vaultwarden: track :latest tag for Keel auto-upgrade (was 1.35.7)

Earlier today Keel's hourly poll caught vaultwarden's deployment in a
window where the `keel.sh/match-tag` annotation wasn't set, fell into
'watch repository tags' mode, and rewrote 1.35.7 -> 1.21.0. Vaultwarden
1.21.0 doesn't have the API endpoints the modern Bitwarden clients call
(/identity/accounts/prelogin/password, /api/devices/knowndevice,
/api/config), so the Chrome extension started 404-ing on login.

Same race shape as the 2026-05-17 authentik/pgbouncer incident. The
fundamental issue: `policy: force` on a semver-pinned tag is unsafe
because Keel happily rewrites the tag string if it can't find a stable
'current tag' to digest-watch.

Fix: switch to `:latest` (the mutable tag vaultwarden publishes for the
newest stable release). Keel now digest-watches `:latest` (safe mode)
and rolls forward on each upstream release. Matches cluster convention
(128 other Keel-managed workloads use the same `:latest` + force +
match-tag pattern).

Also added imagePullPolicy=Always (required with :latest so the kubelet
revalidates the manifest on each rollout instead of using a cached
layer), and extended the lifecycle.ignore_changes to cover the
match-tag annotation and kubernetes.io/change-cause (Keel rewrites
this on every rollout).

Current `:latest` digest -> vaultwarden 1.36.0 (released 2026-05-03).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-05-26 13:26:36 +00:00
parent 8ed427a7e4
commit b3dcccfc41
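The unsafe combination the message describes (Keel `policy: force` on a semver-pinned tag with no `keel.sh/match-tag`) is easy to lint for across a cluster before Keel's next poll finds it. This is an added example, not code from this commit or from Keel; it assumes the JSON shape of `kubectl get deployments -A -o json` (`items[].metadata.annotations`, `items[].spec.template.spec.containers[]`), and its sample input is constructed from the before/after state of this change.

```python
import re

# A tag that looks like a release pin: 1.35.7, v1.35, 2.0
SEMVER_TAG = re.compile(r"^v?\d+\.\d+(\.\d+)?$")


def split_image(image):
    """Return (repo, tag, digest) for an image reference string."""
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    # The tag separator is the last ':' that is not followed by a '/',
    # so a registry port (registry.local:5000/app) is not mistaken for a tag.
    name, sep, tag = image.rpartition(":")
    if sep and "/" not in tag:
        return name, tag, digest
    return image, None, digest


def lint_deployment(dep):
    """Return findings for one Deployment object (empty list if it is fine)."""
    meta = dep.get("metadata", {})
    ann = meta.get("annotations") or {}
    ident = f'{meta.get("namespace", "default")}/{meta.get("name")}'
    findings = []
    if ann.get("keel.sh/policy") != "force":
        return findings  # only the force policy rewrites the tag string
    match_tag = ann.get("keel.sh/match-tag", "").lower() == "true"
    for c in dep["spec"]["template"]["spec"]["containers"]:
        _repo, tag, _digest = split_image(c["image"])
        if tag and SEMVER_TAG.match(tag) and not match_tag:
            findings.append(f"{ident}: container {c['name']} has policy=force on "
                            f"semver tag {tag} without keel.sh/match-tag=true")
        if tag == "latest" and c.get("imagePullPolicy") != "Always":
            findings.append(f"{ident}: container {c['name']} tracks :latest "
                            f"without imagePullPolicy=Always")
    return findings


def lint_all(doc):
    """Lint every Deployment in a kubectl list document."""
    return [f for item in doc.get("items", []) for f in lint_deployment(item)]


# Constructed sample: item 0 is the pre-change state, item 1 the post-change state.
SAMPLE = {"items": [
    {"metadata": {"name": "vaultwarden", "namespace": "vaultwarden",
                  "annotations": {"keel.sh/policy": "force", "keel.sh/trigger": "poll"}},
     "spec": {"template": {"spec": {"containers": [
         {"name": "vaultwarden", "image": "vaultwarden/server:1.35.7"}]}}}},
    {"metadata": {"name": "vaultwarden", "namespace": "vaultwarden",
                  "annotations": {"keel.sh/policy": "force", "keel.sh/trigger": "poll",
                                  "keel.sh/match-tag": "true"}},
     "spec": {"template": {"spec": {"containers": [
         {"name": "vaultwarden", "image": "vaultwarden/server:latest",
          "imagePullPolicy": "Always"}]}}}}]}
```

Run it against real output with `json.load(sys.stdin)` in place of `SAMPLE`; any non-empty result is a workload that can hit the same rewrite.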


@ -87,8 +87,9 @@ resource "kubernetes_deployment" "vaultwarden" {
}
spec {
container {
image = "vaultwarden/server:1.35.7"
name = "vaultwarden"
image = "vaultwarden/server:latest"
image_pull_policy = "Always"
name = "vaultwarden"
resources {
requests = {
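Review bot: swapping the pinned `1.35.7` for `:latest` leaves no record in the manifest of which release the tag resolved to when it was adopted; the commit message says 1.36.0 (2026-05-03), but that only survives in git history, so a rollback target is not visible from the plan. Consider a comment beside `image = "vaultwarden/server:latest"` recording the version and date it was last verified, and note next to `image_pull_policy = "Always"` that the policy only takes effect when a pod is recreated, so picking up a new digest still depends on Keel performing the rollout.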
@ -181,7 +182,9 @@ resource "kubernetes_deployment" "vaultwarden" {
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
metadata[0].annotations["keel.sh/policy"],
metadata[0].annotations["keel.sh/trigger"],
metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
metadata[0].annotations["keel.sh/match-tag"], # KYVERNO_LIFECYCLE_V2
metadata[0].annotations["kubernetes.io/change-cause"], # Keel rewrites this on every rollout
]
}
}
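Review bot: adding `metadata[0].annotations["keel.sh/match-tag"]` to `ignore_changes` means Terraform will no longer notice if the annotation is absent or changed, yet the commit message says its absence is exactly the window in which Keel rewrote the tag. With it tagged `KYVERNO_LIFECYCLE_V2`, the annotation's presence now rests entirely on the Kyverno mutation landing before Keel's next poll; consider asserting it somewhere that fails loudly when it is missing (for example a validating policy that rejects `keel.sh/policy: force` without `keel.sh/match-tag: "true"`) rather than only ignoring drift. The `kubernetes.io/change-cause` entry is fine and its comment explains why.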