recruiter-responder: bump image_tag to 189ef901

OpenClaw can now answer 'what do we know about <company>?' from cache via the new recruiter_company_research tool, and recruiter_get embeds the cached research payload inline. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 12:41:05 +00:00 · 2026-05-16 12:41:05 +00:00 · 3027ab85a8
commit 3027ab85a8
parent be3b94da85
79 changed files with 550 additions and 142 deletions
--- a/stacks/actualbudget/main.tf
+++ b/stacks/actualbudget/main.tf
@ -57,6 +57,7 @@ resource "kubernetes_namespace" "actualbudget" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@ -88,6 +88,7 @@ resource "kubernetes_namespace" "affine" {
    name = "affine"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -331,8 +332,12 @@ resource "kubernetes_deployment" "affine" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/blog/main.tf
+++ b/stacks/blog/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "website" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -76,8 +77,12 @@ resource "kubernetes_deployment" "blog" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/broker-sync/main.tf
+++ b/stacks/broker-sync/main.tf
@ -12,6 +12,7 @@ resource "kubernetes_namespace" "broker_sync" {
    labels = {
      "istio-injection" = "disabled"
      tier              = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/calico/main.tf
+++ b/stacks/calico/main.tf
@ -22,6 +22,7 @@ resource "kubernetes_namespace" "calico_system" {
    name = "calico-system"
    labels = {
      name = "calico-system"
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/changedetection/main.tf
+++ b/stacks/changedetection/main.tf
@ -9,6 +9,7 @@ resource "kubernetes_namespace" "changedetection" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -194,8 +195,12 @@ resource "kubernetes_deployment" "changedetection" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@ -24,6 +24,7 @@ resource "kubernetes_namespace" "chrome_service" {
      "istio-injection"                       = "disabled"
      tier                                    = local.tiers.aux
      "chrome-service.viktorbarzin.me/server" = "true"
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -114,6 +115,12 @@ resource "kubernetes_deployment" "chrome_service" {
    namespace = kubernetes_namespace.chrome_service.metadata[0].name
    labels = merge(local.labels, {
      tier = local.tiers.aux
+      # Deliberate pin: chrome-service's playwright image MUST match
+      # the playwright Python version in f1-stream (see local.image
+      # comment above). Opt out of Keel auto-update via this label —
+      # the inject-keel-annotations ClusterPolicy excludes workloads
+      # selector-matching keel.sh/policy=never.
+      "keel.sh/policy" = "never"
    })
    annotations = {
      "reloader.stakater.com/auto" = "true"
@ -311,8 +318,12 @@ resource "kubernetes_deployment" "chrome_service" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/city-guesser/main.tf
+++ b/stacks/city-guesser/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "city-guesser" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -67,8 +68,12 @@ resource "kubernetes_deployment" "city-guesser" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/claude-memory/main.tf
+++ b/stacks/claude-memory/main.tf
@ -19,6 +19,7 @@ resource "kubernetes_namespace" "claude-memory" {
    name = "claude-memory"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -249,6 +250,9 @@ resource "kubernetes_deployment" "claude-memory" {
    ignore_changes = [
      spec[0].template[0].spec[0].container[0].image,
      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
    ]
  }
 }
--- a/stacks/coturn/main.tf
+++ b/stacks/coturn/main.tf
@ -52,6 +52,7 @@ resource "kubernetes_namespace" "coturn" {
    name = "coturn"
    labels = {
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -194,8 +195,12 @@ resource "kubernetes_deployment" "coturn" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/cyberchef/main.tf
+++ b/stacks/cyberchef/main.tf
@ -9,6 +9,7 @@ resource "kubernetes_namespace" "cyberchef" {
    name = "cyberchef"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -77,8 +78,12 @@ resource "kubernetes_deployment" "cyberchef" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/dashy/main.tf
+++ b/stacks/dashy/main.tf
@ -16,6 +16,7 @@ resource "kubernetes_namespace" "dashy" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -100,8 +101,12 @@ resource "kubernetes_deployment" "dashy" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@ -17,6 +17,7 @@ resource "kubernetes_namespace" "dawarich" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
 }
