From 7b4a8ba867d86a28017f3951cfe7e46bc8abc4df Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 27 Jun 2026 08:04:55 +0000
Subject: [PATCH] chrome-service: pin noVNC image to the x11vnc-supervision build
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Deploys the self-heal fix from the previous commit. Keel is off for this deployment (keel.sh/policy=never, because the browser container's playwright image is version-pinned to f1-stream) and the novnc image was :latest with imagePullPolicy=IfNotPresent, so a rebuilt :latest would NOT be re-pulled on a rollout — the supervised entrypoint would never reach the running pod. Pin novnc to :19d0f0933a8ec75be6cfa077db88e0f8c3760f40 (the build of the prior commit; ghcr digest sha256:5b783ac6, == :latest) so the stack apply rolls the sidecar onto the new image. Future novnc entrypoint changes deploy by bumping this digest after build-chrome-service-novnc.yml publishes a new SHA tag.

Co-Authored-By: Claude Opus 4.8
---
 stacks/chrome-service/main.tf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/stacks/chrome-service/main.tf b/stacks/chrome-service/main.tf
index 37f82c01..0394a93d 100644
--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@@ -333,15 +333,20 @@ resource "kubernetes_deployment" "chrome_service" {
 container {
 name = "novnc"
 # Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
- image = "ghcr.io/viktorbarzin/chrome-service-novnc:latest"
+ # SHA-pinned (not :latest): Keel is OFF for this deployment
+ # (keel.sh/policy=never, below) and :latest/IfNotPresent won't re-pull a
+ # rebuilt image, so a new noVNC entrypoint only deploys when this digest
+ # is bumped here. Bump after build-chrome-service-novnc.yml pushes a new
+ # SHA tag. 2026-06-27: bumped to land the x11vnc-supervision self-heal fix
+ # (noVNC went black after a browser-container restart; see
+ # docs/architecture/chrome-service.md "x11vnc supervision").
+ image = "ghcr.io/viktorbarzin/chrome-service-novnc:19d0f0933a8ec75be6cfa077db88e0f8c3760f40"
 image_pull_policy = "IfNotPresent"
 # Cap RLIMIT_NOFILE before the entrypoint runs. Containerd grants pods
 # nofile=2^31; x11vnc sweeps the whole fd table on each client connect,
 # so every VNC connection hangs on "Connecting" until it times out
- # (fd-sweep bug, same as android-emulator). entrypoint.sh now also sets
- # this, but the image is :latest/IfNotPresent so a rebuilt entrypoint
- # isn't guaranteed to be pulled — this wrapper applies the cap
- # deterministically on every rollout off the cached image.
+ # (fd-sweep bug, same as android-emulator). entrypoint.sh also sets this;
+ # the wrapper keeps the cap deterministic even off a cached image.
 command = ["bash", "-c", "ulimit -n 65536; exec /entrypoint.sh"]
 port {
 name = "http"
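Review bot: The added comment above the `image` line calls the `:19d0f09…` reference a "digest", but it is a tag (the build's git SHA), and a tag is mutable: if the registry ever re-publishes the same tag, `image_pull_policy = "IfNotPresent"` will keep running whatever the node has cached, so the failure mode the comment is guarding against is only narrowed, not removed, and nothing in the manifest ties the running content to the `sha256:5b783ac6` value the commit message cites. The immutable form is a content-digest reference, `image = "ghcr.io/viktorbarzin/chrome-service-novnc@sha256:<full digest from the registry>"` (placeholder — the page only shows the first 8 hex characters), which also makes `IfNotPresent` safe by construction; if the tag form is kept on purpose, reword `so a new noVNC entrypoint only deploys when this digest` / `# is bumped here` to say "SHA tag" so the next maintainer does not assume digest pinning. The enclosing `kubernetes_deployment` resource block starts and ends outside the hunk.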