payslip-ingest: image base forgejo -> ghcr, ghcr-credentials pull secret, cron to :latest+Always

Prep for moving payslip-ingest's image build off-infra to GitHub Actions -> ghcr.io (ADR-0002 wave 2, issue #24). One stack commit before onboarding: - image base repointed forgejo.viktorbarzin.me/viktor/payslip-ingest -> ghcr.io/viktorbarzin/payslip-ingest (private ghcr package) - ghcr-credentials imagePullSecrets added on the Deployment AND the actualbudget-payroll-sync CronJob pod specs (namespace is already in the kyverno sync-ghcr-credentials allowlist; secret verified present) - the CronJob's SHA pin is retired: terragrunt image_tag 4f70681d -> latest plus explicit imagePullPolicy Always on the cron container, per the fleet convention for owned-app CronJobs — one less set-image target, and the cron can never go back to pulling the dead Forgejo tag The Deployment keeps KEEL_IGNORE_IMAGE; its concrete :sha8 tag is set by the Woodpecker deploy pipeline after each GHA build. Closes: nothing yet — the repo-side onboarding (offinfra-onboard) follows. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-13 00:03:11 +00:00 · 2026-06-13 00:03:11 +00:00 · 5d236c2352
commit 5d236c2352
parent 72b5843e4b
2 changed files with 31 additions and 10 deletions
--- a/stacks/payslip-ingest/main.tf
+++ b/stacks/payslip-ingest/main.tf
@ -8,10 +8,13 @@ variable "postgresql_host" { type = string }

 locals {
  namespace = "payslip-ingest"
-  # Phase 3 of forgejo-registry-consolidation — image= flipped to Forgejo
-  # 2026-05-07. registry-private kept image at the same path, so the new
-  # Forgejo URL is `viktor/<name>` under forgejo.viktorbarzin.me.
-  image = "forgejo.viktorbarzin.me/viktor/payslip-ingest:${var.image_tag}"
+  # Image built OFF-INFRA by GitHub Actions, pushed to GHCR (private) — ADR-0002,
+  # 2026-06-13 (issue #24): Forgejo viktor/payslip-ingest push-mirrors -> private
+  # ViktorBarzin/payslip-ingest GitHub repo -> GHA builds + pushes
+  # ghcr.io/viktorbarzin/payslip-ingest. The running Deployment tag is set via
+  # `kubectl set image` by the Woodpecker deploy pipeline (image is
+  # KEEL_IGNORE_IMAGE below); the CronJob tracks :latest with pull policy Always.
+  image = "ghcr.io/viktorbarzin/payslip-ingest:${var.image_tag}"
  labels = {
    app = "payslip-ingest"
  }
@ -200,6 +203,11 @@ resource "kubernetes_deployment" "payslip_ingest" {
        image_pull_secrets {
          name = "registry-credentials"
        }
+        # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+        # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }

        init_container {
          name    = "alembic-migrate"
@ -376,10 +384,19 @@ resource "kubernetes_cron_job_v1" "actualbudget_payroll_sync" {
            image_pull_secrets {
              name = "registry-credentials"
            }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
            container {
-              name    = "sync"
-              image   = local.image
-              command = ["python", "-m", "payslip_ingest", "sync-meta-deposits"]
+              name  = "sync"
+              image = local.image
+              # Fleet convention for owned-app CronJobs (ADR-0002): track
+              # :latest and re-pull on every run. Replaces the dead SHA pin
+              # (:4f70681d) on the decommissioned Forgejo image path.
+              image_pull_policy = "Always"
+              command           = ["python", "-m", "payslip_ingest", "sync-meta-deposits"]

              env_from {
                secret_ref {
--- a/stacks/payslip-ingest/terragrunt.hcl
+++ b/stacks/payslip-ingest/terragrunt.hcl
@ -18,7 +18,11 @@ dependency "external-secrets" {
 }

 inputs = {
-  # payslip-ingest repo HEAD — includes migrations 0004 + 0005, bonus-dedup,
-  # and the Woodpecker path-filter fix. Bump on every deploy.
-  image_tag = "4f70681d"
+  # :latest — CI drives the rollout (ADR-0002, issue #24): every master push
+  # builds :<sha8> + :latest on ghcr, then the Woodpecker deploy pipeline sets
+  # the Deployment to the concrete SHA (image is KEEL_IGNORE_IMAGE'd in the
+  # stack). The actualbudget-payroll-sync CronJob tracks :latest with
+  # imagePullPolicy Always — the old SHA pin (4f70681d, a Forgejo-only tag)
+  # is retired so the cron can never reference the dead registry path.
+  image_tag = "latest"
 }