From 53834deb246aad6535d1806e800cd7200077f348 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Wed, 24 Jun 2026 20:45:30 +0000 Subject: [PATCH 1/2] instagram-poster: scale to 0 (unused, dead ExternalSecret) Viktor confirmed the Instagram Graph poster isn't used. Its ExternalSecret has been dead on missing Vault keys (ig_graph_long_lived_token, ig_business_account_id), so the deployment sat at 0/1 firing DeploymentReplicasMismatch. Setting replicas=0 stops the alert and makes the scale-down durable (a bare kubectl scale reverts on the next stack apply). Re-set to 1 after minting a Meta long-lived token + populating the Vault keys. Co-Authored-By: Claude Opus 4.8 --- stacks/instagram-poster/modules/instagram-poster/main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf index 65714739..351fb41c 100644 --- a/stacks/instagram-poster/modules/instagram-poster/main.tf +++ b/stacks/instagram-poster/modules/instagram-poster/main.tf @@ -227,7 +227,11 @@ resource "kubernetes_deployment" "instagram_poster" { } spec { - replicas = 1 + # Scaled to 0 (2026-06-24): Instagram Graph integration is unused and its + # ExternalSecret is dead (missing ig_graph_long_lived_token / + # ig_business_account_id in Vault secret/instagram-poster). Set back to 1 + # after minting a Meta long-lived token and populating those keys. + replicas = 0 # RWO PVC — cannot rolling-update. strategy { type = "Recreate" From aa510e3600e1d491728d1b831f6fc25d6c3a4d31 Mon Sep 17 00:00:00 2001 
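Review bot: Setting `replicas = 0` in the `spec` block stops the pod but, as far as this hunk shows, leaves the rest of the unused stack applied, including the ExternalSecret the commit message calls dead. Anything in the module that still syncs from Vault keeps writing credentials into the namespace for a workload that no longer runs, and the failing ExternalSecret keeps erroring in the background. I would say so in the comment, for example `# ExternalSecrets in this module stay applied while scaled to 0; remove them if the integration is retired.`, or track their removal separately. The `spec` block continues past the end of the hunk.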
From: Viktor Barzin Date: Wed, 24 Jun 2026 20:49:53 +0000 Subject: [PATCH 2/2] instagram-poster: force_conflicts on ESO manifests (fix apply) The ESO v1 migration (2026-06-22) made the external-secrets controller own .spec.refreshInterval via server-side apply, so terraform apply of the two ExternalSecret manifests fails with a field-manager conflict (Woodpecker #348), which blocked the replicas=0 scale-down from landing. Add force_conflicts=true to both, matching the grafana/woodpecker/traefik fix applied to other stacks the same day. Co-Authored-By: Claude Opus 4.8
---
 .../modules/instagram-poster/main.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf
index 351fb41c..7dc3f846 100644
--- a/stacks/instagram-poster/modules/instagram-poster/main.tf
+++ b/stacks/instagram-poster/modules/instagram-poster/main.tf
@@ -35,6 +35,14 @@ resource "kubernetes_namespace" "instagram_poster" {
 # - immich_tag_instagram (optional — auto-resolved if missing)
 # - immich_tag_posted (optional — auto-resolved if missing)
 resource "kubernetes_manifest" "external_secret" {
+ # The external-secrets controller takes server-side-apply ownership of
+ # .spec.refreshInterval, so a plain TF apply conflicts. force_conflicts lets
+ # TF win (values match, so it's stable) — same pattern as grafana/woodpecker/
+ # traefik/k8s-version-upgrade. Surfaced 2026-06-24 by the first IG apply since
+ # the ESO v1 migration (the scale-to-0 push).
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
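Review bot: `force_conflicts = true` in the new `field_manager` block is not limited to `.spec.refreshInterval`: it lets Terraform take ownership of every conflicting field in this ExternalSecret, so a later change by another manager is overwritten silently instead of failing the apply. That matters here because this object decides which Vault keys are copied into a Kubernetes Secret. The comment's "values match, so it's stable" also deserves a check, because server-side apply normally shares ownership when the applied value equals the stored one and reports a conflict only when they differ; if the controller stores the interval in a normalised form, Terraform and the controller may trade the field on every apply. Consider writing `refreshInterval` in the manifest exactly as the controller stores it so no force is needed, or at least extend the comment with `# NOTE: force_conflicts covers all fields of this object, not only refreshInterval.`. The same applies to `benchmark_db_external_secret` in the next hunk; the `manifest` body continues outside this hunk.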
@@ -139,6 +147,11 @@ resource "kubernetes_manifest" "external_secret" {
 # ESO refreshes the K8s Secret every 15m. `reloader.stakater.com/match`
 # bounces the pod when the password changes.
 resource "kubernetes_manifest" "benchmark_db_external_secret" {
+ # See external_secret above — ESO owns .spec.refreshInterval; force_conflicts
+ # lets the TF apply win instead of erroring on the field-manager conflict.
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"