From eb8b5505210d655043a0536bef27a5e00956e0a9 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Sat, 13 Jun 2026 09:49:58 +0000
Subject: [PATCH] chrome-service: TF-manage novnc image (ghcr:latest), drop its
 KEEL_IGNORE (ADR-0002 #29)

novnc's image was ignore_changed (KEEL_IGNORE) but nothing manages its
tag (keel.sh/policy=never), so the earlier forgejo->ghcr repoint never
took. Removing container[1].image from ignore_changes lets terragrunt
own novnc=ghcr:latest and roll it. container[0]/[2] (pinned playwright)
stay ignored.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 stacks/chrome-service/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stacks/chrome-service/main.tf b/stacks/chrome-service/main.tf
index 944c880f..a0e803c9 100644
--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@@ -440,7 +440,7 @@ resource "kubernetes_deployment" "chrome_service" {
       metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
       metadata[0].annotations["keel.sh/match-tag"],
       spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
-      spec[0].template[0].spec[0].container[1].image,
+      # container[1]=novnc now TF-managed on ghcr:latest (ADR-0002 #29) — was KEEL_IGNORE
       spec[0].template[0].spec[0].init_container[0].image,
       metadata[0].annotations["kubernetes.io/change-cause"],
       metadata[0].annotations["deployment.kubernetes.io/revision"],