From b3ef0dba760f8d02f7be768d4b517f5d42079369 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Thu, 11 Jun 2026 00:34:44 +0000
Subject: [PATCH] authentik: ignore Keel-managed image_pull_policy on pgbouncer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Keel flip-flops the pgbouncer container's imagePullPolicy, so the
declared Always kept re-diffing on every plan. Ignore it like the
image tag (KEEL_IGNORE pattern) — plan-to-zero restored.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 stacks/authentik/modules/authentik/pgbouncer.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/stacks/authentik/modules/authentik/pgbouncer.tf b/stacks/authentik/modules/authentik/pgbouncer.tf
index a501b950..ca018335 100644
--- a/stacks/authentik/modules/authentik/pgbouncer.tf
+++ b/stacks/authentik/modules/authentik/pgbouncer.tf
@@ -162,7 +162,8 @@ resource "kubernetes_deployment" "pgbouncer" {
       metadata[0].annotations["keel.sh/trigger"],
       metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
       metadata[0].annotations["keel.sh/match-tag"],
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
+      spec[0].template[0].spec[0].container[0].image,             # KEEL_IGNORE_IMAGE — Keel manages tag updates
+      spec[0].template[0].spec[0].container[0].image_pull_policy, # Keel flip-flops this between Always/IfNotPresent
       metadata[0].annotations["kubernetes.io/change-cause"],
       metadata[0].annotations["deployment.kubernetes.io/revision"],
       spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1