Panfactum
diff --git a/‎packages/infrastructure/kube_argo/main.tf
+18-3 b/‎packages/infrastructure/kube_argo/main.tf
+18-3
diff --git a/‎packages/infrastructure/kube_buildkit/main.tf
+7 b/‎packages/infrastructure/kube_buildkit/main.tf
+7
diff --git a/‎packages/infrastructure/kube_cert_issuers/main.tf
+7-4 b/‎packages/infrastructure/kube_cert_issuers/main.tf
+7-4
diff --git a/‎packages/infrastructure/kube_cloudnative_pg/main.tf
+9 b/‎packages/infrastructure/kube_cloudnative_pg/main.tf
+9
diff --git a/‎packages/infrastructure/kube_core_dns/main.tf
+4-3 b/‎packages/infrastructure/kube_core_dns/main.tf
+4-3
diff --git a/‎packages/infrastructure/kube_cron_job/main.tf
+6 b/‎packages/infrastructure/kube_cron_job/main.tf
+6
diff --git a/‎packages/infrastructure/kube_cron_job/vars.tf
+6 b/‎packages/infrastructure/kube_cron_job/vars.tf
+6
diff --git a/‎packages/infrastructure/kube_daemon_set/FOOTER.md
+3 b/‎packages/infrastructure/kube_daemon_set/FOOTER.md
+3
diff --git a/‎packages/infrastructure/kube_daemon_set/README.md
+22 b/‎packages/infrastructure/kube_daemon_set/README.md
+22
diff --git a/‎packages/infrastructure/kube_daemon_set/config.yaml
+3 b/‎packages/infrastructure/kube_daemon_set/config.yaml
+3
diff --git a/‎packages/infrastructure/kube_daemon_set/main.tf
+184 b/‎packages/infrastructure/kube_daemon_set/main.tf
+184
diff --git a/‎packages/infrastructure/kube_daemon_set/outputs.tf
+14 b/‎packages/infrastructure/kube_daemon_set/outputs.tf
+14
@@ -223,9 +223,7 @@ resource "kubernetes_config_map" "artifacts" {
     namespace = local.namespace
     labels    = module.util_controller.labels
     annotations = {
-      "workflows.argoproj.io/default-artifact-repository"       = "s3"
-      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = "true"
-      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = "true"
+      "workflows.argoproj.io/default-artifact-repository" = "s3"
     }
   }
   data = {
@@ -239,6 +237,13 @@ resource "kubernetes_config_map" "artifacts" {
   }
 }
 
+module "sync_artifact_config_map" {
+  source = "../kube_sync_config_map"
+
+  config_map_name      = kubernetes_config_map.artifacts.metadata[0].name
+  config_map_namespace = kubernetes_config_map.artifacts.metadata[0].namespace
+}
+
 /***************************************
 * Database Backend
 ***************************************/
@@ -600,6 +605,13 @@ resource "kubectl_manifest" "pdb_server" {
   depends_on        = [helm_release.argo]
 }
 
+module "image_cache" {
+  source = "../kube_node_image_cache"
+  images = [
+    "quay.io/argoproj/argoexec:v3.5.11"
+  ]
+}
+
 /***************************************
 * Argo Events
 ***************************************/
@@ -1093,3 +1105,6 @@ resource "kubectl_manifest" "test_workflow_template" {
   force_conflicts   = true
 }
 
+
+
+
@@ -311,6 +311,13 @@ resource "kubernetes_horizontal_pod_autoscaler_v2" "autoscaler" {
   depends_on = [module.buildkit]
 }
 
+module "image_cache" {
+  source = "../kube_node_image_cache"
+  images = [
+    "docker.io/moby/buildkit:${var.buildkit_image_version}"
+  ]
+}
+
 /***************************************
 * Buildkit Scale-To-Zero
 *
 