@ -325,7 +326,12 @@ resource "kubernetes_deployment" "dawarich" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/descheduler/main.tf
+++ b/stacks/descheduler/main.tf
@ -5,6 +5,7 @@ resource "kubernetes_namespace" "descheduler" {
    name = "descheduler"
    labels = {
      tier = local.tiers.cluster
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/diun/main.tf
+++ b/stacks/diun/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "diun" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -237,6 +238,11 @@ resource "kubernetes_deployment" "diun" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }
--- a/stacks/ebook2audiobook/main.tf
+++ b/stacks/ebook2audiobook/main.tf
@ -17,6 +17,7 @@ resource "kubernetes_namespace" "ebook2audiobook" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.gpu
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -120,8 +121,12 @@ resource "kubernetes_deployment" "ebook2audiobook" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -322,8 +327,12 @@ resource "kubernetes_deployment" "audiblez" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -412,8 +421,12 @@ resource "kubernetes_deployment" "audiblez-web" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
@ -9,6 +9,7 @@ resource "kubernetes_namespace" "ebooks" {
    name = "ebooks"
    labels = {
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -364,7 +365,12 @@ resource "kubernetes_deployment" "calibre-web-automated" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -485,7 +491,12 @@ resource "kubernetes_deployment" "annas-archive-stacks" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -634,7 +645,12 @@ resource "kubernetes_deployment" "audiobookshelf" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -909,7 +925,12 @@ resource "kubernetes_deployment" "book_search" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/echo/main.tf
+++ b/stacks/echo/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "echo" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -74,8 +75,12 @@ resource "kubernetes_deployment" "echo" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/excalidraw/main.tf
+++ b/stacks/excalidraw/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "excalidraw" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -124,8 +125,12 @@ resource "kubernetes_deployment" "excalidraw" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/external-secrets/main.tf
+++ b/stacks/external-secrets/main.tf
@ -3,6 +3,7 @@ resource "kubernetes_namespace" "external_secrets" {
    name = "external-secrets"
    labels = {
      tier = local.tiers.cluster
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@ -13,6 +13,7 @@ resource "kubernetes_namespace" "f1-stream" {
      "istio-injection" : "disabled"
      tier                                    = local.tiers.aux
      "chrome-service.viktorbarzin.me/client" = "true"
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -202,8 +203,12 @@ resource "kubernetes_deployment" "f1-stream" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/foolery/main.tf
+++ b/stacks/foolery/main.tf
@ -9,6 +9,7 @@ resource "kubernetes_namespace" "foolery" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "forgejo" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -169,8 +170,12 @@ resource "kubernetes_deployment" "forgejo" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@ -55,6 +55,7 @@ resource "kubernetes_namespace" "freedify" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@ -8,6 +8,7 @@ resource "kubernetes_namespace" "immich" {
    name = "freshrss"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -203,8 +204,12 @@ resource "kubernetes_deployment" "freshrss" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/frigate/main.tf
+++ b/stacks/frigate/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "frigate" {
    name = "frigate"
    labels = {
      tier = local.tiers.gpu
+      "keel.sh/enrolled" = "true"
    }
    # labels = {
    #   "istio-injection" : "enabled"
@ -231,8 +232,12 @@ for name, det in stats.get('detectors', {}).items():
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@ -51,6 +51,7 @@ resource "kubernetes_namespace" "grampsweb" {
    name = "grampsweb"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -334,8 +335,12 @@ resource "kubernetes_deployment" "grampsweb" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/hackmd/main.tf
+++ b/stacks/hackmd/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "hackmd" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -172,8 +173,12 @@ resource "kubernetes_deployment" "hackmd" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "health" {
    name = "health"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -153,8 +154,12 @@ resource "kubernetes_deployment" "health" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/hermes-agent/main.tf
