From 6d71a91fadb7140ace609f7cd0c942eb7d4152bb Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Sat, 16 May 2026 13:18:35 +0000
Subject: [PATCH] =?UTF-8?q?calico:=20unenroll=20from=20Keel=20=E2=80=94=20?=
 =?UTF-8?q?tigera-operator=20owns=20DaemonSet=20spec?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Keel kept rewriting calico-node + calico-kube-controllers images to
v3.26.5 (proper patch update); tigera-operator immediately reverted
to v3.26.1 because the Installation CR is the source of truth.
Endless churn but no data loss — Calico stayed healthy throughout.

Removing keel.sh/enrolled label and live label from calico-system ns.
Calico upgrades go through the tigera-operator's Installation CR
manually, not Keel.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 stacks/calico/main.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/stacks/calico/main.tf b/stacks/calico/main.tf
index afe21f43..4bb8b488 100644
--- a/stacks/calico/main.tf
+++ b/stacks/calico/main.tf
@@ -22,7 +22,9 @@ resource "kubernetes_namespace" "calico_system" {
     name = "calico-system"
     labels = {
       name = "calico-system"
-      "keel.sh/enrolled" = "true"
+# calico-system namespace is managed by tigera-operator — auto-update is
+      # incompatible (operator reverts DaemonSet image from its Installation CR).
+      # "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {