Bucket A retrigger + Bucket D enrollment (5 module-nested stacks)

After fixing the postgresql-lb MetalLB flap (deleted stuck
ServiceL2Status CR l2-rgt9d), Tier 1 CI can apply again. Combined
commit:

  * Bucket A (16 stacks): re-append CI retrigger marker so the
    previously-pending applies pick up:
      blog calico cyberchef descheduler f1-stream homepage jsoncrack
      k8s-dashboard k8s-version-upgrade kms local-path osm_routing
      real-estate-crawler travel_blog vault webhook_handler

  * Bucket D (5 module-nested stacks): keel.sh/enrolled label on
    namespace + KYVERNO_LIFECYCLE_V2 on Deployments inside the module:
      postiz instagram-poster k8s-portal uptime-kuma vaultwarden

Bucket C (raw-deploy apps without V1 marker on their Deployment
lifecycles) deferred — needs per-Deployment lifecycle block additions
that the bulk script can't safely automate:
  beads-server immich llama-cpp novelapp plotting-book trading-bot

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/blog/main.tf

@@ -169,3 +169,5 @@ module "ingress-www" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/calico/main.tf

@@ -75,3 +75,5 @@ resource "kubernetes_namespace" "tigera_operator" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/cyberchef/main.tf

@@ -144,3 +144,5 @@ module "ingress" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/descheduler/main.tf

@@ -102,3 +102,5 @@ resource "helm_release" "descheduler" { # rename me
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/f1-stream/main.tf

@@ -314,3 +314,5 @@ module "ingress" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/homepage/main.tf

@@ -177,3 +177,5 @@ module "ingress" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/instagram-poster/modules/instagram-poster/main.tf

@@ -15,6 +15,7 @@ resource "kubernetes_namespace" "instagram_poster" {
     labels = {
       tier              = var.tier
       "istio-injection" = "disabled"
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
@@ -361,7 +362,12 @@ resource "kubernetes_deployment" "instagram_poster" {
   }
 
   lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
   }
 
   depends_on = [

stacks/jsoncrack/main.tf

@@ -124,3 +124,5 @@ module "ingress" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/k8s-dashboard/main.tf

@@ -254,3 +254,5 @@ resource "kubernetes_secret" "kubernetes-dashboard-viewonly-token" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/k8s-portal/modules/k8s-portal/main.tf

@@ -10,6 +10,7 @@ resource "kubernetes_namespace" "k8s_portal" {
     name = "k8s-portal"
     labels = {
       tier = var.tier
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {

stacks/k8s-version-upgrade/main.tf

@@ -466,3 +466,5 @@ resource "kubernetes_cron_job_v1" "k8s_version_check" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/kms/main.tf

@@ -350,3 +350,5 @@ resource "kubernetes_service" "windows_kms" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/local-path/main.tf

@@ -201,3 +201,5 @@ resource "kubernetes_deployment" "local_path_provisioner" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/osm_routing/main.tf

@@ -330,3 +330,5 @@ resource "kubernetes_service" "otp" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/postiz/modules/postiz/main.tf

@@ -22,6 +22,7 @@ resource "kubernetes_namespace" "postiz" {
     name = var.namespace
     labels = {
       tier = var.tier
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
@@ -409,7 +410,12 @@ resource "kubernetes_deployment" "temporal" {
     }
   }
   lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
   }
   depends_on = [helm_release.postiz]
 }
@@ -580,7 +586,12 @@ resource "kubernetes_job" "temporal_search_attr_cleanup" {
   }
   wait_for_completion = false
   lifecycle {
-    ignore_changes = [spec[0].template[0].spec[0].dns_config] # KYVERNO_LIFECYCLE_V1
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
   }
   depends_on = [kubernetes_deployment.temporal]
 }

stacks/real-estate-crawler/main.tf

@@ -653,3 +653,5 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/travel_blog/main.tf

@@ -141,3 +141,5 @@ module "ingress" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/uptime-kuma/modules/uptime-kuma/main.tf

@@ -27,6 +27,7 @@ resource "kubernetes_namespace" "uptime-kuma" {
     name = "uptime-kuma"
     labels = {
       tier = var.tier
+      "keel.sh/enrolled" = "true"
     }
     # labels = {
     #   "istio-injection" : "enabled"
@@ -164,8 +165,12 @@ resource "kubernetes_deployment" "uptime-kuma" {
     }
   }
   lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
   }
 }
 resource "kubernetes_service" "uptime-kuma" {

stacks/vault/main.tf

@@ -1085,3 +1085,5 @@ resource "vault_kubernetes_secret_backend_role" "user_deployer" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z

stacks/vaultwarden/modules/vaultwarden/main.tf

@@ -10,6 +10,7 @@ resource "kubernetes_namespace" "vaultwarden" {
     labels = {
       "istio-injection" : "disabled"
       tier = var.tier
+      "keel.sh/enrolled" = "true"
     }
   }
   lifecycle {
@@ -176,8 +177,12 @@ resource "kubernetes_deployment" "vaultwarden" {
     }
   }
   lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
+      metadata[0].annotations["keel.sh/policy"],
+      metadata[0].annotations["keel.sh/trigger"],
+      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
+    ]
   }
 }
 

stacks/webhook_handler/main.tf

@@ -318,3 +318,5 @@ resource "kubernetes_manifest" "external_secret" {
 # CI retrigger v3 2026-05-16T14:06:39Z
 
 # CI retrigger v4 2026-05-16T14:13:59Z
+
+# CI retrigger v5 2026-05-16T23:10:38Z