From 605cf99a1b2b988a0f185903c8cffbc4e15c4839 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Wed, 17 Jun 2026 21:24:34 +0000
Subject: [PATCH] portal-tts: docker.io/ prefix on edge-tts image (Kyverno trusted-registries)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The edge-tts apply was blocked by the require-trusted-registries Kyverno policy — a bare `travisvn/openai-edge-tts` isn't in the allowlist. The policy blanket- trusts `docker.io/*`, so prefixing the image with `docker.io/` passes admission with no policy change. Verified live: bg synth round-trips through Whisper verbatim and a full gateway /v1/talk bg turn returns a coherent spoken Bulgarian reply ("Добър ден! Добре съм, благодаря!...").
Co-Authored-By: Claude Opus 4.8
---
 stacks/portal-tts/main.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/stacks/portal-tts/main.tf b/stacks/portal-tts/main.tf
index 18ef8fb3..39bfbcbd 100644
--- a/stacks/portal-tts/main.tf
+++ b/stacks/portal-tts/main.tf
@@ -43,7 +43,9 @@ variable "edge_tts_image" {
 # bundles ffmpeg so response_format=wav (PCM16) works. Floating tag (no semver
 # discipline upstream) — the namespace is Keel-enrolled so digest bumps roll in
 # automatically; TF owns only the tag string.
- default = "travisvn/openai-edge-tts:latest-ffmpeg"
+ # docker.io/ prefix is REQUIRED: Kyverno require-trusted-registries blanket-
+ # trusts docker.io/* but a bare `travisvn/...` is unenumerated → blocked.
+ default = "docker.io/travisvn/openai-edge-tts:latest-ffmpeg"
 description = "openai-edge-tts image (ffmpeg variant — needed for wav output)."
 }
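Review bot: The new `default` passes admission only through the `docker.io/*` wildcard that the added comment describes, so the registry policy says nothing about who published this image. Combined with the floating `latest-ffmpeg` tag and Keel rolling digests automatically, whatever is pushed to that tag on a single-maintainer Docker Hub repository gets deployed without review. If the workload warrants it, pin the reviewed digest, e.g. `default = "docker.io/travisvn/openai-edge-tts:latest-ffmpeg@sha256:<REVIEWED_DIGEST>"` (placeholder), or pull from a mirror you control; whether a digest pin interacts cleanly with the Keel enrolment is not visible from this hunk. At minimum, extend the comment with `# NOTE: passing require-trusted-registries is not a provenance check — docker.io/* admits any Docker Hub publisher.` so the prefix is not read as a trust decision. The `variable "edge_tts_image"` block opens above the hunk.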