = "2Gi"
                                  - storageClass = "local-path"
                                }
                              - jobservice = {
                                  - jobLog = {
                                      - size         = "1Gi"
                                      - storageClass = "local-path"
                                    }
                                }
                              - redis      = {
                                  - size         = "1Gi"
                                  - storageClass = "local-path"
                                }
                              - registry   = {
                                  - size         = "20Gi"
                                  - storageClass = "local-path"
                                }
                            }
                        }
                      - portal              = {
                          - resources = {
                              - limits   = {
                                  - memory = "128Mi"
                                }
                              - requests = {
                                  - cpu    = "20m"
                                  - memory = "32Mi"
                                }
                            }
                        }
                      - redis               = {
                          - internal = {
                              - resources = {
                                  - limits   = {
                                      - memory = "128Mi"
                                    }
                                  - requests = {
                                      - cpu    = "20m"
                                      - memory = "32Mi"
                                    }
                                }
                            }
                          - type     = "internal"
                        }
                      - registry            = {
                          - resources = {
                              - limits   = {
                                  - memory = "256Mi"
                                }
                              - requests = {
                                  - cpu    = "100m"
                                  - memory = "128Mi"
                                }
                            }
                        }
                      - secretKey           = "(sensitive value)"
                      - trivy               = {
                          - enabled = false
                        }
                    }
                )
              - version        = "1.18.2"
            },
        ] -> (known after apply)
        name                       = "harbor"
      ~ values                     = [
          - <<-EOT
                "core":
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "256Mi"
                "database":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "512Mi"
                      "requests":
                        "cpu": "50m"
                        "memory": "128Mi"
                  "type": "internal"
                "expose":
                  "clusterIP":
                    "name": "harbor"
                    "ports":
                      "httpPort": 80
                  "tls":
                    "enabled": false
                  "type": "clusterIP"
                "externalURL": "https://harbor.tail5b443a.ts.net"
                "jobservice":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "metrics":
                  "enabled": true
                  "serviceMonitor":
                    "enabled": true
                "nginx":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "persistence":
                  "enabled": true
                  "persistentVolumeClaim":
                    "database":
                      "size": "2Gi"
                      "storageClass": "local-path"
                    "jobservice":
                      "jobLog":
                        "size": "1Gi"
                        "storageClass": "local-path"
                    "redis":
                      "size": "1Gi"
                      "storageClass": "local-path"
                    "registry":
                      "size": "20Gi"
                      "storageClass": "local-path"
                "portal":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "redis":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "128Mi"
                      "requests":
                        "cpu": "20m"
                        "memory": "32Mi"
                  "type": "internal"
                "registry":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "128Mi"
                "trivy":
                  "enabled": false
            EOT,
          + <<-EOT
                "core":
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "256Mi"
                "database":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "512Mi"
                      "requests":
                        "cpu": "50m"
                        "memory": "128Mi"
                  "type": "internal"
                "expose":
                  "clusterIP":
                    "name": "harbor"
                    "ports":
                      "httpPort": 80
                  "tls":
                    "enabled": false
                  "type": "clusterIP"
                "externalURL": "https://harbor.tail5b443a.ts.net"
                "jobservice":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "metrics":
                  "enabled": true
                  "serviceMonitor":
                    "enabled": true
                "nginx":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "persistence":
                  "enabled": true
                  "persistentVolumeClaim":
                    "database":
                      "size": "2Gi"
                      "storageClass": "local-path"
                    "jobservice":
                      "jobLog":
                        "size": "1Gi"
                        "storageClass": "local-path"
                    "redis":
                      "size": "1Gi"
                      "storageClass": "local-path"
                    "registry":
                      "size": "20Gi"
                      "storageClass": "local-path"
                "portal":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "redis":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "128Mi"
                      "requests":
                        "cpu": "20m"
                        "memory": "32Mi"
                  "type": "internal"
                "registry":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "128Mi"
                "trivy":
                  "enabled": true
                  "resources":
                    "limits":
                      "memory": "1Gi"
                    "requests":
                      "cpu": "100m"
                      "memory": "256Mi"
            EOT,
        ]
        # (27 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # helm_release.woodpecker will be updated in-place
  ~ resource "helm_release" "woodpecker" {
        id                         = "woodpecker"
      ~ metadata                   = [
          - {
              - app_version    = "3.13.0"
              - chart          = "woodpecker"
              - first_deployed = 1771568949
              - last_deployed  = 1773082003
              - name           = "woodpecker"
              - namespace      = "woodpecker"
              - notes          = <<-EOT
                    1. Get the application URL by running these commands:
                      export POD_NAME=$(kubectl get pods --namespace woodpecker -l "app.kubernetes.io/name=server,app.kubernetes.io/instance=woodpecker" -o jsonpath="{.items[0].metadata.name}")
                      export CONTAINER_PORT=$(kubectl get pod --namespace woodpecker $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
                      echo "Visit http://127.0.0.1:8080 to use your application"
                      kubectl --namespace woodpecker port-forward $POD_NAME 8080:$CONTAINER_PORT
                EOT
              - revision       = 7
              - values         = jsonencode(
                    {
                      - agent  = {
                          - enabled      = true
                          - env          = {
                              - WOODPECKER_BACKEND                   = "kubernetes"
                              - WOODPECKER_BACKEND_K8S_NAMESPACE     = "woodpecker"
                              - WOODPECKER_BACKEND_K8S_STORAGE_CLASS = "local-path"
                              - WOODPECKER_BACKEND_K8S_VOLUME_SIZE   = "1Gi"
                            }
                          - replicaCount = 1
                          - resources    = {
                              - limits   = {
                                  - memory = "256Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "64Mi"
                                }
                            }
                        }
                      - server = {
                          - env              = {
                              - WOODPECKER_ADMIN               = "forgejo_admin"
                              - WOODPECKER_FORGEJO             = "true"
                              - WOODPECKER_FORGEJO_CLIENT      = "(sensitive value)"
                              - WOODPECKER_FORGEJO_SECRET      = "(sensitive value)"
                              - WOODPECKER_FORGEJO_SKIP_VERIFY = "false"
                              - WOODPECKER_FORGEJO_URL         = "https://forgejo.tail5b443a.ts.net"
                              - WOODPECKER_HOST                = "https://woodpecker.tail5b443a.ts.net"
                            }
                          - persistentVolume = {
                              - enabled      = true
                              - size         = "5Gi"
                              - storageClass = "local-path"
                            }
                          - resources        = {
                              - limits   = {
                                  - memory = "512Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "128Mi"
                                }
                            }
                          - statefulSet      = {
                              - replicaCount = 1
                            }
                        }
                    }
                )
              - version        = "3.5.1"
            },
        ] -> (known after apply)
        name                       = "woodpecker"
      ~ values                     = [
          - <<-EOT
                "agent":
                  "enabled": true
                  "env":
                    "WOODPECKER_BACKEND": "kubernetes"
                    "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker"
                    "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path"
                    "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi"
                  "replicaCount": 1
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "server":
                  "env":
                    "WOODPECKER_ADMIN": "forgejo_admin"
                    "WOODPECKER_FORGEJO": "true"
                    "WOODPECKER_FORGEJO_SKIP_VERIFY": "false"
                    "WOODPECKER_FORGEJO_URL": "https://forgejo.tail5b443a.ts.net"
                    "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net"
                  "persistentVolume":
                    "enabled": true
                    "size": "5Gi"
                    "storageClass": "local-path"
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "128Mi"
                  "statefulSet":
                    "replicaCount": 1
            EOT,
          + <<-EOT
                "agent":
                  "enabled": true
                  "env":
                    "WOODPECKER_BACKEND": "kubernetes"
                    "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker"
                    "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path"
                    "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi"
                  "replicaCount": 1
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "server":
                  "env":
                    "WOODPECKER_ADMIN": "forgejo_admin"
                    "WOODPECKER_FORGEJO": "true"
                    "WOODPECKER_FORGEJO_URL": "http://forgejo-http.forgejo.svc.cluster.local:80"
                    "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net"
                  "persistentVolume":
                    "enabled": true
                    "size": "5Gi"
                    "storageClass": "local-path"
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "128Mi"
                  "statefulSet":
                    "replicaCount": 1
            EOT,
        ]
        # (26 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # kubernetes_config_map_v1.pal_e_docs_dashboard will be created
  + resource "kubernetes_config_map_v1" "pal_e_docs_dashboard" {
      + data = {
          + "pal-e-docs-golden-signals.json" = jsonencode(
                {
                  + annotations          = {
                      + list = [
                          + {
                              + builtIn    = 1
                              + datasource = {
                                  + type = "grafana"
                                  + uid  = "-- Grafana --"
                                }
                              + enable     = true
                              + hide       = true
                              + iconColor  = "rgba(0, 211, 255, 1)"
                              + name       = "Annotations & Alerts"
                              + type       = "dashboard"
                            },
                        ]
                    }
                  + editable             = true
                  + fiscalYearStartMonth = 0
                  + graphTooltip         = 1
                  + id                   = null
                  + links                = []
                  + panels               = [
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 0
                            }
                          + id        = 1
                          + title     = "Traffic"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "req/s"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "reqps"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 24
                              + x = 0
                              + y = 1
                            }
                          + id          = 2
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m]))"
                                  + legendFormat = "total req/s"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])) by (handler)"
                                  + legendFormat = "{{ handler }}"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "Request Rate"
                          + type        = "timeseries"
                        },
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 9
                            }
                          + id        = 3
                          + title     = "Latency"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "seconds"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "s"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 24
                              + x = 0
                              + y = 10
                            }
                          + id          = 4
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "histogram_quantile(0.50, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))"
                                  + legendFormat = "p50"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))"
                                  + legendFormat = "p95"
                                  + refId        = "B"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))"
                                  + legendFormat = "p99"
                                  + refId        = "C"
                                },
                            ]
                          + title       = "Request Latency Percentiles"
                          + type        = "timeseries"
                        },
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 18
                            }
                          + id        = 5
                          + title     = "Errors"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "errors/s"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "reqps"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 24
                              + x = 0
                              + y = 19
                            }
                          + id          = 6
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m]))"
                                  + legendFormat = "5xx errors/s"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m])) / clamp_min(sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])), 0.001) * 100"
                                  + legendFormat = "5xx error %"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "5xx Error Rate"
                          + type        = "timeseries"
                        },
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 27
                            }
                          + id        = 7
                          + title     = "Saturation"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "CPU cores"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "short"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 12
                              + x = 0
                              + y = 28
                            }
                          + id          = 8
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(container_cpu_usage_seconds_total{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}[5m])) by (pod)"
                                  + legendFormat = "{{ pod }} usage"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"cpu\"}) by (pod)"
                                  + legendFormat = "{{ pod }} limit"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "CPU Usage vs Limits"
                          + type        = "timeseries"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = ""
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "bytes"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 12
                              + x = 12
                              + y = 28
                            }
                          + id          = 9
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(container_memory_working_set_bytes{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}) by (pod)"
                                  + legendFormat = "{{ pod }} usage"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"memory\"}) by (pod)"
                                  + legendFormat = "{{ pod }} limit"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "Memory Usage vs Limits"
                          + type        = "timeseries"
                        },
                    ]
                  + schemaVersion        = 39
                  + tags                 = [
                      + "pal-e-docs",
                      + "golden-signals",
                      + "sre",
                    ]
                  + templating           = {
                      + list = [
                          + {
                              + current     = {}
                              + hide        = 0
                              + includeAll  = false
                              + label       = "Prometheus"
                              + multi       = false
                              + name        = "DS_PROMETHEUS"
                              + options     = []
                              + query       = "prometheus"
                              + queryValue  = ""
                              + refresh     = 1
                              + regex       = ""
                              + skipUrlSync = false
                              + type        = "datasource"
                            },
                        ]
                    }
                  + time                 = {
                      + from = "now-6h"
                      + to   = "now"
                    }
                  + timepicker           = {}
                  + timezone             = ""
                  + title                = "pal-e-docs Golden Signals"
                  + uid                  = "pal-e-docs-golden-signals"
                  + version              = 1
                }
            )
        }
      + id   = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + labels           = {
              + "grafana_dashboard" = "1"
            }
          + name             = "pal-e-docs-dashboard"
          + namespace        = "monitoring"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # minio_s3_bucket.assets will be updated in-place
  ~ resource "minio_s3_bucket" "assets" {
      ~ force_destroy      = false -> true
        id                 = "assets"
        tags               = {}
        # (5 unchanged attributes hidden)
    }

