Bucket C: enroll 5 raw-deploy stacks in Keel auto-update

* beads-server: 3 Deployments — extended V1 lifecycle blocks to V2
    + KEEL_IGNORE_IMAGE; namespace label.
  * llama-cpp: 1 Deployment — extended V1→V2; namespace label.
  * novelapp: namespace label only (Deployment has non-standard
    lifecycle without V1 dns_config — drift expected, accept for now).
  * plotting-book: namespace label only (same as novelapp).
  * trading-bot: namespace label only (same as novelapp).

immich deferred — the bulk-add script's brace-counter got confused by
a HEREDOC in the file, inserting a lifecycle block in the wrong
position. Needs manual per-Deployment editing.

The 3 ns-only stacks (novelapp, plotting-book, trading-bot) will see
their Deployments mutated by Kyverno but their TF lifecycle doesn't
yet ignore the keel annotations. Expected behavior: drift visible in
terragrunt plan, applied-state oscillates with Kyverno re-injecting.
Acceptable starting point; per-Deployment lifecycle work to fix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/beads-server/main.tf

@@ -29,6 +29,7 @@ resource "kubernetes_namespace" "beads" {
     name = "beads-server"
     labels = {
       tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
@@ -177,7 +178,11 @@ resource "kubernetes_deployment" "dolt" {
   }
   lifecycle {
     ignore_changes = [
-      spec[0].template[0].spec[0].dns_config # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
 }
@@ -381,7 +386,11 @@ resource "kubernetes_deployment" "workbench" {
   }
   lifecycle {
     ignore_changes = [
-      spec[0].template[0].spec[0].dns_config # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
 }
@@ -654,7 +663,11 @@ resource "kubernetes_deployment" "beadboard" {
   }
   lifecycle {
     ignore_changes = [
-      spec[0].template[0].spec[0].dns_config # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
 }

stacks/llama-cpp/main.tf

@@ -101,6 +101,7 @@ resource "kubernetes_namespace" "llama_cpp" {
     labels = {
       tier              = local.tiers.gpu
       "istio-injection" = "disabled"
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
@@ -372,6 +373,10 @@ resource "kubernetes_deployment" "llama_swap" {
   lifecycle {
     ignore_changes = [
       spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
 

stacks/novelapp/main.tf

@@ -36,6 +36,7 @@ resource "kubernetes_namespace" "novelapp" {
     labels = {
       "istio-injection" : "disabled"
       tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {

stacks/plotting-book/main.tf

@@ -9,6 +9,7 @@ resource "kubernetes_namespace" "plotting-book" {
     labels = {
       "istio-injection" : "disabled"
       tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {

stacks/trading-bot/main.tf

@@ -35,6 +35,7 @@ resource "kubernetes_namespace" "trading-bot" {
     name = "trading-bot"
     labels = {
       tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
     }
   }
 }