From 1c4178199619ea760778596639bf714a17c80119 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 12 Jun 2026 22:56:48 +0000 Subject: [PATCH] job-hunter: ghcr-credentials pull secret on deployment + CronJobs ADR-0002 wave 1 (infra#14): job-hunter's image moves to private ghcr; the deployment AND both :latest CronJobs need the Kyverno-cloned pull secret. Co-Authored-By: Claude Fable 5 --- stacks/job-hunter/cronjob.tf | 10 ++++++++++ stacks/job-hunter/main.tf | 5 +++++ 2 files changed, 15 insertions(+) diff --git a/stacks/job-hunter/cronjob.tf b/stacks/job-hunter/cronjob.tf index 968266b5..aa7009d0 100644 --- a/stacks/job-hunter/cronjob.tf +++ b/stacks/job-hunter/cronjob.tf @@ -40,6 +40,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_refresh" { image_pull_secrets { name = "registry-credentials" } + # Private ghcr image (ADR-0002 off-infra builds) — cloned into this + # namespace by the kyverno sync-ghcr-credentials allowlist policy. + image_pull_secrets { + name = "ghcr-credentials" + } init_container { name = "alembic-migrate" @@ -147,6 +152,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_alert" { image_pull_secrets { name = "registry-credentials" } + # Private ghcr image (ADR-0002 off-infra builds) — cloned into this + # namespace by the kyverno sync-ghcr-credentials allowlist policy. + image_pull_secrets { + name = "ghcr-credentials" + } container { name = "alert" image = local.image diff --git a/stacks/job-hunter/main.tf b/stacks/job-hunter/main.tf index 8b84dfe5..da256229 100644 --- a/stacks/job-hunter/main.tf +++ b/stacks/job-hunter/main.tf @@ -175,6 +175,11 @@ resource "kubernetes_deployment" "job_hunter" { image_pull_secrets { name = "registry-credentials" } + # Private ghcr image (ADR-0002 off-infra builds) — cloned into this + # namespace by the kyverno sync-ghcr-credentials allowlist policy. + image_pull_secrets { + name = "ghcr-credentials" + } init_container { name = "alembic-migrate"