+++ b/stacks/hermes-agent/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "hermes_agent" {
    name = "hermes-agent"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -386,7 +387,12 @@ resource "kubernetes_deployment" "hermes_agent" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/homepage/main.tf
+++ b/stacks/homepage/main.tf
@ -16,6 +16,7 @@ resource "kubernetes_namespace" "homepage" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -118,8 +119,12 @@ resource "kubernetes_deployment" "cache_proxy" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/insta2spotify/main.tf
+++ b/stacks/insta2spotify/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "insta2spotify" {
    labels = {
      "istio-injection" = "disabled"
      tier              = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -209,7 +210,12 @@ resource "kubernetes_deployment" "insta2spotify" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/isponsorblocktv/main.tf
+++ b/stacks/isponsorblocktv/main.tf
@ -6,6 +6,7 @@ resource "kubernetes_namespace" "isponsorblocktv" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -99,7 +100,11 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }
--- a/stacks/jsoncrack/main.tf
+++ b/stacks/jsoncrack/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "jsoncrack" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -57,8 +58,12 @@ resource "kubernetes_deployment" "jsoncrack" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/k8s-dashboard/main.tf
+++ b/stacks/k8s-dashboard/main.tf
@ -32,6 +32,7 @@ resource "kubernetes_namespace" "k8s-dashboard" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.cluster
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/k8s-version-upgrade/main.tf
+++ b/stacks/k8s-version-upgrade/main.tf
@ -63,6 +63,7 @@ resource "kubernetes_namespace" "k8s_upgrade" {
    name = local.namespace
    labels = {
      tier = local.tiers.cluster
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "kms" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -305,8 +306,12 @@ resource "kubernetes_deployment" "windows_kms" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
  depends_on = [kubernetes_manifest.kms_slack_external_secret]
 }
--- a/stacks/kured/main.tf
+++ b/stacks/kured/main.tf
@ -31,6 +31,7 @@ resource "kubernetes_namespace" "kured" {
    labels = {
      "istio-injection" = "disabled"
      tier              = local.tiers.cluster
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -307,7 +308,11 @@ resource "kubernetes_daemon_set_v1" "kured_sentinel_gate" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@ -19,6 +19,7 @@ resource "kubernetes_namespace" "linkwarden" {
    name = "linkwarden"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -202,8 +203,12 @@ resource "kubernetes_deployment" "linkwarden" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }
 resource "kubernetes_service" "linkwarden" {
--- a/stacks/local-path/main.tf
+++ b/stacks/local-path/main.tf
@ -128,6 +128,7 @@ resource "kubernetes_deployment" "local_path_provisioner" {
    namespace = kubernetes_namespace.local_path_storage.metadata[0].name
    labels = {
      tier = "default"
+      "keel.sh/enrolled" = "true"
    }
  }
  spec {
@ -185,8 +186,12 @@ resource "kubernetes_deployment" "local_path_provisioner" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "matrix" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -204,8 +205,12 @@ resource "kubernetes_deployment" "matrix" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "meshcentral" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -250,8 +251,12 @@ EOT
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/n8n/main.tf
+++ b/stacks/n8n/main.tf
@ -16,6 +16,7 @@ resource "kubernetes_namespace" "n8n" {
    name = "n8n"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -368,8 +369,12 @@ resource "kubernetes_deployment" "n8n" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@ -9,6 +9,7 @@ resource "kubernetes_namespace" "navidrome" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -210,8 +211,12 @@ resource "kubernetes_deployment" "navidrome" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/netbox/main.tf
+++ b/stacks/netbox/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "netbox" {
    name = "netbox"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -201,8 +202,12 @@ resource "kubernetes_deployment" "netbox" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }
 resource "kubernetes_service" "netbox" {
--- a/stacks/networking-toolbox/main.tf
