job-hunter: ghcr-credentials pull secret on deployment + CronJobs

ADR-0002 wave 1 (infra#14): job-hunter's image moves to private ghcr; the deployment AND both :latest CronJobs need the Kyverno-cloned pull secret. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 22:56:48 +00:00 · 2026-06-12 22:56:48 +00:00 · 1c41781996
commit 1c41781996
parent 6f41de71fa
2 changed files with 15 additions and 0 deletions
--- a/stacks/job-hunter/cronjob.tf
+++ b/stacks/job-hunter/cronjob.tf
@ -40,6 +40,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_refresh" {
            image_pull_secrets {
              name = "registry-credentials"
            }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }

            init_container {
              name              = "alembic-migrate"
@ -147,6 +152,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_alert" {
            image_pull_secrets {
              name = "registry-credentials"
            }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
            container {
              name              = "alert"
              image             = local.image
--- a/stacks/job-hunter/main.tf
+++ b/stacks/job-hunter/main.tf
@ -175,6 +175,11 @@ resource "kubernetes_deployment" "job_hunter" {
        image_pull_secrets {
          name = "registry-credentials"
        }
+        # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+        # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }

        init_container {
          name    = "alembic-migrate"