fire-planner: pull image from ghcr + add ghcr-credentials to all pod specs

Migrating fire-planner off in-cluster Woodpecker builds to GitHub
Actions -> ghcr.io (ADR-0002, issue #26). The image base moves
forgejo.viktorbarzin.me/viktor/fire-planner ->
ghcr.io/viktorbarzin/fire-planner (a PRIVATE ghcr package), so the
deployment, all three cronjobs (recompute, col-refresh,
examples-weekly) and the examples bulk job gain the ghcr-credentials
imagePullSecret (the kyverno sync-ghcr-credentials allowlist already
covers the fire-planner namespace). registry-credentials stays
alongside so the currently-running sha-pinned forgejo image can still
be pulled until the first ghcr deploy lands; the cronjob images are TF
literals and flip to ghcr :latest on this apply.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-06-13 00:38:09 +00:00
parent e696957ebf
commit f18dfa4c8b


@ -13,11 +13,13 @@ variable "tls_secret_name" {
locals {
namespace = "fire-planner"
# Phase 3 cutover 2026-05-07. NOTE: the registry-private repo for
# fire-planner has 0 tags first build via Woodpecker on the new Forgejo
# repo (viktor/fire-planner, Dockerfile + .woodpecker.yml added 2026-05-07)
# must succeed BEFORE the next pod restart, otherwise pulls will 404.
image = "forgejo.viktorbarzin.me/viktor/fire-planner:${var.image_tag}"
# ADR-0002 off-infra builds (2026-06-13, issue infra#26): GHA on the GitHub
# mirror builds + pushes ghcr.io/viktorbarzin/fire-planner (:sha8 + :latest);
# Woodpecker is deploy-only. PRIVATE ghcr package every pod spec pulls via
# the ghcr-credentials Secret (kyverno sync-ghcr-credentials allowlist).
# registry-credentials stays alongside so the currently-running sha-pinned
# forgejo image remains pullable until the first ghcr deploy lands.
image = "ghcr.io/viktorbarzin/fire-planner:${var.image_tag}"
labels = {
app = "fire-planner"
}
@ -230,6 +232,9 @@ resource "kubernetes_deployment" "fire_planner" {
image_pull_secrets {
name = "registry-credentials"
}
image_pull_secrets {
name = "ghcr-credentials"
}
init_container {
name = "alembic-migrate"
@ -390,6 +395,9 @@ resource "kubernetes_cron_job_v1" "fire_planner_recompute" {
image_pull_secrets {
name = "registry-credentials"
}
image_pull_secrets {
name = "ghcr-credentials"
}
container {
name = "recompute"
image = local.image
@ -473,6 +481,9 @@ resource "kubernetes_cron_job_v1" "fire_planner_col_refresh" {
image_pull_secrets {
name = "registry-credentials"
}
image_pull_secrets {
name = "ghcr-credentials"
}
container {
name = "col-refresh"
image = local.image
@ -738,6 +749,9 @@ resource "kubernetes_job_v1" "examples_bulk_ingest" {
image_pull_secrets {
name = "registry-credentials"
}
image_pull_secrets {
name = "ghcr-credentials"
}
container {
name = "ingest"
image = local.image
@ -859,6 +873,9 @@ resource "kubernetes_cron_job_v1" "examples_weekly_delta" {
image_pull_secrets {
name = "registry-credentials"
}
image_pull_secrets {
name = "ghcr-credentials"
}
container {
name = "ingest"
image = local.image
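Review bot: The cron jobs and the bulk job take `image = local.image`, which now resolves to a tag on the private ghcr package, and the commit message says they land on `:latest`; with a mutable tag the recompute, col-refresh and examples jobs run whatever the GitHub Actions workflow pushed last, and nothing in the Terraform config identifies which build that is. The locals comment says the workflow also pushes a `:sha8` tag, so consider passing that tag (or an image digest) through `var.image_tag` for the jobs too, so that a mistaken or unauthorized push to `:latest` is not picked up on the next schedule. The default of `var.image_tag` is not visible in these hunks, so this is inferred from the commit message. Separately, `registry-credentials` stays referenced by all five pod specs with no removal marker; a comment such as `# TODO(infra#26): drop registry-credentials after the first ghcr deploy` next to the first `image_pull_secrets` block would keep the old registry credential from lingering. The resource blocks all start and end outside the hunks shown.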