instagram-poster: image base forgejo->ghcr + ghcr-credentials pull secret

Prep for migrating instagram-poster off in-cluster Woodpecker builds to GitHub Actions -> ghcr.io (ADR-0002, issue #23, PRIVATE-repo path). Viktor asked for the wave-2 migration of instagram-poster per the wave-1 retro recipe: before onboarding, the stack must (a) carry the ghcr-credentials imagePullSecret on the Deployment so the cluster can pull the private ghcr image, and (b) repoint the image base from forgejo.viktorbarzin.me/viktor to ghcr.io/viktorbarzin. The Deployment image is KEEL_IGNORE_IMAGE (ignore_changes), so this apply does NOT roll the pod to a not-yet-existing ghcr image — the live forgejo-built :da5b4191 keeps running until the first GHA build POSTs the Woodpecker deploy. The three CronJobs run curlimages/curl (public DockerHub), not the app image, so they need neither the pull secret nor a repoint. registry-credentials stays for the transition window. Closes: nothing (stack prep only; repo onboarding follows) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-13 00:02:04 +00:00 · 2026-06-13 00:02:04 +00:00 · 29c6925031
commit 29c6925031
parent 72b5843e4b
1 changed files with 14 additions and 4 deletions
--- a/stacks/instagram-poster/modules/instagram-poster/main.tf
+++ b/stacks/instagram-poster/modules/instagram-poster/main.tf
@ -1,9 +1,10 @@
 locals {
  namespace = "instagram-poster"
-  # Forgejo registry consolidation (2026-05-07): all custom service images
-  # live under forgejo.viktorbarzin.me/viktor/<name>. The old 10.0.20.10
-  # private registry was decommissioned the same day.
-  image = "forgejo.viktorbarzin.me/viktor/instagram-poster:${var.image_tag}"
+  # Off-infra CI (ADR-0002, issue #23): GHA builds on the GitHub mirror and
+  # pushes ghcr.io/viktorbarzin/instagram-poster (private — pulls need the
+  # ghcr-credentials Secret cloned in by the kyverno sync-ghcr-credentials
+  # ClusterPolicy). Replaces the forgejo.viktorbarzin.me/viktor base.
+  image = "ghcr.io/viktorbarzin/instagram-poster:${var.image_tag}"
  labels = {
    app = "instagram-poster"
  }
@ -244,9 +245,18 @@ resource "kubernetes_deployment" "instagram_poster" {
      }

      spec {
+        # registry-credentials (forgejo) kept for the transition — the live
+        # pod runs the last forgejo-built image until the first GHA→ghcr
+        # deploy lands. ghcr-credentials is cloned into this namespace by the
+        # kyverno stack's sync-ghcr-credentials ClusterPolicy (allowlisted
+        # private-ghcr namespaces only — ADR-0002). Source of truth:
+        # stacks/kyverno/modules/kyverno/ghcr-credentials.tf.
        image_pull_secrets {
          name = "registry-credentials"
        }
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }

        # PVC mounts as root by default; pod runs as uid/gid 10001 (poster).
        # fs_group makes kubelet chown the volume to gid 10001 on mount.