From 12bdd06f74a6856c1afbe7589cd3611ab58802bc Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 12 Jun 2026 23:18:15 +0000
Subject: [PATCH] =?UTF-8?q?kyverno:=20force=5Fnew=20on=20sync-ghcr-credent?=
 =?UTF-8?q?ials=20=E2=80=94=20generate=20rules=20are=20immutable?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pipeline 138: the validate-policy webhook denies in-place edits of a generate rule (allowlist additions). force_new = delete+recreate; generated secrets survive and generateExisting re-adopts.

Co-Authored-By: Claude Fable 5
---
 stacks/kyverno/modules/kyverno/ghcr-credentials.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
index 2ca0bf25..0a26a918 100644
--- a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
+++ b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
@@ -47,6 +47,11 @@ resource "kubernetes_secret" "ghcr_credentials" {
 }
 
 resource "kubectl_manifest" "sync_ghcr_credentials" {
+  # Kyverno's validate-policy webhook DENIES in-place changes to a generate
+  # rule's spec ("changes of immutable fields ... is disallowed"), so any
+  # allowlist edit must delete+recreate the policy. Generated secrets survive
+  # policy deletion; generateExisting re-adopts them on recreate.
+  force_new = true
   yaml_body = yamlencode({
     apiVersion = "kyverno.io/v1"
     kind = "ClusterPolicy"
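Review bot: The new comment's claim that generated secrets survive policy deletion depends on the generate rule's `synchronize` setting, which lives in yaml_body below and is outside this hunk; with synchronization enabled Kyverno can garbage-collect downstream resources when the policy is removed, and for a pull-secret distribution policy that would mean image-pull failures in the allowlisted namespaces until the recreate and the generateExisting pass complete. Also, `force_new = true` applies to every change to this resource, not only allowlist edits, so any label or annotation tweak goes through the same delete+recreate window. I would record what this was verified against and widen the wording, e.g. `# Verified on Kyverno <VERSION> with synchronize = <VALUE>; re-check on upgrade.` and `# any change to this manifest (not just allowlist edits) must delete+recreate`. The resource body continues outside the hunk.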