From f1e81772d5525ebce33d5878046e5fa760403951 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 2 Jul 2026 05:31:00 +0000
Subject: [PATCH] broker-sync: repoint image to ghcr (was frozen on pre-migration DockerHub)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The nightly ibkr sync failed with 'No such command ibkr': every broker-sync CronJob still pulled viktorbarzin/broker-sync:latest from DockerHub, which nothing has pushed to since the ADR-0002 move to GHA->ghcr on 2026-06-13 — the jobs were silently running a frozen pre-ibkr build.

The migration had allowlisted only the wealthfolio namespace for the private ghcr.io/viktorbarzin/wealthfolio-sync image, so broker-sync also lacked pull credentials.

Repoint the image, add ghcr-credentials imagePullSecrets to all eight CronJobs, and allowlist the broker-sync namespace (wealthfolio stays — its own monthly sync pulls the same image).

Related: code-9ko8.

Co-Authored-By: Claude Fable 5
---
 stacks/broker-sync/main.tf | 26 ++++++++++++++++++-
 .../modules/kyverno/ghcr-credentials.tf | 5 ++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf
index 67f8089e..02c72d0b 100644
--- a/stacks/broker-sync/main.tf
+++ b/stacks/broker-sync/main.tf
@@ -87,7 +87,7 @@ resource "kubernetes_persistent_volume_claim" "data_encrypted" {
 }
 
 locals {
-  broker_sync_image = "viktorbarzin/broker-sync:${var.image_tag}"
+  broker_sync_image = "ghcr.io/viktorbarzin/wealthfolio-sync:${var.image_tag}"
 
   # Shared env block for every CronJob: auth into Wealthfolio + data path.
   common_env = [
@@ -123,6 +123,9 @@ resource "kubernetes_cron_job_v1" "version_probe" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           container {
             name = "broker-sync"
             image = local.broker_sync_image
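Review bot: The new `broker_sync_image` local still keys on `var.image_tag`, which the commit message says resolved to `latest` on DockerHub, so the replacement reference is just as mutable and just as silent about which build actually ran — the same failure mode this commit fixes, now aimed at ghcr. Pinning by digest (`ghcr.io/viktorbarzin/wealthfolio-sync@sha256:…`, taken from the GHA build output) makes a stale or substituted image visible at plan time, and since Kyverno is already in the cluster a `verifyImages` rule is the natural follow-up if the GHA pipeline signs what it pushes. If `image_tag` is to stay a floating tag, also set `image_pull_policy = "Always"` on each container explicitly: Kubernetes only defaults to Always for `:latest`, so switching to a reused tag such as `main` would let a node's cached layer reintroduce the frozen-build problem. The `version_probe` CronJob's `spec` block continues outside the hunk.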
@@ -167,6 +170,9 @@ resource "kubernetes_cron_job_v1" "trading212" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           # Pin every job that mounts the shared RWO data volume to one node:
           # cross-node scheduling forced a nightly detach/attach cycle whose
           # QMP hotplug intermittently ghost-attaches on disk-heavy VMs and
@@ -283,6 +289,9 @@ resource "kubernetes_cron_job_v1" "ibkr" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           # Pin every job that mounts the shared RWO data volume to one node:
           # cross-node scheduling forced a nightly detach/attach cycle whose
           # QMP hotplug intermittently ghost-attaches on disk-heavy VMs and
@@ -423,6 +432,9 @@ resource "kubernetes_cron_job_v1" "imap" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           # Pin every job that mounts the shared RWO data volume to one node:
           # cross-node scheduling forced a nightly detach/attach cycle whose
           # QMP hotplug intermittently ghost-attaches on disk-heavy VMs and
@@ -581,6 +593,9 @@ resource "kubernetes_cron_job_v1" "csv_drop" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           # Pin every job that mounts the shared RWO data volume to one node:
           # cross-node scheduling forced a nightly detach/attach cycle whose
           # QMP hotplug intermittently ghost-attaches on disk-heavy VMs and
@@ -679,6 +694,9 @@ resource "kubernetes_cron_job_v1" "fx_reconcile" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           # Pin every job that mounts the shared RWO data volume to one node:
           # cross-node scheduling forced a nightly detach/attach cycle whose
           # QMP hotplug intermittently ghost-attaches on disk-heavy VMs and
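Review bot: The `image_pull_secrets { name = "ghcr-credentials" }` block is pasted verbatim into each CronJob with the Secret name as a bare string literal, so a rename of the Secret or a ninth job will drift exactly the way the image reference did. A single `ghcr_pull_secret = "ghcr-credentials"` entry in the existing `locals` block, referenced as `name = local.ghcr_pull_secret`, keeps the name in one place; the block itself could also come from a shared `dynamic "image_pull_secrets"` over one local list. A short comment at the first occurrence would spare the next reader a trip to the kyverno stack, e.g. `# Private ghcr image; the Secret is provisioned into this namespace via the kyverno stack's ghcr-credentials allowlist.` (the provisioning mechanism is inferred from the commit message, worth confirming). Each CronJob's `spec` block continues outside its hunk.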
@@ -777,6 +795,9 @@ resource "kubernetes_cron_job_v1" "backup" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           # Pin every job that mounts the shared RWO data volume to one node:
           # cross-node scheduling forced a nightly detach/attach cycle whose
           # QMP hotplug intermittently ghost-attaches on disk-heavy VMs and
@@ -886,6 +907,9 @@ resource "kubernetes_cron_job_v1" "fidelity" {
         }
         spec {
           restart_policy = "OnFailure"
+          image_pull_secrets {
+            name = "ghcr-credentials"
+          }
           # Pin every job that mounts the shared RWO data volume to one node:
           # cross-node scheduling forced a nightly detach/attach cycle whose
           # QMP hotplug intermittently ghost-attaches on disk-heavy VMs and
diff --git a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
index 0cd85b41..e4a5ec6a 100644
--- a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
+++ b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
@@ -22,6 +22,11 @@ locals {
     "instagram-poster",
     "payslip-ingest",
     "wealthfolio",
+    # broker-sync pulls the same PRIVATE ghcr.io/viktorbarzin/wealthfolio-sync
+    # image; the ADR-0002 migration only allowlisted the wealthfolio namespace,
+    # so broker-sync silently kept running the frozen pre-migration DockerHub
+    # image (its CronJobs lacked pull auth for ghcr).
+    "broker-sync",
     "fire-planner",
     "recruiter-responder",
     # openclaw's install-recruiter-plugin init container pulls the PRIVATE
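Review bot: The `"broker-sync"` allowlist entry is what makes the `ghcr-credentials` Secret exist in that namespace (as far as the commit message indicates), yet it lives in a separate Terraform stack from the CronJobs that now reference it, so nothing enforces apply order — apply the broker-sync stack first and its jobs sit in ImagePullBackOff until this stack catches up. A `data "kubernetes_secret"` lookup or a precondition in the broker-sync stack would turn that into a plan-time error rather than a silent nightly failure, which is the class of bug this commit is chasing. The four-line comment above the entry retells the incident from the commit message; the allowlist reads better with one line stating the current fact, e.g. `# broker-sync: pulls the private wealthfolio-sync image (same image as the wealthfolio namespace).`, leaving the history to git. Handing this credential to one more namespace is fine provided the underlying token is scoped to read-only package access, which is worth confirming while here. The `locals` block continues outside the hunk.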