From 25a39fd54e3da34ced7b8ae9c0b9114dd5cb7aa6 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 13 Jun 2026 15:38:42 +0000
Subject: [PATCH] k8s-portal: wire private-ghcr pull (allowlist + imagePullSecrets)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

k8s-portal was the last in-cluster image build; it now builds on GHA and pushes ghcr.io/viktorbarzin/k8s-portal:latest, which is PRIVATE (infra repo default). To pull it: add k8s-portal to the sync-ghcr-credentials Kyverno allowlist (clones the ghcr-credentials Secret into the namespace) and reference that secret via imagePullSecrets on the deployment — same wiring as tripit/recruiter-responder. Completes the no-local-builds migration so nothing builds container images on the cluster anymore (ADR-0002).

Co-Authored-By: Claude Fable 5
---
 stacks/k8s-portal/modules/k8s-portal/main.tf | 7 +++++++
 stacks/kyverno/modules/kyverno/ghcr-credentials.tf | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/stacks/k8s-portal/modules/k8s-portal/main.tf b/stacks/k8s-portal/modules/k8s-portal/main.tf
index 908fca49..e32fd519 100644
--- a/stacks/k8s-portal/modules/k8s-portal/main.tf
+++ b/stacks/k8s-portal/modules/k8s-portal/main.tf
@@ -75,6 +75,13 @@ resource "kubernetes_deployment" "k8s_portal" {
 }
 spec {
+ # GHCR pull secret: the ghcr-credentials Secret in this namespace is
+ # cloned in by the kyverno stack's sync-ghcr-credentials ClusterPolicy
+ # (allowlisted private-ghcr namespaces only — ADR-0002). Source of
+ # truth: stacks/kyverno/modules/kyverno/ghcr-credentials.tf.
+ image_pull_secrets {
+ name = "ghcr-credentials"
+ }
 container {
 name = "portal"
 image = "ghcr.io/viktorbarzin/k8s-portal:latest"
diff --git a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
index 6af4220f..07a1df85 100644
--- a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
+++ b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
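Review bot: The new `image_pull_secrets` block makes every pod of this Deployment depend on a Secret that a different stack (kyverno) clones in, yet nothing in this module verifies it exists, so if the allowlist change in the kyverno stack is applied after this one the pods sit in ImagePullBackOff with no Terraform-level signal; I would state the ordering in the new comment, e.g. `# Apply the kyverno stack first: until the Secret is cloned, pulls of the private image fail.` Separately, the `image` line below (pre-existing, not changed here) still references only the mutable `:latest` tag, so with a private-registry credential now wired in, any push to that tag changes what runs on the next pull; pinning by digest (`image = "ghcr.io/viktorbarzin/k8s-portal@sha256:<DIGEST>"`, digest to be filled in) or at least a versioned tag would make the deployed image reproducible and auditable. `kubernetes_deployment.k8s_portal` begins before this hunk and its `container` block continues past it.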
@@ -27,6 +27,10 @@ locals {
 # openclaw's install-recruiter-plugin init container pulls the PRIVATE
 # ghcr.io/viktorbarzin/recruiter-responder:latest image (infra#27).
 "openclaw",
+ # k8s-portal: last in-cluster image build, migrated to GHA→ghcr (ADR-0002,
+ # "no local builds"). ghcr.io/viktorbarzin/k8s-portal:latest is PRIVATE
+ # (infra repo default); the deployment references the cloned secret.
+ "k8s-portal",
 ]
 }
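Review bot: The string added to the allowlist is a namespace name (the policy clones the Secret into the namespace, per the commit message), but the Deployment's `metadata.namespace` is not in this patch, so nothing here shows that `"k8s-portal"` matches it, and a mismatch is silent: no Secret is cloned and the pods simply fail to pull. The new comment describes the image rather than the contract, so I would add `# namespace name — must equal kubernetes_deployment.k8s_portal's metadata.namespace in stacks/k8s-portal/modules/k8s-portal/main.tf` so the cross-stack coupling is visible from this side as well. Each namespace added to this list also widens where the registry token can be read — any workload or principal with Secret read access in that namespace can use it — and if the token is not scoped to this one package it presumably grants pulls of every private image the account owns, so recording the token's scope next to the allowlist would let reviewers judge each addition. The enclosing `locals` block begins before this hunk.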