  # minio_s3_bucket.postgres_wal will be updated in-place
  ~ resource "minio_s3_bucket" "postgres_wal" {
      ~ force_destroy      = false -> true
        id                 = "postgres-wal"
        tags               = {}
        # (5 unchanged attributes hidden)
    }

  # minio_s3_bucket.tf_state_backups will be updated in-place
  ~ resource "minio_s3_bucket" "tf_state_backups" {
      ~ force_destroy      = false -> true
        id                 = "tf-state-backups"
        tags               = {}
        # (5 unchanged attributes hidden)
    }

Plan: 1 to add, 5 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.
## Tofu Plan Output ``` tailscale_acl.this: Refreshing state... [id=acl] kubernetes_namespace_v1.woodpecker: Refreshing state... [id=woodpecker] helm_release.nvidia_device_plugin: Refreshing state... [id=nvidia-device-plugin] kubernetes_namespace_v1.ollama: Refreshing state... [id=ollama] data.kubernetes_namespace_v1.pal_e_docs: Reading... data.kubernetes_namespace_v1.tofu_state: Reading... kubernetes_namespace_v1.cnpg_system: Refreshing state... [id=cnpg-system] kubernetes_namespace_v1.minio: Refreshing state... [id=minio] kubernetes_namespace_v1.monitoring: Refreshing state... [id=monitoring] kubernetes_namespace_v1.postgres: Refreshing state... [id=postgres] data.kubernetes_namespace_v1.tofu_state: Read complete after 0s [id=tofu-state] kubernetes_namespace_v1.tailscale: Refreshing state... [id=tailscale] data.kubernetes_namespace_v1.pal_e_docs: Read complete after 0s [id=pal-e-docs] kubernetes_namespace_v1.forgejo: Refreshing state... [id=forgejo] kubernetes_namespace_v1.harbor: Refreshing state... [id=harbor] kubernetes_namespace_v1.keycloak: Refreshing state... [id=keycloak] kubernetes_service_account_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_role_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_secret_v1.paledocs_db_url: Refreshing state... [id=pal-e-docs/paledocs-db-url] helm_release.cnpg: Refreshing state... [id=cnpg] helm_release.kube_prometheus_stack: Refreshing state... [id=kube-prometheus-stack] kubernetes_service_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] kubernetes_secret_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] helm_release.loki_stack: Refreshing state... [id=loki-stack] helm_release.tailscale_operator: Refreshing state... [id=tailscale-operator] kubernetes_service_v1.keycloak: Refreshing state... [id=keycloak/keycloak] helm_release.forgejo: Refreshing state... [id=forgejo] kubernetes_secret_v1.keycloak_admin: Refreshing state... [id=keycloak/keycloak-admin] kubernetes_persistent_volume_claim_v1.keycloak_data: Refreshing state... [id=keycloak/keycloak-data] kubernetes_role_binding_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_deployment_v1.keycloak: Refreshing state... [id=keycloak/keycloak] helm_release.ollama: Refreshing state... [id=ollama] kubernetes_ingress_v1.keycloak_funnel: Refreshing state... [id=keycloak/keycloak-funnel] kubernetes_ingress_v1.forgejo_funnel: Refreshing state... [id=forgejo/forgejo-funnel] helm_release.woodpecker: Refreshing state... [id=woodpecker] kubernetes_config_map_v1.grafana_loki_datasource: Refreshing state... [id=monitoring/grafana-loki-datasource] kubernetes_config_map_v1.dora_dashboard: Refreshing state... [id=monitoring/dora-dashboard] kubernetes_ingress_v1.grafana_funnel: Refreshing state... [id=monitoring/grafana-funnel] helm_release.harbor: Refreshing state... [id=harbor] kubernetes_ingress_v1.alertmanager_funnel: Refreshing state... [id=monitoring/alertmanager-funnel] helm_release.minio: Refreshing state... [id=minio] kubernetes_deployment_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] kubernetes_manifest.dora_exporter_service_monitor: Refreshing state... kubernetes_ingress_v1.woodpecker_funnel: Refreshing state... [id=woodpecker/woodpecker-funnel] kubernetes_ingress_v1.harbor_funnel: Refreshing state... [id=harbor/harbor-funnel] minio_iam_policy.cnpg_wal: Refreshing state... [id=cnpg-wal] minio_s3_bucket.assets: Refreshing state... [id=assets] minio_iam_policy.tf_backup: Refreshing state... [id=tf-backup] minio_iam_user.cnpg: Refreshing state... [id=cnpg] minio_s3_bucket.tf_state_backups: Refreshing state... [id=tf-state-backups] minio_s3_bucket.postgres_wal: Refreshing state... [id=postgres-wal] minio_iam_user.tf_backup: Refreshing state... [id=tf-backup] kubernetes_ingress_v1.minio_funnel: Refreshing state... [id=minio/minio-funnel] kubernetes_ingress_v1.minio_api_funnel: Refreshing state... [id=minio/minio-api-funnel] minio_iam_user_policy_attachment.tf_backup: Refreshing state... [id=tf-backup-20260314163610110100000001] minio_iam_user_policy_attachment.cnpg: Refreshing state... [id=cnpg-20260302210642491000000001] kubernetes_secret_v1.tf_backup_s3_creds: Refreshing state... [id=tofu-state/tf-backup-s3-creds] kubernetes_secret_v1.cnpg_s3_creds: Refreshing state... [id=postgres/cnpg-s3-creds] kubernetes_cron_job_v1.tf_state_backup: Refreshing state... [id=tofu-state/tf-state-backup] OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create ~ update in-place OpenTofu will perform the following actions: # helm_release.harbor will be updated in-place ~ resource "helm_release" "harbor" { id = "harbor" ~ metadata = [ - { - app_version = "2.14.2" - chart = "harbor" - first_deployed = 1771622483 - last_deployed = 1772077299 - name = "harbor" - namespace = "harbor" - notes = <<-EOT Please wait for several minutes for Harbor deployment to complete. Then you should be able to visit the Harbor portal at https://harbor.tail5b443a.ts.net For more details, please visit https://github.com/goharbor/harbor EOT - revision = 2 - values = jsonencode( { - core = { - resources = { - limits = { - memory = "512Mi" } - requests = { - cpu = "100m" - memory = "256Mi" } } } - database = { - internal = { - resources = { - limits = { - memory = "512Mi" } - requests = { - cpu = "50m" - memory = "128Mi" } } } - type = "internal" } - expose = { - clusterIP = { - name = "harbor" - ports = { - httpPort = 80 } } - tls = { - enabled = false } - type = "clusterIP" } - externalURL = "https://harbor.tail5b443a.ts.net" - harborAdminPassword = "(sensitive value)" - jobservice = { - resources = { - limits = { - memory = "256Mi" } - requests = { - cpu = "50m" - memory = "64Mi" } } } - metrics = { - enabled = true - serviceMonitor = { - enabled = true } } - nginx = { - resources = { - limits = { - memory = "128Mi" } - requests = { - cpu = "20m" - memory = "32Mi" } } } - persistence = { - enabled = true - persistentVolumeClaim = { - database = { - size = "2Gi" - storageClass = "local-path" } - jobservice = { - jobLog = { - size = "1Gi" - storageClass = "local-path" } } - redis = { - size = "1Gi" - storageClass = "local-path" } - registry = { - size = "20Gi" - storageClass = "local-path" } } } - portal = { - resources = { - limits = { - memory = "128Mi" } - requests = { - cpu = "20m" - memory = "32Mi" } } } - redis = { - internal = { - resources = { - limits = { - memory = "128Mi" } - requests = { - cpu = "20m" - memory = "32Mi" } } } - type = "internal" } - registry = { - resources = { - limits = { - memory = "256Mi" } - requests = { - cpu = "100m" - memory = "128Mi" } } } - secretKey = "(sensitive value)" - trivy = { - enabled = false } } ) - version = "1.18.2" }, ] -> (known after apply) name = "harbor" ~ values = [ - <<-EOT "core": "resources": "limits": "memory": "512Mi" "requests": "cpu": "100m" "memory": "256Mi" "database": "internal": "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "type": "internal" "expose": "clusterIP": "name": "harbor" "ports": "httpPort": 80 "tls": "enabled": false "type": "clusterIP" "externalURL": "https://harbor.tail5b443a.ts.net" "jobservice": "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "metrics": "enabled": true "serviceMonitor": "enabled": true "nginx": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "persistence": "enabled": true "persistentVolumeClaim": "database": "size": "2Gi" "storageClass": "local-path" "jobservice": "jobLog": "size": "1Gi" "storageClass": "local-path" "redis": "size": "1Gi" "storageClass": "local-path" "registry": "size": "20Gi" "storageClass": "local-path" "portal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "redis": "internal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "type": "internal" "registry": "resources": "limits": "memory": "256Mi" "requests": "cpu": "100m" "memory": "128Mi" "trivy": "enabled": false EOT, + <<-EOT "core": "resources": "limits": "memory": "512Mi" "requests": "cpu": "100m" "memory": "256Mi" "database": "internal": "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "type": "internal" "expose": "clusterIP": "name": "harbor" "ports": "httpPort": 80 "tls": "enabled": false "type": "clusterIP" "externalURL": "https://harbor.tail5b443a.ts.net" "jobservice": "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "metrics": "enabled": true "serviceMonitor": "enabled": true "nginx": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "persistence": "enabled": true "persistentVolumeClaim": "database": "size": "2Gi" "storageClass": "local-path" "jobservice": "jobLog": "size": "1Gi" "storageClass": "local-path" "redis": "size": "1Gi" "storageClass": "local-path" "registry": "size": "20Gi" "storageClass": "local-path" "portal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "redis": "internal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "type": "internal" "registry": "resources": "limits": "memory": "256Mi" "requests": "cpu": "100m" "memory": "128Mi" "trivy": "enabled": true "resources": "limits": "memory": "1Gi" "requests": "cpu": "100m" "memory": "256Mi" EOT, ] # (27 unchanged attributes hidden) # (2 unchanged blocks hidden) } # helm_release.woodpecker will be updated in-place ~ resource "helm_release" "woodpecker" { id = "woodpecker" ~ metadata = [ - { - app_version = "3.13.0" - chart = "woodpecker" - first_deployed = 1771568949 - last_deployed = 1773082003 - name = "woodpecker" - namespace = "woodpecker" - notes = <<-EOT 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace woodpecker -l "app.kubernetes.io/name=server,app.kubernetes.io/instance=woodpecker" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace woodpecker $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace woodpecker port-forward $POD_NAME 8080:$CONTAINER_PORT EOT - revision = 7 - values = jsonencode( { - agent = { - enabled = true - env = { - WOODPECKER_BACKEND = "kubernetes" - WOODPECKER_BACKEND_K8S_NAMESPACE = "woodpecker" - WOODPECKER_BACKEND_K8S_STORAGE_CLASS = "local-path" - WOODPECKER_BACKEND_K8S_VOLUME_SIZE = "1Gi" } - replicaCount = 1 - resources = { - limits = { - memory = "256Mi" } - requests = { - cpu = "50m" - memory = "64Mi" } } } - server = { - env = { - WOODPECKER_ADMIN = "forgejo_admin" - WOODPECKER_FORGEJO = "true" - WOODPECKER_FORGEJO_CLIENT = "(sensitive value)" - WOODPECKER_FORGEJO_SECRET = "(sensitive value)" - WOODPECKER_FORGEJO_SKIP_VERIFY = "false" - WOODPECKER_FORGEJO_URL = "https://forgejo.tail5b443a.ts.net" - WOODPECKER_HOST = "https://woodpecker.tail5b443a.ts.net" } - persistentVolume = { - enabled = true - size = "5Gi" - storageClass = "local-path" } - resources = { - limits = { - memory = "512Mi" } - requests = { - cpu = "50m" - memory = "128Mi" } } - statefulSet = { - replicaCount = 1 } } } ) - version = "3.5.1" }, ] -> (known after apply) name = "woodpecker" ~ values = [ - <<-EOT "agent": "enabled": true "env": "WOODPECKER_BACKEND": "kubernetes" "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker" "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path" "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi" "replicaCount": 1 "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "server": "env": "WOODPECKER_ADMIN": "forgejo_admin" "WOODPECKER_FORGEJO": "true" "WOODPECKER_FORGEJO_SKIP_VERIFY": "false" "WOODPECKER_FORGEJO_URL": "https://forgejo.tail5b443a.ts.net" "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net" "persistentVolume": "enabled": true "size": "5Gi" "storageClass": "local-path" "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "statefulSet": "replicaCount": 1 EOT, + <<-EOT "agent": "enabled": true "env": "WOODPECKER_BACKEND": "kubernetes" "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker" "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path" "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi" "replicaCount": 1 "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "server": "env": "WOODPECKER_ADMIN": "forgejo_admin" "WOODPECKER_FORGEJO": "true" "WOODPECKER_FORGEJO_URL": "http://forgejo-http.forgejo.svc.cluster.local:80" "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net" "persistentVolume": "enabled": true "size": "5Gi" "storageClass": "local-path" "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "statefulSet": "replicaCount": 1 EOT, ] # (26 unchanged attributes hidden) # (2 unchanged blocks hidden) } # kubernetes_config_map_v1.pal_e_docs_dashboard will be created + resource "kubernetes_config_map_v1" "pal_e_docs_dashboard" { + data = { + "pal-e-docs-golden-signals.json" = jsonencode( { + annotations = { + list = [ + { + builtIn = 1 + datasource = { + type = "grafana" + uid = "-- Grafana --" } + enable = true + hide = true + iconColor = "rgba(0, 211, 255, 1)" + name = "Annotations & Alerts" + type = "dashboard" }, ] } + editable = true + fiscalYearStartMonth = 0 + graphTooltip = 1 + id = null + links = [] + panels = [ + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 0 } + id = 1 + title = "Traffic" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "req/s" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "reqps" } + overrides = [] } + gridPos = { + h = 8 + w = 24 + x = 0 + y = 1 } + id = 2 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m]))" + legendFormat = "total req/s" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])) by (handler)" + legendFormat = "{{ handler }}" + refId = "B" }, ] + title = "Request Rate" + type = "timeseries" }, + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 9 } + id = 3 + title = "Latency" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "seconds" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "s" } + overrides = [] } + gridPos = { + h = 8 + w = 24 + x = 0 + y = 10 } + id = 4 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "histogram_quantile(0.50, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))" + legendFormat = "p50" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))" + legendFormat = "p95" + refId = "B" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))" + legendFormat = "p99" + refId = "C" }, ] + title = "Request Latency Percentiles" + type = "timeseries" }, + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 18 } + id = 5 + title = "Errors" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "errors/s" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "reqps" } + overrides = [] } + gridPos = { + h = 8 + w = 24 + x = 0 + y = 19 } + id = 6 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m]))" + legendFormat = "5xx errors/s" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m])) / clamp_min(sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])), 0.001) * 100" + legendFormat = "5xx error %" + refId = "B" }, ] + title = "5xx Error Rate" + type = "timeseries" }, + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 27 } + id = 7 + title = "Saturation" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "CPU cores" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "short" } + overrides = [] } + gridPos = { + h = 8 + w = 12 + x = 0 + y = 28 } + id = 8 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(container_cpu_usage_seconds_total{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}[5m])) by (pod)" + legendFormat = "{{ pod }} usage" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"cpu\"}) by (pod)" + legendFormat = "{{ pod }} limit" + refId = "B" }, ] + title = "CPU Usage vs Limits" + type = "timeseries" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "bytes" } + overrides = [] } + gridPos = { + h = 8 + w = 12 + x = 12 + y = 28 } + id = 9 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(container_memory_working_set_bytes{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}) by (pod)" + legendFormat = "{{ pod }} usage" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"memory\"}) by (pod)" + legendFormat = "{{ pod }} limit" + refId = "B" }, ] + title = "Memory Usage vs Limits" + type = "timeseries" }, ] + schemaVersion = 39 + tags = [ + "pal-e-docs", + "golden-signals", + "sre", ] + templating = { + list = [ + { + current = {} + hide = 0 + includeAll = false + label = "Prometheus" + multi = false + name = "DS_PROMETHEUS" + options = [] + query = "prometheus" + queryValue = "" + refresh = 1 + regex = "" + skipUrlSync = false + type = "datasource" }, ] } + time = { + from = "now-6h" + to = "now" } + timepicker = {} + timezone = "" + title = "pal-e-docs Golden Signals" + uid = "pal-e-docs-golden-signals" + version = 1 } ) } + id = (known after apply) + metadata { + generation = (known after apply) + labels = { + "grafana_dashboard" = "1" } + name = "pal-e-docs-dashboard" + namespace = "monitoring" + resource_version = (known after apply) + uid = (known after apply) } } # minio_s3_bucket.assets will be updated in-place ~ resource "minio_s3_bucket" "assets" { ~ force_destroy = false -> true id = "assets" tags = {} # (5 unchanged attributes hidden) } # minio_s3_bucket.postgres_wal will be updated in-place ~ resource "minio_s3_bucket" "postgres_wal" { ~ force_destroy = false -> true id = "postgres-wal" tags = {} # (5 unchanged attributes hidden) } # minio_s3_bucket.tf_state_backups will be updated in-place ~ resource "minio_s3_bucket" "tf_state_backups" { ~ force_destroy = false -> true id = "tf-state-backups" tags = {} # (5 unchanged attributes hidden) } Plan: 1 to add, 5 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so OpenTofu can't guarantee to take exactly these actions if you run "tofu apply" now. ```
forgejo_admin commented 2026-03-14 19:05:35 +00:00
Author
Owner
Copy link

PR #56 Review

BLOCKERS

1. Error percentage panel has unit mismatch (dashboard JSON)

In terraform/dashboards/pal-e-docs-golden-signals.json, the "5xx Error Rate" panel (id 6) has two targets on the same panel:

  • refId: A -- absolute 5xx errors/s (correctly uses reqps unit)
  • refId: B -- 5xx error percentage (multiplies by 100 to get percent)

Both share the panel's "unit": "reqps" setting, so the percentage series will display as "X req/s" when it is actually "X %". This will confuse operators reading the dashboard.

Fix options:

  • Split into two separate panels (one for absolute error rate, one for error percentage with "unit": "percent")
  • Or use an override on refId B to set its unit to "percentunit" (0-1 scale, remove the * 100) or "percent" (0-100 scale, keep the * 100)

2. tofu plan output not included

Per CLAUDE.md PR conventions: "Include tofu plan output for any Terraform changes." The test plan shows this as unchecked. The plan output should be reviewed before merge to confirm expected resource changes (Woodpecker Helm update, Harbor Helm update, new ConfigMap, 3 bucket updates).

NITS

1. Truncated branch name

Branch 55-platform-hardening-woodpecker-tls-fix-tr appears truncated (ends in -tr). Not blocking, but worth noting for traceability.

2. Dashboard prerequisite dependency not enforced

The PR body notes that the dashboard "assumes prometheus-fastapi-instrumentator is deployed on pal-e-docs." If the instrumentator is not yet scraped by Prometheus (e.g., no ServiceMonitor/PodMonitor targeting pal-e-docs), the dashboard will show "No data" for all panels. Consider adding a comment in the ConfigMap or dashboard description noting this prerequisite. This is not blocking since the dashboard simply shows empty panels if metrics are absent.

