plotting-book: pull image from private ghcr instead of public DockerHub

Anca's plotting-book app now builds its image in her own GitHub repo to the private package ghcr.io/passionprojectsanca/book-plotter (off public DockerHub viktorbarzin/book-plotter). Wire the cluster to pull it: - stacks/plotting-book: point the deployment baseline image at the ghcr package and add imagePullSecrets {ghcr-credentials} so the pod can pull the private image (the live tag is still CI-owned via ignore_changes). - stacks/kyverno: add the plotting-book namespace to the ghcr-credentials allowlist so the Kyverno generate policy clones the pull secret into it. Verified the shared ghcr_pull_token (Viktor, repo-admin on Anca's repo) can read the private package before wiring this. Docs: correct ci-cd.md (it wrongly listed plotting-book as already on ghcr — it was on DockerHub) and note the special arrangement; amend ADR-0003 to record that this GitHub-first repo builds to its own org's ghcr namespace. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 15:32:19 +00:00 · 2026-06-27 15:32:19 +00:00 · c13a3f1694
commit c13a3f1694
parent bf40409141
4 changed files with 29 additions and 6 deletions
--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@ -118,6 +118,12 @@ resource "kubernetes_deployment" "plotting-book" {
        }
      }
      spec {
+        # Pull the PRIVATE ghcr image. The ghcr-credentials secret is cloned
+        # into this namespace by the Kyverno generate policy in stacks/kyverno
+        # (plotting-book is on its ghcr_private_namespaces allowlist).
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
        volume {
          name = "data"
          persistent_volume_claim {
@ -125,10 +131,12 @@ resource "kubernetes_deployment" "plotting-book" {
          }
        }
        container {
-          # Baseline only — CI owns the live tag (GHA builds viktorbarzin/book-plotter:<sha8>,
-          # Woodpecker repo 43 set-images it; see ignore_changes above). :latest is pushed by
-          # the same GHA build, so a from-scratch apply starts on current code.
-          image             = "viktorbarzin/book-plotter:latest"
+          # Baseline only — CI owns the live tag (GHA in Anca's repo builds
+          # ghcr.io/passionprojectsanca/book-plotter:vX.Y.Z, Woodpecker repo 43
+          # set-images it; see ignore_changes above). :latest is pushed by the
+          # same GHA build, so a from-scratch apply starts on current code.
+          # PRIVATE package — pulled via the ghcr-credentials secret below.
+          image             = "ghcr.io/passionprojectsanca/book-plotter:latest"
          name              = "plotting-book"
          image_pull_policy = "Always"
          env {