From 29c69250315b26c957d9a5fe78c33d87d8338d3d Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 13 Jun 2026 00:02:04 +0000 Subject: [PATCH] instagram-poster: image base forgejo->ghcr + ghcr-credentials pull secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prep for migrating instagram-poster off in-cluster Woodpecker builds to GitHub Actions -> ghcr.io (ADR-0002, issue #23, PRIVATE-repo path). Viktor asked for the wave-2 migration of instagram-poster per the wave-1 retro recipe: before onboarding, the stack must (a) carry the ghcr-credentials imagePullSecret on the Deployment so the cluster can pull the private ghcr image, and (b) repoint the image base from forgejo.viktorbarzin.me/viktor to ghcr.io/viktorbarzin. The Deployment image is KEEL_IGNORE_IMAGE (ignore_changes), so this apply does NOT roll the pod to a not-yet-existing ghcr image — the live forgejo-built :da5b4191 keeps running until the first GHA build POSTs the Woodpecker deploy. The three CronJobs run curlimages/curl (public DockerHub), not the app image, so they need neither the pull secret nor a repoint. registry-credentials stays for the transition window. Closes: nothing (stack prep only; repo onboarding follows) Co-Authored-By: Claude Fable 5
--- .../modules/instagram-poster/main.tf | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf
index 343bbfba..bf558d33 100644
--- a/stacks/instagram-poster/modules/instagram-poster/main.tf
+++ b/stacks/instagram-poster/modules/instagram-poster/main.tf
@@ -1,9 +1,10 @@
 locals {
   namespace = "instagram-poster"
-  # Forgejo registry consolidation (2026-05-07): all custom service images
-  # live under forgejo.viktorbarzin.me/viktor/. The old 10.0.20.10
-  # private registry was decommissioned the same day.
-  image = "forgejo.viktorbarzin.me/viktor/instagram-poster:${var.image_tag}"
+  # Off-infra CI (ADR-0002, issue #23): GHA builds on the GitHub mirror and
+  # pushes ghcr.io/viktorbarzin/instagram-poster (private — pulls need the
+  # ghcr-credentials Secret cloned in by the kyverno sync-ghcr-credentials
+  # ClusterPolicy). Replaces the forgejo.viktorbarzin.me/viktor base.
+  image = "ghcr.io/viktorbarzin/instagram-poster:${var.image_tag}"
   labels = {
     app = "instagram-poster"
   }
@@ -244,9 +245,18 @@ resource "kubernetes_deployment" "instagram_poster" {
     }
     spec {
+      # registry-credentials (forgejo) kept for the transition — the live
+      # pod runs the last forgejo-built image until the first GHA→ghcr
+      # deploy lands. ghcr-credentials is cloned into this namespace by the
+      # kyverno stack's sync-ghcr-credentials ClusterPolicy (allowlisted
+      # private-ghcr namespaces only — ADR-0002). Source of truth:
+      # stacks/kyverno/modules/kyverno/ghcr-credentials.tf.
       image_pull_secrets {
         name = "registry-credentials"
       }
+      image_pull_secrets {
+        name = "ghcr-credentials"
+      }
       # PVC mounts as root by default; pod runs as uid/gid 10001 (poster).
       # fs_group makes kubelet chown the volume to gid 10001 on mount.
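Review bot: The new `image` local in the `locals` hunk still references the ghcr image by mutable tag (`:${var.image_tag}`), so the cluster pulls whatever ghcr currently serves under that tag, not necessarily the artifact a given GHA run produced; with the build now running off-infra against a GitHub mirror, a digest pin is the cheapest way to keep that link verifiable. Letting the variable carry a digest without breaking existing tag callers is a one-line change: `image = "ghcr.io/viktorbarzin/instagram-poster${can(regex("^sha256:", var.image_tag)) ? "@" : ":"}${var.image_tag}"`, so the deploy hook can pass `sha256:…` from the build output while plain tags keep working. The new comment says pulls need the ghcr-credentials Secret cloned in by the kyverno ClusterPolicy but not that this namespace must be on that policy's allowlist; a pod scheduled before that entry exists would presumably sit in ImagePullBackOff, so I would add `# precondition: "instagram-poster" must be in the sync-ghcr-credentials allowlist (stacks/kyverno)` next to it. The `locals` block is shown in full in this hunk.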