From ffdf242e98b88dc8e091bc31bc7d9793fd9d8a75 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Sat, 4 Jul 2026 20:41:31 +0200
Subject: [PATCH 1/2] fix: pause WS3-gated resources until the WireGuard server lands
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Every managed resource here still carries WS3 placeholders — the WireGuard Client's peer endpoint IP + keys, the TrafficRoute's VPN-client network id, and the admin DNS records' gateway VIP (10.200.0.10, which doesn't exist yet). Once provider-upjet-unifi becomes reachable (platform#2467: writable /tmp + Cloud Connector), it would try to reconcile these — failing the Client/TrafficRoute on their placeholders and, worse, CREATING local DNS records that point the admin hostnames at a dead VIP, breaking LAN access to those UIs. Hold every resource with crossplane.io/paused via commonAnnotations so the provider connects and can manage the controller, but touches nothing here until WS3 fills the real values. Unpause by removing the annotation (per-resource as each WS3 dependency lands, or all at once when WS3 is complete).

Co-Authored-By: Claude Opus 4.8
---
 kustomization.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/kustomization.yaml b/kustomization.yaml
index fe57cd3..350b9fb 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -4,6 +4,18 @@
 # where the ProviderConfig `default` and the referenced Secrets live.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+# PAUSED until the platform WireGuard server (WS3) lands. Every resource here still
+# carries WS3 placeholders — the WireGuard Client's peer endpoint IP + keys, the
+# TrafficRoute's VPN-client network id, and the admin DNS records' gateway VIP
+# (10.200.0.10, which does not exist yet). Applying them now would fail the
+# Client/TrafficRoute on their placeholders AND create local DNS records that point
+# the admin hostnames at a dead VIP — breaking LAN access to those UIs. So we hold
+# every resource with `crossplane.io/paused`: once the provider is reachable it
+# connects and can manage the controller, but touches nothing here until WS3 fills
+# the real values. Unpause by removing this annotation — per-resource as each WS3
+# dependency lands, or all at once when WS3 is complete.
+commonAnnotations:
+  crossplane.io/paused: "true"
 resources:
 - wireguard-vpn-client.yaml
 - admin-dns.yaml
From 416c9155978ad720bdce709c18cbf990b83f5b52 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Sat, 4 Jul 2026 21:22:05 +0200
Subject: [PATCH 2/2] docs: warn that the WS3 pause is kustomization-wide

Co-Authored-By: Claude Fable 5
---
 kustomization.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kustomization.yaml b/kustomization.yaml
index 350b9fb..42b4801 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
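Review bot: The unpause instruction in the new comment — "per-resource as each WS3 dependency lands" — cannot be carried out by removing this annotation, because `commonAnnotations` stamps `crossplane.io/paused` onto every resource in the list, so deleting it unpauses all of them at once, including the admin DNS records that this very commit says must not reconcile while the gateway VIP is dead. Either put the annotation in each resource's own `metadata.annotations` so that each unpause is a one-line, one-resource change, or keep `commonAnnotations` and document the per-resource route as a kustomize `patches:` entry that sets `crossplane.io/paused: "false"` on the target kind/name — as far as I recall kustomize runs the annotations transformer before patches so the patch value wins, but verify that on a rendered `kustomize build` before anyone relies on it. I would replace the last two comment lines with `# Unpause everything at once by removing commonAnnotations; to unpause a single resource early, patch` and `# crossplane.io/paused: "false" onto it and confirm the override in the rendered output.`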
@@ -14,6 +14,11 @@ kind: Kustomization
 # connects and can manage the controller, but touches nothing here until WS3 fills
 # the real values. Unpause by removing this annotation — per-resource as each WS3
 # dependency lands, or all at once when WS3 is complete.
+#
+# NOTE: `commonAnnotations` pauses EVERY resource in this kustomization — that is
+# deliberate, since this file's whole resource set is WS3-gated. Do not add a
+# resource here that must reconcile before WS3 lands; it would inherit the pause
+# silently (put it in its own kustomization instead).
 commonAnnotations:
   crossplane.io/paused: "true"
 resources:
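Review bot: The new NOTE covers inheritance of the pause but not its other side effect, which matters for the placeholder objects in this file: as far as I recall the managed reconciler checks `crossplane.io/paused` before it handles a deletion timestamp, so a paused managed resource that already carries the Crossplane finalizer is not cleaned up when its manifest is pruned from this kustomization — it sits Terminating until the pause is lifted. Someone deleting the dead-VIP DNS records or the placeholder Client while they are still paused would hit exactly that. Worth confirming against the crossplane-runtime version provider-upjet-unifi is built on, and if it holds, adding a line such as `# NOTE: a paused resource is also not deleted — lift the pause on it before pruning it.`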