recruiter-responder: pull image from ghcr + ghcr-credentials on all consumers (ADR-0002, infra#27)
Migrating recruiter-responder off in-cluster Woodpecker builds: GHA will build and push ghcr.io/viktorbarzin/recruiter-responder (PRIVATE package). This commit lands the pull-side prerequisites BEFORE the first off-infra build fires:

- stacks/recruiter-responder: image base forgejo -> ghcr (inert on the live Deployment - both containers are ignore_changes'd; the Woodpecker deploy moves the tag) + ghcr-credentials imagePullSecrets on the Deployment (covers the recruiter-responder container AND the alembic-migrate init container, which share the image).
- stacks/openclaw: ghcr-credentials imagePullSecrets on the openclaw Deployment - its install-recruiter-plugin init container consumes the :latest tag of this image. The image ref itself flips to ghcr in a follow-up once the first GHA build has created the package (flipping now would ImagePullBackOff on a not-yet-existing package and wedge the apply).
- stacks/kyverno: allowlist openclaw in sync-ghcr-credentials so the pull secret is cloned into that namespace too.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parent c594274c83
commit 57ff41e47e
3 changed files with 24 additions and 3 deletions
|
|
@ -13,7 +13,10 @@ variable "tls_secret_name" {
|
|||
|
||||
locals {
|
||||
namespace = "recruiter-responder"
|
||||
image = "forgejo.viktorbarzin.me/viktor/recruiter-responder:${var.image_tag}"
|
||||
# GHA builds + pushes ghcr.io/viktorbarzin/recruiter-responder (PRIVATE,
|
||||
# ADR-0002 off-infra builds, infra#27). Canonical repo stays on Forgejo;
|
||||
# the GitHub mirror runs the build and the Woodpecker deploy moves the tag.
|
||||
image = "ghcr.io/viktorbarzin/recruiter-responder:${var.image_tag}"
|
||||
labels = {
|
||||
app = "recruiter-responder"
|
||||
}
|
||||
|
|
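Review bot: The comment added above the new `image = "ghcr.io/viktorbarzin/recruiter-responder:${var.image_tag}"` line in `locals` says where the image is built but not that this value has no effect on the running Deployment; according to the commit message both containers are ignore_changes'd and the Woodpecker deploy moves the tag. Suggest adding a line to that comment saying so, so that a later reader does not expect an apply of this change to roll the pods onto ghcr. It would also help to state whether `var.image_tag` is expected to be an immutable tag, since the build now runs off-infra and a mutable tag lets the pushed content change under a fixed reference.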
@ -175,6 +178,12 @@ resource "kubernetes_deployment" "recruiter_responder" {
|
|||
image_pull_secrets {
|
||||
name = "registry-credentials"
|
||||
}
|
||||
# GHCR pull secret: the ghcr-credentials Secret in this namespace is
|
||||
# cloned in by the kyverno stack's sync-ghcr-credentials ClusterPolicy
|
||||
# (allowlisted namespace) — the ghcr package is PRIVATE (ADR-0002).
|
||||
image_pull_secrets {
|
||||
name = "ghcr-credentials"
|
||||
}
|
||||
|
||||
init_container {
|
||||
name = "alembic-migrate"
|
||||
|
|
|
|||
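Review bot: The existing `registry-credentials` block stays next to the new `ghcr-credentials` block with no comment saying why or for how long. If it is kept only so the currently running Forgejo-tagged image can still be pulled during the migration, say so in the comment and remove it in the follow-up once every container of this Deployment pulls from ghcr, so the pod spec does not keep referencing a registry credential it no longer needs. The new comment also relies on the kyverno sync-ghcr-credentials policy having cloned the Secret into this namespace; nothing in these lines orders that before the first ghcr tag is deployed, so confirm the Secret exists in the recruiter-responder namespace first, otherwise the pull of the private image will fail.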