From e956b7895167532fc46082286ac54dd9c0249e23 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 16 May 2026 23:14:43 +0000
Subject: [PATCH] Bucket C: enroll 5 raw-deploy stacks in Keel auto-update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* beads-server: 3 Deployments — extended V1 lifecycle blocks to V2 + KEEL_IGNORE_IMAGE; namespace label.
* llama-cpp: 1 Deployment — extended V1→V2; namespace label.
* novelapp: namespace label only (Deployment has non-standard lifecycle without V1 dns_config — drift expected, accept for now).
* plotting-book: namespace label only (same as novelapp).
* trading-bot: namespace label only (same as novelapp).

immich deferred — the bulk-add script's brace-counter got confused by a HEREDOC in the file, inserting a lifecycle block in the wrong position. Needs manual per-Deployment editing.

The 3 ns-only stacks (novelapp, plotting-book, trading-bot) will see their Deployments mutated by Kyverno but their TF lifecycle doesn't yet ignore the keel annotations. Expected behavior: drift visible in terragrunt plan, applied-state oscillates with Kyverno re-injecting. Acceptable starting point; per-Deployment lifecycle work to fix.

Co-Authored-By: Claude Opus 4.7
---
 stacks/beads-server/main.tf | 19 ++++++++++++++++---
 stacks/llama-cpp/main.tf | 5 +++++
 stacks/novelapp/main.tf | 1 +
 stacks/plotting-book/main.tf | 1 +
 stacks/trading-bot/main.tf | 1 +
 5 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index 22e31480..91ed3755 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -29,6 +29,7 @@ resource "kubernetes_namespace" "beads" {
     name = "beads-server"
     labels = {
       tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
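Review bot: The added `"keel.sh/enrolled" = "true"` label on the `beads` namespace is a namespace-wide opt-in, and nothing on the line says so; per the commit message Kyverno injects the keel annotations into every Deployment in a labelled namespace, so a Deployment added to this namespace later is auto-updated even if nobody gives it the KYVERNO_LIFECYCLE_V2 / KEEL_IGNORE_IMAGE `ignore_changes` entries. Suggest a trailing comment on the label line: `"keel.sh/enrolled" = "true" # Namespace-wide opt-in: every Deployment in this ns needs the KYVERNO_LIFECYCLE_V2 + KEEL_IGNORE_IMAGE ignore_changes entries`. The same applies to the `llama_cpp` namespace hunk in stacks/llama-cpp/main.tf. The namespace resource starts before this hunk and continues after it.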
@@ -177,7 +178,11 @@ resource "kubernetes_deployment" "dolt" {
   }
   lifecycle {
     ignore_changes = [
-      spec[0].template[0].spec[0].dns_config # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
 }
@@ -381,7 +386,11 @@ resource "kubernetes_deployment" "workbench" {
   }
   lifecycle {
     ignore_changes = [
-      spec[0].template[0].spec[0].dns_config # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
 }
@@ -654,7 +663,11 @@ resource "kubernetes_deployment" "beadboard" {
   }
   lifecycle {
     ignore_changes = [
-      spec[0].template[0].spec[0].dns_config # KYVERNO_LIFECYCLE_V1
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
 }
diff --git a/stacks/llama-cpp/main.tf b/stacks/llama-cpp/main.tf
index 27c952d6..13b3cb3b 100644
--- a/stacks/llama-cpp/main.tf
+++ b/stacks/llama-cpp/main.tf
@@ -101,6 +101,7 @@ resource "kubernetes_namespace" "llama_cpp" {
     labels = {
       tier = local.tiers.gpu
       "istio-injection" = "disabled"
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
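Review bot: Ignoring `spec[0].template[0].spec[0].container[0].image` hands ownership of the running image to Keel, but the `# KEEL_IGNORE_IMAGE` marker does not say that the image written in the container block is now only a bootstrap value, so anyone auditing deployed versions from this file, or expecting `terragrunt apply` to roll a bad image back, will be misled. Suggest expanding the trailing comment to `# KEEL_IGNORE_IMAGE — image in the container block is the bootstrap value only; the running tag is owned by Keel (its policy comes from the Kyverno-injected keel.sh/policy annotation, not from this file)`. Only `container[0]` is covered: I cannot tell from the hunk whether any of these Deployments has a second container, but a Keel update to one would show as drift and be reverted on apply. The same block is repeated in the `workbench` and `beadboard` hunks below and in the `llama_swap` hunk of stacks/llama-cpp/main.tf. The `lifecycle` block is complete within the hunk; the enclosing resource starts before it.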
@@ -372,6 +373,10 @@ resource "kubernetes_deployment" "llama_swap" {
   lifecycle {
     ignore_changes = [
       spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
     ]
   }
diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf
index 1c66030b..fe50a66f 100644
--- a/stacks/novelapp/main.tf
+++ b/stacks/novelapp/main.tf
@@ -36,6 +36,7 @@ resource "kubernetes_namespace" "novelapp" {
     labels = {
       "istio-injection" : "disabled"
       tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf
index 1f6f2b06..a0e8f3d9 100644
--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@@ -9,6 +9,7 @@ resource "kubernetes_namespace" "plotting-book" {
     labels = {
       "istio-injection" : "disabled"
       tier = local.tiers.aux
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf
index ff35f6c9..21281897 100644
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@@ -35,6 +35,7 @@ resource "kubernetes_namespace" "trading-bot" {
     name = "trading-bot"
     labels = {
       tier = local.tiers.edge
+      "keel.sh/enrolled" = "true"
     }
   }
 }
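Review bot: Labelling the `novelapp` namespace with `keel.sh/enrolled` while its Deployment's `ignore_changes` still pins the image (the commit message says the V1/V2 entries are missing there) leaves the running image owned by neither system: Kyverno re-injects the keel annotations after each apply per the commit message, and presumably each `terragrunt apply` also resets the image to the tag in this file, so which version is actually running depends on what ran last. From a supply-chain standpoint that is worse than either fully pinned or fully auto-updated, since a known-bad tag can be rolled forward and back on every cycle. I would hold these labels back the way immich was deferred until the per-Deployment `ignore_changes` entries exist, or at minimum record the caveat on the label line: `"keel.sh/enrolled" = "true" # TODO: Deployment lifecycle does not ignore keel annotations/image yet — expect plan drift on every apply`. The same applies to the plotting-book and trading-bot hunks. The namespace resource starts before this hunk and continues after it.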
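Review bot: The `trading-bot` namespace resource closes right after `metadata` (the last two context lines are `}` `}`), so unlike the other four namespaces in this patch, which all show a `lifecycle {` block after `metadata`, it has none. I cannot see what those blocks ignore, but if they exist to absorb out-of-band label or annotation mutations on the namespace object, this resource will show that drift too once it is labelled; worth confirming and adding the same block, or, if the omission is deliberate, a comment such as `# no lifecycle block: nothing is expected to mutate this namespace's metadata out of band` so the asymmetry reads as intentional. The resource starts before the hunk.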