k8s-portal: wire private-ghcr pull (allowlist + imagePullSecrets)

k8s-portal was the last in-cluster image build; it now builds on GHA and
pushes ghcr.io/viktorbarzin/k8s-portal:latest, which is PRIVATE (infra repo
default). To pull it: add k8s-portal to the sync-ghcr-credentials Kyverno
allowlist (clones the ghcr-credentials Secret into the namespace) and
reference that secret via imagePullSecrets on the deployment — same wiring
as tripit/recruiter-responder. Completes the no-local-builds migration so
nothing builds container images on the cluster anymore (ADR-0002).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

stacks/k8s-portal/modules/k8s-portal/main.tf

@@ -75,6 +75,13 @@ resource "kubernetes_deployment" "k8s_portal" {
       }
 
       spec {
+        # GHCR pull secret: the ghcr-credentials Secret in this namespace is
+        # cloned in by the kyverno stack's sync-ghcr-credentials ClusterPolicy
+        # (allowlisted private-ghcr namespaces only — ADR-0002). Source of
+        # truth: stacks/kyverno/modules/kyverno/ghcr-credentials.tf.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
         container {
           name  = "portal"
           image = "ghcr.io/viktorbarzin/k8s-portal:latest"

stacks/kyverno/modules/kyverno/ghcr-credentials.tf

@@ -27,6 +27,10 @@ locals {
     # openclaw's install-recruiter-plugin init container pulls the PRIVATE
     # ghcr.io/viktorbarzin/recruiter-responder:latest image (infra#27).
     "openclaw",
+    # k8s-portal: last in-cluster image build, migrated to GHA→ghcr (ADR-0002,
+    # "no local builds"). ghcr.io/viktorbarzin/k8s-portal:latest is PRIVATE
+    # (infra repo default); the deployment references the cloned secret.
+    "k8s-portal",
   ]
 }