From 5bc7a766300adbf97d475f42d98903fdddd8e91a Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 29 May 2026 05:45:16 +0000 Subject: [PATCH] tuya-bridge: switch to Forgejo image + CI-driven deploy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mirrors the kms-website pattern: deployment image now points to forgejo.viktorbarzin.me/viktor/tuya_bridge:${var.image_tag} and the new Woodpecker pipeline in tuya_bridge/.woodpecker.yml drives the rollout via `kubectl set image` on every push. Changes: - Extract `tls_secret_name` and add `image_tag` (default "latest") to a new variables.tf, matching the kms / fire-planner / payslip-ingest convention. - Add `image_pull_secrets { name = "registry-credentials" }` (Kyverno ClusterPolicy sync-registry-credentials already syncs the Secret into every namespace). - Set explicit `image_pull_policy = "IfNotPresent"` — SHA-tagged images are immutable, no need to re-pull on every restart. The image attribute remains in `lifecycle.ignore_changes` (line was already there from the prior Keel-managed era), so future `tg apply`s do not fight Woodpecker's `kubectl set image`. Keel is still enrolled on the namespace but will skip SHA-tagged images under `policy: patch` (non-semver), so the CI pipeline is the sole rollout mechanism. Backstory: the 2026-05-26 cluster-health incident was tuya-bridge crashlooping after Keel rewrote `:latest` to a stale broken `:0.1` tag on Docker Hub (which predated the `prometheus_exporter.py` addition). Manual rebuild + push was the immediate fix; this commit plus tuya_bridge/.woodpecker.yml close the underlying gap so a source change reliably produces a fresh registry image. Co-Authored-By: Claude Opus 4.7 --- stacks/tuya-bridge/main.tf | 13 ++++++------- stacks/tuya-bridge/variables.tf | 10 ++++++++++ 2 files changed, 16 insertions(+), 7 deletions(-) create mode 100644 stacks/tuya-bridge/variables.tf 
diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf
index 02ec817d..85b1a0b5 100644
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@@ -1,8 +1,3 @@
-variable "tls_secret_name" {
- type = string
- sensitive = true
-}
-
 resource "kubernetes_namespace" "tuya-bridge" {
 metadata {
 name = "tuya-bridge"
@@ -77,9 +72,13 @@ resource "kubernetes_deployment" "tuya-bridge" {
 }
 }
 spec {
+ image_pull_secrets {
+ name = "registry-credentials"
+ }
 container {
- image = "viktorbarzin/tuya_bridge:latest"
- name = "tuya-bridge"
+ image = "forgejo.viktorbarzin.me/viktor/tuya_bridge:${var.image_tag}"
+ image_pull_policy = "IfNotPresent"
+ name = "tuya-bridge"
 port {
 container_port = 8080
 }
diff --git a/stacks/tuya-bridge/variables.tf b/stacks/tuya-bridge/variables.tf
new file mode 100644
index 00000000..5c2be4d3
--- /dev/null
+++ b/stacks/tuya-bridge/variables.tf
@@ -0,0 +1,10 @@
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
+
+variable "image_tag" {
+ type = string
+ default = "latest"
+ description = "tuya_bridge image tag pushed to forgejo.viktorbarzin.me/viktor/tuya_bridge. Each Woodpecker run does `kubectl set image` to the 8-char git SHA; this variable is only used on initial create / TF recreate (image is in lifecycle.ignore_changes)."
+}
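Review bot: `image_pull_policy = "IfNotPresent"` is justified by SHA-tagged images being immutable, but the tag Terraform itself applies on the `image` line is `${var.image_tag}`, which defaults to `latest` — a mutable tag — on initial create or recreate, so a node holding a cached stale `:latest` will never re-pull, which is exactly the failure mode the commit's backstory describes. Either keep the policy at `Always` (what Kubernetes already defaults to for a `:latest` tag) until the CI rewrite has landed, or have CI set the image by digest (`…/tuya_bridge@sha256:…`) so the immutability assumption holds even though registry tags, including SHA-named ones, can be re-pushed. A comment next to the policy would at least make the dependency explicit, e.g. `# IfNotPresent assumes the running tag is an immutable git-SHA written by CI; the TF default "latest" only bridges first deploy`. The `image_pull_secrets` name `registry-credentials` relies on the Kyverno sync policy mentioned in the message but not visible in this diff, and the deployment's container block continues outside the hunk.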
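Review bot: The new `image_tag` variable states its contract ("latest" or an 8-char git SHA) only in the `description`; a `validation` block would enforce it at plan time and reject a mistyped or foreign tag before it is rendered into the deployment. The regex below follows what the description says the pipeline writes — widen it if the Woodpecker step ever emits a longer SHA. As the description already notes, this only guards the initial-create/recreate path, since the commit says `image` sits in `lifecycle.ignore_changes`.
```hcl
variable "image_tag" {
  # … unchanged: type, default, description …

  validation {
    condition     = var.image_tag == "latest" || can(regex("^[0-9a-f]{8}$", var.image_tag))
    error_message = "image_tag must be \"latest\" or the 8-char lowercase git SHA written by the Woodpecker pipeline."
  }
}
```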