diff --git a/kustomization.yaml b/kustomization.yaml
index fe57cd3..42b4801 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -4,6 +4,23 @@
 # where the ProviderConfig `default` and the referenced Secrets live.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+# PAUSED until the platform WireGuard server (WS3) lands. Every resource here still
+# carries WS3 placeholders — the WireGuard Client's peer endpoint IP + keys, the
+# TrafficRoute's VPN-client network id, and the admin DNS records' gateway VIP
+# (10.200.0.10, which does not exist yet). Applying them now would fail the
+# Client/TrafficRoute on their placeholders AND create local DNS records that point
+# the admin hostnames at a dead VIP — breaking LAN access to those UIs. So we hold
+# every resource with `crossplane.io/paused`: once the provider is reachable it
+# connects and can manage the controller, but touches nothing here until WS3 fills
+# the real values. Unpause by removing this annotation — per-resource as each WS3
+# dependency lands, or all at once when WS3 is complete.
+#
+# NOTE: `commonAnnotations` pauses EVERY resource in this kustomization — that is
+# deliberate, since this file's whole resource set is WS3-gated. Do not add a
+# resource here that must reconcile before WS3 lands; it would inherit the pause
+# silently (put it in its own kustomization instead).
+commonAnnotations:
+ crossplane.io/paused: "true"
 resources:
 - wireguard-vpn-client.yaml
 - admin-dns.yaml
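Review bot: The comment's "per-resource as each WS3 dependency lands" unpause path does not match the mechanism used two lines below it: `commonAnnotations` stamps `crossplane.io/paused: "true"` on every entry under `resources:`, so deleting the key releases all of them together, and an annotation removed by hand from one live object would presumably be written back on the next apply of this kustomization. I would reword that sentence to something like `# Unpause all at once by deleting commonAnnotations; to release one resource early, move it into its own kustomization.` Because the dead-VIP DNS records are only held back if the provider actually honours the annotation, the comment should also say how to confirm the hold after the first apply: each managed resource is expected to report `Synced=False` with reason `ReconcilePaused`, and anything showing a normal sync should be treated as not paused. The rest of kustomization.yaml is outside this hunk, so whether other transformers or patches also touch these annotations cannot be checked from here.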