From 90fb0685ae3bebc9c0ba7ee83bcaae40b5687d08 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 13 Jun 2026 02:42:45 +0000
Subject: [PATCH] traefik: x402-gateway image forgejo -> ghcr + KEEL_IGNORE_IMAGE (ADR-0002 infra#28)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Formalizing x402-gateway CI (was a manual no-CI image). The deployment lives in the traefik module; its image was NOT in ignore_changes, so a set-image deploy would be reverted on the next traefik apply — added it (KEEL_IGNORE_IMAGE). Base repointed to ghcr:latest; the GHA deploy set-images the :sha8. Public ghcr package = no pull secret. Inert on the live pod (image now ignored); rolling cutover keeps forwardAuth up.
Co-Authored-By: Claude Fable 5
---
 stacks/traefik/modules/traefik/main.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index 36fb9623..c504891d 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -572,7 +572,7 @@ resource "kubernetes_deployment" "x402_gateway" {
 }
 container {
 name = "x402-gateway"
- image = "forgejo.viktorbarzin.me/viktor/x402-gateway:d9b83125"
+ image = "ghcr.io/viktorbarzin/x402-gateway:latest"
 port {
 name = "http"
 container_port = 8923
@@ -664,6 +664,9 @@ resource "kubernetes_deployment" "x402_gateway" {
 # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
 ignore_changes = [
 spec[0].template[0].spec[0].dns_config,
+ # KEEL_IGNORE_IMAGE: the GHA->ghcr build (ADR-0002 infra#28) set-images
+ # the running :sha8 tag; don't let terragrunt revert it to :latest.
+ spec[0].template[0].spec[0].container[0].image,
 # KEEL_LIFECYCLE_V1: keel.sh annotations + tier label are stamped on the
 # live object (keel enrollment / resource-governance) — don't strip them.
 metadata[0].annotations["keel.sh/policy"],
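Review bot: The new base image `ghcr.io/viktorbarzin/x402-gateway:latest` is a mutable tag on the container that serves forwardAuth, so any create or re-create of this deployment from Terraform runs whatever was last pushed to that tag rather than a reviewed build. Pinning the base to an immutable reference keeps the create path reproducible, for example `image = "ghcr.io/viktorbarzin/x402-gateway@sha256:<digest-placeholder>"` or the current `:sha8` tag; the GHA set-image flow and the ignore_changes entry are unaffected by that. Whether `image_pull_policy` is set is not visible in this hunk; if it is left unset, a deployment created with `:latest` defaults to pulling on every pod start, which is worth making explicit. The container block continues outside the hunk.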
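Review bot: Adding `spec[0].template[0].spec[0].container[0].image` to ignore_changes means `plan` stops reporting any out-of-band change to the gateway image, not only the GHA set-image, and the new comment does not say what replaces that check. I would extend the comment with a line such as `# Image drift is no longer visible in plan; allowed registry/repo is enforced by <admission-policy-placeholder>.` The comment above suggests Kyverno is already in the admission path, so a policy restricting this deployment to the `ghcr.io/viktorbarzin/x402-gateway` repository looks like the natural compensating control. The `container[0]` index also assumes x402-gateway remains the first container in the pod spec. The lifecycle block starts, and the ignore_changes list continues, outside the hunk.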