+++ b/stacks/networking-toolbox/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "networking-toolbox" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -71,8 +72,12 @@ resource "kubernetes_deployment" "networking-toolbox" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -30,6 +30,7 @@ resource "kubernetes_namespace" "nextcloud" {
      tier                                    = local.tiers.edge
      "resource-governance/custom-limitrange" = "true"
      "resource-governance/custom-quota"      = "true"
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/ntfy/main.tf
+++ b/stacks/ntfy/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "ntfy" {
    name = "ntfy"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -163,8 +164,12 @@ resource "kubernetes_deployment" "ntfy" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/onlyoffice/main.tf
+++ b/stacks/onlyoffice/main.tf
@ -14,6 +14,7 @@ resource "kubernetes_namespace" "onlyoffice" {
      tier                                    = local.tiers.edge
      "resource-governance/custom-limitrange" = "true"
      "resource-governance/custom-quota"      = "true"
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -232,8 +233,12 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@ -21,6 +21,7 @@ resource "kubernetes_namespace" "openclaw" {
      tier                                    = local.tiers.aux
      "resource-governance/custom-limitrange" = "true"
      "resource-governance/custom-quota"      = "true"
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -1315,7 +1316,12 @@ resource "kubernetes_deployment" "openlobster" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/osm_routing/main.tf
+++ b/stacks/osm_routing/main.tf
@ -12,6 +12,7 @@ resource "kubernetes_namespace" "osm-routing" {
      "istio-injection" : "disabled"
      tier                               = local.tiers.aux
      "resource-governance/custom-quota" = "true"
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -113,8 +114,12 @@ resource "kubernetes_deployment" "osrm-foot" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -198,8 +203,12 @@ resource "kubernetes_deployment" "osrm-bicycle" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -287,8 +296,12 @@ resource "kubernetes_deployment" "otp" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@ -50,6 +50,7 @@ resource "kubernetes_namespace" "owntracks" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -194,8 +195,12 @@ resource "kubernetes_deployment" "owntracks" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@ -21,6 +21,7 @@ resource "kubernetes_namespace" "paperless-ngx" {
    name = "paperless-ngx"
    labels = {
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
    # labels = {
    #   "istio-injection" : "enabled"
@ -211,8 +212,12 @@ resource "kubernetes_deployment" "paperless-ngx" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/phpipam/main.tf
+++ b/stacks/phpipam/main.tf
@ -18,6 +18,7 @@ resource "kubernetes_namespace" "phpipam" {
    name = "phpipam"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -201,7 +202,12 @@ resource "kubernetes_deployment" "phpipam_web" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/poison-fountain/main.tf
+++ b/stacks/poison-fountain/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "poison_fountain" {
    labels = {
      "istio-injection" = "disabled"
      tier              = local.tiers.cluster
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -179,8 +180,12 @@ resource "kubernetes_deployment" "poison_fountain" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/priority-pass/main.tf
+++ b/stacks/priority-pass/main.tf
@ -20,6 +20,7 @@ resource "kubernetes_namespace" "priority-pass" {
    labels = {
      "istio-injection" = "disabled"
      tier              = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -148,7 +149,12 @@ resource "kubernetes_deployment" "priority-pass" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/privatebin/main.tf
+++ b/stacks/privatebin/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "privatebin" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -113,8 +114,12 @@ resource "kubernetes_deployment" "privatebin" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/real-estate-crawler/main.tf
+++ b/stacks/real-estate-crawler/main.tf
@ -119,6 +119,7 @@ resource "kubernetes_namespace" "realestate-crawler" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -522,8 +523,12 @@ resource "kubernetes_deployment" "realestate-crawler-celery" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -633,7 +638,11 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }
--- a/stacks/recruiter-responder/terragrunt.hcl
+++ b/stacks/recruiter-responder/terragrunt.hcl
@ -19,5 +19,5 @@ dependency "external-secrets" {