@@ -280,16 +280,19 @@ resource "kubernetes_config_map" "ca_bundle" {
     name      = "internal-ca"
     labels    = data.pf_kube_labels.labels.labels
     namespace = var.namespace
-    annotations = {
-      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = "true"
-      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = "true"
-    }
   }
   data = {
     "ca.crt" = vault_pki_secret_backend_root_cert.pki_internal.issuing_ca
   }
 }
 
+module "sync_ca_bundle" {
+  source = "../kube_sync_config_map"
+
+  config_map_name      = kubernetes_config_map.ca_bundle.metadata[0].name
+  config_map_namespace = kubernetes_config_map.ca_bundle.metadata[0].namespace
+}
+
 //////////////////////////////////
 /// Regular certs - RSA
 //////////////////////////////////
 
@@ -200,6 +200,15 @@ resource "kubectl_manifest" "pdb" {
   depends_on        = [helm_release.cnpg]
 }
 
+# This needs to be updated when the helm version is updated
+module "image_cache" {
+  source = "../kube_node_image_cache"
+  images = [
+    "ghcr.io/cloudnative-pg/cloudnative-pg:1.24.1",
+    "ghcr.io/cloudnative-pg/postgresql:16.4-43"
+  ]
+}
+
 /***************************************
 * Volume Snapshot Class (for backups)
 ***************************************/
 
@@ -163,7 +163,8 @@ module "core_dns" {
     var.monitoring_enabled ? [
       {
         name             = "proxy"
-        image_registry   = module.pull_through.quay_registry
+        image_registry   = "quay.io"
+        image_registry   = "quay.io"
         image_repository = "brancz/kube-rbac-proxy"
         image_tag        = "v0.17.1"
 
@@ -215,8 +216,8 @@ module "core_dns" {
   service_ip   = var.service_ip
   service_name = "kube-dns" // By convention, this must be available at kube-system/kube-dns
 
-  vpa_enabled = var.vpa_enabled
-
+  vpa_enabled               = var.vpa_enabled
+  node_image_cached_enabled = false // This is deployed before Kyverno is available
 
   extra_pod_labels = {
     "k8s-app" = "kube-dns"
 
@@ -182,3 +182,9 @@ resource "kubectl_manifest" "pdb" {
   depends_on        = [kubectl_manifest.cron_job]
 }
 
