infra/stacks/tuya-bridge/variables.tf


tuya-bridge: switch to Forgejo image + CI-driven deploy

Mirrors the kms-website pattern: deployment image now points to forgejo.viktorbarzin.me/viktor/tuya_bridge:${var.image_tag} and the new Woodpecker pipeline in tuya_bridge/.woodpecker.yml drives the rollout via `kubectl set image` on every push.

Changes:
- Extract `tls_secret_name` and add `image_tag` (default "latest") to a new variables.tf, matching the kms / fire-planner / payslip-ingest convention.
- Add `image_pull_secrets { name = "registry-credentials" }` (Kyverno ClusterPolicy sync-registry-credentials already syncs the Secret into every namespace).
- Set explicit `image_pull_policy = "IfNotPresent"` — SHA-tagged images are immutable, no need to re-pull on every restart.

The image attribute remains in `lifecycle.ignore_changes` (line was already there from the prior Keel-managed era), so future `tg apply`s do not fight Woodpecker's `kubectl set image`. Keel is still enrolled on the namespace but will skip SHA-tagged images under `policy: patch` (non-semver), so the CI pipeline is the sole rollout mechanism.

Backstory: the 2026-05-26 cluster-health incident was tuya-bridge crashlooping after Keel rewrote `:latest` to a stale broken `:0.1` tag on Docker Hub (which predated the `prometheus_exporter.py` addition). Manual rebuild + push was the immediate fix; this commit plus tuya_bridge/.woodpecker.yml close the underlying gap so a source change reliably produces a fresh registry image.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 05:45:16 +00:00
variable "tls_secret_name" {
  type      = string
  sensitive = true
}

variable "image_tag" {
  type        = string
  default     = "latest"
  description = "tuya_bridge image tag pushed to forgejo.viktorbarzin.me/viktor/tuya_bridge. Each Woodpecker run does `kubectl set image` to the 8-char git SHA; this variable is only used on initial create / TF recreate (image is in lifecycle.ignore_changes)."
}
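How `image_tag` is consumed on the deployment side, as an added example rather than the stack's own main.tf: a kubernetes-provider Deployment with the registry pull secret, the explicit pull policy and the `lifecycle.ignore_changes` entry on the image attribute that the commit message describes, so a later `tg apply` does not revert what Woodpecker's `kubectl set image` wrote. The resource, namespace, label and container names are assumptions.

```hcl
# Added example, not the repository's own resource; names below are assumed.
resource "kubernetes_deployment" "tuya_bridge" {
  metadata {
    name      = "tuya-bridge" # assumed
    namespace = "tuya-bridge" # assumed
  }

  spec {
    replicas = 1

    selector {
      match_labels = { app = "tuya-bridge" }
    }

    template {
      metadata {
        labels = { app = "tuya-bridge" }
      }

      spec {
        # Secret is synced into every namespace by the Kyverno ClusterPolicy
        # sync-registry-credentials, so it is referenced, not created, here.
        image_pull_secrets {
          name = "registry-credentials"
        }

        container {
          name = "tuya-bridge"

          # Only takes effect on initial create or a full recreate; after that
          # CI rewrites the tag to the 8-char git SHA via `kubectl set image`.
          image = "forgejo.viktorbarzin.me/viktor/tuya_bridge:${var.image_tag}"

          # SHA-tagged images are immutable, so a restart need not re-pull.
          image_pull_policy = "IfNotPresent"
        }
      }
    }
  }

  lifecycle {
    # The image attribute is owned by the CI pipeline after create; ignoring
    # it keeps Terraform from fighting Woodpecker's `kubectl set image`.
    ignore_changes = [
      spec[0].template[0].spec[0].container[0].image,
    ]
  }
}
```

With the image ignored, a `terraform plan` after a CI rollout shows no diff on the container image, which is the intended steady state; deleting the `lifecycle` block would make the next apply roll the pod back to `:${var.image_tag}`.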