 inputs = {
  # Override per-deploy in CI / commit.
-  image_tag = "f3cb91ff"
+  image_tag = "189ef901"
 }
--- a/stacks/reloader/main.tf
+++ b/stacks/reloader/main.tf
@ -3,6 +3,7 @@ resource "kubernetes_namespace" "crowdsec" {
    name = "reloader"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/resume/main.tf
+++ b/stacks/resume/main.tf
@ -25,6 +25,7 @@ resource "kubernetes_namespace" "resume" {
    name = local.namespace
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -144,8 +145,12 @@ resource "kubernetes_deployment" "printer" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -341,8 +346,12 @@ resource "kubernetes_deployment" "resume" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@ -15,6 +15,7 @@ resource "kubernetes_namespace" "rybbit" {
    name = "rybbit"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -230,8 +231,12 @@ resource "kubernetes_deployment" "clickhouse" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -440,8 +445,12 @@ resource "kubernetes_deployment" "rybbit" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -542,8 +551,12 @@ resource "kubernetes_deployment" "rybbit-client" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/send/main.tf
+++ b/stacks/send/main.tf
@ -12,6 +12,7 @@ resource "kubernetes_namespace" "send" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -148,8 +149,12 @@ resource "kubernetes_deployment" "send" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }
 resource "kubernetes_service" "send" {
--- a/stacks/servarr/main.tf
+++ b/stacks/servarr/main.tf
@ -49,6 +49,7 @@ resource "kubernetes_namespace" "servarr" {
    name = "servarr"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/shadowsocks/main.tf
+++ b/stacks/shadowsocks/main.tf
@ -7,6 +7,7 @@ resource "kubernetes_namespace" "shadowsocks" {
    name = "shadowsocks"
    labels = {
      tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
    # TLS termination seems iffy - I get pfsense MiTM-ing
    # labels = {
@ -115,8 +116,12 @@ resource "kubernetes_deployment" "shadowsocks" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/speedtest/main.tf
+++ b/stacks/speedtest/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "speedtest" {
    name = "speedtest"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -208,8 +209,12 @@ resource "kubernetes_deployment" "speedtest" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/stirling-pdf/main.tf
+++ b/stacks/stirling-pdf/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "stirling-pdf" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -111,8 +112,12 @@ resource "kubernetes_deployment" "stirling-pdf" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@ -12,6 +12,7 @@ resource "kubernetes_namespace" "tandoor" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -232,8 +233,12 @@ resource "kubernetes_deployment" "tandoor" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/terminal/main.tf
+++ b/stacks/terminal/main.tf
@ -9,6 +9,7 @@ resource "kubernetes_namespace" "terminal" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/tor-proxy/main.tf
+++ b/stacks/tor-proxy/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "tor-proxy" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -106,8 +107,12 @@ resource "kubernetes_deployment" "tor-proxy" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -240,8 +245,12 @@ resource "kubernetes_deployment" "torrserver" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/travel_blog/main.tf
+++ b/stacks/travel_blog/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "travel-blog" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -76,8 +77,12 @@ resource "kubernetes_deployment" "blog" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@ -9,6 +9,7 @@ resource "kubernetes_namespace" "tuya-bridge" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.cluster
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -152,8 +153,12 @@ resource "kubernetes_deployment" "tuya-bridge" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@ -25,6 +25,7 @@ resource "kubernetes_namespace" "shlink" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -260,8 +261,12 @@ resource "kubernetes_deployment" "shlink" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -406,8 +411,12 @@ resource "kubernetes_deployment" "shlink-web" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "vault" {
    name = "vault"
    labels = {
      tier = local.tiers.core
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@ -11,6 +11,7 @@ resource "kubernetes_namespace" "wealthfolio" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -105,7 +106,12 @@ resource "random_string" "random" {

 resource "kubernetes_deployment" "wealthfolio" {
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
  metadata {
    name      = "wealthfolio"
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@ -13,6 +13,7 @@ resource "kubernetes_namespace" "webhook-handler" {
    name = "webhook-handler"
    labels = {
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -234,7 +235,12 @@ resource "kubernetes_deployment" "webhook_handler" {
    }
  }
  lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/whisper/main.tf
+++ b/stacks/whisper/main.tf
@ -10,6 +10,7 @@ resource "kubernetes_namespace" "whisper" {
    name = "whisper"
    labels = {
      tier = local.tiers.gpu
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -124,8 +125,12 @@ resource "kubernetes_deployment" "whisper" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -246,8 +251,12 @@ resource "kubernetes_deployment" "piper" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@ -32,6 +32,7 @@ resource "kubernetes_namespace" "woodpecker" {
    labels = {
      "resource-governance/custom-quota" = "true"
      tier                               = local.tiers.edge
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
@ -41,6 +41,7 @@ resource "kubernetes_namespace" "ytdlp" {
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
    }
  }
  lifecycle {
@ -148,8 +149,12 @@ resource "kubernetes_deployment" "ytdlp" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }

@ -323,8 +328,12 @@ resource "kubernetes_deployment" "yt_highlights" {
    }
  }
  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
  }
 }