+module "image_cache" {
+  count  = var.node_image_cached_enabled ? 1 : 0
+  source = "../kube_node_image_cache"
+
+  images = tolist(toset([for container in var.containers : "${container.image_registry}/${container.image_repository}:${container.image_tag}"]))
+}
@@ -307,3 +307,9 @@ variable "pull_through_cache_enabled" {
   type        = bool
   default     = true
 }
+
+variable "node_image_cached_enabled" {
+  description = "Whether to add the container images to the node image cache for faster startup times"
+  type        = bool
+  default     = false
+}
@@ -0,0 +1,3 @@
+## Maintainer Notes
+
+No notes.
@@ -0,0 +1,22 @@
+# Kubernetes DaemonSet
+
+Provides a production-hardened instance of a Kubernetes [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)
+with the following enhancements:
+
+- Standardized resource labels
+- Pod and container security hardening
+- Temporary directory mounting
+- [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) and [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) mounting
+- [Downward-API](https://kubernetes.io/docs/concepts/workloads/pods/downward-api/) integrations
+- Service account configuration with default permissions
+- [Readiness and liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configurations
+- Automatic reloading via the [Reloader](https://github.com/stakater/Reloader)
+- [Vertical pod autoscaling](https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler)
+- [Pod disruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
+- [Toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) switches for the various Panfactum node classes
+
+## Usage
+
+### Basics
+
+This module follows the basic workload deployment patterns describe in [this guide](/docs/main/guides/deploying-workloads/basics).
@@ -0,0 +1,3 @@
+type: submodule
+status: stable
+group: kubernetes
@@ -0,0 +1,184 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.27.0"
+    }
+    kubectl = {
+      source  = "alekc/kubectl"
+      version = "2.0.4"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.6.0"
+    }
+    pf = {
+      source  = "panfactum/pf"
+      version = "0.0.3"
+    }
+  }
+}
+
+locals {
+  all_ports = merge([for container_name, config in var.containers : config.ports]...)
+  service_ports = { for name, config in local.all_ports : name => {
+    pod_port     = config.port
+    service_port = config.service_port
+    protocol     = config.protocol
+  } if config.expose_on_service }
+}
+
+// This is needed b/c this can never
+// change without destroying the deployment first
+resource "random_id" "daemon_set_id" {
+  byte_length = 8
+}
+
+data "pf_kube_labels" "labels" {
+  module = "kube_daemon_set"
+}
+
+module "pod_template" {
+  source = "../kube_pod"
+
+  # Pod metadata
+  namespace                  = var.namespace
+  service_account            = kubernetes_service_account.service_account.metadata[0].name
+  workload_name              = var.name
+  match_labels               = { id = random_id.daemon_set_id.hex }
+  dns_policy                 = var.dns_policy
+  host_network               = var.host_network
+  extra_pod_annotations      = var.extra_pod_annotations
+  extra_pod_labels           = var.extra_pod_labels
+  pod_version_labels_enabled = var.pod_version_labels_enabled
+  extra_labels               = data.pf_kube_labels.labels.labels
+
+  # Container configuration
+  common_env                  = var.common_env
+  common_secrets              = var.common_secrets
+  common_env_from_secrets     = var.common_env_from_secrets
+  common_env_from_config_maps = var.common_env_from_config_maps
+  containers                  = var.containers
+  pull_through_cache_enabled  = var.pull_through_cache_enabled
+
+  # Mount configuration
+  config_map_mounts = var.config_map_mounts
+  secret_mounts     = var.secret_mounts
+  tmp_directories   = var.tmp_directories
+  mount_owner       = var.mount_owner
+
+  # Scheduling params
+  priority_class_name                  = var.priority_class_name
+  burstable_nodes_enabled              = var.burstable_nodes_enabled
+  spot_nodes_enabled                   = var.spot_nodes_enabled
+  arm_nodes_enabled                    = var.arm_nodes_enabled
+  controller_nodes_enabled             = var.controller_nodes_enabled
+  instance_type_anti_affinity_required = false
+  az_anti_affinity_required            = false
+  host_anti_affinity_required          = false
+  extra_tolerations                    = var.extra_tolerations
+  controller_nodes_required            = false
+  node_requirements                    = var.node_requirements
+  node_preferences                     = {}
+  az_spread_preferred                  = false
+  az_spread_required                   = false