3. force_destroy = true on postgres-wal and tf-state-backups buckets

force_destroy = true is appropriate for dev/single-operator environments, but these two buckets contain critical data:

  • postgres-wal -- WAL archives for database point-in-time recovery
  • tf-state-backups -- Terraform state backup CronJob output

A future tofu destroy or bucket recreation will silently delete all objects. This is acceptable given the current single-node context, but worth documenting the risk. Not blocking.

SOP COMPLIANCE

  • Branch named after issue (55-platform-hardening-... references issue #55)
  • PR body follows template (Summary, Changes, Test Plan, Related all present)
  • Related section references plan slug (plan-pal-e-platform)
  • Closes #55 present
  • No secrets, .env files, or credentials committed
  • No unnecessary file changes -- all 4 changes are scoped to platform hardening
  • Dashboard ConfigMap follows existing dora_dashboard pattern exactly
  • Internal Forgejo URL matches existing usage at line 981 (FORGEJO_URL in CI runner config)
  • tofu plan output not included (required by CLAUDE.md PR conventions)

VERDICT: NOT APPROVED

Two blockers:

  1. The error percentage unit mismatch in the dashboard will display misleading data to operators. Needs a fix (panel split or unit override).
  2. tofu plan output must be included or reviewed before merge per repo conventions.
## PR #56 Review ### BLOCKERS **1. Error percentage panel has unit mismatch (dashboard JSON)** In `terraform/dashboards/pal-e-docs-golden-signals.json`, the "5xx Error Rate" panel (id 6) has two targets on the same panel: - `refId: A` -- absolute 5xx errors/s (correctly uses `reqps` unit) - `refId: B` -- 5xx error **percentage** (multiplies by 100 to get percent) Both share the panel's `"unit": "reqps"` setting, so the percentage series will display as "X req/s" when it is actually "X %". This will confuse operators reading the dashboard. Fix options: - Split into two separate panels (one for absolute error rate, one for error percentage with `"unit": "percent"`) - Or use an override on refId B to set its unit to `"percentunit"` (0-1 scale, remove the `* 100`) or `"percent"` (0-100 scale, keep the `* 100`) **2. `tofu plan` output not included** Per `CLAUDE.md` PR conventions: "Include `tofu plan` output for any Terraform changes." The test plan shows this as unchecked. The plan output should be reviewed before merge to confirm expected resource changes (Woodpecker Helm update, Harbor Helm update, new ConfigMap, 3 bucket updates). ### NITS **1. Truncated branch name** Branch `55-platform-hardening-woodpecker-tls-fix-tr` appears truncated (ends in `-tr`). Not blocking, but worth noting for traceability. **2. Dashboard prerequisite dependency not enforced** The PR body notes that the dashboard "assumes `prometheus-fastapi-instrumentator` is deployed on pal-e-docs." If the instrumentator is not yet scraped by Prometheus (e.g., no ServiceMonitor/PodMonitor targeting pal-e-docs), the dashboard will show "No data" for all panels. Consider adding a comment in the ConfigMap or dashboard description noting this prerequisite. This is not blocking since the dashboard simply shows empty panels if metrics are absent. **3. `force_destroy = true` on `postgres-wal` and `tf-state-backups` buckets** `force_destroy = true` is appropriate for dev/single-operator environments, but these two buckets contain critical data: - `postgres-wal` -- WAL archives for database point-in-time recovery - `tf-state-backups` -- Terraform state backup CronJob output A future `tofu destroy` or bucket recreation will silently delete all objects. This is acceptable given the current single-node context, but worth documenting the risk. Not blocking. ### SOP COMPLIANCE - [x] Branch named after issue (`55-platform-hardening-...` references issue #55) - [x] PR body follows template (Summary, Changes, Test Plan, Related all present) - [x] Related section references plan slug (`plan-pal-e-platform`) - [x] `Closes #55` present - [x] No secrets, .env files, or credentials committed - [x] No unnecessary file changes -- all 4 changes are scoped to platform hardening - [x] Dashboard ConfigMap follows existing `dora_dashboard` pattern exactly - [x] Internal Forgejo URL matches existing usage at line 981 (`FORGEJO_URL` in CI runner config) - [ ] `tofu plan` output not included (required by CLAUDE.md PR conventions) ### VERDICT: NOT APPROVED Two blockers: 1. The error percentage unit mismatch in the dashboard will display misleading data to operators. Needs a fix (panel split or unit override). 2. `tofu plan` output must be included or reviewed before merge per repo conventions.
Fix dashboard error panel unit mismatch (QA review)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
ci/woodpecker/pr/woodpecker Pipeline was successful
Details
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
Details
da164cb8f5 
Add Grafana field override on "5xx error %" series to use percent unit
with right Y-axis, preventing misleading req/s suffix on percentage data.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin commented 2026-03-14 19:06:54 +00:00
Author
Owner
Copy link

Tofu Plan Output


Error: Error acquiring the state lock

Error message: the state is already locked by another tofu client
Lock Info:
  ID:        1f112e9c-c5ed-cf45-1c7b-424d866c2249
  Path:      
  Operation: OperationTypePlan
  Who:       ldraney@archbox
  Version:   1.11.5
  Created:   2026-03-14 19:06:42.801788272 +0000 UTC
  Info:      


OpenTofu acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.
## Tofu Plan Output ``` Error: Error acquiring the state lock Error message: the state is already locked by another tofu client Lock Info: ID: 1f112e9c-c5ed-cf45-1c7b-424d866c2249 Path: Operation: OperationTypePlan Who: ldraney@archbox Version: 1.11.5 Created: 2026-03-14 19:06:42.801788272 +0000 UTC Info: OpenTofu acquires a state lock to protect the state from being written by multiple users at the same time. Please resolve the issue above and try again. For most commands, you can disable locking with the "-lock=false" flag, but this is not recommended. ```
forgejo_admin commented 2026-03-14 19:07:40 +00:00
Author
Owner
Copy link

QA Review-Fix Loop

Blocker 1: Dashboard error panel unit mismatch — FIXED

Added Grafana field override on "5xx error %" series to use percent unit with right Y-axis. Commit da164cb.

Blocker 2: tofu plan output

Plan: 1 to add, 6 to change, 0 to destroy.
Resource Action Change
kubernetes_config_map_v1.pal_e_docs_dashboard create New golden signals dashboard ConfigMap
helm_release.harbor update trivy.enabled = true + resource limits
helm_release.woodpecker update WOODPECKER_FORGEJO_URL → internal svc, SKIP_VERIFY removed
helm_release.kube_prometheus_stack update State drift reconciliation
minio_s3_bucket.assets update force_destroy = true
minio_s3_bucket.postgres_wal update force_destroy = true
minio_s3_bucket.tf_state_backups update force_destroy = true

No resources destroyed. All changes are expected and match the issue scope.

## QA Review-Fix Loop ### Blocker 1: Dashboard error panel unit mismatch — FIXED Added Grafana field override on "5xx error %" series to use `percent` unit with right Y-axis. Commit `da164cb`. ### Blocker 2: `tofu plan` output ``` Plan: 1 to add, 6 to change, 0 to destroy. ``` | Resource | Action | Change | |---|---|---| | `kubernetes_config_map_v1.pal_e_docs_dashboard` | **create** | New golden signals dashboard ConfigMap | | `helm_release.harbor` | update | `trivy.enabled = true` + resource limits | | `helm_release.woodpecker` | update | `WOODPECKER_FORGEJO_URL` → internal svc, `SKIP_VERIFY` removed | | `helm_release.kube_prometheus_stack` | update | State drift reconciliation | | `minio_s3_bucket.assets` | update | `force_destroy = true` | | `minio_s3_bucket.postgres_wal` | update | `force_destroy = true` | | `minio_s3_bucket.tf_state_backups` | update | `force_destroy = true` | No resources destroyed. All changes are expected and match the issue scope.
forgejo_admin commented 2026-03-14 19:14:35 +00:00
Author
Owner
Copy link

Tofu Plan Output


Error: Error acquiring the state lock

Error message: the state is already locked by another tofu client
Lock Info:
  ID:        7c4549e8-499d-f09e-ffb5-dafd5151e271
  Path:      
  Operation: OperationTypePlan
  Who:       ldraney@archbox
  Version:   1.11.5
  Created:   2026-03-14 19:07:04.851503216 +0000 UTC
  Info:      


OpenTofu acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.
## Tofu Plan Output ``` Error: Error acquiring the state lock Error message: the state is already locked by another tofu client Lock Info: ID: 7c4549e8-499d-f09e-ffb5-dafd5151e271 Path: Operation: OperationTypePlan Who: ldraney@archbox Version: 1.11.5 Created: 2026-03-14 19:07:04.851503216 +0000 UTC Info: OpenTofu acquires a state lock to protect the state from being written by multiple users at the same time. Please resolve the issue above and try again. For most commands, you can disable locking with the "-lock=false" flag, but this is not recommended. ```
forgejo_admin commented 2026-03-14 19:17:07 +00:00
Author
Owner
Copy link

Tofu Plan Output


Error: Error acquiring the state lock

Error message: the state is already locked by another tofu client
Lock Info:
  ID:        7c4549e8-499d-f09e-ffb5-dafd5151e271
  Path:      
  Operation: OperationTypePlan
  Who:       ldraney@archbox
  Version:   1.11.5
  Created:   2026-03-14 19:07:04.851503216 +0000 UTC
  Info:      


OpenTofu acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.
## Tofu Plan Output ``` Error: Error acquiring the state lock Error message: the state is already locked by another tofu client Lock Info: ID: 7c4549e8-499d-f09e-ffb5-dafd5151e271 Path: Operation: OperationTypePlan Who: ldraney@archbox Version: 1.11.5 Created: 2026-03-14 19:07:04.851503216 +0000 UTC Info: OpenTofu acquires a state lock to protect the state from being written by multiple users at the same time. Please resolve the issue above and try again. For most commands, you can disable locking with the "-lock=false" flag, but this is not recommended. ```
forgejo_admin commented 2026-03-14 19:19:08 +00:00
Author
Owner
Copy link

