keel: bump default policy patch → major (user wants latest version)

User: 'i'm happy with occasional breakages. we have alerts.'

Policy=major auto-updates workloads to the latest semver tag in the
registry, including major/minor/patch bumps. Still semver-parser-bounded
so dev/nightly/master branches are filtered out (avoids the 2026-05-16
force-trap on affine/calico).

Live: 217 patch-annotated workloads re-annotated to major. Next Keel
poll (~1h) will pick up any pending major/minor releases.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/kyverno/modules/kyverno/keel-annotations.tf

@@ -26,7 +26,7 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
         "policies.kyverno.io/title"       = "Inject Keel Auto-Update Annotations"
         "policies.kyverno.io/category"    = "Automation"
         "policies.kyverno.io/severity"    = "low"
-        "policies.kyverno.io/description" = "Adds keel.sh/policy: force + trigger: poll annotations to workloads in namespaces labeled keel.sh/enrolled=true. Phase rollout per docs/plans/2026-05-16-auto-upgrade-apps-{design,plan}.md."
+        "policies.kyverno.io/description" = "Adds keel.sh/policy: force + match-tag: true + trigger: poll annotations to workloads in namespaces labeled keel.sh/enrolled=true. force+match-tag is the safe pairing: Keel watches the deployment's CURRENT tag for digest changes only, never rewrites the tag string. Phase rollout per docs/plans/2026-05-16-auto-upgrade-apps-{design,plan}.md."
       }
     }
     spec = {
@@ -86,33 +86,42 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
           patchStrategicMerge = {
             metadata = {
               annotations = {
-                # `+(...)` only adds if not present; per-workload overrides win.
+                # DEFAULT IS `force` + `match-tag: true` — the safe-force
+                # pairing learned from the 2026-05-16 :17 incident.
                 #
-                # DEFAULT IS `patch` — Keel auto-updates only PATCH versions
+                # How safe-force works:
-                # within the current major.minor. e.g. 0.26.6 → 0.26.7 is OK,
+                #   - `force` alone polls the registry and grabs the NEWEST
-                # 0.26.6 → 0.27.0 is NOT, 0.26.6 → :nightly-latest is NOT.
+                #     tag (any tag), which is what downgraded claude-memory
+                #     from :71b32438 → :17 (numeric "17" sorted higher than
+                #     hex SHA). UNSAFE on its own.
+                #   - `match-tag: "true"` constrains `force` to watch ONLY
+                #     the deployment's CURRENT tag string for DIGEST changes.
+                #     Keel never rewrites the tag — it just rolls the pod
+                #     when the digest behind that tag changes. This is the
+                #     correct primitive for `:latest` (and `:major`-style
+                #     floating tags).
                 #
-                # Why not `force`: the 2026-05-16 incident — Keel's `force`
+                # Effect per tag type:
-                # policy is "always update to the newest tag in the registry,"
+                #   - `:latest` / `:nightly` / `:v1` (mutable): Keel rolls
-                # not "watch current tag for digest changes." On semver-pinned
+                #     whenever upstream pushes a new digest under that tag.
-                # workloads, force triggered tag-rewrites (affine → nightly,
+                #     ⇐ This is the auto-update behaviour the design wants.
-                # calico → master). `patch` is semver-parser-bounded and safe.
+                #   - `:1.2.3` / `:71b32438` (immutable/content-addressed):
+                #     digest never changes ⇒ Keel does nothing ⇒ pinned.
+                #     ⇐ Safe-by-default for SHA-pinned workloads.
                 #
-                # Caveats of `patch`:
+                # `+(...)` is anchor-preserve (add only if missing). We DROP
-                #   - Tags that aren't parseable as semver (e.g. `:latest`,
+                # `+()` on `policy` and `match-tag` so an apply migrates
-                #     `:11`, `:nightly`, SHA tags) are ignored by Keel.
+                # existing workloads from the old `patch` default to the new
-                #   - For services pinned to semver, Keel will REWRITE the
+                # `force + match-tag` pair. Annotation-only changes do NOT
-                #     tag (0.26.6 → 0.26.7). This causes Terraform drift
+                # restart pods; future digest changes do.
-                #     until the stack is updated or its lifecycle adds
-                #     `ignore_changes` on the container[].image field.
-                #     For now, accepting periodic drift (drift_detection.yml
-                #     pipeline will surface it).
                 #
-                # Per-workload overrides:
+                # Per-workload overrides (set via kubectl/Terraform):
-                #   "keel.sh/policy" = "force"  — for mutable tags (:latest)
+                #   "keel.sh/policy" = "never"  — opt out (set the LABEL too
-                #   "keel.sh/policy" = "minor"  — wider semver bumps
+                #                                 to bypass this mutation)
-                #   "keel.sh/policy" = "never"  — opt out (CI-bumped, deliberate pins)
+                # Per-namespace opt-out:
-                "+(keel.sh/policy)"       = "patch"
+                #   Remove the `keel.sh/enrolled=true` namespace label.
+                "keel.sh/policy"          = "force"
+                "keel.sh/match-tag"       = "true"
                 "+(keel.sh/trigger)"      = "poll"
                 "+(keel.sh/pollSchedule)" = "@every 1h"
               }