+  panfactum_scheduler_enabled          = false
+  termination_grace_period_seconds     = var.termination_grace_period_seconds
+  restart_policy                       = var.restart_policy
+}
+
+resource "kubernetes_service_account" "service_account" {
+  metadata {
+    name      = random_id.daemon_set_id.hex
+    namespace = var.namespace
+    labels    = module.pod_template.labels
+  }
+}
+
+resource "kubectl_manifest" "daemon_set" {
+  yaml_body = yamlencode({
+    apiVersion = "apps/v1"
+    kind       = "DaemonSet"
+    metadata = {
+      namespace = var.namespace
+      name      = var.name
+      labels    = module.pod_template.labels
+      annotations = {
+        "reloader.stakater.com/auto" = "true"
+      }
+    }
+    spec = {
+      minReadySeconds = var.min_ready_seconds
+      updateStrategy = {
+        type = var.update_type
+      }
+      selector = {
+        matchLabels = module.pod_template.match_labels
+      }
+      template = module.pod_template.pod_template
+    }
+  })
+  server_side_apply = true
+  force_conflicts   = true
+  wait_for_rollout  = var.wait_for_rollout
+}
+
+resource "kubectl_manifest" "vpa" {
+  count = var.vpa_enabled ? 1 : 0
+  yaml_body = yamlencode({
+    apiVersion = "autoscaling.k8s.io/v1"
+    kind       = "VerticalPodAutoscaler"
+    metadata = {
+      name      = var.name
+      namespace = var.namespace
+      labels    = module.pod_template.labels
+    }
+    spec = {
+      targetRef = {
+        apiVersion = "apps/v1"
+        kind       = "DaemonSet"
+        name       = var.name
+      }
+      updatePolicy = {
+        updateMode = "Auto"
+      }
+      resourcePolicy = {
+        containerPolicies = [for config in var.containers : {
+          containerName = config.name
+          minAllowed = {
+            memory = "${config.minimum_memory}Mi"
+            cpu    = "${config.minimum_cpu}m"
+          }
+          maxAllowed = { for k, v in {
+            memory = config.maximum_memory != null ? "${config.maximum_memory}Mi" : null
+            cpu    = config.maximum_cpu != null ? "${config.maximum_cpu}Mi" : null
+          } : k => v if v != null }
+        }]
+      }
+    }
+  })
+  depends_on = [kubectl_manifest.daemon_set]
+}
+
+resource "kubectl_manifest" "pdb" {
+  yaml_body = yamlencode({
+    apiVersion = "policy/v1"
+    kind       = "PodDisruptionBudget"
+    metadata = {
+      name      = "${var.name}-pdb"
+      namespace = var.namespace
+      labels    = module.pod_template.labels
+    }
+    spec = {
+      selector = {
+        matchLabels = module.pod_template.match_labels
+      }
+      minAvailable               = var.min_available # Needs to be minAvailable as daemonset does not implement the scale subresource
+      unhealthyPodEvictionPolicy = var.unhealthy_pod_eviction_policy
+    }
+  })
+  force_conflicts   = true
+  server_side_apply = true
+  depends_on        = [kubectl_manifest.daemon_set]
+}
+
@@ -0,0 +1,14 @@
+output "match_labels" {
+  description = "The labels unique to this Deployment that can be used to select any pods in this DaemonSet"
+  value       = module.pod_template.match_labels
+}
+
+output "labels" {
+  description = "The default labels assigned to all resources in this DaemonSet"
+  value       = module.pod_template.labels
+}
+
+output "service_account_name" {
+  description = "The service account used for the pods"
+  value       = kubernetes_service_account.service_account.metadata[0].name
+}
Original file line number	Diff line number	Diff line change
`@@ -311,6 +311,13 @@ resource "kubernetes_horizontal_pod_autoscaler_v2" "autoscaler" {`
`311`	`311`	`depends_on = [module.buildkit]`
`312`	`312`	`}`
`313`	`313`
	`314`	`+module "image_cache" {`
	`315`	`+ source = "../kube_node_image_cache"`
	`316`	`+ images = [`
	`317`	`+ "docker.io/moby/buildkit:${var.buildkit_image_version}"`
	`318`	`+ ]`
	`319`	`+}`
	`320`	`+`
`314`	`321`	`/***************************************`
`315`	`322`	`* Buildkit Scale-To-Zero`
`316`	`323`	`*`
Original file line number	Diff line number	Diff line change
`@@ -182,3 +182,9 @@ resource "kubectl_manifest" "pdb" {`
`182`	`182`	`depends_on = [kubectl_manifest.cron_job]`
`183`	`183`	`}`
`184`	`184`
	`185`	`+module "image_cache" {`
	`186`	`+ count = var.node_image_cached_enabled ? 1 : 0`
	`187`	`+ source = "../kube_node_image_cache"`
	`188`	`+`
	`189`	`+ images = tolist(toset([for container in var.containers : "${container.image_registry}/${container.image_repository}:${container.image_tag}"]))`
	`190`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## Maintainer Notes`
	`2`	`+`
	`3`	`+No notes.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+type: submodule`
	`2`	`+status: stable`
	`3`	`+group: kubernetes`