beads-server: codify Keel annotations on Dolt deployment (drift cleanup)

Task 1's recovery from the broken `:latest` image rollout left keel.sh/policy=never set imperatively via `kubectl annotate` — out of TF, which violates the "all infra via TF" rule. Now codified alongside match-tag, trigger, pollSchedule. Removed those three keys from ignore_changes (was the original "Keel manages these" pattern, no longer correct for this deployment). Also added KYVERNO_LIFECYCLE_V1 ignore_changes on the presence_schema migration Job so future applies don't try to replace it over the Kyverno-injected ndots dns_config. Verified: 0 added, 3 changed (unrelated pre-existing drift on beadboard/workbench/service), 0 destroyed. Dolt pod uninterrupted (revision 13 preserved).
2026-05-17 22:22:40 +00:00 · 2026-05-17 22:22:40 +00:00 · 309f83ec8c
commit 309f83ec8c
parent 5482f46125
1 changed files with 17 additions and 3 deletions
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@ -103,6 +103,16 @@ resource "kubernetes_deployment" "dolt" {
      app  = "dolt"
      tier = local.tiers.aux
    }
+    annotations = {
+      # Keel is namespace-enrolled (keel.sh/enrolled=true on the namespace),
+      # but this deployment opts OUT of auto-updates: dolthub/dolt-sql-server:latest
+      # currently resolves to a broken 0.50.10 build. Pinned image lives in the
+      # container spec below. Codified here so TF state matches live, no drift.
+      "keel.sh/policy"       = "never"
+      "keel.sh/match-tag"    = "true"
+      "keel.sh/trigger"      = "poll"
+      "keel.sh/pollSchedule" = "@every 1h"
+    }
  }
  spec {
    replicas = 1
@ -201,10 +211,9 @@ resource "kubernetes_deployment" "dolt" {
  lifecycle {
    ignore_changes = [
      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
-      metadata[0].annotations["keel.sh/policy"],
-      metadata[0].annotations["keel.sh/trigger"],
-      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
+      # Keel annotations are codified in metadata.annotations above (policy=never
+      # opts this deployment out of auto-updates — see the comment there).
    ]
  }
 }
@ -251,6 +260,11 @@ resource "kubernetes_job" "presence_schema_migrate" {
    create = "5m"
  }
  depends_on = [kubernetes_deployment.dolt]
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+    ]
+  }
 }

 resource "kubernetes_service" "dolt" {