viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chrome-service: stop ignoring container[0].image so TF re-asserts the pinned browser image

Browse source 
The chrome-service container (container[0]) runs the pinned Microsoft Playwright
image, which ships chromium under /ms-playwright. Its image was still listed in
the deployment's lifecycle ignore_changes — a leftover KEEL_IGNORE from before
ADR-0002 #29 moved the novnc container to TF management. With that field ignored,
a stray clobber of container[0] to ghcr chrome-service-novnc:latest (which has no
chromium there) stuck permanently: the container crash-looped ~12h on "chromium
binary not found under /ms-playwright" (273 restarts) and TF could not revert it.

Remove container[0].image from ignore_changes so Terraform pins it to local.image
and re-asserts it on every apply. Both containers are TF-managed now (novnc since
ADR-0002 #29); Keel is inert (policy=never), so nothing should fight TF here.

Surfaced by /cluster-health. Live state was already restored transiently via
kubectl set image; this commit makes the fix durable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-16 08:18:32 +00:00
parent 1ba453c65d
commit a0725ede57
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
stacks/chrome-service/main.tf
View file

@ -439,8 +439,12 @@ resource "kubernetes_deployment" "chrome_service" {
metadata[0].annotations["keel.sh/trigger"],
metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
metadata[0].annotations["keel.sh/match-tag"],
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE Keel manages tag updates
# container[1]=novnc now TF-managed on ghcr:latest (ADR-0002 #29) was KEEL_IGNORE
# container[0]=chrome-service (MS Playwright, pinned via local.image) and
# container[1]=novnc (ghcr:latest, ADR-0002 #29) are BOTH TF-managed now.
# container[0].image was previously KEEL_IGNORE'd here; that let a stray
# clobber to the novnc image stick (chromium-not-found crashloop 2026-06-16)
# because TF could not revert the ignored field. Removed so TF re-asserts the
# pinned image. Keel is inert (keel.sh/policy=never) and no deploy step touches these.
spec[0].template[0].spec[0].init_container[0].image,
metadata[0].annotations["kubernetes.io/change-cause"],
metadata[0].annotations["deployment.kubernetes.io/revision"],