From a0725ede57be066b12a25912e01382afdc4b4d2d Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Tue, 16 Jun 2026 08:18:32 +0000
Subject: [PATCH] chrome-service: stop ignoring container[0].image so TF re-asserts the pinned browser image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The chrome-service container (container[0]) runs the pinned Microsoft Playwright image, which ships chromium under /ms-playwright. Its image was still listed in the deployment's lifecycle ignore_changes — a leftover KEEL_IGNORE from before ADR-0002 #29 moved the novnc container to TF management. With that field ignored, a stray clobber of container[0] to ghcr chrome-service-novnc:latest (which has no chromium there) stuck permanently: the container crash-looped ~12h on "chromium binary not found under /ms-playwright" (273 restarts) and TF could not revert it.

Remove container[0].image from ignore_changes so Terraform pins it to local.image and re-asserts it on every apply. Both containers are TF-managed now (novnc since ADR-0002 #29); Keel is inert (policy=never), so nothing should fight TF here.

Surfaced by /cluster-health. Live state was already restored transiently via kubectl set image; this commit makes the fix durable.

Co-Authored-By: Claude Opus 4.8
---
 stacks/chrome-service/main.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/stacks/chrome-service/main.tf b/stacks/chrome-service/main.tf
index a0e803c9..30210808 100644
--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@@ -439,8 +439,12 @@ resource "kubernetes_deployment" "chrome_service" { metadata[0].annotations["keel.sh/trigger"], metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2 metadata[0].annotations["keel.sh/match-tag"], - spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates - # container[1]=novnc now TF-managed on ghcr:latest (ADR-0002 #29) — was KEEL_IGNORE + # container[0]=chrome-service (MS Playwright, pinned via local.image) and + # container[1]=novnc (ghcr:latest, ADR-0002 #29) are BOTH TF-managed now. + # container[0].image was previously KEEL_IGNORE'd here; that let a stray + # clobber to the novnc image stick (chromium-not-found crashloop 2026-06-16) + # because TF could not revert the ignored field. Removed so TF re-asserts the + # pinned image. Keel is inert (keel.sh/policy=never) and no deploy step touches these. spec[0].template[0].spec[0].init_container[0].image, metadata[0].annotations["kubernetes.io/change-cause"], metadata[0].annotations["deployment.kubernetes.io/revision"],
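Review bot: `spec[0].template[0].spec[0].init_container[0].image` is still listed in ignore_changes on the context line directly below the new comment, so the failure mode this patch closes for container[0] (an out-of-band image change that Terraform cannot revert) remains open for the init container. The new comment ends with "no deploy step touches these", which reads as covering that entry as well. Either drop the init_container entry in the same change, or add a short comment on that line naming what owns the field and why it must stay ignored. Two smaller points on the added comment block: it states that container[1] runs `ghcr:latest`, so only container[0] is actually pinned by this change, and "re-asserts the pinned image" would be clearer if it said so explicitly; and the incident narrative (date, crashloop detail) already lives in the commit message, so the in-file comment could shrink to the invariant itself, for example that both container images are Terraform-managed and must not be added back to ignore_changes.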