Tofu Plan Output

tailscale_acl.this: Refreshing state... [id=acl]
helm_release.nvidia_device_plugin: Refreshing state... [id=nvidia-device-plugin]
kubernetes_namespace_v1.tailscale: Refreshing state... [id=tailscale]
kubernetes_namespace_v1.minio: Refreshing state... [id=minio]
data.kubernetes_namespace_v1.tofu_state: Reading...
kubernetes_namespace_v1.postgres: Refreshing state... [id=postgres]
data.kubernetes_namespace_v1.pal_e_docs: Reading...
kubernetes_namespace_v1.keycloak: Refreshing state... [id=keycloak]
kubernetes_namespace_v1.forgejo: Refreshing state... [id=forgejo]
kubernetes_namespace_v1.cnpg_system: Refreshing state... [id=cnpg-system]
data.kubernetes_namespace_v1.tofu_state: Read complete after 0s [id=tofu-state]
kubernetes_namespace_v1.monitoring: Refreshing state... [id=monitoring]
data.kubernetes_namespace_v1.pal_e_docs: Read complete after 0s [id=pal-e-docs]
kubernetes_namespace_v1.ollama: Refreshing state... [id=ollama]
kubernetes_namespace_v1.harbor: Refreshing state... [id=harbor]
kubernetes_namespace_v1.woodpecker: Refreshing state... [id=woodpecker]
kubernetes_service_account_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_role_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_secret_v1.paledocs_db_url: Refreshing state... [id=pal-e-docs/paledocs-db-url]
helm_release.cnpg: Refreshing state... [id=cnpg]
helm_release.forgejo: Refreshing state... [id=forgejo]
helm_release.tailscale_operator: Refreshing state... [id=tailscale-operator]
helm_release.loki_stack: Refreshing state... [id=loki-stack]
kubernetes_service_v1.keycloak: Refreshing state... [id=keycloak/keycloak]
kubernetes_service_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
helm_release.kube_prometheus_stack: Refreshing state... [id=kube-prometheus-stack]
kubernetes_persistent_volume_claim_v1.keycloak_data: Refreshing state... [id=keycloak/keycloak-data]
kubernetes_secret_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
kubernetes_secret_v1.keycloak_admin: Refreshing state... [id=keycloak/keycloak-admin]
kubernetes_role_binding_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_deployment_v1.keycloak: Refreshing state... [id=keycloak/keycloak]
helm_release.ollama: Refreshing state... [id=ollama]
helm_release.woodpecker: Refreshing state... [id=woodpecker]
kubernetes_ingress_v1.forgejo_funnel: Refreshing state... [id=forgejo/forgejo-funnel]
kubernetes_ingress_v1.keycloak_funnel: Refreshing state... [id=keycloak/keycloak-funnel]
kubernetes_config_map_v1.grafana_loki_datasource: Refreshing state... [id=monitoring/grafana-loki-datasource]
kubernetes_ingress_v1.grafana_funnel: Refreshing state... [id=monitoring/grafana-funnel]
kubernetes_ingress_v1.alertmanager_funnel: Refreshing state... [id=monitoring/alertmanager-funnel]
helm_release.minio: Refreshing state... [id=minio]
kubernetes_config_map_v1.dora_dashboard: Refreshing state... [id=monitoring/dora-dashboard]
helm_release.harbor: Refreshing state... [id=harbor]
kubernetes_deployment_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
kubernetes_manifest.dora_exporter_service_monitor: Refreshing state...
kubernetes_ingress_v1.woodpecker_funnel: Refreshing state... [id=woodpecker/woodpecker-funnel]
minio_iam_policy.cnpg_wal: Refreshing state... [id=cnpg-wal]
minio_iam_user.cnpg: Refreshing state... [id=cnpg]
minio_s3_bucket.assets: Refreshing state... [id=assets]
minio_s3_bucket.postgres_wal: Refreshing state... [id=postgres-wal]
minio_s3_bucket.tf_state_backups: Refreshing state... [id=tf-state-backups]
minio_iam_user.tf_backup: Refreshing state... [id=tf-backup]
minio_iam_policy.tf_backup: Refreshing state... [id=tf-backup]
kubernetes_ingress_v1.minio_api_funnel: Refreshing state... [id=minio/minio-api-funnel]
kubernetes_ingress_v1.minio_funnel: Refreshing state... [id=minio/minio-funnel]
minio_iam_user_policy_attachment.tf_backup: Refreshing state... [id=tf-backup-20260314163610110100000001]
minio_iam_user_policy_attachment.cnpg: Refreshing state... [id=cnpg-20260302210642491000000001]
kubernetes_secret_v1.tf_backup_s3_creds: Refreshing state... [id=tofu-state/tf-backup-s3-creds]
kubernetes_secret_v1.cnpg_s3_creds: Refreshing state... [id=postgres/cnpg-s3-creds]
kubernetes_cron_job_v1.tf_state_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_ingress_v1.harbor_funnel: Refreshing state... [id=harbor/harbor-funnel]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

OpenTofu will perform the following actions:

  # helm_release.harbor will be updated in-place
  ~ resource "helm_release" "harbor" {
        id                         = "harbor"
      ~ metadata                   = [
          - {
              - app_version    = "2.14.2"
              - chart          = "harbor"
              - first_deployed = 1771622483
              - last_deployed  = 1772077299
              - name           = "harbor"
              - namespace      = "harbor"
              - notes          = <<-EOT
                    Please wait for several minutes for Harbor deployment to complete.
                    Then you should be able to visit the Harbor portal at https://harbor.tail5b443a.ts.net
                    For more details, please visit https://github.com/goharbor/harbor
                EOT
              - revision       = 2
              - values         = jsonencode(
                    {
                      - core                = {
                          - resources = {
                              - limits   = {
                                  - memory = "512Mi"
                                }
                              - requests = {
                                  - cpu    = "100m"
                                  - memory = "256Mi"
                                }
                            }
                        }
                      - database            = {
                          - internal = {
                              - resources = {
                                  - limits   = {
                                      - memory = "512Mi"
                                    }
                                  - requests = {
                                      - cpu    = "50m"
                                      - memory = "128Mi"
                                    }
                                }
                            }
                          - type     = "internal"
                        }
                      - expose              = {
                          - clusterIP = {
                              - name  = "harbor"
                              - ports = {
                                  - httpPort = 80
                                }
                            }
                          - tls       = {
                              - enabled = false
                            }
                          - type      = "clusterIP"
                        }
                      - externalURL         = "https://harbor.tail5b443a.ts.net"
                      - harborAdminPassword = "(sensitive value)"
                      - jobservice          = {
                          - resources = {
                              - limits   = {
                                  - memory = "256Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "64Mi"
                                }
                            }
                        }
                      - metrics             = {
                          - enabled        = true
                          - serviceMonitor = {
                              - enabled = true
                            }
                        }
                      - nginx               = {
                          - resources = {
                              - limits   = {
                                  - memory = "128Mi"
                                }
                              - requests = {
                                  - cpu    = "20m"
                                  - memory = "32Mi"
                                }
                            }
                        }
                      - persistence         = {
                          - enabled               = true
                          - persistentVolumeClaim = {
                              - database   = {
                                  - size         = "2Gi"
                                  - storageClass = "local-path"
                                }
                              - jobservice = {
                                  - jobLog = {
                                      - size         = "1Gi"
                                      - storageClass = "local-path"
                                    }
                                }
                              - redis      = {
                                  - size         = "1Gi"
                                  - storageClass = "local-path"
                                }
                              - registry   = {
                                  - size         = "20Gi"
                                  - storageClass = "local-path"
                                }
                            }
                        }
                      - portal              = {
                          - resources = {
                              - limits   = {
                                  - memory = "128Mi"
                                }
                              - requests = {
                                  - cpu    = "20m"
                                  - memory = "32Mi"
                                }
                            }
                        }
                      - redis               = {
                          - internal = {
                              - resources = {
                                  - limits   = {
                                      - memory = "128Mi"
                                    }
                                  - requests = {
                                      - cpu    = "20m"
                                      - memory = "32Mi"
                                    }
                                }
                            }
                          - type     = "internal"
                        }
                      - registry            = {
                          - resources = {
                              - limits   = {
                                  - memory = "256Mi"
                                }
                              - requests = {
                                  - cpu    = "100m"
                                  - memory = "128Mi"
                                }
                            }
                        }
                      - secretKey           = "(sensitive value)"
                      - trivy               = {
                          - enabled = false
                        }
                    }
                )
              - version        = "1.18.2"
            },
        ] -> (known after apply)
        name                       = "harbor"
      ~ values                     = [
          - <<-EOT
                "core":
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "256Mi"
                "database":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "512Mi"
                      "requests":
                        "cpu": "50m"
                        "memory": "128Mi"
                  "type": "internal"
                "expose":
                  "clusterIP":
                    "name": "harbor"
                    "ports":
                      "httpPort": 80
                  "tls":
                    "enabled": false
                  "type": "clusterIP"
                "externalURL": "https://harbor.tail5b443a.ts.net"
                "jobservice":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "metrics":
                  "enabled": true
                  "serviceMonitor":
                    "enabled": true
                "nginx":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "persistence":
                  "enabled": true
                  "persistentVolumeClaim":
                    "database":
                      "size": "2Gi"
                      "storageClass": "local-path"
                    "jobservice":
                      "jobLog":
                        "size": "1Gi"
                        "storageClass": "local-path"
                    "redis":
                      "size": "1Gi"
                      "storageClass": "local-path"
                    "registry":
                      "size": "20Gi"
                      "storageClass": "local-path"
                "portal":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "redis":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "128Mi"
                      "requests":
                        "cpu": "20m"
                        "memory": "32Mi"
                  "type": "internal"
                "registry":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "128Mi"
                "trivy":
                  "enabled": false
            EOT,
          + <<-EOT
                "core":
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "256Mi"
                "database":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "512Mi"
                      "requests":
                        "cpu": "50m"
                        "memory": "128Mi"
                  "type": "internal"
                "expose":
                  "clusterIP":
                    "name": "harbor"
                    "ports":
                      "httpPort": 80
                  "tls":
                    "enabled": false
                  "type": "clusterIP"
                "externalURL": "https://harbor.tail5b443a.ts.net"
                "jobservice":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "metrics":
                  "enabled": true
                  "serviceMonitor":
                    "enabled": true
                "nginx":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "persistence":
                  "enabled": true
                  "persistentVolumeClaim":
                    "database":
                      "size": "2Gi"
                      "storageClass": "local-path"
                    "jobservice":
                      "jobLog":
                        "size": "1Gi"
                        "storageClass": "local-path"
                    "redis":
                      "size": "1Gi"
                      "storageClass": "local-path"
                    "registry":
                      "size": "20Gi"
                      "storageClass": "local-path"
                "portal":
                  "resources":
                    "limits":
                      "memory": "128Mi"
                    "requests":
                      "cpu": "20m"
                      "memory": "32Mi"
                "redis":
                  "internal":
                    "resources":
                      "limits":
                        "memory": "128Mi"
                      "requests":
                        "cpu": "20m"
                        "memory": "32Mi"
                  "type": "internal"
                "registry":
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "100m"
                      "memory": "128Mi"
                "trivy":
                  "enabled": true
                  "resources":
                    "limits":
                      "memory": "1Gi"
                    "requests":
                      "cpu": "100m"
                      "memory": "256Mi"
            EOT,
        ]
        # (27 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # helm_release.woodpecker will be updated in-place
  ~ resource "helm_release" "woodpecker" {
        id                         = "woodpecker"
      ~ metadata                   = [
          - {
              - app_version    = "3.13.0"
              - chart          = "woodpecker"
              - first_deployed = 1771568949
              - last_deployed  = 1773082003
              - name           = "woodpecker"
              - namespace      = "woodpecker"
              - notes          = <<-EOT
                    1. Get the application URL by running these commands:
                      export POD_NAME=$(kubectl get pods --namespace woodpecker -l "app.kubernetes.io/name=server,app.kubernetes.io/instance=woodpecker" -o jsonpath="{.items[0].metadata.name}")
                      export CONTAINER_PORT=$(kubectl get pod --namespace woodpecker $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
                      echo "Visit http://127.0.0.1:8080 to use your application"
                      kubectl --namespace woodpecker port-forward $POD_NAME 8080:$CONTAINER_PORT
                EOT
              - revision       = 7
              - values         = jsonencode(
                    {
                      - agent  = {
                          - enabled      = true
                          - env          = {
                              - WOODPECKER_BACKEND                   = "kubernetes"
                              - WOODPECKER_BACKEND_K8S_NAMESPACE     = "woodpecker"
                              - WOODPECKER_BACKEND_K8S_STORAGE_CLASS = "local-path"
                              - WOODPECKER_BACKEND_K8S_VOLUME_SIZE   = "1Gi"
                            }
                          - replicaCount = 1
                          - resources    = {
                              - limits   = {
                                  - memory = "256Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "64Mi"
                                }
                            }
                        }
                      - server = {
                          - env              = {
                              - WOODPECKER_ADMIN               = "forgejo_admin"
                              - WOODPECKER_FORGEJO             = "true"
                              - WOODPECKER_FORGEJO_CLIENT      = "(sensitive value)"
                              - WOODPECKER_FORGEJO_SECRET      = "(sensitive value)"
                              - WOODPECKER_FORGEJO_SKIP_VERIFY = "false"
                              - WOODPECKER_FORGEJO_URL         = "https://forgejo.tail5b443a.ts.net"
                              - WOODPECKER_HOST                = "https://woodpecker.tail5b443a.ts.net"
                            }
                          - persistentVolume = {
                              - enabled      = true
                              - size         = "5Gi"
                              - storageClass = "local-path"
                            }
                          - resources        = {
                              - limits   = {
                                  - memory = "512Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "128Mi"
                                }
                            }
                          - statefulSet      = {
                              - replicaCount = 1
                            }
                        }
                    }
                )
              - version        = "3.5.1"
            },
        ] -> (known after apply)
        name                       = "woodpecker"
      ~ values                     = [
          - <<-EOT
                "agent":
                  "enabled": true
                  "env":
                    "WOODPECKER_BACKEND": "kubernetes"
                    "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker"
                    "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path"
                    "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi"
                  "replicaCount": 1
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "server":
                  "env":
                    "WOODPECKER_ADMIN": "forgejo_admin"
                    "WOODPECKER_FORGEJO": "true"
                    "WOODPECKER_FORGEJO_SKIP_VERIFY": "false"
                    "WOODPECKER_FORGEJO_URL": "https://forgejo.tail5b443a.ts.net"
                    "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net"
                  "persistentVolume":
                    "enabled": true
                    "size": "5Gi"
                    "storageClass": "local-path"
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "128Mi"
                  "statefulSet":
                    "replicaCount": 1
            EOT,
          + <<-EOT
                "agent":
                  "enabled": true
                  "env":
                    "WOODPECKER_BACKEND": "kubernetes"
                    "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker"
                    "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path"
                    "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi"
                  "replicaCount": 1
                  "resources":
                    "limits":
                      "memory": "256Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "64Mi"
                "server":
                  "env":
                    "WOODPECKER_ADMIN": "forgejo_admin"
                    "WOODPECKER_FORGEJO": "true"
                    "WOODPECKER_FORGEJO_URL": "http://forgejo-http.forgejo.svc.cluster.local:80"
                    "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net"
                  "persistentVolume":
                    "enabled": true
                    "size": "5Gi"
                    "storageClass": "local-path"
                  "resources":
                    "limits":
                      "memory": "512Mi"
                    "requests":
                      "cpu": "50m"
                      "memory": "128Mi"
                  "statefulSet":
                    "replicaCount": 1
            EOT,
        ]
        # (26 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # kubernetes_config_map_v1.pal_e_docs_dashboard will be created
  + resource "kubernetes_config_map_v1" "pal_e_docs_dashboard" {
      + data = {
          + "pal-e-docs-golden-signals.json" = jsonencode(
                {
                  + annotations          = {
                      + list = [
                          + {
                              + builtIn    = 1
                              + datasource = {
                                  + type = "grafana"
                                  + uid  = "-- Grafana --"
                                }
                              + enable     = true
                              + hide       = true
                              + iconColor  = "rgba(0, 211, 255, 1)"
                              + name       = "Annotations & Alerts"
                              + type       = "dashboard"
                            },
                        ]
                    }
                  + editable             = true
                  + fiscalYearStartMonth = 0
                  + graphTooltip         = 1
                  + id                   = null
                  + links                = []
                  + panels               = [
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 0
                            }
                          + id        = 1
                          + title     = "Traffic"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "req/s"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "reqps"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 24
                              + x = 0
                              + y = 1
                            }
                          + id          = 2
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m]))"
                                  + legendFormat = "total req/s"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])) by (handler)"
                                  + legendFormat = "{{ handler }}"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "Request Rate"
                          + type        = "timeseries"
                        },
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 9
                            }
                          + id        = 3
                          + title     = "Latency"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "seconds"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "s"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 24
                              + x = 0
                              + y = 10
                            }
                          + id          = 4
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "histogram_quantile(0.50, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))"
                                  + legendFormat = "p50"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))"
                                  + legendFormat = "p95"
                                  + refId        = "B"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))"
                                  + legendFormat = "p99"
                                  + refId        = "C"
                                },
                            ]
                          + title       = "Request Latency Percentiles"
                          + type        = "timeseries"
                        },
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 18
                            }
                          + id        = 5
                          + title     = "Errors"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "errors/s"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "reqps"
                                }
                              + overrides = [
                                  + {
                                      + matcher    = {
                                          + id      = "byName"
                                          + options = "5xx error %"
                                        }
                                      + properties = [
                                          + {
                                              + id    = "unit"
                                              + value = "percent"
                                            },
                                          + {
                                              + id    = "custom.axisPlacement"
                                              + value = "right"
                                            },
                                          + {
                                              + id    = "custom.axisLabel"
                                              + value = "error %"
                                            },
                                        ]
                                    },
                                ]
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 24
                              + x = 0
                              + y = 19
                            }
                          + id          = 6
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m]))"
                                  + legendFormat = "5xx errors/s"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m])) / clamp_min(sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])), 0.001) * 100"
                                  + legendFormat = "5xx error %"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "5xx Error Rate"
                          + type        = "timeseries"
                        },
                      + {
                          + collapsed = false
                          + gridPos   = {
                              + h = 1
                              + w = 24
                              + x = 0
                              + y = 27
                            }
                          + id        = 7
                          + title     = "Saturation"
                          + type      = "row"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = "CPU cores"
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "short"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 12
                              + x = 0
                              + y = 28
                            }
                          + id          = 8
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(rate(container_cpu_usage_seconds_total{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}[5m])) by (pod)"
                                  + legendFormat = "{{ pod }} usage"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"cpu\"}) by (pod)"
                                  + legendFormat = "{{ pod }} limit"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "CPU Usage vs Limits"
                          + type        = "timeseries"
                        },
                      + {
                          + datasource  = {
                              + type = "prometheus"
                              + uid  = "${DS_PROMETHEUS}"
                            }
                          + fieldConfig = {
                              + defaults  = {
                                  + color    = {
                                      + mode = "palette-classic"
                                    }
                                  + custom   = {
                                      + axisBorderShow    = false
                                      + axisCenteredZero  = false
                                      + axisColorMode     = "text"
                                      + axisLabel         = ""
                                      + axisPlacement     = "auto"
                                      + barAlignment      = 0
                                      + drawStyle         = "line"
                                      + fillOpacity       = 20
                                      + gradientMode      = "none"
                                      + hideFrom          = {
                                          + legend  = false
                                          + tooltip = false
                                          + viz     = false
                                        }
                                      + insertNulls       = false
                                      + lineInterpolation = "smooth"
                                      + lineWidth         = 2
                                      + pointSize         = 5
                                      + scaleDistribution = {
                                          + type = "linear"
                                        }
                                      + showPoints        = "auto"
                                      + spanNulls         = true
                                      + stacking          = {
                                          + group = "A"
                                          + mode  = "none"
                                        }
                                      + thresholdsStyle   = {
                                          + mode = "off"
                                        }
                                    }
                                  + mappings = []
                                  + unit     = "bytes"
                                }
                              + overrides = []
                            }
                          + gridPos     = {
                              + h = 8
                              + w = 12
                              + x = 12
                              + y = 28
                            }
                          + id          = 9
                          + options     = {
                              + legend  = {
                                  + calcs       = [
                                      + "mean",
                                      + "lastNotNull",
                                    ]
                                  + displayMode = "table"
                                  + placement   = "bottom"
                                }
                              + tooltip = {
                                  + mode = "multi"
                                  + sort = "desc"
                                }
                            }
                          + targets     = [
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(container_memory_working_set_bytes{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}) by (pod)"
                                  + legendFormat = "{{ pod }} usage"
                                  + refId        = "A"
                                },
                              + {
                                  + datasource   = {
                                      + type = "prometheus"
                                      + uid  = "${DS_PROMETHEUS}"
                                    }
                                  + expr         = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"memory\"}) by (pod)"
                                  + legendFormat = "{{ pod }} limit"
                                  + refId        = "B"
                                },
                            ]
                          + title       = "Memory Usage vs Limits"
                          + type        = "timeseries"
                        },
                    ]
                  + schemaVersion        = 39
                  + tags                 = [
                      + "pal-e-docs",
                      + "golden-signals",
                      + "sre",
                    ]
                  + templating           = {
                      + list = [
                          + {
                              + current     = {}
                              + hide        = 0
                              + includeAll  = false
                              + label       = "Prometheus"
                              + multi       = false
                              + name        = "DS_PROMETHEUS"
                              + options     = []
                              + query       = "prometheus"
                              + queryValue  = ""
                              + refresh     = 1
                              + regex       = ""
                              + skipUrlSync = false
                              + type        = "datasource"
                            },
                        ]
                    }
                  + time                 = {
                      + from = "now-6h"
                      + to   = "now"
                    }
                  + timepicker           = {}
                  + timezone             = ""
                  + title                = "pal-e-docs Golden Signals"
                  + uid                  = "pal-e-docs-golden-signals"
                  + version              = 1
                }
            )
        }
      + id   = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + labels           = {
              + "grafana_dashboard" = "1"
            }
          + name             = "pal-e-docs-dashboard"
          + namespace        = "monitoring"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # minio_s3_bucket.assets will be updated in-place
  ~ resource "minio_s3_bucket" "assets" {
      ~ force_destroy      = false -> true
        id                 = "assets"
        tags               = {}
        # (5 unchanged attributes hidden)
    }

