From 82a0c5aedf1528f5fd4a567609a539472c0f1fba Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 15 Jun 2026 10:32:38 +0000
Subject: [PATCH] =?UTF-8?q?t3-afk:=20fix=20crashloop=20=E2=80=94=20exclude?=
 =?UTF-8?q?=20from=20Keel=20at=20the=20deployment=20level?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Keel "patch"-downgraded the image docker.io/library/node:24 -> library/node:24.0.2, which is below t3@0.0.27's required node >=24.10, so `t3 serve` exited silently and the pod crash-looped (~160 restarts / 13h).

Root cause: keel.sh/policy=never was on the POD-TEMPLATE labels, but Keel reads the policy at the DEPLOYMENT level. The cluster's Kyverno inject-keel-annotations is opt-out, so it stamped policy=patch and Keel acted on it.

Fix: set keel.sh/policy=never as a deployment-level annotation; ignore_changes the Kyverno-injected keel.sh/pollSchedule + keel.sh/trigger annotations; the image stays TF-owned (apply reverted Keel's downgrade). Pod now 1/1, t3 serve 200.

Co-Authored-By: Claude Opus 4.8
---
 stacks/t3-afk/main.tf | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/stacks/t3-afk/main.tf b/stacks/t3-afk/main.tf
index 22aedf0b..a56cffde 100644
--- a/stacks/t3-afk/main.tf
+++ b/stacks/t3-afk/main.tf
@@ -131,6 +131,16 @@ resource "kubernetes_deployment" "t3_afk" {
     name = "t3-afk"
     namespace = kubernetes_namespace.t3_afk.metadata[0].name
     labels = local.labels
+    # keel.sh/policy=never must be a DEPLOYMENT-level annotation — that's where
+    # Keel reads it. (A pod-template label is ignored by Keel, which is why the
+    # earlier attempt failed.) The cluster's Kyverno inject-keel-annotations
+    # policy is opt-OUT: it stamps policy=patch on any workload that doesn't
+    # carry its own keel.sh/policy — and Keel then "patch"-downgraded
+    # node:24 -> node:24.0.2 (below t3@0.0.27's required node >=24.10), which
+    # crash-looped `t3 serve`. ADR 0003 (Keel-excluded).
+    annotations = {
+      "keel.sh/policy" = "never"
+    }
   }

   spec {
@@ -146,11 +156,7 @@ resource "kubernetes_deployment" "t3_afk" {

     template {
       metadata {
-        labels = merge(local.labels, {
-          # Belt-and-braces: this namespace isn't Keel-enrolled, but pin the
-          # churny pre-1.0 T3 explicitly out of any auto-upgrade. ADR 0003.
-          "keel.sh/policy" = "never"
-        })
+        labels = local.labels
       }

       spec {
@@ -312,7 +318,14 @@ resource "kubernetes_deployment" "t3_afk" {
     }

     lifecycle {
-      ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+      ignore_changes = [
+        spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+        # Kyverno's inject-keel-annotations stamps pollSchedule/trigger alongside
+        # the policy; we own keel.sh/policy=never above, but ignore these two so
+        # they don't perpetually drift the plan.
+        metadata[0].annotations["keel.sh/pollSchedule"],
+        metadata[0].annotations["keel.sh/trigger"],
+      ]
     }
   }
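Review bot: The `annotations = { "keel.sh/policy" = "never" }` added in the first hunk stops Keel from rewriting the image, but the condition that actually broke the pod — a floating `docker.io/library/node:24` tag resolving to a release below t3@0.0.27's `node >=24.10` floor — is still not encoded anywhere: the image reference sits outside this hunk, so the only guard left is whatever the registry happens to serve for `node:24` at pull time, and a mutable tag can be moved by a registry-side retag just as Keel moved it here. Pin the image by digest (`node:24@sha256:…`) or at least to a minor tag that satisfies the floor, and put a comment beside the annotation such as `# NOTE: node:24 is a floating tag; t3 needs node >=24.10 — pin by digest so a retag cannot reintroduce this crashloop`. The commit description says ~160 restarts over 13 h went unnoticed, so a startup probe on `t3 serve` (or an alert on container restart count) would turn the next silent exit into a failed rollout rather than a long crashloop; I cannot tell from the hunk whether the deployment already carries one. The enclosing `kubernetes_deployment` resource begins before and ends after this hunk.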