From 9765f6b9a449fe5e5d6df0d409554b29977ad57f Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 16 May 2026 13:01:35 +0000
Subject: [PATCH] keel: enable Slack notifications on every upgrade
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wire Keel's Slack notifier to the existing bot token in Vault (secret/viktor -> slack_bot_token). Posts to #general by default; override via slack.channel in the Helm values if you want a dedicated channel like #keel-notifications. Notification level is "info" so we get every rollout event, not just errors. Approval flow is OFF — opt-out-pure means all updates apply unattended. If we later introduce approvals, add slack.approvalsChannel. Resolves user request: 'keel should send notifications to slack everytime it upgrades an app'.

Co-Authored-By: Claude Opus 4.7
---
 stacks/keel/main.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/stacks/keel/main.tf b/stacks/keel/main.tf
index 43ef5240..30a65f7b 100644
--- a/stacks/keel/main.tf
+++ b/stacks/keel/main.tf
@@ -11,6 +11,13 @@
 # (stacks/kyverno/modules/kyverno/keel-annotations.tf) on namespaces
 # labeled keel.sh/enrolled=true.
 
+# Slack bot token for posting upgrade notifications. Existing token in
+# Vault — same one used elsewhere — see secret/viktor -> slack_bot_token.
+data "vault_kv_secret_v2" "viktor" {
+ mount = "secret"
+ name = "viktor"
+}
+
 resource "kubernetes_namespace" "keel" {
 metadata {
 name = "keel"
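Review bot: The new `data "vault_kv_secret_v2" "viktor"` block reads the whole `secret/viktor` entry to obtain a single key, so every key stored under that path is copied into this stack's Terraform state, and the stack's Vault policy must be able to read all of them. The added comment says the token is the same one used elsewhere, which means a leak from the Keel deployment exposes a credential shared by other integrations and it cannot be rotated for Keel alone. A Keel-specific bot token under its own Vault path (`<keel-specific path>`, placeholder) would limit both problems. If the shared path stays, the comment should say so explicitly, e.g. `# NOTE: reads all of secret/viktor into state; only slack_bot_token is used here.`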
@@ -52,6 +59,17 @@ resource "helm_release" "keel" {
 persistence = {
 enabled = false
 }
+ # Slack notifications: post every rollout to the configured channel.
+ # Bot token from Vault (secret/viktor -> slack_bot_token). The Keel
+ # chart sets SLACK_BOT_TOKEN, SLACK_CHANNELS, etc. on the deployment
+ # from these values.
+ slack = {
+ enabled = true
+ botToken = data.vault_kv_secret_v2.viktor.data["slack_bot_token"]
+ channel = "general"
+ # No approval flow — opt-out-pure means everything auto-rolls.
+ # If we ever introduce gated rollouts, set approvalsChannel here.
+ }
 # Keel uses each watched Deployment's own imagePullSecrets to query
 # its registry. Forgejo creds (`registry-credentials`) are auto-synced
 # to every namespace by Kyverno already, so Keel pods don't need a
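Review bot: `botToken = data.vault_kv_secret_v2.viktor.data["slack_bot_token"]` places the token among the ordinary chart values, so it is likely persisted in the Helm release record inside the cluster as well as in Terraform state, where anyone able to read release Secrets in that namespace can recover it. The enclosing `helm_release` block begins outside this hunk, so how these values are handed to the chart is not visible here. If the chart can reference a pre-created Kubernetes Secret, prefer that; otherwise pass this one value through the provider's `set_sensitive` so it stays separate from the rest of the values. Separately, `channel = "general"` sends every rollout event to a workspace-wide channel, which shows image names and versions to all members; a dedicated channel would be a safer default.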