From ec60af5fd40d80c11f59e802b4c5f6f9fee79be3 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 16 May 2026 22:58:20 +0000
Subject: [PATCH] kyverno: exclude calico-system from inject-keel-annotations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stop the hourly Keel-vs-tigera-operator fight loop on calico-node DaemonSet (v3.26.5 ↔ v3.26.1). Live: re-annotated 4 calico-system workloads with keel.sh/policy=never; TF: added calico-system to the namespaces exclude list so any future mutate run won't re-inject. The previous calico unenrollment (label removal from namespace) wasn't enough — once Kyverno had stamped the policy=patch annotation on the Deployments/DaemonSets, removing the namespace label didn't strip the annotation, so Keel kept watching them.

Co-Authored-By: Claude Opus 4.7
---
 stacks/kyverno/modules/kyverno/keel-annotations.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/stacks/kyverno/modules/kyverno/keel-annotations.tf b/stacks/kyverno/modules/kyverno/keel-annotations.tf
index ad587cda..6a9089cf 100644
--- a/stacks/kyverno/modules/kyverno/keel-annotations.tf
+++ b/stacks/kyverno/modules/kyverno/keel-annotations.tf
@@ -49,7 +49,12 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
  any = [
  {
  resources = {
- namespaces = ["keel"]
+ # Keel must not auto-update itself (decision #11).
+ # calico-system: managed by tigera-operator via Installation CR.
+ # Keel rewriting the calico-node DaemonSet image causes an
+ # hourly fight loop (Keel → v3.26.5, operator → v3.26.1).
+ # Calico version is bumped manually via the Installation CR.
+ namespaces = ["keel", "calico-system"]
  }
  },
  {
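Review bot: The new exclude entry only prevents future injection; the commit message itself notes that Kyverno's mutate does not strip annotations it already stamped, and the four calico-system workloads were fixed by hand with keel.sh/policy=never, which is live state nothing in this file records or re-applies if tigera-operator recreates those objects. That limitation belongs in the comment next to the list, e.g. `# Excluding a namespace does not remove keel.sh/* annotations Kyverno already stamped; already-enrolled workloads must be re-annotated out-of-band.` The `(decision #11)` reference gives no location; naming the file or document that holds the decision log would let the next reader find it. The `policy_inject_keel_annotations` resource starts before and ends after this hunk.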