  # minio_s3_bucket.postgres_wal will be updated in-place
  ~ resource "minio_s3_bucket" "postgres_wal" {
      ~ force_destroy      = false -> true
        id                 = "postgres-wal"
        tags               = {}
        # (5 unchanged attributes hidden)
    }

  # minio_s3_bucket.tf_state_backups will be updated in-place
  ~ resource "minio_s3_bucket" "tf_state_backups" {
      ~ force_destroy      = false -> true
        id                 = "tf-state-backups"
        tags               = {}
        # (5 unchanged attributes hidden)
    }

Plan: 1 to add, 5 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.
## Tofu Plan Output ``` tailscale_acl.this: Refreshing state... [id=acl] helm_release.nvidia_device_plugin: Refreshing state... [id=nvidia-device-plugin] kubernetes_namespace_v1.tailscale: Refreshing state... [id=tailscale] kubernetes_namespace_v1.minio: Refreshing state... [id=minio] data.kubernetes_namespace_v1.tofu_state: Reading... kubernetes_namespace_v1.postgres: Refreshing state... [id=postgres] data.kubernetes_namespace_v1.pal_e_docs: Reading... kubernetes_namespace_v1.keycloak: Refreshing state... [id=keycloak] kubernetes_namespace_v1.forgejo: Refreshing state... [id=forgejo] kubernetes_namespace_v1.cnpg_system: Refreshing state... [id=cnpg-system] data.kubernetes_namespace_v1.tofu_state: Read complete after 0s [id=tofu-state] kubernetes_namespace_v1.monitoring: Refreshing state... [id=monitoring] data.kubernetes_namespace_v1.pal_e_docs: Read complete after 0s [id=pal-e-docs] kubernetes_namespace_v1.ollama: Refreshing state... [id=ollama] kubernetes_namespace_v1.harbor: Refreshing state... [id=harbor] kubernetes_namespace_v1.woodpecker: Refreshing state... [id=woodpecker] kubernetes_service_account_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_role_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_secret_v1.paledocs_db_url: Refreshing state... [id=pal-e-docs/paledocs-db-url] helm_release.cnpg: Refreshing state... [id=cnpg] helm_release.forgejo: Refreshing state... [id=forgejo] helm_release.tailscale_operator: Refreshing state... [id=tailscale-operator] helm_release.loki_stack: Refreshing state... [id=loki-stack] kubernetes_service_v1.keycloak: Refreshing state... [id=keycloak/keycloak] kubernetes_service_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] helm_release.kube_prometheus_stack: Refreshing state... [id=kube-prometheus-stack] kubernetes_persistent_volume_claim_v1.keycloak_data: Refreshing state... [id=keycloak/keycloak-data] kubernetes_secret_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] kubernetes_secret_v1.keycloak_admin: Refreshing state... [id=keycloak/keycloak-admin] kubernetes_role_binding_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_deployment_v1.keycloak: Refreshing state... [id=keycloak/keycloak] helm_release.ollama: Refreshing state... [id=ollama] helm_release.woodpecker: Refreshing state... [id=woodpecker] kubernetes_ingress_v1.forgejo_funnel: Refreshing state... [id=forgejo/forgejo-funnel] kubernetes_ingress_v1.keycloak_funnel: Refreshing state... [id=keycloak/keycloak-funnel] kubernetes_config_map_v1.grafana_loki_datasource: Refreshing state... [id=monitoring/grafana-loki-datasource] kubernetes_ingress_v1.grafana_funnel: Refreshing state... [id=monitoring/grafana-funnel] kubernetes_ingress_v1.alertmanager_funnel: Refreshing state... [id=monitoring/alertmanager-funnel] helm_release.minio: Refreshing state... [id=minio] kubernetes_config_map_v1.dora_dashboard: Refreshing state... [id=monitoring/dora-dashboard] helm_release.harbor: Refreshing state... [id=harbor] kubernetes_deployment_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] kubernetes_manifest.dora_exporter_service_monitor: Refreshing state... kubernetes_ingress_v1.woodpecker_funnel: Refreshing state... [id=woodpecker/woodpecker-funnel] minio_iam_policy.cnpg_wal: Refreshing state... [id=cnpg-wal] minio_iam_user.cnpg: Refreshing state... [id=cnpg] minio_s3_bucket.assets: Refreshing state... [id=assets] minio_s3_bucket.postgres_wal: Refreshing state... [id=postgres-wal] minio_s3_bucket.tf_state_backups: Refreshing state... [id=tf-state-backups] minio_iam_user.tf_backup: Refreshing state... [id=tf-backup] minio_iam_policy.tf_backup: Refreshing state... [id=tf-backup] kubernetes_ingress_v1.minio_api_funnel: Refreshing state... [id=minio/minio-api-funnel] kubernetes_ingress_v1.minio_funnel: Refreshing state... [id=minio/minio-funnel] minio_iam_user_policy_attachment.tf_backup: Refreshing state... [id=tf-backup-20260314163610110100000001] minio_iam_user_policy_attachment.cnpg: Refreshing state... [id=cnpg-20260302210642491000000001] kubernetes_secret_v1.tf_backup_s3_creds: Refreshing state... [id=tofu-state/tf-backup-s3-creds] kubernetes_secret_v1.cnpg_s3_creds: Refreshing state... [id=postgres/cnpg-s3-creds] kubernetes_cron_job_v1.tf_state_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_ingress_v1.harbor_funnel: Refreshing state... [id=harbor/harbor-funnel] OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create ~ update in-place OpenTofu will perform the following actions: # helm_release.harbor will be updated in-place ~ resource "helm_release" "harbor" { id = "harbor" ~ metadata = [ - { - app_version = "2.14.2" - chart = "harbor" - first_deployed = 1771622483 - last_deployed = 1772077299 - name = "harbor" - namespace = "harbor" - notes = <<-EOT Please wait for several minutes for Harbor deployment to complete. Then you should be able to visit the Harbor portal at https://harbor.tail5b443a.ts.net For more details, please visit https://github.com/goharbor/harbor EOT - revision = 2 - values = jsonencode( { - core = { - resources = { - limits = { - memory = "512Mi" } - requests = { - cpu = "100m" - memory = "256Mi" } } } - database = { - internal = { - resources = { - limits = { - memory = "512Mi" } - requests = { - cpu = "50m" - memory = "128Mi" } } } - type = "internal" } - expose = { - clusterIP = { - name = "harbor" - ports = { - httpPort = 80 } } - tls = { - enabled = false } - type = "clusterIP" } - externalURL = "https://harbor.tail5b443a.ts.net" - harborAdminPassword = "(sensitive value)" - jobservice = { - resources = { - limits = { - memory = "256Mi" } - requests = { - cpu = "50m" - memory = "64Mi" } } } - metrics = { - enabled = true - serviceMonitor = { - enabled = true } } - nginx = { - resources = { - limits = { - memory = "128Mi" } - requests = { - cpu = "20m" - memory = "32Mi" } } } - persistence = { - enabled = true - persistentVolumeClaim = { - database = { - size = "2Gi" - storageClass = "local-path" } - jobservice = { - jobLog = { - size = "1Gi" - storageClass = "local-path" } } - redis = { - size = "1Gi" - storageClass = "local-path" } - registry = { - size = "20Gi" - storageClass = "local-path" } } } - portal = { - resources = { - limits = { - memory = "128Mi" } - requests = { - cpu = "20m" - memory = "32Mi" } } } - redis = { - internal = { - resources = { - limits = { - memory = "128Mi" } - requests = { - cpu = "20m" - memory = "32Mi" } } } - type = "internal" } - registry = { - resources = { - limits = { - memory = "256Mi" } - requests = { - cpu = "100m" - memory = "128Mi" } } } - secretKey = "(sensitive value)" - trivy = { - enabled = false } } ) - version = "1.18.2" }, ] -> (known after apply) name = "harbor" ~ values = [ - <<-EOT "core": "resources": "limits": "memory": "512Mi" "requests": "cpu": "100m" "memory": "256Mi" "database": "internal": "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "type": "internal" "expose": "clusterIP": "name": "harbor" "ports": "httpPort": 80 "tls": "enabled": false "type": "clusterIP" "externalURL": "https://harbor.tail5b443a.ts.net" "jobservice": "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "metrics": "enabled": true "serviceMonitor": "enabled": true "nginx": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "persistence": "enabled": true "persistentVolumeClaim": "database": "size": "2Gi" "storageClass": "local-path" "jobservice": "jobLog": "size": "1Gi" "storageClass": "local-path" "redis": "size": "1Gi" "storageClass": "local-path" "registry": "size": "20Gi" "storageClass": "local-path" "portal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "redis": "internal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "type": "internal" "registry": "resources": "limits": "memory": "256Mi" "requests": "cpu": "100m" "memory": "128Mi" "trivy": "enabled": false EOT, + <<-EOT "core": "resources": "limits": "memory": "512Mi" "requests": "cpu": "100m" "memory": "256Mi" "database": "internal": "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "type": "internal" "expose": "clusterIP": "name": "harbor" "ports": "httpPort": 80 "tls": "enabled": false "type": "clusterIP" "externalURL": "https://harbor.tail5b443a.ts.net" "jobservice": "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "metrics": "enabled": true "serviceMonitor": "enabled": true "nginx": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "persistence": "enabled": true "persistentVolumeClaim": "database": "size": "2Gi" "storageClass": "local-path" "jobservice": "jobLog": "size": "1Gi" "storageClass": "local-path" "redis": "size": "1Gi" "storageClass": "local-path" "registry": "size": "20Gi" "storageClass": "local-path" "portal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "redis": "internal": "resources": "limits": "memory": "128Mi" "requests": "cpu": "20m" "memory": "32Mi" "type": "internal" "registry": "resources": "limits": "memory": "256Mi" "requests": "cpu": "100m" "memory": "128Mi" "trivy": "enabled": true "resources": "limits": "memory": "1Gi" "requests": "cpu": "100m" "memory": "256Mi" EOT, ] # (27 unchanged attributes hidden) # (2 unchanged blocks hidden) } # helm_release.woodpecker will be updated in-place ~ resource "helm_release" "woodpecker" { id = "woodpecker" ~ metadata = [ - { - app_version = "3.13.0" - chart = "woodpecker" - first_deployed = 1771568949 - last_deployed = 1773082003 - name = "woodpecker" - namespace = "woodpecker" - notes = <<-EOT 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace woodpecker -l "app.kubernetes.io/name=server,app.kubernetes.io/instance=woodpecker" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace woodpecker $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace woodpecker port-forward $POD_NAME 8080:$CONTAINER_PORT EOT - revision = 7 - values = jsonencode( { - agent = { - enabled = true - env = { - WOODPECKER_BACKEND = "kubernetes" - WOODPECKER_BACKEND_K8S_NAMESPACE = "woodpecker" - WOODPECKER_BACKEND_K8S_STORAGE_CLASS = "local-path" - WOODPECKER_BACKEND_K8S_VOLUME_SIZE = "1Gi" } - replicaCount = 1 - resources = { - limits = { - memory = "256Mi" } - requests = { - cpu = "50m" - memory = "64Mi" } } } - server = { - env = { - WOODPECKER_ADMIN = "forgejo_admin" - WOODPECKER_FORGEJO = "true" - WOODPECKER_FORGEJO_CLIENT = "(sensitive value)" - WOODPECKER_FORGEJO_SECRET = "(sensitive value)" - WOODPECKER_FORGEJO_SKIP_VERIFY = "false" - WOODPECKER_FORGEJO_URL = "https://forgejo.tail5b443a.ts.net" - WOODPECKER_HOST = "https://woodpecker.tail5b443a.ts.net" } - persistentVolume = { - enabled = true - size = "5Gi" - storageClass = "local-path" } - resources = { - limits = { - memory = "512Mi" } - requests = { - cpu = "50m" - memory = "128Mi" } } - statefulSet = { - replicaCount = 1 } } } ) - version = "3.5.1" }, ] -> (known after apply) name = "woodpecker" ~ values = [ - <<-EOT "agent": "enabled": true "env": "WOODPECKER_BACKEND": "kubernetes" "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker" "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path" "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi" "replicaCount": 1 "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "server": "env": "WOODPECKER_ADMIN": "forgejo_admin" "WOODPECKER_FORGEJO": "true" "WOODPECKER_FORGEJO_SKIP_VERIFY": "false" "WOODPECKER_FORGEJO_URL": "https://forgejo.tail5b443a.ts.net" "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net" "persistentVolume": "enabled": true "size": "5Gi" "storageClass": "local-path" "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "statefulSet": "replicaCount": 1 EOT, + <<-EOT "agent": "enabled": true "env": "WOODPECKER_BACKEND": "kubernetes" "WOODPECKER_BACKEND_K8S_NAMESPACE": "woodpecker" "WOODPECKER_BACKEND_K8S_STORAGE_CLASS": "local-path" "WOODPECKER_BACKEND_K8S_VOLUME_SIZE": "1Gi" "replicaCount": 1 "resources": "limits": "memory": "256Mi" "requests": "cpu": "50m" "memory": "64Mi" "server": "env": "WOODPECKER_ADMIN": "forgejo_admin" "WOODPECKER_FORGEJO": "true" "WOODPECKER_FORGEJO_URL": "http://forgejo-http.forgejo.svc.cluster.local:80" "WOODPECKER_HOST": "https://woodpecker.tail5b443a.ts.net" "persistentVolume": "enabled": true "size": "5Gi" "storageClass": "local-path" "resources": "limits": "memory": "512Mi" "requests": "cpu": "50m" "memory": "128Mi" "statefulSet": "replicaCount": 1 EOT, ] # (26 unchanged attributes hidden) # (2 unchanged blocks hidden) } # kubernetes_config_map_v1.pal_e_docs_dashboard will be created + resource "kubernetes_config_map_v1" "pal_e_docs_dashboard" { + data = { + "pal-e-docs-golden-signals.json" = jsonencode( { + annotations = { + list = [ + { + builtIn = 1 + datasource = { + type = "grafana" + uid = "-- Grafana --" } + enable = true + hide = true + iconColor = "rgba(0, 211, 255, 1)" + name = "Annotations & Alerts" + type = "dashboard" }, ] } + editable = true + fiscalYearStartMonth = 0 + graphTooltip = 1 + id = null + links = [] + panels = [ + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 0 } + id = 1 + title = "Traffic" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "req/s" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "reqps" } + overrides = [] } + gridPos = { + h = 8 + w = 24 + x = 0 + y = 1 } + id = 2 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m]))" + legendFormat = "total req/s" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])) by (handler)" + legendFormat = "{{ handler }}" + refId = "B" }, ] + title = "Request Rate" + type = "timeseries" }, + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 9 } + id = 3 + title = "Latency" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "seconds" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "s" } + overrides = [] } + gridPos = { + h = 8 + w = 24 + x = 0 + y = 10 } + id = 4 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "histogram_quantile(0.50, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))" + legendFormat = "p50" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))" + legendFormat = "p95" + refId = "B" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket{namespace=\"pal-e-docs\"}[5m])) by (le))" + legendFormat = "p99" + refId = "C" }, ] + title = "Request Latency Percentiles" + type = "timeseries" }, + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 18 } + id = 5 + title = "Errors" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "errors/s" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "reqps" } + overrides = [ + { + matcher = { + id = "byName" + options = "5xx error %" } + properties = [ + { + id = "unit" + value = "percent" }, + { + id = "custom.axisPlacement" + value = "right" }, + { + id = "custom.axisLabel" + value = "error %" }, ] }, ] } + gridPos = { + h = 8 + w = 24 + x = 0 + y = 19 } + id = 6 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m]))" + legendFormat = "5xx errors/s" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(http_requests_total{namespace=\"pal-e-docs\", status=~\"5..\"}[5m])) / clamp_min(sum(rate(http_requests_total{namespace=\"pal-e-docs\"}[5m])), 0.001) * 100" + legendFormat = "5xx error %" + refId = "B" }, ] + title = "5xx Error Rate" + type = "timeseries" }, + { + collapsed = false + gridPos = { + h = 1 + w = 24 + x = 0 + y = 27 } + id = 7 + title = "Saturation" + type = "row" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "CPU cores" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "short" } + overrides = [] } + gridPos = { + h = 8 + w = 12 + x = 0 + y = 28 } + id = 8 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(rate(container_cpu_usage_seconds_total{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}[5m])) by (pod)" + legendFormat = "{{ pod }} usage" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"cpu\"}) by (pod)" + legendFormat = "{{ pod }} limit" + refId = "B" }, ] + title = "CPU Usage vs Limits" + type = "timeseries" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + fieldConfig = { + defaults = { + color = { + mode = "palette-classic" } + custom = { + axisBorderShow = false + axisCenteredZero = false + axisColorMode = "text" + axisLabel = "" + axisPlacement = "auto" + barAlignment = 0 + drawStyle = "line" + fillOpacity = 20 + gradientMode = "none" + hideFrom = { + legend = false + tooltip = false + viz = false } + insertNulls = false + lineInterpolation = "smooth" + lineWidth = 2 + pointSize = 5 + scaleDistribution = { + type = "linear" } + showPoints = "auto" + spanNulls = true + stacking = { + group = "A" + mode = "none" } + thresholdsStyle = { + mode = "off" } } + mappings = [] + unit = "bytes" } + overrides = [] } + gridPos = { + h = 8 + w = 12 + x = 12 + y = 28 } + id = 9 + options = { + legend = { + calcs = [ + "mean", + "lastNotNull", ] + displayMode = "table" + placement = "bottom" } + tooltip = { + mode = "multi" + sort = "desc" } } + targets = [ + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(container_memory_working_set_bytes{namespace=\"pal-e-docs\", container!=\"\", container!=\"POD\"}) by (pod)" + legendFormat = "{{ pod }} usage" + refId = "A" }, + { + datasource = { + type = "prometheus" + uid = "${DS_PROMETHEUS}" } + expr = "sum(kube_pod_container_resource_limits{namespace=\"pal-e-docs\", resource=\"memory\"}) by (pod)" + legendFormat = "{{ pod }} limit" + refId = "B" }, ] + title = "Memory Usage vs Limits" + type = "timeseries" }, ] + schemaVersion = 39 + tags = [ + "pal-e-docs", + "golden-signals", + "sre", ] + templating = { + list = [ + { + current = {} + hide = 0 + includeAll = false + label = "Prometheus" + multi = false + name = "DS_PROMETHEUS" + options = [] + query = "prometheus" + queryValue = "" + refresh = 1 + regex = "" + skipUrlSync = false + type = "datasource" }, ] } + time = { + from = "now-6h" + to = "now" } + timepicker = {} + timezone = "" + title = "pal-e-docs Golden Signals" + uid = "pal-e-docs-golden-signals" + version = 1 } ) } + id = (known after apply) + metadata { + generation = (known after apply) + labels = { + "grafana_dashboard" = "1" } + name = "pal-e-docs-dashboard" + namespace = "monitoring" + resource_version = (known after apply) + uid = (known after apply) } } # minio_s3_bucket.assets will be updated in-place ~ resource "minio_s3_bucket" "assets" { ~ force_destroy = false -> true id = "assets" tags = {} # (5 unchanged attributes hidden) } # minio_s3_bucket.postgres_wal will be updated in-place ~ resource "minio_s3_bucket" "postgres_wal" { ~ force_destroy = false -> true id = "postgres-wal" tags = {} # (5 unchanged attributes hidden) } # minio_s3_bucket.tf_state_backups will be updated in-place ~ resource "minio_s3_bucket" "tf_state_backups" { ~ force_destroy = false -> true id = "tf-state-backups" tags = {} # (5 unchanged attributes hidden) } Plan: 1 to add, 5 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so OpenTofu can't guarantee to take exactly these actions if you run "tofu apply" now. ```
forgejo_admin deleted branch 55-platform-hardening-woodpecker-tls-fix-tr 2026-03-14 19:22:48 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/pal-e-platform!56
No description provided.